Certification of Pipeline Risk Assessment Methodologies
In order to achieve the certification objectives stated in www.pipelinerisk.net, a certifying committee has been established. Service on the committee is voluntary, uncompensated, and by invitation by current membership. Duties of committee members are in support of reviewing certification submittals, communicating with submitters, and granting of certifications.
The committee will meet, usually by phone or web conference, when certification requests are received, have been given an initial review, and are judged to be ready for committee consideration.
One committee member will be asked to serve as the ‘champion’ for the submitter. In this role, the Champion will make preliminary reviews of all submitted materials and identify any information gaps. He will communicate these gaps to both the submitter and the Committee, asking for timely remedying of the gaps by the submitter. The Champion will maintain a log of all communications and materials received.
When the Champion feels that either 1) the submittal is ready to receive certification or 2) cannot be certified, he shall alert the committee membership. The committee chairman will convene a meeting as soon as possible after receipt of notice from the Champion. At the committee meeting, the Champion will present his findings and recommendation regarding the submittal.
The committee will determine the certification status of the submittal, based on the recommendations of the Champion as well as committee members’ independent review of materials submitted. Consensus will be sought but a 2/3 majority vote can be employed if necessary.
Committee will issue a formal notification to submitter stating the results of the committee’s deliberations.
Reasonable and prudent steps will be taken to protect submitter’s confidentiality and proprietary property at all phases of the certification process. Committee members will not normally be given details regarding the source of submittals received.
Requests for certification are currently being received in one of two general forms:
- Submissions based on performing a risk assessment of the sample dataset provided on www.pipelinerisk.net
- Submission of a practitioner’s full risk assessment model, sometimes with sample results.
Certifications can be granted for either of these since either can demonstrate compliance with the Essential Elements.
Attachment A Selected Certification Guidance Materials from www.pipelinerisk.net
A methodology that achieves certification by this process is judged to meet or exceed minimum risk assessment requirements of a modern and robust pipeline risk management program. This means almost unquestionably that the assessment also meets all US IMP regulations (CFR 49 Part 192 and Part 195), both explicit and implicit. That is, the regulatory objectives are met as well as the specific requirements detailed in the regulations and accompanying incorporated-by-reference documents.
Submission to Certifying Committee
The minimum documents to be submitted to the certifying committee are shown below. Certification-seekers are encouraged to supplement this minimum list with clarifying documents to ensure that evaluators understand all nuances of the particular assessment.
- List of assumptions employed in producing risk estimates including target level of conservatism
- tabulated risk estimates for each segment of each pipeline with units specified
- PoF (probability of failure or frequency of failure)
- Failure mechanism 1
- Failure mechanism 2
- CoF (consequence of failure)
- aggregate risk values for each PL
- for entire 2400 ft lengths
- for values on each PL
- 3 summary values: Risk, PoF, CoF
- a summary value for each threat included in PoF
When independent certification is sought, the criteria to be used in evaluating the submitted risk assessment are described below.
The first test verifies that the general provisions of the Essential Elements guidance document have been met. See xxx. Most of the Essential Elements serve as objective criteria. That is, very little subjectivity is required in determining when the provisions of the element have been met by a risk assessment. Some, however, do require some interpretation and judgement to gage whether the element’s provisions are satisfied. In those instances, sufficient feedback will be provided to the submitter to fully understand the concerns, if any.
As noted in the Essential Elements, some general aspects to be evaluated by the certification committee include:
Profiles that differ along each pipeline, capturing changing risk conditions along a pipeline and between the pipelines. Profiles should showcase peaks and valleys in risk along each pipeline with drivers of significant changes readily identifiable eg, higher internal corrosion potential due to low spot in elevation profile.
Aggregates that avoids common aggregation errors and
- appropriately summarize the differences between pipelines
- allow rapid identification of key risk drivers
- compare with benchmarks, ie, are similar with significant difference readily explained
Segmentation that is appropriate for the data available and avoids common errors.
Defaults: while certification of a default-assignment program is a future phase of the certification process, the committee will examine the assignment of values used to supplement the provided information and will comment to the submitter if choices in values seem inappropriate for any reason.
Finally, the submitted risk assessment results will be examined in detail to determine if all risk issues have been captured and fairly represented in those results. In addition to the Essential Elements and the general aspects just mentioned, a modern and robust risk assessment should be able to provide insights into issues such as these that are implied by the test dataset:
Role of inspection, especially ILI
no findings vs no ILI
non-actionable ILI findings
impacts falling objects
lack of support
scour and ext forces
Potential for cracking
flow stream oscillations
Implications of casings
Role of pressure testing
test pressure effects
Effects of age on specific risk issues
Changes in corrosion potential
Unmitigated corrosion rates
Additional Risk Issues
- Information provided in the test scenarios is designed to highlight many common pipeline risk issues. However, it is not practical to showcase every possible risk issue in a test such as this. Risk issues not explicitly defined in information provided can be included in analyses at option of submitter (ie, optional assumptions to be made by submitter—these should be documented). Some examples (not a comprehensive list!) of additional risk issues or issues that may warrant a deeper examination (beyond data provided) include:
pipe manufacturing tolerances
valve failure mechanisms vs pipe, eg, wall thickness differences
other impact potentials from falling objects, vehicles, etc
What if risk estimates submitted differ significantly from the benchmark? Without prior agreement on ‘true’ risk estimates, how can certification be accomplished?
Accurate risk assessments can produce a wide range of risk estimates for exactly the same scenario, depending on factors such as:
- assumptions employed when information is missing or weak
- target level of conservatism desired
Uncertainty must be acknowledged–even estimates that are exactly correct statistically (ie, over many repetitions) they will not be correct for each segment for each year. For instance, an event might truly occur 1 time every 6 years as a long term average but have multiple occurrences per year for some period. A one hundred year flood can happen twice in the same year. That is the nature of the probabilistic world around us.
So, you’re saying the numerical estimates do not matter?
Values submitted do matter, but for many purposes, including certification, they matter most in the context of the other estimates produced. In comparing to the benchmark profiles, the most critical aspects are where changes in risk occur and the directions and magnitudes of those changes (orders of magnitude changes often best reflect real world situations) relative to the overall profile. These changes in a risk profile should be caused by changes in risk that are grounded in fundamental principles of engineering and science.
What are the fees for and who gets them?
If fees become necessary, they are intended to only cover actual costs of performing the certification evaluation and communicating with the submitter. When necessary, members of the certifying committee will engage appropriate technical resources from member companies to assist committee members in the analyses. If the entire fee from a submitter is not required to complete the evaluation, remnant funds will be allocated to a general fund that is used to maintain this website and refresh the content as often as possible.
Attachment B Essential Elements
This iteration of the Essential Elements list is intended to provide a concise checklist-type display of the key concepts. Details can be found on www.pipelinerisk.net.
Pipeline Risk Assessment—The Essential Elements
This document sets forth the essential elements for a pipeline risk assessment. Including these elements in a pipeline risk assessment ensures that the assessment is able to produce meaningful risk estimates. Adoption of these minimum elements facilitates efficient and consistent regulatory oversight and manages expectations of all stakeholders.
The essential elements is intentionally a very short list—identifying only those elements that are necessary in order for the risk assessment to be minimally effective. Many additional characteristics ensure optimum risk assessment. Discussion of aspects beyond the essentials presented here are available in guidance documents on www.pipelinerisk.net.
The risk assessment must include a definition of ‘failure’.
The risk assessment must produce a measure of probability of failure and a measure of potential consequence. Both must be expressed in verifiable and commonly used measurement units, free from intermediate schemes (such as scoring or point assignments).
All plausible failure mechanisms must be included in the assessment of PoF. Each failure mechanism must have each of the following three aspects measured or estimated independently, using verifiable and common measurement units:
Exposure (attack)—the type and unmitigated aggressiveness of every force or process that may precipitate failure
Mitigation (defense)—the type and effectiveness of every mitigation measure designed to block or reduce an exposure
Resistance (strength)—a measure or estimate of the frequency of failures that would occur when damages occur
For each time-dependent failure mechanism, a theoretical remaining life estimate must be produced and expressed in a time unit.
Various types of consequences may be appropriate in a PL RA. All types that are part of the risk assessment must be defined and have appropriate units of measurement assigned. The risk assessment must acknowledge the range of possible consequence scenarios associated with failure, from ‘worst case’ to ‘most probable’.
The risk assessment must produce a profile of changing risks along the pipeline. The entire risk assessment must be performed at all points of the pipeline.
The assessment must include complete and appropriate use of all available information. Appropriateness is evident when the risk assessment uses the information in substantially the same way that a SME uses the information to improve his understanding of risk.
For analysis purposes, the risk assessment must divide the pipeline into segments where risks are unchanging—ie, all risk variables are essentially unchanging within each segment. Due to characteristics such as hydraulic profile and varying natural environments, most pipelines will require at least 100 segments per mile with some pipelines requiring thousands of segments per mile. Compromise approaches involving the use of averages or extremes (maximums, minimums) to characterize a segment are normally unnecessary and significantly weaken the analyses.
The risk assessment must estimate the level of conservatism employed in all aspects—inputs, defaults, algorithms, calibrations. The same level of conservatism need not apply to all aspects.
The assessment must be free of general bias (eg, weightings) that forces incorrect conclusions for some segments. For example, using behaviors of populations of pipeline segments to force pre-conceived outcomes on individual segments (ie, applications of weightings based on historical failure frequencies) will usually force such an inappropriate bias.
For a variety of purposes, summarization of the risks presented by multiple segments will be desirable—eg, trap to trap, valve to valve, summaries of risk. Such summaries must avoid simple statistics (sums, average, maximum, etc) or weighted statistics (length-weighted averages, etc) that are not fully descriptive of the real risks presented by the collection of segments (ie, use of such summarization strategies often lead to incorrect conclusions and must be avoided).
To illustrate the inclusion of the essential elements in a risk assessment, the following example is offered. This is an example only—alternate approaches can also embody the essential elements and produce risk estimates that have an acceptable level of rigor.
A 120 mile pipeline is to have a risk assessment performed. For the assessment, failure is defined as loss of integrity leading to loss of pipeline contents. Consequences are measured as potential harm to public health and property, and the environment. Measurement units for the assessment are as follows:
Minimum data as defined in ASME B31.8S is collected and includes SME estimates where actual data is unavailable. The collected data implies changes in risk along the pipeline route—6,530 segments are created by the changing data with an average length of 87 ft. This ensures that a risk profile with adequate discrimination is generated.
A level of conservatism to be used is defined as P90 for all inputs that are not based on actual measurements. This means that a ‘negative surprise’ will arise once for every ten inputs—“the input will only overestimate the true value 10% of the time” . The risk assessors have chosen this level of conservatism to account for plausible, but extreme, conditions and ensure that risks are not underestimated.
For assessing PoF from time-independent failure mechanisms, the top level equation selected by risk assessors is as follows:
PoF_time-independent = exposure x (1 – mitigation) x (1 – resistance)
As an example for applying this to PoF_ third_party_excavations, the following inputs are identified (by SME’s) for certain portions of the subject pipeline:
- Exposure (unmitigated ‘attack’) is estimated to be 3 excavation events per mile-year
- Using a mitigation (defense) effectiveness analysis, SME’s estimate that 1 in 50 of these exposures will not be successfully kept away from the pipeline by existing mitigation measures. this results in an overall mitigation effectiveness estimate of 98% mitigated
- Of the exposures that result in contact with the pipe, SME’s perform an analysis to estimate that 1 in 4 will result in failure, not just damage. This estimate includes the possible presence of weaknesses due to threat interaction and/or manufacturing and construction issues. So, the pipeline in this area is judged to be 75% resistive to failure from this mechanism, once contact occurs.
These inputs result in the following assessment:
(3 excavation events per mile-year) x (1 – 98% mitigated) x (1 – 75% resistive) = 1.5% per mile-year (a failure about every 67 years along this mile of pipeline).
Note that a useful intermediate calculation, probability of damage—but not failure—emerges from this assessment:
(3 excavation events per mile-year) x (1 – 98% mitigated) = 0.06 damage events/mile-year (damage occurring about once every 17 years).
This estimate can be verified by future inspections.
This same approach is used for other time-independent failure mechanisms and for all portions of the pipeline.
For assessment of PoF for time-dependent failure mechanisms, the previous algorithms are slightly modified to the following form:
PoF_time-dependent = (TTF_time-dependent)
TTF_time-dependent = resistance / [exposure x (1 – mitigation)]
As an example, SME’s have determined that, at certain locations along the 120 mile pipeline, 5 mpy soil corrosivity leads to external corrosion exposure (unmitigated). Examination of coating and CP effectiveness leads SME’s to assign a mitigation effectiveness of 90% . Recent inspections, adjusted for uncertainty, result in a pipe wall thickness estimate of 0.220” (resistance). Use of these inputs in the PoF assessment is shown below:
SME’s have analyzed potential consequences and determined the range of possible consequence scenarios generated by a failure. The range of possibilities is characterized by a set of scenarios. This company has decided to monetize all potential consequences. After assignment of scenario probabilities to each scenario, a point estimate representing the distribution of all future scenarios yields the value of $11,500 per failure.
Risk assessors calculate all risk elements for each of the 6,530 segments. To estimate PoF for any portion of the 120 mile pipeline, a probabilistic summation (OR gate) is used to ensure that length effects and the probabilistic nature of estimates are appropriately considered. To estimate total risk, an expected loss calculation for the full 120 miles yields an average value of $210/mile-year. The company uses this value to compare to, among other benchmarks, a US national average for similar pipelines of $350/mile-year.
1 With performance-based regulation, compliance has elements of subjectivity and can never be absolutely guaranteed.
2 or ‘underestimate’, depending on which results in estimates of higher risk