The principles of this section have subsequently been incorporated into each part of AS 2885 (except Part 4).
The SAFETY section was developed, largely by a committee member Mr Ken Bilston, with the assistance of BHP Petroleum’s risk department.
The impetus for its development came through Mr Bilston’s involvement with the then BHP Eastern Gas Pipeline.
As part of the approval process for that pipeline, regulators required a quantitative risk assessment (QRA) of the pipeline which considers the risk to the population of rupture, and leaks through 50 and 10 mm holes in the pipeline.
Mr Bilston reasoned that the whole QRA process (intended for concentrated infrastructure) was essentially worthless for linear infrastructure where the threats to the pipeline integrity and the consequence of pipeline failure vary metre by metre over the whole of the pipeline length.
Moreover he reasoned that:
- History has shown that pipeline design practice incorporates approaches that generally provide protection to the pipeline and thus to the public;
- Designers methodically work along the pipeline length to identify “˜threats’, and incorporate specific designs to control these; and,
- Designers do not communicate these safety aspects of the pipeline within their own organisations, the regulatory bodies and the public.
- The Safety Process was designed to properly communicate the industry’s approach to pipeline safety through design and operational procedures.
Specifically the process requires:
1. The designer’s access to all design documents, including (at that time) the developing geographic information system (GIS), showing the inter-relationship between all information along the pipeline route, displayed against a background of high resolution photography.
2. An investigation to identify activities along the pipeline route that present a threat to the pipeline (because they may contact the pipeline, or may carry another threat like, for example, ground movement).
3. An understanding of the consequence of pipeline rupture, to determine the extent of the worst possible failure for input to the design (radiation consequence distance).
4. The designer to undertake a methodical investigation along the whole pipeline route to identify each potential threat to the pipeline from the start to the finish, to analyse the effect of each identified threat to the pipeline and to modify the design sufficiently for him to consider that the threat is controlled.
5. Where the designer considers that the threat is not controlled, he is required to undertake a failure analysis, and if necessary, an assessment of the risk.
6. Full documentation of the process (in sufficient detail for the analysis to be understood by an independent person come time after the process was completed).
7. Validation of the process by a workshop of stakeholders whose experience includes each aspect of pipeline design, construction and operation, together with interested bodies including the regulator, other infrastructure owners and, if needed, community representatives.
8. Revision of the whole process at intervals not exceeding 5 years, and where required, of parts of the process in the event that threats or consequences change.
The SAFETY process was renamed “˜SAFETY MANAGEMENT STUDY’ (SMS) in the 2007 revision of AS 2885.1, however the process essentially remains unchanged.
Risk is assessed through a structured process that reflects both experience and knowledge, and is designed to identify and concentrate attention on threats that result in real “˜risk’.
Additionally the process recognises that “in order to protect the people from the pipelines, the pipelines must be protected from the people”.
Hence the design must incorporate both physical methods to protect the pipeline from failure, should the threat contact the pipeline and procedural methods (static – like signs, and active – like patrols).
Each threat must:
1. Be identified;
2. Be assessed as being a credible or non-credible threat;
3. At least the minimum of physical and procedural methods be given by the designer considered necessary to control the threat;
4. The designer must assess the effectiveness of the controls, against industry experience, specific analysis or other methods.
5. Where the designer considers the controls are effective in preventing the threat from damaging the pipeline, the threat is considered an accepted risk.
6. Where the designer considers the controls may not be effective, he is required to enter the risk assessment process.
a) The first step is to assess whether the threat can result in a fluid release. Where this occurs the threat is considered cause a hazardous event. Where there is no fluid release the process considers that the threat may be assessed as an accepted risk, although the designer may apply additional controls if these are considered to further reduce the likelihood of damage.
b) Each hazardous event must be analysed to determine the failure mode, and the consequence. The risk may be assessed using the frequency and severity levels, and the risk matrix incorporated in the Standard.
c) Risks assessed as high (or higher) must return to the design process and the design modified sufficiently for the risk to be no higher than intermediate.
d) Risks assessed as low (or lower) are accepted as being tolerable.
e) Risks assessed as intermediate must be further evaluated. Where possible, additional controls must be applied in an attempt to reduce the risk to low. Where this is not possible, an analysis must be performed to demonstrate that the residual risk satisfies the criteria in the Standard of As-Low-As Reasonably Practicable (ALARP).
7. When the whole of the pipeline is analysed and all documentation is complete, the designer is required to convene a workshop of stakeholders to review the SAFETY PROCESS (or SAFETY MANAGEMENT STUDY) in detail, including identifying any threats that may have been missed by the designer, assessing the effectiveness of the controls proposed (and suggesting alternatively or additional controls), and assessing the risk analysis. Once complete, the Licensee must approve the Safety Management Study, and in so doing, take responsibility for implementing its findings.
The Standard requires the designer to do the work – the Workshop and its facilitator are required to assess the designers’ safety management study, and to form an opinion of the quality, thoroughness and validity of it.
Unfortunately the industry has tended to combine the work and the validation study into the same activity, and more often than not, the facilitator has contributed much more to the study than simple facilitation.
This must stop, to ensure the process integrity.
ALARP
AS 2885.1 requires a study to demonstrate that a risk is controlled to As Low As Reasonably Practicable (ALARP) when the risk is assessed as intermediate.
The Standard defines that ALARP is achieved when the cost (of alternative or additional controls) is grossly disproportionate to the reduction in risk delivered by that alternative.
By definition, any study to demonstrate ALARP must consider all reasonable alternatives to controlling the threat, and it must rank these by cost and risk reduction delivered by the alternative.
Assessment of this data will lead to a conclusion that can be appreciated both by the designer, the validation workshop and external parties if required.
The Standard recognises that some intermediate risks can be readily assessed as satisfying the ALARP criteria, while others may require considerably more effort, possibly including third party studies, engineering design and detailed cost estimation and independent risk quantification by professionals in this field.
The designer and the Workshop must carefully consider the integrity of each ALARP assessment, recognising that in the event of a failure from the threat, this assessment will undoubtedly be assessed by a court, should the failure result in fatalities or other consequences for which an injured party would seek recompense through the legal system.
An argument is currently being put forward that all controlled threats, including those identified as accepted risk and those whose assessed risk is low (or lower) are referred to as being reduced to ALARP risks. The argument is that this better reflects the understanding of the broad risk environment.
The writer argues that should this occur, it will destroy the significance of ALARP to the AS 2885 risk process – since most accepted risks would fail a proper ALARP study (for example the cost of an increase in depth of cover does not become grossly disproportionate to the risk reduction achieved until the depth increase is significant).
Consequently any future change to the existing risk levels to call all “˜ALARP’ should be carefully considered by industry to ensure that the change, and any additional requirements do not degrade the integrity of the Standard.
Special case – land use change
Prior to AS 2885-1987 mandatory design factors applied to each location class.
A change from rural to residential location class required the pipeline operating pressure to be reduced (to reflect the residential design factor) or that section of the pipeline to be abandoned.
The industry argued that this was unreasonable, and that it could provide sufficient additional protection to reduce the risk for a pipeline designed for a rural location to that required for a residential location.
The 1987 revision recognised this argument, requiring a study to establish the additional controls necessary, and for these to be implemented.
AS 2885.1-2007 addressed a concern among industry that pipeline licensees may not be applying the necessary integrity to these studies, resulting in solutions that may not have provided the risk reduction necessary.
Clause 4.7.4 (change of location class) was designed to address this concern.
Should there be a change in location class at any location along a pipeline (usually from a less demanding to a more demanding location class), this clause requires a formal study that “shall include analysis of at least the alternatives of the following:
a) MAOP reduction (to a level where rupture is non-credible).
b) Pipe replacement (with no rupture pipe).
c) Pipeline relocation (to a location where the consequence is eliminated).
d) Modification of land use (to separate the people from the pipeline).
e) Implementing physical and procedural protection measures that are effective in controlling threats capable of causing rupture of the pipeline.
For the selected solution, the assessment shall demonstrate that the cost of the risk reduction measures provided by alternative solutions is grossly disproportionate to the benefit gained from the reduced risk that could result from implementing any of the alternatives.”
It appears that in cases where land use changes have occurred, studies to satisfy this clause have been cursory, and if called on by a court following pipeline failure, would be unlikely to satisfy the requirements for an ALARP study.
Should this happen, the regulatory impact on the pipeline industry is likely to be profound.
Pipeline Licensees who are required to manage a land use change must comply with the intent of Clause 4.7.4, and complete and document a proper, detailed and justifiable ALARP study.
The study must be capable of justifying the Licensee’s contention that the controls reduced the risk to ALARP in the event that there is a pipeline failure resulting in loss of life and property damage that could result in the Licensee being prosecuted. A simple assessment made in an SMS workshop will not satisfy this requirement.
Application of the safety process to everything
As discussed above, the 1997 SAFETY process was developed within AS 2885.1 (design and construction).
Since that time risk process has been applied to everything, including many operational activities for which a different risk assessment process is more appropriate.
The writer believes that this has degraded the relatively “˜pure’ process originally established for design.
In the writer’s opinion, the responsible technical committees need to very carefully reassess the safety/risk assessment requirements for activities covered by each part of the Standard.
Recognising that the design and construction component represents a very small part of the pipeline lifetime, that it has an expert team of professionals involved in the holistic development through a highly intensive, comprehensive understanding of the whole environment in order to make it a safe design for its lifetime.
The ongoing process through the operation and development of the pipeline usually involves a small team, small projects and functions that are quite different from those required at the time of the new pipeline development.
During the operations phase, risk assessment and control may well be addressed by methods other than that developed for pipeline design and construction.
Hopefully this will be carefully considered in the development of a new part of AS 2885, proposed to incorporate the risk management requirements for all parts of the pipeline’s life, and application to new projects, specific activities (like pressure testing), construction and the many threats and changes applying to an operating pipeline throughout its life.
Note: This article reflects an understanding of the AS 2885 risk process gained through involvement from its initial development and publication in AS 2885.1 – 1997. It does not necessarily reflect the opinion of the current technical committee of Standards Australia. Standards Australia should be contacted to provide a clarification or ruling on any matter in this article that seems contentious.