Risk Management

Introduction

Some may wonder why a book with Pipeline Risk Management in its title finally focuses on the ‘management’ aspect in the last chapter. Hopefully, it is apparent that in measuring risk—the risk assessment step—much of the management process becomes very apparent^{^[1]}. Full understanding of pipeline risk generates numerous opportunities to reduce that risk. So previous chapters have already identified risk mitigation opportunities. Reducing exposure, increasing mitigation or resistance, and minimizing consequences all serve to reduce risk.

Even if the risk quantification is imprecise, the exercise is important. The quantification puts a value on the depth of cover, patrol, ILI, pressure test, emergency response, leak detection, secondary containment, and the numerous other important determinants of risk, thereby providing the ‘benefit’ portion of cost/benefit analyses for these measures. Different mitigation measures will have different benefits (and costs) at various locations along a pipeline. The cost/benefit all along a pipeline guides decision-makers in risk management. Even when imprecise, the quantifications demonstrate a defensible, process-based approach to understanding and therefore managing risk.

However, even when the risk assessment is precise, there are still nuances and real challenges in risk management. For instance, knowing how and where risk reduction can/should be achieved still leaves not knowing when it should be done. Once a risk assessment has been completed and the results analyzed, the natural next step is risk management: “What, if anything, should be done about this risk picture that has now been painted?” This chapter can therefore focus on issues regarding the management of pipeline risks and the strategies that will be required to balance the desire to reduce risk with limited available resources.

Reaction to risk should be appropriate—proportional.

Risk Context

Recall the earlier discussion in ‘how to get answers quick!’ To gain some sense of pipeline risks, an examination of historical incident statistics is useful. A sketch of ‘typical’ pipeline risk is readily available from statistics compiled by various sources, often governmental. Using these, a risk evaluator can keep some numbers handy to provide context when needed. For example, in the US, with about 300,000 miles of gas transmission pipeline and 175,000 miles of hazardous liquids pipeline (jurisdictional by US regulations), estimates of country-wide reportable failures per year is readily obtained. These data suggest that a value of 1 to 2 reportable accidents for every 2,000 mile-years of hydrocarbon transmission pipeline provides a rough US failure frequency value—0.0005 to 0.001 incidents per mile-year. So, a 100 mile pipeline could be expected^{^[2]} to experience a significant failure once every 10 to 20 years.

Similarly, one set of recent historical experience statistics suggests that losses of around $500 to $4,000 per mile-year can be associated with US regulated pipelines. So, an owner of a 100 mile pipeline may recognize that he is exposed to long term losses averaging from $50,000 to $400,000 per year.

This same exercise can be repeated to gain a general sense of fatality or injury potential from various types of pipeline systems, based on how large populations of pipeline segments have behaved over long periods of time.

Important cautions are in order when using any generic statistical data (a recurring cautionary statement in this text), especially such high-level summary data. There are many miles of pipeline in the US that will have no accidents nor losses of any kind in many decades of operation. There will also be some miles of pipeline with long term performance worse than suggested by the summary statistics.

Nonetheless, having numbers such as these can be the beginnings of comparisons with non-pipeline risks. See discussion later in this chapter.

Applications

Once risk assessment has advanced to where the organization believes in produced results, the use of those results to support risk management can occur. Risk management plays numerous roles in decision support. PRMM discusses the following common and overlapping applications of a pipeline risk assessment/management program:

Identification of risks.
Reduction of risks.
Reduction of liability.
Resource allocations.
Project approvals.
Budget setting.
Due diligence.
Risk communications.

As well as the direct use of risk assessment results to support specific tasks in risk management, such as:

Design an operating discipline
Assist in route selection
Optimize spending
Strengthen project evaluation
Determine project prioritization
Determine resource allocation
Ensure regulatory compliance

Design Phase Risk Management

From choices in routing and wall thickness to redundancy in control/safety systems, many risk impacting decisions are made in the design phase of a pipeline. Practitioners of ALARP recognize the need for risk assessment at the beginning of the design [1031]. The design process itself is an exercise in risk management, with specified ‘reactions’ tailored to changing risks along the pipeline route. Risk nonetheless varies along the length.

Risk management, practiced during the design process, establishes an initial safety margin. This may be mandated by regulations as previously discussed or chosen by the designer. As some modern design efforts move toward limit-state design approaches, the historical notions of safety margins and extra robustness in a design are being quantified and re-evaluated.

The safety margin is related to a target level of reliability, even if not explicitly stated. When stated, the use of event recurrence intervals is a common aspect. For instance, a structure could be designed to withstand a 100 year flood or alternatively, a 500 year flood; a 50 year recurrence interval seismic event or 100 year. There remains the potential, albeit remote, that a more severe event occurs in the structure’s life. These considerations should be reflected in the risk assessment.

A pre-construction risk assessment is gaining in popularity since it helps owners understand another aspect of cost-of-ownership. These assessments will be based on the best available pre-construction information such as component design specifications, operational intent, maintenance plans, route surveys, soil investigations, geohazard threat assessments, and others. During construction and installation, new information pertinent to the risk assessment, will be available. This information usually deals with field-identified deviations from design intent and might include

Minor deviations in intended route
Unexpected subsurface conditions encountered
Use of different pipe components (elbows versus field bends, etc.)
Results of construction inspections and integrity tests
Differences in actual vs minimum design requirements, such as depth of cover or need for protective caps.

While such changes are mostly covered by design and construction specifications, a certain amount of decision-making occurs informally on the job site. This is also the practice of risk management. As-built information will be very valuable for a detailed, initial risk assessment and future risk assessments.

An integrity verification, such as a pressure test and/or ILI, conducted immediately after installation, decreases the chance of failure from design-related issues and certain errors in manufacturing/construction. It also provides a baseline for comparisons to future integrity assessments, providing a means to determine the rate at which new damages are being introduced.

In some pipeline systems, such as gathering pipelines intended for finite service lives, some amount of degradation (corrosion) is accepted. This is normally an economical decision—given limited need for the asset, it is more cost effective to possibly need to repair/replace than protect. Most pipeline systems are designed to avoid all degradation mechanisms. This is in contrast to some engineered systems that have ‘corrosion allowances’ or other expectations of an amount of tolerable degradation or wear out. When a pipeline design document includes a ‘design life’ or similar metric, it is not usually intended as a measure of the structure’s lifespan from a serviceability standpoint. It may indeed be a measure of some consumable aspect of the structure, such as an anode bed, designed to deplete over time. A design life may also indicate the period for which the asset is thought to be required, perhaps tied to the predicted life of a hydrocarbon production field. But, similar to a building, the life expectancy of a pipeline is indefinite when it is properly maintained. The use of design life to mean a period beyond which the pipeline structure becomes unserviceable, would be an extreme and unusual interpretation.

Specific risk elements can be better understood, and sometimes efficiently changed, in the design phase. Exposure can sometimes be changed by route selection; consequence can be changed by choices in route as well as product/pressure/volumes. Another interesting application of the recommended risk assessment approach is the ability to assess tradeoffs between increased mitigation and increased resistance during the design phase. Resistance options such as wall thickness often involve higher initial capital costs while many mitigation options involve either higher installation costs (for example, depth of cover) or on-going costs (for example, patrol, public education). Comparing the costs and risk reductions associated with such options strengthens the design and project economics.

See also the discussion of risk assessment and route selection in .

Measurement tool

Formal risk assessment is a measuring tool. The measurements emerging from its application provide a consistent, defensible basis for risk management choices. As with any measuring process, uncertainty exists and should be acknowledged. Minor changes in risk results may not reflect actual changes but rather variations in an inherently ‘noisy’ set of data. Understanding of measurement variability begins with examination of the assessment results. Common sources of measurement variation—and possible contributors to measurement error—are listed in PRMM. The ability to distinguish real changes in risk level from changes due to measurement uncertainty will vary from assessment to assessment.

See and also PRMM for some simple statistical and graphical tools that can be used to further explore a risk assessment’s capabilities as a measurement tool.

Acceptable risk

Risk management will eventually require judgments regarding ‘how safe is safe enough?” Value judgments associated with risk usually employ qualitative terms such as:

Acceptable risk
Tolerable risk
Justifiable risk
Negligible
Trivial risks.

Choices in acceptable risk are complex, involving socio-economic and political considerations at a high level and human psychology on an individual level. To put a level of risk into perspective, it is instructive to look at the types of risks people are ordinarily exposed to during day-to-day life. There are voluntary activities (driving a car) and involuntary activities (being hit by lightning) that involve risks higher than those due to most pipeline components. But comparing voluntary to involuntary risks is not usually a sufficient argument for tolerability of risk.

Societal and individual risks

QRA has long-employed a distinction between individual risk and societal risk. Individual risk provides an estimate for the risk to an individual at a specific location for a specified period of time.

Societal risk usually represents the relationship between frequency of events and number of individuals that could suffer a specified harm from that event—for instance, the annual risk of death of a certain number of people in one pipeline incident. FN curves are commonly used to show the aggregation of many possible pairing scenarios—fatality count versus event frequency.

An important distinction between the two is the exposure created by a facility. Each pipeline component potentially generates a certain hazard radius. Only receptors within that radius are theoretically harmed by a leak/rupture from the component. A collection of components—for example, a long length of pipeline—will not expose the same receptors to potential harm. The maximum exposure occurs for an individual who is very near (perhaps directly over) the pipeline 24 hours of every day. The individual is exposed to pipeline failures immediately adjacent and for some distance along the pipeline to either side. Moving away from the line, risk decreases because he is exposed to less pipeline, based on simple geometry. Determining the length of pipe that can affect a single point is a consideration in individual risk estimates. Both individual and societal risk are important. The use of only societal risk to generate acceptable risk levels for instance, may result in areas with low receptor counts—for example, low population density—bearing a disproportionate amount of risk. The societal risk relationship may suggest that events with low counts of damage—for example, fatalities—are more tolerable and can therefore carry higher probabilities. Strict application of this may result in lower event probabilities only in areas where more receptors exist.

Reaction to Risk

A risk assessment will not accurately predict the next incident—what will happen, where, and when?—except in extreme cases. Our current understanding of real-world phenomena requires an allowance for randomness, expressed in our estimates as probability. So even if the risk assessment is as perfect as current understanding allows, it will still only be accurate for large populations of segments over long periods of time, again, not showing precisely where/when action should be taken. Therefore, it is common for decision-makers to take courses of action not fully supported by their risk assessment results. For example, a decision might be made to reduce certain high consequence, low probability events, even when such events carry a lower EL than other events (ie, lower consequence, higher probability events). This was noted in the discussion of matrix-style visualization tools. However, when this occurs, it must be recognized that one of two things are occurring:

The risk estimates are not trusted. There are several variations on this possibility. The most obvious is that the decision-maker feels something is omitted or incorrectly assessed. Another possibility is that the decision-maker chooses a different confidence level. For instance, the risk assessment is conducted at a P90 level and the decision-maker, desiring a P99 level, overrides the assessment with what he believes accounts for the additional uncertainty.
The decision-maker is intentionally choosing an irrational path. A statement this absolute is possible since a risk assessment can include all available knowledge. If it does include all, then choosing a course contrary to that is supported by a trusted, complete, and logical assessment requires some valuation by the decision maker that is not supported by available knowledge. In the case of risk management, emotional decision-making is prevalent.

Risk Aversion

It is commonly accepted that our reactions to risk are not proportional. For instance, we are typically more outraged by—or more averse to—single events with larger consequences than multiple, smaller consequence events, even when the latter is ultimately more costly to society.

Visually, the slope of the common FN curve is said to display risk aversion. The shape of most FN curves shows increasingly lower chances of increasingly higher fatality count incidents. That is, the chances of a single event causing 100 fatalities should be much lower than 1/100 of the chance a single fatality. This reflects one aspect of risk aversion—the decreasing acceptability of single events that generate increasing consequences.

Decision points

Risk management requires that risk-altering decisions be made. Decision-making ultimately hinges on the concept of acceptable risk, even if not directly stated as such. Implicit in the notion of ‘acceptable’ risk is the determination of that risk level that will carry the designation. There must be a decision process to arrive at this believed-to-be-appropriate level of risk that will be called ‘acceptable’.

Due to human risk perceptions, consequences often become more critical than probabilities in reactions to risk and, hence, in decision-making. An emphasis on dramatic but highly improbable scenarios is not always rational. In risk communications and regulatory decision making, this makes a formal study and quantification of incident event sequences more necessary. Many of the events in the sequences studied will be related to a particular damage state. The sequence begins with a failure probability but then follows paths that are ultimately measuring the likelihood of various consequence scenarios. Along the pathways to common consequences of interest are questions such as—is there immediate ignition or delayed ignition? How big a cloud may form? What are the likely temperature and wind conditions? What if an explosion occurs? How far are the vulnerable receptors?

The overall likelihood of failure of the pipeline—often the starting point for the event sequence—is a function of the PoF variables discussed in this book. Most risk management efforts should normally focus first on the probability of failure. This is not only because failure frequency reduction is usually the best way to reduce risks, but also because so many variables impact failure frequency that a formal structure is needed to properly consider all of the important factors.

While risk estimates produced with a modern risk assessment are expressed in absolute terms (for example, failures/km-year, $/mile-year), it is often their relative value that prompts action. Especially when absolute action-criteria are not triggered but when action is nonetheless prudent, risk management can employ ranking and scaling to prioritize and schedule management activities.

A complication in any decision process is the need for a time factor in setting a risk tolerance or an action trigger. A certain level of risk may be tolerable for some period of time, until the situation can be efficiently addressed. For instance, less-than-desired depth of cover may not require immediate attention and can be addressed in conjunction with other work planned in the area—perhaps months or years in the future. At some level, however, a risk is seen to be so unacceptable that immediate action, even the shutdown of the pipeline, may be warranted.

Recall that risk levels will generally rise over time, at least when uncertainty is modeled as increased risk. Any decision approach must acknowledge the potential increase over time. A certain portion of the risk management effort will often be going to offset natural increases in risk while the remainder advances the goal for risk reduction.

In many cases, the amount of available resources appears to set the de facto level of acceptable risk (beyond any compliance-based risk levels), since money usually runs out before the list of “things to do” is exhausted. Operators often generate/maintain an ongoing list of possible projects to manage the risk level on an asset but often fall short in establishing criteria for the criticality and timing of each potential project. Ideally, the budgets are themselves established by a consistent and defensible risk management strategy. A formal risk assessment is an essential element in the strategy.

With risk assessment results in hand, a risk management strategy can be developed to drive spending on all portions of all assets. A time horizon is an aspect of budget-setting; ie, how quickly are goals to be achieved? When the budgets are established with the aim to improve or maintain pre-established risk levels, then required actions are identified and appropriate levels of resources can be allocated.

Whether the exercise is to prioritize risk issues, rank projects, set annual spending budgets, or establish acceptable risk values, various risk management decision processes can be employed, as is discussed in the following section.

Comparative Criteria

Especially where quantitative acceptable risk criteria are not available, comparative risks are used to help judge acceptability. See examples and related discussions of risk comparisons and voluntary versus involuntary risks in PRMM.

Also relevant is the implied level of acceptable risk based on pipeline industry standards and regulations. As a comparison metric, these implied values can be used to suggest acceptability of risk. This is discussed in the next section of this chapter.

Changes in risk level also use comparisons—sometimes to emphasize a bias or position for or against some endeavor that generates the risk. For example, a change in risk from 5e-8 probability of fatality per year to 10e-8 probability of fatality per year can be described as either:

A doubling of risk.
A minor, insignificant increase in risk.

Both may be technically correct but sends dramatically different messages to an audience. Similar examples to suggest noteworthy or, alternatively, insignificant improvements in safety by the employment of new mitigation measures are common in debates over acceptable risk levels.

Numerical criteria

A numerical risk criterion is sometimes used at a decision point for risk management. Examples of specific criteria, usually used by regulatory agencies and expressed in terms of acceptable annual chances of fatality, are shown in PRMM. These values are sometimes used as actionable limits—“a risk above this line requires action; below the line is ‘safe enough’.”

For those wishing safety levels beyond regulatory minimum compliance levels that use such numerical criteria, it might be a starting point from which detailed risk management can begin.

Note that a numerical criteria for acceptable pipeline risk is often based on length, consistent with the definition of individual risk discussed earlier. This is logical since a long pipeline, while possibly exposing many receptors, does not increase the exposure to a given receptor due to its length. A criteria that does not consider this would make a criteria impossible to meet for a very long pipeline.

If criteria is based on unit length, then it must consider a very small unit length, eg inch, cm, mm, failure potentials. Otherwise, small but critical features can be masked by nearby very safe segments. Imagine an ILI-detected anomaly, only one mm in length but very deep, with failure imminent. If this is an isolated pit, the neighboring joints of pipe might be defect free for many meters and readily meet acceptable risk criteria. A per-km risk criteria could show acceptable risks despite the defect, due to its length contribution being so small, if an inappropriate risk aggregation strategy was used. A full and proper aggregation would ensure that the one mm feature results in an unacceptable per-km risk rate. See related discussions in Chapters 2 to 4.

Data-based criteria

Rather than an overall criteria for ‘actionable’ levels of risk, the analysis of values from a specific risk assessment can lead to the establishment of action triggers. This includes reactions to outliers (see later discussion) and continuous-improvement approaches, both of which react to results from specific assessments. PRMM discusses some data analyses techniques that might be useful in using risk assessment data to make risk management decisions.

A prudent philosophy to risk management may lie in continuous improvement but will also need to be supplemented by predetermined strategies that are at least loosely based on acceptability criteria. The operator can always be seeking risk reduction opportunities at all locations. However, for consistency and defensibility, the degree and speed with which risk reductions occur should be driven by pre-established trigger points (criteria), to ensure a predominantly ‘continuous improvement’ strategy is indeed reducing risks.

Risk criteria

Establishment of risk criteria provides a way to confirm that acceptable or tolerable risk levels exist.

Both qualitative and quantitative risk criteria have been used. Numerical risk criteria can link quantitative risk estimates with subjective, qualitative decision criteria such as “insignificant risk” or “actionable risk.”

ALARP

The concept of “as low as reasonably practical” (ALARP) is an example of such a linking and is widely recognized among risk assessment and risk management practitioners.

The ALARP principle generally requires facility owners to adopt all safety measures up to the point where the cost of the safety measure is “grossly disproportionate” to the risk reduction.

Even though quantitative criteria are used, the application of ALARP has a qualitative aspect to it. There are references that seek to quantify aspects such as ‘grossly disproportionate’ that are embedded in the ALARP definition.

This is illustrated in the following example:

Consider a catastrophic pipeline accident involving the death of two individuals and the loss of the pipeline with an estimated event frequency of 10-5 per mile-year. The threshold for disproportionate cost, using a disproportionality factor, is illustrated as follows:

The values and units in this example are:

10-5 accidents of this type per mile per year

58 miles length of pipeline

$10M cost of fatality

2 person fatality per accident

6 is disproportionality factor, based on some guidance documents suggesting factors between 2 and 10

$1.5M additional cost per accident for other losses

(10-5 × 58) accidents/year × ($10,000,000 × 2 + $1,500,000)/accident × 6 = $75,000/year

In this example, $21.5M is the cost of an accident of this type; $12,500 is the annual risk from an accident of this type; and the $75,000/year value is a theoretical maximum amount to be spent to reduce the chance of that accident. This is heavily influenced by the disproportionality factor.

This threshold for disproportionate cost is used in the following way: If it is possible to reduce the risk of the accident for less than $75K/year then before the risk can be declared ALARP, it must be reduced. It may be possible to reduce the risk for much less. Alternatively, it may not be possible to significantly reduce the risk without spending vast amounts of money—in excess of the disproportionality-factor-adjusted avoided loss of $75K/year. In this case, the risk would be determined to be ALARP and additional spending to reduce it is not warranted. Another example of when spending becomes ‘grossly disproportionate’ to the risk reduction benefits, is in the following section.

Examples of Established Quantitative Criteria:

Examples of numerical risk criteria can be found specifically for pipelines, more often for land-use planning, worker safety, and other industries such as chemicals processing and aerospace engineering. PRMM provides examples of risk criteria from around the world. Some additional examples follow.

Ireland

Ireland’s Commission for Energy Regulation, in its ALARP recommendations [1031] recommends the following for ‘petroleum undertakings’:

€2.4M as minimum value of ‘implied cost of averting a fatality’, based on work done by Ireland’s National Roads Authority and comparable to UK HSE’s 2003 valuation that equates to €2.25M in 2013.
Grossly disproportionate is assumed to be more than 10X the benefit. Factors less than 10 will be considered but require ‘a robust justification’. This factor also serves to better protect small populations exposed to the threat.
Individual risk tolerability limits:<10-6 fatality per year is broadly acceptable, values of >10-4 for public or 10-3 for workers are unacceptable. This is reported to be comparable to criteria used in the Netherlands, Western Australia, and UK.
Societal risk upper tolerances are established using 10-3 fatalities per year for 1 individual (y axis intersect) with a -1 slope on log-log plot of frequency versus number of fatalities (public only, not workers). The lower tolerability limit is two orders of magnitude below the upper.
The use of a factor of at least 2 is seen in other disproportionality quantifications.

Latin America

A major pipeline operating country in Latin America used, for many years, a criteria of $5K/km as an unpublished criteria to determine actionable levels of risk. This was a maximum allowable risk level since it implicitly allowed segments with risk levels below this value to be unactionable.

Research

Recent work [777, 888] has suggested tolerable risk levels based on currently accepted standards of pipeline design, operation, and maintenance. These tolerable risk levels have been incorporated into Canadian pipeline standards^{^[3]} [9988] and were reportedly being considered for inclusion into US pipeline standards. Designed for onshore natural gas transmission pipelines, this assessment applies the concepts to the subject pipeline segments.

Reliability targets (excerpt from ref [888]):

The goal of RBDA is to achieve tolerable and consistent risk levels for all pipelines. This is accomplished by setting a maximum permissible failure rate that is inversely proportional to the severity of the failure consequences for each limit state category. The reliability level corresponding to the maximum permissible failure rate is referred to as the target reliability level.

Tolerable SR levels were generated by calibration to current design codes and best North American industry practice as partly embodied in ASME B31.8, ASME B31.8S, and 94CFR192.327. Since new pipelines designed and maintained to the requirements of these standards are widely accepted as safe, the average level of SR associated with these pipelines was considered to be tolerable.

RBDA=Reliability based design and assessment

SR=societal risk

Limit state = a state beyond which the pipeline no longer satisfies a particular design or operating requirement. For this application, rupture and large leaks are the limit state of interest.

Offshore

Ref [999] recommends a risk based design standard for offshore pipelines based on safety classes. A safety class is determined by fluid transported, population density (location class), and consequence (safety class). Nominal target failure probabilities are set based on safety class. A reliability based design is an option under this design code and is summarized as follows:

Nominal failure probabilities vs. safety classes

Limit States	Probability Bases	Safety Classes
Low	Medium	High	Very High
SLS	Annual per Pipeline ¹	10^-2	10^-3	10^-3	10^-4
ULS²	Annual per Pipeline ¹	10^-3	10^-4	10^-5	10^-6
FLS	Annual per Pipeline ³
ALS	Annual per Pipeline
	Pressure containment	10^-4-10^-5	l0^-5-10^-6	10^-6-10^-7	l 0^-7-10^-8
1) Or the time period of the temporary phase. 2) The failure probability for the bursting (pressure containment) shall be an order of magnitude lower than the general ULS criterion given in the table, in accordance with industry practice and reflected by the ISO requirements. 3) The failure probability will effectively be governed by the last year in operation or prior to inspection depending on the adopted inspection philosophy.

These nominal probabilities apply to an entire pipeline, according to the table shown.

Engineered structures placed in public areas, include not only pipelines, but also buildings, bridges, walls and numerous other structures. Therefore, building codes imply a level of acceptable risk which may be relevant to acceptable risks for a pipeline. PRMM lists examples of building reliability levels.

Classification of safety classes

Safety class	Definition
Low	Where failure implies low risk of human injury and minor environmental and economic consequences. This is the usual classification for installation phase.
Medium	For temporary conditions where failure implies risk of human injury, significant environmental pollution or very high economic or political consequences. This is the usual classification for operation outside the platform area.
High	For operating conditions where failure implies high risk of human injury, significant environmental pollution or very high economic or political consequences. This is the usual classification during operation in location class 2.

Offshore Standard DNV-OS-F101, October 2007

Risk Reduction

Risk becomes zero when either the PoF or the CoF become zero. While zero risk is unrealistic for most industrial undertakings, it is useful to at least conceptually explore this scenario to confirm that the risk assessment appropriately captures such extreme scenarios. The probability of failure tends towards zero when any of three possible situations appear:

No failure mechanisms exist—ie, exposure = 0
Failure mechanisms are fully mitigated—ie, a threat exists but is prevented from acting on the system to the degree that a failure results. Mitigation = 100% results in no risk.
The system is designed to fully withstand the threat—a failure mechanism acts on but cannot cause the system to fail. Resistance = 100%

CoF becomes zero when no damages can arise from the ‘failure’ being measured. For failure = leak/rupture, CoF becomes zero when any of the four subvariables is zero: product hazard, spill size, dispersion, or receptor damage potential.

Beginning Risk Management

Identifying when and where effectiveness risk reduction efforts should be applied can be a very complex process. In more extreme cases, the need and the urgency will be apparent. But, for most lengths of most pipelines, the seeking of incremental improvements rather than emergency reactions will guide risk management.

Pre-established decision criteria often provides the urgency of risk reduction—how fast should action be taken. Determination of ‘outliers’ versus ‘systemic’ type risk issues often provides the locations and extents where action is warranted. Finally, the risk assessment directs the identification and choices of risk reduction measures. The risk profile is the essential tool in managing pipeline risk.

Profiling

A risk profile—changes in risk along the pipeline route—is required to efficiently begin the process of pipeline risk management, whether the profile covers an entire pipeline system or a sub-section such as a HCA. The profile of changing risk along the length is the key to understanding and managing risk.

The profile instantly reveals the nature of the pipeline’s risk. There may be extreme outliers, or stable but high risk, stable and low risk, rapid changes, and numerous other patterns. These patterns are critical in determining how to manage the risk.

The profile of any sub-part of risk may warrant examination. Certainly the interplay between PoF and CoF will influence risk management. But so too will changes in exposure, mitigation, and resistance inform decision-making, as will changes in hazard zone size and receptor populations/sensitivities.

Acceptable risk criteria and other pre-determined decision points (discussed previously) can be added to the profile. This clearly shows where action is warranted and not. Many applications of risk management will, however seek continuous improvement, where additional actions will be taken even where criteria are met. A comparative analyses is almost always a part of risk management that goes beyond meeting criteria. In all instances, the profile is the key tool.

Use Profiles to Guide Risk Management

Outliers vs Systemic Issues

Pipelines or portions of pipelines may exhibit profiles such as the examples in Figure 13.1. Segment A in Figure 13.1 has some obvious outliers. These may also exceed acceptable criteria and hence warrant action—perhaps immediate action.

Segment B shows consistent risk—no obvious outliers. The entire length may meet criteria or it may alternatively be entirely out of compliance. This is the first determination to be made. If entirely failing to meet criteria, the risk issue is often systemic. That is, there is one or more risk-driving factors embedded along the entire length. Examples include a weak longitudinal weld seam, failing corrosion coating, sensitive and vulnerable receptors, etc. Knowing this, the risk management plan can be constructed accordingly.

A profile may show both A and B type behavior and alternate between the two or multiple variations of the two. This provides an opportunity to customize action plans to location-specific and issue-specific portions of the segment. With the initial determination of ‘within/outside criteria’ and then ‘outliers’ versus ‘systemic’ type issues, action planning can begin—tailoring possible actions to what is seen in the profile.

Candidate projects are identified based on the risk issue(s) needing to be addressed. A project may change exposure, mitigation, resistance, or consequence or it may impact more than one of these. But since at least one must be changed in order to change the risk, the exercise of identifying candidate projects is greatly facilitated by the risk assessment (which shows each of these components independently).

The location-specific or issue-specific portions of the segment will generally have remediation opportunities determined by what-if analyses. Potential projects are compared and chosen based on their cost/benefits.

Unit Length

Previously discussed ‘unit risk’ considerations will be important. A rank-ordering based on risk-per-foot will usually yield a different list than risk-per-segment, where a ‘segment’ is of varying lengths. Both lists are important—even a short stretch of disproportionately higher risk warrants attention, as does a segment whose cumulative risk is higher.

Segment length for risk management is often quite different than for risk assessment. Risk assessment is driven by the data. Aggregation approaches are used to subsequently collect multiple risk assessment segments into longer segments that will receive the same risk remediation.

Conservatism

As detailed in —using an intentional bias towards overstating the actual risk—is a useful property of many risk assessments. Removal of such conservatism reduces apparent risk. Therefore, a legitimate form of risk management is often to remove uncertainty, thereby reducing the overstatements of risk and lowering the modeled risk.

As a subset of the conservatism role discussion, consider also the use of both measurements and estimates common in a modern risk assessment. Estimates must often be used when measurements are unavailable or carry too much uncertainty (see the discussion). A common risk issue identified for improvement will be any conservative estimates used. Replacing them with actual measurements is normally an uncertainty-reducing opportunity. Again, this reduction in uncertainty can be equated to reduction in risk, when using conservative inputs.

Mitigation options

The risk assessment focuses attention on risk reduction opportunities in several ways. Obviously, where risks are higher, more attention is probably warranted. Looking deeper, the risk assessment also shows the cause of the higher risk. Especially on a comparative basis, locations of higher exposure, less mitigation, and less resistance become apparent. This helps direct resources optimally. For instance, depth of cover or concrete slab protects a pipeline from third-party damage; cracks and corrosion flaws detected and removed while they are still of a size to have no impact on pipeline integrity ensures that TTF is sufficiently long to avoid failure. In practical terms, changing certain things are of course much more attractive than others.

Reducing risk by reducing the probability of failure—usually mitigating exposures identified in the PoF assessment—is normally the main risk management effort. Reducing potential consequences is usually more problematic due to the generally unchangeable nature, from a practical standpoint, of the consequence factors. It would require altering some aspect of the product stream and/or the pipeline’s surroundings to effect the greatest change. Although some consequence elements such as emergency response and leak detection are very realistic opportunities to reduce consequences, their range of effectiveness and reliability do not often match the opportunities to impact the PoF.

Risk management may possibly even lead to the reduction or temporary elimination of certain mitigation activities in low-risk areas to allow more resources to go to higher risk segments. Intentionally permitting a risk increase in an area may be controversial and should only be done after careful and thoughtful analysis. Nonetheless, when additional resources are not available, redistribution of existing resources may be reasonable and prudent.

Analyses of Changes

Change	Variables affected
Increase pipe wall thickness by 10%.	Resistance, all stress influenced factors, many associated changes if done on existing pipeline (new coating, depth cover, signs, etc.)
Reduce pipeline operating pressure by 10%.	Stress factors, leak size, hazard zone, MAOP potential, etc.
Improve leak detection on certain leak rate from 20min to 10min	Leak size, hazard zone (including reaction).
If population increases	Receptors, activity level for third party damages 22 per mile to 33 per mile (50% increase).
Increase air patrol frequency.	Third party damage, geohazards, sabotage, leak detection.
Improve depth-of-cover by 10%.	Third party damage (including impacts), geohazards, sabotage, corrosion.

Risks dominated by consequences

Since options for reducing potential consequences are normally fewer and more problematic, it is usually preferable to reduce risk by decreasing failure potential. Nonetheless, it is always useful and sometimes essential to examine consequence-reduction opportunities. The high level, simple multiplication of the 4 key leak/rupture consequence determinants introduced in is useful here. The product of four variables essentially determines the magnitude of the potential consequences:

RI = PH × RQ × D × R

Where

LI = Release impact (CoF)

PH = product hazard (toxicity, flammability, etc.)

RQ = release quantity (quantity of the liquid or vapor release)

D = dispersion (spread or range of the release)

R = receptors (all things that could be damaged by contact
with the release).

Reducing any of the inputs results in CoF reduction.

For instance, changing the product type or pressure, installing secondary containment, relocating the pipeline or removing the nearby receptors, or reducing the size or flowrate are all risk reduction options, at least theoretically, but these are rarely realistic options due to economic considerations. Typically, the more practical opportunities for most pipelines involve improving leak detection and emergency response.

For service interruption risks, customer impact mitigations are similarly few compared to excursion avoidance opportunities. CoF reduction opportunities are detailed in and .

Despite the more problematic nature of CoF reduction, occasionally, reducing failure probability is not enough to bring the risk to an acceptable level (by whatever acceptability criteria is being used). to explore additional leak/rupture risk reduction opportunities under this circumstance, one possible approach is as follows:

Determine to what level the PoF would need to be decreased in order for this risk to be brought in line with “normal” risk levels or some criteria of acceptability?
Is this level technically possible?
Is this level economically feasible?

If it is determined that acceptable risk levels cannot be achieved by lowering failure potential and the more practical CoF reductions are insufficient, then an examination of more extreme options is warranted.

Can the product by modified to be less hazardous?
Can alternative modes of transport result in lower risk?
Can the pressure be reduced?
Can the pipeline be relocated?
Can the potential spill dispersion be reduced by secondary containment?

While these are a part of any risk management effort, they perhaps become especially critical when tolerable risk levels are most difficult to achieve.

Progress Tracking

Examining and tracking progress in risk reduction is efficiently accomplished via EL. Since EL values can be threat-specific, location-specific, consequence-specific, etc., various components of overall EL can be tracked as well as the total EL. For example, while an upgrade to a CP system should show improvement in overall EL, the impact on “external corrosion EL” will be driving that improvement and may warrant independent examination. An improvement in patrolling a pipeline may show significant improvements in “third party EL’ and ‘consequence reduction’ (leak detection), again shown in the overall EL but perhaps also interesting to view independently.

Spending

Basing scheduling and resource allocation decisions on risk estimates should be a defensible, traceable process. The pipeline components with the highest and lowest risk estimates are obviously significant to risk management. A disproportionate amount of resources is justifiably spent on the higher risk segments. In a fully monetized risk assessment, appropriate amounts of spending are also suggested.

Underpinning the discussion of measuring risk avoidance costs should be the idea that analyses may ultimately prove that a venture is not worth pursuing. Once risk costs are added to capital and operating costs, there may be insufficient return on investment to justify the venture at all. A formal risk assessment provides the more objective means for such determinations. Experience-based judgment and perhaps even intuition will still be important in decision-making, but the structure and discipline of the risk assessment removes much of the subjectivity that would otherwise accompany such challenging determinations.

Cost of accidents

Risk reduction is intended to result in the avoided losses due to accidents. Avoided losses should include avoided indirect costs such as political and legal ramifications, contract violations, loss of customer confidence, and other considerations.

discusses the estimation of potential loss, for example, the cost of accidents and shows some historical costs of incidents.

Cost of mitigation

Risk management seeks the most efficient attainment of acceptable risk. It is often appropriate to exhaust the lower cost risk reduction options before more expensive options are considered. A risk assessment ‘values’ mitigation activities based on their ability to reduce risk (specifically, reduce PoF), with no consideration given to the cost of the activity. Risk management adds mitigation cost considerations in order to optimize spending towards risk reduction. Some hypothetical projects, with example cost/benefit values, are shown in (modified from original scoring examples shown in PRMM). Note that some actions have a very location-specific impact while others have a large system-wide impact. See the discussion on cumulative risk calculations earlier in this chapter.

Sample mitigation project cost-benefit analysis

1	2	3	4
Action	Cost NPV ($K)	Failure mechanism impacted	Reduction in risk (%)
1000-ft pipe replacement	82	All	2,200
Increased training/procedures	25	Incorrect operations	20
Upgrade cathodic protection	46	Corrosion	54
Maps/records improvements	33	Third party; incorrect operations	8
Information management system improvements	19	All	17
Recoat 400ft	76	Corrosion	500

Note that some percentage changes represent orders of magnitude differences in ‘before’ and ‘after’ risks. This is consistent with real world experiences that demonstrate there are commonly multiple orders of magnitude differences between the higher and lower risk components.

Practitioners of ALARP are obliged to consider costs of mitigation as well as risks while conducting risk management. ALARP includes the generation of a cost/benefit analyses where the concept of potential mitigation that is grossly disproportionate to its benefit arises. Quantifying the point at which a potential mitigation becomes grossly disproportionate is debatable. One regulator states that a factor of 10 or more equates to disproportionality but provisions for lesser factors have been made. [1031] That regulator guidance document also addresses potential arguments, perhaps employed by some petitioners in the past that attempt to weaken the ALARP application:

The cost of the measure, against which the safety benefit is being compared, should be restricted to those costs that are solely required for the measure. Realistic costs should be used so that, for example, the measure is not over engineered to derive a large cost, distorting the comparison to conclude that it would be grossly disproportionate to implement.

If the cost of implementing a risk reduction measure is primarily lost or deferred production, the ALARP assessment should be undertaken for the two cases where lost or deferred production is and is not accounted for. If the decision is dependent on the additional cost of the lost or deferred production (i.e. the risk reduction measure would be installed without considering this cost), a highly robust and thorough argument as to why the measure could not be installed while losing less production (for example, at a shutdown) will be required if the measure is to be rejected.

If the lost production is actually deferred production (i.e. the life of the equipment is based on operating rather than calendar time), then the lost production should only take account of lost monetary interest on the lost production plus an allowance for operational costs during the implementation time, or potential increase in operational costs at the end of life.

If shortly after a design is frozen, or constructed, a risk reduction measure is identified that normally would have been implemented as part of a good design process, but has not been, it would normally be expected that the measure, or one that provides a similar safety benefit, is implemented. An argument of grossly disproportionate correction costs cannot be used to justify an incorrect design.

If the cost of a risk reduction measure is assessed to be in gross disproportion to the safety benefit it provides and it is not implemented because of a short remaining lifetime, it is expected that supporting analysis will be carried out for a number of different remaining lifetimes due to the inherent uncertainty in such a figure. The justification for a non-implementation decision that is dependent on a short lifetime assumption would have to be extremely robust. [1031]

An argument could be constructed that, for a reason such as the short remaining lifetime, the reinstatement cost of a previously functioning risk reduction measure is grossly disproportionate to the safety benefit that it achieves. This is commonly called reverse ALARP. In this case the test of Good Practice must still be met and, since the risk reduction measure was initially installed, it is Good Practice to reinstall or repair it. Reverse ALARP arguments will not be accepted in an ALARP demonstration. [1031]

Basic cost estimation practice is readily applied to risk management PRMM provides a more detailed discussion of estimating costs of risk mitigation

Consequences AND Probability

Risk management opportunities can be presented in a misleading way if both consequence and probability issues are not addressed. For instance, a government-sponsored study on the benefits of additional pipeline valve capabilities attempted to show a cost benefit conclusion. While it appropriately analyzed differences in consequence potential arising from increased shut in opportunities, it failed to provide the necessary context of how often would such ‘savings’ occur. The ref [1015] study on value of additional block valves [1050] discussion of cost/benefit concludes the following:

“The study results further show that for natural gas release scenarios, block valve closure within 8 minutes after the break can result in a potential cost avoidance of at least $2,000,000 for 12-in nominal diameter natural gas pipelines and $8,000,000 for 42-in nominal diameter natural gas pipelines depending on the configuration of buildings within the Class 3 HCA.”
“The benefit in terms of cost avoidance for damage to buildings and personal property attributed to block valve closure swiftness increases as the duration of the block valve shutdown phase decreases. Risk analysis results for a hypothetical 30-in. nominal diameter hazardous liquid pipeline release of liquid propane show that the estimated avoided cost of moderate building and property damage resulting from block valve closure in 13 rather than 70 minutes is over $300,000,000.”

Note that the above conclusions are not yet cost/benefit valuations. As presented, they do not consider the frequency of pertinent scenarios, a critical aspect in determining the risk reduction benefit, ie, how often the consequence avoidance is triggered.^{^[4]} Benefit realizations are also contingent upon outside factors, notably the ability of firefighters to be on scene within a specified time period.

At face value, these cost avoidance values may appear very attractive. However, the possibility of realizing such cost savings could be extremely remote. With a pertinent incident rate of, say 0.00001 per year, and cost of the additional capabilities being, perhaps $250,000 per installation, the attractiveness of the option is greatly reduced—ie, spending $250,000 to avoid $3,080/year of losses. ($308,000,000/incident x 0.00001 incidents/year = $3,080/year). On the other hand, if the incident rate is closer to 0.001, then the installation of the new capabilities is indeed very attractive.

Monitoring and linking costs to specific risk elements allows decision makers to more efficiently allocate resources. Safer practices may require extra operating costs but will ideally be offset by cost savings from the generally more efficient operation; for example, less downtime, employee absence, etc. Then, the focus can be on the value, from a risk perspective, of the activities.

Route alternatives

Much goes into the process of selecting a route for a pipeline or a site for an associated facility. An often overlooked aspect is that each potential route or site location carries a risk cost as well as an acquisition/installation cost and on-going operating/maintenance cost A less expensive installation route alternative may carry a “route penalty,” as an offset to the cost savings once future risks are included in the analysis. This in effect assigns a cost to the condition(s) causing the increased risk. This is obvious in decisions such as avoiding populated areas when possible, but is less obvious for other elements of risk. Using a full and robust risk assessment ensures a complete understanding and improved decision-making.

For example, pipeline route A might be shorter than pipeline alternate route B. Suppose that the shorter distance would result in a savings of $665,000 in materials and installation costs. However, route A contains potential AC induced corrosion, more corrosive soils, the presence of more buried foreign pipelines, and a higher potential incident rate of on-going excavation damage. Even after mitigating measures, these additional threats to pipeline integrity are estimated to cause the risk for route choice A to carry $135,000/year more risk (expected loss) than route B. Unless the facility is expected to only have a very short life span, the initial installation savings is quickly offset and the option is less attractive. Adding consequence considerations, a difference in pipeline routes involving, for example, differing population densities will often result in even more dramatic impacts on risk.

To support route selection, a robust risk assessment will assign a ‘cost’ to even an unchangeable condition along the pipeline. Examples include soil conditions, nearby population density, potential for earth movements, and nearby excavation activity levels. This ‘cost’ is the level of risk that is added by the condition. This is especially useful when alternate routes or site locations are considered in new pipeline or facility design.

Risk Management Support

As with any initiative, especially in larger organizations, the risk management program must itself be managed. This involves assignment of roles and responsibilities (ownerships) as well as written control documents guiding all aspects of the program. There are multiple examples of failed programs due to insufficient attention to the administrative aspects.

Similarly, an oft-overlooked aspect of pipeline risk management is risk communications. Risk can be a technically complex and emotionally charged topic. When competing interests and priorities are involved, as they often are among stakeholders of pipeline activities, communications should be done in a way that does not widen differences among those stakeholders. An audience can readily seize upon unfortunate ‘sound bites’ and an unintended messages and, depending on their bias, be too influenced or too dismissive of any risk assessment data. For instance, the priorities of neighbors to the pipeline are sometimes at odds with the owner/operators. The communications of risk ‘facts’ from the latter to the former has historically been problematic when not done with care and compassion.

PRMM details these concepts of program administration and risk communications. It also discusses the related issue of risk perception, an aspect that makes risk an emotional and more difficult topic to reach consensus. Comparative risks, including issues around voluntary versus involuntary risk, is a useful concept for enhancing risk understanding and in communications. This too is covered in the risk management chapter of PRMM with useful sample tables included.

A common observation emerging from mature pipeline risk management programs is that unforeseen benefits are numerous. From central repositories of information yielding new insights, to more consistent and defensible decision-making at many levels in the organization, new capabilities emerge and strengthen the corporation processes—if not the corporate culture itself.

A good plan, violently executed now, is better than a perfect plan next week.

George S. Patton

‘apparent’ but not always easy! ↑
To the extent that it is represented by the population of pipeline segments from which the comparison statistic emerges. ↑
As a non-mandatory annex. ↑
They also, surprisingly, do not include any benefits from avoiding loss of life or injury. ↑

Ch13 Risk Mgmt