Service Interruption Risk

• 1. Risk of service interruption.

Background

Up to now, the focus has been on assessing the risk of pipeline failure, with ‘failure’ defined as a leak or rupture. This is an integrity-focused risk assessment. Recall that a broader definition of failure for any engineered system is ‘not meeting its intended purpose’. With a typical pipeline purpose of ‘moving x volume of product y from point a to point b in time period z, within delivery parameters of a,b,c, etc., a pipeline has many ways to ‘fail’ that do not involve a leak or rupture. So, an expanded definition of ‘failure’ will often include ‘service interruption’.

A service interruption can cause direct consequence to revenue generation, customer satisfaction, and other factors. In this chapter, the focus is on service interruption as a broader definition of failure, inclusive of all leak/rupture scenarios.

For this expanded risk assessment, a service interruption is a deviation from product or delivery specifications that causes a negative impact to a customer. The definition implies the existence of a specification (an agreement stating the delivery parameters, including product quality), a time variable (duration of the deviation), a customer (an entity receiving service from the pipeline), and a consequence to that customer. These are discussed in this chapter. Additional terms and phrases such as excursions, upsets, ‘off-spec’, violations of delivery parameters, specification violations or non-compliances, will be used interchangeably in these discussions.

The quantification of service interruption risk will normally be meaningful only for the portion of the system directly connected to the customer. At other locations, there may be no customer to be harmed, so no potential consequences. It is only when the excursion manifests at a customer location that harm can occur. This is not to say that upstream portions do not contribute to service interruption potential—they certainly do. But since many systems have intervention opportunities, it is only after considering all interplays among excursion sources and remedies that the interruption potential at a given location can be known.

Note however, that the entire downstream portion of a pipeline system can be viewed as a customer of the segment being assessed.  This is often a good framework assumption for the risk assessment.

The risk of service interruption is additive to the risk of pipeline leak/rupture. This makes the risk assessment more complicated because pipeline leak/rupture is only one of the often-numerous ways in which a service interruption can occur—leak/rupture is a subset of all possible service interruption scenarios. Service interruptions can be caused by contamination, blockages, under-performing equipment, and many others that in no way threaten system integrity. All must be assessed in order to fully measure service interruption risk. An event may or may not lead to a service interruption depending on how long the event lasts and the system’s ability to respond to the event. So, the analyses must provide for the system’s ability to absorb excursions without causing customer harm.

Ensuring an interruptible supply, ie, no service interruption, may conflict with ensuring minimum consequences to leak/rupture events. Scenarios such as erroneous valve closures or equipment failures normally cannot be tolerated from a service interruption viewpoint so steps are taken to limit the equipment and operational complexities that lead to unwanted interruptions. This may result in also limiting the necessary, desirable shutdowns for which the protective equipment is intended. This can present a design/philosophy challenge, especially when dealing with pipeline sections close to the customer where reaction times are minimal.

This trade-off between delaying action when needed versus premature, incorrect reactions (false positives vs false negatives, ROC) appears in many decision-making contexts.

‘How To’ Overview

Terminology will be defined in the next section, but as an overview, here is the general process.

Including service interruption in the risk assessment is simply an expanded version of the failure = loss-of-integrity risk assessment methodology. The loss-of-integrity risk assessment as detailed in previous chapters is a part of the risk of service interruption assessment and is ready to be included into the expanded risk assessment.

Just as all causes of leaks and ruptures were itemized and evaluated, all causes of service interruptions must similarly be itemized and evaluated. Added to the probability of leak or rupture is the probabilities of all events that cause a service interruption but do not cause a leak or rupture. This involves identifying all possible excursions from delivery specifications, with no initial consideration for their ultimate potential for customer harm.

For example, a blockage in a pipe segment should be treated as an excursion, even if that particular blockage does not directly impact any customer. A contaminant intrusion episode is an excursion even if it will be subsequently diluted to a level of insignificance. These would be excursions with no customer consequence, ie, no service interruption, but are excursions nonetheless. Potential customer impacts, and how those translate to consequences for the service provider, are considered next, in the consequence of service interruption portion of the assessment.

Service interruption will normally include all of the leak/rupture failure mechanisms since all causes of leaks and ruptures usually cause service interruption. Some leak/rupture events may not, however, result in a service interruption, but are still excursion events. When, for example, an in-service repair such as a clamp can be implemented without interrupting the pipeline’s operation, an excursion has occurred but the ‘repair without halting flow’ has prevented a service interruption. The risk assessment should show both—the occurrence of the excursion and the lack of customer harm

The definition for service interruption contains reference to a time factor. Time is often a necessary consideration in a specification noncompliance. A customer’s system might be able to tolerate certain excursions for some amount of time before losses are incurred. This is analogous to the measurement of ‘resistance’ in the leak/rupture assessment since some failure mechanisms can be resisted for longer times than others. When assessing customer sensitivity to specification deviations, the evaluator should consider tolerable excursion durations with probable durations. This is captured in the assessment through proper inclusion of excursion events and resistance estimates, as discussed in this chapter.

Definitions & Issues

Many issues are intertwined in a potential service interruption scenario. Again, a reductionist approach to the risk assessment—breaking the overall issue into smaller pieces—is efficient. This means that issues must be separated, measured independently, and those measurements must then be appropriately combined to reveal new knowledge. First, some definitions and issues will be presented to help ensure complete understanding of the assessment process.

Service

The service normally of interest here is the movement of products by pipeline under conditions agreed upon by the pipeline operator and a customer. The focus here is on the perspective of service provider—normally the pipeline operator. The risk assessment produces estimates of frequencies and magnitudes of losses due to service interruptions, potentially suffered by the customer and for which the service provider is usually liable. Most of these loss scenarios arise because the customer does not receive the service that was promised. Beyond loss of revenue to the service provider, damages suffered by the customer due to the interruption will often also translate to losses to be borne by the service provider. So, the assumption is that the customer loss is linked to the service provider loss.

Service interruption

Defined by the definition of ‘failure’. For purposes here, failure is defined as a deviation from product and/or delivery specifications that potentially causes an impact to a customer. A service interruption requires both a deviation from a service parameter and some impact to a customer.

Risk of service interruption

This is measured as follows:

Risk = Probability of Service Failure x Consequences

Exposure, mitigation, and resistance for each threat to service reliability must be measured to produce a PoF. Then, potential customer harm and related consequences are measured and combined with the PoF to yield the risk of service interruption. This aspect of risk (consequence) is a separate branch in the risk assessment, additive to the leak/rupture risk assessment estimates.

Excursion

Any occurrence, along any point of a pipeline system, that potentially causes a service interruption. Any deviation from an intended product or transportation characteristic, for example product composition, flow rate, temperature, pressure, content, etc. is counted as an excursion, regardless of its ability to actually cause upset to a customer. For instance, even if a small amount of water carryover into a flowing pipeline will not result in a product spec violation by the time it reaches any customer, it is nonetheless an excursion if it at least initially violates the specification. The probability of each excursion causing upset is considered separately from the identification of the excursion.

Voluntary Excursions

An operator may unilaterally decide to discontinue service for a variety reasons. It is usually a matter of choosing interruption as a less consequential course of action in light of other urgencies. Halting flow due to unacceptable product contamination, the need for emergency maintenance or repair on a segment, financial issues, non-performance of upstream supplier, weather events, are examples of many possible scenarios. If the operator must sacrifice service to one customer in order to continue service to another, that too obviously constitutes an excursion event of interest. See further discussion in later section.

Exposure, Exposure Event, Event

The frequency of unmitigated excursions.  An excursion, in the measuring of service interruptions, is equivalent to an ‘exposure‘ previously defined in leak/rupture risk assessment.

As in the integrity-focused risk assessment, the handling of some resistance issues will need to be matched to definitions of exposure events. When an excursion is defined as only those events ‘large’ enough to potentially cause a customer interruption (in the absence of mitigation), then the inherent ability to resist must be captured in a similar way for the assessment. Alternatively, all excursions, even very minor (as specified in the definition of ‘excursion’), can be counted and then any level of resistance to the more minor events can be modeled.

The most robust modeling approach will consider any event with any chance of causing customer harm to be an excursion.  However, this level of rigor, and the associated costs of such rigor, are not always warranted in a risk assessment.

Consequence

The amount of harm/damage/loss/upset potentially suffered by the pipeline owner/operator if the excursion reaches a customer facility and causes harm. Note that the implication is that the consequence of interest is the amount of customer harm that transfers to the owner/operator even though that  might not be the entire amount of harm suffered by the customer. This helps to distinguish among various contracted pipeline services.

Offspec

A special type of excursion, this is an abbreviation for ‘off specification’ meaning failure to comply with an agreed upon specification that dictates the characteristics of the transportation or delivery service, including the characteristics of the delivered product.

Mitigation

Actions taken to reduce the frequency or magnitude of excursions. A mitigation prevents an excursion or reduces its severity and/or duration.  By this definition, there are overlaps with resistance, discussed below.  Since mitigation and resistance have the same mathematical impact on risk estimates, the choice is largely a matter of preference.

Resistance

Ability of the system to absorb excursions that would otherwise cause harm to customers. Resistance for these types of failure includes interventions (for example, engaging alternative supply streams into the pipeline) and inherent system characteristics (for example, sufficient pipeline system volume to dilute contaminants or sufficient pressure to temporarily withstand supply interruptions). Resistance does not prevent or reduce an excursion but prevents or reduces a service interruption. A resistance protects the customer from a service interruption even though an excursion has occurred.

Resistance: Intervention/Reactionary Type

Interventions, as used here, are a type of resistance to failure. They are actions taken. Examples of actions include blending (diluting) of contaminants until acceptable concentrations are achieved; turning off a contaminated supply and activating an alternate supply; increasing the flow contribution from another source to maintain pressures; etc.

Resistance: Inherent/System Characteristics Type

There are also inherent properties of the system that offer resistance to the excursion. Examples of resistance factors that are inherent include large volume segments that are able to absorb minor introductions of contaminants or abnormal flowrates (especially when more compressible fluids–eg, gases–are involved) with no impacts to a customer. Some gas transmission pipeline segments are essentially being used for gas storage as they are intentionally ‘packed’ and ‘unpacked’ with gas and can absorb many excursions of inflows and outflows without interrupting a customer delivery.

Normalizing Exposures with Resistance and Consequences

Note that there will often be, in some situations assessed, an overlap between definitions of exposure rate and system resistance measuring customer impact. In other words, depending on the risk assessors’ modeling preference, a characteristic of a pipeline system can be viewed as a reduced level of exposure or an increased amount of resistance.  As previously noted, this can be simply a matter of preference, since the math leads to the same result.

Resistance includes aspects like alternate supplies, ability to blend, etc. just as do some exposure rates from a source. Exposures below a certain threshold are insignificant to some customers; for example, the accidental introduction of a small amount of water into a large gas transmission pipeline. To keep the service interruption risk assessment efficient and organized, clarifying rules can distinguish when an aspect belongs to the exposure rate versus a resistance estimate.

The most robust analyses will pair excursion types with specific mitigation measures, resistance capabilities, and customer damages. This can be a complex, multi-dimensional analysis for each customer when all permutations of spec deviations and durations are judged against each customer’s damage potential. Such rigor in an assessment is often unwarranted. A simple definition of excursion as ‘failure to meet specifications’ coupled with a customer damage rate, even when sometimes ‘nearly zero damages’ for certain excursions, is a simpler and often sufficiently accurate assessment approach. For example, a residential natural gas consumer is unaffected by slight deviations from natural gas specifications or delivery parameters so long as his appliances remain functional and undamaged.

To make the risk assessment more transparent, the agreed upon specifications for product quality and delivery parameters should define excursions. If a customer happens to be insensitive to certain spec deviations that should probably be captured in the consequence assessment. It should perhaps not be modeled as system resistance since the excursion has still occurred and has reached the customer.

Modeling choices should be made to ensure that exposure and resistance measurements employ a common definition. The most robust approach, counting exposure events by imagining absolutely no resistance, may not be warranted or practical in some assessments. The alternative—defining exposures as only events that can cause harm when ‘standard’ resistances are in place, may be a more desirable approach.

Risk Overlaps

In addition to leak/rupture events being a subset of service interruption risk, there are other overlaps. For example, an offspec excursion such as introduction of water into a hydrocarbon stream is an event of interest to both leak/rupture assessment (internal corrosion) and service interruption. Service interruption, by definition, ie ‘service’, focuses only on potential customer impacts. This may include damages to non-owned (customer) facilities similar to damages experienced by the pipeline owner—internal corrosion, for example. This separation of consequences—those to the owner directly versus those incurred via a customer’s consequence—is consistent with the reductionist approach of this recommended risk assessment methodology. Clarity is achieved by treating these consequences independently.

Reliability

Reliability issues overlap risk issues in many regards. This is especially true in stations where specialized and mission-critical equipment is often a part of the transportation, storage, and transfer operations. Those involved with station maintenance will often have long lists of variables that impact equipment reliability. Predictive-Preventive Maintenance (PPM) programs can be very data intensive—considering temperatures, vibrations, fuel consumption, filtering activity, etc. in very sophisticated statistical algorithms. When a risk assessment focuses solely on public safety, the emphasis is on failures that lead to loss of pipeline product. Since PPM variables measure all aspects of equipment availability, many are not pertinent to such a risk assessment unless service interruption consequences are included. Some PPM variables will of course apply to both and are appropriately included in any form of risk assessment.

Segmentation

Although segmentation occurs early in the risk assessment process, the ingredients needed for most efficient segmentation may not become apparent until service interruption scenarios are identified. The potential harm to each customer must be assessed at the customer’s location along the pipeline, but the service interruption risk usually involves all upstream portions and may sometimes also arise from certain downstream locations. In most cases, all upstream segments connected to a customer-connected-segment, contribute to the service interruption risk for that customer—some by introducing excursion potential and some by providing intervention opportunities that may prevent excursions from causing a service interruption.

Dynamic Segmentation

As with integrity-focused risk assessment, dynamic segmentation is the best approach for modeling service interruption risk. Segment breaks are warranted only where there is significant—from a risk measurement viewpoint—change in any variable thought to impact service interruption probability or consequence. Putting aside leak/rupture segmentation for a moment, segments based on other service interruption factors can typically be longer than those generated in leak/rupture-focused risk assessments. An exception would be where customers or inflows are in close proximity to each other, for example in a distribution system or some gathering systems.

Sources of change for product or transportation characteristics typically include inflow locations, customer take-offs, pump stations, tank farms, pressure regulation points, and a few others. Relevant characteristics typically subject to gradual or abrupt changes along a pipeline system include pressure, volume, and flowrates. The first is common to most pipelines and, to some extent, drives change in the latter two. All may vary more with diameter changes along the route. These changing variables potentially impact dilution of contaminants and ability to meet delivery specifications and may therefore trigger new segments.

Since the service interruption consequence potential is assessed at the customer location, customer proximity along a pipeline will therefore also be a factor. The opportunity for reactionary interventions will often change with proximity to the customer—upstream/downstream volumes, pressures, flowrates, etc, partially determine the opportunity to intervene in an excursion scenario. A pipeline section very close to a customer, where early detection and intervention of an excursion is not possible, will show a greater risk than a section on the same line far enough away from the customer where detection and possibly avoidance of customer interruption are possible.

The frequency of segment-generation—for example, what change in pressure, flow, customer proximity, etc. warrants the creation of a new segment—depends on the desired rigor of the risk assessment.

The service interruption potential from one segment will usually transfer to the immediate downstream segment. Specifically, the excursion potential from upstream segments is normally relevant, since the upstream segment is essentially an inflow or source of product to the segment being assessed. Therefore, a segment near a customer will normally carry the excursion potential from many upstream segments. The risks—excursion and consequence potential—from all segments is of course relevant when aggregating the risk for the whole pipeline or any collection of segments.

Facility Segmentation

Segmentation within facilities is sometimes less intuitive. Each component or collection of components that potentially contributes to a service interruption should be assessed as a separate ‘segment’ for purposes of risk assessment. This contribution includes each component’s role in leak/rupture potential as one possible scenario interruption scenario. Therefore, the same segmentation employed for leak/rupture assessment would normally be a starting point for service interruption assessment. See discussion under segmentation for integrity-focused risk assessment. Additional components may then be required to include components that play no role in leak/rupture potential but must be included as potential service interruption contributors.

For practical reasons including preliminary or very general assessments, an entire facility could be treated as a single source of potential excursions. The facility’s collection of excursion scenarios would still need to be estimated with independent estimates of exposure, mitigation, and resistance. This requires at least a general consideration of the types and counts of potentially contributing components. Facilities with more numerous and/or more significant sources of excursion must be identified and their contribution to service interruption potential quantified in order to obtain an accurate risk assessment. Risk analyses tools such as HAZOPS are useful in collecting and assessing scenarios.

Segmentation Process

Most pipeline risk assessments will begin with an integrity-focused assessment—the risks from leak/rupture. These assessments will ideally be based upon a thorough dynamic segmentation process of all pipeline components, including station facilities such as tank farms, compressor stations, certain processing/treating locations, metering facilities, etc. Results from these assessments can be efficiently aggregated. Having a proper aggregation option, the numerous dynamic segments that went into the analyses do not necessarily have to be preserved for use in the service interruption risk assessment. Rather, the aggregated results—PoF (from leak/rupture) from point x to y—can be used as inputs to the service interruption risk assessment. This makes the service interruption risk assessment more intuitive.

Using this strategy, the following segmentation strategy can be efficient:

1. Identify non-leak/rupture factors contributing to excursion potential. Conceptually, this means working from customer locations upstream to any location with significant change or potential change in flow, pressure, product composition (treatment facilities, inflows, etc.), ability to change any of these (ie, available branch connections, pump/compressor stations, perhaps currently not used), or any other factors thought to be pertinent. In some cases, this will include special considerations for changes in potential for moving/entraining/sweeping of accumulated liquid/solid contaminants (for example, low spot accumulation points, critical angle exceedances, liquid drain traps, etc.), blockage formation likelihood; for example, hydrates, paraffins, etc.
2. Perform dynamic segmentation using these non-leak/rupture variables. This will normally result in fewer dynamic segments than produced from a complete leak/rupture assessment.
3. Aggregate PoF values from dynamic segments generated in the leak/rupture assessment. Include these aggregated values with the service interruption segments, to perform a final dynamic segmentation.

The assessment process

As previously noted, service interruption risk assessment is a separate branch in the risk assessment, additive to the leak/rupture risk estimates when total risk is being measured. An excursion can occur in many different components (pipeline segments) so all portions of the pipeline contribute to the risk and must be included in the risk assessment. However, the potential consequences occur only at the customer, per the definition of service interruption.

The assessment of PoF, when failure is ‘service interruption’, follows the same format as for PoF when failure = loss of integrity (leaks/ruptures). Exposure, mitigation, and resistance for each threat to service reliability must be estimated.

Consistent with the definitions given previously. Risk is calculated as the product of the interruption likelihood and consequences:

Risk = Probability of Failure x Consequences

The PoF includes the estimation of all pertinent likelihood elements—exposures, mitigations, resistance factors. Consequences represents the magnitude of potential damages arising from a service interruption. The PoF of each segment will usually contribute to the PoF of the next downstream segment. The risk, however, remains with the customer location’s segment since consequences are defined in terms of customer harm.

The overall process is generalized as follows:

1. Define all service interruption scenarios. What must happen and for how long? The transportation/delivery service contract may specify the parameters that constitute a failure in providing the service.
2. Identify all events that lead to service interruption. Each deviation parameter (for example: pressure, flow, quality, etc.) will normally have multiple causes—multiple underlying events. Techniques like HAZOPS are useful for this step. Assess the likelihood of each event.
3. Identify mitigating measures for each potential events. Multiple mitigation measures may be in place for each potential excursion event.
4. Identify all opportunities to detect and intervene, once an excursion is underway. This is the estimate of resistance in terms of excursions that can be absorbed by the system, preventing customer harm. Note that sometimes a resistance measure can be taken far downstream of the excursion.
5. Define potential consequences to each customer for each type of service interruption. These consequences are normally expressed as monetary costs.
6. Using only non-leak/rupture variables, perform dynamic segmentation (see dynamic segmentation discussion at end of this chapter)
7. Using results from previous integrity-based (leak/rupture) assessments, calculate the aggregated leak/rupture PoF for each of the dynamic segments produced from previous step (or perform dynamic segmentation using both leak/rupture segments and service interruption segments).
8. Not every leak/rupture will interrupt every customer.  Determine the fraction of PoF leak/rupture events that could be addressed without interruption of service (for example: in service clamp repairs). Reduce the exposure from leak/rupture excursions by this fraction.
9. Perform risk assessment for all segments using exposure, mitigation, resistance, and consequence estimates.
10. To show overall service interruption risk for a pipeline (or portion of a pipeline) combine all pairs of PoF and customer CoF scenarios for each segment included in the summary.

The probability of excursion involves exposure and mitigation and is akin to the probability of damage PoD calculation for the leak/rupture assessment. The excursion probability of each segment will usually contribute to that of the next downstream segment.

The PoF uses this excursion probability and also captures the available resistances to interruption such as system redundancies, dilution volumes, and any intervention possibilities, where an excursion occurs along the pipeline, but resistance protects the customer from impact. Resistance to an excursion may not occur until some distance downstream of the location of the excursion. Consider a contamination excursion which eventually dilutes to insignificant levels, far from the origin of the excursion. A resistance will often transfer to the downstream segments. The risk, however, occurs at and remains with the customer location’s segment since consequences are defined in terms of customer harm.

Excursion probability includes exposure and mitigation estimates. Service interruption probability includes excursion probability plus resistance. Service interruption risk includes service interruption probability plus potential customer impacts. The following sections are organized to follow this process flow:

1. Excursion probability
2. Service interruption probability (includes potential for customer impact)
3. Service interruption risk

Probability of Excursion

• 1. Exposure/Mitigation/Resistance Triad in PoF Service Interruption

Measuring the rate or probability of excursions combines exposure and mitigation estimates: [probability of excursion] = [exposure] x (1 – [mitigation]). An excursion source will often potentially affect long segments of the system and be insensitive to segment length. When lengths are relevant, such as for many leak/rupture, blockage, and pipeline dynamics excursions, event rates can be aggregated to include length effects. When event rates are sensitive to counts of components at the same location, for instance the number of independent shut down triggers at a facility, then event rates can again be aggregated to include component counts. Then, event rates in units of events/year rather than, say, events/mile-year can be efficiently used in service interruption risk estimates.

Probability of excursion should include all events that could potentially impact a customer in the absence of resistance. Extraction of resistance considerations—excluding them from the assessment—at this point in the analysis is important. For example, the fact that a contaminant introduced at point A will dilute to be inconsequential before the customer delivery at point B, does not negate the fact that the excursion has occurred. The customer impact—measured independently—can be zero, but the event is still counted in the probability of excursion estimation. While this may at first appear to be a complication, it actually adds clarity to the assessment. As with the integrity-focused risk assessment, failure to consider such factors independently weakens the analyses.

Excursion Exposure

Two general categories of excursions cover all possibilities: (1) deviations from product specifications and (2) deviations from specified delivery parameters. Each has its own set of exposures, mitigation measures, and resistance which will often overlap between the two types of upset.

We now look at the exposure, the excursion potential, in more detail. Using some of the factors first introduced in PRMM, the following overall equation is usually appropriate:

Probability of Excursion = (PSD + DPD)

Where

PSD = product specification deviation—the potential for the product transported to be off-spec—non compliant with a quality specification

DPD = delivery parameter deviation—the potential for some aspect of the delivery to be unacceptable—non compliant with the agreed upon terms of delivery

A breakdown of typical PSD and DPD exposure categories is as follows:

A. Product Specification Deviation (PSD)

A1. Product Origin

A2. Product Equipment Malfunctions

A3. Pipeline Dynamics

A4. Other

B. Delivery Parameter Deviation (DPD)

B1. Pipeline Failures

B2. Pipeline Blockages

B3. Equipment Failures

B4. Operator Error

An exposure estimate from each of these potential causes of excursion is part of the assessment. The exposure is the estimate of excursion frequency, in the absence of mitigation. The role of mitigation must be ignored when first generating exposure estimates. Discussion of exposure from each of these potential sources of excursion is in the following sections.

Excursion Mitigation

Once the exposure to excursions has been estimated, then mitigation measures can be identified and quantified. As with the integrity-focused assessment, the most robust assessment will pair specific exposures with specific mitigations. A more generalized assessment may take a short cut by assuming that some mitigations provide protection against all exposures, as long as excessive loss of accuracy does not accompany this short cut.

Mitigations are similar to those for leak/rupture prevention, especially those employed against human error, and include control and safety systems, procedures, training, SCADA, error preventors, etc. Operator training and procedures often play a role in preventing or minimizing probabilities or consequences of service interruption episodes. These are important in calibration, maintenance, and servicing of detection and mitigation equipment as well as monitoring and taking action from a control room. The evaluator should look for active procedures and training programs that specifically address service interruption episodes. The availability of checklists, the use of procedures (especially when procedures are automatically computer displayed), and the knowledge of operators are all indicators of the strength of this mitigation.

Emergency/practice drills can play a role in preventing or minimizing service interruption excursions. While drilling can be seen as a part of operator training, it is a critical factor in optimizing response time and may be considered as a separate item in the assessment. Where regular drills indicate a highly reliable system, more effectiveness can be assumed. Especially when human intervention is required and especially where time is critical (as is usually the case), drilling should be regular enough that even unusual events will be handled with a minimum of reaction time.

See discussion in the integrity-focused assessment sections of this text for guidance on these and other general mitigation measures commonly employed to reduce both leak/rupture and service interruption events.

Additional mitigation to reduce service interruption excursions is available in the form of reliability programs such as PPM, real time monitoring, and others. Some exposure-specific mitigation measures are discussed in sections below. This list is not all-inclusive since mitigation opportunities are numerous and often customized to specific issues. All types of mitigation can and should be assessed for effectiveness, following the assessment guidance offered here and in the integrity-focused risk assessment discussions.

Excursion Resistance

Some resistance occurs at the point of the excursion; for example, immediate dilution, insignificant impact on pressure or flowrate, etc. while others provide resistance some distance from the excursion but prior to the customer location; for example, eventual dilution and recovery of pressure or flowrate, etc.

Excursion-specific resistance factors are discussed in the sections below while a general resistance discussion follows in an independent section.

Estimating Excursions

A. Product specification deviation (PSD)

The transportation of products by pipeline is a service normally governed by contracts that specify delivery parameters. These specifications will show the acceptable characteristics of the product moved as well as the acceptable delivery parameters such as temperature, pressure, and flowrate. Deviations from contract specifications can cause an interruption of service for customers. Even when formal contracts with such specifications do not exist, there is usually an implied agreement that the delivery will fit the customer’s requirements.

In water pipelines, specifications vary depending on the type of water system. Potable water systems off-spec excursions include unacceptable levels of dissolved solids, metals, organic compounds, and others.

Off-spec episodes may involve product contamination. Some contaminants are also agents that promote internal corrosion in steel lines. Their potential introduction into a pipeline may have already been quantified in the integrity-focused risk assessment.

To assess the contamination potential, the evaluator should first define ‘contamination’. A simple way to do this might be to define it as any product component that is outside the contract-specified limits of acceptability.

A list of all plausible scenarios that could produce contamination will be required in a robust risk assessment. For each potential offspec parameter, specific sources that generate or contribute to the excursion should be identified. This list will serve as a prompter for the assessments. At this point, no consideration for dilution, mitigation, or other contamination-reducing possibilities are included. Exposure estimates are independent of possible effects of mitigation and resistance—those considerations come later in the assessment.

A segment’s exposure to excursions must include excursion potentials from all upstream sections. The general sources of offspec episodes or ‘upsets’ causing excursions are identified as:

• Product origin
• Product treatment equipment malfunctions
• Pipeline dynamics
• Other.

The assessment is to determine the frequency of future excursions from each specific source. To accomplish this, the evaluator should have a clear understanding of the possible excursion episodes. The historical perspective—details of previous incidents—will be important to the extent that previous experience is relevant to future performance.

Some specification parameters are put in place to control internal corrosion or other damages to the transportation equipment while others protect the customer’s equipment and/or product quality. A list can be developed, based on customer specifications that show critical offspec parameters and intolerable concentrations. Additional columns for detectability, mitigation and customer sensitivity can be included to provide guidance for the next steps of the evaluation. This will also serve to better document the assessment.

A1. Product origin

The product’s origin point, for example, delivery pipeline, storage facility, processing plant, ground well, etc, provides the first opportunity for excursion.

Changes of products in storage facilities and pipeline change-in-service situations, including batch deliveries, are also potential sources of deviation from product specifications. A composition change may also affect the density, viscosity, and dew point of a hydrocarbon stream. This can adversely impact processes that are intolerant to liquid formation or changes in those characteristics.

Even when a product originates directly from, for example, a single hydrocarbon processing plant, the composition may vary, depending on the processing variables and techniques. Temperature, pressure, or catalyst changes within the process will change the resulting stream to varying extents. Materials used to remove impurities from a product stream may themselves introduce a contamination. A carryover of glycol from a dehydration unit is one example; an over-injection of a corrosion inhibitor is another.

Inadequate processing of product or potential contaminant is another source of excursion. A CO₂ scrubber in an LPG processing plant, for example, might occasionally allow an unacceptably high level of CO₂ in the product stream to pass to the pipeline. The use of drag reducing agents to enhance flowrates can also be a source of upset for sensitive customers.

The evaluator can seek evidence to assess the exposure—the unmitigated excursion potential–from changes at product origin, even when available evidence is based on the mitigated excursion potential.

Some qualitative examples of excursion estimation are shown in PRMM. These qualitative descriptors are reproduced as follows with possible quantitative estimates added.

High Rate; perhaps 0.5 to 500 events/year

Excursions are happening or have happened recently. Customer impacts occur routinely or are only narrowly avoided (near misses).

Medium Rate; perhaps 0.1 to 0.5 events/year

Excursions have happened in the past in essentially the same system, but not recently; or theoretically, a real possibility exists that a relatively simple (high-probability) event can precipitate an excursion.

Low Rate; perhaps 0.01 to 0.1 event/year

Rare excursions can theoretically occur under extreme conditions. Historical customer impacts are almost nonexistent.

No Exposure; perhaps 0.00001 to 0.01 events/year

System configuration and/or customer insensitivity disallows upset possibility originating from source. A customer impact is virtually impossible in the present system configuration.

Prevention of offspec episodes and minimization of impacts is supported through close working relationships with customers and suppliers.

Mitigation of Exposures Arising from Source(s)

Because products often originate at facilities not under the control of the pipeline operator, there may be both foreign (owner of the origination point) mitigations and operator (of the segment being assessed) mitigations. Since it will often be difficult to assess and track changes in mitigations of non-owned facilities, it is often more efficient to include foreign mitigations in the exposure rate estimate assigned to the non-owned facility. Those mitigations are often still important to understand and perhaps quantify, but keeping them separate from mitigations applied by the owner of the assessed component is a modeling convenience.

Mitigation opportunities may be limited in some cases. However, common mitigation measures for non-owned/operated point-of-origin upset episodes include

• Real time or sampling-based monitoring of all pipeline entry points (and possibly even upstream of the pipeline—in the supplier facility itself—for early warning) to detect offspec episodes or their precursors at earliest opportunity
• Redundant decontamination/treatment/supply equipment for increased reliability on single source scenarios.
• Close working relationship with third-party suppliers
• Availability of multiple product stream sources at origin point (blending or partial shut in opportunities)
• Arrangements of alternate supplies to shut off offending sources without disrupting pipeline supply
• Provisions for rapid switches to alternate supplies
• Plans and practiced procedures to switch to alternate supplies
• Automatic switching to alternate supplies
• Operator training to ensure prompt and proper detection and reaction to excursions.

Any preventive actions should be factored into the assessment of excursion mitigation.

A2. Treatment equipment malfunctions

Pipeline equipment at, or downstream of, the product source, designed to control product specification parameters such as removal of impurities can malfunction and allow offspec episodes. This may overlap the previous assessment ‘product origin’ so care must be taken to count all events appropriately—neither over- nor under-counting.

Some on-line—during the transportation–equipment such as dehydrators help ensure product specification parameters including protecting the pipeline from possible corrosion agents. Hence, their reliability in preventing upsets will overlap previous analysis of their role in PoF from internal corrosion.

Injections of substances such as corrosion inhibitor liquids or flow-enhancing chemicals are examples of intentionally-introduced substances that may impact customers. Even when customers are unaffected by intended concentrations of such injected substances, equipment malfunction or flow regime changes may lead to higher concentrations of these products than what is tolerable by the customer.

Multi-phase pipelines, in which combined streams of hydrocarbon gas, liquids, and water are simultaneously transported, are often found in gathering systems and offshore production pipelines. Downstream receipts from such systems frequently rely on equipment to perform separation. When separation equipment fails, excursions occur.

When the equipment can potentially introduce a contaminant—for example, flow enhancer, glycol dehydration, corrosion inhibitor, etc.—an estimate of the unmitigated exposure, followed by the effectiveness of mitigation, is needed. When the equipment is preventing offspec excursions then its role as a mitigation measure against a continuous exposure needs to be estimated.

Unmitigated upset potential from on-line equipment malfunctions can range in event frequency from ‘almost never’ to ‘continuous’. A detailed assessment may include formal equipment reliability modeling.

Estimation can be done in a very detailed, robust manner when critical consequence may emerge, or alternatively may simply be approximated by those knowledgeable of the system when less onerous consequence potential exists.

Mitigation

The following mitigation activities can be factored into the evaluation for excursions due to equipment malfunctions for both scenarios—’equipment-generated exposures’ and ‘equipment as excursion prevention’:

• Strong equipment maintenance practices to prevent malfunctions
• Redundancy of systems (backups) to increase reliability of equipment or systems to reduce the probability of overall failures
• Early detection of malfunctions to allow action to be taken before a damaging excursion or a loss of function occurs.

A3. Pipeline dynamics

Another generator of excursion scenarios is liquids or solids becoming more concentrated in a product stream by a change in pipeline system dynamics. A possible source of solids could be foreign materials from original construction or subsequent repairs, materials originally introduced by within-spec streams, materials from offspec excursions, or materials generated within the pipeline during its operational history.

• 1. Critical Inclination Angle Exceeded, Resulting in Depositions

Free liquids, both water and heavier hydrocarbons, and solids may accumulate in low-lying areas of a pipeline transporting hydrocarbons.

Some pipelines also have potential for other types of accumulations. Hydrates, rust particles, debris from damaged pigs, or paraffin buildups displaced from the pipe wall are examples of materials generated during operations. (see also discussion of pipeline blockages) To cause this, the offending materials would have to be present initially, so an exposure estimate arises from that necessary condition. Added to this for the complete estimate of exposure, is the potential for an accompanying event causing a significant disturbance to the pipe displacing a large amount of the buildup at one time, leading to the customer impact.

Pipeline dynamics can also precipitate a service interruption by causing a delivery parameter to become offspec. Pressure surges or sudden changes in product flow may interrupt service as a control device engages or the customer equipment is exposed to unfavorable conditions. This halts flow, thereby interrupting the flowrate required by the specification.

Potential for upset from changes in pipeline dynamics is assessed in terms of exposure and mitigation, as are all types of service interruptions. Specific pairings of mitigations with affected exposures may be warranted since not all mitigations will affect all exposures. For instance, preventing excursions due to re-entrainment or sweeping of accumulations may have no benefit to the exposure of flow interruptions from inadvertent valve closures. Note also, that some mitigation measures will increase the potential for service interruptions. For instance, maintenance pigging carries a chance of flow interruption due to pig failure or formation of a blockage.

Mitigation

Prevention activities typically factored into the assessment for upset potential due to pipeline dynamics include:

• Performing pipeline pigging, cleaning, dehydration, etc., in manners that prevent later excursions.
• A protocol that requires experts to review any planned changes in pipeline dynamics. Such reviews are designed to detect hidden problems that might trigger an otherwise unexpected event.
• Close monitoring/control of flow parameters to avoid abrupt, unexpected shocks to the system.

Instrumentation calibration/maintenance to ensure proper actions and reduce unintentional activations. This is also often appropriately included in the exposure estimate when the instrumentation/equipment is a possible initiator of the exposure.

A4. Other

As a special type of failure mechanism, the threat of sabotage may warrant special attention in service interruption risk, beyond its role in leak/rupture risk. Saboteur actions directed towards service interruption rather than leak/rupture can be included in this part of the assessment. With the change in definition of ‘failure’, this threat assessment will closely mirror the leak/rupture assessment. Different exposure types and frequencies must be identified, representing the product and delivery vulnerabilities rather than integrity vulnerabilities. Mitigations will be very similar for both types of ‘failure’. The roll of resistance will need to be supplemented in the service interruption assessment since sabotage here may involve different types of excursions; for example, the introduction of an unexpected contaminant with different detectability and reaction opportunities.

Examples of additional upset scenarios that do not directly arise from a product in-coming source or from pipeline flowing dynamics include improper restoration to service after maintenance, change in service, infiltration of ground water into a low-pressure distribution system piping, incorrect handling of batched products, and others. When such scenarios are plausible, they should be included in the risk assessment with the same exposure-mitigation-resistance triad used in all PoF analyses.

B. Delivery parameters deviation (DPD)

General excursion scenarios that must be included in assessing the risk of service interruption are deviations from acceptable delivery parameters such as pressure, temperature, or flow. For example, when a city resident orders a connection to the municipal gas distribution system, the implied contract is that gas, appropriate in composition, will be supplied at sufficient flow and pressure to work satisfactorily in the customer’s heating and cooking systems.

General causes of delivery parameter deviations include:

• Pipeline failures
• Pipeline blockages
• Equipment failures
• Operator error.

Since a customer impact is the consequence of interest, potential scenarios upstream of a customer normally generate the events of interest and are included in the evaluation. However, some downstream events may also generate upstream customer consequences. For instance, excessive flow entries or exits downstream may impact upstream pressure levels.

As with all exposures, a list of plausible scenarios should be developed. Critical delivery parameters, based on customer specifications, should be identified and linked to specific mechanisms that could upset those parameters.

Undersupply excursions—not meeting minimum pressure/flow specifications—are a common type of excursion. These are judged to arise from two general types of exposure, each with specific contributors:

• insufficient delivery to customer
• intentional supply or inventory reductions
• reductions to accommodate seasonal-, business-, temporary maintenance-, other customer-needs, and other scenarios
• unintentional supply or inventory reductions
• leaks/ruptures in upstream segment(s)
• equipment failure
• operator error
• blockages

B1. Pipeline Leak/Rupture

A leak/rupture in a pipeline component will usually precipitate a delivery interruption. The possibility of this is assessed by performing the integrity-focused risk assessment (for leak/rupture). The resulting estimate is a measure of this type of failure potential.

The excursion potential is equal to the PoF for leak/rupture estimated in the integrity-focused risk assessment, less the scenarios where no service interruption occurs despite there being a leak. When a leak can be repaired without interrupting flow, pressure, or other delivery parameter, for example, clamp installed, a service interruption has not occurred.

B2. Equipment failures

Equipment failures that can cause an unacceptable delivery parameter will normally need to be included in a service interruption assessment. Pumps, compressors, and valves are often critical since they directly control pressures and flowrates. These primary pieces of equipment are normally influenced by multiple secondary systems. Most modern pipeline control systems employ a complex network of manual and automatic monitoring, relief, and shut down instrumentation, as described in . These same systems that reduce the probability of leak/rupture may increase the potential for service interruption. Erroneous equipment operations (inadvertent valve closure, pump stop, etc.), mis-calibration of instruments, or improper actions by operators or maintainers causing shut downs are examples.

Unintentional equipment activations—valves, rotating equipment, etc.—or equipment activations generated by abnormal conditions can cause flow restrictions. An “unwanted action” of such devices is normally not addressed in the basic risk assessment model because such malfunctions do not usually lead to pipeline leak/rupture. Therefore, this additional consideration must be added when service interruption is being evaluated.

Reliability improves when more than one line of defense exists in preventing excursions. For maximum benefits, there should be no single point of failure that would either create an excursion or disable the system’s ability to prevent an excursion. Where redundant equipment or bypasses exist and can be activated in a timely manner, excursion probability is reduced.

Outages caused by weather or natural events such as hurricanes, earthquakes, fires, and floods are possible causes of leak/rupture and also considered in service interruption potential as possible sources of equipment failure excursion. A common example of a non-leak/rupture event of this type is an offshore pipeline system that is intentionally shut down whenever large storms threaten. Other examples include those typically covered under force majeure clauses in a legal contract.

The complexities and variabilities in pipelines and their associated control system designs prevents a detailed discussion of all possible interruption scenarios. To generalize these scenarios, some categorizations of equipment potentially contributing to service interruption can be made. Here are some groupings and discussion to stimulate thinking on this topic.

Pressure and flow regulating equipment

Pumps and compressors used to maintain specified flows and pressures are more complex mechanical/electrical equipment that are more prone to service interruption. Relatively minor occurrences that will stop these devices in the interest of safety and prevention of serious equipment damage include those listed for leak/rupture prevention, such as pressure, flowrate, and tank levels. Additional parameters, associated with the prime movers and often threatening service interruption, but not immediate leak/rupture potential, include temperature, voltage, electrical current, vibration, sensor status, equipment position/status, and many more.

Valves

Flow stopping that halt flow through a pipeline are potential causes of specification violations. This includes shut-in devices from product origination points such as wells, and mainline block valves, including emergency shut-in, automatic, remote, check valves, and manual configurations are included here.

Safety/Control Systems

Instrumentation and devices intended to prevent damage to the system exist in virtually all pipeline delivery systems. Examples include regulator valves, relief valves, rupture disks, limit switches (which activate equipment upon certain pressure, temperature, tank level, electrical parameters, etc. limits or rate-of-change), and others that will normally impact ability to delivery when they activate.

Equipment controlling product properties during transportation can also be considered here. The number and nature of devices that could malfunction and cause a delivery parameter upset is normally important to a risk assessment. The phrase “single point of failure” is used to indicate that one component’s failure is sufficient to precipitate a service interruption. This makes a system more vulnerable to excursion. Examples often include malfunction events associated with components such as instrument power supply, instrument supply lines, vent lines, valve seats, pressure sensors, relief valve springs, relief valve pilots, and SCADA signal processing.

Mitigation

Prevention (mitigation) activities for service interruptions caused by equipment malfunctions include:

• Measures to minimize potential for inadvertent equipment activations—fail safe logic, overrides, redundancies, etc.
• Measures to reduce rate of occurrence of abnormal conditions
• Equipment calibration and maintenance practices
• Inspections and calibrations including all monitoring and transmitting devices
• Redundancy preventing, for instance, one erroneous indication from unilaterally cause unnecessary device activations.

While these measures can be included in the assessment of exposure, it is often more useful to rather include them with mitigation. One benefit is the development of an argument, via cost/benefit analyses, for the increase or reduction in activities.

It will usually also be important to identify and include the presence of redundant systems that prevent customer impacts, even after component interruptions. Such systems were established for a reason and at a cost and therefore warrant consideration in the risk assessment.

Potential for delivery parameter deviation due to equipment failure is potentially high when excursions are happening or have happened recently–customer impacts occurring or are only narrowly avoided (near misses) by preventive actions. Frequent weather-related interruptions are additional indicators. Since such evidence is occurring with mitigation and resistance, exposure rates considered in the absence of mitigation and resistance may be especially high.

B3. Operator error

The potential for human errors and omissions is logically a part of service interruption potential. The risk analysis conducted for the leak/rupture risk assessment is normally a part of the service interruption assessment. Errors that lead to service interruption but not leak/ruptures, precipitate additional failure scenarios that are additive to the estimated error rates for leak/rupture.

Part of the service interruption assessment is the potential for an on-line operational error such as an inadvertent valve closure, unintentional halting of a pump or compressor, introduction of a contaminant or failure to remove a contaminant, or other errors that do not endanger the pipeline integrity but can temporarily interrupt pipeline operation. Note that the focus here is on accidental human activities. Willful actions are addressed as sabotage.

As with the potential for leak/rupture, the evaluator should begin the mitigation assessment with an examination of the training, testing, and procedures program to gauge the effectiveness of measures that are in place to generally avoid all errors. Error prevention activities also include visual/audible signs, signals, and alarms; the use of special checklists and procedures, and designs that allow excursions only under an unlikely sequence of errors.

B4. Pipeline blockages

• 1. Interior wall build-ups, such as paraffin

Restricted or blocked flow in a pipeline may not lead to a leak/rupture but can generate a delivery parameter (such as pressure or flow) deviation.

The potential for unmitigated, unresisted blockage events may range from virtually zero events/yr, when potential is very low, to dozens of events/year when exposure is high.

Monitoring via pressure profile, internal inspection device, or others may provide early warning of impending blockages. Mitigative actions potentially taken include cleaning (mechanical, chemical, or thermochemical) at frequencies consistent with buildup rates; the introduction of chemical inhibitors to prevent or minimize buildup.

B5. Other

Examples of other delivery parameter excursions include voluntary deviations. When the operator chooses to create an excursion to avoid higher consequences, an excursion has nonetheless been created. Depending on issues such as contract provisions, the customer’s impact and subsequent recovery of damages may differ from an accidental excursion. Voluntary or semi-voluntary excursion scenarios include:

• Weather events—operator chooses to interrupt service due to safety or system integrity issues; for example, halting operations during floods, hurricanes, ice storms, etc. These excursions differ from excursions generated by weather-related equipment failures in that no equipment failure has occurred and the operator is taking proactive measures.
• Financial events—these can range from choosing to supply one customer at the expense of another during a shortage to company bankruptcy. Intentional non-compliance with contracted terms of delivery could also be prompted by special financial issues.
• Other suppliers’ non-performance—an example would be interruption of upstream supply causing downstream shortages.
• Urgent maintenance or repair—no failure has occurred but operator must respond to a failure precursor, perhaps identified during an inspection.

Exposure, mitigation, and resistance estimates can be assigned to these excursions and included in the assessment.

Resistance

In the integrity-focused risk assessment, the actions taken to prevent pipeline failures is included as mitigation in various threat assessments. A PoD estimate emerges from this. The system’s ability to resist failure, given damage is occurring, is then measured as ‘resistance’. PoF is calculated from PoD and resistance.

In the service interruption risk, actions to prevent events that lead to service interruptions are also assessed early in the assessment as mitigations and results in a ‘probability of excursion’. Then, resistance to failure is added to produce a PoF, ie, probability of service interruption, since failure = service interruption here. Service interruption scenarios often have additional opportunities—beyond those available to leak/rupture prevention—for intervention after an excursion episode has occurred that would otherwise lead to a service interruption. System volumes, flow rates, pressures, redundancies, etc. all act to absorb the excursion, often by blending or diluting away the infraction, making it invisible to the customer.

Recall that the recommendation is to consider an excursion to be an event originating at the entry to the pipeline rather than at a customer. The consequence occurs at the customer. While both could be modeled as occurring only at the customer, excursions at other locations would still have to be assessed for their potential to reach the customer. Under this recommendation, that is the resistance estimate, to keep it independent from the initiating excursion event. This helps in diagnostics and risk management.

In the risk estimates, resistance shows when some segments are more capable of absorbing excursions and can at least partially recover from an episode before customer impact occurs. This exactly parallels the resistance estimate which distinguishes between PoD and PoF in an integrity-focused risk assessment. In both assessments, resistance is expressed as a fraction of failures avoided. A segment that is 90% resistive would experience a service interruption once out of every ten excursions (excursions that, despite mitigation, are occurring).

In some pipeline systems for which interruptible delivery is critical, extra provisions are usually made to prevent interruption. Timely reactions to events that would otherwise cause service interruptions are sometimes possible. Examples include halting the flow of an offending product stream and replacing it with an acceptable product stream, blending streams to reduce concentration levels, immediate treating of a contaminant, and immediate customer notifications when customers can prevent or minimize harm from an excursion.

Even a pipeline failure may not result in a service interruption. If the leak can be repaired without significant change to product flow (for example, a clamp repair) or an alternative supply is available to replace the lost supply to the customer.

Note that by considering interventions, a high-probability excursion that has a low probability of actually impacting the customer is recognized but shows lower risk than the same event that is more likely to impact the customer. This is important to the understanding and management of the risk.

Variable Resistance

Adding to the challenge of measuring resistance is the fact that some systems experience variable resistance. Seasonal changes in resistance are common, with supply-demand issues creating shortages and excesses. Some systems are highly variable, with inventories, system dynamics, and available options varying day-by-day or even hour-by-hour.

Inherent Resistance

System volumes, pressures, and dynamics play a role in resistance. Systems that are more able to absorb excursions in that they are slower to react to an upset or otherwise less sensitive to an excursion. For instance, a high-pressure, large-volume gas pipeline system in which outflows will only slowly depressure the system upon temporary loss of inflows. Contrast this with a small liquid system that is effectively “tight-lined” (inflows balance outflows with temporary imbalances resulting in immediate loss of pressure and flow). In this latter case, intervention opportunities will be limited and their effectiveness will be challenged.

Example 12.1 Probability of Customer Impact from Delivery Excursion

A section of a high-pressure gas transmission system serves a customer with sensitivities to pressure and flowrate. Both must be kept within specified parameters.

Exposure and Mitigation Estimates

High side excursions—overpressure and excessive flowrate are both possible events in this segment and are deemed to be continuous exposures since the source generates pressure levels and flowrates that can both exceed customer tolerance limits. The estimate of ‘continuous exposure’ carries an assignment of 5.3e5 events/yr (one event per minute) in this risk assessment’s protocol. Offsetting this exposure are mitigation measures, evaluated as shown below:

Protecting the customer from excessive pressures and flowrates are control devices and safety systems. Failure possibilities for mitigation equipment include mechanical or electrical failure of the systems, mis-calibration or failure of associated pressure/flow sensors, loss of instrument power supply, incorrect signal from SCADA system, and others.

Mitigation of ‘too much’ pressure and flowrate excursions from equipment failure at the customer ‘take-off’ location are identified as:

• Pressure controller (pressure control valve) at customer gate—failure here can either interrupt service or allow too much pressure into customer facility. Controller failure scenarios leading to excessive pressure or flow are estimated to be 10-8 per year.  This was extracted from a LOPA analyses that generated a value for ‘failures on demand’ for the control valve.
• Control valve at meter site Controller failures leading to excessive pressure or flow are estimated to be 10-7 per year.
• Additional mitigation offered by safety systems including high pressure and high flow automatic valves, are under the control of the customer and not included in this calculation. If they were to be included, they would modeled as generating redundant mitigation whereby both a controller and the safety system must simultaneously fail before the upset occurs.

In this scenario, either of the equipment failures would result in an event of interest, suggesting that they should be combined with an OR gate. This results in an estimate of ‘probability of upset’:

5.3e5 unmitigated exposure-events/yr x [(10e-8)+(10e-7)] upsets/exposure-events = 5.8e-2 upsets/year or an upset event about every 17 years.

Low-side excursions—not meeting minimum pressure/flow specifications, are judged (via HAZOPS) to arise from two general types of exposure, each with specific contributors:

Undersupply into segment = 0.2 events/year (an event every 5 years) from scenarios of:

• pipeline leaks/ruptures on associated segments
• unintentional closures of any of three upstream automatic block valves unintentional halting of mainline compressor station where station bypass would not allow sufficient downstream pressure
• unplanned interruption of source flows
• improper planning of flows/inventories
• excessive outflows.
• others

Adding to this, emergency maintenance scenarios with an estimate of 0.01 events/year.

SME’s identify mitigation measures that are currently available to prevent the exposures that are not already fully analyzed (the control valve and pipeline leak/rupture mitigation rates are already available). For a preliminary estimate, the SME team judges that mitigations are in place to offset approximately 8 out of 10 excursions of these types that are not mitigated by the instrumented safety systems. This is a combined mitigation estimate that integrates each individual mitigation measures contribution as if all exposures are equally mitigated by each. This is a simplifying assumption, technically inaccurate (for example, pipeline failure rates are not mitigated by these mitigations) but deemed acceptable for current assessment needs. The team plans to update and improve upon these estimates with a detailed HAZOP later in the year.

Using these estimates, the probability of a low-side excursion is assessed to be:

(0.2 + 0.01) unmitigated events/year x (1 – 80%) upsets / event = 0.042 upsets/yr or an upset event about every 24 years.

Resistance estimates

Next, the SME team quantifies the ability of the system to resist the potential customer upset, given the occurrence of an upset event. To begin the analysis, all sources of resistance are identified and include:

• Line pack (inventory), normally of sufficient pressure/volume to compensate for several hours of undersupply into the segment, without impacting customer delivery parameters. This resistance effectively offsets the episodes that are of short duration. SME’s assign a resistance benefit of 60% based on the fraction of shorter duration episodes possible.
• Redundancy: no redundancy of supply is available to this customer.
• Alternate supplies: the availability of contract provisions and relationships with product suppliers who would likely ‘loan’ product volume during a critical need, allows SME’s to estimate that an additional 20% of the listed episodes would not lead to customer impact.

The combined resistance is therefore estimated to be: 60% OR 20% = 68% (68% of the episodes would not result in customer impacts).

The final probability of customer impact is estimated to be:

(0.06 + 0.04) upsets/yr x (1 – 68%) customer impacts/upset =
0.03 customer impacts per year
(or a customer impact about once every 31 years).

The fairly long history of 15 years with no excursions is used to partially validate this estimate.

Note that none of the equipment failures identified in the above example would cause a pipeline leak/rupture on the assessed segment, but rather serve to estimate a service interruption potential only.

A major delivery deviation would be consequential to this customer, requiring an emergency interruption of their processes and a multi-day resumption of service. Impacts to this customer are estimated to be $450,000 per delivery deviation. This, coupled with the previous estimate of impact probability, results in an EL = 0.03 x $450K = $14K per year.

Example 12.2 Service interruption potential

Example 10.2 of PRMM can be improved by better quantifying the risk elements as follows: XYZ natural gas transmission pipeline has been sectioned and evaluated using a leak/rupture risk assessment model. This pipeline supplies the distribution systems of several municipalities, two industrial complexes, and one electric power generation plant. The most sensitive of the customers is usually the power generation plant. This is not always the case because some of the municipalities could only replace about 70% of the loss of gas on service interruption during a cold weather period. Therefore, there are periods when the municipalities might be critical customers. This is also the time when the supply to the power plant is most critical, so the scenarios are seen as equal.

Notification to customers minimizes the impact of the interruption because alternate supplies may be available at short notice. Early detection is possible for some excursion types, but for a block valve closure near the customer or for the sweeping of liquids into a customer service line, at most only a few minutes of advance warning can be assumed. There are no redundant supplies for this pipeline itself. The pipeline has been divided into sections for risk assessment. Section A is far enough away from the supplier so that early detection and notification of an excursion are always possible. Section B, however, includes an inflow metering station very close to the customer facilities. This station contains equipment that could malfunction and not allow any time for detection and remedy before the customer is impacted.

A preliminary and conservative, P90 risk of service interruption assessment is sought. Because each section includes common elements—conditions found in all sections–many input values will be the same for these two sections. The potential for excursions, considering all mitigations applied, for Section A and Section B is evaluated as follows:

Product specification deviation (PSD)

Product origin: 0.01 events/yr

Only one source, comprising approximately 20% of the gas stream, is suspect due to the gas arriving from offshore with entrained water. Onshore water removal facilities have occasionally failed to remove all liquids.

Equipment failure: 0.2 events/yr

No gas treating equipment in this system: 0.0 events/yr

Pipeline dynamics: 0.05 events/yr

Past episodes of sweeping of fluids have occurred when gas velocity increases appreciably. This is linked to the occasional introduction of water into the pipeline by the offshore supplier mentioned previously.

Other: 0 events/yr

No other potential sources identified.

Delivery Parameter Deviations (DPD)

Pipeline failure:

0.0005 events/mile-year x 30 miles of pipeline = 0.0015 events/year

From previous integrity focused risk assessment.

Blockages: 0.000001 events/yr

No mechanisms to cause flow stream blockage, other than inadvertently closed valve, considered below.

Equipment: 0.06 events/yr

Automatic valves set to close on high rate of change in pressure have caused unintentional closures in the past. Installation of redundant instrumentation has theoretically minimized the potential for this event again. However, the evaluator feels that the potential still exists. Both sections have equivalent equipment failure potential.

Operator error (Section A)

Little chance for service interruption due to operator error. No automatic valves or rotating equipment. Manual block valves are locked shut. Control room interaction is always done. Mitigated error rate is estimated to be 0.05 events/year.

Operator error (Section B)

A higher chance for operator error due to the presence of automatic valves and other equipment in this section. Mitigated error rate from all plausible event scenarios is estimated, via a HAZOPS technique, to be 0.1 events/year.

Section A total = 0.01 + 0.2 + 0.05 + 0 + 0.0015 + 0.000001 + 0.06 + 0.05
= 0.37 excursions per year

Section B total = 0.01 + 0.2 + 0.05 + 0 + 0.0015 + 0.000001 + 0.06 + 0.1 + 0.37* = 0.79 excursions per year

*Note that section A is an input to Section B. that is, all excursions originating and not eliminated in Section A, are excursions for Section B.

The above values are analogous to the PoD values produced in the integrity-focused assessment. They reflect the frequency of events that could lead to failure, ie, customer harm.

Resistance

Next, resistance is estimated. Reactive and inherent interventions to excursion scenarios are available for both sections. For Section A, it is felt that system dynamics allow early detection and response to most of the excursions that have been identified. The volume and pressure of the pipeline downstream of Section A would dilute contaminants and allow an adequate response time to even a pipeline failure or valve closure in Section A. Fractions of events successfully resisted are assigned for blending/dilution (0.8), early detection and re-establishment of supply or establishment of alternative supply (0.3). These are thought to generally apply to all excursion types and, hence, establish the resistance via an OR gate. Therefore, Section A is 1 – (1 – 0.8) x (1- 0.3) = 86% resistive to the potential excursions. Section A is assessed to carry a service interruption potential of 0.37 excursions/year x (1 – 0.86) fraction resisted = 0.052 events/yr or a customer impact about once every 20 years.

Early notification is not able to provide enough warning for every excursion case in Section B, however. Therefore, reactive interventions will only apply to some excursions that can be detected and responded to, namely, those occurring upstream of Section B. For the types of excursions that can be detected in a timely manner, product origin and equipment problems, percentages are awarded for early detection (30%), notification where the customer impact is reduced (10%), and training (8%).

Section B therefore has an additional amount of resistance equal to 1 – (1-0.3) x (1-0.1) x (1-0.08) = 42%.  This analysis shows a much higher potential for service interruption for episodes occurring in Section B as opposed to episodes in Section A.  0.052 events/yr from Section A plus 0.42 events/yr mitigated 42% yields a summary probability of damaging excursion to the customer of 0.3/year or about once every three years.

The customer consequence potential would be calculated next. A direct comparison between the two sections for the overall risk of service interruption can then be made.

Reactionary Resistance—Intervention Opportunities

To assess the availability and reliability of interventions, a compiled list of the effectivenesses of all the intervening actions that are plausible and available, is needed. Note that these actions may not apply to all identified episodes of product specification deviation or delivery parameter deviation and therefore may need to be paired with specific excursion types. If an action cannot reliably address excursions of all types, then intervention applies only to the benefiting excursion(s). For example, if an early detection system can react quickly to a pipeline failure but cannot detect a contamination episode, then the benefit applies only to leak scenario resistance.

Resistance percentages will be used in assessments for PSD and DPD independently. Again, reducing failure potential in this fashion does not indicate a reduced probability of the event, only the reduced probability of the event causing customer upset, ie, service interruption. This is an important distinction just as it is in the integrity –focused risk assessment that discriminates between probability of damage and probability of failure.

Detection

When an excursion is not detectable, reactionary intervention action is not possible. When at least some of the possible excursions are detectable, additional intervention opportunities may be available. For resistance estimation, the ability to identify and provide some advance notice of an excursion plays a role only when it enables intervention.

The reliability and timeliness of detection should be assessed. Detection includes receiving, interpreting, and responding to the indications. Indirect indications, such as a pressure drop after an accidental valve closure, serve as detection mechanisms but often require diagnostic time.

A location on the pipeline near the customer may generate an excursion for which there would not be a possibility of early detection and timely reaction. When some excursion types can be detected and some may not be, or when detection/reaction is not reliable, effectiveness estimates should be accordingly adjusted and applied only to specific excursions.

Customer notification

In some cases, timely notification to a customer of an excursion can prevent an outage for that customer. In many cases, impacts can at least be reduced. This is discussed under consequences. Customer notification is generally not a resistance factor since it does not prevent the excursion from reaching the customer. Rather it is a part of consequence minimization.

Redundant equipment/supply

Resistance to excursion is available in system configurations that allow rerouting of product to blend a high contaminant concentration or otherwise keep the customer supplied with product that meets minimum quality and delivery specifications. The redundancy must be available in a time that will prevent customer harm. Factors impacting reliability may include the following:

• Degree of human intervention required
• Amount of automatic switching available
• Regular testing of switching to alternative sources
• Reliability of switching equipment
• Knowledge and experience of personnel who are involved in switching operations
• Contingency plans to handle possible problems during switching

Consequences—Potential Customer Impact

As noted in the service interruption definitions, the consequence usually being measured in the risk assessment is the damages that occur to the pipeline owner/operator, with the idea that it is the customer damages that are primarily driving the owner/operator’s damages. Again, not all customer damages are borne by the owner/operator, depending on contract terms.  Both direct and indirect consequences should be recognized in the risk assessment.

A distinction between ‘transportation event’ vs ‘delivery event’ may be useful in some consequence assessments. Product ownership is often separated from transportation service in the pipeline industry. This separation has implications for costs of product loss during leak events and certain contract non-performance penalties. Whether the service interruption is interrupting the transportation or the delivery may be a subtle nuance that impacts costs.

A segment will often potentially impact multiple customers to varying degrees. Some sections of pipeline are therefore more capable than others of generating service interruption excursion. A transmission line excursion might impact several industrial users, other pipelines, or several entire distribution systems. In a distribution system, a failure on a ‘main’ will impact many end customers, whereas a service line failure will usually impact few. Number of customers is of course not the only metric of consequence. Some individual customers can be very high consumers of the pipeline service and/or have much higher consequences of service interruption, for example, an electrical power generation plant or a critical care health facility.

In distribution and gathering systems, meter counts and/or outflow volumes are normally available and can be linked to upstream portions of the pipeline system. A customer count or usage-adjusted count will normally be relevant to outage costs. It is often the most readily available metric of consequence and may appropriately serve as a surrogate for all consequences, pending further assessment.

Sometimes it is difficult to link customers with specific segments of a distribution or complex gathering system network, other than the piece that directly connects them to the system. Multiple, complex hydraulic modeling scenarios may be required to know possible impacts from portions of the system farther from a customer. Where it is not practical to link specific customers or even customer counts to all potential excursion-generating locations, approximations may be appropriate. The volume or pressure in any portion of the system or the count of customers downstream could be assumed to be directly proportional to the criticality of that supply at any location. Therefore, locations where higher flow rates, more downstream customers, etc. are potentially interrupted may be modeled to cause higher outage consequences.

A more robust risk assessment will include the specific sensitivity of the various customers. Both receipt- and delivery-customers should be included when either can be harmed by service interruption. A customer is not necessarily an outside party—internal customer harm is normally also of interest.  For example, pipelines owned by chemical companies may serve only internal customers, ie, the chemical plants served.

The customer tolerance to excursions is the key to consequences in service interruptions. The customer specifications should reflect the acceptable product and delivery parameters, which sets the definition of ‘excursion’. However, when standardized specifications are used, there is often a difference between what can actually be tolerated versus what contract specifications allow. In some cases, customer sensitivity is fairly apparent. For instance, when the customer is a simple user of the product, such as a typical residential customer who uses natural gas for cooking and home heating, minor deviations from standard natural gas specifications are inconsequential. To determine at what point deviations do become consequential, the manufacturer of the customers’ equipment (stove, heater, etc.) will be the more reliable information source. For more sophisticated consumers of transported products, interviews with the customer’s process experts may be warranted. In many assessments, however, this is an unwarranted level of rigor. A simple definition of excursion as ‘failure to meet specifications’ coupled with an estimated customer damage rate, perhaps nearly ‘zero damages’ for certain excursions, is a simpler and often sufficiently accurate assessment approach.

In a residential situation, if the pipeline provides heating fuel in cold weather conditions, loss of service can cause or cause or aggravate human health problems. Similarly, loss of power to critical operations such as hospitals, schools, and emergency service providers can have far-reaching repercussions. While electricity is the often most common need at such facilities, pipelines often provide the fuel for the primary generation of that electricity or the backup systems.

There is often a time component to level of damage from an excursion. Some customers are only impacted if the interruption is for an extended period of time. Perhaps short time outages are tolerable and significant losses occur only with long term production interruption. Some customers can incur large losses if interruption occurs for even short periods.

Direct Consequences

The most obvious cost of service interruption is the loss of pipeline revenue due to curtailment of product sales and/or transport fees during the excursion. This can be viewed as a direct cost of the interruption. Other direct costs are similar to those identified in the integrity-focused risk assessment and include:

• Fines, penalties
• Loss of product, if leak/rupture or if de-inventorying is necessary
• Clean up/remediation/restorations, if needed
• Repairs, if needed
• Return to service

The costs associated with a service interruption will usually be related to the duration of the outage.

Revenues

Revenues generated from the pipeline section being evaluated will often be a reasonable measure of the consequence potential of that section, from a provider-of-service (the pipeline owner/operator) view. A section’s revenues should include revenues from all relevant up- and downstream sections whose ability to serve their customers may be simultaneously compromised by the outage. The entire downstream portion of a pipeline can be viewed as a customer of the segment being assessed. This captures the intuitive belief that a “header” or larger upstream section has higher consequence potential than a single-delivery downstream section.

Return to Service

Repair, outage, and other ‘return to service’ costs are an element of integrity-focused risk assessments, but since time is a critical aspect of many service interruptions, these processes must often also be included as an aspect of service interruption impacts. In addition to the direct costs associated with ‘return to service’, customer impacts related to outage periods are added here.

Consequences of distribution system failures can also be categorized as “outage related.” These include damages arising from interruption of product delivery, including the relative time of the interruption. Some customers will be more damaged by loss of service than others.

The availability of make-up supply, can often require a complex network analysis with many assumptions and possible scenarios. As a modeling convenience, availability of replacement supply could be assumed to be inversely proportional to the normal flow rate under the premise that the greater the flow rate that is interrupted, the more difficult will be the replacement of that supply.

Other aspects of return to service costs include:

• Restoration priority (for example, the components of the system that would need to be repaired first, given that there are damages to or weaknesses within several portions)
• Extent of similar facilities that may need to be inspected prior to re-start
• Regulatory requirements related to return-to-service, if applicable (for example, inspection of similar facilities, if a leak/rupture has occurred)
• Spare parts inventories
• Reliability issues
• PPM programs

See for further discussion of return-to-service costs. PRMM examples illustrate some rudimentary calculations of service interruption losses.

Indirect Consequences

Other costs, normally considered ‘indirect costs’, related to service interruption are also similar to leak/rupture indirect consequences and include those discussed in PRMM:

• Legal action directed against the pipeline operation
• Loss of contract negotiating power
• Loss of market share to competitors
• Loss of funding/support for future pipeline projects.
• Increased regulatory burdens

Legal implications can range from breach of contract actions to extra compensation for numerous types of customer indirect losses.

As discussed in PRMM, loss of credibility, loss of shareholder confidence, and imposition of new laws and regulations are all considered to be potential indirect costs of pipeline failure, whether that failure is a leak/rupture or a serious service interruption. The loss of service to more powerful political customers in certain socio-political environments, must sometimes be considered. A critical customer may have a degree of power or influence over the pipeline operation.

The CoF assessed in the integrity-focused risk assessment will overlap some aspects of the consequences of service interruption, where longer periods of interruption increase consequences (plant shut downs, lack of heating to homes and hospitals, etc.)

Indirect cost estimation

Indirect costs are difficult to calculate and are very situation specific, as also discussed in other sections. As with leak/rupture type failures, the indirect costs associated with service interruption may parallel the direct costs. That is, when no better information is available, a default percentage (or multiplying factor) of the direct costs can be used to represent the indirect costs. This is defensible since indirect costs are logically proportional to direct costs.

Of course, actual indirect costs can be dramatically higher in a specific situation, paralleling the situation-specific factors that determine when a leak/rupture scenario becomes more consequential. Until scenario-specific indirect costs can be more accurately estimated, the use of a simplification provides a convenient method to at least acknowledge the existence of indirect costs.

Minimizing Impacts

In this section, we examine actions taken that do not prevent the incident but lessen its impact after the excursion reaches the customer. This ‘after reaching customer’ distinction is important in discriminating between resistance and consequence minimization. Resistance measures the system’s abilities to absorb the excursion and prevent it from reaching the customer. Here, we examine actions taken after customer impact is imminent.

Unlike spill consequence mitigation to reduce the consequences of pipeline leaks/ruptures, the service impact recognizes few opportunities for consequence mitigation. There are few analogous actions the pipeline operator can take to reduce customer impacts, once the excursion is being experienced by the customer. Note the distinction between mitigating the probability of an impact to a customer versus mitigating the impact once it has reached the customer. Recall that actions taken to either prevent excursions or prevent customer impact—blending, alternate supplies, etc.—are considered in the likelihood of service interruption. They act as mitigation or resistance measures to prevent customer impact.

Actions akin to emergency response as a consequence minimization for leak/rupture are not usually available under the assessment of service interruption (although they may be a part of the ‘resistance’ estimates, as part of the PoF assessment). This is chiefly due to the definition of service interruption.

Under our definition of ‘service interruption’, a consequence does not occur until/unless the event has reached the customer. Therefore, it is the customer who is able to take the most significant consequence mitigating actions, not the pipeline operator. So, unless the assessment evaluates the customer’s internal abilities to mitigate an excursion, this aspect must be left largely unaddressable.

Early Warning

Early notification of an impending event is the chief consequence mitigation opportunity for service interruption risk. Especially when customer warning is sufficient to prevent an outage for that customer, consequences are minimized. This is a situation in which, by the action of notifying the customer of a pending specification violation, that customer can take action to prevent an outage. Coupled with a reliable early detection ability, this reduces the service interruption potential. An example would be an industrial consumer who, upon notification, can switch to an alternate supply. Similarly, a delivering customer who has alternate delivery options to move his product may avoid harm when notified in sufficient time.

When a customer early warning is useful for minimizing impact but will not prevent an outage, the intervention affects consequences but not probability of upset. An example would be an industrial user who, on notification of a pending service interruption, can perform an orderly shutdown of an operation rather than an emergency shutdown with its inherent safety and equipment damage issues.

Even when intervention is not possible, early detection and timely notification is still valuable. Most customers will benefit from early warning. The customer’s ability to react to the notification and adapt to the excursion can be estimated considering the range of possible detection/notification time periods. The value of the early detection and notification can be quantified by estimating the amount of consequence avoidance achieved.