Risk - What is it?
The chance of some consequence, normally a negative consequence. A negative consequence usually involves some type of failure. So, assessing or measuring risk involves measuring the probability of some type of failure. Hence the need to define ‘failure’.
- Risk vs Hazard
- Acceptable, Tolerable Risk
- ALARP
- Essential Elements of a Robust Risk Assessment
Failure–A Definition is Required
As detailed in PRMM, answering the question of “what can go wrong?” begins with defining a pipeline failure. A failure implies a loss or consequence.
The unintentional release of pipeline contents is one common definition of a failure. Loss of integrity is a type of pipeline failure that also implies leak/rupture. The difference between the two lies in scenarios such as tank overfill, which may involve the former but not the latter.
A more general definition of failure is ‘no longer able to perform its intended function’. The risk of service interruption includes failure from all scenarios that result in the pipeline not meeting its delivery requirements (its intended purpose).
The concept of limit state can be useful here. In structural engineering, a limit state is a threshold beyond which a design requirement is no longer satisfied (CSA Z662 Annex O). The structure is said to have failed when it fails to meet its design intent which in turn is an exceedance of a limit state. Typical limit states include ‘ultimate’—corresponding to a rupture or large leak—‘leakage’, and ‘serviceability’.
Complicating the quest for a universal definition of failure in the pipeline industry is the fact that municipal pipeline distribution systems (water, wastewater, natural gas) tolerate some amount of leakage. Failure may be defined as ‘excessive’ leakage in contrast to pipelines where any amount of leakage is considered ‘failure’.
The most used definition of failure in this book will be leak/rupture. The term leak implies that the release of pipeline contents is unintentional, distinguishing a failure from a venting, de-pressuring, blow down, flaring, or other deliberate product release.
PHMSA's proposed regulations offer a definition of ‘rupture’:
Definition of Rupture
For both gas transmission and hazardous liquid pipelines, the proposed rule defines the term “rupture” as any of the following events that involve an uncontrolled, large-volume release over a short period of time:
1. An unanticipated or unplanned pressure loss of 10 percent or greater, occurring within a time interval of 15 minutes or less, unless the operator has documented in advance the need for a higher pressure-change threshold due to pipeline flow dynamics;
2. An unexplained flow rate change, pressure change, instrumentation indication, or equipment function that in the operator’s experience may be representative of an uncontrolled, large-volume release or failure;
3. An apparent large-volume, uncontrolled release or failure observed by operator personnel, the public, or public authorities, and that is reported to the operator.
https://www.regulations.gov/document/PHMSA-2013-0255-0006
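The first criterion above is the only one of the three that reduces to arithmetic on recorded pressure, so it can be checked directly against a pressure trend. The following is an added example, not code from PHMSA or from this site: it scans time-ordered readings for a loss of at least the threshold within the time window, with a higher operator-documented threshold passed as a parameter. The function name, the `planned` argument, and the sample readings are constructed for illustration.

```python
from collections import deque

def find_pressure_loss_events(samples, threshold_pct=10.0, window_min=15.0,
                              planned=()):
    """Flag readings that meet criterion 1 of the proposed rupture definition.

    samples: time-ordered (minute, pressure) pairs, any consistent unit.
    planned: (start_minute, end_minute) ranges of documented operations
             (e.g. a blowdown); losses seen then are not 'unplanned'.
    Returns (peak_minute, detect_minute, loss_pct) for each flagged reading.
    """
    events = []
    peaks = deque()  # pressures strictly decreasing, so peaks[0] is the window max
    for t, p in samples:
        # Discard readings that fall outside the look-back window.
        while peaks and t - peaks[0][0] > window_min:
            peaks.popleft()
        if peaks and peaks[0][1] > 0:
            t0, p0 = peaks[0]
            unplanned = not any(a <= t <= b for a, b in planned)
            # Compare without dividing so an exact 10 percent loss is caught.
            if unplanned and (p0 - p) * 100.0 >= threshold_pct * p0:
                events.append((t0, t, round((p0 - p) / p0 * 100.0, 1)))
        # Keep the deque monotonic before adding the new reading.
        while peaks and peaks[-1][1] <= p:
            peaks.pop()
        peaks.append((t, p))
    return events

# Constructed readings (minute, pressure): a fast loss and a slow decline.
FAST_LOSS = [(0, 1000), (5, 998), (10, 995), (15, 990),
             (20, 960), (25, 930), (30, 885), (35, 870)]
SLOW_DECLINE = [(0, 1000), (15, 975), (30, 950), (45, 925), (60, 900)]

if __name__ == "__main__":
    print(find_pressure_loss_events(FAST_LOSS))     # loss inside 15 minutes
    print(find_pressure_loss_events(SLOW_DECLINE))  # 10 percent, but over an hour
```

The slow decline loses the same 10 percent overall but never within 15 minutes, so it is not flagged; criteria 2 and 3 rely on operator judgment and observation and are not modeled here.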
Failure mechanism, failure mode, threat
Digging deeper, we often need a definition of ‘failure’ from a material science point of view. Loss of load carrying capacity is a good working definition of material failure. ‘Load carrying capacity’ is also an appropriate definition for resistance, as measured in a risk assessment. In this text, a failure mechanism is the driving force that can cause a failure.
The failure mode is the manner in which the material fails. Common failure mode categories are ductile (yield), brittle (fracture) or a combination, with subcategories of tensile, compressive, and shear. The failure mode is the end state.
The failure mechanism is the process that leads to the failure mode. Failure mechanisms include corrosion, impact, buckling, and cracking.
A failure scenario is the complete sequence of events that, when combined, result in the failure.
A failure manifesting as a leak is included in the ‘load carrying capacity’ definition for most pipeline components, since the load of internal pressure is no longer completely carried once a leak of any size forms. This is conceptually true even if the internal pressure load is only the weight of a drop of liquid that should have been contained.
As detailed in PRMM, the ways in which a pipeline can fail can be categorized according to the behavior of the failure mechanisms relative to the passage of time. When the failure rate tends to vary only with a changing environment, the underlying mechanism is considered time-independent and should exhibit a constant failure rate as long as the environment stays constant. When the failure rate tends to increase with time and is logically linked with an aging effect, the underlying mechanism is time-dependent.
Pipelines tend to avoid early-life leak/rupture failures by commonly used techniques such as manufacture/construction quality control (for example, pipe mill pressure testing, weld inspection) and post-installation pressure test.
Pipelines are often constructed of materials, such as steel, that have no known degradation mechanism other than corrosion and cracking. When these are controlled, a steel pipeline is thought to have an indefinite life span. See discussion under ‘design life’.
Estimates of pipe strength are essential in risk assessment. This is discussed here.
Failure potential must be evaluated in terms of three independent examinations: exposure, mitigation, resistance.
Damage vs Failure
Risk Assessment-Why and How
The most commonly accepted definition of risk is PoF x CoF. While this basic definition has near universal agreement, there is no consensus on the best way to arrive at risk estimates.
Data
The role of data/information cannot be overstated. Note the many areas of content on this site that deal with data. Here are just a few:
In a typical risk assessment, we populated 200 to 300 variables for every inch of a pipeline. This may seem to be a daunting task, but given database technologies, it is actually very easy. See Mechanics of RA.
We are often asked, “Of those 200+ variables, which are more important?” More technically savvy questioners ask this as “Have you performed a sensitivity analysis?”
This question is best answered by remembering that the risk assessment is a mirror of the real world. In the real world, some variables will consistently matter more. Examples include wall thickness and nearby population density. But in the majority of cases, variables that are commonly unimportant will, in certain scenarios, be the single most important input into a risk assessment. Examples of those include landslide threat and pressure cycling.
Why and How of Risk Assessment
Myths, Misconceptions, and Past Practice
Essential Elements of a Modern Risk Assessment
Quantitative Risk Assessment–It’s Easy!
In the past, QRA had to rely heavily–maybe even ‘exclusively’–on statistics. Not surprising given the origins of QRA. This is no longer the case.
If they do the same thing as QRA, why not just use classical QRA?
Several reasons: classic QRA is expensive and awkward to apply to a long, linear asset in a constantly changing natural environment—can you imagine developing and maintaining event trees/fault trees along every foot of every pipeline? Classical QRA was created by statisticians and relies heavily on historical failure frequencies. Ask a statistician how often something will happen in the future and he will ask how often it has happened in the past. I often hear something like “we can’t do QRA because we don’t have data.” I think what they mean is that they believe that databases full of incident frequencies—how often each pipeline component has failed by each failure mechanism—are needed before they can produce the QRA type risk estimates. That’s simply not correct. It’s a carryover from the notion of a purely statistics-driven approach. While such historical failure data is helpful, it is by no means essential to RA. We should take an engineering- and physics-based approach rather than rely on questionable or inadequate statistical data.
Modern QRA: FoF Triad
Modern QRA: CoF Hazard Zones
Risk Management-After Risk has been Measured
Distinct from ‘assessing’ risk, the management of risk involves deciding things: if risks are acceptable and, if not, how best to reduce them and, either way, how to keep risk from growing.