
Updating Guidance Documents

See also: Guide to the Guides

ASME B31.8S and API 1160

The ASME B31.8S Standard has served us well over the last years, becoming the most well-known pipeline integrity management program (IMP) standard worldwide.  However, continuous improvement was always anticipated and expected.  Accordingly, improved guidance should now be provided to operators on how risk assessments should be conducted in order to meet IMP expectations.

Regulators of pipelines agree that some specific changes are needed.  In the US, there have been recent regulator (PHMSA) criticisms regarding the current industry practice of pipeline risk assessment.  These criticisms are not unjustified, since some practitioners continue to use older methods that were never intended to support today’s integrity management efforts.

The following discussion describes some urgently needed revisions, specifically to the ASME B31.8 Standard but applicable to any IMP guidance document.  The urgency arises from the confusion and misdirected resources (eg, special treatment for ‘interactive threats’ and ‘weightings’) created by the current language in the Standard.  The recommended changes deal with the Standard’s requirements and guidance related to the nature and application of threat identification and risk assessment.  Specific language changes are suggested and explained below, with section numbers corresponding to those found in the 2004 edition.

Proposed Changes to 2.2  Integrity Threat Classification

The threat categories—both the 9 categories of the higher level and the 21 in the more-detailed level—should be revised.  Some of these ‘threats’ refer to vulnerabilities rather than failure mechanisms and some failure mechanisms are missing.  For example, a category to capture all crack-related mechanisms—not just SCC—including fatigue and all environmentally assisted cracking (EAC) such as SCC, SSC, HIC, and others is needed.  A list consistent with true threat identification and assessment is needed.

Another urgent change needed is to the category called ‘stable’.  The idea of stable ‘threats’ has proven to be problematic.  It is inconsistent with risk assessment practice in other industries and is often challenged from a technical perspective (eg, NTSB report on San Bruno).  It is also a significant cause of confusion in modeling interactive threats (see previous column on Threat Interaction—A Case of Confusing Terminology).

Here is why the confusion arises.  Most would consider a ‘threat’ to be synonymous with failure mechanism.  Several of the ASME B31.8S  listed ‘threats’ are not failure mechanisms while others are.  Some are potential weak points or locations of ‘increased vulnerability’ and must be treated differently in a risk assessment.  Manufacturing defects, construction defects, and equipment issues are not failure mechanisms–they do not cause failure.  They rather represent potential weaknesses or potential initiation sites for certain failure mechanisms.  For example, fatigue or corrosion could act as an underlying failure mechanism to grow a lamination or pipe seam/weld imperfection; or an external force could concentrate stress on a wrinkle bend or gasket to a point where it becomes a point of failure. 

Practitioners of risk assessment often attempt to treat the B31.8S ‘stable’ threats—which are actually locations of potential weaknesses—in the same way they treat bona fide failure mechanisms.  This has led to confusion and inaccurate risk modeling.  The recognition of inappropriate consideration of ‘threat interaction’ is one example of problematic application of the threat categories as currently stated.  Therefore, a re-classification of these ‘threats’ is imperative. 

Recognizing the difference between failure mechanisms and potential weak spots resolves issues of ‘threat interactions’ in a risk assessment.  By coupling the likelihood of any/all failure mechanisms being active AND occurring at any/all weak spots, that interaction is always captured.

Pending full revision of the listed threats, the following high level change to the threat categories is suggested (with accompanying clarification language):

  • Time-Dependent
  • Time-Independent
  • Stable Potential Strength Reductions

Note:  many alternative labels for the ‘stable’ category have been suggested and might be appropriate.  Examples include: 

  • Potential Resistance Issues
  • Possible Weaknesses
  • Special Vulnerabilities
  • Special Susceptibilities
  • Locations of Increased Susceptibility

Another alternative would be to discuss this category separately from the failure mechanisms discussion, thereby not listing it as a third category but rather as an entirely separate issue to cover in a risk assessment. 

Regardless of specific label or how to treat it in the text, this category must be differentiated from the actual failure mechanism categories, somehow capturing that these are components in a pipeline system that must be treated as specific locations with potentially increased vulnerabilities to certain failure mechanisms.

Proposed Changes to 5.5(a) Risk Assessment

This paragraph is in conflict with the objectives of IMP.  The “fairly simple” approach mentioned cannot support required IMP tasks. Suggested edits are as follows:

(a) In order to organize integrity assessments for pipeline segments of concern, a risk priority management process shall be established. This r Risk estimates is composed of a number reflecting the overall likelihood of failure and, separately, a number reflecting the consequences shall both be used in the risk management process. The risk analysis can be fairly simple with values ranging from 1 to 3 (to reflect high, medium, and low likelihood and consequences) or can be more complex and involve a larger range to provide greater differentiation between pipeline segments. Multiplying the relative likelihood and consequence numbers together provides the operator with a relative risk for the segment and a relative priority for its assessment.  The Appendix A shall be used as the initial prescriptive basis for risk assessment.

The ‘fairly simple’ approach noted above is not consistent with IMP objectives.  For example, both remaining life estimates and mitigation effectiveness valuations are implicitly mandated by IMP and are most appropriately conducted within the IMP risk assessment.  Most of our older, relative models were not designed for the analytical rigor specified in a modern IMP.

Proposed Changes to 5.5(b) and (c) Risk Assessment

The discussion of four possible RA approaches in Section 5.5 mischaracterizes risk assessment and needs to be largely removed.  ALL acceptable risk assessments should use SMEs and scenarios (the underpinnings of our understanding), and should be probabilistic in nature.  So, those three–SME, scenario, probabilistic–are not really ‘approaches’ but rather ingredients in any and all acceptable risk assessments.  Implying that a different level of rigor is associated with each approach further complicates the issue.

The suggestion is to avoid labeling risk assessment methods.  There are no universally agreed upon labels—ie quantitative, semi-quantitative, qualitative, scoring, indexing, probabilistic, deterministic, mechanistic, etc are examples of labels that are used, but do not add clarity.

Suggested edits follow.  Also, consider replacing the removed language with a list of minimum essential elements in any risk assessment.  A full guideline on how to perform pipeline risk assessment would be a huge undertaking, difficult to produce, use, and would be problematic as a basis for audits.  This prompts the suggestion for a minimum ingredients list, to ensure a pipeline risk assessment, regardless of specific underlying methodology, is sufficiently robust for IMP.  See previous columns on Essential Elements for examples.

 (b) An operator shall utilize an appropriate one or more of the following risk assessment approaches consistent with the objectives of the integrity management program. These approaches are listed in a hierarchy of increasing complexity, sophistication, and data requirements.These risk assessment approaches are will include extensive inputs from subject matter experts, relative assessmentsbe based on robust consideration of all failure scenariosassessments, and produce probabilistic assessments results in verifiable measurement units with considerations for all uncertainties. The following paragraphs describe risk assessment methods for the four listed approaches:

(1) Subject Matter Experts (SMEs). SMEs from the operating company or consultants, combined with information obtained from technical literature, can be used to provide a relative numeric value describing the likelihood of failure for each threat and the resulting consequences. The SMEs are utilized by the operator to analyze each pipeline segment, assign relative likelihood and consequence values, and calculate the relative risk.

(2) Relative Assessment Models. This type of assessment builds on pipeline-specific experience and more extensive data, and includes the development of risk models addressing the known threats that have historically impacted pipeline operations. Such relative or data-based methods use models that identify and quantitatively weigh the major threats and consequences relevant to past pipeline operations. These approaches are considered relative risk models, since the risk results are compared with results generated from the same model. They provide a risk ranking for the integrity management decision process. These models utilize algorithms weighing the major threats and consequences, and provide sufficient data to meaningfully assess them. Relative assessment models are more complex and require more specific pipeline system data than subject matter expert-based risk assessment approaches. The relative risk assessment approach, the model, and the results obtained shall be documented in the integrity management program.

(3) Scenario-Based Models. This risk assessment approach creates models that generate a description of an event or series of events leading to a level of risk, and includes both the likelihood and consequences from such events. This method usually includes construction of event trees, decision trees, and fault trees. From these constructs, risk values are determined.

(4) Probabilistic Models. This approach is the most complex and demanding with respect to data requirements. The risk output is provided in a format that is compared to acceptable risk probabilities established by the operator, rather than using a comparative basis. It is the operator’s responsibility to apply the level of integrity/risk analysis methods that meets the needs of the operator’s integrity management program. More than one type of model risk assessment may be used throughout an operator’s system. A thorough understanding of the strengths and limitations of each risk assessment method(s) employed is necessary before a long-term strategy is adopted

All risk assessment approaches described above shall produce results on sufficiently small increments of the pipeline system in order to capture all changes in risk occurring along the system.  All approaches shall also have the following common components:

 (1) they identify potential events or conditions that could threaten system integrity

(2) they evaluate likelihood of failure and consequences

(3) they permit risk ranking and support identification and quantification of specific threats that primarily influence or drive the risk

(4) they lead to the identification and valuation of integrity assessment and/or mitigation options

(5) they provide for a data feedback loop mechanism

(6) they provide structure and are continuously updateding for risk reassessments

Some risk assessment approaches consider the likelihood and consequences of damage, but they do not consider whether failure occurs as a leak or rupture. Ruptures generally have more potential for damage than leaks. Consequently, the risk assessment approach does not shall include consideration for whether a failure may occur as a leak or rupture and a worst-case assumption of rupture consequence scenarios shall be made identified.

Proposed Changes to 5.7(i) Risk Assessment

The removal of paragraph 5.7(i) dealing with weightings is suggested.

The use of weightings is very problematic, creating possibilities for incorrect risk estimates.  They are unnecessary and counterproductive in a modern risk assessment.  However, B31.8S seems to mandate their use in section 5.7 for both prescriptive and performance based.  The difficulties encountered with the use of weightings are discussed below.

A common use of weightings is to create a forecast distribution of future leaks, predicated on past leak history.  This can be realistic in certain cases and for large ‘populations’ of pipeline segments over long periods of time.  When a database with enough events is available and conditions and activities along a pipeline are constant and fully represented by the data, the pre-conceived distribution may be a credible forecaster of population behavior.  However, one can easily envision scenarios where, in some segments, a single failure mode, uncommon in most other segments, should dominate the risk assessment and result in a very high probability of failure estimate but is artificially, and incorrectly, kept low by the use of the population-based weighting. 

Even if the assumed distribution (from which weightings are created) is valid in the aggregate, there will be many locations along a pipeline where the pre-set distribution is not representative of the particular mechanisms at work there.  In fact, the weightings can fully obscure the true threat.  Consider the often very localized effect of a geotechnical threat.  A model using a distribution heavily weighted towards third party damages and external corrosion forces a bias against recognition of geohazard, even when this threat dominates.  Depending on the algorithms used, even if a threat such as landslide was deemed imminent for a certain segment of pipeline, it would probably not be able to numerically dominate the higher-weighted threats.  The model would dilute or perhaps even totally obscure this high probability of failure since the numerical change would be virtually unnoticeable.

In addition to masking failure potential at specific locations, the use of weightings can force only the higher weighted threats to be ‘drivers’ of risk, at all points along all pipelines.  This is rarely realistic.  Risk management can become incorrectly driven solely by the pre-set weightings rather than actual data and conditions along the pipelines.  This is a technical error and contrary to the whole intent of IMP.
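The masking effect described above can be shown numerically. The following is an added illustration, not part of the original column or of either standard: the threat names, weights, scores and annual failure probabilities are all constructed, and combining per-threat probabilities as independent events is an assumption made for the example.

```python
from math import prod

# Population-based weightings, as if derived from historical leak causes (constructed).
WEIGHTS = {"third_party": 0.45, "external_corrosion": 0.45, "geohazard": 0.10}

# Constructed inputs per segment: relative score (0-10) and annual probability
# of failure (PoF) for each threat. Segment B sits on an imminent landslide.
SEGMENTS = {
    "A_typical": {
        "score": {"third_party": 6, "external_corrosion": 5, "geohazard": 0},
        "pof": {"third_party": 1e-3, "external_corrosion": 5e-4, "geohazard": 1e-6},
    },
    "B_landslide": {
        "score": {"third_party": 3, "external_corrosion": 2, "geohazard": 10},
        "pof": {"third_party": 3e-4, "external_corrosion": 1e-4, "geohazard": 2e-1},
    },
}

def weighted_score(seg):
    """Relative model: sum of threat scores multiplied by pre-set weightings."""
    return sum(WEIGHTS[t] * s for t, s in seg["score"].items())

def combined_pof(seg):
    """Probability that at least one mechanism causes failure (independence assumed)."""
    return 1 - prod(1 - p for p in seg["pof"].values())

def driver_weighted(seg):
    """Threat contributing most to the weighted score."""
    return max(seg["score"], key=lambda t: WEIGHTS[t] * seg["score"][t])

def driver_pof(seg):
    """Threat with the highest unweighted probability of failure."""
    return max(seg["pof"], key=seg["pof"].get)

def rank(metric):
    """Segment names ordered from highest to lowest by the given metric."""
    return sorted(SEGMENTS, key=lambda n: metric(SEGMENTS[n]), reverse=True)

if __name__ == "__main__":
    for name, seg in SEGMENTS.items():
        print(f"{name}: weighted={weighted_score(seg):.2f} "
              f"(driver {driver_weighted(seg)}), "
              f"PoF={combined_pof(seg):.4f} (driver {driver_pof(seg)})")
    print("rank by weighted score:", rank(weighted_score))
    print("rank by combined PoF:  ", rank(combined_pof))
```

With these inputs the weighted model ranks the landslide segment below the typical one and names third-party damage as its driver, while the unweighted probabilities rank it first with geohazard as the driver.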

Background

Note that these suggested changes have been requested since before 2016. The ASME B31.8S committee asked for a presentation on the suggestions–DNV and WKMC did that. Then the committee wanted a white paper–the same team submitted that. Then they wanted proposed alternative language–the team submitted that.

Rather than making any progress towards resolution, at least some of these problem issues made their way into an updated API 1160. The team sent suggested changes to that committee too. Neither committee has ever acknowledged receipt nor responded to these concerns.

If there is disagreement on these suggested changes, there should at least be discussion/debate. Unfortunately for the industry, substandard practices have not only continued but are also endorsed by lack of attention to these important issues.
