
An overview of the pipeline risk management process. By now everyone is probably familiar with the most common definition of risk: Risk = Probability x Consequences.
I always like to start with this relationship because it helps us develop a mindset that there are really two large components of risk – probability of failure and consequences of failure.
The new integrity management (IM) rule subtly employs this probability-consequence relationship. Integrity management is really an attack on probability of failure, conducted in high consequence areas. Anything that threatens integrity increases probability of failure and hence, risk. Then we have the high consequence area (HCA) component. Any failure in an HCA will probably be more consequential than one in a non-HCA and hence, riskier. We are to apply the highest IM standards – leading to reductions in failure probability – in the HCAs. This is classic risk management: Risk Mitigation = IM x HCA
I think the best way to begin risk management is to embrace paranoia. There are forces at work at this very instant trying to break our pipelines. Let's list some of them: internal pressure creating stress in the wall and tempting microscopic flaws to grow, a corrosive environment trying to eat away steel, water infiltrating and deteriorating the coatings, Joe Contractor firing up his backhoe, earth movements, erosion, off spec products, fatigue, microbes, etc. We know of all these threats. We constantly inject energy to offset these forces, to keep the system intact. It’s been said, "mother nature hates things she didn’t create." It’s useful to embrace this paranoia because it makes us recognize that a pressurized pipeline is not a natural thing in the world. It won’t continue to exist by itself. That’s an important mindset. We must be vigilant and work to offset the natural forces that are constantly trying to make it go away.
What risk assessment can and cannot do
An important part of this vigilance is risk assessment. There is no universally accepted way to assess and manage risks from a pipeline, but it is being done every day, often very informally. Under IM, our risk management must be formalized.
It is important to recognize what a formal risk assessment can and cannot do, regardless of the methodology employed. The ability to predict pipeline failures (when and where they will occur) would obviously be a great advantage in reducing risk. Unfortunately, this cannot be done at present. Pipeline accidents are relatively rare and often involve the simultaneous failure of several safety provisions. This makes accurate failure predictions almost impossible. So, modern risk assessment methodologies provide a surrogate for such predictions. Assessment efforts by pipeline operating companies are normally not attempts to predict how many failures will occur or where the next failure will occur. Rather, efforts are designed to systematically and objectively capture everything that can be known about the pipelines and their environments, put this information into a risk context, and then use it to make better decisions.
Don’t fear data
Good risk assessment requires data. Megabytes of expensive, resource-consuming data are routinely gathered on pipeline systems. It is a tragedy to not make full use of this. Full use means using this data in the context of other data and continuing to use it until it is refreshed/replaced with newer information. Filing it away, letting it get stale, and forgetting about it (unless an incident happens) is not making good use of data. Today’s computers make large databases manageable and cost effective, so it no longer costs a premium to get to the details.
These are some specific IM data requirements (on a segment-specific basis) listed in the IM regulations. One of the supporting documents for the hazardous liquid regulation says: “Through this required program, hazardous liquid operators will comprehensively evaluate the entire range of threats to each pipeline segment’s integrity by analyzing all available information about the pipeline segment and consequences of a failure on a high consequence area.”
Good risk assessment can and should use large quantities of data. It’s not only the use of individual pieces of data, it’s also the way in which we combine them. Combining all the details reveals things that would otherwise be obscured. But this is really a fairly straightforward thing to do. And, as noted before, in today’s information age, it’s more and more cost-effective.
So, let's talk a bit about risk assessment and the processes behind it.
Familiarization with the building blocks
It’s useful to become familiar with the building blocks of risk assessment. Scenarios, event trees, and fault trees are the core building blocks of any risk assessment. They are not, however, risk assessments themselves. Rather, they are tools that we use to capture our understanding of sequences that lead to failures. They form a basis for any risk model. They aren’t risk models themselves, in my opinion, because they do not pass the risk model tests that I will propose in a moment. HAZOPS and FMEA are also very useful tools especially when you extend your risk assessments to surface facilities like tank farms and pump/compressor stations. But again, these are tools (components) of a complete risk model.
Since conditions along a pipeline are continuously changing, a segmenting strategy will be required. The two main approaches are fixed interval segments (which includes strategies like every mile, between valve sites, etc.) and dynamic segmentation, where a new segment is created whenever a risk variable changes. The fixed interval approach was needed in years past, but with today’s computing environment, the dynamic approach is far superior. With dynamic segmentation, you get iso-risk segments (segments of equal risk). Each segment is unique from its neighbors and you avoid the compromises of having to use average or worst case conditions, as well as the difficulties in getting cumulative risks. I find that risk management is much cleaner when you’ve created these ‘constant risk’ segments.
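A sketch of dynamic segmentation as described above, added here as an illustration and not taken from the author's own tools. The attribute names, mile posts and values are constructed sample data, and a stretch with no record for an attribute is reported as `None` rather than guessed.

```python
from bisect import bisect_right

# Constructed sample data: each attribute is a list of (start_mile, end_mile, value)
# records, surveyed independently, so their boundaries do not line up.
ATTRIBUTES = {
    "coating": [(0.0, 4.0, "good"), (4.0, 10.0, "questionable")],
    "population": [(0.0, 2.5, "rural"), (2.5, 7.0, "dense"), (7.0, 10.0, "rural")],
    "years_since_survey": [(0.0, 6.0, 1), (6.0, 10.0, 5)],
}


def value_at(records, mile):
    """Return the attribute value covering `mile`, or None where no data exists."""
    starts = [r[0] for r in records]
    i = bisect_right(starts, mile) - 1
    if i >= 0 and records[i][0] <= mile < records[i][1]:
        return records[i][2]
    return None  # gap in coverage: unknown, to be treated conservatively downstream


def dynamic_segments(attributes, line_start, line_end):
    """Split [line_start, line_end) wherever any attribute changes value."""
    sorted_attrs = {k: sorted(v) for k, v in attributes.items()}
    # Every record boundary inside the line is a candidate breakpoint.
    cuts = {line_start, line_end}
    for records in sorted_attrs.values():
        for start, end, _ in records:
            cuts.update(c for c in (start, end) if line_start < c < line_end)
    cuts = sorted(cuts)

    segments = []
    for a, b in zip(cuts, cuts[1:]):
        values = {k: value_at(v, a) for k, v in sorted_attrs.items()}
        # Merge with the previous segment if nothing actually changed at `a`.
        if segments and segments[-1][2] == values:
            segments[-1] = (segments[-1][0], b, values)
        else:
            segments.append((a, b, values))
    return segments


if __name__ == "__main__":
    for start, end, values in dynamic_segments(ATTRIBUTES, 0.0, 10.0):
        print(f"{start:5.1f} - {end:5.1f}  {values}")
```

Three attributes with two or three records each yield five segments, each with one constant set of conditions, so no averaging or worst-case compromise is needed within a segment.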
Handling uncertainty
As noted earlier, we all know the threats. We understand the mechanisms underlying the threats. We know the options in mitigating the threats. But in knowing these things, we also must know the uncertainty involved – we can’t know and control enough of the details to eliminate risk. Just as in weather prediction, at any point in time, there are thousands of forces acting on a pipeline, the magnitudes of which are ‘unknown and unknowable’. (We could easily digress into chaos theory and entropy here.)
It is important to decide early on how to deal with uncertainty in assessing risks. My advice is simple: assume ‘guilty until proven innocent’. Assume the worst until data shows otherwise. This is not only consistent with the conservatism we engineers are taught to use, it also makes very good political sense. I can illustrate why. There are two ways to be wrong in any part of a risk assessment.
Let's look at the worst thing that happens in either case.
When you call something “bad”, it shows up on your “radar screen”. You can investigate, find that it's really “good”, and correct the data. The cost of this error is that you’ve spent some resources in collecting information but the benefit is that uncertainty (and, hence, risk) has been reduced.
In the other case, you’ve already called it “good”. There’s no incentive to go check. You won’t be looking for a problem, so you won’t find the error until an incident occurs or an outside auditor finds it. At that point, the error is often made public with accompanying suspicions that the rest of the model cannot be trusted, and that the company is assuming things are okay, which leads to a general loss of credibility. This is a very high price for a more convenient assumption.
Conservatism is tough to do at times. You’re penalizing a lot of pipe because of the slight chance that some areas have become bad since you last checked. Nevertheless, in my experience, this is the way to go.
It is also important that a risk assessment identify the role of uncertainty in its use of inspection data. Information should have a ‘life span’, reflecting that conditions are always changing and recent information is more useful than older information. Eventually, aged information has little value at all in the risk analysis. This applies to inspections, surveys, etc.
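One way to combine ‘guilty until proven innocent’ with an information life span, added here as an illustration and not the author's own scoring method. The 0 to 10 scale, the linear decay, the five-year life span and the survey records are all assumptions constructed for the example.

```python
from datetime import date

WORST = 10.0  # assumed scale for this sketch: 0 = best condition, 10 = worst


def effective_score(observed, inspected_on, life_span_years, today):
    """Age an inspection result toward the worst case.

    observed is the score the inspection recorded, or None if the segment was
    never inspected. life_span_years is the assumed age at which the result
    carries no weight. Linear decay is an assumption of this sketch.
    """
    if observed is None or inspected_on is None:
        return WORST  # no data: guilty until proven innocent
    age_years = (today - inspected_on).days / 365.25
    if age_years < 0:
        raise ValueError("inspection date is in the future")
    weight = max(0.0, 1.0 - age_years / life_span_years)  # 1 = fresh, 0 = expired
    # Stale evidence can only push the score toward WORST, never below `observed`.
    return weight * observed + (1.0 - weight) * WORST


def rank_segments(records, life_span_years, today):
    """Return (segment, score) pairs, worst first, so unknowns surface on top."""
    scored = [
        (name, round(effective_score(obs, when, life_span_years, today), 2))
        for name, obs, when in records
    ]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample: (segment, coating score from last survey, survey date)
SURVEYS = [
    ("A", 2.0, date(2023, 6, 1)),   # recent and good
    ("B", 2.0, date(2015, 6, 1)),   # same result, but long expired
    ("C", None, None),              # never surveyed
    ("D", 6.0, date(2022, 1, 1)),   # mediocre, moderately aged
]

if __name__ == "__main__":
    for name, score in rank_segments(SURVEYS, life_span_years=5, today=date(2024, 1, 1)):
        print(name, score)
```

Segments B and C rank at the top with the worst score, one because its good result has expired and the other because it was never surveyed, which is what puts them on the “radar screen” for re-inspection.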
Performing risk assessment – four tests
Earlier, we talked about risk assessment tools versus complete models or methodologies. To help distinguish between the two, I’m proposing that any risk assessment methodology be able to pass the following four tests.
"I didn’t know that!" test: gain new knowledge
The risk model should be able to do more than you can do in your head or even with your experts gathered. Most humans can simultaneously consider a handful of factors in making a decision. However, the real world situation might be influenced by dozens of variables simultaneously. Your model should be able to integrate and consider dozens or even hundreds of pieces of information in producing its results.
The model should tell you things you didn’t already know. As a matter of fact, I’ll go so far as to say that if there aren’t some surprises in the assessment results, I would be suspicious of the model’s completeness. Naturally, when given a surprise, you should then be skeptical, and need to be convinced. That helps to validate your model and leads to the next points:
"Why is that?" test: drill down into details
So let's say that the new knowledge is that your line XYZ in Barker County is high risk. You say, "What?! Why is that high risk?" You should be skeptical, by the way. The model should be able to tell you its reasons: maybe it's because there are coincident occurrences of population density, a vulnerable aquifer, and state park lands, coupled with five years since a close interval survey, no ILI, high stress levels, and questionable coating condition, which, taken together, create a riskier-than-normal situation. And you say, “Well, okay, looking at all that, it makes sense.”
Point to a map test: know the risks everywhere
This test is often overlooked. Basically, it means that you should be able to pull out a map of your system, put your finger on any point along the pipeline, and know the risk at that point. Furthermore, you should be able to find out specifically the corrosion risk, the third party risk, the types of receptors, the spill volume, the overall potential consequence, etc. This may seem an obvious thing for a risk assessment to do, but you’d be surprised how many cannot do this. Some have pre-determined their risk areas so they know little about other areas (and one must wonder about this pre-determination). Others do not retain information specific to a given location. Others don’t roll up risks into summary judgments. The risk information should be a characteristic of the pipeline at all points.
"What about ___?": a measure of completeness
Someone should be able to query the model on any aspect of risk. Such as “What about subsidence risk? What about stress corrosion cracking? What about falling aircraft?” Make sure all the risk issues are addressed. All known failure modes should be considered, even if they are very rare for your particular system. You never know when you will be expanding your current pipeline inventory with a system that has that failure mode.
Make sure that the very complex consequence potential is assessed in a way that you want and need. Are all receptors and receptor sensitivities addressed; spill sizes; leak detection; emergency response; product characteristics? One of my favorite ways to look at consequences is the product of four factors: spill x spread x receptors x product hazard. If any of these goes to zero, then there are no consequences, no matter how bad the other three are. It seems to me that any complete consequence evaluation will consider at least these four variables.
It’s a project
Think of the initial establishment of risk assessment and risk management processes as a project that requires all the elements of a good project execution, including conceptualization, design, construction, documentation, and training. These elements are all necessary to ensure a good result.
Strategize and conceptualize – this doesn’t mean complexity. Complexity is not always necessary and might even be a danger sign. Strategizing means that you need to know where you’re going in order to best design your risk systems. Knowing the destination, you can then set up systems, processes, gather resources, set timelines, and perform other management tasks to ensure the project’s success.
Closing points to ponder
A bit of paranoia can be good – remember, a pressurized pipeline is not a natural thing, there are forces at work trying to make it go away.
Keep an open mind to the possibilities that this new knowledge can bring. With formalized risk assessment, you’re still using the same data you’ve had for years, but now it’s being put together in a way that turns information into knowledge.
W Kent Muhlbauer is an internationally recognized authority on pipeline risk management. Techniques developed by Muhlbauer are in use by the largest pipeline operators in the US and around the world.
As owner and principal of WKM Consultancy, Muhlbauer presently advises and consults internationally, specializing in pipeline risk management, pipeline quality management, regulatory compliance, and technical aspects of pipeline designs and operations.