Risk Assessment Techniques in the Pipeline Industry
During the past two decades, emphasis on pipeline safety has shifted from response to prevention of accidents. Preventive actions have included greater levels of inspection, involvement of the public through communications, and prospective analysis of the dangers presented by pipelines. Pipeline companies also began to use various risk assessment techniques, including hazard and operability (HAZOP) analysis, fault tree analysis, scenario-based analysis, and indexing methods. Most analyses focus on specific factors affecting the probability of pipeline failure (e.g., internal corrosion, external corrosion, pipeline loading) or on the consequences of rupture (such as heat intensity, thermal impact radius, depth of cover). Some of these analyses focus on specific pipeline system components, while a few attempt to take component interdependencies into account. Some of the more commonly used techniques are described below.
The pipeline risk assessment and management approaches that have been published to date, regardless of the methodology used to obtain the probabilities and consequences of processes and events leading to risk, emphasize the calculation of a risk number (i.e., a mathematical product of probability and consequence). Although this calculation allows a quantitative comparison of the effect of different factors on pipeline safety, it is not adequate to define risk to the public. As outlined in Chapter 3, such a risk is better characterized in terms of the three questions posed (known in risk assessment as the risk triplet).
Recently, the U.S. Department of Transportation’s Office of Pipeline Safety (OPS) implemented a new regulatory approach—the Integrity Management Program—that establishes new testing, repair, and mitigation requirements for transmission pipelines and requires pipeline companies to use a risk-based approach for pipeline safety. Under the
program, liquid and natural gas pipeline operators, as a first step, will be required to perform risk assessments on each of their pipeline segments in high-consequence areas. Inspections will be performed by the use of in-line inspection tools, analysis of operating and maintenance records, and direct examination of pipe in selected areas. Risk criteria have been considered in other countries, including societal risk due to land use near pipelines (IGE 2001; Committee for the Prevention of Disasters 1999).
CURRENT APPROACH TO RISK ASSESSMENT IN THE PIPELINE INDUSTRY
Risk assessment is the process of identifying, describing, and analyzing risk with the following elements:
Recognition or identification of a hazard or potential adverse event, perhaps with definition of accident scenarios in which the hazards are realized or experienced;
Analysis of the mechanisms by which an event can occur and the mechanisms by which the event can create loss;
Analysis of the consequences of an adverse event as a function of various factors of design or circumstance; and
Estimation of the likelihood of the sequences of events that lead to the consequences.
According to Muhlbauer (1999), because the risk of pipeline failure is sensitive to unmeasurable or unknowable initial conditions, risk efforts are often not attempts to predict how many failures will occur or where the next failure will occur. Instead, efforts are designed to systematically and objectively capture everything that is known and use the information to make better decisions.
Risk assessments can guide pipeline operators to make decisions and take precautions that allow the risks to be minimized or avoided entirely. Risk management is a systematic focusing of limited resources on those activities and conditions with the greatest potential for reducing risk. In risk management, decision makers take the results from risk assessments and use them to prioritize risk reduction actions. Risk controls can involve measures both to prevent adverse events and to mitigate their mag-
nitude. One reduces the likelihood; the other reduces the severity of impact. Another step in risk management is the monitoring of performance to determine whether risk control measures are effective. The process can be repeated to further address and reduce overall risk.
The first step in defining risk is to identify a potential hazard or dangerous situation and describe the mechanisms by which the hazard can cause harm to people, property, and the environment. Risk is then analyzed for each hazard or hazard scenario. In terms that can be analyzed, risk is defined as the product of (a) severity of impact and (b) the likelihood of impact from an adverse event. The severity of impact, often called consequences, can be expressed in human terms such as fatalities or injuries or some other metric such as dollars lost. The likelihood of occurrence of an adverse event can be estimated with a variety of methods, ranging from prior experience with the frequency of occurrence, perhaps using statistical data of similar events, to computations based on mathematical models. Likelihood can also be determined by examining the probability of the adverse event occurring in a Bayesian sense, a prior perception of probability.
The example of automobile travel can clarify the concepts. The consequences of an automobile crash can be damage to the car and injury or death to the driver or passengers. More than 40,000 Americans are killed in automobile crashes each year, and several hundred thousand more are injured. Fender benders and other minor crashes are even more frequent. From these data, the risk for large automobiles or small, local streets or Interstate highways, fender bender or serious crashes can be quantified. If a person never rides in an automobile, the risk of death, injury, or damage to one’s personal property is zero, except as a nonmotorist (e.g., pedestrian, bicyclist). By similar reasoning, a person who makes a living traveling in automobiles is more likely to experience harm than a person who rides occasionally, even given the differences in driving skill. The difference in the likelihood of experiencing harm is a concept known as exposure. The greater the exposure, the higher the risk.
Data on pipeline incidents are collected and analyzed by OPS for each reportable safety incident. These data provide the number of incidents that result in death, injury, or significant property damage. They also provide the general causes of these incidents, including damage by out-
side force, corrosion, construction defects, operator error, natural forces such as ground movement, and many other categories. At some level of aggregation, the data can be used to determine, or quantify, the risk from various types and sizes of pipelines. On the basis of this experience, one can begin to identify factors that determine risk.
The principle of exposure can be applied to pipelines as well. For an individual who seldom crosses or comes near a pipeline right-of-way—a person who has little exposure—the risk is minimal, while people who live, work, or congregate near pipelines have greater exposure. Exposure is a function of time near a pipeline and effective distance. Exposure to the potential dangers of a pipeline leak or rupture is the result of proximity to the pipeline, natural or man-made barriers, and the mobility of people near the pipeline. People pursuing activities on or near the pipeline that can cause damage to the pipeline have the greatest exposure.
SCENARIO-BASED RISK ASSESSMENT
This category of risk assessment includes a number of methods: HAZOP studies, scenario-based fault tree/event tree analysis, and so forth. These techniques are useful for examining specific situations, and often they are used with other techniques.
In the HAZOP study approach, all possible failure modes are examined, but it is very time-consuming and costly. HAZOP analysis is used in the preliminary safety assessment of new systems or modifications of existing systems. A HAZOP analysis involves a detailed examination of pipeline system components to determine the outcome if a specific component does not function as it is designed to (within its normal parameters). Each parameter (e.g., pressure or flow rate) is examined to identify potential changes in the system that are based on changes in the component parameter.
Fault Tree Analysis
In scenario-based fault tree analysis, the sequence of events is traced backwards from a failure. This technique uses most probable or most severe
pipeline failure scenarios, and then resulting damage is estimated and mitigation responses and prevention strategies are developed.
Fault tree analysis is a method of risk identification and scenario building in which the outcome of an event is traced backward to all possible causes (Mc2 Management Consulting 2004). It is a probabilistic top-down analysis that is used to assess the likelihood of occurrence of an undesired system-level event (e.g., a release of product, an explosion), and it can be used to quantify the risk associated with resulting safety hazards. Factors or combinations of factors that could cause the event are put in a structured logic diagram (which takes interdependencies in components into account). The network branches from the outcome event to individual factors (e.g., failure of pump, failure of switch, no response from operator) in a treelike structure. [Additional information is given by Mc2 Management Consulting (2004), IsographDirect (2004), and Sandia National Laboratories (2004).]
Fault tree analysis can include such factors as natural disasters, human activity, and other externally induced causes. The method can also be used to establish cost-effective troubleshooting procedures based on the factors that are most likely to cause a failure.
Other Probabilistic Risk Assessment Techniques
While fault tree analyses are better suited to examine systems in which the failures of components or processes can be described in terms of pass/fail outcomes (a binary description), they are not ideal for systems in which the processes are not discrete and the outcomes cannot be described simply as pass or fail. (Typically, these are natural events.) Other probabilistic risk assessment techniques have been developed that can consider a range of outcomes of individual processes in a scenario.
An example of scenario-based risk assessment models is the PIPESAFE model (Acton et al. 1998).
Index models use customized algorithms to conduct pipeline risk assessment. There are a variety of index models, including Muhlbauer’s
Risk Assessment Methodology, Consequence Modeling (the C-FER method), and the PipeView Risk Model.
Muhlbauer’s Risk Assessment Methodology
Muhlbauer (1996, x) believes that “data on pipeline failures are still insufficient to perform a thorough risk assessment using purely statistical concepts” and that an assessment using probabilistic theory is not required because the probabilities used in the assessment are of questionable benefit.
A hazard, according to Muhlbauer, is a characteristic that provides the potential for loss; it cannot be changed. Risk is the probability of an event that causes a loss and the magnitude of that loss, and therefore actions can be taken to affect the risk. Thus, when risk changes, the hazard may remain unchanged. Risk can change continuously; conditions along a pipeline are usually changing, and as they change, the risk also changes.
Risk is defined by answering three questions:
What can go wrong (every possible failure must be identified)?
How likely is it to go wrong?
What are the consequences?
In this technique, numerical values are assigned to conditions on the pipeline system that contribute to risk. The score, which reflects the importance of an item relative to other items, is determined from a combination of statistical failure data and operator experience. As do all techniques, this model has a number of assumptions:
All hazards are independent and additive.
The worst-case condition is assigned for the pipeline section.
All point values are relative, not absolute.
The relative importance of each item is based on expert judgment; it is subjective.
Only risks to the public are considered, not risks to pipeline operators or contractors.
In Muhlbauer’s basic risk assessment model, data gathered from records and operator interviews are used to establish an index for each category of pipeline failure initiator (i.e., what can go wrong and the as-
sociated likelihood): (a) third-party damage, (b) corrosion, (c) design, and (d) incorrect operations. These four indexes score the probability and importance of all factors that increase or decrease the risk of a pipeline failure. The indexes are summed. The last portion of the assessment addresses the potential hazards, their probabilities of occurring, and their consequences. The consequence factor begins at the point of pipeline failure, called the leak impact factor. The leak impact factor is the sum of the product hazards divided by the dispersion factor.
This basic model can be expanded to include other modules such as the cost of service interruption, distribution systems, offshore pipelines, environment, failure adjustment, leak history adjustment, sabotage, and stress.
Consequence Model (C-FER Model)
C-FER Technologies developed a model that examines isometric thermal radiation distances to determine a burn radius and a 1 percent fatality radius from a natural gas pipeline break. An assumption of this model is that risk can be expressed as the product of failure probability and failure consequences, and reliability is the complement of failure probability. Probability of failure and consequence calculations are conducted by using two C-FER software programs—PIRAMID, which is used to optimize maintenance and inspection decisions, and PRISM, which is used to conduct pipeline reliability analyses (Zimmerman et al. 2002). The model incorporates three factors: a fire model that relates the gas release to the intensity of the heat, a model that provides an estimate of the amount of gas being released as a function of time, and a heat intensity threshold. The model can be used to determine a zone of impact for a pipeline fire. The equation used in the model relates the diameter and operating pressure of a pipeline to the size of the affected areas, assuming a worst-case failure event (Stephens 2000). The model can also be used to determine how the intensity of heat changes with the distance from the fire. From the model, “circles” around a pipeline fire that have equal levels of thermal radiation can be calculated. (In fact, the distance of equal thermal radiation from a pipeline fire may not be circular, depending on the nature of the gas discharge, obstructions of the jet of
flowing gas, and delays in ignition. For example, the gas coming out of a ruptured pipe may be discharged in a particular direction or upward from the surface depending on the direction of the jet of flowing gas.)
C-FER calculates the degree of harm to people due to thermal radiation by using a model that relates the potential for burn injury or fatality to the thermal load received. A 30-second exposure time is assumed for people exposed to the fire in the open. In this interval, it is assumed that an exposed person will remain in fixed position for between 1 and 5 seconds (presumably to understand what is happening and react) and then run at 5 miles per hour in the direction of shelter. It is further assumed that a person would find a sheltered location within 200 feet of his or her initial position. It is offered that the heat flux that will cause burn injury is between 1,000 and 2,000 Btu/h/ft2 (3.2 and 6.3 kW/m2), depending on the burn injury criterion (e.g., time to blister). The threshold level of heat flux for fatal injury is determined when the chance of mortality is 1 percent; that is, 1 in 100 people directly exposed to this thermal load would not be expected to survive. This heat flux is calculated to be 5,000 Btu/h/ft2 (15.8 kW/m2).
C-FER also calculates a lower bound reliability curve based on the probability of a fatality or injury of an individual standing on the centerline of a pipeline. The third calculation is the cumulative frequency of casualties along the length of a pipeline system, called the FN curve. [See Harris and Acton (2001) for more information on these calculations.]
C-FER models the thermal load on wooden structures leading to ignition and fire. One calculation shows that 5,000 Btu/h/ft2 (15.8 kW/m2) would correspond to ignition in the presence of a flame source in approximately 20 minutes. It calculates that spontaneous ignition at this level of thermal radiation would not occur.
On the basis of these thermal radiation levels, C-FER calculates the radius of a hazard area as a function of pipeline size (diameter) and operating pressure. The graph of hazard area radius versus maximum operating pressure is shown in Figure D-1. A 36-inch-diameter pipeline operating at a maximum pressure of 1,000 pounds per square inch would have a hazard area radius of 750 to 800 feet. A 6-inch-diameter pipeline operating at less than 500 pounds per square inch would have a hazard area radius of less than 100 feet.
By using the approach in C-FER’s report, it would be possible to calculate hazard area distances for a variety of hazard scenarios involving more hardened structures and different accident scenarios.
PipeView Risk is a pipeline risk assessment program that assists pipeline operators in evaluating the current condition of their pipelines and identifying sections of higher risk in order to prioritize maintenance programs (Kiefner & Associates and M. J. Harden Associates 2004). PipeView Risk uses a relative risk ranking model. The analyses are performed by evaluating the physical pipeline attributes (e.g., diameter, grade, and wall thickness) in an algorithm that models the relationship between them. PipeView Risk is designed to be geographic information system (GIS) compatible by starting with an Integrated Spatial Analysis Techniques
(ISAT) database—a family of applications that integrate information from many sources including GIS; the Global Positioning System; pipeline maps; and other operating, monitoring, and maintenance data. The ISAT project was begun at the Gas Research Institute in the mid-1990s.
A number of risk assessment methods are being used by the pipeline industry to prioritize risk mitigation actions. Regulatory agencies in the United States and abroad have developed risk-based regulations and criteria for safe operation of pipelines. While the risk assessment methodologies in use allow scarce resources to be focused on mitigation of the highest-risk items by emphasizing a single risk number, they do not adequately characterize all the dimensions of risk. A broader characterization of risk, as outlined in Chapter 3, will enable state and local policy makers, with input from stakeholders, to make land use decisions in a systematic manner.
Acton, M. R., P. J. Baldwin, T. R. Baldwin, and E. E. R. Jager. 1998. The Development of the PIPESAFE Risk Assessment Package for Gas Transmission Pipelines. Proceedings of the International Pipeline Conference, American Society of Mechanical Engineers, Calgary, Alberta, Canada.
Committee for the Prevention of Disasters. 1999. Guidelines for Quantitative Risk Assessment. CPR18E. The Hague, Netherlands.
Harris, R. J., and M. R. Acton. 2001. Development and Implementation of Risk Assessment Methods for Natural Gas Pipelines. Proceedings of the China Gas 2001 International Conference with Special Focus on Gas Safety, Chongqing, China, Nov. 20-21.
IGE. 2001. Steel Pipelines for High Pressure Gas Transmission. IGE Code TD/1 Edition 4, Communication 1670.
IsographDirect. 2004. www.faulttree.org.
Kiefner & Associates and M. J. Harden Associates. 2004. www.mjharden.com/pipeline/ products/pipeviewrisk.html.
Mc2 Management Consulting. 2004. www.mc2consulting.com.
Muhlbauer, W. K. 1996. Pipeline Risk Management Manual, 2nd ed. Gulf Publishing Co., Houston, Tex.
Muhlbauer, W. K. 1999. Lessons Learned in Pipeline Risk Assessment. Presented at Minerals Management Service Alaskan Arctic Pipeline Workshop, Anchorage, Alaska, Nov. 8-9. www.pipelinerisk.com/WKMConsultancy/RALessonsPaper.pdf.
Sandia National Laboratories. 2004. reliability.sandia.gov/Reliability/Fault_Tree_Analysis/ fault_tree_analysis.html.
Stephens, M. J. 2000. A Model for Sizing High Consequence Areas Associated with Natural Gas Pipelines. GRI-00/0189. Gas Research Institute, Oct.
Zimmerman, T., M. Nessim, M. McLamb, B. Rothwell, J. Zhou, and A. Glover. 2002. Target Reliability Levels for Onshore Gas Pipelines. Proceedings of the International Pipeline Conference, American Society of Mechanical Engineers, Calgary, Alberta, Canada, Sept. 29-Oct. 3.