Chapter

6
Risk Assessment
for Pipelines
Chapter 6 provides the concepts, elements, process, and methodolo- Regulatory bodies, government agencies, pipeline safety advo-
gies for assessing the integrity risks in pipelines. The chapter starts cates, and pipeline operators have promoted the continued devel-
defining risk assessment and control as elements of pipeline risk opment and implementation of pipeline risk management. It assists
management allocating its processes within a PLAN-DO-CHECK- both regulatory and pipeline industry goals in improving public
ACT or management system framework. Core risk concepts such safety and environment protection by optimizing the aspects of
as perspectives toward risk, uncertainty, and conservatism, individ- pipeline design, operation and maintenance. Because of this, the
ual and societal risk, and risk aversion are also explained to holisti- risk management programs have been tailored specifically to sat-
cally understand the pipeline risk results. isfy those needs.
The purpose and objectives of the risk assessment is described Managing pipeline integrity risks is an integrated and iterative
following by some examples of applications and outcomes. The process. The management process should also ensure that measures
types of methodologies for assessing risk such as Qualitative, quan- are timely integrated into company’s daily operation. These pro-
titative and semi-quantitative are explained describing their char- cesses are aimed to continuously
acteristics, advantages, limitations and some graphical examples.
The overall process of risk assessment including their compo- • Identify hazards (conditions) and integrity threats
nents and some guidance for planning, data gathering, and integra- • Analyze likelihood of failure and potential consequences
tion are described. Furthermore, sensitivity analysis for identifying • Estimate and evaluate risk
risk reduction options, risk assessment frequency, and documenta- • Determine the measures for reducing risk
tion are explained. • Verify the effectiveness of applied measures
Each of the risk assessment components (i.e., analysis, estima- • Measure identifying continuous improvements
tion and validation, and evaluation), is explained following their
sequential order along the chapter till to the end. Risk (Figure 6.1) increases when either the probability of a fail-
ure increases or the consequences of an event (magnitude of the
potential loss) increases. Pipelines are subject to different hazards,
6.1 Introduction to Pipeline Risk threats, and damage mechanisms through all phases of the pipe-
Management line life. Pipeline integrity threat assessment is discussed in more
detail in Chapter 4. The integrity threats associated with pipelines
Risk management is an integrated management process iden- may induce risks. Pipeline failures will also have impacts in the
tifying, assessing, preventing, monitoring, controlling, and mini- company on both direct costs and revenue, and indirect costs such
mizing or eliminating an unacceptable risk from hazards and as company’s public perception, reputation and the regulatory
threats and associated probability of an event and its associated scrutiny.
consequences. Pipeline risk management is necessary for timely The threat probability may be reduced by implementing effec-
and effectively managing pipeline system assets (e.g., pipeline, tive assessment, monitoring, prevention, and mitigation plans.
components, equipment and any appurtenances) to achieve a
safe, reliable and sustainable pipeline operation protecting the
environment. Example: Probability Reduction Alternatives

• Reduce operating pressure

Example: Decision-Making Processes Applying Pipeline Risk • Repair anomalies
Management Principles • Pipeline re-routing/lowering
• Change operational procedures
• Design • Install protections or system modifications
• Construction
• Operation
• Maintenance and integrity The consequence is typically increasing as opposed to decreas-
• Class location changes ing. Change of the class location designation (e.g., population
• Incidents increase) as to going into a higher-class designation is not con-
• Deactivation, reactivation and abandonment trolled by the pipeline operator. Pipeline consequence assessment
is discussed in more detail in Chapter 5.
138 • Chapter 6 Risk Assessment for Pipelines

The resulting risk reduction programs applied across an entire

company allows integrity staff and senior management manage
local and enterprise risks through a process that is employed with
fidelity. The management review process should verify that the
measures have achieved an acceptable residual risk meeting the
expectations of all stakeholders.

6.1.1 Risk Management Process

Risk management is a process of strategizing appropriate risk
reduction measures and implementing them in the on-going man-
agement of the pipeline activities following with a continuous
Fig. 6.1 Risk: Probability and Consequence improvement process.
As illustrated in Figure 6.2, the risk management process can be
framed with the Quality Management System (QMS) operational
Example: Consequence Increase Cases principle of PLAN-DO-CHECK-ACT. The continuous improve-
ment process on risk involves defining strategies and processes,
• New campground area setting up objectives, goals, and specific targets with well-defined
• New dwellings (e.g., houses, offices, factories) risk performances, and establishing high level of commitment from
• Development of industrial areas senior management and all level of the pipeline organization.
Risk assessment process is an overall process of hazard and threat
Conducting only mitigation actions cannot eliminate risk. identification, risk analysis and risk evaluation to increase reliabil-
Implementation of an effective risk management process can assist ity of a pipeline system. Risk analysis is a structured process for
in reducing pipeline failures by timely identifying high risk pipe- estimation of risk determined from the likelihood and consequence
line segments (risk assessment) and defining measures (risk con- of pipeline failure associated to identified hazards and receptors,
trol). Those measures are discussed in Chapter 11 followed by the respectively. Risk evaluation is the process to review acceptability
Fitness-For-Service assessment in Chapter 12. of risk based on comparison with risk standards or criteria, and the
Risk management reinforces the need for pipeline operators to trial of various risk reduction measures. Risk control is a process
propose risk reduction alternatives, estimate risk values, evaluate of reducing risk by preventing, mitigating and monitoring hazards
(for each alternative) risk profiles, make safety decisions aimed to associated to consequence impacts, and communicating risk man-
control unacceptable risk, and implement corrective actions. agement [1].

Fig. 6.2 Risk Management Process With a Management System Approach

 pipeline integrity management systems – A practical approach • 139

As illustrated in Figure 6.3, risk management essentially embraces special interest groups, individuals, government, regulators and
two main processes, risk assessment and risk control. agencies and pipeline companies.

1. Risk Assessment is conceptually comprised the following 6.1.1.2 Uncertainty and Conservatism Uncertainty and con-
components, servatism during the estimation and evaluation of risks are chal-
a. Risk Analysis and Estimation lenges in the risk assessment that require a reasonable balance.
Planning Risk assessment incorporating a high or low level of conservatism
• Risk goal, objective, and target definitions will contribute to overestimate or underestimate the risk. Some col-
• System definition lected data (i.e., ILI-reported anomaly sizing, detection and char-
• Data gathering acterization, field measurement of flaws, operating over-pressures,
• Data integration etc.) would contain uncertainty that needs to be estimated or quan-
• Hazards and threats, and consequence/receptor tified (e.g., probability density functions) building a reasonable
identification conservatism in estimating risk.
Implementation (Do) Uncertainty arises from risk factors such as limitations of
• Analysis of likelihood and consequence severity and ILI tools, pipe strength, wall thickness measurements, depth of
extent cover, pressure reading, cathodic protection readings, pipe coat-
• Risk estimation ing conditions, growth rate modeling. Uncertainty in the pipe-
• Initial prioritization of the pipeline segments line degradation and changes of pipeline conditions over time
b. Risk evaluation make risk professionals more conservative when estimating
Verification (Check) risk. Quantifying uncertainty using frequency distributions of
• Comparison of risk results versus acceptance criteria events within the risk algorithm may increase the risk assessment
• Determination of acceptable, tolerable and unaccept- credibility.
able risks in the systems It is paramount to determine the level of conservatism and uncer-
• Validation of the risk results from multiple cold tainty suitable to pipeline condition using substantiated assump-
eye review approaches such as Risk Subject Matter tions to enhance the risk assessment. The approach is not to report a
Experts (SMEs), pipeline operations and maintenance larger magnitude of unrealistic risk and apply intentional and non-
and industry performance substantiated bias in the process of risk assessment.
• Validated prioritization of the pipeline segments
• Management of change 6.1.1.3 Individual Risk Individual risk is the measure of risk
2. Risk control includes the following, as perceived by a specific individual that might be located near of
Management Review (Act) the pipeline during a pipeline incident assuming that the individual
• Management review and direction is present 100% of the time. CSA Z662 bases the individual risk
• Prioritized actions: mitigation, prevention and monitoring calculation on the annual probability of the fatality of an individual
• Cost benefit analysis located within the pipeline hazard zone during an incident.
• Risk reduction KPIs: implementation and effectiveness The US Federal regulation 49 CFR 192 [2] and the ASME
• Continuous improvement B31.8S [3] standard describe the potential impact zone, which is
considered as a surrogate for consequence as a function of the out-
6.1.1.1 Perspectives Toward Risk Perspectives of risk such as side diameter, actual maximum operating pressure and a coefficient
likelihood, consequences, outcomes, significance, casual scenario, for natural gas pipelines.
and population may differ from case to case. These differences The Major Industrial Accidents Council of Canada (MIACC)
depends on level of tolerability, acceptability, perception, analysis, issued risk-based land use planning guidelines, which provide pro-
evaluation, pipeline systems location, stratification, jurisdictional cedures on the use of risk assessment in respect to the development
regulations, and modeling including data interpretation, accuracy of land use plans for municipalities and industry. MIACC proposes
and completeness of risk assessment. As illustrated in Figure 6.4, acceptable levels of individual risk in terms of acceptable land
these perspective differences are sources of debate among society, uses. The recommended acceptable levels of public location risk

Fig. 6.3 Risk Management: Risk Assessment and Control

140 • Chapter 6 Risk Assessment for Pipelines

Fig. 6.4 Five (5) Perspectives of Risk

Fig. 6.5 Recommended Acceptable Levels of Public Location Risk for Land Use (Source: Chemical Institute of
Canada [CIC] and Canadian Society of Chemical Engineering [CSChE])

for land use based on the MIACC proposed by the CIC/CSChE and the number of fatalities (N) suffering from a specified level
Process Safety Management division are illustrated in Figure 6.5. of harm in a given population from the consequence of hazardous
fluids being released from a pipeline. Examples of sites that could
6.1.1.4 Societal Risk Societal risk measures the overall risk present societal risk include natural gas pipeline, liquefied petro-
where consequences considered is a function of the expected of leum gas (LPG) pipeline, and liquified natural gas (LNG) pipelines.
fatalities occurring due to a pipeline failure. Societal risk is defined Societal risk evaluation is focused on the estimation of the casu-
as the relationship between frequency of number of fatalities (F) alties of more than one individual being harmed simultaneously
 pipeline integrity management systems – A practical approach • 141

by a pipeline incident. Societal risk usually takes into account the high level of resources, efforts, and costs invested in. Then, pipeline
actual population density sites to characterize the number of indi- companies may need to identify the best benefit-cost scenario (i.e.,
viduals at a given time that could suffer a specified injury or fatal- pipeline replacement, repair and/or pipeline operation at reduced
ity due to a pipeline incident. The societal risk is evaluated as the pressure) to attain their goals and objectives (i.e., the point where
annual probability of failure in an evaluation length. the costs exceed benefits) to achieve a level of acceptable risk.
The above figure illustrates three (3) main risk regions:
Example: The evaluation length could be determined as any area
in Class 2, Class 3 or Class 4 location where the potential impact 1. Unacceptable,
radius (PIR) is greater than 200 meters and/or any area within 2. Tolerable if ALARP, and;
a potential impact containing 20 or more buildings intended 3. Broadly Acceptable region.
for human occupancy. The evaluation length could also be any
1600-m length successive window of a class location-designation The unacceptable risk region contains the level of risk that is not
area along the pipeline segment. tolerable requiring mitigation measures at any cost to continue oper-
ation. The ALARP region is the level of risk that can be tolerated,
but can be further assessed to find a risk level as low as reasonably
Societal risk can be depicted graphically, in the form of F-N
practicable considering the benefits and costs of the additional miti-
curves or numerically, or in the form of a risk integral. F–N dia-
gative measures. The Figure 6.6 shows an ALARP region between
gram is used to represent the historical record of incidents [4]. N,
risk levels of 1 × 10 –3 (workers) and 1 × 10 –6 (ALL). The ideal risk
is the predicted number of fatalities or persons harmed associated
level is within the broadly acceptable region where the risk levels are
with the event while F, is the predicted frequency of occurrence.
negligible or so small that they can be managed by routine mainte-
Mathematically, the equation for an F-N criterion curve may be
nance activities (i.e., ILI, Cathodic Protection Surveys, Right-of-Way
presented as:
Surveillance) and no additional risk mitigation measures are required.
R = F × Na
6.1.1.5 Societal Aversion Societal aversion reflects the social
Where, concerns and reactions to risk. People are more averse to single
F = the frequency of N or more fatalities events with larger consequences than multiple events with lower
N = the number of fatalities fatalities. Society would think differently between the risk of one
a = aversion factor (often between 1 and 2) person being killed every year and the risk of 100 people being killed
R = constant every 100 years in a kilometer of pipeline. Risk aversion is charac-
terized by the society attitude and sensitivity to catastrophic or large
A pipeline operator may adopt societal risk criteria issued by consequence outcomes. It is not the same across societies and the
governmental bodies at the country, regional (e.g., provincial or perception can be different from country to country. (Assumed risk
state) and local level, or criteria developed by industry. Similarly, versus risk imposed upon the society, i.e., flying in an airplane, driv-
pipeline operator companies may establish company-specific soci- ing a car versus living next to a refinery or near a pipeline.)
etal risk criteria based on historical data, if available. Societal aversion captures the society perception of a low prob-
The UK developed risk criteria for advising on land use plan- ability incident causing a large number of fatalities represents a
ning to local planning authorities to address both individual risk higher risk than a higher probability incident causing a proportion-
and societal risk. Guidelines for Developing Quantitative Safety ately lower number of fatalities. Figure 6.7 shows the slope of the
Risk Criteria book provides additional guidance for worldwide risk best-fit line from the correlation between the probability of an inci-
criteria developed by governmental bodies including societal and dent and the associated number of fatalities that can be implied as
individual risk criteria for process management decisions. Figure the degree of aversion [6] of failure consequences from a sample
6.6 provides UK HSE maximum tolerable societal risk and As Low of onshore natural gas pipelines using the Reliability-Based Design
As Reasonably Practicable (ALARP) criteria [4, 5]. and Assessment (RBDA) methodology adopted by Canadian
ALARP is accepted in some jurisdictions not all as a principle industry standard CSA-Z662. Furthermore, the RBDA targets are
for managing risk. In some cases, risk is reduced regardless of the compared with other regulatory and industry jurisdictions.

Fig. 6.6 ALARP—As Low As Reasonably Practicable

142 • Chapter 6 Risk Assessment for Pipelines

Case A: Risk of Failure = (1.25 × 10 –4 failure/km-year) ×

(6 fatalities/failure)
= 7.5 × 10 –4 fatalities/km-year for
the class 1 location

Case B: Risk associated with a low probability of failure

causing a large number of fatalities
Probability of a pipeline failure due to mechanical damage =
1.25 × 10 –6 failure/km-year and consequences of failure in a
class 4 with an impact pipeline length of 800 m.
For 80 single dwelling units, 2 buildings with 4 stores, a motel
intended for human occupancy and two playground occupied
by 20 persons during normal use with a total population density
of 600 persons equates to 600 expected number of fatalities/
Fig. 6.7 Societal Risk Level Comparison failure.

Case B: Risk of Failure = (1.25 × 10 –6 failure/km-year) ×

The following examples illustrate the difference between soci-
(600 fatalities/failure)
etal and aversion risks. The societal risk associated with a number
of fatalities or injured people are quantified in the examples with = 7.5 × 10 –4 fatalities/km-year for
and without aversion factor assumed to be 1.5. the class 4 location

Example: Using No Aversion Factor When no aversion factor is applied in Case A and B, the risk
estimate has the same calculated number.
Case A: Risk associated with a higher probability of failure
causing a proportionately lower number of fatalities
Probability of a pipeline failure due to external corrosion and
mechanical damage = 1.25 × 10 –4 failure/km-year and conse- Using Figure 6.8 to plot the expected number of fatalities (N)
quences of failure in a class 1 location within an impacted pipe- and their frequency (F) from the above example, the risk for Case A
line length of 800 m. and Case B are considered unacceptable because it is above to the
Three (3) dwelling units with a population density of 2 per- maximum tolerable risk societal estimated using BSI PD-8010-3
sons per dwelling within a class 1 location during normal use standard: 2009 [7]. However, the values which might be fallen
equates to six (6) expected number of fatalities/failure. above the ALARP criteria line then mitigations scenarios can be
evaluated.

Fig. 6.8 F-N Diagram—Example of Societal Risk Acceptability Using BSI PD 8010-3
 pipeline integrity management systems – A practical approach • 143

Example: Using Aversion Factor greater than one (1) a = 1.5 Example: Reliability-Based Design Assessment (RBDA)
Applicability:
The Table 6.1 shows that the risk increases exponentially with
the number of fatalities 10 times more with an aversion factor of 1.5 • Design of new pipelines especially those involving novel
(i.e., an aversion factor greater than 1), which means that a lower loading, new technologies and high consequences,
probability of failure of pipeline causing higher number of fatali- • Developing cost effective plans to deal with changes in
ties represent a higher risk values than higher probability of failure original design conditions such as class location upgrades
causing proportionately lower number of fatality. This reflects the or pressure increase,
risk aversion. Recognizing risk aversion associated with multiples • Planning of defect repairs and in-line inspection,
fatalities, societal risk acceptance criteria are usually expressed in • Optimization of damage prevention activities, and
term of F-N relationship. • Reliability-Based assessment for river crossing.
Social media and TV have an impact on society when a pipe-
line incident occurs. However, society has the tendency to ignore
a single fatality or pipeline rupture distributed over time or space,
while the sum of these cause a societal response. For instance, peo- 6.2 Risk Assessment Purpose,
ple paid more attention to the Pacific Gas and Electric Company Applications, Functions,
(PG&E) ruptured in a residential area in the city of San Bruno, and Outcomes
California on September 9, 2010. The accident killed eight (8)
people, injured many more, and caused substantial property dam- The purpose of the pipeline risk assessment is to quantify and
age [8]. Conversely, people tend ignore a pipeline rupture with no estimate the risk levels of pipelines. Some regulations also require
fatalities or environmental damages. companies using the risk assessment to prioritize the integrity
Furthermore, Figure 6.9 shows the reliability targets used by the assessments developing baseline and continual reassessments and
Reliability-Based design and Assessment method [9] adopted by determining additional preventive and mitigative measures.
CSA-Z662 that can be used to make design and operational deci-
sions that meet specified target reliability levels accepting a given
risk level. The benefits of these methods include: Example: Risk Assessment Applications

• Consistent and demonstrable safety levels, • Optimization of pipeline maintenance, inspections and
• Integration of design and operational decisions to reach lowest replacement
cost solutions, • Evaluation of change of service (e.g., type of product being
• Well suited to unconventional pipelines such those in arctic transported), operating condition changes (e.g., pressure,
regions, and those using high strength steel. temperature)
• Upgrade of class location or consequence (i.e., population,
environment)
Table 6.1 Example of Societal Risk Estimation • Increment of existing pipeline reliability
With and Without Aversion • Assessment of safety of the reliability-based pipeline design
with the aim of demonstrating the structural adequacy and
Frequency of Number of Risk of failure® increasing the availability and reliability of a pipeline
fatality (F) fatality (Fatality/
Case (Failure/km-year) (Fatality/failure) km-year)

A 1.25 × 10 –4 61.5 1.83 × 10 –3 Developing a functional risk assessment approach that fits
B 1.25 × 10 –6 6001.5 1.83 × 10 –2 company business model is a challenge in the form of expertise,
resource limitations, and data constraints. Risk analysis and results

Fig. 6.9 Ultimate Limit State Reliability Target for Designed Class Locations 2 to 4 [9]
144 • Chapter 6 Risk Assessment for Pipelines

cannot be interpreted as an exact expression of the structural condi- Risk assessments are typically conducting using the following
tion of the pipeline, its fitness for service, or any other pipeline con- methodologies:
dition. Assumptions, accuracy of information, risks methodology
used and the level of completeness of the assessment of hazards, 1. Qualitative
threats and consequences should play a key role in the company 2. Quantitative
making-decision process. 3. Semi-quantitative
Essential functions are needed to establish a basic risk assess-
ment process with logical and structured approach to integrate effi- Depending on the selected methodology, the following tech-
ciently all available information into a robust risk assessment. The niques may be useful in supporting the risk analysis:
following examples of objectives and expected outcomes provide
the foundations to build a comprehensive risk assessment program • Event trees
or enhance an existing risk model verifying meaningful risk esti- • Fault trees
mates are determined: • Scoring or indexing
• Probabilistic

Example of Essential Risk Assessment Functions: 6.3.1 Qualitative Risk Assessment

Qualitative risk assessment methodology is a relative assessment
• Measures risk in verifiable units, (i.e., consequences: method ranking systems and components relative to each other
$/failure, fatality/failure, Spilled volume/failure), based on subject matter expertise and score or index modeling.
• Calculates failures probabilities grounded in engineering Section “Risk Algorithm” illustrates an example of indexing mod-
principles, (i.e., probability of failure calculation based on eling calculation. Qualitative Risk Assessment is also a method for
Monte Carlo simulation), screening analysis of hazards, threats, and receptors for onshore
• Fully characterizes consequences of failure, and offshore pipelines such as decision-tree model. The following
• Profiles risk along a pipeline, are some of the application of qualitative risk assessments:
• Integrates pipeline knowledge,
• Promotes more accurate decision making, • Where the probability of failure and the consequences cannot
• Controls the bias, and be easily quantified,
• Verifies proper aggregation. • Identification of dominant hazards and threats,
• Integrity planning including segment ranking and optimiza-
tion of maintenance activities,
Example of Expected Outcomes: • Scheduling of hydrostatic, inspection intervals and repairs,
• Pipeline pressure increase and class location designation change,
• Efficient and transparent risk modeling, • Performance of drill-down and data analysis for contributing
• Accurate, verifiable and complete risk results, risk factors,
• Improved understanding of actual risk, • Prioritization of integrity mitigation, prevention and monitor-
• Risk-based inputs to guide integrity decision making— ing measures, and
true risk management, • Input for developing pipeline integrity Key Performance
• Optimized resources allocation leading to higher level of Indicators (KPI).
public safety,
• Appropriate levels of standardization facilitating smoother This methodology has a more limited use, and its limitation
regulatory audits, and is based on type of pipeline segment, and the availability of data
• Expectation of regulators, the public, and management to conduct the analysis. Qualitative risk assessment requires the
fulfilled. estimation of relative probabilities and consequence severities in
broad groups such as very high, high, medium, and low, as illus-
trated in Figure 6.10 and the example below. Although you can
use any number of groups, you will probably not be able to assign
6.3 Risk Assessment Types with sufficient confidence more than five failure probability and
consequence severity groups. This approach is often compelled to
The selection of the optimal method depends on several factors, use subjective likelihood based on intuition and expertise given
such as the following: the partial or non-representative data. These constitute the major
source of uncertainty in the risk profile and evaluation.
• Expectation/Purpose of the risk assessment
• Examples: pipeline segment ranking for ILI, analyz-
Example: Priority Categories Shown in the Qualitative Risk
ing cost-effective risk reduction, selection of mitigation
Matrix
actions to reduce risk
• Objective of the IMP
VERY HIGH or “Unacceptable Risk”: It should be mitigated
• Available resources and number of pipeline segments to study
immediate with engineering and/or administrative controls to a
• Level of effort in gathering and processing data
risk ranking of Low or Very Low. For instance, line replacement
• Complexity of the analysis and time to conduct the assessment
for a pipeline with a leak or pressure reduction for a pipeline
(e.g., months, years)
with anomalies with a depth greater than 80% wall thickness.
• Nature, quality and availability of information and data
 pipeline integrity management systems – A practical approach • 145

Fig. 6.10 Example of Qualitative Risk Matrix and Significance

Fig. 6.11 Example of Risk Profile From the Qualitative Method

Qualitative Risk Assessment advantages over other methods

HIGH: It is should be mitigated with engineering and/or
include the following:
administrative controls to a risk ranking of Low or Very Low
with a specific time frame, such as between 6 months and a year.
ALARP approach can be applied to reach a tolerable risk. For • Use subjective weights, scores, and measures in risk estimation.
instance, pressure reduction and perform a scouring analysis in • Relies on qualitative data from other studies, expert opinions,
a pipeline exposed under a creek, or conduct a HDD under a and personal experience.
river crossing for an exposed pipeline under a river containing • Both probability and consequences is not a measurable quantity.
cracking anomalies. • Criterion relies on subjective scores and weights.
MEDIUM: It should be mitigated with engineering and/or • Easy to perform and helps eliminate non-issues.
administrative controls to a risk ranking of Low or Very Low • It is less accurate and lacks reproducibility and consistency.
with a specific time frame, such as between one (1) and three • Terminology used is barrier to communication: probable,
(3) years depending on mitigation action difficulty. For instance, unlikely, extremely unlikely.
repair features failing within a time period of two years. ALARP • Vulnerable to criticism and undermines effort to
can be applied. standardization.
LOW or “Acceptable Risk”: Should be monitored and verified
on a continuous basis that procedures or controls are in place.
Figure 6.11 is a risk level profile from an indexing modeling
No mitigation required for risk reduction. However, prevention
called relative risk assessment, a matrix plot representing the likeli-
actions might consider improving process. For instance, revise
hood and consequences indexing levels, and the SCC index lev-
integrity procedures every two years or running an ILI tool for
els showing the SCC drives (variables) that contribute to the SCC
corrosion monitoring with an interval of five years.
index results [10].
146 • Chapter 6 Risk Assessment for Pipelines

6.3.2 Semi-Quantitative Risk Assessment 6.3.3 Quantitative Risk Assessment (QRA)

Semi-quantitative is a term that describes any approach that A Quantitative Risk Assessment is defined as a formal and
has aspects derived from both the qualitative and quantitative systematic risk methodology of identifying potentially hazard-
approaches. It is geared to obtain the major benefits of the previous ous events, estimating the likelihood and consequence of those
two approaches (e.g., speed of the qualitative and rigor of the quan- events, and expressing the results as risk to people (employee
titative). Typically, most of the data used in a quantitative approach and public), the environment, and the business. It is a probabi-
is needed for this approach but in less detail. The models also may listic risk assessment approach. This probabilistic approach is
not be as rigorous as those used for the quantitative approach. The more scientific, statistical, technical, formal, quantitative, and
results are usually given in consequence and probability categories objective. Ideally, the probabilistic risk assessment is based on
rather than as risk numbers but numerical values may be associated objective likelihoods such as pipeline failure rates inferred from
with each category to permit the calculation of risk and the applica- statistical data and theories.
tion of appropriate risk acceptance criteria. Population risk or risk of fatalities or injuries is the quantifica-
As illustrated in Figures 6.13 and 6.14, description of prob- tion of the risk to population that might be impacted by a certain
ability of failure may be estimated in a quantitative approach and hazard surrounding the pipeline. Quantitative risk assessment uses
consequences might be expressed in a relative ranking. In a semi- two (2) concepts: individual and societal risk to quantify the risk
quantitative approach, different scales are used to characterize the as measured by the combination of probability and consequence of
likelihood of adverse events and their consequences. Analyzed failure with the number of people affected by a hazardous phenom-
probabilities and their consequences do not require accurate mathe- enon (e.g., fire, explosion, toxicity).
matical data. The objective is to develop a hierarchy of risks against Quantitative Risk Assessment advantages and disadvantages
a quantification, which reflects the order that should be reviewed over other methods include the following:
and no real relationship between them. The combination of the two
models can be a solution in some cases, combining the specific • Require parameter data with probability density function dis-
advantages of each and decreasing their disadvantages. tribution, deterministic and stochastic approaches

Example: A typical risk profile for a liquid pipeline transmission is illustrated in Figure 6.12 showing the variation of risk units’ per-
centage for four main threats (i.e., ERW-Manufacturing threat, Mechanical Damages [MD] threat, External Corrosion [EC], and Stress
Corrosion Cracking [SCC] threat), consequence impacts, and the sum of all risk in terms of Total Risk Units. Such a plot identifies
high-risk segment due to two threats, SCC and ERW threats, as well several segments of pipeline with joints exceeding the pipeline risk
criteria.

Fig. 6.12 Example of Risk Profile From a Semi-Quantitative Risk Method

 pipeline integrity management systems – A practical approach • 147

Fig. 6.13 Example of Semi-Quantitative Risk Matrix

Fig. 6.14 Example of Categorization of Consequences

• Both probability and consequences must be a measurable 6.4 Risk Assessment Process
quantity
• It is the process of using objective or quantitative measures to 6.4.1 RA (Plan)
estimate a risk Planning phase is the preliminary step to conducting the risk
• Provides risk scenario(s) and relies on quantitative data from assessment by establishing the scope and context for risk assessment
other studies, and expert opinions for the risk model aligned with the company policies, goals and objectives as well regu-
• Provide relatively accurate estimates and it is defendable to lations and codes. This phase may involve an information sharing
the stakeholders and consultation process with risk advisors, decisions-makers, risk
• Quantify risk associated with defined scenarios (i.e., line consulting companies, personnel of different company divisions, and
replacement vs repairs) various stakeholders prior to conducting the actual risk assessment.
• Easy to quantify a cost/benefit analysis for risk reduction Companies clearly ought to define risk assessment goals, objec-
• Requires thorough scientific review. Quantitative risk tives, and targets to determine its success in identifying the risk
assessment levels and the actionable measures. Companies also should identify
• May be too complex for stakeholders failure the integrity threats and pipeline release type (i.e., leak, large
• Requires data that not always available leak, and rupture) causing a consequence applicable to the selected
• Relies on comprehension of mathematical methods pipeline system factoring the safety margins (i.e., 1.25% of MAOP),
risk limits (i.e., 0.3 × 10–6 fatality/year for sensitivity institutions)
Table 6.2 compares the purpose, type of method, typical process and expected cost effectiveness (e.g., benefit/cost ratio).
used, and acceptance criteria for determining the Scenario-based, Definition of the pipeline system, segments, data gathering and
Index/Relative and Probabilistic/Quantitative Risk Assessment integration, risk criteria and acceptability, and hazard-threat identi-
Methods. fication processes are required in this phase. The Hazard and Threat
 148

Table 6.2 Differentiating Scenario-based, Index/Relative and Probabilistic/Quantitative Risk Assessment Methods

Scenario-Based Model Probabilistic/Quantitative or Probabilistic

Concept Risk Assessment Index/Relative Risk Assessment Risk Assessment
Main Objective As per API 1160-2013 section 7.2, Scenario-based As per API 1160-2013 section 7.2, Relative As per API 1160-2013 section 7.2,
model uses sequences of events that lead to the Risk Assessments use algorithms with Probabilistic Risk Assessment determines
risk of release, which can be calculated either variable, attributes and weighting factors to the probability of occurrence and
by fault tree or event tree methodologies. provide scores for ranking purposes. The consequence (e.g. cost) of integrity-
method uses all applicable integrity threats related events (e.g. damage or release).
• Chapter 6 Risk Assessment for Pipelines

and consequences to schedule integrity Probability of Exceedance is typically used

assessments, mitigation and re-inspections for mitigating threats following an In-Line
Inspection.
Type of method Qualitative or semi-quantitative Qualitative or semi-quantitative Quantitative
Process • Identify hazard (e.g., flammable, combustible, • Identify threats (e.g., corrosion, dents, • Identify Hazards/Threats
explosive, pressure, human factors, toxic) cracking) and associated hazards/conditions • Determine Probability and Frequency of
• Hazard evaluation: (e.g., loss of power, corro- (e.g., coating damage, ROW activities, pres- Failure
sion, overpressure, overflow) sure cycling) and consequences • Quantify Consequences in monetary
• Hazard controls (e.g., safety devices, design, • Assign qualitative weights for threats and terms
or procedures) consequence types based on subject matter • Determine Individual Risk
• Define risk scenarios (credible and specific) experts • Determine Societal Risk
• Determine consequences • Assign scores to attributes per Hazard (e.g., • Compare against Acceptance Criteria
• Determine probability fault or (event tree) coating damage) leading to a threat (e.g., Identify whether the calculated risk is
• Determine risk using the matrix corrosion) broadly acceptable or tolerable
• Assess the risk for the defined scenarios • Calculate likelihood per threat and • Determine Cost Benefit Analysis for each
• Define preventative and mitigation measures consequence mitigation alternative of the ALARP
• Determine risk drivers region risks
• Define ranking based on risk, likelihood and • Make decisions
consequence
• Validate with SMEs
Acceptance • Likelihood and consequence levels • 2 Standard deviation of likelihood per threat • Leak, Rupture, Serviceability and Fatigue
criteria • Risk categories (significance) and risk score frequency Targets or Industry Failure Frequency
• Risk significance matrix • Acceptable Risk (numeric)
 pipeline integrity management systems – A practical approach • 149

identification are detailed in the next section. W. Kent Muhlbauer, Multiple data alignment and location referencing are accuracy
in his book Pipeline Risk Assessment [11], provides also risk assess- critical for data upload and migration of pipeline systems. Layering
ment techniques in the “Risk Assessment Building Block” section, of data using the same referencing method enables the integrity
which describes various ideas how to understand and measure risk. professional to conduct integrated analysis leading to better criti-
cality and risk assessment. A key in the analysis is spotting changes
6.4.2 Pipeline System Definition and entering new data into the assessment process. Integration
The following are some recommended elements for the defini- can be accomplished in many different ways, i.e., manual, manual
tion of the pipeline system: within GIS, or automatic within GIS. Pipeline operators are usu-
ally employing GIS methods. The integration helps reviewing
1. Identify the pipeline systems including subsystems and par- whether areas of interest may be producing incorrect analysis by
allel loops data cross-reference.
2. Characterize the pipeline sections using physical boundaries An integrated data management provides the following benefits:
(e.g., class location changes, valves, pump stations)
3. Define the pipeline segmentation methodology (e.g., fixed • Quality control
pipe length, pipeline attribute changes) ensuring credible • Standard data format
failure scenarios are not diluted due to over-segmentation • Standardization of process
4. Anticipate the available data when segmenting the pipeline • Same answer regardless of who performs the analysis
while keeping in mind the objective of the risk assessment • System-wide implementation of upgrades and changes
(e.g., In-Line Inspection schedule prioritization). Avoid • Ability to measure performance
either excess modeling or excess data collection not related • Facilitates communication among teams
to the objectives. • Efficient and consistent decision making

6.4.3 Data Gathering Example: Data Type and Categories for Risk Assessment
The next step is performing an inventory of the existing pipe-
line system data related to the risk assessment objectives. The • Pipeline hierarchy, sections and segments
amount and type of data to support risk assessment will mainly • Maps, alignment sheets, digital photos, stationing
vary depending on the integrity threats (e.g., metal loss, cracking, data
incorrect operations) being assessed while the consequence data • Pipe design attributes
may tend to be the same for multiple types of risk assessment. • Pipeline and facility specifications and operating
Data gathering can be accomplished by use of Geographical information (e.g., pipe grade, diameter, pressure lim-
Information Systems (GIS) tools capturing databases, spread- its, elevation profile, leak detection system)
sheets, and external sources. The Pipeline Open Database • Construction and Installation: hydrostatic failure, stresses
Standard (PODS) [12] provides industry recognized-database and duration of tests
architecture for storing pipeline and integrity data that can be • Quality assurance reports
accessed by software using a GIS platform. The ArcGIS Pipeline • Pipeline operation: fluid composition, pressure and tem-
Data Model (APDM) is a geo-database model derived from other perature spectrums, history
database architectures such as PODS; APDM is intended to be a • Maintenance and Integrity
template, not a standard. • Release and repair history; pipeline inspections
Gathering is also conducted by extracting data from maps, align- • Class location changes, right-of-way encroachments
ment sheets, pipeline spreadsheets sourced by companies and pipe- • Integrity threat susceptibility and identification reviews
line industry. In some cases, interviews with stakeholders, company • Corrosion control history: internal and external
personnel from operations, contractors, maintenance department, • Inline inspection and hydrostatic results
and other resources are useful in gathering data. • Cathodic protection: rectifier readings, soil resistivity
readings, Direct Current Voltage Gradient (DCVG)
6.4.4 Data Integration records
Data integration requires the definition of a common pipeline • Repair and maintenance records back from pipeline
location reference that allows data from various sources to be accu- inception
rately associated and integrated. For instance, in-line inspection • Mitigation, monitoring and prevention programs
(ILI) data is referenced to the distance traveled along the inside of • Future operation (e.g., new/changes in the integrity threats)
the pipeline (i.e., chainage from ILI wheel count/odometer) versus • Expected consequence changes (e.g., new neighborhoods/
the right of way surveys such as rectifiers, close interval survey developments)
(CIS) and ground patrolling that may be referenced to stationing. • Industry information related to pipeline failures
The following are some of the considerations for data integration:

a. Data models for upload and process for sustainment

6.4.5 Hazard, Threat, and Consequence
b. Location referencing
c. Multiple data alignment Identification
d. Quality control for data migration The identification of hazards (e.g., coating damage) helps in
e. User data analysis and validation either anticipating or further assessing integrity threats (e.g., cor-
f. User data update and sharing rosion) to the pipelines. Similarly, the receptors (e.g., populated
g. Data retention and maintenance areas, water bodies) need to be identified prior to establishing the
potential extent and severity of the consequences of a failure [13].
150 • Chapter 6 Risk Assessment for Pipelines

Sections 6.5.1 and 6.5.2 start discussing the assessment of for risk reduction. Decisions about selecting options to reduce risk
integrity threats and consequences. Furthermore, Chapters 4 will be part of the risk management process.
and 5 explain in detail the Hazard, Threat and Consequence and
Assessment process. 6.4.9 RA (Check)

6.4.6 RA (Do) 6.4.10 Validation of Risk Results

Validation of the risk assessment should be conducted by pipe-
6.4.7 Risk Analysis line-specific personnel and Subject Matter Experts (SME) from
Risk analysis is the first process that determines the probability multiple disciplines such as risk, integrity, operations, leak detec-
of failure of the integrity threats and their consequences (e.g., leak, tion, right-of-way inspection, and surveillance. This validation may
large leak, or rupture) per segment to determine the risk per pipeline involve running multiple iterations adjusting the risk model and
segment and along the profile of the pipeline. This qualitative risk their results; particularly, cases where the risk values and ranking
analysis can be based on the relative or indexed risk algorithms. are not representative of the actual reality portraying the risk to be
Risk factors per integrity threat and consequence are defined and unrealistically too high or too low, and an inverse ranking. The val-
data requirements mapped out to start the data gathering process. The idation process should ensure that the model and its results captures
risk factor data is expected to have an intrinsic uncertainty (e.g., low, to the extent possible, the phenomena causal and posing barriers of
medium, high) that need to be understood for providing context to the risks (e.g., design, construction, operations, and environment). The
risk analysis results. Even within the same integrity threat category validation should be able to reaffirm, modify, and reject risk results
(e.g., corrosion), differences in uncertainty and timing of the input data whether their mathematical rationale is logical.
(e.g., accuracy and year of In-Line Inspection –ILI-, Non-Destructive
Examination –NDE-, cathodic protection and coating surveys) may 6.4.11 Risk Evaluation and Sensitivity Analysis
not accurately describe a physical phenomenon (e.g., corrosion Risk evaluation process identifies the pipeline segments meeting
growth) impacting the representativeness of the risk analysis. and exceeding the risk acceptance criteria and proposing alterna-
If the risk factor data uncertainty is quantified and timing syn- tives for risk reduction. The evaluation process uses the ranking
chronized, risk may change in some pipeline segments over oth- of the pipeline segments by risk, probability, and consequence to
ers shifting more appropriately the risk ranking. This may cause identify the risk drivers of those highly ranked segments for sensi-
higher estimated risk value in some pipeline segments as a result tivity analysis purposes.
of the applied uncertainty, but causing the user to seek for better Sensitivity analyses can be conducted by increasing (causal) or
data to reflect their perception, but not necessarily for the need to decreasing (barrier) risk drivers. Furthermore, the effects of the
conduct risk reduction. It is a sound practice to separate higher risk uncertainty from the input data on risk can be understood and sim-
segments with high data uncertainty or unknowns from the seg- ulated by dynamically changing (up and down) the values of the
ments with higher risk values due to actual conditions. These two risk factors within an expected variability range and determining
(2) cases may have different risk management strategies (e.g., risk the range of change in risk. Sensitivity analysis can also help fine-
reduction, risk data gathering, and monitoring). tuning the data input associated to educated opinions or weighting
Risk drivers are the risk factors with the highest contribution to the factors used in the model.
estimated risk for a given pipeline segment. For instance, SCC risk
factors such as coating type (e.g., tape disbondment), cathodic pro- 6.4.12 RA (Act)
tection (e.g., ineffective), stress level (e.g., >60% SMYS) may be the The selection of a risk reduction effective plan is the next step
factors with the highest contribution to the estimated risk for a given that involves balancing the costs and efforts against their benefits.
segment becoming the risk drivers. Sometimes, true risk drivers con- Regulatory, legal, and other requirements such as safety of people,
sistently identified by the pipeline operator over time do not show up and the protection of the natural environment should be considered
on the initial risk model results requiring its iterative optimization. in selecting the most appropriate preventive and mitigation actions
to reduce risk.
6.4.8 Risk Estimation The evaluated risk may lead to a decision to perform further
Risk estimation provides the outcomes of probability and con- analysis or not to treat the risk in any way other than maintaining
sequences analysis and estimated risk results, and requires valida- controls of existing risks. This decision would need to be tested
tion of the risk model formulation (i.e., algorithm) and input data against company’s values, goals, and objectives.
creating make-sense and meaningful results. The validation of risk
model reviews the following aspects:
6.5 Risk Analysis
a. Formulation applicability and the completeness of the variables Risk analysis is a structured process used to identify both the
b. Data input used in the model identifying the level of uncertainty likelihood of integrity threats and extent of their consequences.
c. Make-sense of the estimated risks Risk analysis answers four fundamental questions [14]:

The frequency for evaluating risk of pipeline segments can be a. What can go wrong?
defined on either fixed interval (e.g., every 5 years) or driven by b. How likely is it?
change in the conditions (e.g., new consequence areas, higher/lower c. What are the consequences?
pressure, and service/product change or pipeline acquisitions). d. What is the level of risk?
The results of the risk assessment should be documented and
presented indicating the risk methodology, sources of data, assump- Risk analysis provides an input for risk evaluation and control
tions and challenges, pipeline segment ranking by risk, probability, providing the basis for making decisions involving different types
and consequence indicating their risk drivers, and options identified and levels of risks.
 pipeline integrity management systems – A practical approach • 151

As illustrated in the example in Figure 6.15, a risk analysis could Existing controls and their effectiveness and efficiency should
involve: also be taken into account. The way in which consequences and
likelihood are expressed and the way in which they are combined to
• Identification of hazards, integrity threats such as scenarios determine a level of risk should reflect the type of risk, the informa-
associated with pipeline materials (i.e., low Charpy V-Notch tion available and the purpose for which the risk assessment output
values for pre-1970 vintage pipelines), system, process and is to be used. These should all be consistent with the risk criteria. It
facilities (i.e., overpressure in a refined-product pipeline). is also important to consider the interdependence of different risks
• Determination of undesirable consequences to human, envi- and their sources [1].
ronmental, and economic impacts such as thermal radiation The confidence in determination of the level of risk and its sensi-
flux for fires (jet fire, flash fire, or fireball) in a propane termi- tivity to preconditions and assumptions should be considered in the
nal or pipeline ROW nearby a playground factoring both the analysis, and communicated effectively to decision makers and, as
existence and location of receptors. appropriate, other stakeholders. Factors such as divergence of opinion
• Estimation of possible risk scenarios among experts, uncertainty, availability, quality, quantity, and ongoing
• Identification of potential safeguard options (e.g., mitiga- relevance of information, or limitations on modeling should be stated.
tion, prevention, monitoring) needed to minimize the possible Risk analysis can be undertaken with varying degrees of detail
consequences depending on the level of consequence, the purpose of the analysis,
and the available information, data and resources. The analysis can
be qualitative, semi-quantitative, or quantitative. Risk estimation is
to estimate the total risk by determining the Probability of Failure
(POF) by the Consequence of Failure (COF).

6.5.1 Integrity Hazard and Threat Assessment

Hazard and Threat Assessment is the first element in the process
of risk analysis. Its prime purpose is to identify hazards leading to
threats that may become failure modes (causes) requiring the esti-
mation of the Probability of Failure (POF).
Anomalies or defects causing modes of failure are introduced
into a pipeline at any point during manufacturing or construc-
tion process or developed by contributing factors such as corro-
sion or cracking during in-service. They may worsen up over time
under specific operational or environmental conditions via failure
mechanisms such as fatigue-induced or environmentally-assisted
cracking causing in-service pipeline failures. Table 6.3 provides
examples of pipeline failure mechanisms. Please refer to Chapter
4 Integrity Hazard and Threat Assessment of this book for details.

6.5.2 Consequence Assessment

Consequences can be determined by modeling the outcomes of
an event or set of events, or by extrapolation from experimental
studies or from available data. Consequences can be expressed
in terms of tangible and intangible impacts. In some cases, more
than one numerical value or descriptor is required to specify conse-
quences for different times, places, groups, or situations.
Leak and rupture scenarios are caused by different failure modes
and mechanisms. Pipeline release scenarios could be leak, large
leak and rupture causing different types of consequences. A leak
scenario may lead to have a higher Probability of Failure; whereas,
a rupture scenario may lead to higher consequences depending on
the detection capabilities of the system or public discovery. The
rupture scenario could drive the risk outcomes as a worst-case sce-
nario; however, leaks may go undetected for a longer period of time
causing a large consequence.
The consequences of failure can be expressed in terms of popu-
lation density and/or concentration, the probability of ignition and
the size of the hazard area. The hazard area can be defined as the
area within which people would potentially be exposed to a lethal
heat dosage [13]. A range of mathematical models is available to
assist in estimating the consequences. Consequences models com-
monly used in the oil and gas pipeline industry are overland flow
modeling, source term modeling, jet fire, BLEVE, flash fire, vapor
Fig. 6.15 Example of Data for cloud explosion, and toxic gas dispersion. Please refer to Chapter 5
Integration (Source: from ASME B31.8-2014) Consequence Assessment of this book for details.
152 • Chapter 6 Risk Assessment for Pipelines

Table 6.3 Example of Failure Mechanisms

External Material
Corrosion Cracking Geohazards damage manufacturing Others
External corrosion Stress corrosion Scouring and bank First-party Defective long seam Fire
erosion damage weld
Internal corrosion Hydrogen induced Mass wasting Contractor Defective girth weld SCADA
(e.g., landslides) Second-party malfunction
damage
Sulfide stress Delaying cracking Subsidence Third-party Wrinkle, Human errors
corrosion (mechanical damage Buckle
damages) Ripple
Microbiological Immediate cracking Seismic Vandalism Defective pipe body Lightning
induced (mechanical (i.e., lamination,
corrosion (MIC) damages) slivers)

Example of Input for Consequence Modeling

6.6.2 Estimated Risk
Estimated risk is the exposure determined from the frequencies
• nature of fluid (e.g., flammable, toxic, reactive, etc.), of occurrence and consequences of the identified integrity threat.
• pipeline design, buried-or-aboveground topography, The estimated risk is calculated by multiplying the Probability of
• environmental conditions, Failure (POF) by the Consequence of Failure (COF). The POF is
• size of hole or ruptures, based on the probability or likelihood that an event or condition
• overland flow modeling, will result in failure, tempered by the confidence in the pipeline
• dispersion of fluid, data. Developing a balanced ROF component requires more data,
• probability of ignition and explosion following ignition, susceptibility and identification analysis; whereas, COF is some-
• toxic effects, what more straightforward relying on geographical data, modeling,
• ground/water pollution. and validation.

6.6.3 Comparison Criteria for Risk Evaluation

6.6 Risk Estimation
6.6.4 Risk Algorithm
Risk estimation measures the level of effect on safety, environ- Risk Algorithm is a set of logical rules that uses data and informa-
ment, and business for a specific integrity threat estimating the risk tion involving threats, hazards, variables, and attributes of variables
values for the purposes of identifying whether they are broadly in a qualitative risk approach to estimate a meaningful risk score.
acceptable, tolerable, or unacceptable. Developing a risk algorithm that reflects pipeline company’s needs is a
challenge. The pipeline industry has been introducing changes to risk
6.6.1 Risk Factors and Drivers algorithms in order to achieve risk results reflecting closely reality.
Risk factors (e.g., hazards, threats, or consequences) represent Risk algorithms can range from very simple screening tools and
some conditions related to risk, and these are estimated for a par- relative algorithms to an enormously complex set of logical rules,
ticular segment of pipeline. Selecting appropriate and realistic risk equations, and combination of them. Those algorithms can be cre-
factors will drive to clear risk outcomes avoiding subjective scores. ated using a simplistic spreadsheet or vendor’s solutions, which
Identification of adequate risk factors on both parts of the risk equa- provide configurable software solutions for running complex quan-
tion (i.e., probability and consequence) will determine representa- titative risk and qualitative risk models. Depending on the com-
tive risk estimation. Some risk factors may contribute higher to risk plexity of the risk models, the results of estimated risk should be
and considered as “risk drivers,” which can also used as barriers to easy to understand and defend, and successfully pass regulatory
help in reducing the risk. scrutiny providing transparency and justification to the risk results.
Model building, application, evaluation, and understanding are
therefore the foundation of the risk assessment. New algorithms
Example of Risk Drivers are now more intuitive, easier to configure with built-in data that
can dynamically integrate spatial, geographical, and tabular data at
• Depth of Cover (DoC) may be a risk driver directly contrib- runtime to maximize the goal of data integration. New algorithms
uting to higher probability for third-party mechanical dam- have the ability and flexibility to show risk results in either relative
age; however, deeper DoC may become the barrier needed terms for qualitative models or absolute terms for fully quantitative
for reducing the chance to access the pipeline by 3rd parties. risk modeling.
• Fracture toughness material property may be a risk driver The completeness and appropriateness of a risk algorithm can
directly contributing to higher probability of seam weld be achieved by
cracking; however, higher Charpy-V-Notch (CVN) values
may become the barrier needed for reducing the cracking
• Using all relevant and available data
growth rate and risk.
• Eliminating hides of effects
 pipeline integrity management systems – A practical approach • 153

• Removing blinded issues 6.7 Risk Evaluation and Sensitivity

• Making appropriate assumptions Analysis
• Understanding unmitigated hazards and threats that a pipeline
can be exposed 6.7.1 Risk Criteria and Acceptability
• Considering all potential mitigation effectiveness, and Risk criteria refer to elements and definitions used for evaluating
• Recognizing the pipeline resistance the risk significance of a given estimated risk related to the com-
pany, industry, or regulatory tolerance. Typically, the risk matrix
This approach definitely leads to accurate risk outcomes for provides the categorization of risk (e.g., acceptable, tolerable,
better risk management decisions preventing releases and enhanc- not acceptable) portraying the risk criteria that reflects the com-
ing the ability to comply with regulations, codes, and standards. pany values, goals, objectives and timing to respond according to
Subject Matter Experts (SME) facilitate the development of risk company’s risk management policy. Each company develops their
algorithms by interacting with the company personnel. The meet- own risk criteria accounting for legal, regulatory and stakeholder
ings are designed to assist the operator in setting up and custom- requirements.
izing the risk algorithm to arrive at a tailored set of evaluation that The way how probability and consequences of failure are
reflects operator’s risk management philosophies. expressed to determine the outcomes of risk assessment should
Generic algorithms as part of a software standard configuration always be consistent with the risk criteria outputs. Comparing the
do not represent any industry minimum standards nor should it be level of risk in the risk evaluation step with risk criteria established
used as recommended risk conditions. However, they can be used should be comparable.
as a reference for customization and identifying basic data require-
ments such as the following:
Example: Consistency Expressing Risk
• Industry incident data
• Industry studies, papers and researches (e.g., PRCI, ASME If probability of failure is expressed as “numerical,” the
International Pipeline Conference papers and industry asso- criteria for that probability should not be expressed as “low,
ciation studies such as CEPA, INGAA, AOPL) medium, or high.”
• International standards, regulations, and codes

The foundation of a successful risk assessment analysis is depen-

dent on company’s ability to accurately define an algorithm that The risk acceptability criteria established and compared with
captures its success and failure experiences specific to design, con- risk outcomes will influence the company decision and ultimately
struction, operation, maintenance, and integrity practices. the risk attitude and actions. Risk criteria are very dynamic over
Throughout an algorithm development process for a qualita- time and should be revised in the continuous improvement pro-
tive risk approach, the following terminology is recommended to cess once mitigation actions are implemented and risk level is
describe key risk facets: reduced.

Example of a Quantitative Risk Algorithm (Indexing Modelling Risk Algorithm)

Calculation of Risk of Failure (RoF) can be accomplished using the indexing modeling risk algorithm shown below. PoF and CoF
indexes can be calculated given weights to the threats, and receptors, respectively. Threat and impact indexes can be estimated given
weights to variables and score contributions to the attributes as illustrated. For instance:

RoF = PoF × CoF

PoF(index) = (% × ECindex) + (% × ICindex) + (% × TPDindex) + (% × Crackingindex) + (% × MFGindex) + (% × EQPindex) + (% × CONindex)

+ (% × IOindex) + (% × SCCindex)

PoF(index) = (0.15 × ECindex) + (0.1 × ICindex) + (0.15 × TPDindex) + (0.15 × Crackingindex) + (0.03 × MFGindex) + (0.08 × EQPindex)
+ ( 0.08 × IOindex) + (0.09 × CONindex) + (0.12 × SCCindex)

CoF(index) = (% × Peopleindex) + (% × Envindex) + (% × Employeeindex) + (% × Financialindex)

CoF(index) = (0.35 × Peopleindex) + (0.30 × Envindex) + (0.15 × Employeeindex) + (0.20 × Financialindex)

ECindex = S (External Corrosion Variable Weight × Score Contribution)

ECindex = (0.04 × Soil Type score) + (0.02 × Environment score) + (0.02 × pH Value score) + (0.03 × MIC location score)
+ (0.03 × Peak Temp score) + (0.03 × Coating Type score) + (0.03 × Coating age score) + …………..
+ (0.02 × Repair score)
154 • Chapter 6 Risk Assessment for Pipelines

Impact of People (IOP)index = S (IOP Variable Weight x Score Contribution)

Threat weights, variable weights and attribute scores are given based on experiences or Subject Matter Experts (SME) and brainstorm
meetings. Interpretation, analysis, and assessments of the threat and impact index contributions to RoF, PoF, and CoF depends on the
maximum and minimum values given for each variable weights and attribute scores.
 pipeline integrity management systems – A practical approach • 155

Examples of Risk Criteria and Acceptability Examples of Risk Acceptability for Indexed Scores Based on a
Distribution Criteria
• ALARP (As Low As Reasonably Practicable)
• Major Industrial Accidents Council of Canada (MIACC) • Statistical Mean (µ): Minimum risk score plus 50% of
• Critical region from statistical analysis (e.g., exceeding the numeric spread between Min and Max score of their sys-
1 or 2 standard deviation of the risk value distribution) tem. This approach makes it a moving target due to the
• Subject Matter Expert (SME) (i.e., Low, Medium, and High) acceptability limit gets recalculated every year.
• Iso-risk equating equivalent risk level/contours across the • Statistical mean + one (1) or two (2) standard deviation.
risk matrix This effectively will encompass 67% or 95% of the data,
• Quantitative risk criteria from adopted region-specific thereby allowing the company to concentrate on reducing
industry risk performance the risk of the top 33% or 5% of the system. This approach
• Fixed risk level translated into target reliability levels to be makes it a moving target due to the acceptability limit gets
achieved based on consequence recalculated every year.
• Risk criteria and acceptability benchmark (e.g., Aviation • Threshold numbers above which risk reduction is needed.
industry) The term “threshold” implies a value that will not change
as the mean of the database changes. Some users have
established these thresholds over time by analyzing known
Risk acceptability refers to the acceptable risk limits or ranges problematic pipelines in comparison to trouble-free pipe-
providing the reference to identify whether a pipeline segment lines. Some of the ways to establish a threshold can be
achieved the risk goals and objectives of the company. Risk accept- either
able limits can be individually established for each integrity threat, • Define a fixed value of the total risk (e.g., 90%)
consequence and associated risk. The probability acceptability can • Regression analyses (e.g., cost and tolerable risk rates)
be either a “fixed” or “ranged numerical value” depending on con-
sequence or resulting from a formulation (e.g., acceptable, critical
region). Figure 6.16 depicts comparison criteria calculation typically
Normal distribution is a representation of the risk, probability used on qualitative risk assessments.
and consequence level values that are used for calculation the com- The coefficient n may be selected as to 1 (67%), 1.28 (80%), or
parison criteria in an indexing modeling risk assessment. 2 (95%) based on the level of aversion desired by the company.

Fig. 6.16 Example of Comparison Criteria

Example: Acceptability Criteria Using a Qualitative Risk Method

As illustrated in Figure 6.17, the red lines depict the acceptability criteria defined by the company as to the mean + two (2) standard
deviations of the likelihood and consequence and risk score distribution.
As illustrated in Figure 6.18, the graphical representation of risk criteria and acceptability for qualitative indexed scores illustrating
the cumulative length (Y-axis) per each of the different risk score ranges (X-axis) achieved from the risk assessment of the pipeline. The
403 m of pipeline segment exceeded the calculated risk acceptability limit (i.e., µ + 2s = 38.91).
156 • Chapter 6 Risk Assessment for Pipelines

Fig. 6.17 Example of Likelihood and Consequence Acceptability Criteria From a Qualitative Risk
Method

Fig. 6.18 Example of Risk Acceptability Criteria Using a Qualitative Risk Method

When the risk analysis process has been completed, it is neces- As illustrated in Figure 6.19, graphical outputs are also available
sary to compare the estimated risks against risk criteria established for displaying the risk analysis results. The results can be also dis-
by the company. The risk criteria may include elements such as played as linear graphs, GIS, and pivot tables. Drill down reports
associated costs and benefits, legal and regulatory requirements, are also used, which can display the variables that are contributing
socioeconomic and environmental factors, concerns of stakehold- the most to the overall risk score as well as the potential reduction
ers. Risk evaluation is used to make decisions about the signifi- in risk score contribution for each of these variables.
cance of risks to the company and whether each specific risk should
be accepted or treated. 6.7.3 Sensitivity Analysis: Risk Reduction
and Benefit/Cost Ratio
6.7.2 Risk Drivers and Drill Down Analysis Benefit-cost analysis provides additional elements for ranking
There are several ways that the results from a risk assessment decision alternatives. This analysis can evaluate various alterna-
can be viewed for evaluation purposes. The basic output is in a grid tives as a function of time. Benefit-cost analysis on existing pipe-
format, which provides basic functionality for sorting and filtering. line systems with time-dependent damage mechanisms can assist,
 pipeline integrity management systems – A practical approach • 157

Fig. 6.19 Example of SCC Factors and Drivers From a Qualitative Risk Method

as one of the tools, in identifying the most suitable strategy to miti- 5. Talbot, Julian, ALARP (As Low As Reasonably Practicable), http://
gate risk and extend their remaining life. www.jakeman.com.au/media/alarp-as-low-as-reasonably-practicable.
Benefit-cost alternatives depend on each pipeline system case 6. Nessim, M., Zhou, W., Zhou, J., Rothwell, B., McLamb, M., N.,
depending on its integrity condition, location, consequences, prob- 2004, Target Reliability Levels for Design and Assessment of
ability of failure, mitigation options, threats and risk outcomes, and Onshore Natural Gas Pipelines, IPC04-0321, American Society of
other aspects such as company’s risk aversion and policy. Mechanical Engineers (ASME), Proceedings of the International
The general methodology for a benefit-cost analysis follows the Pipeline Conference, Calgary, Canada.
following steps [15]: 7. BSI, Pipeline systems. Steel pipelines on land. Guide to the application
of pipeline risk assessment to proposed developments in the vicinity of
• D Risk: Calculate the change in risk through applying each major accident hazard pipelines containing flammables, PD 8010-3,
mitigation alternative to the probability of failure and conse- British Standard Institution, London, United Kingdom (UK).
quence of failure models; 8. NTSB, Pacific Gas and Electric Company Natural Gas Transmission
• DCost: Estimate the cumulative costs involved with the imple- Pipeline Rupture and Fire San Bruno, California on September 9,
mentation of each alternative; 2010, Accident Report, National Transportation Safety Board,
• Benefit-cost: Calculate the benefit-cost ratio. NTSB/PAR-11/01, PB2011-916501, Washington, DC, 2011.
9. Nessim, M., Stephens, M., Adianto, R., 2012, Safety Levels Associated
To evaluate the benefit-cost ratio of each alternative, a common with the Reliability Targets in CSA-Z662, IPC2012-90450, American
base alternative can be taken to compare to the enduring alterna- Society of Mechanical Engineers (ASME), Proceedings of the
tives and implementation cost values against is required. As the International Pipeline Conference, Calgary, Canada.
purpose of a benefit-cost evaluation is to determine the effective- 10. Cote, E. I., Ferguson J., Tehsin, N., 2010, Statistical Predictive
ness of applying various mitigation alternatives, the base case Modelling: A Methodology to Prioritize Site Selection for Neutral
should represent the pipeline in its unmitigated state or common pH Stress Corrosion Cracking, American Society of Mechanical
base alternative. The associated risk of failure is a function of all Engineers, Proceedings of the 8th International Pipeline Conference,
known damage features and mechanisms. Calgary, Canada.
11. Muhlbauer, 2015, Pipeline Risk Management: The Definitive
Approach and its Role in Risk Management, Clarion Technical
6.8 References Publishers, Houston, TX, USA.
1. ISO, Anon., 2009, Risk management—Principles and Guidelines, 12. PODS, What is the PODS Pipeline Open Data Model?, http://www.
ISO 31000, International Organization of Standardization, Geneva, pods.org/pods-model/what-is-the-pods-pipeline-data-model/.
Switzerland. 13. Gin, G., Davis, J., 2012, Spill Impact Assessment—Crude Oil Pipeline
2. USA Department of Transportation, 2015, 49 Code Federal of ERCB #3353-1, International Pipeline Conference, American Society
Regulations, Part 192 Transportation of Natural Gas and Other Gas of Mechanical Engineers, Calgary, AB, Canada.
by Pipelines, U.S. Government Printing Office, Washington, USA. 14. CSA Z662, 2015, Oil and gas pipeline systems—Annex B Guidelines
3. Anon., 2012, ASME B31.4—2012 Pipeline Transportation Systems for risk assessment of pipeline systems, CSA Group, Toronto,
for Liquids and Slurries, American Society of Mechanical Engineers, Ontario, Canada.
New York, USA. 15. Blackwell, C., Cote, E., Gagne, C., Decision Making Methodology
4. CCPS, 2009, Guidelines for Developing Quantitative Safety Risk for Cost Effectively Managing Pipeline Risk, American Society of
Criteria—Appendix A, Center for Chemical Process Safety, New Mechanical Engineers, Proceeding of IPC 2012, 9th International
York, USA. Pipeline Conference, Calgary, Alberta, Canada.