Validating SMS – “all controls fail”

A colleague recently sent me this message:

… I experienced a lot of resistance within the workshop for the “All Controls Fail” scenario.  Several vocal members of the workshop were heard to say it was not relevant, overly conservative and provided no benefit to the protection of the pipeline.

I was not armed with good arguments in support of it.  All I could do was point to 2.3.6 in the code that says we need to consider it.  … We finally got through it, but with considerable pain.  I would like to have a better case ready for the next workshop.

This is about Clause 2.3.6 of AS 2885.1, which says (in full):

2.3.6 Demonstration of fault tolerance

To demonstrate the fault tolerance of the pipeline design, a situation where failure of threat control measures leads to pipe damage or loss of containment shall be considered as a threat. The residual risk of such threats shall be assessed and treated in accordance with Appendix F.


  1. Almost all pipeline incidents occur as a result of failure of control measures. Hence failure of threat controls is itself an important threat. The control failure threat(s) should be at a location where the consequences are most severe. It may be appropriate to address failures of different threat controls (e.g. external interference, corrosion) or different locations.
  2. It is recommended that such threats are identified toward the end of the safety management review by which time sufficient knowledge of the threats and controls will have been developed to identify locations where fault tolerance is an essential part of the design.

I refer to this as the “all controls fail” scenario, and I’ll admit that it might take a bit more explaining than the Standard provides.  The best way is by example:

The most recent SMS workshop I ran was very straightforward.  It concerned an earthworks project to repair serious erosion on the pipeline easement, and the contractor’s 20 t excavator would be working within a metre of the pipe, possibly closer.  But of course when properly managed this is routine work for a competent pipeline operating organisation.  As the workshop progressed through all the possible things that could go wrong we found that all were easily mitigated, either by measures already thought of or by additional things that we noted down as actions arising from the workshop.  At the end we hadn’t even got close to doing a risk evaluation on anything.

If the workshop had ended there my mind would hold a niggling doubt: how can we be completely confident that we have everything under control?  Despite all the precautions that we honestly believed would be in place, what if something went badly wrong and the pipe was damaged?  How bad could it get?  Is that risk tolerable?

When you think about this case the answers may be obvious (or may not).  Regardless of that, formally considering and documenting a hypothetical worst case is good practice, required by the code, and might even help provide you with a comforting buffer against an aggressive barrister.

So we thought seriously about the worst plausible thing that we could imagine happening during this little earthworks project.  It was fairly minor: a serious bump to the pipe if the operator lost control of the machine for any reason (a sudden critical distraction, an insect bite, etc.).  It is not likely, nor does it need to be.  But it is plausible, in the same way that it is plausible you will have a car accident the next time you drive somewhere.

So we did a quick risk evaluation on that excavator bump scenario.  Even simple things are not always simple.  The excavator might just scrape the coating (a real possibility but pretty harmless), or it might create a dent that could be repaired with a sleeve (a lot less likely but more serious), or the very worst we could conceive of was a serious dent and gouge that would require pressure reduction pending a cut-out repair, with consequent supply disruption (very much less likely and more serious again).  Note that there is no loss of containment in any of these: the machine involved would not be capable of penetrating the pipe.  So from the AS 2885 risk matrix all the risk ranks came out Negligible.

When you’ve been through the process of contemplating the worst you can imagine and the risk rank is Negligible, everyone can go away feeling very comfortable.  Testing an “all controls fail” scenario provides another level of confidence that the SMS process has been thorough and not glossed over anything through overconfidence.

Of course, this was a very straightforward example.  The outcome is not always that comforting.  It is not unusual to end up with an Intermediate risk rank and have to move on to the ALARP process required in that case.  And often the SMS has already considered a whole range of risk evaluations, so what’s the point of more?  Some of these complications are discussed in the next post.

This entry was posted in External interference, Risk assessment, Standards.

3 Responses to Validating SMS – “all controls fail”

  1. Kelvin says:

    I agree with the outcomes, but not so sure on how the result was obtained. I believe the resistance has come from “jumping” to the end result, e.g. all controls fail. The standard asks for fault tolerance and this should be a systematic approach against each control and the failure of each control. The point is that not all controls need to fail to end up with damage to the pipeline, and different controls apply to different threats. For example, pipeline markers are effective against third party threats and no pipeline markers increases the likelihood of third party interference. Of course this applies to third party threats, and pipeline markers may not be effective for “scheduled” work within the pipeline easement. When all controls fail it is a near hypothetical event, but some controls are more important than others, and looking at highly effective controls failing (in a workshop environment) may have greater significance to the workshop members than the “worst-case” event.

  2. Pingback: More on “all controls fail” | Pipelines OZ

  3. petertuft says:

    Fair comment, but I think you might be giving the SMS process more credit than it deserves as a precision analysis. While the process is very effective at identifying and managing threats (when properly done) it’s a bit of a blunt instrument when it comes to looking at the effectiveness of individual controls. I wouldn’t object to someone doing what you suggest but rather doubt that there is sufficient information on control effectiveness to discriminate between outcomes resulting from various levels of control failure.

    I’ve always interpreted “fault tolerance” as referring to the SMS process itself, not the control measures. I’m interested in making sure that the SMS has not glossed over any significant failure modes and in doing so reached a poorly supported conclusion that the pipeline presents no risk, when in fact a more thorough exploration of what might go wrong would give a better indication of the risk level.
