A colleague recently sent me this message:
… I experienced a lot of resistance within the workshop for the “All Controls Fail” scenario. Several vocal members of the workshop were heard to say it was not relevant, overly conservative and provided no benefit to the protection of the pipeline.
I was not armed with good arguments in support of it. All I could do was point to 2.3.6 in the code that says we need to consider it. … We finally got through it, but with considerable pain. I would like to have a better case ready for the next workshop.
This is about Clause 2.3.6 of AS 2885.1, which says (in full):
2.3.6 Demonstration of fault tolerance
To demonstrate the fault tolerance of the pipeline design, a situation where failure of threat control measures leads to pipe damage or loss of containment shall be considered as a threat. The residual risk of such threats shall be assessed and treated in accordance with Appendix F.
- Almost all pipeline incidents occur as a result of failure of control measures. Hence failure of threat controls is itself an important threat. The control failure threat(s) should be at a location where the consequences are most severe. It may be appropriate to address failures of different threat controls (e.g. external interference, corrosion) or different locations.
- It is recommended that such threats are identified toward the end of the safety management review by which time sufficient knowledge of the threats and controls will have been developed to identify locations where fault tolerance is an essential part of the design.
I refer to this as the “all controls fail” scenario, and I’ll admit that it might take a bit more explaining than the Standard provides. The best way is by example:
The most recent SMS workshop I ran was very straightforward. It concerned an earthworks project to restore serious erosion on the pipeline easement, and the contractor’s 20 t excavator would be working within a metre of the pipe, possibly closer. But of course when properly managed this is routine work for a competent pipeline operating organisation. As the workshop progressed through all the possible things that could go wrong we found that all were easily mitigated by either measures already thought of or additional things that we noted down as actions arising from the workshop. At the end we hadn’t even got close to doing a risk evaluation on anything.
If the workshop had ended there, my mind would hold a niggling doubt – how can we be completely confident that we have everything under control? Despite all the precautions that we honestly believed would be in place, what if something went badly wrong and the pipe was damaged? How bad could it get? Is that risk tolerable?
When you think about this case the answers may be obvious (or may not). Regardless of that, formally considering and documenting a hypothetical worst case is good practice, required by the code, and might even help provide you with a comforting buffer against an aggressive barrister.
So we thought seriously about the worst plausible thing that we could imagine happening during this little earthworks project. It was pretty minor – a serious bump to the pipe if the operator lost control of his machine for any reason (sudden critical distraction, bitten by an insect, etc). It’s not likely, but it is not expected to be. But it is plausible, in the same way that it is plausible you will have a car accident the next time you drive somewhere.
So we did a quick risk evaluation on that excavator bump scenario. Even simple things are not always simple. The excavator might just scrape the coating (a real possibility but pretty harmless), or it might create a dent that could be repaired with a sleeve (a lot less likely but more serious), or the very worst we could conceive of was a serious dent and gouge that would require pressure reduction pending a cut-out repair, with consequent supply disruption (very much less likely and more serious again). Note no loss of containment here – the machine involved would not be capable of penetrating the pipe. So from the AS 2885 risk matrix all the risk ranks came out Negligible.
When you’ve been through the process of contemplating the worst you can imagine and the risk rank is Negligible, everyone can go away feeling very comfortable. Testing an “all controls fail” scenario provides another level of confidence that the SMS process has been thorough and not glossed over anything through overconfidence.
Of course, this was a very straightforward example. The outcome is not always that comforting. It is not unusual to end up with an Intermediate risk rank and move on to the ALARP process required in that case. And often the SMS has already considered a whole range of risk evaluations – what’s the point of more? Discussion of some of these complications will follow in the next post.