The “all controls fail” test case discussed in the previous post used a simple example from a simple SMS workshop. It isn’t always that straightforward (but nor does it tend to be very complicated).
Sometimes a workshop for a pipeline in a complex threat environment will already have considered a number of serious failure scenarios, just in the normal course of identifying threats and reviewing their mitigation. If you get to the end of such a workshop and turn to the “all controls fail” requirement of Clause 2.3.6 you might reasonably wonder whether it is necessary, which is fair enough. On a few occasions I’ve been in a workshop that has agreed there is no point doing more risk evaluations on artificial situations just for the sake of it. There is a bit of judgement required here. It depends on whether the evaluations already completed really did cover a worst-case instance of all controls failing. If you can’t think of any other plausible scenarios, then perhaps you have done all that is necessary.
There’s that word “plausible” again. If you are looking at an urban pipeline, and the only thing that could cause a full bore rupture is a D9 ripper, there is nothing that says you need to consider rupture as an “all controls fail” case if you believe that a D9 ripper working in a suburban street is non-credible. For a well-designed pipeline in an urban environment the worst plausible failure is often surprisingly minor. It might typically be damage from a power pole auger or a horizontal boring/drilling rig. (The latter in particular are increasingly becoming a worry because there are now a lot of small operators using these rigs – think NBN roll-out among other things – and the entry and exit points may not be close enough to the pipeline for a patroller to spot them.)
It can sometimes be quite difficult to think of a plausible failure scenario for a well-designed and well-protected pipeline. That’s fine – if the workshop spends 20 minutes thinking about the worst thing that can go wrong and only comes up with a gouge from an auger, that in itself is a useful outcome and test of the workshop process. It builds confidence that the workshop has been thorough, and that’s what Clause 2.3.6 is all about. It is worth noting in the SMS report that the workshop experienced difficulty in finding plausible failure scenarios.
One corollary of this (sometimes) difficulty in finding scenarios that are credible at all is that the likelihood is of course very low. The frequency rating for the “all controls fail” cases will very often be Hypothetical (or at least it will be for the case where the event occurs AND leads to a serious loss of containment AND there are multiple fatalities, or whatever the worst outcome is).
So far I’ve been talking about cases where the “all controls fail” scenario is only borderline credible and the outcomes are a low risk rank. On the other hand, one of the first times I used this approach we came up with a risk rank of Intermediate which (because of the ALARP requirement) forced us to think about what other mitigation could be provided.
The SMS was for construction of an upmarket golf course over the pipeline (originally designed for R1 conditions) with a clubhouse and new residential area adjacent. Up until this point all the threats had been judged to be fully controlled and no risk evaluation had been necessary. However, because of the “all controls fail” case and the ALARP requirement, the developer decided to modify his design so that only the bare minimum of construction would take place over the pipeline easement. It would be left as part of the natural areas on the golf course and not used for fairways, greens or water hazards (the latter in particular requiring excavation). That was a positive outcome for pipeline integrity and the safety of the new community, and it would not have emerged if not for the “all controls fail” review.