Recently I had to review a quantitative risk assessment for a pipeline. QRA is not much used for pipelines in Australia, apart from WA, so I only see such reports infrequently. I am consistently underwhelmed by the approach taken and conclusions drawn. It is possible to do a thoughtful pipeline QRA, such as the work done for the study reported here. That QRA report was a lengthly document that openly explained the methodology, assumptions and limitations. However it was the exception. Most pipeline QRA reports I have seen look as if they were produced by a recent graduate given some input data and black-box software from which they generate probabilities of fatality with lots of digits after the decimal place. (I emphasise that this comment relates to those I have seen – maybe I’ve just been unlucky and other analyses are better.)
The apparent precision in the results rings immediate alarm bells for me. I think there is a dangerously seductive appeal in crisply precise calculation results. It is dangerous because the results are only as good as the input data and the assumptions of the model, and if one or both are dubious then all those decimal places are misleading fiction.
Classical QRA relies on historical failure rates to predict future failure rates. For process plants there is reasonable historical data on flange leaks, valve failures and other mishaps, and provided that the plant is well maintained it seems fair to expect that failure rates will be much the same around the world. However pipeline failure rates are totally dependent on the environment of the pipeline. That environment includes the level of third party activity, the type of activity and (most importantly) the procedural protection measures put in place by the pipeline operator. We already know that pipeline failure rates vary wildly around the world, with Australian rates being at least an order of magnitude lower than those in North America and Europe. So how can the QRA analysts present, with a straight face, failure probabilities to three significant figures when they are based on northern hemisphere data that we know is wrong by an order of magnitude? It gets even worse than that, because I have also seen QRA reports that apply UK incident rate data to pipelines in the remote outback where there is essentially zero third party activity.
Planning Bulletin 87 of the WA Planning Commission specifies setback distances from pipelines that are based on QRA. It seems that the QRA was used to develop profiles of fatality risk versus distance from the pipeline. The semi-standard criteria for the probability of fatalities were then applied to determine the distances that are “safe”. In residential areas the risk criterion is a probability of fatality of 1E-6 per year, and in sensitive locations it is 0.5E-6 per year – widely accepted values for risk around hazardous industries. As a result the Bulletin determines that it is “safe” to have a residential area within, say 65 m of the pipeline, but sensitive land uses (schools etc) are not “safe” until they are 70 m from the pipeline. 5 m makes all the difference? Based on an analysis that may contain errors in the input data of an order of magnitude or so?
The AS 2885 approach would look at the possibility of rupture and can recognise that rupture might not be a credible outcome from the threats that exist in the area. It would also look at the radiation distances from the hole caused by the maximum credible threat, which is enabled by a fine-grained identification of all possible threats in the location. It happens that the particular segment of pipeline I was looking at did indeed meet the “No Rupture” criteria, and had a radiation distance from the maximum credible hole that was less than the setback distance in Planning Bulletin 87.
One other fundamental difference between QRA and the AS 2885 approach is that the former has very limited scope for mitigating risk, other than saying “keep away”. On the other hand AS 2885 is underlain by a tacit “cause and control” model of risk which requires that every threat be identified and mitigated; a fine-grained analysis as mentioned above. Those threats that present the greatest risk deserve the greatest mitigation effort. Philosophically this is very different to the virtually all-or-none approach of QRA.
Despite appearances my mind is not (quite) completely closed on the subject of QRA for pipelines. But many of those who try to use it are not helping their cause by blind formulaic application.