The most prolific commenter on this blog is Chris Hughes of OSD who is passionate about good pipeline engineering. Chris and I communicate regularly off-line as well, and he has offered the following for me to reproduce here. I’ll add a comment or two at the end.
Far too many people in the pipeline industry seem to think that the SMS is a workshop where a group of people sort out the design of the pipeline from a safety point of view, whereas the workshop is only one stage in an ongoing process of ensuring the integrity of a pipeline and the safety of the operators and the public.
AS2885.1 Clause 184.108.40.206 states very clearly:
For new pipelines, or modifications to existing pipelines, the detailed design and the safety management study are undertaken as integrated iterative processes. The output of these processes is a design (generally shown on alignment sheets), and a safety management study document (generally recorded on a database).
In other words the design process should at all times be considering the threats to the pipeline and how to best mitigate those threats, and documenting all the reasoning behind their decisions. The first part of 220.127.116.11 makes this clear by saying:
All aspects of the safety management process shall be documented with sufficient detail for independent or future users of the safety management study to make an informed assessment of the integrity of the process and its outcomes, including the identification of threats and the reasoning behind the assessment of the effectiveness of the control measures applied.
I have lost count of the number of times I have turned up to facilitate an SMS workshop only to find that there was no pre-populated list of threats, let alone a detailed assessment of how the design was intended to mitigate those threats – I have even been asked to bring my own list of generic threats. How anyone thinks they can design a pipeline without knowing what the threats to it are is beyond me – except of course they probably think they can use AS 2885 as a design cookbook to avoid having to think.
The workshop phase of the SMS is for validation purposes only: it should never be used to populate the threat list. And the mitigations need to be thought through properly for each threat and not just cut and pasted from threat to threat: I have seen SMS threat and mitigation lists presented to a workshop where DBYD and patrolling are listed as mitigations against a truck bogging in the trench. The validation workshop should be just that – a validation of a properly thought out SMS prepared as an integral part of the design process.
The normative Appendix B states in B3.2:
The safety management study shall be undertaken by personnel with expertise in each component of the design, construction and operation of the pipeline, including, or with the support of, personnel closely familiar with the land uses and environments along the entire route.
In other words the pipeline designer needs to be aware of how the pipeline will be constructed and operated, and also must take into account the needs and requirements of the owners of the land across which the pipeline is laid. Again in many cases I have seen the construction, operation and land use specialists invited to the workshop only for them to tell the workshop that the pipeline can’t (or won’t) be built or operated in the way the designer assumed, and that the landowners do things that the designer had not anticipated: the designer should be acquiring this information during the design phase rather than at the workshop so that the design takes all these factors into account.
So please remember and appreciate that the SMS process starts the moment the contract is signed for any design work to commence, be that feasibility, FEED or detailed design, and is not just an irritation stuck on to the end of the design process.
On first receiving this I was a little taken aback by one paragraph, because I routinely run workshops where there is no pre-populated list of threats. In fact in many cases the value of the workshop is in the synergy of group brainstorming to identify threats that might otherwise be overlooked. However SMS workshops are run for a surprisingly wide range of purposes, and for a detailed design SMS, undertaken when the design is mature, I agree 100% with Chris that the workshop is indeed just a validation review of work that should have already identified and mitigated all conceivable threats.
For workshops run for other purposes, such as conceptual design, early FEED phase, encroachments or operational review there are several reasons why a fully pre-populated threat list might not be the best approach. In the early stages of design the workshop brainstorming is valuable, and will identify many more issues than could be found by a design engineer sitting alone at his desk. For an encroachment situation involving external stakeholders the workshop is a very effective means of getting all the parties to understand each others’ positions and then identify threats and negotiate solutions accordingly. None of which contradicts Chris’ view that the detail design SMS requires all threats to have been fully identified and mitigated before the workshop starts.
Re-read Chris’ last paragraph above – I couldn’t agree more.