l3 gas reference model algorithm documentation whitepaper.v3 · 2019-10-05 · regulations based on...

L3 ‐ Quantitative Risk Reference Model

For Pipelines

Revised | August 2008 White Paper

Written by: Elaine Hendren Steve Gosse Kent Muhlbauer Revised: Chris Kobilan – Senior Engineer

Published August 2008 © American Innovations – Integrity Management Division

All rights reserved. This publication, or any part of it, may not be reproduced or adapted, by any method whatsoever.

Important Notice

This report contains data and information up‐to‐date and correct to the best of our knowledge at the time of preparation. The data and information comes from a variety of sources outside our direct control, therefore American Innovations cannot give any guarantees relating to the content of this report. Ultimate responsibility for all interpretations of, and use of, data, information and commentary in this report remains with you. American Innovations will not be liable for any interpretations or decisions made by you.

1

TABLE OF CONTENTS

Executive Summary.............................................................................................................................3 Introduction ........................................................................................................................................4 Why L3 Gas Reference Model .............................................................................................................5 Elements of the Quantitative Risk Reference Model Algorithm...........................................................7

Risk Triad...............................................................................................................................7 Model Features .....................................................................................................................7 Elements of Quantitative Risk Reference Model ...................................................................8

Exposure .................................................................................................................8 Mitigation .............................................................................................................11 Resistance .............................................................................................................12

Threats Covered .................................................................................................................12 Time Dependent....................................................................................................12 Time Independent.................................................................................................12 Why not Construction and Manufacturing? ..........................................................13

Quantitative Risk Reference ModelBasic ConceptS ...........................................................................15 Mathematical Concepts ......................................................................................................15

Orders of Magnitude.............................................................................................15 Effective Zero ........................................................................................................15 OR and AND Gates ................................................................................................15 OR Gates ...............................................................................................................15 AND Gate ..............................................................................................................16 Probability of Failure .............................................................................................16 TTF to PoF .............................................................................................................17

Other Concepts ...................................................................................................................18 Effective Wall Pipe ................................................................................................18

Likelihood of Failure..........................................................................................................................24 Time Dependent .................................................................................................................24 Time Independent...............................................................................................................24

Probability of Failure .........................................................................................................................25 Overall Pipeline PoF ............................................................................................................25 Time Dependent PoF...........................................................................................................25 Time Independent PoFs.......................................................................................................26

Consequence of Failure.....................................................................................................................27 Consequence of Failure Concepts .......................................................................................27

2

Receptors ............................................................................................................................28 Hazard Factor......................................................................................................................28 Reduction Factor.................................................................................................................28

Total Risk – PoF*CoF .........................................................................................................................29 Calibration & Validation ....................................................................................................................29 Customization of AI‐IMD Templates..................................................................................................31

Algorithm Meeting ..............................................................................................................31 Software Configuration .......................................................................................................31 Algorithm Tuning ................................................................................................................31 Algorithm Delivery ..............................................................................................................31

Migration to L3..................................................................................................................................32 References ........................................................................................................................................33

3

EXECUTIVE SUMMARY

While the previous generation of indexing algorithms serve the industry well, the associated technical compromises are troublesome in today's environment of increasing regulatory and public oversight. Risk analyses are the centerpiece of most legal, regulatory, or public proceedings. This prompts the need for analysis techniques that produce risk estimates anchored in absolute terms, such as “consequences per mile year”.

Accordingly, a new generation of algorithms was developed to meet today’s needs without a costly revamping of previously collected data or increasing the costs of risk analysis. The regrouping of variables into the categories of “exposure”, “mitigation”, and ‘resistance’ must be rescored. There are changes in the mathematics of combining variables in order to transition from older scoring models into the new approach. The advantages of this new generation algorithm are significant since it:

• is more intuitive using the exposure, mitigation, and resistance categories

• closely models reality provided true mathematical relationships are represented

• leads to improved risk management decisions by distinguishing between unmitigated exposure to a threat, mitigation effectiveness, and system resistance

• undergoes a reweighing and balancing requirement for all the exposure, mitigation, and resistance variables

• offers flexibility to present results in either absolute (probabilistic) terms or relative indexing terms (hybrid), depending on the user requirements

The challenge is to accomplish these tasks without losing the advantages of earlier approaches. One intent of the new algorithm is to avoid overly‐analytic techniques that often accompany more absolute quantifications of risk. This report demonstrates this new generation algorithm to accommodate the changing needs of risk analysis within the pipeline industry.

4

INTRODUCTION

Pipeline risk models and the results they produce are at the core of many pipeline integrity programs, both in the US and internationally. Beginning in the 1980’s, oil and gas pipeline operators use an indexing approach to evaluate/calculate the risk of failure along their pipeline systems. This methodology does provide a creditable and relative risk ranking estimate of pipeline system assets by systematically identifying areas of converging risk factors.

There is a need in today’s risk management to provide more than a list of risk ranked pipeline segments. Pipeline integrity managers find it necessary to apply a risk based approach to manage a pipeline integrity program. Examples include:

• using risk results to rank assets for integrity assessment. This involves a traditional risk ranking of the assets.

• using threat based risk results to determine which assessments to perform. This requires the operator to investigate deeper into the algorithm to evaluate threat specific risk results.

• using threat based risk results to apply preventive and mitigative measures. Integrity managers must determine capital allocations for the more immediate threat based projects or ones that provides the greatest value via a cost benefit analysis.

• using risk results as a metric for the company’s assessment/mitigation program effectiveness. This often includes geographically dispersed operating areas. A measure of mitigation for each threat location along a pipeline system is valuable for this task

The traditional risk ranking algorithm approach is still very useful. They are intuitive, easy to implement, and commonplace in the oil and gas pipeline industry. However, when tasked with the challenges presented above, the integrity manager may question how to accomplish the multiple requirements using only a simple risk ranking.

This report outlines an approach that builds on the previous algorithm development effort. It is both intuitive and probabilistic in nature. This new generation type algorithm also provides the following advantages:

• uses much of the existing data already collected

• allows the operator to closely model the reality of threats and effect on assets

• prepares the risk program and corresponding results to withstand the multiple requirements imposed on pipeline integrity programs

• provides approximated time based results from determined rates and frequencies

5

WHY L3 GAS REFERENCE MODEL

The typical index algorithm uses its variables to determine a component risk ranking. The operator determines the importance of each variable as a percentage based upon the cumulative knowledge, experience, and education of subject matter experts (SMEs). Each threat and consequence is derived from multiple variables that total 100%. A rollup is performed for both LOF and COF where each is weighted using a percentage to determine each contribution to the overall ROF. The final analysis provides the operator with a prioritized list of components based on the index score. The final result is a risk ranked list based on the asset most threatened. This identifies to the operator which segment has the greatest risk of failure and where to direct capital, maintenance, and personnel resources.

The Quantitative Risk Reference Model algorithm uses a different approach to pipeline integrity. This model requires the more data and equations to be converted rates. These are then used to calculate an asset time to failure approximation. The final outcome is a prioritized list based on time to failure.

The Quantitative Risk Reference Model algorithm offers several advantages that operators need to consider when selecting a risk algorithm approach. As always, new requirements are driving operators to consider a rate based algorithm. The algorithm has positive advantages which become clearer as the reader progresses to the later sections of this paper. The Quantitative Risk Reference Model approach:

• allows the operator to effectively comply with the new Pipeline Integrity Management regulations based on time to failure. (49 CFR 192, 49 CFR 195, API 1160, ASME B31.8s)

• the algorithm is distinguished (from a risk modeling standpoint) between unmitigated exposure to a threat, mitigation effectiveness and system resistance to failure in the presence of the threat. This provides the integrity manager with a quantitative method that provides a mitigation or resistance index directly.

• results from the algorithm allow operators to go beyond a simple asset ranking. It facilitates in actually forecasting real failure rates provided real incident data is used. This in turn is used to estimate the costs associated with failures.

• these results aid in the challenges associated with determining re‐assessment intervals. Operators will be able to leverage their pipeline data in this analysis.

• allows the operator to model the case where there is one very large risk factor that drives a high level of threat. Those familiar with the traditional indexing approach realize the impact from individual variables or risk drivers is often dampened. Likewise, the this approach allows for the modeling of a single, very effective mitigation measure to essentially eliminate or significantly reduce a threat.

• allows the operator to make distinctions between the exposure to a threat and the likelihood of failure from that threat. It is important to note that these are not the same thing.

• allows the risk analyst to consider the interaction between variables or risk factors. This is a task that is sometimes beyond the ability of a traditional indexing risk algorithm.

• the structure allows for the addition of risk factors or mitigation techniques to the model.

• it takes advantage of today’s software applications and abilities utilizing dynamic segmentation and higher order mathematical functions. This allows the model to consider real failure frequencies and probabilities that may span several orders of magnitude.

6

American Innovations Integrity Management Division has developed a “template” Quantitative Risk Reference Model algorithm within their IMP™ database.

The template algorithm defines the variables used as well as the metadata (i.e. variables and dependent attributes). The template defines the variable relationships, but relies on the operator’s Subject Matter Experts (SMEs) to customize the scoring and the variable usage. The template algorithm is customized to reflect the operator SME opinions during a 3‐5 day meeting. During the meeting, each Exposure, Mitigation and Resistance variable is reviewed and the scoring is discussed with the SMEs.

7

ELEMENTS OF THE QUANTITATIVE RISK REFERENCE MODEL ALGORITHM

The Quantitative Risk Reference Model algorithm is characterized by three elements which are used to examine each failure mechanism in the evaluation of a pipeline’s Probability of Failure (PoF). These three elements of the Risk Triad are defined as follows:

• Exposure ‐ likelihood of force or failure mechanism reaching the pipeline when no is mitigation applied.

• Mitigation ‐ actions that keep the force or failure mechanism event from occurring or reduces the affect on the pipe line.

• Resistance ‐ the system’s ability to resist a force or failure mechanism applied to the pipeline.

Most often, it is unclear as to whether the method used is assessing the probability of damage or the probability of failure. There is a subtle but important distinction since damage does not always result in failure. Damage without immediate failure is addressed using only two of the three elements: exposure and mitigation.

Probability of Damage = f (exposure, mitigation) Probability of Failure (PoF) = f (PoD, resistance)

The use of these three elements provides the user a more accurate method to validate their risk model. In turn the operator is better equipped to direct resources more appropriately. This approach provides the operator an improved understanding of the exposure levels, independent of the mitigation, and the system’s ability to resist a failure mechanism; and visa versa.

Other characteristics that differentiate this model from previous risk assessment approaches include the following:

1. Measurement Scales

The Quantitative Risk Reference Model algorithm uses mathematical scales that simulate the logarithmic nature of risk levels to capture the orders‐of‐magnitude differences between ‘high’ risk and ‘low’ risk. For example, a section of pipeline struck by excavation equipment 10 times per year; if not mitigated, the annual hit rate for that section of pipeline is 10. Another section of pipeline may incur damage in 1000 years giving it an annual hit rate of 0.001.

Additionally, the new approach also accounts for individual mitigation measures on the basis of the amount of exposure each can independently mitigate. For example, “depth of cover” can independently remove almost all threat of third party damage. Pipelines buried deep enough poses a very small chance of third party damage, regardless of other mitigative measure taken. When used in a risk model, this “depth of cover” variable conceivably mitigates approximately 95‐99% of the third party damage exposure. Conversely, “public education”, while an important mitigation measure, cannot independently be as effective as “depth of cover” in preventing third party damage.

Improved valuation scales also indicate a more direct assessment of the number of failures are avoided when the pipeline is more resistant or invulnerable to certain damages.

Risk Triad

Model Features

8

2. Variable Interactions

This model uses combinatorial optimization mathematics to captures both the influences of strong, single factors as well as the cumulative effects of lesser factors. For example, three mitigation measures that are conducted each with an effectiveness of 20% yields a combined mitigation effect of approximately 49%. This is equivalent to a combination of three measures rated as 40%, 10%, and 5% respectively. In other cases, all aspects of a particular mitigation must simultaneously be in effect before any mitigation benefit is achieved. An example is high patrol frequency with low effectiveness or a powerful In‐Line Inspection but with inadequate confirmatory investigations.

This illustrates the need for “OR and AND gates” as methods to effectively combine variables which eliminate the need for “importance‐weightings”.

The new approach also provides for improved modeling of interactions. For instance, if some of the available pipe strength is used to resist an external force threat, less strength is available to resist certain other threats.

3. Meaningful Units

The Quantitative Risk Reference Model supports direct production of absolute risk estimates. The model is calibrated to express risk results in consistent, absolute terms. An example is “fatalities per mile per year”. These absolute values are readily obtainable and easily converted into relative risk values when preferable.

Exposure

Exposure is the threat level in which the pipeline segment is exposed, provided no mitigation measures are present. It is a measure of the failure mechanism activity in the pipeline environment. Each failure mechanism contributes some threat exposure to each pipeline segment. Exposure for absolute algorithms is measured differently for the two different categories of failure mechanisms:

Mils per Year (MPY) for degradation or time‐dependent mechanisms

• external corrosion

• internal corrosion

• fatigue

• stress corrosion cracking (SCC)

Events per length‐time (mile‐year, for instance) for time independent and random mechanisms

• third party

• incorrect operations

• weather

• land movements (geohazards)

• equipment failures

• theft/sabotage

MPY. The unmitigated exposure for time‐dependent threats is measured in mpy. The mpy values for all of these threats lead to an estimate of Time to Failure (TTF).

Elements of Quantitative Risk Reference Model

9

Estimating an unmitigated exposure level for time‐dependent threats is more straightforward than for time‐independent mechanisms. In the case of corrosion, the pipe material reaction to its environment establishes a rate for metal loss by corrosion. For stress corrosion cracking, the relationship is more complex, involving the environment, stress levels, and metallurgy.

Each pipeline segment has varying degrees of exposure to each time‐dependent mechanisms:

• external corrosion

• internal corrosion

• fatigue

• stress corrosion cracking

Exposure to corrosion and fatigue type phenomena are expressed as metal degradation rates of pipe wall loss where 1 mil is equivalent to 1/1000th of an inch. The metal loss is best characterized by a loss of volume. Using a one‐dimensional measure, the variable “depth of metal loss” conservatively assumes a narrow and deep corrosion versus broad and shallow. It is the loss of effective wall thickness that is of primary importance in judging impending loss of integrity for time‐dependent failure mechanisms. MPY is also the metric used by corrosion control experts to characterize metal loss. In some cases, considerations of volume or weight loss instead of thickness loss are warranted. For example, the difference in depth associated with a 1 lb/year metal loss when pitting mechanisms are involved versus a generalized surface corrosion.

To fully estimate cracking potential, concepts of fracture mechanics are required. This includes the presence of defects, type of defects, stress levels, stress concentrators, metallurgy, etc. A critical variable is the fatigue cycles which are measured in terms of magnitude and frequency. The two general types of fatigue loadings commonly seen are large magnitude, low frequency cycles from internal pressure fluctuations and smaller magnitude, high frequency cycles from traffic or temperature loading scenarios.

The scenarios involving all combinations of frequency and magnitude need to be identified. Most are additive in nature. In other cases, OR gate math applied to all simultaneous causes ensures that any scenario can independently drive fatigue. They also show the cumulative effect of several lesser exposures.

SCC is a unique form of degradation involving both cracking and corrosion. Since aggressive corrosion can actually slow SCC crack‐growth rates, the interplay of cracking and corrosion phenomena is difficult to model macroscopically. Recent literature has identified factors that are present in most instances of SCC. These factors are used to estimate an exposure level. This exposure is added to internal corrosion, external corrosion, and fatigue crack‐growth for an overall exposure level.

Other forms of environmental cracking, blistering, or other damages, must be considered in the exposure estimates for time‐dependent mechanisms.

As a modeling convenience, mpy and mils lost assumes uniform damage rate. This is normally not the case. Allowances for more aggressive, shorter duration damage rates might be warranted.

Theoretically, the mpy rate applies to every square inch of a pipe segment since the degradation occurs everywhere simultaneously. The reason for this is that the model does not differentiate along the pipe wall within a segment. For modeling purposes, all characteristics are constant, as established by the dynamic segmentation process.

There are multiple published sources (NACE, ASME, IPC, etc…) suggesting possible defaults or estimates for corrosion rates and crack growth rates. However, it is advisable for the operator to determine its specific rates since most published rates are experimental. These published rates can not account for the various operating environments. The rates differ depending on the current environment in which the pipeline is exposed. The operator must determine and provide their specific rates for internal and external corrosion, fatigue, and SCC.

10

Events per length‐time. For time‐independent threats, exposure is quantified independently of any mitigation. Since historical data and typical pipeline experience does not include mitigation‐free scenarios, this type of analysis may seem unusual. However, quantifying threats in this manner provides a better understanding of the exposure and helps in tuning the model to actual experience.

The concept of measuring a threat as if there was absolutely no mitigation applied normally requires some forethought. In the case of third party damage, one must envision the pipeline in a completely unmarked ROW (actually indistinguishable as a ROW), with no one‐call system in place, no public education dissemination, and buried with only a few millimeters of cover. Then, a probabilistic ‘hit rate’ is determined from the number of times the pipeline is struck by agricultural equipment, homeowner activity, new construction, etc… This example does require a probabilistic relationship between the mitigation and exposure of the current system.

A range of possibilities are useful in setting boundaries for assigning exposure levels to specific situations. A process for estimating a level of exposure range is:

• envisioning the worst case scenario for a completely unprotected, specific length of pipe and extrapolating or interpolating that scenario as if it applied uniformly over a mile of pipe

• envisioning the best case scenario and extrapolating or interpolating that scenario as if it applied uniformly over a mile of pipe

Examples

• Example worst case (third party): One half mile of pipe with 1" cover, no signs, no information available to excavators, located in an active construction zone with potential for line strikes every week. Assessor assigns a value of 50 hits per year for ½ mi. = 100 hits/mi‐yr.

• Example best case: 10 miles of pipe in controlled, uninhabited desert, no utilities, area with limited access. Assessor assigns 1 hit on 10 miles in 100 years = 0.001 hits/mi‐yr.

In order to help anchor the estimates, a guidance chart is used:

Failures / Year Years To Fail Approximate Rule Of Thumb

10000 0.0001 continuous failure

1000 0.001 fails ~3 times per day

00 0.01 fails about twice a week

10 0.1 fails about every month

1 1

0.1 10 once every 10 years

0.01 100 failure once a century

0.001 1000

0.0001 10000

0.00001 100000

0.000001 1000000 effectively, it never fails

11

It is sometimes difficult to imagine the lower ends of the exposure scale. Values implying frequencies like once every 100,000 years or 10,000,000 years are not normally mentioned in the pipeline industry. The reality, however, is that these are real and valid numbers for many stretches of pipeline. A 0.1 mile stretch of pipeline with one exposure (hit or near miss) in 80 years implies a frequency of 0.00125 (once every thousand years). If there were no exposures in 80 years—and many lines do exist for decades with no exposures—then one could reasonably assign a frequency of 1/100,000 or higher. When there is little or no historical data, a comparable situation and/or judgment can be used.

Unmitigated exposures for each pipeline segment are estimated using frequency of occurrence per unit length and time. Estimating an unmitigated exposure level will be a departure from previous approaches for many practitioners. However, once it is understood, several distinct advantages of the approach become apparent:

• Estimates can often be validated over time

• Estimate values from several causes are additive in nature. For example, many external force threats such as falling objects, landslide, subsidence, etc, each with their own frequency of occurrence can be added together for an overall exposure level.

• Estimates are in a form that considers segment‐length effects and supports PoF estimates in absolute terms (failures per mile‐year) when such units are desired.

• Avoids the need to standardize qualitative measures such as ‘high’, ‘medium’, and ‘low’. Experience has shown us that such standardizations often still leave much room for interpretation and also tend to erode over time and when different assessors become involved.

• Can directly incorporate pertinent historical data.

• When historical data is not available, this approach forces subject matter experts (SME) to provide more considered values. It is more difficult to present a number such as 1 hit every 2 years, compared to a qualitative labels such as “high”.

Many geo hazards are already commonly expressed in units that are directly linked to event frequency. Recurrence intervals for earthquakes, floods, and other events can be used to establish exposure.

Mitigation

Threat reduction occurs either through reducing the exposure to the threat by mitigation or reducing the failure likelihood through resistance.

In this model, a percentage is assigned to a mitigation measure which reflects its possible impact on risk reduction. For example, a value of 90% indicates that a measure would independently reduce the damage potential by 90%. A mitigation range for each measure is set by the best‐case amount of mitigation the variable can independently contribute. Therefore, the “best” possible level of mitigation is an estimate of how effective the measure is if it is accomplished as envisioned. A very robust mitigation theoretically reduces the threat level to a very low level to include independently eliminating most of the threat.

Two methods of applying mitigation benefit are used in this model:

• for time‐dependent mechanisms: threat x (1‐mitigation) where mitigation equates to a simple percentage

• for time‐independent mechanisms: threat / (mitigation) where mitigation equates to a simple percentage applied to the order of magnitude

12

In order to capture the belief that mitigation effects are dominated by either strong independent measures or by accumulation of lesser measures OR gate math is used. An underlying premise in assigning values, is mitigation and resistance work together to eliminate most of the threat.

Resistance

Resistance allows a distinction between the damage potential and the failure potential. Resistance is the systems ability to resist failure in the presence of the failure mechanism. For time‐dependent mechanisms, it is a measure of available strength, including:

1. wall thickness

2. wall thickness utilized for known loadings

3. possible weaknesses in the pipe wall

4. material strength including toughness

For time‐independent mechanisms, resistance includes the above factors plus considerations for external loadings:

1. buckling resistance

2. puncture resistance

3. D/t ratio

4. geometry

This is where the model considers most construction and manufacture issues involving longitudinal seams, girth welds, appurtenances, and metallurgy, as discussed in a later section.

Time Dependent

For absolute algorithms, time‐to‐failure (TTF) is defined as the time period before failure would occur, using an assumed wall loss and available strength assumptions. TTF is an intermediate calculation leading to the probability of failure estimate.

PoF time‐dep = f (TTF) where TTF = “time to failure” = 1 / [(available pipe wall) ‐ (wall loss rate) x (1 – mitigation effectiveness)]

This calculation involves many considerations and several steps as discussed below. The relationship between probability of failure and TTF is established by the model designer.

Time Independent

For time independent failure mechanisms in absolute algorithms, the underlying form of this calculation is as follows:

PoF = [unmitigated event frequency] / 10[threat reduction] where [threat reduction] = f (mitigation effectiveness, resistance)

Threats Covered

13

Threats are modeled as primarily a random occurrence for third party, theft, sabotage, incorrect operations, geohazards, etc… These are sensitive to segment length since the threat is assumed to be uniformly distributed across the entire pipeline section. This results in a leak rate per length per time period (such as PoF / mile / year) which is then multiplied by the analysis segment length to obtain a failure probability for the analysis segment. A direct multiplication or summation of failure probabilities is acceptable when numerical values are very small.

One of the keys to the new approach in risk assessment is to capture the orders of magnitude spans between risk levels. Older scoring systems did not normally provide for this.

Why not Construction and Manufacturing?

Instead of the six time independent threat categories presented in B31.8S (i.e. MFG, CONS, EQ, TP, IO, and WOF), American Innovations recommends the probability of failure be assessed using three threat categories which are exactly as stipulated in B31.8S (i.e. TP, IO, and WOF). Two threats from B31.8S are reassigned more realistic roles as ‘resistance’ variables. The Manufacturing and Construction threat categories are omitted. They are more realistically modeled as contributing factors to other threat mechanisms or system vulnerabilities rather than causes of failure.

In this Quantitative Risk Reference Model approach, all possible weaknesses are best captured as a variable impacting the resistance rather than threat categories since they are not themselves failure mechanisms. Resistance is the second term of the “Threat Reduction” equation (1) along with the Mitigation term. Resistance is the ability to withstand a force or failure mechanism applied to the pipe.

(1) Threat Reduction = 1 – [(1 – Mitigation) * (1 – Resistance)]

For time‐independent threat mechanisms (i.e. TP, WOF, and IO), resistance includes the following factors as a measure of available strength:

1. wall thickness

2. wall thickness “use up” for known loading

3. possible weaknesses on the wall

4. material strength including toughness

And other factors as a measure of external loadings:

1. buckling resistance

2. puncture resistance

3. diameter to wall thickness (D/w) ratio

4. Pipe Geometry (2)

(2) Pipe Geometry = 1 / t^2 + 12 / D [5]

14

The “Resistance” model is where the “Construction and Manufacturing” issues are considered involving longitudinal seam weld, girth weld, appurtenances, pipe material, and metallurgy. The “Effective Pipe Wall” calculation takes uses an “OR” Index named “Pipe Wall Adjust”. This includes possible manufacturing and/or construction weaknesses or variables such as:

1. historic manufacturer issues

2. pipe material

3. seam type

4. seam failure history

5. manufacturing anomaly type

6. toughness

7. joint type

8. questionable reinforcement

9. seals/packing/gaskets/o‐rings

10. valve type

11. bend method

Finally, the “Available Pipe Wall” factor, used in Time‐dependent mechanisms, is calculated based on the “Effective Pipe Wall” calculation. The “Effective Pipe Wall” calculation is used for the external force resistance model in both the “Third Party”, and “Weather‐Ground Movement” evaluation models as puncture resistance and buckling resistance, respectively.

15

QUANTITATIVE RISK REFERENCE MODEL BASIC CONCEPTS

Orders of Magnitude

As noted, logarithmic scales are used to characterize the range of failure probabilities. It is a necessary aspect to properly mirror real‐world effects and express risk estimates in absolute terms.

While logarithmic scales are necessary, it is more intuitive to relate this in terms of orders of magnitude. An order of magnitude is synonymous with a factor of 10 or ‘10 times’ or ‘10X’; similar to the operation of logarithmic scales. A range of values from 10E2 to 10E‐6 (102 to 10‐6) represents 8 orders of magnitude (also shown by: log (10E2) – log (10E‐6) = 2‐(‐6) = 8). This PoF model measures mitigation effectiveness and resistance to failure in terms of simple percentages which apply to the range of possibilities.

For example, taking into account an orders of magnitude range of 8, a mitigation measure with the effectiveness of 40% in reducing exposure has the effect of reducing the PoF by 3.2 orders of magnitude. Therefore, if the initial PoF was 0.1 or the event was happening once every 10 years on average, it reduces to 0.1 / 10(40% x 8) = 0.1 / 10 3.2 = 6.3E‐5. This indicates the mitigation reduces the event frequency by over 1000 times.

Effective Zero

For some calculations, a lower limit or “effective zero” is necessary to ensure the mathematical relationships perform properly. An effective zero is a method of assigning a value to an event with a very small probability of occurring (i.e. 1 in a trillion or 1x10‐12). This is used as the “effective zero” value in risk assessment equations. Also, an “effective zero” is subject to change when a risk model is calibrated to produce results in absolute terms such as failures per mile‐year.

OR and AND Gates

The probabilistic math used to combine variables to capture both the effects of single, large contributors and the accumulation of lesser contributors is termed “OR” and “AND” “gates”. Their use in pipeline risk assessment modeling represents the most significant change over previous models. This method reflects reality since it uses probabilistic theory of accumulating impacts to:

• avoid masking influences

• captures single, large impacts

• accumulation of lesser effects

• shows diminishing returns

• avoids the need to have pre‐set, pre‐balanced list of variables

• provides an easy way to add new variables

• avoids the need for re‐balancing when new information arrives

OR Gates

OR Gates imply independent measures which are additive. The OR Gate function calculates the probability that any of the input events will occur. If there are input events, each assigned with a probability of occurrence Pi, then the probability that any of the Pi events’ occurring is:

Mathematical Concepts

16

P = 1 – [(1‐P1) * (1‐P2) * (1‐P3) *……..*(1‐Pi)]

Example: To estimate the probability of failure based on individual probabilities of failure for SCC, External Corrosion and Internal Corrosion, the following formula is used:

Pfailure = OR[PSCC, PEC, PIC] = OR [1.05E‐06, 7.99E‐05, 3.08E‐08] = 1‐ [(1‐1.05E‐06)*(1‐7.99E‐05)*(1‐3.08E‐08)] = 8.10E‐5

The OR gate is also used for calculating the overall mitigation effectiveness from several mitigation measures. This function captures the idea that probability (or mitigation effectiveness) rises due to the effect of either a single factor with a high influence or the accumulation of factors with lesser influences (or any combination).

Mitigation% = mit1 OR mit2 OR mit3 ….. where mitigation % = 1‐[(1‐mit1) x (1‐mit2) x (1‐mit3)…]

or, examining this from a different perspective,

Mitigation % = 1 ‐ (remaining threat) where remaining threat = (remnant from mit1) AND (remnant from mit2) AND (remnant from mit3) ….

AND Gate

AND Gates imply a multiplication. For instance, when all events in a series happen and there is dependence among the events, then the result is the product of all probabilities. In measuring mitigation, when all things have to happen in concert to gage the mitigation benefit, AND Gates are used which implies a dependent relationship rather than the independent relationship that is implied by the OR gate.

An example is assessing a variable called ‘CP effectiveness’ where all sub‐variables reflect true conditions to be confident of CP effectiveness, such as [good pipe‐to‐soil readings] AND [readings close to segment of interest] AND [readings are recent] AND [proper consideration of IR performed] AND [low chance of interference] AND [low chance of shielding] . . . etc. If any sub‐variable is not up to par, then overall confidence in CP effectiveness is reduced. This is captured by multiplying the sub‐variables.

When the modeler wishes the contribution from each variable to be slight, the range for each contributor is kept fairly tight. Consider if 4 of the mentioned tasks are performed well with an effectiveness of 80% confidence, the resultant of a combined effectiveness is approximately 30% using straight multiplication.

Probability of Failure

The most compelling definition of probability is in a degree of belief regarding the likelihood of an event occurring in a specified future period. Probability is expressed as a decimal less than or equal to 1.0 or a percentage less than or equal to 100%. Historical statistical data establishes a degree of belief about future events. This data is not the only source of probability estimates.

17

Probability is a forecast of future events. In this application, the expression has the same units as a measured event frequency, i.e. events per time period. When event frequencies are very small, they are for practical purposes, interchangeable with probabilities: 0.01 failure per year is essentially the same as a 1% probability of one or more failures per year. When event frequencies are larger, a mathematical relationship is used to convert them into probabilities, ensuring that probabilities are always between 0 and 100%.

The pipeline risk assessment model described here is designed to incorporate all conceivable failure mechanisms. It is then calibrated using historical incident rates, tempered by knowledge of changing conditions. This results in estimates of failure probabilities that match the judgments and intuition of those most knowledgeable about the pipelines, in addition to recent failure experience.

TTF to PoF

The probability of failure is calculated as the chance of one or more failures occurring in a given time period. The degradation rate is assumed to occur everywhere simultaneously. Therefore, the number of degradation points in a segment does not theoretically impact the estimate. In reality, there is an uncertainty associated with each degradation estimate. Larger segments will have more possible degradation points and increased chance of outliers; locations having larger than estimated degradation rates. The calculated probability assumes at least one point in the segment is experiencing the estimated degradation rate and no point is experiencing a more aggressive degradation rate.

The relationship between TTF and year one PoF is an opportunity to include segment length as a consideration. A relationship that shows increasing PoF as segment length increases is defensible since the longer length logically means more uncertainty about consistency of variables and more opportunities for deviation from estimated degradation rates.

The PoF calculation estimates the time to failure, measured in time units since the last integrity verification, by using the estimated metal loss rate, the theoretical pipe wall thickness, and strength. It is initially tempting to use the reciprocal of this days‐to‐failure number as a leak rate. For instance, 1800 days to failure implies a failure rate of once every (1800/365) = 4.9 years or 1/(1800/365) = 0.202 leaks per year. However, a logical examination of the estimate shows that it is not really predicting a uniform leak rate. The estimate is actually predicting a failure rate of approximately zero for 4 years and then a nearly 100% chance of failure in the fifth year.

An exponential relationship is used to show the relationship between probability of failure in year one and TTF. The relationship: PoF = 1‐EXP(‐1/ TTF) where PoF = (probability of failure, per mile, in year one) produces a smooth curve that never exceeds PoF = 1.0 (100%), but produces a fairly uniform probability until TTF is below about 10 (i.e., a 20 yr TTF produces ~5% PoF). This does not really reflect the belief that PoFs are very low in the first years and reach high levels only in the very last years of the TTF period. The use of a factor in the denominator will shift the curve such that PoF values are more representative of this belief. A Poisson relationship or Weibull function can also show this, as can a relationship of the form PoF = 1 / (fctr x TTF2) with a logic trap to prevent PoF from exceeding 100%. The relationship that best reflects real world PoF for a particular assessment is difficult if not impossible to determine. Therefore, the recommendation is to choose a relationship that seems to best represent the peculiarities of the particular assessment, chiefly the uncertainty surrounding key variables and confidence of results. The relationship is then modified as the model is tuned or calibrated towards what is believed to be a representative failure distribution.

18

Effective Wall Pipe

An evaluation of pipe strength is critical to risk assessment. This plays a critical role in evaluating failure probability from all mechanisms, especially time‐dependent mechanisms.

Pipe wall thickness is a measure of pipe strength. Its ability to resist failure incorporates pipe specifications, current operating conditions, recent inspection or assessment results, unknown pipe properties such as toughness and seam condition, known or suspected stress concentrators, and special external loading scenarios. This model captures these in a variable called “effective pipe wall”.

Aspects of structural reliability analysis (SRA) are implicit in this approach since probability of defects is overlain with stresses or loads. A very robust SRA uses probability distributions to fully characterize the loads and resistances‐to‐loads, while this simplified approach uses point estimates. Simplifications employed here allow more direct calculations instead of Monte Carlo type routines often used in the more robust SRA calculations.

Measured pipe wall thickness is used directly to calculate remaining strength (available wall) if there is confidence the measurement captures all defects that currently exist, there are no imperfections/weaknesses in the steel, and there are no unintended stresses that are ‘using up’ some strength.

Realistically, all measurements have limitations and many pipelines have age‐of‐manufacture issues as well as other issues that question the true available pipe strength. Issues include low freq ERW seam, inclusions, laminations, low toughness, girth weld processes, weakening from other threat exposures, etc. Effective pipe wall captures such uncertainty about true pipe strength by reducing the estimated pipe wall thickness in proportion to uncertainty about possible wall weaknesses.

Estimates of Effective Pipe Wall ‐ This is a more complex aspect of the risk evaluation because the use of available and anticipated information must be completed in several iterative steps. It is a fairly comprehensive analysis, incorporating the following:

• pipe specification

• last measured wall thickness

• age of last measured wall thickness

• wall thickness implied by last pressure test

• age of last pressure test

• estimated metal loss since last measurement in mpy

• estimated cracking since last measurement in mpy

• maximum depth of a defect surviving at last pressure test

• maximum depth of a defect surviving at normal operating pressure (NOP) or last known pressure peak

• detection capabilities of last ILI, including data analyses and confirmatory excavations

• penalties for possible manufacturing/construction weaknesses (see following section for details)

Other Concepts

19

In simultaneously considering all of these variables, the model is able to more accurately respond to queries regarding the value of performing new pressure tests or new in line inspections. The value is readily apparent as are suggested re‐assessment intervals. All data and assumptions regarding exposure and mitigation are easily viewed and changed to facilitate model tuning and/or what‐if scenarios.

The analysis begins with what is known about the pipe wall. In general, an owner will always know:

• the pipe is not failing at its current pressure and stress condition (NOP)

• the wall thickness last measured (visual, UT, ILI, implied by pressure test, etc or default to nominal design)

The analysis begins with these two factors. Additionally, the owner (in the US) is also required by regulation to estimate the damage potential to the pipe since the last inspection. This estimated damage rate is used to calculate an effective wall thickness after the last measurement was taken. An integrity verification inspection or test adjusts the estimated effective wall thickness.

Steps to Effective Wall Estimate ‐ The steps required in the model’s time‐dependent failure mechanism analysis are as follows:

1. NOP‐based wall: Produce an estimated wall thickness, based on leak‐free operation at current NOP. This may include an estimate of the deepest non‐leaking defect that could be present at this pressure.

2. Pressure test based wall: Calculate an estimated wall thickness based on the most recent pressure test. This may be the original post‐construction test. It can also be a recent, higher‐than‐normal pressure to which the segment has been exposed.

3. ILI based wall: Calculate an estimated wall thickness based on the most recent inspection. This is normally ILI, but can also be bell hole exams where reliable and comprehensive wall thickness measurements were taken. The accuracy of the inspection for all types of possible defects should be a part of this estimate.

4. Exposure: Produce an estimate of steel metal‐loss / crack‐growth in the absence of any mitigation. This includes at least external corrosion, internal corrosion, and cracking and should reflect, for instance in the case of external corrosion, the corrosion rate of the pipe if it was buried uncoated and unprotected in the segment’s environment.

5. Mitigation: Evaluate the effectiveness of current mitigation measures. This effectiveness is used to directly offset (reduce) the steel deterioration rate that would otherwise occur.

6. Estimated pipe wall: Calculate an estimated pipe wall. This is the larger of the pipe wall thickness estimates based respectively on:

• NOP (and largest surviving defect)

• last pressure test minus possible metal‐loss / crack‐growth since

• last inspection minus possible metal‐loss / crack‐growth since

In some cases, there might be additional estimates when metal‐loss and cracking scenarios are evaluated separately.

1. Effective pipe wall: Assign a penalty to reduce pipe strength whenever there is the possibility of manufacture or construction issues that reduces the pipe strength. This is an adjustment factor used to move from an estimated pipe wall to an effective pipe wall.

20

2. Resistance: Calculate the available pipe wall by comparing the effective pipe wall with the wall thickness needed to contain NOP.

3. TTF: Calculate the TTF by dividing the metal‐loss / crack‐growth rate into the available wall.

4. PoF: Convert the TTF into a PoF for the current year. This value is combined with the time‐independent failure assessments for an overall PoF for each pipeline segment.

It is recognized that this modeling approach makes several simplifying assumptions that does not fully account for the complex relationships between anomaly sizes, types, and configurations with leak potential, rupture potential, and fracture mechanics theories. In addition, metal loss and cracking phenomena known to progress in non‐linear fashion, sometimes alternating between rapid progression and complete stability. A constant deterioration rate is used only as a modeling convenience in the absence of more robust predictive capabilities. It must be noted that remaining strength calculations and TTF estimates should not be taken as precise values, but rather as relative measures that characterize overall system behavior and may be significantly inaccurate for isolated scenarios.

Nonetheless, after accounting for uncertainty and application of appropriate safety factors, the TTF values directly support integrity management in a way that previous approaches do not. A re‐assessment interval is readily apparent from these calculations. Integrity assessment schedules are directly linked to calculations that fully integrate all pertinent data.

More details of these steps follow:

NOP‐based wall ‐ For a burst‐model, the wall thickness implied by leak‐free operation at NOP is calculated by using the Barlow relationship with NOP to infer a minimum wall thickness. Since defects are present and not causing failure, a value for “max depth of defect surviving NOP” is also assumed. This value is somewhat arbitrary since the defect depth that can survive at any pressure is a function of the defect geometry. The assumed wall thickness based solely on operating leak‐free at NOP is calculated as follows:

pipe_wall_barlow_NOP = ([NOP]*[Diameter]/(2*[SMYS]*1000) ‐ (max depth defect surviving NOP)

This simple analysis accounts for defects that are present but are small enough that they do not impact effective pipe strength by using the variable “max depth of defect surviving NOP”. The analysis is made stronger by incorporating a table or chart of defect types and sizes that are present even though the pipe has integrity at NOP. An appropriate value is selected knowing that a pressure test at 100% SMYS on 16", 0.312, X52 pipe could leave anomalies that range from 90% deep, 0.6" long to 20% deep, 12" long. All geometry combinations having deeper and/or longer dimensions would fail. Curves showing failure envelopes can be developed for any pipe.

Pressure test based wall thickness estimate ‐To conclude that there is greater wall thickness than implied by NOP, additional information must support this premise. The above analysis is repeated using the test pressure instead of the NOP. Then, using an estimated deterioration rate (discussed below) from the test time until the present moment, another pipe wall estimate is produced. This is compared to the estimate from the NOP. If this conservative estimate of deterioration suggests a greater wall thickness than implied by the Barlow‐NOP calculation, then this value is used instead of the minimum wall needed for NOP per Barlow.

21

ILI based wall thickness estimate ‐ This calculation uses the last actual measurement taken, including the uncertainty surrounding the measurement and the age of the measurement. This measured pipe wall value overrides the other wall thickness estimates (from NOP and since the last pressure test), if the measured value shows with confidence that even more pipe wall is available. The capability of the measurement tool and the validation process is important. Increased knowledge, obtained by either greater detection capability of all possible defects and/or a more aggressive validation program, reduces uncertainty in the measurement. As with the estimate based on pressure test, this estimate includes possible degradation of pipe wall since the measurement.

If an integrity assessment, including accuracy considerations, indicates no anomaly, there could be an anomaly present that is below the detection capability of the assessment. However, it is not normally appropriate to assume that such below‐detection anomalies exist everywhere. Such ultra‐conservatism is counterproductive to risk management. It is appropriate to use knowledge of possible failure mechanisms to estimate possible defects.

The modeler uses an assessment of integrity inspection capability (IIC) to adjust all measured or inferred wall thicknesses. The adjustment is based on the largest surviving defect after the most recent inspection. It can also consider the severity of the defect in that it might contribute to likelihood of failure. For instance, a detected lamination is normally not a significant threat to integrity unless it is very severe or also has the potential for blistering or crack initiation.

A complication in evaluating IIC is that several defect types must be considered. IIC is not consistent among inspection tools and defect types, and generalizations are needed. Examples of defect types include metal loss (internal or external corrosion), axial cracks, circumferential cracks, narrow axial corrosion, long seam imperfections, SCC, dents, buckles, laminations, inclusions. Inspection or assessment techniques often focus on one or two of these with limited detection capabilities for the others. Since most ILI assessments provide unequal information on cracking versus metal loss, a two‐part calculation is required in the TTF assessment. This is illustrated in Example 1 below.

A matrix can be set up capturing the beliefs about IIC. For example:

This matrix is a simplification and is based on interpretation of information available at the time of the study. It is modified when the user has more information available.

Values shown represent defect sizes (depths normally), expressed as percentage of wall thickness, that might remain after the assessment. A value of 100 means that the assessment technique has no detection capabilities for that defect type. The last 2 columns aggregate the various defects into two categories and assign an IIC to each category based on the capabilities for the specific defects. As an example of the use of this matrix, consider a pipeline that was evaluated with a High Resolution MFL tool with a routine validation protocol. The corresponding maximum surviving defects for this assessment are 10% of wall for metal loss and 100% of wall for axial cracks. Therefore, no information regarding crack presence is obtained.

22

Exposure ‐ For the purposes of estimating wall loss since the last pressure test or other inspection, the same values are used as for the current exposures. Only if the user knows that exposures have changed significantly in the period of time since the last inspection should different values be considered.

Mitigation ‐ For the purposes of estimating wall loss since the last pressure test or other inspection, only mitigation strategies that have been in place for that time period should be considered. This will likely require the modeler to calculate separate mitigation values for this estimate than for current mitigation situations.

Estimated pipe wall ‐ The estimated pipe wall reflects the best estimate of how much metal is present and available to resist failure. Either cracking or metal loss may dominate the calculation, depending upon the estimated aggressiveness of each and the date/type of assessments performed. For many risk assessments, the two phenomena are best tracked independently.

Remaining wall thickness, or maximum surviving defect sizing, is estimated using some simple relationships like the Barlow equation specified in US pipeline regulations. This has limitations since it does not accurately capture the effects of defect size (depth versus length and width are important) or type (cracking phenomena are not captured by the Barlow relationship). When increased accuracy is required, metal loss sizing routines such as RSTRENG, ASME B31.8G, or fracture mechanics relationships are substituted. It is recommended that the more robust calculations are used when data is available since the Barlow will produce overly conservative results. For example, in a 72% design factor pipeline, with a 12.5% wall thickness manufacturing tolerance, only 15% wall loss would predict failure. Ignoring the manufacturing tolerance is often suggested in order to reduce the over‐conservatism when Barlow is used. This is consistent since ASME recommendations are to use nominal wall value in Barlow calculations.

Effective pipe wall ‐ An estimated pipe wall thickness has now been created. The effective pipe wall calculation begins with this value and adjusts or penalizes it for anything that implies a reduced strength in that metal. A potential weakness is modeled as being equivalent to reduced wall thickness.

Possible manufacturing/construction weaknesses are identified for each pipeline segment. Typical age‐of‐manufacture/construction issues include:

• Increased longitudinal seam susceptibilities (low freq ERW, for instance)

• hard spots

• laminations

• low toughness

• girth weld weaknesses

• miter joints

• wrinkle bends

• stress concentrators

• sub‐standard appurtenances

• other possible weaknesses

The amount of weakness actually produced by these factors is often very situation‐specific. Generalizations are used to avoid the sophisticated finite element analysis that is required to fully model all of the possibilities. Some generalizations are available from industry standards and even regulations. Note the seam factor used in U.S. regulations for pipeline design is an example of an adjustment value.

23

The effective pipe wall estimate is now used for available wall calculation (time‐dependent mechanisms) and in external force resistance models (third party pipe wall puncture resistance and landslide buckling resistance). However, nominal pipe wall is often used in certain external force variables such as D/t and geometry factor since their influences are very coarse. Using effective pipe wall everywhere can lead to circular calculations, therefore simplifications are at times needed.

Resistance (available pipe wall) ‐ The difference between the available pipe wall thickness and the thickness required for anticipated loads (internal pressure, external loads) is the thickness of metal that is lost before failure occurs. This estimated ‘extra’ wall thickness represents a safety margin, where failure potential is reduced as this increases since the TTF is increased. This ‘available wall’ is used in subsequent estimates of resistance to other failure mechanisms such as external forces. Similarly, the available wall estimate is reduced on the basis of other results from the risk assessment. For instance, when external forces require more pipe strength, this reduces strength available to withstand other failure mechanisms.

Again, some significant simplifying assumptions underlie this value and should be carefully considered by the user.

TTF ‐ This represents the time period before failure occurs, under the assumed wall loss and available strength assumptions. TTF = 1 / [(available pipe wall) ‐ (wall loss rate) x (1 – mitigation effectiveness)]. For these time‐dependent mechanisms, TTF is an intermediate calculation leading to a PoF estimate.

New integrity inspections can ‘re‐set the clock’ for this calculation as can any new information that leads to a revised wall thickness estimate.

24

LIKELIHOOD OF FAILURE

This model recognizes that the two general types of failure mechanisms, time dependent and independent, require slightly different calculation routines. Time dependent mechanisms of corrosion and fatigue are initially measured in terms of the amount of damage they are cause over time. Mils per year (mpy) is a common measure of corrosion metal loss and is used to measure crack growth rates if some simplifying assumptions are used. The initial ‘damage rate’ measurement is used to calculate a time‐to‐failure (TTF) and then a probability of failure (PoF), in failures/mile/year. TTF and PoF are estimated using common engineering and statistical relationships, either very complex (fracture mechanics, finite element analyses, etc) or with simple approximations (% of Barlow‐required thickness, etc).

For time‐independent failure mechanisms such as third party damage, weather, human error, and earth movement events, the process is simpler. Constant failure rate or random failure rate events are assessed with a simple ‘frequency of occurrence’ analysis. The estimated frequency of occurrence of each time‐independent failure mechanism is directly related to a failure probability. Then it is combined with the PoFs from the time‐dependent mechanisms. As previously noted, the frequency and probability values are numerically the same at the low levels that is seen in most pipelines.

Time‐independent failure modes are assumed to either cause immediate failure or create a defect that leads to a time‐dependent failure mechanism.

The Time Dependent variables are fully discussed in the attached appendices demonstrating the equations, terms, and variables.

SCC – Appendix A

IC – Appendix B

Fatigue – Appendix C

EC – Appendix D

Time Dependent Resistance – Appendix F

The Time Independent variables are fully discussed in the attached appendices demonstrating the equations, terms, and variables.

Third Party Damage – Appendix H

Weather and Ground Movement – Appendix G

Incorrect Operations – Appendix J

Time Dependent

Time Independent

25

PROBABILITY OF FAILURE

In the risk assessment, a probability of failure is calculated for each pipeline segment for each threat. Under the assumption that each failure mechanism is independent, these probabilities are combined to give an overall failure probability for the segment. The segment probabilities are combined to give an overall PoF.

PoF = f(PoF time‐indep, PoF time‐dep)

PoF values associated with each failure mechanism are combined using the widely accepted premise in probability theory that the “chance of one or more failures by any cause is equal to 1 minus the chance of surviving cause A” times “the chance of surviving cause B” times etc... Hence, for a model that has categorized threats into third party, TTF, theft/sabotage, incorrect operations, and geo‐hazard, the relationship is:

PoF overall = 1‐[(1‐PoFthdpty) x (1‐PoFTTF) x (1‐PoFtheftsab) x (1‐PoFincops) x (1‐PoFgeohazard)] where PX= Failure Probability associated with failure mechanism X (Probability of one or more failures/ (mile*yr) or other appropriate units).

A simple summation of failure probabilities is acceptable when numerical values are very small.

While the assumption of independence is made for purposes of probabilistic math, dependences are also modeled. For example, the effective pipe wall calculated in the TTF routines is used in the resistance calculations for external forces. Similarly, the effects of external loadings influences the ‘available wall’ calculations in the TTF routines.

Combining Segments ‐ Threats modeled as random in nature including third party, theft, sabotage, incorrect operations, geohazards, etc…, are sensitive to segment length since the PoF is based on an exposure per unit length. Therefore, longer length segments have more exposure and hence, more PoF. A simple multiplication of segment length by its PoF per unit length yields the segment’s total PoF.

The PoF calculation from TTF is theoretically not segment‐length‐sensitive, for reasons previously noted. However, to further account for uncertainty in TTF estimates, including a segment length consideration might be justified.

TTF is defined as the time period before failure occurs, under the assumed wall loss and available strength assumptions. TTF is an intermediate calculation leading to a probability estimate.

PoF time‐dep = f (TTF) where TTF = “time to failure” = 1 / [(available pipe wall) ‐ (wall loss rate) x (1 – mitigation effectiveness)]

This calculation involves many considerations and several steps as discussed below. The relationship between probability of failure and TTF is established by the model designer.

Overall Pipeline PoF

Time Dependent PoF

26

For time independent failure mechanisms, the underlying form of this calculation is:

PoF = [unmitigated event frequency] / 10[threat reduction] where [threat reduction] = f (mitigation effectiveness, resistance)

Threats modeled as random in nature, third party, theft, sabotage, incorrect operations, geohazards, etc…, are sensitive to segment length since the threat is assumed to be uniformly distributed across the entire segment. This results in a leak rate per length per time period (such as PoF / mile / year) which is then multiplied by the segment length to obtain a failure probability for the segment. A direct multiplication or summation of failure probabilities is acceptable when numerical values are very small.

One of the keys to the Quantitative Risk Reference Model approach in risk assessment is to capture the orders of magnitude spans between risk levels. Older scoring systems did not normally provide for this aspect.

Time Independent PoF

27

CONSEQUENCE OF FAILURE

Evaluations of the consequences from a pipeline failure must address the entire environment harmed by a pipeline failure and the damage extent. The consequence parameters include specifics and interactions of receptors, product, spill size and dispersion. Since there are an infinite number of combinations of receptors interacting with an infinite number of spill scenarios, the range of possibilities are infinite. Therefore, all algorithms include simplifications and assumptions in order to make the solution process manageable. Lower level models tend to model only worst case scenarios, disregarding the normally very low probability of such scenarios actually occurring. Higher level models will characterize the range of possibilities, perhaps even producing a distribution to represent all possible scenarios.

The receptor is the object or focal point that receives the negative impact if there is a rupture in the pipeline. This may include fatalities, environmental and property damage, and service interruption. This factor takes into account population densities based on DOT classification in conjunction with the impact on high consequence areas. The objective is to identify areas along the pipeline where consequences are elevated. This provides the operator the opportunity to mitigate consequences by knowing where the greatest damage may occur.

To quantify consequence, a choice of a measurable level of harm or damage is first required. Fatalities or dollar values are common measures. Alternatively, the effect of the thermal radiation level or overpressure level implies a certain possible range of damages.

As with PoF, the designer of the CoF assessment model must strike a balance between complexity and utility, using enough information to capture all meaningful nuances and satisfy data requirements of all regulatory oversight.

The enhancements recommended here improve upon consequence assessments typically associated with scoring or indexing risk assessments. The main enhancements are:

1. characterize the range of consequence scenarios, including their respective probabilities of occurrence, rather than basing the assessment on a point estimate like ‘worst case’

2. use of hazard zones

3. characterize receptors and their potential damage rates within hazard zones

In some cases, a measure of relative consequences is the only metric needed. For those, there is normally not a need to calibrate or tune the relative consequence results to actual consequences measured in dollars or other ‘cost’ units.

When a simple, relative consequence model is needed, the key aspects of consequences are combined in a simple multiplication. The main components of the assessment are:

LIF = PH x R x S x D where Product hazard (PH); Receptors (R); Spill volume (S); Spread range or dispersion (D);

Consequence of Failure Concepts

28

This equation shows that if any one of the four components is zero, then the consequence, or the risk, is zero. Therefore, if the product is absolutely non‐hazardous (including pressurization effects), there is no risk. If the spill volume or dispersion is zero, either from 'no leak' or from some type of secondary containment, then there is no risk. Similarly, if there are no receptors (human, environmental, or property value) to be endangered from a leak, then there is no risk. As each component increases, the consequence and overall risk increases.

The critical importance to any risk assessment is an evaluation of the types and quantities of receptors that may be exposed to a hazard from the pipeline. For these purposes, the term receptor refers to any creature, structure, land area, etc., that could “receive” damage from a pipeline rupture. The intent is to capture relative vulnerabilities of various receptors, as part of the consequence assessment.

Possible pipeline rupture impacts on the surrounding environmental and population receptors are highly location specific due to the potential for ignition and/or vapor cloud explosion. Variables include the migration of the oil spill or leak, the amount of shelter and barriers, and the time of exposure. Ideally, a damage threshold would lead to a hazard area estimation that would lead to a characterization of receptor vulnerability within that hazard area.

The hazard factor takes into account the probability of ignition based on population density as well as the spill volume. The more hydrocarbon that is released into the environment, the greater it increases the likelihood of the product to reach an ignition source.

The consequence reduction factor is a combination of several variables that reduces the receptor damage via regulations, maintenance, and mitigation protocols. This particular calculation uses variables which mitigate the potential damage due to a release. The operator uses particular resources and protections to prevent and contain product releases through actions as maintenance inspections, patrols, and leak compliance.

Receptors

Hazard Factor

Reduction Factor

29

TOTAL RISK – POF*COF

Once the final PoF is determined from both time dependent and independent variables, the PoF is simply multiplied with the resultant CoF. This produces a unit‐less number which ranks each segment of pipeline accordingly. The pipe segment with the greatest value has the highest risk of failure due to either PoF variables or CoF variables.

The variables are easily traced back to its respective origin to determine the driving variable that increases the total risk. When this is determined, the operator can choose to expend resources to mitigate or eliminate the variable, thus reducing the risk for that specific segment. This allows for a relatively simple method to allocate capital funds using a logical system which provides the necessary evidence to justify the expense.

CALIBRATION & VALIDATION

For some applications of pipeline risk assessment, especially in the early stages, relative risk values are the only values that are required. Relative values often adequately support prioritization and ranking protocols. The need for calibration, where tuning the model output such that it reflects actual event frequencies, is necessary to measure the program effectiveness. Then as time progresses, only validation, ensuring consistent and believable output from the model, is required.

Prior to the need for PoF results expressed in absolute terms, failures per mile‐year for instance, the PoF values are stripped of their time period implication and used as relative numbers of density. A 2.3% PoF does not mean a 2.3% annual probability of failure until the risk assessment is calibrated. It only means a 2.3% chance of failure over some time period. This might be one year or one hundred years. Until the calibration is done, the 2.3% value is used as a relative measure of PoF.

Experience has shown, however, that risk management permeates many aspects of the organization that a good risk model’s role is eventually expanded. As its output becomes more familiar, new users and new applications arise. Ultimately most assessments are asked to anchor their output in absolute if not monetary terms. When this happens, the need for both validation and calibration arises.

Incident history is one of the important aspects of evidence to consider when calibrating risk assessment results. This includes all incidences of measured metal loss, crack like indications, damages found, anomalies detected, plus actual failures. In most cases, knowledge of all previous repairs is relevant.

An incident impacts our degree of belief about future failure potential in proportion to its relevance as a predictor. Some will directly impact exposure estimates. Even if it has little or no direct relevance as a predictor, the related investigation certainly yields information useful in effective pipe wall calculations.

A mechanism must exist to remove the ‘penalty’ when there is no longer any relevance. An example is where an ineffective coating is the root cause of a corrosion incident and that coating is subsequently replaced. Another example is a high incidence of third party damages or near‐misses associated with some land use that has since changed.

All PoF estimates are calibrated using relevant historical failure rates when available. This generally involves the following steps:

• perform detailed analysis of historical incident data

30

• discover or determine the root cause to define the incident to threat relationship

• evaluate data in the context of similar pipelines (similar environments and O&M practices) in other companies

• determine relevance of each incident to all segments of the pipeline

• use relevant data to calibrate or tune the algorithms such that absolute risk levels, expressed in annualized costs, are produced

Failures outside of the segment of interest might or might not be relevant such that historical data is adjusted on the basis of engineering judgment and experience.

If model results are not consistent with a chosen benchmark, any of several things might be happening:

• benchmark is not representative of the assessed segments

• exposure estimates are too high or too low

• mitigation effectiveness is judged too high or too low

• resistance to failure is judged too high or too low

The distinction between PoF and probability of damage (but not failure) is useful in diagnosing where the model is not reflecting reality. Mitigation measures have several aspects that are tuned. The orders of magnitude range established for measuring mitigation is critical to the result, as is the maximum benefit from each mitigation activity, and the currently judged effectiveness of each. A trial and error procedure might be required to balance all these aspects for the model to produce credible results for all inputs.

Similar to the use of a benchmark for model validation, a carefully structured interview with SMEs identifies model weaknesses (and also often be a learning experience for SMEs). If an SME reaches a risk conclusion that is different from the risk assessment results, a drill down into both the model and the SMEs basis of belief is performed. Any disconnect between the two represents either a model error or an inappropriate conclusion by the SME. Either is readily corrected. The objective is to make the risk assessment model house the collective knowledge of the organization.

Regardless of the extent of the modeling rigor employed, assumptions and simplifications are still needed in the analysis. The uncertainty surrounding a risk assessment is not eliminated and a model without some simplifications is not justifiable in such a highly uncertain environment. The very nature of extremely rare events makes planning difficult.

Even though the more robust algorithms discussed here use almost all pertinent information, they are still created to receive and produce point estimates only. In reality, many variables vary over time as well as along a pipeline. To better model reality, the changes in many parameters like pressure, soil resistivity, wall thicknesses, etc…, are captured by creating a distribution of the variations over time or space. Such distributions are at least to partially quantify the uncertainty surrounding all measurements. The range of possibilities for all pertinent variables must be understood and accounted for in producing the risk estimates.

31

CUSTOMIZATION OF AI‐IMD TEMPLATES

Once a client makes a contract with American Innovations – IMD, there are multitudes of information that must be exchanged. AI and the client determine when to meet at the client facility. This meeting typically lasts three to five days and is facilitated by AI engineers. The meeting has a three‐fold purpose. First, AI engineers come to this meeting with a standard template algorithm to identify critical information requirements in order to fill the IMP models with information used to calculate the risk. Secondly, to assemble the clients SMEs to determine how each variable is to be scored and/or weighted within the algorithm. Last, the AI engineers sit with the client integrity manager to respond to questions and concerns about the software.

Software configuration begins with inputting the algorithm values into the respective equations and schedules, transforming raw client data for input into models, assigning the reference system, and creating specific evaluation and collapse models.

AI engineers work directly with the client integrity managers to resolve any issues, pose questions, and implement the client requests. A continual stream of communication is used via email, telephone, and web based conferences to keep the client informed. The standard AI database quickly becomes fine tuned to a client’s specified system. The client is involved throughout the entire process.

The AI engineer uses the software’s built‐in tools, output models and manipulated columns to extract relevant information from the input models. Also, the IMP software has the flexibility to retain the client’s nomenclature for variables tailoring the models to the clients system. During this molding process, the engineer applies numerous quality control checks to ensure the correct information is used and performs hand calculations to ensure the IMP program is performing as expected. When this is complete, the evaluations are performed and then rigorously examined for errors.

After the final quality control inspection is complete, the algorithm, software, reports, and supporting documentation are delivered to the client for approval. As the client reviews the completed project, the AI engineer is available to discuss any part of the project. Once the client accepts the project work, the software is downloaded to the client’s server where the user can create reports, graphs, etc. to manage the pipeline.

Algorithm Meeting

Software Configuration

Algorithm Tuning

Algorithm Delivery

32

MIGRATION TO L3

Fortunately, a migration from an indexing method to a probabilistic risk assessment does provide the operator with a more realistic analysis in relation to TTF. The new method retains the much of the same data, but does require additional information, and uses different mathematics. Weightings are needed and valuations are still required. The valuations need to come from engineering judgment and expert experience when ‘hard data’ is not available.

Developing a Quantitative Risk Reference Model type of algorithm and making the model work within a modern pipeline integrity database is a daunting task. American Innovations Integrity Management Division has developed a “template” Quantitative Risk Reference Model algorithm within their IMP™ application.

The template algorithm defines the variables to be used as well as the metadata (i.e. variables and their attributes). The template also defines the variable relationships, but depends on the operator’s Subject Matter Experts (SMEs) to customize the scoring and the variable usage. The template algorithm can be customized to reflect the operator SME opinions after a 3‐5 day meeting. During the meeting, each Exposure, Mitigation and resistance variable is reviewed and the scoring is discussed with the SMEs.

At this point, the algorithm specifics are configured into the database. A gap analysis directs the operator to the newly required data and the integrity manager is well on the way to having a risk assessment performed using the Quantitative Risk Reference Model risk algorithm. The benefits of using the template algorithm include:

• all of the benefits associated with the Quantitative Risk Reference Model Risk Algorithm

• ease of implementation/configuration

• provides the basis for establishing data collection priority

33

REFERENCES

1. Muhlbauer, W. Kent Pipe Risk Management Manual. 3rd ed. Boston, MA: Elsevier Inc. 2004.

2. Muhlbauer, W. Kent. “Enhanced Pipeline Risk Assessment Part 1 – Probability of Failure Assessments.” Rev. 2.1, 2006. http://www.pipelinerisk.com.

3. Muhlbauer, W. Kent. “Enhanced Pipeline Risk Assessment Part 2 – Assessment of Pipeline Failure Consequences.” Rev. 1, 2006. http://www.pipelinerisk.com.

4. Muhlbauer, W. Kent, Derek Johnson, Elaine Hendren, Steve Gosse, A L3 Gas Reference Modeleration of Pipeline Risk Algorithms. IPC06‐10178, Proceedings of International Pipeline Conference, 25‐29 September 2006, Calgary, Alberta, Canada.

5. Kiefner, John F. A Risk Management Tool for Establishing Budget Priorities http://www.kiefner.com/

2

7810 Shaffer Pkwy, Suite 150 Littleton, CO 80127 Direct: 303‐948‐0119 FAX: 303‐948‐0479 www.amerinnovations.com

l3 gas reference model algorithm documentation whitepaper.v3 · 2019-10-05 · regulations based on...

Documents