Page 239 - Pipeline Risk Management Manual Ideas, Techniques, and Resources
10/216 Service Interruption Risk
Prevention activities for service interruptions caused by equipment malfunctions include

• Strong equipment maintenance practices
• Regular and thorough inspections and calibrations including all monitoring and transmitting devices
• Redundancy so that one erroneous signal will not unilaterally cause a shutdown.

The evaluator should consider the number and nature of devices that could malfunction and cause a delivery upset. Taken together with the system dynamics and mechanisms that prevent equipment failure, the probability can be assessed. Potential for delivery parameter deviation due to equipment failure is as follows:

High 0 pts
Excursions are happening or have happened recently. Customer impacts occur or are only narrowly avoided (near misses) by preventive actions. Weather-related interruptions are common.

Medium 10 pts
Excursions have happened in the past in essentially the same system, but not recently; or theoretically, a real possibility exists in that a relatively simple (high-probability) event can precipitate an excursion. Occasional weather-related interruptions. Preventive mechanisms (bypass, redundancy, etc.) minimize customer impacts.

Low 15 pts
Rare excursions have happened under extreme conditions. Highly effective and reliable prevention mechanisms exist to correct these rare occurrences. Customer impacts are almost nonexistent. The number of devices is few, and failure potential is extremely low.

None 20 pts
System configuration virtually disallows contamination possibility. A customer impact never occurred in the present system configuration. High reliability, redundant measures are employed to virtually eliminate possibility of customer impact. There is no equipment in the section.

Reference is made to the phrase "single point of failure." For purposes here, this will mean that one event is sufficient to cause the equipment to fail in a fashion that would precipitate a service interruption. Examples include failures of valve seats, pressure sensors, relief valve springs, relief valve pilots, instrument power supply, instrument supply lines, vent lines, and SCADA signal processing.

Example 10.1: Equipment failure potential

Single points of failure on a section of a high-pressure gas transmission system are identified as

• Pressure controller at customer gate
• Control valve at meter site (Failure possibilities include miscalibration or failure of pressure sensor, loss of instrument power supply, fail closed, incorrect signal from SCADA system.)
• Three automatic mainline block valves
• Mainline compressor station where station bypass would not allow sufficient downstream pressure.

Five years of operation shows no delivery parameter deviation due to equipment failure. Because many potential points of failure exist, the evaluator would score the potential as high. However, with a fairly long history of no excursions, the score is set at 8 points, closer to a "medium" potential.

Note that none of the equipment failures in the above example would cause a pipeline failure, but a service interruption has a high chance of occurring.

B4. Operator error

As part of the risk of service interruption, the potential for human errors and omissions should be assessed. The incorrect operations index in the basic risk assessment addresses the human error potential in pipeline failure. An additional qualitative assessment is made here specifically to address the impact of errors in service interruption.

While the potential for human error underlies this entire evaluation, a special circumstance has not yet been given enough consideration. That circumstance is the potential for an on-line operational error such as an inadvertent valve closure, an instrument miscalibration, unintentional trip of a pump or compressor, or other errors that do not endanger the pipeline integrity but can temporarily interrupt pipeline operation. To be complete, errors during maintenance, calibration, and operation of the equipment must all be considered. The evaluator should identify the service interruption events of the highest potential and examine them from a human error standpoint. Where a single error from a single operator can precipitate an excursion, the evaluator should examine the training and testing program for assurances that measures are in place to avoid such errors. Other error prevention activities include warning signs or signals, the use of checklists and procedures, and scenario designs that require a sequence of errors before an excursion is possible. A high possibility for human error should be reflected in scoring the potentials for contamination and delivery parameter violation.

Sensitivity of operation to human error can be scored using a scale similar to the following:

High 0 pts
An error is easy to make and consequences could be severe. One or more single points of failure opportunities exist. Very little or no checking is in place to catch carelessness.

Medium 10 pts
Relatively difficult for a single error to precipitate a service interruption. A good deal of checks (through teams or control room) are made to prevent careless errors.

Low 15 pts
System or customer is relatively insensitive to possible single errors. High levels of redundancy exist or this is an extremely stable system that can be disrupted only with highly unusual circumstances allowed to continue for long periods of time.

None 20 pts
It is virtually impossible for even a combination of errors to cause a service interruption.

C. Intervention adjustment (IA)

In the basic risk assessment, the possibility for interventions to prevent pipeline failures is included in the index items that are