Stations and Surface Facilities

Stations and Surface Facilities

13/257 Stations and Surface Facilities i Contents I. Background 13/257 Types of facilities 13/259 II. Station risk assessment 13/260 Scope 13/260 Se...

3MB Sizes 0 Downloads 83 Views

13/257

Stations and Surface Facilities i

Contents I. Background 13/257 Types of facilities 13/259 II. Station risk assessment 13/260 Scope 13/260 Sectioning 13/260 Data requirements 13/261 Model design 13/263 Weightings 13/263 Process 13/264 III. Risk assessment model 13/264 Risk model components 13/265

I. Background Most pipelines will have surface (above ground) facilities in addition to buried pipeline. These include pump and compressor stations, tank farms, as well as metering and valve locations. Such facilities differ from pipe-only portions of the pipeline in significant ways and, yet, must be included in most decisions regarding risk management. Typical operating and maintenance processes involve prioritizing work on tanks, pumps, and compressors with ROW activities. Many modern risk assessments are including surface facilities in a manner

Equivalent surface area 13/265 External forces index 13/266 Corrosion index 13/267 Design index 13/268 Incorrect operations index 13/268 Leak impact factor 13/271 V. Modeling ideas I 13/275 VI. Modeling ideas II 13/277 VII. Modeling ideas III 13/278 IX. Example of risk management application 13/286 X. Comparing pipelines and stations 13/287 XI. Station risk variables 13/288

~

that accounts for the differences in risk and still allows direct comparisons among various system components. This chapter outlines some techniques for such risk assessements. Many station facilities employ design techniques, such as piping corrosion allowances, reliability-based equipment maintenance, and best preventive maintenance practices. Facilities otten include pieces of large rotating equipment (e.g., compressors, pumps, motor operated valves), as well as sophisticated electronic monitoring equipment (e.g., SCADA, programmable logic controllers, leak detection, on-site control centers, etc.).

13/258Stationsand SurfaceFacilities Identify risk assessment model structure

t

Station facilities risk assessment model (document)

....

I

"-....

...... .; ~ s

Identify all probability variables and consequence variables Risk model flowchart r---1

Identify critical variables to be included in model

.... s/S

J

J

.

ss

s

,,s Determine weighting factors for all variables

Risk model (spreadsheet/ database)

I

t""

[

Risk assessment procedures

L-I

(manual)

Establish scoring and

t .............

9

auditing procedures

Perform necessary supporting J calculations (stresses, release

.

parameters, etc.)

"-,

Gather data, apply algorithm to

."

s

s

pilot facilities ,'

'I

'-'

I

]'_

I

Establish on-going risk

'

management program

L..... I

I I I I I

Risk Management: Risk assessment program

Data analysis Decision support tools

I I I I I I I I

~I Resource allocation model 'I Prioritized maintenance planning iI Administrative procedures I I

Figure 13.1 Riskmanagementsystemfor stations. Because of increased property control and opportunities for observation, the cause, size, duration, and impact of leaks at stations are often smaller than a pipeline failure. Liquid facilities usually have spill containment berms and storm water collection systems, as well as equipment leak detection and capture systems, so the potential for a product release to reach the surrounding environment is significantly mitigated compared with a release

on the pipeline ROW. Stations handling gaseous products normally have vents, flares, and safety systems designed to minimize off-site excursions of product releases. Given the differences between pipeline ROW and the associated surface facilities, it is not surprising that leak experiences are also different. Figure 13.2 shows that liquid pipeline station facility leak volumes are approximately 35% of line pipe leak volumes, per

Types of facilities 13/259

o~ 45

4

40

I

O) v--

d

Tank/Pump

D

Line Pipe

35-

m

L

~ 30

m o o0

25

~L

20

>

<

15

t-


10

Line Pipe: Tank/Pump:

37%

17%

13%

16%

1%

6%

7%

5%

4%

2%

1%

4%

18%

38%

3%

26%

9%

-

0%

-

2%

-

Figure 13.2 Liquidpipelinefailure causes: line pipe versus station facilities.

an ASME B31.4 Committee Station study from U.S. reportable leak data. These data also highlight that equipment failures are the primary cause (38%) of station facility leaks, compared with third-party damage for line pipe (37%) [9a]. Surface facilities are sometimes subjected to different regulatory requirements, compared with pipeline operations on the ROW. The majority of the larger, hazardous liquid pipeline station facilities in the United States comply with process safety management (PSM) regulations, mandated by OSHA in 1992, which require specific actions related to pre-startup safety reviews, process hazard analyses, creation of operating procedures, training, qualifications of contractors, assurance of mechanical integrity, hot work permits, management of change, incident investigations, emergency planning, compliance with safety audits, and employee participation in safety programs. Most U.S. natural gas pipeline station facilities are exempt from compliance with PSM regulations, but many operators adopt at least portions of such regulations as part of prudent operating processes. Some special environmental regulations will also apply to any surface facility in the United States. In addition, the U.S. Department of Transportation (DOT) is in the process of promulgating various pipeline integrity management (PIM) regulations that require all jurisdictional hazardous liquid and gas pipeline facilities to perform a risk assessment as the basis for creating a integrity assessment plan. Several states, such as Texas, are also imposing PIM-related regulations for intrastate pipeline facilities.

II. Types of facilities In this chapter, the term facility applies to a collection of equipment, whereas station refers to a tank farm, pumping station, or

other well-defined collection of mostly aboveground facilities. All stations have facilities--even if only a single block valve. Facilities to be evaluated in a risk assessment might include 9 9 9 9 9 9 9 9 9 9

Atmospheric storage tanks (AST) Underground storage tanks (UST) Sumps Racks (loading and unloading, truck, rail, marine) Additive systems Piping and manifolds Valves Pumps Compressors Subsurface storage caverns.

Comparisons between and among facilities and stations is often desirable. Most pipeline liquid storage stations consist primarily of aboveground tanks and related facilities that receive and store products for reinjection and continued transportation by a pipeline or transfer to another mode of transportation, such as truck, railcar, or vessel. Most storage tanks for products that are in a liquid state under standard conditions are designed to operate near atmospheric pressure, whereas pressurized vessels are used to store highly volatile liquids (HVLs). Liquid pipeline facilities include pumps, meters, piping, manifolds, instrumentation, overpressure protection devices and other safety systems, flow and pressure control valves, block valves, additive injection systems, and breakout tanks. Pipeline gaseous product storage facilities serve the same purpose as liquid tank farms, but include buried high-pressure bottle-type holders, aboveground low-pressure tanks, and/or underground caverns. Gas pipeline facilities used to manage

13/260 Stations and Surface Facilities

product flow through the mainline include compressors, meters, piping, manifolds, instrumentation, regulators, and pressure relief devices and other safety systems, and block valves. Smaller station facilities, such as block valves, manifolds, meters, and regulators, are often located within small, protected aboveground areas, or inside buried vaults, often made of concrete. Larger pipeline stations, such as pump/compressor stations or tank farms, can cover many acres and be heavily secured. Most station facilities could be more accessible than a buffed pipeline, so they typically have unauthorized access prevention measures such as fencing, locked gates, barbed wire, concrete barriers, berms, lighting, and security systems. Depending on the station's size and use, they may be manned continuously or visited by operations or maintenance personnel periodically. Station piping and equipment are sometimes built from different materials and operate at different pressures than the pipeline. Ancillary hazardous materials and processes can also be present at liquid stations, which adds to the level of risk and complexity.

Tanks Product storage tanks might warrant their own rating system since they are often critical components with many specific risk considerations unique to each individual tank. A risk model can use industry standard inspection protocols such as API 653, which specify many variables that contribute to tank failure potential. Common variables seen in tank inspection criteria are 9 9 9 9 9 9 9 9 9 9 9 9

Year tank was built Previous inspection type, date, and results Product Changes in product service Types of repairs and repair history Internal corrosion potential and corrosion mitigation Construction type Shell design, materials, seam type Roof design Leak detection Anodes under tank If bottom was replaced, year bottom replaced, minimum bottom before repair, and minimum bottom after repair 9 Corrosion rate 9 Cycling frequency 9 Cathodic protection.

sections as part of a corrosion prevention program, and not include all factors that could be considered to support a relative cost/benefit analysis for a comprehensive risk-based maintenance budget. Evaluators can and should use the results from other risk analysis methods, such as matrix or process hazard analysis (PHA) techniques, to provide information supporting an indexbased analysis (see Chapter 2). PHAs (e.g., HAZOP, "what-if" scenarios, FMEA) are sometimes completed every several years to meet PSM requirements, but they do not routinely gather and integrate large volumes of facility data as would a comprehensive risk model. Existing PHA action items can be evaluated for risk reduction effectiveness by developing a relative risk mitigation scenario (defined in risk model terms) and calculating a cost/benefit ratio (action cost/score reduction). This is discussed in Chapter 15.

Scope As discussed in Chapter 2, the scope of a risk assessment should be established as part of the model design. This chapter assumes a risk assessment effort that focuses on risks to public safety, including environmental issues, and covers all failure modes except for sabotage. Sabotage can be thought of as intentional third-party damage. The risk of sabotage commands a special consideration for surface facilities, which are more often targeted compared to buried pipelines. Sabotage often has complex sociopolitical underpinnings. As such, the likelihood of incidents is usually difficult to judge. Even under higher likelihood situations, mitigative actions, both direct and indirect, are possible. The potential for attack and an assessment of the preventive measures used, are fully described in Chapter 9. As noted in Chapter 1, reliability issues overlap risk issues in many regards. This is especially true in stations where specialized and mission-critical equipment is often a part of the transportation, storage, and transfer operations. Those involved with station maintenance will often have long lists of variables that impact equipment reliability. Predictive-Preventive Maintenance (PPM) programs can be very data intensive-considering temperatures, vibrations, fuel consumption, filtering activity, etc. in very sophisticated statistical algorithms. When a risk assessment focuses solely on public safety, the emphasis is on failures that lead to loss of pipeline product. Since PPM variables measure all aspects of equipment availability, many are not pertinent to a risk assessment unless service interruption consequences are included in the assessment (see Chapter 10). Some PPM variables will of course apply to both types of consequence and are appropriately included in any form of risk assessment. See page 19 for discussions on reliability concepts.

III. Station risk assessment A station risk assessment model is just one of several important tools normally used within a pipeline operator's overall risk management program. Ideally, the station risk model would have a flexible user-defined structure and be modular, allowing the evaluator to scale the risk assessment to the needs of the analysis. For example, the user may decide to simply employ an index-based approach to prioritize higher risk pipeline facility

Sectioning For purposes of risk assessment, it may not be practical to assess a station facility's relative risks by examining each instation section of piping, each valve, each tank, or each transfer pump for instance. It is often useful to examine the general areas within a station that are of relatively higher risk than other areas. For example, due to the perceived increased hazard asso-

Station risk assessment 13/261

ciated with the storage of large volumes of flammable liquids, one station section may consist of all components located in a bermed storage tank area, including tank (floor, walls, roof), transfer pump, piping, safety system, and secondary containment. This section would receive a risk score reflecting the risks specific to that portion of the station. The risk evaluations for each section can be combined for an overall station risk score or kept independent for comparisons with similar sections in other stations. Ot~en, a station's geographical layout provides a good opportunity for sectioning. There are usually discrete areas for pumps, manifold, truck loading/unloading, additives, tanks, compressors, etc., that provide appropriate sections for risk assessment purposes. Further distinctions could be made to account for differences in tanks, pumps, compressors, etc., thereby creating smaller sections that have more similar characteristics. In certain cases, it might be advantageous to create contiguous or grouped station sections. In the above example, a section could then include all piping, independent of the tank, pump, or process facility to which it is connected. Another approach could be to include all liquid pipeline station tanks in one section, independent of their type, location, and service. The sectioning strategy should take into account the types of comparisons that will be done for risk management. If individual tanks must be compared (perhaps to set specific inspection frequencies), then each tank should probably have its own evaluation. If all "compressor areas," from station to station, are to be compared, that should lead to an accomodating sectioning strategy. A sectioning strategy should also consider the need to produce cumulative, length-sensitive scores for comparison to pipeline lengths. This is discussed on page 287.

Data requirements As noted in Chapter 1, a model is a simplified representation of the real world. The way to simplify real-world processes into an accurate facilities model is to first completely understand the real-world processes in their full complexity. Only then are we able to judge which variables are critical and how they can be logically combined into a valid model. The objective is not to simulate reality, but to model it accurately. The ideal station risk model must be able to withstand a critical engineering evaluation, in addition to its application in real-world risk management decision making. As with line pipe, the quality and quantity of safety data are limited for pipeline station facilities. Therefore, few statistically based correlations can be drawn from all of the factors believed to play a significant role in failure frequency and consequence. The contributing factors, however, can be identified and considered in a more qualitative sense, pending the acquisition of more statistically significant data. Concepts from statistical failure analysis are useful and underlie portions of this station risk model. However, given the unavailability of data, the uncertainty associated with the rare event data, and the complexities of even the simplest facility, a departure from strict statistical analysis is warranted. This departure requires the inclusion of experience and judgment, even when such judgment is only weakly supported by histori-

cal data. It is acknowledged and accepted that in using most risk assessment models, some realism is being sacrificed in the interest of understandability and usability. This is consistent with the intent of most models. The ideal risk assessment methodology works well under conditions of "very little data" as well as conditions of "very extensive data." An overview assessment, where data are scarce, might base an assessment on only a few variables such as

9 9 9 9 9 9

Nearby population density Presence of special environmental areas Quantity of stored products Type of products handled Incident history at the facility Date of last AP1653 out-of-service inspection (for tanks).

In this case, the model would not provide much guidance on specific equipment or procedural changes for a specific tank. It could, however, point to areas where the greatest amounts of resources are best sent. A more detailed version of the methodology, designed to help in detailed decision making, might use a data set including all of the above as well as the following: Tank surface area Tank profile (height/width ratio) Tank joint type (bolt, rivet, weld) Tank year of construction Tank foundation type Tank level alarms Tank level alarm actions (local, remote, automatic, etc.) Tank corrosion rate Staffing level Traffic flow patterns Traffic barriers Security fences Visitor control Programmable logic controller (PLC) usage Critical instrument program Management of change program Operator training specifics Use of SCADA systems UT inspection program MF inspection program Pump type Pump speed Pump seal type Pump seal secondary containment Fatigue sources Material toughness Etc. This list can easily extend into hundreds of variables as shown at the end of this chapter. The risk assessment methodology should work for operators who wish to work with limited data as well as those with extensive, pre-existing databases that need to be incorporated. Figure 13.3 provides an example of an overall station risk model, showing some of the variables chosen for one of the facility modules.

13/262Stationsand SurfaceFacilities

Station Risk Score I

t

I

Consequence of failure

Probability of failure

t

I Component risk scores ,,,

I

AST risk score

1

t

I

Racks risk score

UST/sump risk score

I

I

Loading facility risk score

Piping risk score

,,[

I

Additive facility] risk score |

/

I Risk I

Consequence of failure

Probability of failure

t Product hazards Hc MW Vapor pressure Densities Boiling point Soil permeability Water miscibility Pressure Diameter Volume Population density Highly sensitive areas High-value areas Business risk

,,

I External corrosion

T

Age Soil Coatings Interference Inspections ,,

fo..].,.~om~..t.

I

Internal corrosion

I

External forces

!

I

System operations

Design/ materials

Ground movements

t1

Potential preventions

Size Tank count Sympathetic failures Separations Barriers Initial failures Enclosures Traffic Weather Sabotage Product preventions

L

Pressure testing Design factors Stress levels Fatigue

Loadings/unloadings Fill levels Training Procedures Substance-abuse testing Safety programs Safety systems "Susceptibility to error" factor Design and construction issues Maintenance programs

Figure 13.3 Sampleof stationriskmodelstructure.

I

Station risk assessment 13/263

Model design

Table 13.1

Typical database fields for risk variables

For those desiring to develop a custom station risk model, a database-structured approach to model development could be used. Here, a database of all possible variables is first created. Then, depending on the modeling needs, a specific risk model is created from a selection of appropriate variables. The comprehensive station risk variable database will identify the contribution of any and all possible risk variables. The user will then be able to quantify the relative risk benefit or penalty of an action, device, design specification, etc. However, more than 400 variables can be readily identified (see page 288) as possible contributors to station risk. Some add to the risk, others reduce it, and they do not impact the risk equally. One of the initial objectives of a model design should be to determine the critical variables to be considered, which is a function of the level of detail desired. A cost/benefit balance will otten need to be struck between a low- and high-level risk assessment. A comprehensive, highresolution station facilities risk model will include all possible variables, rigorously defined to allow for consistent quantitative data gathering. A more manageable low-resolution (highlevelwscreening only) station model will include only variables making a larger impact to risk. The large volume of detailed data necessary to support a detailed risk model often has initial and maintenance data gathering costs that are many times the costs of gathering a moderate volume of general data that can be filtered from existing sources. The risk variables database should be structured to allow sorting, filtering, and selection of variables based on any of the database fields to provide optimum flexibility. The evaluator can easily create multiple custom risk models, or continuously change a model, depending on requirements for level of detail, cost of evaluation, or changes in the perceived importance of specific variables. Within the context of overall risk assessment, making adjustments to the list of variables will not diminish the model's effectiveness. On the contrary, customizing for desired resolution and company-specific issues should improve the model's effectiveness. To support this approach to model design, each potential model variable should be classified using several database fields to allow for sorting and filtering. The fields shown in Table 13.1 are examples, selected from many possible database fields, that can define each variable. For example, a variable such as pump motor type would be classified as a high-level-of-detail variable, applying to pumps, when consequences of business interruption are considered in the model; while a variable such aspopulation density would be a low-level-of-detail variable that would probably be included in even the simplist risk model. Screening of the database for appropriate variables to include in the model is done using the fields shown in Table 13.1, perhaps beginning with the "Level of detail" field. This initial screening can assist the evaluator in identifying the appropriate number of variables to include in high-, medium-, or low-resolution models. The grouping of variables by failure modes is done for two reasons:

Databasefield

Example entries

Type of data (used to estimate the cost of modeling the variable)

Engineering: data that are directly counted or measured with common measuring tools Frequency: measurable events that occur otten enough to have predictive power Semiquantitative: combination of frequency data and forecasting (where frequency data are rare, but potential exists) and/or a judgment of quality Third-party damage Corrosion Design Incorrect operations Health Environmental Business Aboveground storage tanks Underground storage tanks Collection sumps Transfer racks Additive systems Pumps Compressors Engines Piping High--use only for very detailed models Medium--use for models of moderate complexity Low--use for all models

,

1. Data handling, analysis, and reactions are enhanced because specific failure modes can be singled out for comparisons, deeper study, and detailed improvement projects.

Type of failure m o d e

Type of impact Type of facility

Level of detail

t

i

2. The ability to compare modeling results is better preserved, even if the choice of variables changes from user to user or the model structure changes. For example, the relative risk of failure due to internal corrosion can be compared to assessments from other models or can be judged by an alternate selection of variables.

Weightings Each variable in the database should be assigned a weight based on its relative contribution to the risk. Whether the variable represents a potential condition/threat (risk-increasing factor) or a prevention/mitigation (risk reduction factor), it can be first assessed based on a scale such as that shown in Table 13.2. The number of variables included in the model will determine each variable's influence within the model since the total risk is distributed among all the variables. This raises a model resolution issue: The more variables included in the model, the smaller the role of each variable because of a dilution effect if all weightings sum to 100%. Overall company risk management philosophy guidelines should be established to govern model building decisions. Example guidelines on how risk uncertainty can be addressed include these:

13/264 Stations and Surface Facilities Table 13.2

Variable risk contribution weighting

4. Volume of product stored, product hazards, prevention, and mitigation systems all drive the magnitude of consequences.

Conditions~threats 5 4 3 2 1

Variablecan easily, independently cause failure--highest weight Variablecan possibly independently cause failure Variableis significant contributor to failure scenarios Variable,in concert with others, could cause failure Variableplays minor role in this failure mode--lowest weight

Preventions~mitigations 5 4 3 2 1

Variablecan easily, independently prevent failure--highest weight Variablecan possibly independently prevent failure Variableis significant obstacle to failure scenarios Variable,in concert with others, could prevent failure Variableplays minor role in this failure mode--lowest weight

1. Results from older surveys and inspections (e.g., tank inspections, CP readings) will have less impact on risk assessments. The "deterioration" of information value depends on many factors and is specific to the survey/ inspection/equipment type (see Chapter 2). 2. Estimated data will have less impact on risk scores than data with a known level of accuracy (e.g., depth of cover, coating condition) (see Chapter 8). Uncertainty is further discussed in Chapters 1 and 2. When deciding on a particular risk model structure, many cost and effectiveness factors should be considered, such as minimizing duplication of existing databases, efficiently extracting information from multiple sources, capturing experts' knowledge, and periodically collecting critical data. All risk model data are best gathered based on data collection protocols (e.g., restricted vocabulary, unknown defaults, underlying assumptions) as discussed in earlier chapters. A lower level risk model should be structured to allow "drilling down" to assess individual equipment, whereas a high-level risk model may be structured to allow assessment at only the overall station level. The following are general risk beliefs that, if accepted by the model designer, can be used to help structure the model. 1. A more complex facility will generally have a higher likelihood of failure. A facility with many tanks and piping will have a greater area of opportunity for something to go wrong, compared to one with fewer such facilities (if all other factors are the same). A way to evaluate this is described on pages 265-266. 2. A manned facility with no site-specific operating procedures and/or less training emphasis will have a greater incorrect operations-related likelihood of human error than one with appropriate level of procedures and personnel training. 3. A facility handling a liquefied gas, which has the mechanical energy of compression as well as chemical energy and the ability to produce vapor cloud explosions, creates considerably more potential health and safety-related consequence than does a low vapor pressure liquid, which has no mechanical energy and is much harder to ignite. On the other hand, some nonvolatile liquids can create considerably more environmentally related consequences.

Process To outline a risk model based on the optimum number of variables from all of the possibilities shown in the database, the following procedure can be used: 1. Conceptualize a level of data collection effort that is acceptable--perhaps in terms of hours of data collection per station. This can be the criterion by which the final variable list is determined. 2. Begin with an extensive list of possible risk variables, since any variable could be critical in some scenario. See the sample variable list at the end of this chapter. 3. Filter out variables that apply to excluded types ofthreatsm ones that will never be a consideration for facilities assessed (e.g., if there is no volcano potential, then the volcanorelated variables can be filtered out; similarly, threats from meteors, hurricanes, freezes, etc., might not be appropriate). 4. Examine the total variable count, estimated cost of data, and distribution of variables across the failure modes--if acceptable, exit this procedure, determine how best to combine the variables, and create data collection forms to populate a database. 5. To minimize the level of detail (and associated costs) of the model, examine the lower weighted variables and filter out variables that have minimal application. In effect, the model designer is beginning at the bottom of the list of critical variables and removing variables until the model becomes more manageable without sacrificing too much risk-distinguishing capability. This becomes increasingly subjective and use-specific. At any time in this process, variables can be edited and new ones added. As implied in this procedure, care should be taken that certain failure modes are not over- or underweighted. This procedure can be applied for each failure mode independently to ensure that a fair balance occurs. Each failure mode could also have a preassigned weighting. Such weighting might be the result of company incident experience or industry experience. This should be done carefully, however, since drawing attention away from certain failure modes might eventually negatively change the incident frequency. Having determined the optimum level of detail and a corresponding list of critical variables, the model designer will now have to determine the way in which the variables relate to each other and combine to represent the complete risk picture. The following sections describe some overall model structures in order to give the designer ideas of how others have addressed the design issue. Most emphasis is placed on the first approach since it parallels Chapters 3 through 7 of this text.

III. Risk assessment model This approach suggests a methodology to generate risk assessments that are very similar to those generated for the pipe-only portions of a pipeline system. It is based on the evaluation system described in Chapters 3 through 7. For facilities that are for

Risk assessment model 13/265

the most part aboveground, such as terminals, tank farms, and pump stations, and are usually on property completely controlled by the owner, the approach described in those chapters should be somewhat modified. Some suggested modifications are designed to better capture the risks unique to surface facilities, while maintaining a direct comparability between these facilities and the pipe-only portions of the pipeline system. The basic components of the risk score for any station facility are shown in Table 13.3.

Risk model components In the revised model, variables in the corrosion, design, and incorrect operations indexes are scored as described in Chapters 4 through 6, respectively, with only minor modifications. The leak impactfactor (LIF) is similarly scored with only a slight possible modification, as described later. The main difference in the revised model entails the treatment of certain external forces. In Chapter 3, an index called the third-party damage index is used to assess the likelihood of unintentional outside forces damaging a buried pipeline or a small aboveground component such as a valve station. A different set of outside forces can impact a surface facility so this index title has been changed to External Forces for use in station assessments. Comparisons and references to the basic model are made in the descriptions of scorable items that follow. After customization, the risk model for pipeline station facilities could have the following items:

External Forces Index Corrosion Index A. Atmospheric Corrosion B. Internal Corrosion C. Subsurface Corrosion

Design Index A. B. C. D. E.

Safety Factor Fatigue Surge Potential Integrity Verification Land Movements

Table 13.3

Basic components of a risk score for a station facility ,,

Risk model component Typeof information needed Probability Probability variables Area of opportunity Consequence Product hazard Spill size Receptors

Conditions and activities that are integrity threats; qualities of variables and weightings Physical equipment and material sizes; counts of more problematic components Acute and chronic product hazards; stored energy quantities Volumes stored; leak detection capabilities; secondary containment Population, environmental receptors, highvalue area considerations; rangeability; loss control systems

Risk score = probabilityx consequence = [Index Sum] / [LIF]

Incorrect Operations Index A. Design B. Construction C. Operations D. Maintenance Leak lmpact Factor Product Hazard Spill Size Dispersion Receptors [Index Sum] -- [External Forces] + [Corrosion] + [Design] + [Incorrect Operations] [Relative Risk] = [Index Sum] / [LIF] Given the many types of stations that might be evaluated witi~ this model, an additional adjustment factor, to take into account the relative size and complexity of a station, is recommended. This is called the equivalent surface area, discussed next, and it is used to adjust the index sum.

Equivalent surface area In this risk assessment approach, the failure probability of a station is thought to be directly proportional to the station's complexity and density of more "problematic" components. The facility dimensions, adjusted for components that historically are more problematic, provide a relative "area of opportunity" for failures. Specifically, larger surface areas result in more chances for corrosion, traffic impacts, fire impingement, projectile loadings, wind loadings, and often complexity--which can lead to human error. It is reasonable to believe that more tankage, more piping, more pumps, more vessels, etc., lead to more risk of failure. Under this premise, stations will show higher failure probabilities overall as they become larger and more complex, compared to cross-country pipe or smaller stations. This is consistent with commonly held beliefs and seems to be supported by many company's incident databases. A measuring scale can be developed to capture the relative complexity and nature of facilities. This scale is called the equivalent surface area. It selects a base case, such as 1 square foot of aboveground piping. All other station components will be related to this base case in terms of their relative propensity to initiate or exacerbate leaks and other failures. The equivalent surface area measure first evaluates the physical area of assessed facilities. Actual surface area is calculated based on facility dimensions: combined surface areas of all piping, tankage, compressors, etc. Adjustments are then made for higher leak-incident components by converting a count of such components into an equivalent surface area. Table 13.4 is a sample table of equivalencies for some commonly encountered station components. The relationships shown in Table 13.4 are established based on any available, published failure frequency data (in any industry) or on company experience and expert judgment otherwise. Table 13.4 implies that, from a leak incident standpoint, 1000 ft2 of above-ground piping = 200 ft2 of tank bottom = 1/2 of a Dresser coupling = 5 other mechanical couplings = 20 tandem pump seals. This reflects a belief that couplings and tank bottoms cause more problems than aboveground piping.

13/266 Stations and Surface Facilities

Table 13.4

Components and their equivalent surface areas

Component Piping (above ground) Tanks Tank bottom Dressercoupling Other mechanical coupling Pump seal, tandem Pump seal, single Already corroded/damaged material Atmospheric corrosion hot spots Pump (per horsepower) Valves Penalty for buried component

Equivalent area (ft 2) 1 2 5 2000 200 50 100 20 5 10 10 0.5

Table 13.4 also shows that the equivalency designers believe that buried components are twice as problematic as above ground. A penalty is assigned for buried or otherwise difficult to inspect portions of the facility. While buried portions enjoy a reduced risk from external forces and fire, on balance it is felt that the inability to inspect and the increased opportunity for more severe corrosion, warrants a penalty. This is contrary to the case of cross-country pipelines where, on balance, buried components are thought to present a reduced risk. The penalty assigned to station buried facilities results in increasing the equivalent surface area by 50%, in the example table above. A good way to develop these relationships in the absence of actual failure data is to ask station maintenance experts collectively questions such as "From a maintenance standpoint, how much piping would you rather have than one pump seal?" This puts the issue in perspective and allows the group to come up with the equivalencies needed. The scale should be flexible since knowledge will change over time. Changes to the equivalent lengths can automatically convert into new risk scores if a robust computer model is used. The equivalent surface area is numerically scaled from the highest to lowest among stations and facilities to be assessed. That is, the largest equivalent area station sets the high mark on the relative scale. The low mark can be taken at 0 or the smallest station, depending on model resolution needs. The equivalent surface area factornthe ratio of the station's score to the highest score of any facility to be evaluated--is then used to adjust the index sum. So, if the index sum for two facilities turns out to be exactly equal, then the one with the larger equivalent surface area will show a higher failure probability level. The exact amount of impact that the equivalent surface area has on the index sum is a matter ofjudgrnent. Saying that the most complex station will have a failure probability of 50% more than the least complex or that the failure rate is 10 times higher than the least complex station are both justifiable decisions, depending on the station types, operator experience, historical data, etc. The mathematics is therefore left to the evaluator to determine.

External forces index For surface facilities, the third-party damage index can be replaced by the external forces index. This index is more

fully explained here. Based on 100 points maximum (safest situation = 100 points), as with the other indexes, the external forces index assesses risks from possible outside forces related to 9 Traffic 9 Weather 9 Successive reactions.

Traffic The potential for damage by outside force increases with increasing activity levels, which include the type, frequency, intensity, complexity, and urgency of station activities. This also includes the qualifications of personnel who are active in the station, weather conditions, lighting, third-party access, traffic barriers, security, and a third-party awareness/damage prevention program. Vehicle impact against some facility component is a threat. The type of vehicular traffic, the frequency, and the speed of those vehicles determine the level of threat. Vehicle movements inside and near the station should be considered, including 9 9 9 9 9 9

Aircratl Trucks Rail traffic Marine traffic Passenger vehicles Maintenance vehicles (lawn mowers, etc.).

Vehicles might be engaged in loading/unloading operations, station maintenance, or may simply be operating nearby. Traffic flow patterns within the station can be considered: Is the layout designed to reduce chances of impact to equipment? Use of signs, curbs, barriers, supervising personnel, operations by personnel unfamiliar with the station (perhaps remote access by nonemployee truckers), lighting, and turn radii are all considerations. With closer facility spacing, larger surface areas, and poor traffic control, the potential for damage increases. Type and speed of vehicles can be assessed as a momentum factor, where momentum is defined in the classic physics sense of vehicle speed multiplied by vehicle mass (weight). Momentum can be assessed in a quantitative or qualitative sense, with a qualitative approach requiting only the assignment of relative categories such as high, medium, and low momentum. The frequency can be similarly judged in a relative sense. Note that relative frequency scales can and should be different for different vehicle types. For example, a high frequency of aircratt might be two or three planes per hour, whereas a high frequency for trucks might be several hundred per hour (on a busy highway). For each type of vehicle, the frequency can be combined with the momentum to yield a point score. Where the potential for more than one type of vehicle impact exists, the points are additive. Where protective measures such as barrier walls or protective railings have been installed, the momentum component for the respective vehicle can be reduced. Similarly, natural barriers such as distance, ditches, and trees can be included here. This is consistent with the physical reality of the situation, since the barrier will indeed reduce the momentuna before the impact to the facilities occurs.

Risk assessment model 13/267

Weather

A. Atmospheric corrosion

The threat associated with meteorological events can be assessed here. Events such as a wind storm, tornado, hurricane, lightning, freezing, hail, wave action, snow, and ice loadings should be considered. (Note that earth movements such as earthquakes and landslides are considered in the design index.) A relative, qualitative scale can be used to judge the frequency of occurrence for each possible event and the potential damages resulting from any and all events. In areas where multiple damaging events are possible, the score should reflect the higher potential threats. Mitigation measures can reduce threat levels.

Atmospheric corrosion potential is a function of facility design, environment, coating systems, and preventive maintenance practices. There are many opportunities for "hot spots" as described in Chapter 4. Many station facilities are located in heavy industrial areas or near waterways to allow for vessel transfers. Industrial and marine environments are considered to be the most severe for atmospheric corrosion, whereas inland dry climates are often the least severe. Score the potential for atmospheric corrosion as shown in Chapter 4.

Successive reactions The threat associated with one portion of the facility (or a neighboring facility) causing damage to another portion of the facility is assessed here. Examples include vessels containing flammable materials that, on accidental release and ignition, can cause flame impingement or explosion overpressure damages (including projectile damages) to adjacent components of the facility. Therefore, portions of a facility that are more susceptible to such secondary accident effects will show a higher risk. The threat value associated with this external force is logically less since another event must first occur before this event becomes a threat. This reduces the probability of the successive reaction event. A qualitative scale can be used to judge this risk level including the damage potential of the causal event. The type and quantity of the material stored determines the damage potential. A calculation of the overpressure (blast wave) effects from an explosion scenario is a valid measure of this potential (see Chapters 7 and 14). Where such calculations are not performed, an approximation can be made based on the type, quantity, and distance of the nearby flammables. Points are assigned based on the vulnerability of nearby facilities. Where protective shields, barriers, or distance reduce the likelihood of damage from the causal event, the threat is reduced and point assignments should reflect the lower potential. Protective barriers and shields should be assessed for their realistic ability to protect adjacent components from thermal and blast effects. Note that, for simplicity, the likelihood of failure of the causal event is usually not considered since such consideration involves another complete risk assessment. This additional assessment might not be possible if the causal event can occur from a neighboring facility that is not under company control.

Corrosion index Depending on the materials being used, the same corrosion mechanisms are at work on pipeline station facilities as are found in buried or aboveground pipe on the ROW. However, it is not unusual to find station piping that has little or no coating, or other means of corrosion prevention, and is more susceptible to corrosion. As in the basic line pipe model, corrosion potential is assessed in the three categories of atmospheric, internal, and subsurface.

B. Internal corrosion During normal operations, station facilities are generally exposed to the same internal corrosion potential as described in Chapter 4. However, certain facilities can be exposed to corrosive materials in higher concentrations and for longer durations. Sections of station piping, equipment, and vessels can be isolated as "dead legs" for weeks or even years. The lack of product flow through these isolated sections can allow internal corrosion cells to remain active. Also, certain product additive and waste collection systems can also concentrate corrosion promoting compounds in station systems designed to transport products within line pipe specifications. Score the items for internal corrosion, product corrosivity, and internal protection as described elsewhere in this text.

C. Subsurface corrosion In some older buried metal station facility designs, little or no corrosion prevention provisions were included. If the station facilities were constructed during a time when corrosion prevention was not undertaken, or added after several years, then one would expect a history of corrosion-caused leaks. Lack of initial cathodic protection was fairly common for buried station piping constructed prior to 1975. If it can be demonstrated that corrosion will not occur in a certain area due to unsupportive soil conditions, CP might not be required. The evaluator should ensure that adequate tests of each possible corrosion-enhancing condition at various soil moisture levels during a year have been made, before subsurface corrosion is dismissed as a failure mechanism. Modern stations employ the standard two-part defense of coatings and cathodic protection detailed in Chapter 4. Subsurface corrosion potential can be evaluated as described in that chapter, with consideration for some issues. Older, poorly coated, buried steel facilities will have quite different CP current requirements than will newer, well-coated steel lines. These sections must often be well isolated (electrically) from each other to allow cathodic protection to be effective. Given the isolation of buried piping and vessels, a system of strategically placed anodes is often more efficient than a rectifier impressed current system at pipeline stations. It is common to experience electrical interferences among buffed station facilities where shorting (unwanted electrical connectivity) of protective current occurs with other metals and may lead to accelerated corrosion. Even within a given pipeline station, soil conditions can change. For instance, tank farm operators once disposed of tank bottom sludges and other chemical wastes on site, which can

13/268 Stations and Surface Facilities

cause highly localized and variable corrosive conditions. In addition, some older tank bottoms have a history of leaking products over a long period of time into the surrounding soils and into shallow groundwater tables. Some materials may promote corrosion by acting as a strong electrolyte, attacking the pipe coating or harboring bacteria that add corrosion mechanisms. Station soil conditions should ideally be tested to identify placement of non-native material and soils known to be corrosion promoting. Station piping of different ages and/or coating conditions may be joined. Dissimilar metals can create galvanic cells and promote corrosion in such piping connections. Pipeline stations sometimes use facilities as an electrical ground for a control building's electrical system, which can possibly impact the cathodic protection system, corrosion rates, and spark generation. AC induction is a potential problem in station facilities anytime high voltages are present. Large compressor and pump stations, as well as tank farms, normally carry high-voltage and high-current electrical loads. Therefore, nearby buried metal can act as a conduit, becoming charged with AC current. Although AC induction is primarily a worker safety hazard, it has also been shown to be disruptive to the station's protective DC current and a direct cause of metal loss.

Design index As detailed in Chapter 5, the design index is a collection of failure mechanisms and mitigations related to original design conditions. The main variables described there are also appropriate for a station risk model. Those factors are: A. B. C. D. E.

Safety Factor Fatigue Surge Potential Integrity Verification Land Movements

Some additional issues arise regarding the

safety factor and

fatigue assessments, as are discussed here. A. Safety factor Although pipeline station facilities are typically constructed of carbon steel, other construction materials are also used. Because station equipment can be made of a composite of different materials, it can be useful to distinguish between materials that influence the risk picture differently. In scoring the safety factor, the evaluator should take into account material differences and other pipe design factors peculiar to station facilities. The stress level of a component, measured as a percentage of maximum allowable stress or pressure, shows how much margin exists between normal operating levels and component maximum stress levels. At stress levels close to absolute tolerances, unknown material defects or unanticipated additional stresses can easily result in component failure. Systems that are being operated at levels far below their design levels have a safety margin or safety factor. Many pressure vessels and pipe components have safety factors of 1.5 to 2.0. When the safety factor is close to 1.0, there is little or no margin for error or to

handle unanticipated stresses. Components with complex shapes are often difficult to calculate. Manufacturer information is often used in those cases. Either normal operating pressures or maximum operating pressures can be used in calculating stress levels, just as long as one or the other is consistently applied. Adjustments for joint efficiencies in tanks and piping might also be appropriate. Materials with a lack of ductility also have reduced toughness. This makes the material more prone to fatigue-type failures and temperature-related failures and also increases the chances for brittle failures. Brittle failures are often much more consequential than ductile failures since the potential exists for larger product releases and increased projectile loadings. The potential for catastrophic tank failure should be considered, perhaps measured by shell and seam construction and membrane stress levels for susceptibility to brittle fracture.

B. Fatigue As one of the most common failure mechanisms in steel, fatigue potential is assessed as discussed on pages 000--000. Instances of high stress levels at very rapid loading and unloading (high frequency of stress cycles) are the most damaging scenario. The threat is reduced as cycle frequency or magnitude is reduced. It is common practice to put extra strength components with very high ductility into applications where high fatigue loadings are anticipated. Common causes of fatigue on buried components and aboveground connections to equipment include loading cycles from traffic, wind loadings, water impingements, harmonics in piping, rotating equipment, pressure cycles, temperature cycles, and ground freezing/thawing cycling. Mitigation options include the removal or reduction of the cycles or, as previously mentioned, the use of special materials.

Vibration monitoring As a further measure of potential fatigue loadings, sources of vibration can be assessed. As a prime contributor to vibration effects, rotating equipment vibrations can be directly measured or inferred from evidence such as action type (piston versus centrifugal, for example), speed, operating efficiency point, and cavitation potential. Common practices to minimize vibration effects include careful attention to equipment supports, PPM practices, pulsation dampers, and the use of high ductility materials operating far from their maximum stress levels. Incorrect operations index Human error is a significant factor to consider when scoring risk at a pipeline station. Human error is often the true root cause of facility failures when one considers that proper design, construction, testing, operations, inspection, and maintenance should prevent almost all equipment and product containment integrity failures. A station environment provides many more opportunities for human error but also provides more chances to interrupt an accident sequence through mitigation measures to avoid human error. This part of the assessment builds on Chapter 6. Several previously described risk variables are discussed here that are specific to the station environment.

Risk assessment model 13/269

A. Design

B. Construction

Overpressurepotential A measure of the susceptibility of the

Because of the age of many station facilities and the construction philosophies of the past, complete construction and test records of the facilities are typically not available. Evidence to score construction-related items might have to be accumulated from information such as leak/failure histories, visual inspections of the systems, and comparisons with similar systems in other areas. Score these items for inspection, materials, joining, backfill, handling, and coatings as described on pages 124--125.

facility to overstressing is a valid risk variable. The safest condition is when no pressure source exists that can generate sufficient pressure to exceed allowable stresses. Where pressure sources can overstress systems and safety systems are needed to protect the facility, then risk increases. This includes consideration of the pumping head, which can overfill a tank. It also includes consideration of changing allowable stresses due to changes in temperature. Note that the adequacy of safety systems and the potential for specialized stresses such as surges and fatigue are examined elsewhere in this model. It is common in the industry for systems to contain pressure sources that can far exceed allowable stresses. Overpressure of customer facilities should also be considered for station facilities. It is primarily the responsibility of the customer to protect their facilities downstream from a custody transfer station from an overpressure event. When in-station piping directly supplies adjacent customer stations, or when it laterals off a mainline pipe end at a custody transfer station (e.g., block valve, manifold, regulators, meter set), the customer's downstream overpressure protection scheme should be examined to confirm that their safety system capabilities are designed to prevent overpressure of downstream equipment an d piping. In general, score these items for design, hazard ID, MAOP potential, safety systems, material selection, and checks as described on pages 119-124.

Safety systems Risk is reduced as safety systems are able to reliably take independent action--without human intervent i o n - t o prevent or minimize releases. Although there is no real standard in the industry, most agree that if false alarms can be minimized, then safety systems that close valves, stop pumps, and/or isolate equipment automatically in extreme conditions are very valuable. Early warning alarms and status alerts when actions are taken should ideally be sent to a monitored control center. Also valuable is the ability of a manned control center to remotely activate isolation and shutdowns to minimize damages. Not as valuable, especially for unmanned, infrequently visited sites, are safety systems that merely produce a local indication of abnormal conditions. Safety system actions that provide increasing station facility overpressure protection include equipment shutdown, equipment isolation, equipment lock-out, station isolation, station lock-out, and full capacity relief. Lock-out typically requires a person to inspect the station conditions prior to resetting trips and restarting systems.

C Operations Station operations typically have more opportunities for errors such as overpressure due to inadvertent valve closures and incorrect product transfer resulting in product to the wrong tank or to overfilled tanks. Some changes are made from the basic risk assessment model for scoring items in this part of the incorrect operations index, as discussed next.

C1. Procedures Score as described on pages 125-126, with the following additional considerations. A comprehensive and effective "procedures program" effort should capture all current station facility design, construction, maintenance, operations, testing, emergency response, and management related procedures. Current station procedures that are considered important or required to adequately operate the station should be available at each station or easily accessible to station personnel. Key station-related activity procedures should allow for the recording of data on procedure forms (records) for personnel review and future use. There should be no recent history of station procedure-related problems. All procedures should be appropriate for the necessary type (design, operations, maintenance, etc.), conditions (location, personnel skills, systems complexity, etc.), best practices (industry, company, etc.), communications method (written, verbal, video), and needs (job safety analysis, job task analysis, job needs analysis). Several layers of procedures should be in place, ranging from general corporate policies (i.e., 10 principles of conduct) to guideline standard practices (i.e., damage prevention program) to station-specific procedures (i.e., abnormal operations procedures) to detailed job task recommended practices (i.e., valve manufacture maintenance procedures). Many technical writing 'best practices' could be listed to provide guidelines for "what makes an excellent procedure," but this is outside the scope of this text. Management of change A formal management of change

Safety systems evaluation To ensure the adequacy of safety systems, periodic reviews are valuable. Such reviews should also be triggered by formal management of change policies or anytime a change in made in a facility. HAZOPS or other hazard evaluation techniques are commonly used to first assess the need and/or adequacy of safety systems. This is often followed by a review of the design calculations and supporting assumptions used in specifying the type and actions of the device. The most successful program will have responsibilities, frequencies, and personnel qualifications clearly spelled out. DOT requires or implies an annual review frequency for overpressure safety devices.

(MOC) process should be in place that identifies facility procedure-related changes that may affect the procedures program and provides adequacy review guidelines (see below). A formal written process should exist that provides best practices for field personnel's modification of company procedures, including communication of changes, procedure revision, and change distribution and implementation. Recent procedure changes should be incorporated into company standards, recommended practices, and local procedures for daily use by station personnel. Procedure changes that are more than 3 months old should be reflected in newly issued procedures accompanied by a change log.

13/270 Stations and Surface Facilities

C2. SCADA/communications A SCADA system allows remote monitoring and some control functions, normally from a central location, such as a control center. Standard industry practice seems to be 24-hours-per-day monitoring of "realtime" critical data with audible and visible indicators (alarms) set for abnormal conditions. At a minimum, control center operators should have the ability to safely shut down critical equipment remotely when abnormal conditions are seen. Modern communication pathways and scan rates should bring in flesh data every few seconds with 99.9% + reliability and with redundant (often manually implemented dial-up telephone lines) pathways in case of extreme pathway interruptions. Protocols that require field personnel to coordinate all station activities with a control room offer an opportunity for a second set of eyes to interrupt an error sequence. Critical stations are identified and must be physically occupied if SCADA communications are interrupted for specified periods of time. Proven reliable voice communications between the control center and field should be present. When a host computer provides calculations and control functions in addition to local station logic, all control and alarm functions should be routinely tested from the data source all the way through final actions. As a means of reducing human errors, the use of supervisory control and data acquisition (SCADA) systems and/or other safety-related systems, which provide for regular communications between field operations and a central control, is normally scored as an error reducer in the basic risk model. As a means of early problem detection and human error reduction, the presence of a SCADA system and a control center that monitors instation transfer systems can be similarly scored as shown on pages 126-128.

should be recorded electronically (database) or on forms (records) for personnel review and future use. There should be no recent history of station documentation-related problems. All as-built station data and drawings should accurately reflect the current facility conditions. A formal MOC process should be in place that identifies facility activity or condition changes that may affect the documentation program and provides adequacy review guidelines (see below). A formal written process should exist for the modification of station facility data and drawings (records, procedures, maps, schematics, alignment sheets, plot plans, etc.) that provides standard practices for field personnel modification of records/drawings, communication of information, database/drawing revision, and change distribution and use. Recent facility modifications should be noted on station drawings for daily use by station personnel. Station modifications more than 3 months old should be reflected on newly issued station drawings, records, and procedures (including equipment labeling) and noted in a change log.

Vibration monitoring program As a component of maintenance or as a type of survey, a vibration monitoring program might be appropriate in many stations. The details of a successful vibration monitoring program are highly situation specific. PPM practices should define requirements to prevent excessive vibrations that might shorten the service life of equipment and endanger components subject to increased fatigue loading. Industry practices are based on equipment types, specific equipment vibration history, and general experience. The PPM program should consider susceptibility of equipment and exposed components and specify frequency of monitoring, type of monitoring, type of acceptable corrective actions, type of early warning indicators, etc.

C3. Drug testing Score this item as described on page 128. C4. Safetyprograms Score this item as described on page 128. Good "housekeeping" practices can be included under this risk variable. Housekeeping can include treatment of critical equipment and materials so they are easily identifiable (using, for instance, a high-contrast or multiple-color scheme), easily accessible (next to work area or central storage building), clearly identified (signs, markings, ID tags) and clean (washed, painted, repaired). Housekeeping also includes general grounds maintenance so that tools, equipment, or debris are not left unattended or equipment left disassembled. All safetyrelated materials and equipment should be maintained in good working order and replaced as recommended by the manufacturer. Station log and reference materials and drawings should be current and easily accessible.

C5. Survey~maps/records Score this item as detailed on pages 128-129. For maximum risk-reduction credit under this evaluation, a comprehensive and effective "documentation program" effort should have captured all current station facility design, construction, testing, maintenance, and operations related data and drawings. Current, or as-built, station data and drawings, which are considered important or required to adequately operate the station, should be available at each station or easily accessible to station personnel. Key station activities and conditions data

C6. Training Score this item as described on pages 129-131, with additional considerations as discussed below. For full risk-reduction credit under this variable, a comprehensive and effective job needs analysis (JNA), job task analysis (JTA), or job safety analysis (JSA) effort should document all current station personnel tasks related to design, construction, maintenance, operations, testing, emergency response, and management activities (including contract positions). Current employee skills, tasks, or knowledge that are considered important or required to safely and adequately operate the station should be identified for each task/position and used as the basis for qualification of personnel on each task/position specific requirement. Key position requirements are outlined and described in a JNA, which is the basis for creating position descriptions. Position descriptions outline primary responsibilities, tasks, authority, communications, training and testing levels, etc. Key job task requirements are outlined and described and can form the basis for creating task-based procedures. Key job safety requirements can be outlined and described as the basis for creating safety-based procedures. There should be no recent history of station position-related problems. All training should be appropriate for the position type (design, operations, maintenance, etc.), effectiveness (completeness, appropriateness, retention, detail, etc.), best practices (industry, company, etc.), method (written, verbal, video, simulator, CBT [computer-based training], OJT [on-the-job training], etc.), and needs. All testing should be consistent with

Risk assessment model 13/271

the training being conducted and clear task/position qualification objectives, testing methods, minimum requirements, and refresher requirements should be documented as part of an overall company personnel qualification program. Several layers of training and testing may need to be in place to cover general corporate policies, standard practices, stationspecific procedures, and detailed job task recommended practices. Many personnel training and testing details could be listed to provide guidelines for "what makes an excellent qualifications program" but this is outside the scope of this book. A formal MOC process should be in place that identifies personnel qualification-related changes that may affect the qualifications program and provides adequacy review guidelines (see below). A formal written process should exist that provides best practices for field personnel's modification of local qualification requirements, including task/position changes, communication of changes, and change distribution and implementation. Recent program changes should be incorporated into company practices, procedures, and documents for daily use by station personnel. Program changes more than 3 months old should be reflected in newly issued program documents accompanied by a change log. C7. Mechanical error preventers This variable is fully described on pages 131-132. As a means of reducing human error potential and enhancing operations control, computer permissives are routines established in local logic controllers (field computers) or central host computers (see earlier discussion of SCADA systems). These routines help to ensure that unsafe or improper actions, including improper sequencing of actions, cannot be performed. They are most often employed in complicated, multistep procedures such as station starts and stops and pump line-ups. Also in this category are control functions that cover more complex routines to interpret raw data and that take actions when preset tolerances are exceeded. Examples of computer permissives include routines that prevent a pump from starting when the discharge valve is closed, delay a pump shutdown until a control valve has reached a certain position, open a bypass valve when a surge is detected, and automatically start or stop additional pumps when flow and pressure conditions are correct. D. Maintenance

As in the pipe-only assessment, a low score in maintenance should cause doubts regarding the adequacy of any safety system that relies on equipment operation. Because features such as overpressure protection and tank overfill protection are critical aspects in a station facility, maintenance of pressure control devices and safety systems is critical. Score the maintenance practices for documentation, schedule, and procedures as described on page 132. Whereas some regulations mandate inspection and calibration frequencies of certain safety devices, it is common industry practice to perform regular PPM activities on all "critical instruments." The term critical instrument should be defined and all devices so labeled should be identified and placed on a special, formal PPM program. Commonly, pressure relief valves, rupture disks, and certain pressure, temperature, and flow sensors and switches are considered critical devices,

depending on the consequences of their failure to perform as designed. Where reliance is placed on another company's safety system, risk is increased. The extra risk can be partially reduced to the extent that witnessing of the other company's PPM activities takes place. Antifreeze program In many regions, freeze prevention is a critical part of failure avoidance. This can be added to the risk assessment when appropriate. For maximum risk-reduction credit, each potential "dead space" that can be exposed to product and subzero ambient temperatures should be on a seasonal or annual "antifreeze" maintenance program that includes identifying all potential equipment, component, piping, tubing, or sump areas where water can collect and freeze causing material stresses, cracks, or failures. Examples of practices to prevent freeze problems include the following:

9 To protect station sensing tubing/pots, an appropriate solution of fluid is injected every fall where facilities are vulnerable. 9 To protect station piping, low spots are removed or pigged and dead legs are flushed periodically during cold weather. 9 Station valve stems and lubrication tubing are injected with low-temperature grease each fall. 9 Pump drains and sumps are periodically flushed during cold or heat traced aboveground (buried below grade). The risk evaluator should look for a comprehensive and effective "antifreeze" effort that is incorporated into the station PPM program. Specific facility design, maintenance, and operations procedures should also exist and be maintained to cover all program requirements. A formal MOC process should be in place that identifies facility conditions or designrelated changes that may affect the antifreeze program and provides adequacy review guidelines (see below). There should be no recent history of equipment/material freezerelated problems.

Leak impact factor The potential consequences from a station spill or release can be assessed in the general way described in Chapter 7. This involves assessment of the following consequence components: Product Hazard Spill Size Dispersion Receptors Where special considerations for stations are warranted, they are discussed here. In most modem hydrocarbon pipeline stations, a leak of any significant size would be cause for immediate action. Gaseous product pipeline stations typically control compressor or pressure relief discharges by venting the gas through a vent stack within the station. In the case of high-pressure/volume releases, large-diameter flare stacks (with a piloted ignition flame) combust vented gases into the atmosphere. Gas facilities are normally leak checked periodically and remotely monitored for equipment or piping leaks.

13/272 Stations and Surface Facilities

Liquid stations often have several levels of leak monitoring systems (e.g., relief device, tank overfill, tank bottom, seal piping, and sump float sensors/alarms), operations systems (e.g., SCADA, flow-balancing algorithms), secondary containment (e.g., seal leak piping, collection sumps, equipment pad drains, tank berms, stormwater controls), and emergency response actions. Therefore, small liquid station equipment-related leaks are normally detected and corrective actions taken before they can progress into large leaks. If redundant safety systems fail, larger incorrect operations-related spills are typically detected quickly and contained within station berms. In some cases, stormwater is gathered and sampled for hydrocarbon contamination prior to discharge. Note that the chronic component of theproduct hazard is often enhanced where a leaking liquid can accumulate under station facilities.

Product hazard As with a pipeline failure on the ROW, a station product release can present several hazards. The fire hazard scenarios of concern for all hydrocarbon product types at station facilities include the following: 9

9

9

9

9

Fireball--where a gaseous fluid is released from a highpressure vessel, usually engulfed in flames, and violently explodes, creating a large fireball with the generation of intense radiant heat. Also referred to as a boiling liquid expanding vapor explosion (BLEVE) episode. Liquid pool fire--where a pool of product (HVLs and liquids) forms, ignites, and creates a direct and radiant heat hazard. Vapor cloudfire/explosion--where a product (gases, liquefied gases, and HVLs) vapor cloud encounters an ignition source and causes the entire cloud to combust as air and fuel are drawn together in a flash fire. This is not an expected fire scenario for crude oil and most refined products that remain in a liquid state. Flame jet--where an ignited stream of product (gases, liquified gases, HVLs, and liquids) leaving a pressurized vessel or pipe creates a long horizontal to vertical flame jet with associated radiant heat hazards and the possibility of a direct impingement of flame on other nearby equipment. Contamination----can cause soil, groundwater, surface water, and environmental damages due to spilled product.

As a measure of increased exposure due to increased quantities of flammable or unstable materials, an energy factor can be included as part of the product hazard or the potential spill size. This will distinguish between facilities that are storing volumes of higher energy products that could lead to more extensive damages. The heat of combustion, Hc (BTU/lb) is a candidate for measure of energy content. Another product characteristic that can used to measure the energy content is the boiling point. The boiling point is a readily available property that correlates reasonably well with specific heat ratios and hence burning velocity. This allows relative consequence comparisons since burning velocity is related to fire size, duration, and radient heat levels (emissive power), for both pool fires and torches. The energy factor can be multiplied by the lbs of product contained to set up an energy-content adjustmet scale to modify the LIE

Spill size A spill or leak size in any scenario is a function of many factors such as the failure mechanism, facility design, product characteristics, and surrounding environment. Smaller leak rates tend to occur due to corrosion (pinholes) or design (mechanical connections) failure modes. The most damaging leaks at station facilities may be small leaks persisting below detection levels for long periods of time. Larger leak rates tend to occur under catastrophic failures such as external force (e.g., equipment impact, ground movement) and avalanche crack failures. There may be little advantage in directly correlating a wide range of possible leak sizes with specific failure modes in a risk assessment. Up to the maximum station facility volume, almost any size leak is possible in any facility component. The potential leak volume and leak rate must both be considered in modeling potential spill size. Certain station spill sizes are volume dependent--more so than leak rate dependent. Spills from catastrophic vessel failures or failures of any isolated station component, such as failure of an overfilled liquid storage tank, reach a size dependent upon the volume of product contained in the vessel or component. Such spill events are not appropriately measured by leak rates because the entire volume of a vessel can be release within seconds. Human error spills can otten involve immediate loss of limited volumes of product. Leak rate is important since higher rates of release can cause more spread of hazardous product (more acute impacts), whereas lower rates are influenced by detectability (more chronic impacts). Leaked volume, as a function of leak rate, leak detection, reaction time, and facility capacity, adds to the vulnerability of receptors due to normally wider spreading and increases costs associated. Two effective spill volumes therefore come into consideration. The first is the facility's capacity-dependent leak volumes and represents the catastrophic station spill scenario (V0). The second is the leak-rate-dependent volume, which is based on the area under the curve of the "leak rate versus time to detect" curve (Fig 7.7). In this graph, "time to detect" includes identification, recognition, reaction, and isolation times. As shown in Figure 7.7, depending on the equation of the curve, volume V 1 can quickly become the dominant consideration as product containment size increases, but volume V 2 becomes dominant as smaller leaks continue for long periods. The shape of this curve is logically asymptotic to each axis since some leak rate level is never detectable and because an instant release of large volumes approaches an infinite leak rate. Because leak detection is equally valuable in smaller facility containment volumes as in larger, it is not practical to directly combine V 1 with V 2 for a station risk assessment. A simple combination will always point to higher-volume containment as warranting more risk mitigation than smaller containments--a premise that is not always correct. Some mathematical relationship can be used to amplify the leak rate-dependent volume to provide the desired sensitivity and balance. The amplification factor is used to inflate the influence of small leak detection since the smaller leaks tend to be more prevalent and can also be very consequential. With this provision, the model can more realistically represent the negative impact of such leaks, which far exceed the impacts predicted by a simple proportion to leak rate. For example, a 1 gal/day leak detected after 100 days is often far worse than a 100 gal/day leak rate

Risk assessment model 13/273

detected in 1 day, even though the same amount of product is spilled in either case. Unknown and complex interactions between small spills, subsurface transport, and groundwater contamination, as well as the increased ground transport opportunity, account for the increased chronic hazard. One application of such an amplification factor established an equivalency by saying that a 200,000-barrel (bbl) containment area with very good leak detection capabilities is roughly equivalent to a 500-bbl containment area with very poor leak detection capabilities--from a risk perspective. The larger containment area has a greater potential leak volume due to its larger stored volume, but either can produce a smaller, but consequential leak. Making these two scenarios equivalent emphasizes the importance of leak detection capabilities and limits the 'penalty' associated with higher storage volumes. This equivalency seems to be reasonable, although any ratio will suit the purposes of a relative assessment. With a desired amplification factor fixed, various combinations of containment volume and leak detection capabilities can be assessed, used to produce spill scores, and then compared on a relative basis. Improvements to the spill score are made by reducing the product containment volume in the case of volume-dependent spills, and by reducing the source (e.g., pressure, density, head, hole, time-to-detect) in the case of rate-dependent spills. Note that improvements in leak detection also effectively reduce the source, in the leak-rate dependent case. In assessing station leak detection capabilities, all opportunities to detect can be considered. Therefore, leak detection systems that can be evaluated are shown in Table 13.5. The time to detect various leak volumes (T 1 through T1000, in Table 13.5, representing volumes from 1 bbl to 1000 bbl of spilled product and defined in Table 7.13) can be estimated to produce a leak detection curve similar to Figure 7.7 for each type of leak detection as well as for the combined capabilities at the station. The second column, reaction time, is for an estimate of how long it would take to isolate and contain the leak, after detection. This recognizes that some leak detection opportunities, such as 24-7 staffing of a station, provide for more immediate reactions compared to patrol or off-site SCADA monitoring. This can be factored into assessments that place values on various leak detection methodologies.

Station staffing As an opportunity to detect and react to a leak, the staffing level of a facility can be evaluated by the following relationship:

Opportunity to detect = [(inspection hours) + (happenstance detection)] where Inspection hour

= an inspection that occurs within each hour Happenstance detection = 50% of manned time per week.

In this relationship, it is assumed that station personnel would have a 50% chance of detecting any size leak while they were on site. This is of course a simplification since some leaks would not be detectable and others (larger in size) would be 100% detectable by sound, sight, or odor. Additional factors that are ignored in the interest of simplicity include training, thoroughness of inspection, and product characteristics that assist in detectability. An alternate approach to evaluating the staffing level as it relates to detection is to consider the maximum interval in which the station is unmanned: Worst case = maximum interval unobserved Examples of evaluating various staffing protocols using the two techniques are shown in Table 13.6. The last column shows the results of a "maximum interval unobserved" calculation while the next to the last column shows the "opportunity to detect" calculation. The maximum unobserved interval method is simple, but it appears worthwhile to also consider the slightly more complicated "opportunity" method, since the "max interval" method ignores the benefit of actions taken while a station is manned, that is, while performing formal inspections of station equipment--rounds. The "opportunity" method, while providing similar relative scores, also shows benefits that more closely agree with the belief that more directed attention during episodes of occupancy (performing inspection rounds) are valuable.

Table 13.5 Leak detection opportunities

Leak detection system

7 x 24 manning with formal, scheduled "rounds" 5 x 8 staffing with formal, scheduled rounds 7 • 24 staffing, no formal rounds 5 x> 8 staffing, no formal rounds Other staffing combinations Occasional site visits (weekly) Mass balance for facility Mass balance for station Pressure point analysis Acoustic monitoring SCADA real-time monitoring Groundwater monitoring Surface drain system (monitored) Soil vapor monitoring Passerby reporting

Reaction time

7"1

7"1o

rloo

rlooo

13/274 Stations and Surface Facilities Table 13.6

Station staffing for leak detection

Field operations and maintenance staffing

Hours per week on site

Inspection hours per week

Happenstance hours

Opportunity hours

Max interval hours

168

84

50% • 168

168

2

40 168 40 2

20 0 0 2

50% • 40 50% x 168 50% x 40 50% x 2

40 84 20 3

60 10 est. 60 166

7 days per week x 24 hours per day, with rounds (every 2 hr) 5 x 8, with rounds (2 hr) 7 x 24, no rounds 5 x 8, no rounds Once/week, 2 hr on site

i

Note: Partial credit for remote surveillance can also be included in this scheme.

A drawback of the "opportunity" scheme is the inability to show preference of a 1 hr per day x 5 days per week staffing protocol over a 5 hours x 1 day per week protocol, even though most would intuitively believe the former to be more effective. To obtain the best results, the two methods are merged through the use of a ratio: (maximum unobserved interval) / (opportunity), and this ratio is in units of"opportunity-hours." Staffing levels from the Table 13.6 are converted to leak detection capabilities (scores) using detection sensitivity and opportunity assumptions and are shown in Table 13.7. Detection sensitivity assumptions are as follows: 1. A leak rate of 1000 gal/day is detected on the first opportunity-hour (immediately). 2. A leak rate of 100 gal/day is detected on the 10th opportunity-hour (100 gal/day leak rates have a 10% probability of detection during any hour). 3. A leak rate of 10 gal/day is detected on the 50th opportunity-hour (a 2% chance of detection during any hour). 4. A leak rate of 1 gal/day is detected on the 100th opportunity-hour (a 1% probability of detection during any hour). In the example shown in Table 13.7, a leak detection score for each spill volume is calculated for various staffing scenarios. Higher numbers represent longer relative times to detect the spill volume indicated. A 7-24 staffing arrangement, with forTable 13.7

mal inspection rounds, has leak detection capabilities several orders of magnitude better than a weekly station visit, in this example. The important message from this exercise is that various 'staffing of stations' scenarios can be evaluated in terms of their leak detection contributions and those contributions can be a part of the overall risk assessment. Staffing, as a means of leak detection, is seen to supplement and partially overlap any other means of leak detection that might be present. As such, the staffing level leak detection can be combined with other types of leak detection. The combination is not seen as a straight summation, because the benefit is normally more of a redundancy rather than an increased sensitivity. For example, the combination can be done by taking the best value (the smallest leak quantity, as set by the best leak detection system) from among the parallel leak detection systems, and improving that number by 50% of the next best value and then adding back in the difference between the two. This recognizes the benefit of a secondary system that is as good or almost as good as the first line of defense, with diminishing benefit as the secondary system is less effective. No credit is given for additional parallel systems beyond the second level, and the primary spill score is never worsened by this calculation. For example, a leak detection system with a spill quantity of 3000 bbl is supplemented by a staffing level that equates to a leak detection capability of 2000 bbl. When

Example station staffing leak detection car~bilities

Leak rate detection scores

T~

7"1o

rloo

rlOOO

Assumed detection sensitivity (opportunity hours before detection)

Staffing scenario

7 x 24, with rounds 7 x 24 5 x 8 with rounds 5x 8 Weekly

Opportunity a (hr)

Maximum unobserved time a (hr)

168 84

2 10

0.01

1

0.11

11

40 20 3

60 60 166

1.5 3.0 55.3

Ratio

100

150 300 5530

50

0.5 6 75 150 2765

10

1

0.1 1.1 15 30 553

0.01

0.11 1.5 3.0 55.3 t

a See Table 13'6.

Modeling ideas I 13/275

both of these "systems" are employed, the spill quantity to be used in the model is 2000 b b l - [1/2 x (3000 bbl)] + ( 3 0 0 0 2000) = 1500 bbl. If the first spill volume is 4500 bbl, then the model value is 2000- [ 1/2 x (4500 bbl)] + (4500- 2000) = 2000 bbl (since the primary score should not be worsened by this exercise). The value of 50% is rather arbitrary--as is the mathematical relationship used--and can be replaced by any value or scoring approach more suitable to the evaluator. Consistency is more critical than the absolute value, in this case. Recall that "penalties" in the form of increased surface area, are also assigned to portions of the facility that are hidden from view (buried) and therefore have less opportunity for leak detection by some methods. Added to the detection time is the reaction time, which is generally defined as the amount of additional time that will probably elapse between the strong leak indication and the isolation of the leaking facility (including drain downtime). Here, consideration is given to automatic operations, remote operations, proximity of shutdown devices, etc. As a simple way to account for various reaction times in the aforementioned scoring protocols, the following rationale can be used: A spill volume equal to (a leak rate of 1000 gal/day) • (the most probable reaction time) is added to the original spill volume. Benefits of remote and automatic operations as well as staffing levels are captured here. This is thought to fairly represent the value of reaction time. Of course, for a large leak, this value is probably understated and for a small leak it is probably overstated, but, over the range of model uses and for a relative assessment, this approach might be appropriate. In one application of a methodology similar to the one outlined here, a sensitivity analysis showed that changes in leak detection and reaction capabilities from 5,000 to 10,000 gallons changed the spill score and also the overall risk by 2 to 3%. This seemed reasonable for the resolution level of that risk assessment. In a situation where the spill score is less dominated by the leak-volume component of the calculation and/or where the range of the spill calculation is smaller, the impact on the spill score and the risk would be greater.

Secondary containment With any spill size scenario, the presence of secondary containment can be considered as an opportunity to reduce (or eliminate) the "area of opportunity" for consequences to occur. Secondary containment must be evaluated in terms of its ability to 9 Contain the majority of all foreseeable spills. 9 Contain 100% of a potential spill plus firewater, debris, or other volume reducers that might compete for containment space--largest tank contents plus 30 minutes of maximum firewater flow is sometimes used [26]. 9 Contain spilled volumes safely--not exposing additional equipment to hazards. 9 Contain spills until removal can be effected--no leaks. Note that ease of cleanup of the containment area is a secondary consideration (business risk). Risk is reduced as secondary containment improves. The risk "credit" can be in the form of a reduced spill size rating or evaluated as an independent variable assessing the dispersion potential, when secondary containment is present. In the case

of the former, the greater the protection offered by secondary containment, the smaller the spill size to be used in modeling spill consequences: Spill size reduction percentage = [(secondary containment %) (adjustment factor)] where Secondary containment % =portion of total facility volume that can be held Adjustment factor = obtained by adding all conditions that apply to the secondary containment, up to the value of the secondary containment %, as shown in Table 13.8. In this table, items are detractors from secondary containment effectiveness, except the first. Limited secondary containments such as pump seal vessels and sumps are designed to capture specific leaks. As such they provide risk reduction for only a limited range of scenarios. Risk reduction credit can be given for secondary containment proportional to the size of the effective area it protects. Using this approach in one recent application, the credit was capped at a maximum of 90%, regardless of the mathematical results, as shown in Table 13.9.

V. Modeling ideas l Dow Chemical Company's Fire and Explosion Index [26] is a well-regarded loss estimation system for process plants. It is an indexing type assessment used for estimating the damage that would probably result from an incident in a chemical process plant. The F&EI system is not designed for public safety evaluations or environmental risk assessments, but provides some useful concepts that can be used in such assessments. The process plant incidents addressed in this evaluation include 9 9 9 9

A blast wave or deflagration Fire exposure Missile impact Other releases as secondary events.

The secondary events become more significant as the type and storage amounts of other hazardous materials increase. The F&EI is directly related to the area of exposure. In performing F&EI calculations, the nature of the threat is assessed by examining three components: a material safety

Table 13.8 Secondary containment sample adjustment factors

Condition Impervious liner Semipervious liner No immediate fill indication No overflowalarms Additional equipment exposed to spilled product

Adjustmentfactor (%) 15 40 5 5 10

13/276 Stations and Surface Facilities Table 13.9 Secondarycontainment sample credit

Type of secondary containment

Facility coverage (%)

Adjustments

Spill size reduction (%)

125% facility containment (containment holds 25% more volume than tank volume); impervious dike for single tank

100

15 impervious liner

125 - 25 = 100 90% cap applies

Double-walled tank; with alarms 100% facility containment; impervious dike; alarms 75% facility containment; impervious dike; alarms 100% facility containment; semipervious dike, shared with other tanks

100 100 75

10 no fill or overflow alarms 15 15 15

100-15= 85 100-15 = 85 75 -15 = 60

Pump sump, 50% of facility volume Pump seal vessel, leak detection alarm via SCADA, effective surface area ratio = 100/1000 ft2 None

50

40liner 10 additional exposures 10 no alarms 10+10

10% of effective 0

NA

100

factor, general process hazards, and special process hazards. A material safety factor is first calculated as a measure of the "intrinsic rate of potential energy release from fire or explosion produced by combustion or other chemical reaction." It uses the same NFPA factors for flammability (Nf) and reactivity (Nr) , which are used in the relative risk model and described in Chapter 7. The general process hazards are aspects thought to play a significant role in the potential magnitude of a loss. General Process Hazards 9 Exothermic chemical reactions. 9 Endothermicprocesses. 9 Materials handling and transfer. Adds risk factors for loading, unloading, and warehousing of materials. 9 Enclosed or indoor process units. Adds risk factors for enclosed or partially enclosed processes since the lack of free ventilation can increase damage potential. Credit for effective mechanical ventilation is provided. 9 Access. Consideration is given to ease of access to the process unit by emergency equipment. 9 Drainage and spill control. Adds risk factors for situations where large spills could be contained around process equipment instead of being safely drained away. This factor requires calculation of process capacity and containment capacity. For highly volatile materials such as those considered in this study, this factor is not significant. The special process hazards are thought to play a significant role in the probability of a loss.

Special Process Hazards 9 Toxic materials. Insofar as toxic materials can complicate an emergency response, their presence, based on the NFPA N h factor, is considered here. 9 Subatmospheric pressure. Adds risk factors when the introduction of air into a process is a hazard possibility. 9 Operation in/nearflammable range. Adds risk factors when air can be introduced into the process to create a mixture in a flammable range. Considers the ease with which the flammable mixture is achieved.

100 - 60 = 40 50-20=30 10 0

9 Dustexplosion. 9 Relief pressure. Adds risk factors dependent on the pressure level of the process. Equipment maintenance and design become more critical at elevated pressures, because spill potential greatly increases in such a situation. 9 Low temperature. Adds risk factors when temperaturerelated brittleness of materials is a potential concem. 9 Quantity offlammable materials. Adds risk factors based on the quantities of materials in the process, in storage outside the process area, and combustible solids in the process. 9 Corrosion and erosion. Considers the corrosion rate as the sum of external and internal corrosion. 9 Leakage. Adds risk factors where minor leaks around joints, packing, glands, etc., can present an increased hazard. Considers thermal cycling as a factor. 9 Use offired heaters. Historically problematic equipment. 9 Hot oil exchange systems. Historically problematic equipment. 9 Hot rotating equipment. Historically problematic equipment. Adds risk factors for rotating equipment, contingent on the horsepower. The general process and special process hazards are combined with the material safetyfactorto generate the F&EI score. The F&EI score can then be used to estimate hazard areas and magnitudes of loss. In making such estimates, the evaluator takes credit for any plant features that would reasonably be expected to reduce the loss. Loss reduction can be accomplished by either reducing or controlling the potential consequences. These loss control credit factors are selected based on the contribution they are thought to actually make in a loss episode. The three categories of loss control credit factors are (1) process control, (2) material isolation, and (3) fire protection. In Table 13.10, the items evaluated within each category are listed along with some possible "credit percentages" that could be used to reduce the potential loss amount. This table suggests that these factors, if all applied together, can reduce the maximum probable damage by a large amount. The loss control credit factors do not impact the F&EI score. They only impact the estimated losses arising from an episode.

Modeling ideas II 13/277 Table 13.10 Maximumprobable property damage reduction factors

Propertydamagereductionfactors

Creditmultiplier

shown below. This shows factors, called risk drivers, that were determined to be critical risk indicators. The relative weightings of the probability and consequence categories are also shown.

Process Control Factors

Emergency power Cooling Explosion control Emergency shutdown Computer control Inert gas Operating instructions/procedures Reactive chemical review (can substitute "risk management program") TOTALimpact of process control factors

0.98 0.97 0.84 0.96 0.94 0.91 0.91 0.91 54%

Material Isolation

Remote control valves Dump/blowdown Drainage Interlock TOTALimpact of material isolation factors

0.96 0.96 0.91 0.98 82%

Fire Protection

Leak detection Structural steel Buried and double-walledtanks Water supply Special systems Sprinkler systems Water curtains Foam Hand extinguishers Cable protection TOTAL impact of fire protection factors

0.94 0.95 0.84 0.94 0.91 0.74 0.97 0.92 0.95 0.94 38%

[0.27Peq + 0.22Pdd+ 0.19P,,l,~+ 0.15Pnc + 0.17P3,,] x [0.4Cip + 0Cenv+ v~ = total station riskr 0.6Cbus] where: Peq = Probability of an equipment-related event Pdd Probability of a design deficiency-related event pie = Probability of a pipeline contamination-related event nc = Probability of an event related to natural causes 3p = Probability of damage by a third party lp = Consequence to life or property env = Consequence to the environment Cbus = Consequence to business. =

This algorithm contains weightings for both probability and consequence factors. For instance, the designer shows that "natural causes" constitutes 15% of the total probability of failure and 60% of potential consequences are business related. Environmental consequences are assigned a 0 weighting. The failure probability categories are comprised of factors as follows:

Equipment issues

A failure due to the malfunction of a piece of station equipment.

Risk Drivers Obsolete equipment Antiquated equipment Equipment complexity.

Design deficiencies Using the maximum credit for every item would reduce the loss to 17% of an uncredited amount (an 83% reduction in potential damages). Of course, to achieve the maximum credit, many expensive systems would need to be installed, including foam systems, water curtains, leak detection, dump/blowdowns, and double-walled tanks. The loss control credits, as originally intended, do not account for secondary containment. The loss control variables shown here are generally applied to spill volumes that have escaped both primary and secondary containment. They can also be applied when they minimize the product hazard during secondary containment (before cleanup). Table 13.10 is for illustration of the approach only. The evaluator would need to define the parameters under which credit could be awarded for each of these. The percentage loss reduction may not be appropriate in all cases. Within station limits, the drainage of spills away from other equipment is important. A slope of at least 2% (1% on hard surfaces) to a safe impoundment area of sufficient volume is seen as adequate. Details regarding other factors can be found in Ref. [26].

Vl. Modeling ideas II Another possible scoring algorithm that has been recommended by an operator of natural gas station facilities is

A failure due to a deficiency in design. The deficiency is either a result of improper design or changes in the operation of the station after construction.

Risk Drivers Improper capacity Velocity > 100 fps Adequacy of filtration Control loops. Equipment separation Vaults and lids Valves Venting Manufacturer flaws.

Pipeline contaminants

A failure caused by contaminants in

the gas stream.

Risk Drivers Pipeline liquids Construction debris Rust scale and sand Valve grease Bacteria (internal corrosion)

Employee safety. An injury or accident involving an employee. Note that this factor is not used in the preceding algorithm.

13/278 Stations and Surface Facilities Table 13.11 Design/materials algorithm variables

Risk Drivers

i

Neighborhood Ergonomics (workspace, equipment access) Exposure to hazard (confined space, traffic, environmental exposure).

Natural causes

A failure caused by the forces of nature.

Atm-Corr

Soil-Side-Corr

Risk Drivers Earthquake Landslide Stream erosion Floods Groundwater Atmospheric corrosion Fire.

Internal-Corr

Design

Damage by a third party third parties.

A failure caused by damage from

Risk Drivers Traffic hazard Railway hazard Vandalism AC electric impacts. Human-Error

Operator error A failure due to operator error. Note that this factor is not used in the preceding algorithm. Risk Drivers Equipment tagging Station drawings Clearance procedures Maintenance instructions Employee competence Incident record Quality of response plans. It appears that this algorithm was designed for future expansion. Several variables are identified, included as 'place-holders' in the model, but not yet used in the risk calculations.

VII. Modeling ideas III Here we look at another example of an assessment system for probability of failure within station facilities. In this scheme, higher points mean higher risk, and scores assigned to variables are summed to get category weights. The scoring protocols were unfinished in this example, so weightings do not always sum to 100%. Some variables are left in their abbreviated form, but their meanings should be apparent to the reader experienced with pipeline station facilities.

Design and materials algorithm variables Table 13.11 lists the design and materials algorithm variables. Examples of scoring scales for some of these variables are then provided. Examples of some variable scoring scales for the variables in Table 13.11 are provided next.

Outside-Force

Atm-Corrosion-Control-Program Arm-CoatingAdequacy CorrosiveAtmosphericConditions Facility-Age Soil-Agressive Corr-Hot-Spot Coating CP-Syst-Perform NDE-Metal-Loss-Insp Facility-Age Internal-Corr-Control-Prog Product-Corr Internal-Coating Internal-CP NDE-Metal-Loss-Insp Static-LiquidConditons Safety-Syst-Adequ-Review Safety-Syst-PPM Material-Cyclic-Stress Pressure-Test-Stress Pressure-Test-Year Vibration Monitoring Safety-SystemExceedance Safety-Syst-Actions Housekeeping Anti-Freeze-Program SCADA-System Documentation-Prog Critical-Equip-Security Computer-Permissives Security-Detection-Systems Lighting-Systems Protective-Barriers Severe-Weather Ground-Movements Traffic-Damage Station-Activity-Level

40% 30% 30% 10% 15% 20% 25% 30% adj 10% 25% 20% 15% 10% adj 20% 15% 15% 10% 10% 10% 10% 15% 15% 10% 10% 20% 20% 20% 20% 15% 5% 20% 15% 15% 15% 15%

Material susceptibility [Material Operating Stress]-- Evaluation of various in-service material stress levels by comparing the maximum operating pressure (MOP) to maximum design pressure (MDP). Expressed as a percentage: (MOP/MDP* 100%). 0.0 pts [Not Applicable] 2.0 pts [MOP <24% of SMYS]--Low operating stress level 4.0 pts [MOP 24% to 48% of SMYS]--Moderate operating stress level 6.0 pts [MOP 48% to 72% of SMYS]--High operating stress level 10.0 pts [MOP >72% of SMYS]--Very high operating stress level 5.0 pts [Unknown Operating Stress]

[MaterialDuctility]-- Evaluation of various in-service material's ductile properties. 0.0 pts [Not Applicable] 2.0 pts [High Ductility]--Material ductility is >32 ft-lb 4.0 pts [Moderate Ductility]--Material ductility is 10-32 ft-lb

Modeling ideas III 13/279

10.0 pts [Low Ductility]--Material is < 10 ft-lb 5.0 pts [Unknown Ductility]

[Material Cyclic Stress]-- Evaluation of various in-service material's frequency, duration, and level and location of cyclic stresses, including severe pump starts/stops, pressure cycles, fill cycles, traffic loadings, etc. 0.0 pts [Not Applicable] 2.0 pts [Low Cyclic Stress]--Material is subjected to low cycle frequency (number of events/time), short cycle duration (time), low cycle magnitude (condition change amount), and/or distant proximity from source (feet) 4.0 pts [Moderate Cyclic Stress]mMaterial is subjected to moderate cycle frequency, moderate cycle duration, moderate cycle magnitude and/or moderate proximity from source 10.0 pts [High Cyclic Stress]--Material is subjected to high cycle frequency, long cycle duration, high cycle magnitude, and/or proximity from source 5.0 pts [Unknown Cyclic Stress]

[Material Vibration]-- Evaluation of various in-service equipment/material's frequency, duration, level and location of vibration stresses from various sources, including pumps, rotating equipment, wind, throttling valves, surges, temperature changes, ground movements, traffic, etc. 0.0 pts [Not Applicable] 2.0 pts [Low Vibration Stress]mMaterial is subjected to low vibration frequency (# events/time), short vibration duration (time), low vibration magnitude (condition change amount) and/or distant proximity from vibration source (feet). 4.0 pts [Moderate Vibration Stress]--Material is subjected to moderate vibration frequency, moderate vibration duration, moderate vibration magnitude and/or moderate proximity from vibration source. 10.0 pts [High Vibration Stress]--Material is subjected to high vibration frequency, long vibration duration, high vibration magnitude and/or close proximity from vibration source. 5.0 pts [Unknown Vibration Stress]

[Pressure Test Stress]-- Evaluation of pipe, vessel and component pressure test levels by comparing the minimum test pressure (MTP) and SMYS. Expressed as a percentage: (MTP / SMYS * 100%). 0.0 pts [Not Applicable] 2.0 pts [MTP > 100% SMYS]--High test pressure level 5.0 pts [MTP 80% to100% SMYS]--Moderate test pressure level 10.0 pts [MTP <80% SMYS]--Low test pressure level 5.0 pts [Unknown Test Stress]

[Pressure TestAge]-- Evaluation of pipe, vessel, and component pressure test ages by recording the time since the last appropriate facility test. 0.0 pts [Not Applicable] 2.0 pts [< 5 Yrs Old] 10.0 pts [>5 Yrs Old] 5.0 pts [Unknown Test]

[Vibration Monitoring]-- Monitoring of in-service equipment/material's frequency, duration, and level and location of vibration stresses from various sources, including pumps, rotating equipment, wind, throttling valves, surges, temperature changes, ground movements, traffic, etc. 0.0 pts [Not Applicable] 2.0 pts [No Vibration Monitoring Needed]mEquipment/mate rial is subjected to low or no vibration so does not require monitoring 4.0pts [Continuous Vibration Monitoring w/Shutdown]Equipment/material is monitored for vibration frequency, vibration duration, and vibration magnitude and/or proximity from vibration source, which shuts down equipment on vibration limit exceedence 6.0pts [Continuous Vibration Monitoring w/Alarm]Equipment/material is monitored for vibration frequency, vibration duration, and vibration magnitude and/or proximity from vibration source which alarms locally/remotely on vibration limit exceedence. 8.0 pts [Manual Vibration Monitoring]--Equipment/material is monitored for vibration frequency, vibration duration, and vibration magnitude and/or proximity from vibration source manually on a periodic basis (less than one time per year) 10.0 pts [No Vibration Monitoring]--Equipment/material is not monitored for vibration 5.0 pts [Unknown Vibration Monitoring]

[Safety Systems Exceedence Overstress Potential]m Evaluation of the potential to exceed any level, pressure, temperature, or flow safe operating limits based on maximum system operating conditions, equipment design limits, and safety system limitations 0.0pts [No Exceedence Potential or Not Applicable]-Maximum system operating conditions cannot exceed equipment design or safety system limits 2.0 pts [Low Exceedence Potential]--Maximum system operating conditions occasionally exceed equipment safety system limits but not design limits 4.0 pts [Moderate Exceedence Potential]--Maximum system operating conditions routinely exceed equipment safety system limits but not design limits 10.0pts [High Exceedence Potential]--Maximum system operating conditions routinely exceed equipment design limits and safety system limits 5.0 pts [Unknown Exceedence Potential]

[Safety Systems Actions]-- Evaluation of the various actions that initiate, or are initiated by, station safety systems involving changing level, flow, temperature, and pressure conditions. 0.0 pts [Not Applicable] 2.0 pts [Automatic Equipment/Station Shutdown]-Condition-sensing device or permissive limit exceedences automatically initiate a full, or partial, shutdown of affected station equipment, with an alarm to remote/local personnel 4.0 pts [Remote Equipment/Station Shutdown]--Conditionsensing device or permissive limit exceedences alarm at a continuously manned location and requires operators to

13/280 Stations and Surface Facilities

evaluate the conditions and remotely initiate a full, or partial, shutdown of affected station equipment 6.0 pts [Remote Monitoring Only]---Condition-sensing device or permissive limit exceedences alarm at a continuously manned location and requires operators to evaluate the conditions and on-site manually initiate a full, or partial, shutdown of affected station equipment 8.0 pts [Local Alarms Only]---Condition-sensing device or permissive limit exceedences alarm at a noncontinuously manned location and requires operators to evaluate the conditions and on-site manually initiate a full, or partial, shutdown of affected station equipment 10.0 pts [No Safety Systems]--No safety systems present, including condition sensing, permissives, alarms, or other devices 5.0 pts [Unknown Safety Systems]

Human error algorithm variables

[Safety Systems Adequacy Review Program]-- Evaluation of the adequacy of various station safety systems, including associated sensing, measurement, and control devices

[Anti-FreezeProgram]m Evaluation of antifreeze program for all facilities, including water drains, control valves, instrumentation.

0.0 pts [Not Applicable] 1.0 pts [Excellent Adequacy Review Program]~A formal program exists that exceeds all company and industry minimum recommended or required safety system design and "adequacy for service" review practices 4.0 pts [Adequate Adequacy Review Program]NA semiformal program exists that meets all company and industry minimum recommended or required safety system design and "adequacy for service" review practices 8.0 pts [Inadequate Adequacy Review Program]--An informal program exists that does not meet all company and industry minimum recommended or required safety system design and "adequacy for service" review practices 10.0 pts [No Adequacy Review Program]--No known program exists and few company and industry minimum recommended or required safety system design and "adequacy for service" review practices are met 5.0 pts [Unknown Adequacy Review]

0.0 pts [Not Applicable] 1.0 pts [Excellent Anti-Freeze Program]--A formal program exists that exceeds all company and industry minimum recommended or required antifreeze practices 3.0 pts [Adequate Anti-Freeze Program]~A semiformal program exists that meets all company and industry minimum recommended or required antifreeze practices 8.0pts [Inadequate Anti-Freeze Program]uAn informal program exists that does not meet all company and industry minimum recommended or required antifreeze practices 10.0 pts [No Anti-Freeze Program]--No known program exists and few company and industry minimum recommended or required antifreeze practices are met 5.0 pts [Unknown Anti-Freeze Program]

[Safety Systems PPM]-- Evaluation of various station safety system's "predictive and preventative maintenance" (PPM) programs, including equipment/component inspections, monitoring, cleaning, testing, calibration, measurements, repair, modifications and replacements. 0.0 pts [Not Applicable] 1.0 pts [Excellent PPM Program]~A formal program exists which exceeds all company and industry minimum recommended or required PPM practices. 4.0 pts [Adequate PPM Program]--A semi-formal program exists which meets all company and industry minimum recommended or required PPM practices. 8.0 pts [Inadequate PPM Program]--An informal program exists which does not meet all company and industry minimum recommended or required PPM practices. 10.0 pts [No PPM Program]--No known program exists and few company and industry minimum recommended or required PPM practices are met. 5.0 pts [Unknown PPM Program]

[Housekeeping]-- Evaluation of facility equipment/materials organization and overall maintenance. 0.0 pts [Not Applicable] 1.0 pts [Excellent Housekeeping]--All equipment and materials are well marked, accessible, maintained, and exceed industry and company best practices 3.0 pts [Adequate Housekeeping]~All equipment and materials are marked, accessible, and maintained per industry and company best practices 10.0 pts [Inadequate Housekeeping]--Equipment and materials are not well marked, accessible, and/or maintained per industry and company best practices 5.0 pts [Unknown Housekeeping]

[Computer PermissivesProgram]-- Evaluation of a computer permissives program for all facilities, including PLC, PLCC, SCADA, and other logic-based application programs. Permissive programs that control safe operations of valve alignments, pressures, flows, and temperatures are considered. 0.0 pts [Not Applicable] 1.0 pts [Excellent Permissives Program]--A comprehensive computer-based program exists that exceeds all company and industry minimum recommended or required permissive practices 3.0 pts [Adequate Permissives Program]--A semiformal computer-based program exists that meets all company and industry minimum recommended or required permissive practices 8.0 pts [Inadequate Permissives Program]--An informal computer-based program exists that does not meet all company and industry minimum recommended or required permissive practices 10.0 pts [No Permissives Program]--No known computerbased program exists and few company and industry minimum recommended or required permissive practices are met 5.0 pts [Unknown Permissives Program]

Modeling ideas III 13/281

[SCADA System]-- Evaluation of a centralized SCADA system for all facilities, including RTU, PLC, PLCC-based application programs, conditions monitoring, remote control capabilities, automatic alarms/shutdown capabilities, protocols and communication systems. 0.0 pts [Not Applicable] 1.0pts [Excellent SCADA System]--A comprehensive SCADA system exists that exceeds all company and industry minimum recommended or required system monitoring and control practices 3.0 pts [Adequate SCADA System]--A semiformal SCADA system exists that meets all company and industry minimum recommended or required system monitoring and control practices 8.0 pts [Inadequate SCADA System]--An informal SCADA system exists that does not meet all company and industry minimum recommended or required system monitoring and control practices 10.0 pts [No SCADA System]~No known SCADA system exists and few company and industry minimum recommended or required system monitoring and control practices are met 5.0 pts [Unknown SCADA System]

[Documentation Program]-- Evaluation of various forms of documenting current facility conditions and activities, including maps, drawings, records, electronic data, etc. 0.0 pts [Not Applicable] 1.0 pts [Excellent Documentation Program]--A formal program exists that exceeds all company and industry minimum recommended or required documentation practices 3.0 pts [Adequate Documentation Program]--A semiformal program exists that meets all company and industry minimum recommended or required documentation practices 8.0 pts [Inadequate Documentation Program]--An informal program exists that does not meet all company and industry minimum recommended or required documentation practices 10.0 pts [No Documentation Program]mNo known program exists and few company and industry minimum recommended or required documentation practices are met 5.0 pts [Unknown Documentation Program]

[ProceduresProgram]-- Evaluation of the types, overall condition, adequacy, and appropriateness of various operations, maintenance, engineering, construction, testing and management procedures. 0.0 pts [Not Applicable] 1.0 pts [Excellent Procedures Program]--A formal program exists that exceeds all company and industry minimum recomrnended or required procedure best practices 3.0 pts [Adequate Procedures Program]--A semiformal program exists that meets all company and industry minimum recommended or required procedure best practices 8.0 pts [Inadequate Procedures Program]--An informal program exists that does not meet all company and industry minimum recommended or required procedure best practices

10.0 pts [No Procedures Program]--No known program exists and few company and industry minimum recommended or required procedure best practices are met 5.0 pts [Unknown Procedures Program]

[PersonnelQualificationsProgram]-- Evaluation of the types of training and testing methods, overall effectiveness, adequacy, and appropriateness of operations, maintenance, engineering, construction, testing and management personnel's qualification for performing position requirements. 0.0 pts [Not Applicable] 1.0 pts [Excellent Qualifications Program]--A formal program exists that exceeds all company and industry minimum recommended or required personnel qualification best practices 3.0pts [Adequate Qualifications Program]--A semiformal program exists that meets all company and industry minimum recommended or required personnel qualification best practices 8.0pts [Inadequate Qualifications Program]--An informal program exists that does not meet all company and industry minimum recommended or required personnel qualification best practices 10.0pts [No Qualifications Program]--No known program exists and few company and industry minimum recommended or required personnel qualification best practices are met 5.0 pts [Unknown Qualifications Program]

[PositionAnalysis]-- Evaluation of the analysis that went into defining position responsibilities, tasks, authority, communications, training and testing levels, safety, etc. Includes maintenance, engineering, construction, testing, and management positions. 0.0 pts [Not Applicable] 1.0 pts [Excellent Position Analysis]--A formal analysis exists that exceeds all company and industry minimum recommended or required position analysis best practices. 3.0 pts [Adequate Position Analysis]--A semiformal analysis exists that meets all company and industry minimum recommended or required position analysis best practices 8.0 pts [Inadequate Position Analysis]--A informal analysis exists that does not meet all company and industry minimum recommended or required position analysis best practices 10.0 pts [No Position Analysis]--No known analysis exists and few company and industry minimum recommended or required position analysis best practices are met. 5.0 pts [Unknown Position Analysis]

[HazardAnalyses]-- Evaluation of the historical hazard analyses conducted for station facilities, including HAZOP, "what-if" scenarios, fault trees, and relative risk assessment, as part of failure investigations or an overall company risk management program. Analyses should be appropriate, comprehensive, and recent, with follow-up of risk reduction recommendations. 0.0 pts [Not Applicable] 1.0 pts [Excellent Hazard Analyses]--Formal analyses exists that exceed all company and industry minimum recommended or required hazard analysis best practices

13/282 Stations and Surface Facilities

3.0 pts [Adequate Hazard Analyses]--Semiformal analyses exists that meet all company and industry minimum recommended or required hazard analysis best practices 8.0pts [Inadequate Hazard Analyses]~Informal analyses exists that do not meet all company and industry minimum recommended or required hazard analysis best practices 10.0 pts [No Hazard Analyses]~No known analyses exist and few company and industry minimum recommended or required hazard analysis best practices are met 5.0 pts [Unknown Hazard Analyses]

{Critical Equipment Security]-- Evaluation of security for critical or key facility equipment and systems access, including building locks, locks, keys, chains, protocols, etc. 0.0 pts [Not Applicable] 1.0 pts [Excellent Equipment Security]--All critical equipment is well secured, marked, and maintained in a manner exceeding industry and company best practices (or is not needed) 3.0 pts [Adequate Equipment Security]~All critical equipment is secured, marked, and maintained to meet industry and company best practices 10.0 pts [Inadequate Equipment Security]--Equipment and materials are not well secured, marked, and/or maintained to meet industry and company best practices 5.0 pts [Unknown Equipment Security]

Outside force algorithm variables

Site Security Mitigation [Security Detection Systems]-- Evaluation of various station security detection systems and equipment, including gas/flame detectors, motion detectors, audio/video surveillance, etc. Security system appropriateness, adequacy for service conditions, coverage completeness, and PPM are evaluated. 0.0 pts [Not Applicable] 1.0 pts [Excellent Security Detection Systems]~Systems are very effective and exceed industry and company required or recommended security detection systems best practices (or are not needed) 3.0 pts [Adequate Security Detection Systems]~Systems are effective and meet industry and company required or recommended security detection systems best practices 8.0 pts [Inadequate Security Detection Systems]~Systems are not effective and do not meet industry and company required or recommended security detection systems best practices 10.0 pts [No Security Detection Systems]--No systems exist 5.0 pts [Unknown Security Detection Systems]

[Lighting Systems]-- Evaluation of various station lighting systems, including security and perimeter systems and equipment and working areas. System appropriateness, adequacy for service conditions, coverage completeness, and PPM are evaluated. 0.0 pts [Not Applicable] 1.0 pts [Excellent Lighting System]--System is very effective and exceeds industry and company required or recommended lighting system best practices (or are not needed)

3.0 pts [Adequate Lighting System]--System is effective and meets industry and company required or recommended lighting system best practices 8.0 pts [Inadequate Lighting System]mSystem is not effective and does not meet industry and company required or recommended lighting system best practices 10.0 pts [No Lighting System]wNo system exists 5.0 pts [Unknown Lighting System]

[Protective Barriers]-- Evaluation of various station thirdparty and vehicle access barriers, including railings, 6-ft chainlink fence, barbed wire, walls, ditches, chains, and locks. Barrier appropriateness, adequacy for conditions, strength, coverage completeness, and PPM are evaluated. 0.0 pts [Not Applicable] 1.0pts [Excellent Protective Barriers]--Barriers are very effective and exceed industry and company required or recommended best practices (or are not necessary) 3.0 pts [Adequate Protective Barriers]~Barriers are effective and meet industry and company required or recommended best practices 8.0pts [Inadequate Protective Barriers]wBarriers are not effective and do not meet industry and company required or recommended best practices 10.0 pts [No Protective Barriers]mNo barriers exist 5.0 pts [Unknown Protective Barriers]

Outsideforce susceptibility [Severe Weather]-- Evaluation of various hazardous weather events, including extreme rainfall, floods, freezing, hail, ice, snow, lightning, and/or winds. The hazardous event potential is determined by historical frequency, severity, duration, and damage caused. 0.0 pts [Not Applicable] 2.0 pts [Low Severe Weather Potential]--Low potential of one or more severe weather events occurring during an average year with the potential to cause significant facility damage 5.0pts [Moderate Severe Weather Potential]--Moderate potential of one or more severe weather events occurring during an average year with the potential to cause significant facility damage 10.0 pts [High Severe Weather Potential]--High potential of one or more severe weather events occurring during an average year with the potential to cause significant facility damage 5.0 pts [Unknown Severe Weather Potential]

[Ground Movement]--Evaluation of various hazardous ground movement events, including severe earthquakes, erosion, washouts, expansive soil movement, frost heave, landslide, subsidence or blasting. The hazardous event potential is determined by historical frequency, severity, duration, and damage caused. 0.0 pts [Not Applicable] 2.0 pts [Low Ground Movement Potential]--Low potential of one or more severe ground movement events occurring during an average year with the potential to cause significant facility damage

Modeling ideas III 13/283

5.0 pts [Moderate Ground Movement Potential]--Moderate potential of one or more severe ground movement events occurring during an average year with the potential to cause significant facility damage 10.0 pts [High Ground Movement Potential]--High potential of one or more severe ground movement events occurring during an average year with the potential to cause significant facility damage 5.0 pts [Unknown Ground Movement Potential]

2.0pts [Mild Atmospheric Conditions]--Mild corrosive atmospheric conditions exist 6.0 pts [Moderate Atmospheric Conditions]--Moderate corrosive atmospheric conditions exist 10.0 pts [Severe Atmospheric Conditions]wSevere corrosive atmospheric conditions exist

External corrosion susceptibility [Facility Age]-- Evaluation of station facilities (pumps, pip-

~raffic Damage]-- Evaluation of various hazardous traffic events, including moving object congestion, frequency, duration, direction, mass, speed, and distance to facilities. The hazardous event potential is determined by historical accident frequency, severity and damage caused by cars, trucks, rail cars, vessels, and/or plane impacts from within and outside the station. 0.0 pts [Not Applicable] 2.0 pts [Low Traffic Damage Potential]--Low potential of one or more hazardous traffic events occurring during an average year with the potential to cause significant facility damage 5.0pts [Moderate Traffic Damage Potential]wModerate potential of one or more hazardous traffic events occurring during an average year with the potential to cause significant facility damage 10.0 pts [High Traffic Damage Potential]--High potential of one or more hazardous traffic events occurring during an average year with the potential to cause significant facility damage 5.0 pts [Unknown Traffic Damage Potential]

[Activity Level]-- Evaluation of the overall station activity levels, including the frequency and duration of in-station excavations, facility modifications, and vehicle traffic. Controlled access, third-party facilities present, and continuous work inspection are also evaluated. 0.0 pts [Not Applicable] 2.0 pts [Low Activity Level]--Annual (average of 1/yr) hazardous activities occur during an average year with the potential to cause significant facility damage 4.0 pts [Moderate Activity Level]~Monthly (average 1/month) hazardous activities occur during an average year with the potential to cause significant facility damage 7.0 pts [High Activity Level]~Weekly (average 1/wk) hazardous activities occur during an average year with the potential to cause significant facility damage 10.0 pts [Very High Activity Level]~Daily (average 1/day) hazardous activities occur during an average year with the potential to cause significant facility damage 5.0 pts [Unknown Activity Level]

Corrosion algorithm variables

Atmospheric corrosion susceptibility

ing, vessels, equipment, and components) ages by recording the last facility installation or replacement date. 0.0 pts [<1 yr]--Very recent test (last facility installed?) 2.0 pts [ 1-5 yrs] 6.0 pts [5-10 yrs] 8.0 pts [ 10-20 yrs] 8.0 pts [20-30 yrs] 5.0 pts [Unknown Age]

[Corrosive Ground Conditions]--Evaluation of various ground corrosivity conditions, including soil resistivity, chlorides, pH, temperature, moisture level changes, chemicals, transition zone, etc. 0.0 pts [No Ground Conditions]--No corrosive ground conditions exist 2.0 pts [Mild Ground Conditions]--Mild corrosive ground conditions exist 6.0 pts [Moderate Ground Conditions]--Moderate corrosive ground conditions exist 10.0pts [Severe Ground Conditions]--Severe corrosive ground conditions exist

[Corrosive "Hot Spot" Conditions]-- Evaluation of the presence and significance of CP interferences, including casings, bundled piping, foreign line crossings, interference crossings, DC/AC stray currents. 0.0 pts [No "Hot Spot" Conditions]--No structures or stray currents are present that could interfere with CP systems, or create a corrosion hot spot, causing significant buried metal loss 5.0 pts [Single "Hot Spot" Condition]--One type of structure or stray current is present that could interfere with CP systems, or create a corrosion hot spot, causing significant buried metal loss 10.0 pts [Multiple "Hot Spot" Conditions]--Multiple structures or stray currents are present that could interfere with CP systems, or create corrosion hot spots, causing significant buried metal loss

Internal corrosion susceptibility

atmospheric corrosivity conditions, including contaminants, temperature, moisture, chemicals, splash zones, etc.

[Static Liquids Condition]-- Evaluation of piping facilities where liquids are static, including piping dead-legs, pig traps and out-of-service equipment. Also evaluate frequency, duration, and product movements related to static conditions.

0.0 pts [No Atmospheric Conditions]--No corrosive atmospheric conditions exist

0.0 pts [No Static Conditions]--No corrosive static conditions exist

[Corrosive Atmospheric Conditions]-- Evaluation of various

13/284 Stations and Surface Facilities

2.0 pts [Mild Static Conditions]~Mild corrosive static conditions exist 6.0 pts [Moderate Ground Conditions]wModerate corrosive static conditions exist 10.0 pts [Severe Ground Conditions]--Severe corrosive static conditions exist

[Product Corrosivity]-- Evaluation of various product (crude oil and refined products) corrosivity conditions, including chlorides, pH, temperature, bacteria, moisture, dissolved gases (CO 2, 0 2, H2S), and contaminant levels. 0.0 pts [No Product Conditions]wNo corrosive product conditions exist 2.0 pts [Mild Product Conditions]--Mild corrosive product conditions exist 6.0 pts [Moderate Product Conditions]mModerate corrosive product conditions exist 10.0 pts [Severe Product Conditions]--Severe corrosive product conditions exist

Atmospheric corrosion mitigation [Atmospheric Corrosion Control Program]-- Evaluation of various atmospheric corrosion control, including coating appropriateness, adequacy for conditions, coverage completeness, installation, and PPM. Also includes API 653 inspection on tanks and hot-spot protection as part of the PPM program. 0.0 pts [Excellent Atmospheric Corrosion Program]--A formal program exists that exceeds all company and industry minimum recommended or required atmospheric corrosion control best practices 1.0 pts [Adequate Atmospheric Corrosion Program]mA semiformal program exists that meets all company and industry minimum recommended or required atmospheric corrosion control best practices 5.0 pts [Inadequate Atmospheric Corrosion Program]~An informal program exists that does not meet all company and industry minimum recommended or required atmospheric corrosion control best practices 10.0 pts [No Atmospheric Corrosion Program]--No known program exists and few company and industry minimum recommended or required atmospheric corrosion control best practices are met

External corrosion mitigation [Buried Metal CoatingAdequacy~Type?I-- Evaluation of various buffed metal coatings, including appropriateness, adequacy for conditions, coverage completeness, installation, and PPM. PPM includes AP1653 inspections and bellhole inspections. 0.0 pts [Excellent Buffed Metal Coating]---Coating exists that exceeds all company and industry minimum recommended or required external coating best practices [Excellent coatings typically include fusion bonded epoxy (FBE) types in good condition.] 2.0 pts [Adequate Buffed Metal Coating]--Coating exists that meets all company and industry minimum recommended or

required external coating best practices [Adequate coatings typically include somastic, asphaltic, coal tar, poly jacket, and tar/glass/felt (TGF) types in good condition.] 7.0 pts [Inadequate Buffed Metal Coating]--Coating exists that does not meet all company and industry minimum recommended or required external coating best practices [Inadequate coatings typically include any disbonded, improperly installed or damaged coating.] 10.0 pts [No Buffed Metal Coating]--No known coating exists and few company and industry minimum recommended or required external coating best practices are met. [No coatings typically exist on cartier pipe within a casing or old pipe.]

[Buried Metal Corrosion Control Program]-- Evaluation of various buffed metal corrosion control measures including program appropriateness and system adequacy for conditions, coverage completeness and PPM. PPM program includes API 653 inspection on tanks and hot-spot protection. 0.0 pts [Excellent Buffed Metal Corrosion Program]mA formal program exists that exceeds all company and industry minimum recommended or required buried metal corrosion control best practices 2.0 pts [Adequate Buffed Metal Corrosion Program]mA semiformal program exists that meets all company and industry minimum recommended or required buffed metal corrosion control best practices 7.0 pts [Inadequate Buried Metal Corrosion Program]--An informal program exists that does not meet all company and industry minimum recommended or required buffed metal corrosion control best practices 10.0 pts [No Buffed Metal Corrosion Program]--No known coating program exists and few company and industry minimum recommended or required buffed metal corrosion best practices are met

[CP System Performance]-- Evaluation of CP system effectiveness in controlling external corrosion based on CP performance criteria used, number and location of test points (coverage), frequency of test point readings, variance of readings from criteria, corrective actions and timeliness, data and activities documentation, system equipment PPM, etc. 0.0 pts [Excellent CP System]--An effective CP system exists that exceeds all company and industry minimum recommended or required buried metal corrosion control best practices 2.0 pts [Adequate CP System]--A CP system exists that meets all company and industry minimum recommended or required buried metal corrosion control best practices 7.0 pts [Inadequate CP System]--A CP system exists that does not meet all company and industry minimum recommended or required buffed metal corrosion control best practices 10.0 pts [No CP System]--No known CP system exists and few company and industry minimum recommended or required buried metal corrosion best practices are met

[CIS Performance]m Evaluation of the effectiveness of a close interval survey (CIS) for identifying CP system problems and external corrosion hot spots based on the CP performance

Modeling ideas III 13/285

criteria used, number and location of test points (coverage), frequency of test point readings, variance of readings from criteria, corrective actions and timeliness, data and activities documentation, equipment used and its PPM, etc. 0.0 pts [Excellent CIS Performance]--An effective CIS was conducted that exceeds all company and industry minimum recommended or required CIS corrosion control best practices 2.0 pts [Adequate CIS Performance]--A CIS was conducted that meets all company and industry minimum recommended or required CIS corrosion control best practices 7.0 pts [Inadequate CIS Performance]--A CIS was conducted that does not meet all company and industry minimum recommended or required CIS corrosion control best practices 10.0 pts [No CIS Conducted]~No known CIS was conducted and few company and industry minimum recommended or required CIS corrosion best practices are met

[NDE Performance]-- Evaluation of the effectiveness of a nondestructive examination (NDE) for identifying system metal loss problems and external corrosion hot spots based on the NDE performance criteria used, number and location of inspection points (coverage), frequency of inspection point readings, variance of readings from criteria, corrective actions and timeliness, data and activities documentation, equipment used and its PPM, etc. 0.0 pts [Excellent NDE Performance]--An effective NDE was conducted that exceeds all company and industry minimum recommended or required NDE corrosion control best practices 2.0 pts [Adequate NDE Performance]--A CIS was conducted that meets all company and industry minimum recommended or required NDE corrosion control best practices 7.0pts [Inadequate NDE Performance]--A CIS was conducted that does not meet all company and industry minimum recommended or required NDE corrosion control best practices 10.0 pts [No NDE Conducted]--No known NDE inspections were conducted and few company and industry minimum recommended or required NDE corrosion best practices are met

Internal corrosion mitigation [Internal CoatingAdequacy]-- Evaluation of various internal metal coatings, including coating appropriateness, adequacy for conditions, coverage completeness, installation, and PPM. 0.0 pts [Excellent Internal Metal Coating]--Coating exists that exceeds all company and industry minimum recommended or required internal coating best practices 2.0 pts [Adequate Internal Metal Coating]--Coating exists that meets all company and industry minimum recommended or required internal coating best practices 7.0 pts [Inadequate Internal Metal Coating]---Coating exists that does not meet all company and industry minimum recommended or required internal coating best practices 10.0pts [No Internal Metal Coating]~No known coating exists and few company and industry minimum recommended or required internal coating best practices are met

[Internal Corrosion Control Program]-- Evaluation of various intemal corrosion control measures including performance criteria appropriateness, inhibitor and metal loss measurement frequency and adequacy for conditions, inhibitor coverage completeness, and system installation and PPM. Also includes API 653 inspection on tanks and hot-spot protection as part of the PPM program. 0.0 pts [Excellent Internal Corrosion Program]--A formal program exists that exceeds all company and industry minimum recommended or required internal corrosion control best practices 2.0 pts [Adequate Internal Corrosion Program]--A semiformal program exists that meets all company and industry minimum recommended or required internal corrosion control best practices 7.0 pts [Inadequate Internal Corrosion Program]~An informal program exists that does not meet all company and industry minimum recommended or required internal corrosion control best practices 10.0 pts [No Internal Corrosion Program]--No known program exists and few company and industry minimum recommended or required internal corrosion best practices are met

[NDE Performance]-- Evaluation of the effectiveness of NDE for identifying system metal loss problems and internal corrosion hot spots based on the NDE performance criteria used, number and location of inspection points (coverage), frequency of inspection point readings, variance of readings from criteria, corrective actions and timeliness, data and activities documentation, equipment used and its PPM, etc. 0.0 pts [Excellent NDE Performance]--An effective NDE was conducted that exceeds all company and industry minimum recommended or required NDE corrosion control best practices 2.0 pts [Adequate NDE Performance]mA NDE was conducted that meets all company and industry minimum recommended or required NDE corrosion control best practices 7.0 pts [Inadequate NDE Performance]--A NDE was conducted that does not meet all company and industry minimum recommended or required NDE corrosion control best practices 10.0 pts [No NDE Conducted]--No known NDE inspections were conducted and few company and industry minimum recommended or required NDE corrosion best practices are met

[Tank Mixer Adequacy]-- Evaluation of tank mixers, including appropriateness and adequacy for conditions, effective coverage, and PPM. 0.0 pts [Excellent Mixing]--One or more mixers exist that exceed all company and industry minimum recommended or required tank mixing best practices (or mixers not needed) 2.0 pts [Adequate Mixing]--One or more mixers exist that meets all company and industry minimum recommended or required tank mixing best practices 7.0 pts [Inadequate Mixing]---One or more mixers exist that do not meet all company and industry minimum recommended or required mixing best practices 10.0 pts [No Mixers]--No known mixing is performed

13/286 Stations and Surface Facilities

IX. Example of risk management application

mode and determine that some resources should be allocated to certain risk reduction actions. Specifically, they want to reduce the risk of"human error" and "design issues" type failures on three tanks at the Metropolis Station (see Table 13.13). This will target "overfill" scenarios and other possible failures that involve aspects of human error and design issues. Operator AST Inc. drills deeper into their risk data to see why risks are greater for these tanks and to see where their risk mitigation efforts could be best applied. Because each failure category is comprised of many risk variables, they can retrieve those variables to see why the risk level is too high. They see that the risk variables listed in Table 13.14 are seen to be weak, relative to other tanks and company standards. Operator AST Inc. can view the risk components of likelihood and consequences separately. They see that there are more (and cheaper) possible actions to prevent---or reduce the likelihood of--an event compared with impacting the consequences. Most of their alternatives in better controlling an event after it occurs (consequence reducers) are very expensive. Some immediately rejected consequence-limiting actions include the following:

Tank farm operator AST Inc. has performed a basic risk assessment for all of their facilities. They now have risk scores for each station and for each tank within each station. They also have risk numbers for sumps, pumps, piping, loading/unloading facilities, and other equipment groupings. The risk scores represent all available information regarding the facility to which it applies. They are readily compared to a statistic or some measure of acceptability, as shown in Table 13.12 for a sample of their data from the Metropolis Station. The risk score is a summary number that can be broken into failure categories of external forces, corrosion, human error, and design issues as well as a "consequence-of- failure" value (Table 13.13). Risk score = (likelihood) x (consequence) Likelihood = P 1 + P2 + P3 + P4 and, for example, P2 = f{product corrosivity,atmospheric conditions, soil resistivity, moisture content, pipe-to-soil voltages, inspection procedures, liners, coatings, interference potential, inhibitors, anodes, etc. }

9 Changing product type (less flammable, less persistent in environment, lower energy content, less toxic, etc.) 9 Changing the receptors (move the station, move the nearby town, etc.).

AST Inc. has evaluated their data carefully. They determine which tanks pose the greatest risks, which tanks have the greater likelihood of failure, and which have the greater consequences, should failure occur. They analyze their data by failure Table 13.12

Summary of relative risk assessment results

Equipment tag

Risk score

Deviation from average (or "acceptable ") (%)

154 146 235

-14.0 -12.5 -28.1

Tank l01 Tank315 Tank655

Table 13.13

Breakdown of summary risk scores

Equipment tag

Tank l01 Tank315 Tank655

Table 13.14

Other consequence-reduction possibilities that are more practical include emergency response, increased leak detection capabilities, fire suppression systems, better secondary containment, and others. Whereas all options can be investigated, AST Inc. chooses to concentrate for now only on the secondary containment alternative for consequence reduction. Noting which risk variables are relatively weak also points directly to what corrective actions can be applied. From preestablished project lists and cost data, the operator assesses the costs of several mitigative actions. They compare these costs with the benefit--the risk reductionmpredicted by their model,

Risks Score

Likelihood

Consequence

P1---externalforces

P2-Corrosion

P3--Design issues

P4--Human error

154 146 235

77 76 49

2.0 1.9 4.8

22 21 14

19 24 17

25 22 16

11 9 2

Evaluation of risk variables

Risk variable

Consequence receptors (for Tank 655 only) Tank level alarms Staffing levels Personnel training Secondary containment

Deviation from average (or "acceptable "risk) (%)

-32 -8

-2 -4 -11

Notes

Higher risks due to proximity to population center, water intakes, and predicted rangeability of spill (flowing river nearby) HHA (high-high alarm) only alarms locally--panel light in office flashes Once per week visits currently No formal training for loaders--pamphlet only Dikes in need of repair, too permeable, not sufficient volume for large releases

Comparing pipelines and station 13/287

as shown in Table 13.15. From this table, a cost/benefit ratio is easily calculated. This ratio is used to help prioritize maintenance and capital expenditures for the next period. AST Inc. utilizes all of their lower cost (high cost/benefit ratio) options first. They do this with the confidence that their process is automatically compensating for risk reduction benef i t s - t h a t is, because all risk points are of the same magnitude, it makes sense to first exhaust the low-cost alternatives to improve risk. Then, the more expensive alternatives can be explored if risks are still seen as being unacceptable. This yields the greatest amount of benefits because resources are most efficiently utilized. AST Inc. decides to focus improvement efforts on Tank 655 first, given the higher risks (higher consequences) seen there. They further decide to budget additional resources toward improved secondary containment only for Tank 655. This partially offsets the higher receptor risk in that area. The other tanks, having lower risks, will have their secondary containment improvements prioritized among all alternative uses of resources. The projected impact on risk is demonstrated in Table 13.16. Note from Table 13.16 that AST Inc. controls both the risk level and the rate of change in this risk management process. They decide whether to systematically and slowly improve their entire tank population or rather to target identified hot spots for immediate improvements. (Note that the numbers used in this example merely provide the reader with a sense o f the methodology; they are not necessarily in correct proportion, mathematically correct, or representative o f actual data.)

X. Comparing pipelines and stations Operators often want to compare pipeline segments with stations or parts of stations--facilities within stations. This might

Table 13.15

be for reasons of project prioritization or to assist in design decisions such as pipeline loops versus more pump stations. The pipeline relative risk scores represent the relative level of risk that each point along the pipeline presents to its surroundings. The scores are usually insensitive to length. If two pipeline segments, 100 and 2600 ft, respectively, have the same risk score, then each point along the 100-ft segment presents the same risk as does each point along the 2600-fi length. Of course, the 2600-fi length presents more overall risk than does the 100-ft length because it has many more risk-producing points. A cumulative risk calculation as described in Chapter 14 adds the length aspect to a risk score so that a 100-ft length of pipeline with one risk score can be compared against a 2600-ft length with a different risk score. A direct and intuitive way to make comparisons with station facilities is to recognize that, just as with the pipeline risk scores, each point within the station (or station section, if several portions of a station are scored separately) presents a certain risk to its surroundings. To quantify the total risk introduced by the station, we can use the station's length and width summed together, just as we use the pipeline segment's length to get a cumulative risk score for the pipeline. So, a station that is 50 tt wide by 100 ft long has a risk score that applies to 150 ft. It has the same cumulative risk as a 150-ft-long pipeline with the same risk score, or as a pipeline segment that is 300 ft long with half the risk score, and so forth. With this simple approach, all station scores can be compared to pipeline segments using the cumulative risk relationship. Alternatively, the risk evaluator may choose to use a perimeter or 2 times the width + length as a better basis for comparison with pipeline ROW lengths. Where available, failure rates in stations and pipeline ROW respectively can be used to help establish a sizeequivalency relationship. This approach is consistent with the use of release volume calculations and implied hazard zones for releases. A station with

Cost-benefit analysis of risk mitigation

Project

Risk improvement (%)

Costa ($)

8 19 3 7 3 4 12 26 18

4K 21K 9K 16K 7K 18K 430K 620K 140K

Communicate HHA (tank level alarm) to central control room HHA to central control room plus automatic tank isolation valves Upgrade tank level gauge to laser model Increase station visits (with formal "rounds") by 5 hours per week Require orientation course for all station visitors Annual refresher training for employees Add impermeable liner to secondary containment Increase secondary containment volume by raising dike level Patch damaged dike areas

Notes

Replaces 12-yr-old mechanical model Improves several risk variables Improves "consequence" side of equation Improves "consequence" side of equation

,,

al0-yr NPV or equivalent calculation. Table 13.16 AST Inc.'s risk improvement plan

Risk scores Equipment tag Tank655 Tank l01 Tank315

Current

Next year plan

Five-yeartarget

235 154 146

178 151 130

140 130 130

Notes Projects 43C, 22, 16 next quarter; projects 18, 14D in subsequent years Project 22 next quarter; project 15 in 2 years Project 18, 22 next quarter; then maintain risk level

13/288 Stations and Surface Facilities

large stored volumes and/or a high density of complex equipment in a small area will have a cumulative risk score that suggests a more concentrated risk than one with a larger "footprint." A station blends different types of release points for modeling convenience--a release point on a tank shell is obviously different from a release point on a 4-in. pipe. The risk score only "knows" that there are release points within that station that present a certain level of risk, even if all possible release points are not equal, so worst case points will govern. If this is not acceptable, a different station segmenting strategy can be employed. Of course, this approach has many assumptions. It also allows for the possibility of sectioning strategies designed to present less risks. This may be possible by manipulation of section boundaries--geographic areas--around equipment with Table 13.17

varying release potentials in order to optimize the cumulative risk scores. Nevertheless, this approach can be a simple way to establish equivalencies among risk scores for different facility types, at least until more definitive relationships can be developed.

XI. Station risk variables Table 13.17 provides an extensive list of station risk variables that can be used to determine risk using the approaches outlined in this chapter. Note that these variables will vary in their impact on risk. The choice of risk variables in designing a risk assessment model is discussed elsewhere.

Station risk variables

aboveground coatings access (for emergency equipment) activity level/shared stations additive system pressure additive system volume adequacy of coating---external adequacy of coating--internal adequacy of procedures adequacy of training anticorrosion effectiveness--visual antifreeze actions taken area gas detectors area motion detectors area video/audio surveillance atmosphere moisture content atmosphere temperature atmospheric coating damage UM,freeze, ice, movements, etc. atmospheric corrosion hot spots atmospheric corrosion potential---overall atmospheric corrosive contaminants auto block valves availability of outside emergency responders average op pressures atmospheric corrosion control program traffic barrier effectiveness (strength/design) block valves booms, absorbants building design business loss to competition canned pumps check valves clean up costs cleanup equip/supplies availability company image damaged computer permissives computer permissives for critical procedures congestion construction phase error reductions construction year control room/SCADA protocols corrosion rates---external corrosion rates--internal cost of product cost of service interruption CP survey--CIS CP survey--coating CP survey--DCVG CP survey--metal-soil test lead

critical instruments program depth of cover design phase error reductions design verifications/checks design--use of extra heavy pipe and fittings diameter dike condition dike liner type dike volume dike wall materials dissimilar metals drainage and spill control dust generation earth movements--earthquake earth movements---erosion/washout earth movements---expansive soils earth movements--frost heave earth movements--landslide earth movements--monitoring earth movements--overall susceptibility earth movements--preventions earth movements--stress relief earth movements--subsidence earth movements--volcano electrical area classifications electrical cable protection electrical equipment areas--locks and fences electrical grounding electrical power lines in area electrical--static charges potential emergency drills emergency medical treatment emergency response capabilities, outside assistance emergency response capabilities, in-house emergency shutdown systems endangered species nearby engine mechanical alarms equipment profile (height/width total and ratio) facility lighting fatigue---high frequency, high stress fatigue--high frequency, low stress fatigue---low frequency, high stress fatigue--material susceptibility fences---6-tl chain link or equivalent fences--6+-ft chain link or equivalent fences---6-tt chain link plus barbed wire fines/penalties from regulatory agencies fire suppression systems---deluge/sprinklers

Station risk variables 13/289

fire suppression systems--auto/manual fire suppression systems---delivery rate/coverage fire suppression systems--foam system fire suppression systems--hand extinguishers, maintenance, records, marking fire suppression systems--hand extinguishers, number/location fire suppression systems--hand extinguishers, type fire suppression systemskmonitor guns fire suppression systems---overall effectiveness fire suppression systems--redundancy fire suppression systemsmvolume available fire suppression systemsmwater curtains flame arrestors flammable, combustible materials nearby flexible connections foundations fugitive emissions gaskets, joint seals, packing groundwater depth hazard identification program high-value areas nearby historic sites nearby housekeeping incident follow-ups incident history incident history (type, frequency, preventions) incident investigations increased regulatory oversight inert gas padding of flammable vapors In-line pipe inspection inspections for atmospheric corrosion inspections for buried metal corrosion inspections for internal corrosion Inspections, overall mspector qualifications interference corrosion potential--AC interference corrosion potential--buried metals interference corrosion potential---other stray currents interior vessel inspection---dye penetrant interior vessel inspection--ultrasound interior vessel inspection--visual key-lock sequencing for critical procedures known structural flaws language/comprehension issues leak detectionmacoustic/ultrasonic/infrared leak detection---coverage: additive systems leak detection---coverage: pump seals leak detection---coverage: racks leak detection--coverage: USTs leak detection--ground monitoring well leak detection--instrumented ground patrol leak detection--mass balance (station) leak detection--mass balance all mainlines leak detection--reaction time leak detection--realtime model leak detection--soil/vapor monitoring leak detection--visual length of dead-leg piping length of dead-leg piping--above ground length of dead-leg piping--buried liner effectiveness loading/unloading automation loading/unloading operations loading/unloading rack safety systems loading/unloading system complexity loading/unloading system pressure loading/unloading system volume loading/unloading--number of systems

locks maintenance program management of change protocols maps, records, drawings marking of critical equipment/instrumentation material strength material stress levels (MAOP vs. NOP) material toughness material transition temperature meteor events monitoring by station personnel nonfailure causes of service interruption number of additive systems number of ASTs number of loading/unloading systems number of USTs, sumps overpressure relief devices overpressure source strength/potential pathways to receptors (slopes, ravines, surface roughness, etc.) patrols--air (altitude, speed, observer, etc.) patrols--ground personal protective equipment personnel occupancy pipe joint count by type pipe joint type piping flange gasket type piping joints--butt weld piping joints--Dresser couplings piping j oints--flanges piping j oints--welded plpmg--coating piping--location, marking (subsurface) piping--protection from external force piping--seam design population density population type (commercial, residential, etc.) power backup systems pressure testing--stress levels pressure testing--time since last pressure testing--which facilities procedures---draining procedures----enforcement procedures--loading/unloading procedures--lock out/tag out procedures--number/complexity of actions during routine operations procedures---overall adequacy procedures--pump seal installation/maintenance procedures--pump start/stop procedures----qualification to procedures--review/testing frequencies procedures--training effectiveness procedures--use of checklists in field procedures--written content product CO2, H2S, content product contamination product corrosivity product flammability product gravity product MIC potential product moisture content product persistence product reactivity product temperature product toxicity product velocity / intermittent flows product viscosity Product--acute hazards Product--boiling point Continued

13/290 Stations and Surface Facilities

Table 13.17

Station risk variables---cont'd

Product--chemical additives used Product--chronic hazards Product--conductivity (dissolved solids) Product---contamination Product---densities Product--dissolved gases (CO 2, H2S, 02) ProductoH c (heat of combustion) Product--NFPA product ratings Product--pH Product--RQ ratings Product--suspended solids Product--type Product--vapor pressure public awareness--advertisement impact public awareness---door-to-door public awareness--mailouts public awareness--meet with local responders public awareness---overall effectiveness public awareness--public forums effectiveness public awareness--public officials meetings pump bearing temp shutdown pump criticality for product movement pump high flow shut down pump inspection frequency and effectiveness pump mechanical safety systems pump motor type pump overpressure shut down pump overvoltage, current shutdowns pump pressure/volume pump product temperature shutdown pump pulsation dampers pump seal flush lines pump seal leak potential pump seal secondary containment pump seal secondary seal pump type pump vibration monitoring rails--strong barriers against traffic rails--weak relief valves--design verifications restricted access provisions risk management program / PHA sabotage potential sabotage susceptibility sabotage--physical preventions sabotage--prior attacks or threats sabotage--regional instability sabotage--social preventions safety factors safety program safety systems--adequacy safety systems---calibration/maintenance safety systems--fail safe strategies safety systemsinspection/calibration/maintenance safety systems--levels of redundancy safety systems---ownership satellite imaging SCADA control SCADA monitoring SCC secondary containment security for critical equipment (locks, chains, etc.) security measures, miscellaneous shorelines/riverbanks nearby signs smoke detection

soil aggressiveness soil chlorides soil corrosivity soil MIC potential soil moisture content soil permeability soil pH soil sulfates soil type spark generation potential SRB induced corrosion--external SRB induced corrosion--internal station effective surface area station equipment count/sizes/hp/complexity stauon personnel monitoring frequency and duration station piping count/volume station size (area, volume) station staffing level station subsurface drain with skimmer--alarmed station subsurface drain with skimmer--monitored station--number of block valves station--number of buried mechanical connectors substance abuse program successwe reaction potential successive reactions--barriers successive reactions----overall susceptibility successive reactions--potential force successive reactions--probability successwe reactions--separation distances sump safety systems sumps--product retention time supervision of excavation sites surface runoffretention and analysis surge potential surge--preventions tank capacities tank condition (dents, buckling, level, thinning, etc.) tank design--AP1650, 653 tank design--bolted tank design--proper venting, AP1650 tank design--rivets tank design--roof supports tank design--vacuum collapse potential tank design--welded tank fill levels tank foundation--asphalt ring tank foundation---concrete pad tank foundation---concrete ring tank foundation--gravel tank foundation--sand tank mixer--fixed angle tank mixer--variable angle tank--age tank--AP1653 inspection tank--bottom external corrosion prevention tank--bottom inspection, floor scan tank--bottom inspection, mag, dye tank--bottom inspection, vacuum weld test tank--bottom inspection, visual tank--bottom liner age/condition tank--bottom liner design/installation tank--bottom liner type (thick or thin) tank--bottom wall thickness tank--bottom corrosion monitoring central point tank--bottom corrosion monitoring perimeter points tank---cracking inspections

Station risk variables 13/291

tank---cracking visual inspection tank---depth of water bottoms tank---diameter tank---double bottom tank---external liner type tank---external loads considered/documented tank--foundation condition tank--foundation inspection tank--foundation risk factors present tankmheight tank--inspection for external atmospheric corrosion tank--inspection frequencies tank--internal anode distribution tank--level alarm (H only) tank--level alarm actions--alarm only tank--level alarm actionsmstation shutdown tank--level alarm actionsmtank isolation tank--level alarm types tank--level alarms (H and HH) tank--level alarms test frequency tank--metal loss inspections tank--mixers (erosion-corrosion) tank--pressure tank--repair history tank--roof type, cone tank--roof type, internal floating tank--roof type, external floating tank--seam condition tank--settlement inspections/history tank--stairway fencing and locks tank--turnover frequency/fill cycles tank--under-tank monitor tank--visuals external inspection tank--visuals external inspection frequency tank--volume tank--wall inspection for internal corrosion tank--wall temperature > 60~ tank--wall thickness > 0.5 in.

thermal relief devices thermal relief valves--inspection/maintenance torque specs/torque inspections traffic exposures--air/marine traffic exposures--ground, outside station traffic exposures---overall susceptibility traffic exposures--preventions traffic exposures--ground, within station traffic patterns/routing/flow training--completeness of subject matter training--job needs analysis training--testing, certification, and retesting use of colors/signs/locks/"idiot-proofing" use of temporary workers UST--material of construction UST pressure UST volume UST--number of independent walls vacuum truck(s) vessel level safety systems vibration vibration: antivibration actions wall thickness walls < 6 tt high walls > 6 ft high water bodies nearby water body type (river, stream, creek, lake, etc.) water intakes nearby weather events--floods weather events--freeze weather events--hail/ice/snow loading weather events--lightning weather events--potential weather events--windstorm wetlands nearby workplace ergonomics workplace human stress environment