PHMSA Gas Integrity Management Protocols
Explanation of Protocol Format
Each protocol element will have top-tier protocols that address the high-level requirements. The regulatory requirement upon which the protocol is based is contained in brackets; e.g., [§192.905(a)].
Each top-tier protocol will have detailed "sub-tier" protocols which collectively lead the inspector to draw overall conclusions about compliance with the top-tier protocol. The regulatory requirement upon which each sub-tier protocol is based is also contained in brackets.
Notes on protocols:
- The typical sentence structure used in the protocols follows the form of "Verify that [describe the requirement]." The use and meaning of the term "verify" is expanded upon below.
- PHMSA will "verify" an operator's compliance status with respect to each requirement. In order to perform this verification, PHMSA will inspect the operator's documented processes and procedures in order to determine if a program has been established that complies with rule requirements. In addition, PHMSA will inspect an operator's implementation records to determine if the operator is effectively implementing its programs and processes. The purpose of the PHMSA verification/inspection is not to perform a quality check of every integrity-related activity. The PHMSA inspection is conducted in the form of an audit. As a result, the PHMSA inspection will typically perform an inspection of selected operator records sufficient in breadth and depth to give the inspection team adequate understanding regarding the degree of an operator's commitment to compliance with applicable requirements and/or the degree to which the operator's program has been effective with respect to achieving compliance. PHMSA may use any number of inspection or audit techniques to identify potential compliance issues. Program documents may be inspected to determine if adequate processes have been developed and documented to the degree necessary for competent professionals to understand and effectively implement the process with results that are consistent and repeatable. For example, one technique that might be used by the inspection team is a "vertical slice" in which a specific covered segment or pipeline system is selected to perform a detailed inspection of every aspect of integrity management, thus following a specific example through the entire process of integrity management. Based on those reviews, OPS will identify potential non-compliances with rule requirements. PHMSA cannot and will not certify nor conclude that an operator is in full compliance with rule requirements, even if the inspection does not identify any areas of non-compliance. Operators are wholly responsible for compliance with regulations.
- References to regulatory requirements may include references to specific rule sections/paragraphs and/or to industry standards that are invoked in the rule. As specified in §192.7, any requirement invoked by reference is a requirement of the rule as though it were set out in full in the regulation.
- Protocols are subject to change without notice.
- Protocols are an initial guide for use by OPS inspectors during Integrity Management inspections. Inspectors will develop additional questioning during the course of the inspection to investigate the specifics of an operator's program. Protocols are not to be construed as an exhaustive list of questions that may be presented to operators during an inspection.
- Protocols are made publicly available as a courtesy to operators as they develop their Integrity Management program, as well as other stakeholders.
- C.01 Threat Identification
- C.02 Data Gathering and Integration
- C.03 Risk Assessment
- C.04 Validation of the Risk Assessment
- C.05 Plastic Transmission Pipeline
C.01 Threat Identification
Verify that the operator identifies and evaluates all potential threats to each covered pipeline segment. [§192.917(a)]
C.01.a. If the operator is following the prescriptive or performance-related approaches, verify that the following categories of failure have been considered and evaluated: [§192.917(a) and ASME B31.8S-2004, Section 2.2]
- external corrosion;
- internal corrosion;
- stress corrosion cracking;
- manufacturing-related defects, including the use of low frequency electric resistance welded (ERW) pipe, lap welded pipe, flash welded pipe, or other pipe potentially susceptible to manufacturing defects [§192.917(e)(4) and ASME B31.8S-2004, Appendix A4.3];
- welding- or fabrication-related defects;
- equipment failures;
- third party/mechanical damage [§192.917(e)(1)];
- incorrect operations (including human error);
- weather-related and outside force damage;
- cyclic fatigue or other loading condition [§192.917(e)(2)];
- all other potential threats.
C.01.b. If the operator is following the performance-based approach, verify that all 21 of the threats associated with the first nine failure categories listed above have been considered. [§192.917(a) and ASME B31.8S-2004, Section 2.2]
C.01.c. Verify that the operator's threat identification has considered interactive threats from different categories (e.g., manufacturing defects activated by pressure cycling, corrosion accelerated by third party or outside force damage) [ASME B31.8S-2004, Section 2.2].
C.01.d. Verify that the approach incorporates appropriate criteria for eliminating a specific threat for a particular pipeline segment. [ASME B31.8S-2004, Section 5.10]
C.02 Data Gathering and Integration
Verify that the operator gathers and integrates existing data and information on the entire pipeline that could be relevant to covered segments, and verify that the necessary pipeline data have been assembled and integrated. [§192.917(b)]
C.02.a. Verify that the operator has in place a comprehensive plan for collecting, reviewing, and analyzing the data. [ASME B31.8S-2004, Section 4.2 and ASME B31.8S-2004, Section 4.4]
C.02.b. Verify that the operator has assembled data sets for threat identification and risk assessment according to the requirements in ASME B31.8S-2004, Section 4.2, ASME B31.8S-2004, Section 4.3, and ASME B31.8S-2004, Section 4.4. At a minimum, an operator must gather and evaluate the set of data specified in ASME B31.8S-2004, Appendix A (summarized in ASME B31.8S-2004, Table 1) and consider the following on covered segments and similar non-covered segments [§192.917(b)]:
- Past incident history
- Corrosion control records
- Continuing surveillance records
- Patrolling records
- Maintenance history
- Internal inspection records
- All other conditions specific to each pipeline.
C.02.c. Verify that the operator has utilized the data sources listed in ASME B31.8S-2004, Table 2, for initiation of the integrity management program. [ASME B31.8S-2004, Section 4.3]
C.02.d. Verify that the operator has checked the data for accuracy. If the operator lacks sufficient data or where data quality is suspect, verify that the operator has followed the requirements in ASME B31.8S-2004, Section 4.2.1, ASME B31.8S-2004, Section 4.4, and ASME B31.8S-2004, Appendix A [ASME B31.8S-2004, Section 4.1, ASME B31.8S-2004, Section 4.2.1, ASME B31.8S-2004, Section 4.4, ASME B31.8S-2004, Section 5.7(e), and ASME B31.8S-2004, Appendix A]:
- Each threat covered by the missing or suspect data is assumed to apply to the segment being evaluated. The unavailability of identified data elements is not a justification for exclusion of a threat.
- Conservative assumptions are used in the risk assessment for that threat and segment or the segment is given higher priority.
- Records are maintained that identify how unsubstantiated data are used, so that the impact on the variability and accuracy of assessment results can be considered.
- Depending on the importance of the data, additional inspection actions or field data collection efforts may be required.
C.02.e. Verify that the operator's program includes measures to ensure that new information is incorporated in a timely and effective manner, as addressed in Protocol K. [§192.911(k), ASME B31.8S-2004, Section 11(b) and ASME B31.8S-2004, Section 11(d)]
C.02.f. Verify that individual data elements are brought together and analyzed in their context such that the integrated data can provide improved confidence with respect to determining the relevance of specific threats and can support an improved analysis of overall risk. [ASME B31.8S-2004, Section 4.5] Data integration includes:
- A common spatial reference system that allows association of data elements with accurate locations on the pipeline [ASME B31.8S-2004, Section 4.5];
- Integration of ILI or ECDA results with data on encroachments or foreign line crossings in the same segment to define locations of potential third party damage [§192.917(e)(1)].
C.03 Risk Assessment
Verify that the operator has conducted a risk assessment that follows ASME B31.8S-2004, Section 5, and that considers the identified threats for each covered segment. [§192.917(c)] [Note: Application of the risk assessment to prioritize the covered segments for the baseline assessment is covered in Protocol B, continual reassessments in Protocol F, and additional preventive and mitigative measures in Protocol H.]
C.03.a. Verify that the operator's risk assessment supports the following objectives [ASME B31.8S-2004, Section 5.3 and ASME B31.8S-2004, Section 5.4]:
- prioritization of pipelines/segments for scheduling integrity assessments and mitigating action
- assessment of the benefits derived from mitigating action
- determination of the most effective mitigation measures for the identified threats
- assessment of the integrity impact from modified inspection intervals
- assessment of the use of or need for alternative inspection methodologies
- more effective resource allocation
- facilitation of decisions to address risks along a pipeline or within a facility
C.03.b. Verify that the operator utilizes one or more of the following risk assessment approaches [ASME B31.8S-2004, Section 5.5]:
- Subject matter experts (SMEs),
- Relative assessment models,
- Scenario-based models, or
- Probabilistic models
C.03.c. Verify that the risk assessment explicitly accounts for factors that could affect the likelihood of a release and for factors that could affect the consequences of potential releases, and that these factors are combined in an appropriate manner to produce a risk value for each pipeline segment. [ASME B31.8S-2004, Section 3.1, ASME B31.8S-2004, Section 3.3, ASME B31.8S-2004, Section 5.2, ASME B31.8S-2004, Section 5.3 and ASME B31.8S-2004, Section 5.7(j)] Verify that the risk assessment approach includes the following characteristics:
- The risk assessment approach contains a defined logic and is structured to provide a complete, accurate, and objective analysis of risk [ASME B31.8S-2004, Section 5.7(a)];
- The risk assessment considers the frequency and consequences of past events, using company and industry data [ASME B31.8S-2004, Section 5.7(c)];
- The risk assessment approach integrates the results of pipeline inspections in the development of risk estimates [ASME B31.8S-2004, Section 5.7(d)];
- The risk assessment process includes a structured set of weighting factors to indicate the relative level of influence of each risk assessment component [ASME B31.8S-2004, Section 5.7(i)];
- The risk assessment process incorporates sufficient resolution of pipeline segment size to analyze data as it exists along the pipeline [ASME B31.8S-2004, Section 5.7(k)].
C.03.d. Verify that the operator's process provides for revisions to the risk assessment if new information is obtained or conditions change on the pipeline segments. Verify that the provisions for change to the risk assessment address the following areas:
- the risk assessment plan calls for recalculating the risk for each segment to reflect the results from an integrity assessment or to account for completed prevention and mitigation actions. [ASME B31.8S-2004, Section 5.11, and ASME B31.8S-2004, Section 5.7(c)]
- the operator integrates the risk assessment process into field reporting, engineering, facility mapping, and other processes as necessary to ensure regular updates. [ASME B31.8S-2004, Section 5.4]
- the integrity management plan calls for revision to the risk assessment process if pipeline maintenance or other activities identify inaccuracies in the characterization of the risk for any segments. [§192.917(c) and ASME B31.8S-2004, Section 5.12]
- the operator uses a feedback mechanism to ensure that the risk model is subject to continuous validation and improvement. [§192.917(c) and ASME B31.8S-2004, Section 5.7(f)]
C.03.e. Verify that adequate time and personnel have been allocated to permit effective completion of the selected risk assessment approach. [ASME B31.8S-2004, Section 5.7(b)]
C.04 Validation of the Risk Assessment
Verify that the integrity management program identifies and documents a process to validate the results of the risk assessments. [§192.917(c) and ASME B31.8S-2004, Section 5.12]
C.04.a. Verify that the validation process includes a check that the risk results are logical and consistent with the operator's and other industry experience. [§192.917(c) and ASME B31.8S-2004, Section 5.12]
C.05 Plastic Transmission Pipeline
If the operator has plastic transmission pipelines, verify that the operator assesses applicable threats to each covered segment of plastic line. [§192.917(d)]
C.05.a. If the operator has plastic transmission lines, verify that the information in ASME B31.8S-2004, Section 4 and ASME B31.8S-2004, Section 5, and any unique threats to the integrity of plastic pipe have been considered when assessing the threats to each covered segment of plastic pipeline. [§192.917(d)]