February 2010 Vol. 237 No. 2
Features
New Control Room Management Regulations Require Structured Management Approach
On Dec. 3, 2009, the Pipeline and Hazardous Materials Safety Administration (PHMSA) published its final regulations for control room management (CRM). These regulations were the result of a multi-year effort to address concerns expressed by the National Transportation Safety Board (NTSB) related to human factor issues in pipeline control rooms and in response to specific requirements in the PIPES Act of 2006 that required PHMSA to have pipeline operators establish a human factors management plan that reduces risks, including fatigue for control room operators.
Industry participated actively in the rulemaking process and the final regulations are seen by many in industry to be a reasonable approach to addressing these issues. Operators must develop a CRM plan by Aug. 1, 2011 and implement that plan by Feb. 1, 2013 (the Dec. 3, 2009 rule had an implementation deadline of Feb.1, 2012, but PHMSA has since indicated that the correct implementation deadline is 2013, not 2012).
In the preamble to the rulemaking, PHMSA succinctly stated the purpose and scope of the rulemaking:
“PHMSA is amending the Federal pipeline safety regulations to address human factors and other aspects of control room management for pipelines where controllers use supervisory control and data acquisition (SCADA) systems. Under the final rule, affected pipeline operators must define the roles and responsibilities of controllers and provide controllers with the necessary information, training and processes to fulfill these responsibilities. Operators must also implement methods to prevent controller fatigue. The final rule further requires operators to manage SCADA alarms, assure control room considerations are taken into account when changing pipeline equipment or configurations and review reportable incidents or accidents to determine whether control room actions contributed to the event.”
This article summarizes the requirements in the rulemaking and describes some of the industry’s initiatives related to this rulemaking. It also describes the applicability of the regulation to various types of facilities and notes key differences in the rules for gas pipelines versus liquid pipelines.
Applicability And Definitions
As with all rulemakings, the devil is in the details, especially when it comes to the applicability section, which depends heavily on the definitions section.
According to the rule:
“This section applies to each operator of a pipeline facility with a controller working in a control room who monitors and controls all or part of a pipeline facility through a SCADA system.”
In the pipeline safety regulations, the “operator of a pipeline facility” refers to the company that operates the pipeline. Thus, the regulation applies to the pipeline operating company. The controller is not the operator.
Controller is defined as a qualified individual who remotely monitors and controls the safety-related operations of a pipeline facility via a SCADA system from a control room and who has operational authority and accountability for the remote operational functions of the pipeline facility.
Control room is defined as an operations center staffed by personnel charged with the responsibility for remotely monitoring and controlling a pipeline facility.
Supervisory Control and Data Acquisition (SCADA) system is defined as a computer-based system or systems used by a controller in a control room that collects and displays information about a pipeline facility and may have the ability to send commands back to the pipeline facility.
Note that for some operators, compressor stations may have controllers in a control room, operating a pipeline facility using a SCADA system. Each operator will need to review these definitions internally to determine which portions of their operations are affected.
Distribution operators with less than 250,000 services and transmission operators without a compressor station only have to comply with the rule sections related to fatigue mitigation, compliance validation and compliance and deviations.
Gas Versus Liquid
There are a few differences between the regulation for gas pipelines (49 CFR Part 192) and liquid pipelines (49 CFR Part 195). The liquid pipeline rule incorporates all of API RP 1165: “Recommended Practice for Pipeline SCADA Displays,” while the gas pipeline rule only incorporates sections 1 (Scope), 4 (Human Factors Engineering Considerations In Display Designs), 8 (Object Characteristics), 9 (Object Dynamics), 11.1 (Consistency Within A Company) and 11.3 (Consistency Between Control Centers And Remote Locations).
Liquid pipelines are specifically required to implement section 5 of API RP 1168 for documentation of shift-change procedures and to implement section 7 of API RP 1168 for control room management changes. In addition, liquid pipeline operators must verify the correct safety-related alarm set-point values and alarm descriptions each time associated field instruments are calibrated or changed.
CRM Plan Requirements
According to the rule: “Each operator must have and follow written control room management procedures that implement the requirements of this section.” In the CRM plan, operators must:
- Define a controller’s roles, responsibilities and authorities during normal operations, abnormal operations and emergencies, even when the controller in not the first to detect the situation,
- Provide adequate information to the controllers to perform those duties,
- Establish a method to record shift changes,
- Establish shift lengths, schedule rotations and establish maximum hours-of-service1 to ensure controllers can achieve eight hours of sleep (emergency deviations are allowed in some circumstances) and
- Educate and train applicable staff on fatigue and fatigue mitigation.
Operators are required to incorporate lessons learned, including a specific review of all reportable incidents or accidents, in their CRM procedures and must maintain documentation to demonstrate that any deviation from the procedures was necessary for the safe operation of the pipeline facility. For pipeline operating setups that are periodically, but infrequently used, the operator must provide an opportunity for controllers to review relevant procedures in advance of their application. Each operator must ensure that physical changes to the pipeline equipment and configuration are coordinated between control room representatives, operations management and field personnel and that field personnel contact control room personnel when emergency conditions exist.
Annually, not to exceed 15 months, each operator must:
- Test and verify the internal communications plan for manual operation of the pipeline; and
- Test any backup SCADA systems.
Training
Each operator must develop a training program to give each controller a working knowledge of the pipeline system and prepare them to carry out the roles and responsibilities defined by the operator, recognize and respond to abnormal operating conditions and communicate in emergency conditions. Operators are required to review the controller training program each year and to incorporate lessons learned in CRM training.
SCADA Verification
Operators must “Conduct a point-to-point verification between SCADA displays and related field equipment when field equipment is added or moved and when other changes that affect pipeline safety are made to field equipment or SCADA displays.”
While this section does not require an operator to verify all existing SCADA information, each operator will need to determine which changes “affect pipeline safety,” and conduct (and document) this review as needed for future system modifications.
Alarm Management
Each operator must have a written alarm management plan. The rule defines “alarm” as an audible or visible means of indicating to the controller that equipment or processes are outside operator-defined, safety-related parameters. This will require that each operator review their system to determine which “alarms” pertain to “safety-related” parameters. Many alarms in a traditional SCADA system may not meet the regulatory definition of “alarm” in this rulemaking.
In the plan, the operator must review SCADA safety-related alarm operations “using a process that ensures alarms are accurate and support safe pipeline operations.” Operators must review alarms once a month to identify points affecting safety that were:
- Taken off scan,
- Inhibited,
- False,
- Forced or manual values longer than needed for maintenance or operations.
Operators must annually:
- Verify the correct safety-related alarm set-point values and alarm descriptions,
- Review the alarm management plan to determine the effectiveness of the plan,
- Monitor the content and volume of general activity being directed to and required of each controller to ensure controllers have sufficient time to analyze and react to incoming alarms and
- Address any deficiencies identified during the monthly or annual reviews.
End Note:
1. Several operators intend to establish a maximum normal shift duration of 12 hours (12.5 hours including 15 minutes at the start and end of each shift change for transitions), with a service limit of 63 hours in a five-day period, followed by 36 hours of time off.
Industry Initiatives/Other Reference Materials
Several industry associations have undertaken (or are undertaking) initiatives and the development of practices that are related to this rulemaking, as given here.
American Gas Association (AGA).
AGA’s Gas Control Committee developed a white paper entitled “Alarm Management for Control Room Operations in the Natural Gas Industry,” Oct. 13, 2009. This document provides natural gas pipeline operators with guidance on developing alarm management policies and procedures for their control room operations. The committee took into account the control room differences inherent in distribution and transmission operations when developing this white paper.
American Petroleum Institute (API)
All or parts of API RP 1165: “Recommended Practice for Pipeline SCADA Displays” and API RP 1168 ‘‘Pipeline Control Room Management’’ are incorporated into the current rulemaking.
An API workgroup is developing API RP 1167 concerning alarm management. API RP 1167 is intended to provide pipeline operators with recommended industry practices in the development, implementation, maintenance and validation of an alarm management program for SCADA systems. It will provide guidance on elements that include, but are not limited to, alarm definition, alarm philosophy, documentation, management of change and auditing. API 1167 is dedicated to the management of software generated alarms from SCADA systems in pipeline control centers and control rooms. API 1167 does not focus on alarms generated external to the SCADA system.
API RP 1113: “Developing a Pipeline Supervisory Control Center, First Edition,”
American Petroleum Institute/01-Sep-2007/10 pages. This document focuses on the design aspects that may be considered appropriate for developing or revamping a control center. This document is not all-inclusive. It is intended to cover best practices and provide guidelines for developing a control center only. It does not dictate operational control philosophy or overall SCADA system functionality.
Battelle (for PHMSA and PRCI)
“Liquid Pipeline Operator’s Control Room Human Factors Risk Assessment And Management Guide,” Nov. 26, 2008. The current version of the Guide is 415 pages in length. It contains two rating instruments, several calculation procedures, numerous worksheets and summary forms and two major sets of guidance that are intended to support worksheet preparation. Each of the separate guide elements is intended to support a progressive, integrated process of information gathering, analysis and documentation. Much of the information, data and results obtained from individual steps are intended to be transferred to data sets or forms used in subsequent steps. It was specifically designed for large liquid pipeline control room operations and has not been customized for gas pipelines or small control room operations.
The guide describes an eight-step process to identify, quantify, prioritize and address human-risk factors in the control room. It identifies 138 performance factors which represent specific human factors in control room working conditions, including the characteristics of controllers (e.g., experience, fatigue), workspaces (e.g., display monitors, lighting), job tools (e.g., batch tracking, SCADA), job design (e.g., control tasks and activities) and other factors that affect the controller’s ability to effectively monitor and control pipeline operations. The performance factors are organized into 29 human factors topics, which are themselves organized into 11 human factors areas.
The Guide is accompanied by the “Human Factors Analysis Of Pipeline Monitoring And Control Operations: Final Technical Report,” prepared by Battelle for PHMSA and PRCI, Nov. 26, 2008.
The Engineering Equipment and Materials Users Association (EEMUA)
EEMUA has developed Publication 191: “Alarm Systems – A Guide to Design, Management and Procurement.” This publication offers direction on designing, managing and procuring an effective alarm system.
Gas Piping Technology Committee (GPTC)
The GPTC is working on guidance material to incorporate into the “GPTC Guide for Gas Transmission and Distribution Piping Systems (ANSI Z380.1-2009),” to address the requirements in the final rule.
International Society of Automation (ISA), Committee 18
The ISA18 committee develops standards, technical reports and guidelines for alarm systems including annunciators, process automation systems and the general development, design, installation and management of alarm systems in the process industries, to establish terminology and practices for alarm systems, including the definition, design, installation, operation, maintenance and modification and work processes recommended to effectively maintain an alarm system over time. The committee is focused on the development of the revision of ANSI/ISA-18.1-1979 (R2004), “Annunciator Sequences and Specifications” and the development of six technical reports for ISA-18.02, “Management of Alarm Systems for the Process Industries.” Other working groups are:
* WG1 – Alarm Philosophy.
* WG2 – Alarm Identification and Rationalization.
* WG3 – Basic Alarm Design.
* WG4 – Enhanced and Advanced Alarm Methods.
* WG5 – Alarm Monitoring, Assessment and Audit.
* WG6 – Alarm Design for Batch and Discrete Processes.
Author
W. R. (Bill) Byrd, PE (wrb@rcp.com) is president of RCP Inc., a professional engineering and regulatory consulting firm that serves the energy pipeline industry. He holds a BS and MS in mechanical engineering from the Georgia Institute of Technology, and is a registered professional engineer in Texas, Louisiana, Mississippi, and Alabama. He can be reached at (888) 727-9937 and wrbyrd@rcp.com.
Comments