[Federal Register: September 12, 2008 (Volume 73, Number 178)]
[Proposed Rules]
[Page 53075-53104]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr12se08-26]
[[Page 53075]]
-----------------------------------------------------------------------
Part II
Department of Transportation
-----------------------------------------------------------------------
Pipeline and Hazardous Materials Safety Administration
-----------------------------------------------------------------------
49 CFR Parts 192, 193, and 195
Pipeline Safety: Control Room Management/Human Factors; Proposed Rule
[[Page 53076]]
-----------------------------------------------------------------------
DEPARTMENT OF TRANSPORTATION
Pipeline and Hazardous Materials Safety Administration
49 CFR Parts 192, 193, and 195
[Docket ID PHMSA-2007-27954]
RIN 2137-AE28
Pipeline Safety: Control Room Management/Human Factors
AGENCY: Pipeline and Hazardous Materials Safety Administration (PHMSA),
DOT.
ACTION: Notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: PHMSA proposes to revise the Federal pipeline safety
regulations to address human factors and other components of control
room management. The proposed rules would require operators of
hazardous liquid pipelines, gas pipelines, and liquefied natural gas
(LNG) facilities to amend their existing written operations and
maintenance procedures, operator qualification (OQ) programs, and
emergency plans to assure controllers and control room management
practices and procedures used maintain pipeline safety and integrity.
This proposed rule results from a PHMSA study of controllers and
controller performance issues known as the Controller Certification
Project (CCERT), a National Transportation Safety Board study, safety-
related condition reports, operator visits and inspections, and
inquiries. This rule would improve opportunities to reduce risk through
more effective control of pipelines and require the human factors
management plan mandated by the Pipeline Inspection, Protection,
Enforcement, and Safety Act of 2006 (PIPES Act). These regulations
would enhance pipeline safety by coupling strengthened control room
management, including automated control systems, with improved
controller training and qualifications and fatigue management. PHMSA
expects these regulations will complement efforts already underway in
the pipeline industry to address human factors and control room
management, such as the development of new national consensus
standards, including an American Petroleum Institute (API) recommended
practices on roles and responsibilities, shift operations, management
of change, fatigue management, alarm management and SCADA display
standard, as well as comparable business practices at some pipeline
companies.
DATES: Anyone interested in filing written comments on this proposal
must do so by November 12, 2008. PHMSA will consider late comments
filed so far as practical.
ADDRESSES: Comments should reference Docket No. PHMSA-2007-27954 and
may be submitted the following ways:
E-Gov Web site: http://www.regulations.gov. This Web site
allows the public to enter comments on any Federal Register notice
issued by any agency. Follow the instructions for submitting comments.
Fax: 1-202-493-2251.
Mail: DOT Docket Management System: U.S. Department of
Transportation, Docket Operations, M-30, West Building Ground Floor,
Room W12-140, 1200 New Jersey Avenue, SE., Washington, DC 20590-0001.
Hand Delivery: DOT Docket Management System; West Building
Ground Floor, Room W12-140, 1200 New Jersey Avenue, SE., Washington, DC
20590-0001 between 9 a.m. and 5 p.m., Monday through Friday, except
Federal holidays.
Instructions: You should identify the docket ID, PHMSA-2007-27954,
at the beginning of your comments. If you submit your comments by mail,
submit two copies. To receive confirmation that PHMSA received your
comments, include a self-addressed stamped postcard. Internet users may
submit comments at http://www.regulations.gov.
Note: Comments are posted without changes or edits to http://
www.regulations.gov, including any personal information provided.
There is a privacy statement published on http://
www.regulations.gov.
FOR FURTHER INFORMATION CONTACT: Byron Coy at (609) 989-2180 or by e-
mail at Byron.Coy@dot.gov.
SUPPLEMENTARY INFORMATION:
I. Prevention Through People
Over the past several years, PHMSA's integrity management (IM)
programs have been successfully driving down the two leading causes of
pipeline failure--excavation damage and corrosion. IM programs help
operators understand the threats affecting the integrity of their
systems and implement appropriate actions to mitigate risks associated
with these threats.
Excavation damage and corrosion are, however, only part of the
safety picture. The next logical area of program development is to
examine the role people play in operating and maintaining pipelines.
With this proposed rule, PHMSA is beginning implementation of a program
that recognizes the importance of human interactions and opportunities
for preventing risk, both errors and mitigating actions, to pipeline
systems through a Prevention Through People (PTP) program. PTP
addresses human impacts on pipeline system integrity. Human impacts
include errors contributing to events, intervention to prevent or
mitigate events, and the recognition of events that may begin the need
for increased vigilance. The role of people, including controllers and
those interacting with control center operations, is a vital component
in preventing and reducing risk associated with pipeline systems. The
proposed rule addresses requirements applicable to controllers and
control room management.
PHMSA has long recognized that controllers can play a key role in
pipeline safety. Congress recognized the importance of this role in the
Pipeline Safety Improvement Act of 2002 (PSIA) (Pub. L. 107-355) and
the PIPES Act. A controller's actions can mitigate risk, but they can
also introduce the potential for upset conditions. Human error
(including those caused by mistake or fatigue) can cause or exacerbate
events involving releases leading to safety hazards and environmental
impacts. Controllers also respond to indications of abnormal conditions
on the pipeline. Appropriate human response to abnormal situations can
mitigate events, helping to prevent accidents leading to adverse
consequences. As part of the PTP program, this proposed rule addresses
requirements applicable to controllers, key players among the people
who can affect pipeline safety.
Several existing regulations strengthen the effectiveness of the
role of people in managing safety. These include regulations on damage
prevention programs (49 CFR 192.614 and 195.442), public awareness
(Sec. Sec. 192.616 and 195.440), qualification of pipeline personnel
(part 192, subpart N, part 193, subpart H, and part 195, subpart G),
and drug and alcohol testing regulations and procedures (parts 40 and
199). Explicitly incorporating a PTP element in IM plans would
emphasize the role of people both in contributing to, and in reducing,
risks. PHMSA believes this may be the best means of fostering a
holistic approach to managing the safety impact of people on the
integrity of pipelines. This proposed rule adds requirements applicable
to control room management. In the future, PHMSA plans to address
additional risks associated with human factors as well as the
opportunities for people to mitigate risks. In addition to regulations,
PHMSA plans to identify and promote noteworthy best practices in PTP.
[[Page 53077]]
PHMSA recently reported to Congress on its work examining control
room management issues as mandated in the PSIA. The report, titled
``Qualification of Pipeline Personnel,'' includes a summary of the
CCERT Project, a four-year effort examining control room issues in PTP.
Although the project began with examination of qualification issues,
during the course of the project, we identified other control room
issues impacting the safety performance of controllers. PHMSA concluded
that validating the adequacy of controller-related processes,
procedures, training, and the controllers' credentials would improve
management of control rooms, thereby enhancing safety for the public,
the environment and pipeline employees. PHMSA also identified areas in
which additional measures could enhance control room safety and
minimize the risk associated with fatigue and interaction with computer
equipment. These areas include annual validation of controller
qualifications by senior level executives of pipeline companies,
clearly defined responsibilities for controllers in responding to
abnormal operating conditions, the use of formalized procedures for
information exchange during shift turnover, and clearly established
shift lengths combined with education on strategies to reduce the
contribution of non-work activities to fatigue. These areas are
addressed by requirements included in this proposed rule.
II. Background
A. Pipelines and LNG Plants
Approximately two-thirds of our domestic energy supplies are
transported by pipeline. There are roughly 170,000 miles of hazardous
liquid pipelines, 295,000 miles of gas transmission pipelines, and 1.9
million miles of gas distribution pipelines in the United States.
Hazardous liquid pipelines carry crude oil to refineries and refined
products to locations where these products are consumed. Hazardous
liquid pipelines also transport highly volatile liquids (HVLs), other
hazardous liquids such as anhydrous ammonia, and carbon dioxide. The
regulations in 49 CFR part 195 apply to owners and operators of
pipelines used in the transportation of hazardous liquids and carbon
dioxide. Throughout this document, the term ``operator'' refers to both
owners and operators of pipeline facilities.
Gas transmission pipelines typically carry natural gas over long
distances from gas gathering, supply, or import facilities to
localities where it is used to heat homes, generate electricity, and
fuel industry. Gas distribution pipelines take natural gas from
transmission pipelines and distribute it to residential, commercial,
and industrial customers. The regulations in 49 CFR part 192 apply to
operators of pipelines that transport natural gas, flammable gas, or
gas which is toxic and corrosive. Throughout this document, the term
``gas'' refers to all gases in pipelines regulated under part 192.
Additionally, there are currently 109 LNG import and peak shaving
plants connected to our natural gas transmission and distribution
pipeline systems. The volume of natural gas is reduced about 600 times
when the gas is cooled to a liquid form. This allows large quantities
of natural gas to be transported by ship and to be stored in insulated
tanks. LNG import plants allow the U.S. to use natural gas produced in
other countries and transported by ship. According to the Department of
Energy, imported LNG provided 2% of U.S. natural gas supplies in 2003
but that proportion is expected to grow to 21% by 2025.\1\ LNG peak
shaving plants allow gas pipeline operators to liquefy and store
natural gas during off-peak periods. The stored LNG is then converted
back to natural gas when needed for periods of peak consumption. The
risks inherent in control of these facilities can be reduced by
application of this proposed rule.
---------------------------------------------------------------------------
\1\ U.S. Department of Energy, Office of Fossil Energy Web site
(http://www.fossil.energy.gov/programs/oilgas/storage/lng/feature/
whyimportant.html).
---------------------------------------------------------------------------
B. Control Rooms and Controllers
Most pipelines are underground and operate without disturbing the
environment or negatively impacting public safety. However, accidents
\2\ do occasionally occur. Effective control is one key component of
accident prevention. Controllers can help identify risks, prevent
accidents, and minimize commodity losses if provided with the necessary
tools and working environment. Therefore, this proposed rule is
intended to increase the likelihood that pipeline and LNG controllers
have the necessary knowledge, skills, abilities, and qualifications to
help prevent accidents and that operators provide controllers with the
training, tools, procedures, management support, and environment where
a controller's actions can help prevent accidents and minimize
commodity losses.
---------------------------------------------------------------------------
\2\ The pipeline safety regulations in 49 CFR parts 191, 192,
and 193 refer to certain harmful events on a gas pipeline system or
LNG facility as ``incidents'' while part 195 refers to certain
failures on a hazardous liquid pipeline system as ``accidents.''
Throughout this document the terms ``accident'' and ``incident'' may
be used interchangeably to mean an event or failure on a gas or
hazardous liquid pipeline system or LNG facility.
---------------------------------------------------------------------------
i. Background
Pipeline systems vary from small, simple systems, to complex
systems covering thousands of miles. Combined, these systems make up a
vast network of pipelines reaching across the United States. Pipeline
systems include pumps, compressors, storage tanks, valves, and other
components. A pump station, compressor station, or terminal is usually
a major installation consisting of large pumps, compressors, storage
tanks, and other service equipment. Pipeline systems also include
valves used to control pressure and to direct flow during normal
operations, to isolate sections of pipeline for maintenance or
emergency activities, or to maintain operating pressures within
allowable limits.
Most operators monitor pumps, compressors, valves, and other
equipment from single or multiple locations, often hundreds of miles
away. Such locations are commonly known as ``control rooms.'' The
individuals who work in control rooms are ``controllers.'' \3\ A
control room may have one or more controllers, who could be union or
non-union employees. Both union and non-union controllers may work for
the same operating company and a control room is likely to be
operational 24 hours a day, 365 days a year, or less, depending on the
complexity and nature of the pipeline system or LNG facilities served.
---------------------------------------------------------------------------
\3\ Different titles exist in the industry for personnel who
operate computer-based systems for controlling and monitoring the
operations of pipeline facilities, some of which are controllers,
dispatchers, operators, and board operators, but all are considered
``controllers'' in this document.
---------------------------------------------------------------------------
Most operators use computer-based supervisory control and data
acquisition (SCADA) systems, distributed control systems (DCS), or
other less sophisticated systems to gather key information
electronically from field locations.\4\ These systems are configured to
present field data to the controllers, and may include additional
historical, trending, and alarm management information. Controllers
track routine operations continuously and watch for possible developing
abnormal operating or emergency conditions. A controller may take
direct action through the SCADA system to correct the conditions
[[Page 53078]]
or the controller may alert and defer action to others.
---------------------------------------------------------------------------
\4\ SCADA and DCS systems perform similar functions. Throughout
this document, where the term SCADA is used, it should be
interpreted to mean SCADA or DCS.
---------------------------------------------------------------------------
ii. Importance of Control Rooms and Controllers
Control rooms and controllers are critical to the safe operation of
pipeline systems and LNG facilities. Control rooms often serve as the
hub or command center for decisions such as adjusting commodity flow or
facilitating an operator's initial response to an emergency. The
control room is the central location where humans or computers receive
data from field sensors. Commands from the control room may be
transmitted back to remotely controlled equipment. Field personnel also
receive significant information from the control room. In essence, the
control room is the ``brain'' of the pipeline system or LNG plant.
Errors made in control rooms can have significant effects on the
controlled systems. A controller's errors can initiate or exacerbate an
accident. A controller's improper action or lack of action can place
undue stresses on a pipeline segment or an LNG facility, which could
result in a subsequent failure, the loss of service, or an increase in
lost commodity, leading to risk to people, the environment, and the
fuel supply. Controller responses to developing abnormal operating
conditions or accidents can alleviate or exacerbate the consequences of
some events regardless of the initial cause.
A brief description of a few accidents can help illustrate the
importance of control rooms and controllers to safe pipeline operation.
More often than not, however, control rooms and controllers are a
significant part of an operator's response to abnormal and emergency
events rather than the cause.
A batch of hazardous liquid expected to fill several tanks
was being received at a tank terminal. A tank switchover was scheduled
to occur late in a controller's shift. The switchover did not occur at
the scheduled time due to a reduction in flow rate in the pipeline, but
the controller failed to inform the relief controller at shift change.
The oncoming controller assumed the switchover had happened as
scheduled, and therefore did not monitor the levels in the tank being
filled. The liquid overflowed the tank and was ignited. The resulting
fire caused considerable damage including the destruction of two large
storage tanks.
A seldom-used manual valve in a hazardous liquid pipeline
system had been closed to facilitate maintenance. The controller was
aware that the valve was closed. The controller was not aware, however,
that the indication on his computer display of pressure near the valve
came from a transducer downstream of the valve. The display indicated
it was from the upstream side of the valve. While filling the isolated
portion of the pipeline to return it to service, the controller over-
pressurized the line, resulting in a rupture.
While diverting hazardous liquid pipeline flow from one
facility to another, an elevated pressure caused the rupture of a
pipeline at a location weakened by previous third party damage. Pumps
had automatically shut off due to the high pressures. Despite a sharp
drop in line pressure, the controller did not recognize that the
pipeline had failed, and re-started the pumps. As a result, a
significant amount of product was released through the ruptured line,
ignited, and resulted in several fatalities. Maintenance activities
being performed on the computers of the SCADA system at the time of the
vent hampered the controller from recognizing and reacting to the
failure.
A slug of contaminants was introduced into a gas
transmission pipeline when gas was drawn from storage. The contaminants
affected instruments and regulators as the slug moved down the
pipeline, resulting in many control room alarms. The controller
operating the pipeline did not recognize what was happening and failed
to initiate corrective action in time to avoid loss of gas supply to
several towns.
A citizen called a gas pipeline control room to report a
sheen on a creek in a right-of-way shared with hazardous liquid
pipelines. The citizen called the gas control room because its
telephone number was on the pipeline marker the citizen located in the
corridor. The controller of the gas pipeline failed to contact the
controllers of the liquid pipelines in the shared corridor, and
referred the information from the call to a field office that was
unattended at the time. The result was a delay of several days in
responding to a potential failure of one of the liquid pipelines.
In a similar situation, a citizen telephoned a gas control
room and reported a leak. The controller concluded the company had no
facilities in the area, that any problem was thus not theirs, and did
not follow up. The leak persisted and subsequent calls to regulatory
agencies resulted in locating a number of leaks in the area affecting
facilities operated by the control room that took the original call.
iii. Local Control and LNG
Many pipeline systems and LNG plants have equipment that is locally
controlled via a control panel located on or near the field equipment.
The individuals who operate this equipment using the control panel
could be considered controllers depending on their shared and
associated responsibilities with controllers at other locations. This
may also depend on the specific equipment being controlled and whether
or not the controlled equipment is within direct observation of the
individual at the local control panel.
Gas pipeline operations are sometimes associated with LNG plants.
LNG facilities are operated from control rooms and can have locally-
controlled equipment in the same manner as pipeline facilities. In
addition, some LNG control rooms also control pipeline systems
connected to the LNG plant. Working from control rooms, controllers
operate LNG facilities, pipelines associated with the facilities, and
locally controlled equipment within LNG plants.
Most pipeline systems today have control rooms. These facilities
can be located at some distance from the pipeline, or they may be in
close proximity to the pipeline. Many pipelines also have locally
controlled equipment operated by controllers. This proposed rule
addresses all of these situations. Pipeline and LNG facilities include
compressor stations, hazardous liquid terminals, pump stations, LNG
plants, and any other locations where controllers are located. In
addition, control room also means a control center, control station, or
any other such terminology.
iv. Providing Tools for Effective Controller Performance
Pipeline and LNG controllers impact the safety and integrity of the
pipeline and LNG facilities they operate by being vigilant during
normal operations and by properly responding to abnormal operating
conditions and potential emergency situations. Public safety can be
enhanced when a pipeline or LNG operator provides a controller the
necessary tools and management support, while implementing and tracking
thoroughly developed processes used by controllers.
SCADA systems, which are widely used throughout the pipeline
industry, can be as simple as computerized field equipment that allows
an individual to monitor alarms or control equipment within a pipeline
facility; or they can be more complex and diverse to allow a
[[Page 53079]]
controller to monitor, or monitor and control, many facilities as part
of a complex pipeline network involving various communications mediums,
often from a control room that is hundreds of miles away. For some
pipeline operators, the application of SCADA systems has resulted in a
reduction of pipeline field personnel, making the role of the
controller even more critical to the safety and integrity of pipeline
facilities.
Pipeline and LNG controllers also must have adequate and up-to-date
information about the conditions and operating status of the equipment
they monitor, or monitor and control, if they are to succeed in
maintaining pipeline safety. Incorrect, delayed, missing, or poorly
displayed data may confuse a controller and can lead to problems
despite the extensive training, qualification, and abilities of the
controller.
v. Controller Knowledge and Abilities
Operators should assure that controllers perform their duties
promptly and accurately, including routine operations and response to
developing abnormal operating conditions or emergency circumstances, to
help maintain pipeline and LNG facility safety. Existing operator
qualification (OQ) regulations for pipeline personnel currently address
a portion of the processes affecting a controller's ability to succeed
in maintaining pipeline safety and integrity.
A controller should possess certain abilities, and attain the
knowledge and skills necessary to complete the various tasks required
for a specific pipeline system or LNG facility. To attain the necessary
knowledge and skills, the controller is typically required to complete
extensive on-the-job training and is often closely observed by an
experienced controller for a period of time. The controller must also
review and understand appropriate procedures, including those
associated with emergency response, and repeatedly practice the correct
responses to a variety of abnormal operating conditions. A controller's
skills and knowledge are then evaluated through the pipeline operator's
OQ process. Many pipeline operators require additional company-specific
performance requirements that are outside of the operator's OQ program.
Many controllers routinely monitor and send commands to change flow
rates and pressures, open and close valves, start and stop compressors
or pumps, monitor tank levels, identify abnormal operating and
emergency conditions, and perform a key role when a safety response is
needed. In some pipeline systems, controllers also monitor corrosion
control rectifiers, odorant systems, purge operations, leak detection
equipment, and security systems. Prompted by an assortment of factors,
controllers re-direct flow, start and stop pipeline segments, or
further adjust flow rates to accommodate market conditions, maintenance
activities, and weather conditions on a regional or national basis. For
these pipelines, dynamic operating conditions require controllers to
have a high level of knowledge, skills, and abilities to safely
maintain systems and to promptly recognize abnormal operating
conditions or other anomalies as situations develop. In other pipelines
and distribution systems, controllers use computers to closely monitor
operating conditions, and then alert field personnel to take action
when upset, abnormal or emergency conditions arise.
A controller needs adequate, thorough training and qualifications
as well as appropriate timely data, a control system designed to aid in
the prompt identification of abnormal conditions, and an understanding
of the controller's authority to take appropriate actions.
vi. Control Room Management
All of this must occur within an environment that facilitates
appropriate and correct actions. Operators must appropriately manage
the factors affecting the controller, including relevant human factors
and operator processes and procedures. PHMSA refers to the combination
of all these factors as control room management.
Centralized pipeline and facility control operations generally fall
into one of three control function categories or into a hybrid
combination:
1. Monitor, detect, and perform full remote control.
2. Monitor, detect, and direct field operating personnel to perform
specific actions.
3. Monitor, detect, and alert field operating personnel, and defer
action to field personnel.
Controllers use SCADA systems to detect and monitor operational
conditions. A controller then performs the required control function or
directs or defers to field operations for needed attention based on the
controller's responsibility, authority, and assessment of the
situation.
Individual station computer control may be implemented through:
1. A unified control system within the station or plant, or
2. Individual unit-mounted control panels for each piece of
equipment or groupings of equipment.
Pipeline operations can vary significantly based on the physical
properties of the commodities transported. For example, compressibility
is a fundamental difference between natural gas and some hazardous
liquids. SCADA system configuration, communication schemes, control
modes and applied instrumentation, pipeline system configuration and
complexities, size, procedures, and practices can further differentiate
pipeline operations. These differences can have dramatic effects on the
required content and scope of a controller's training and
qualifications, and on operational procedures and configuration of
applied SCADA control systems. Differences in pipeline operations can
also exist because some controllers are union employees governed by
contract conditions and some are not. This can impact the number of
hours worked, activities performed, number of controllers on shift, and
other factors such as shift schedules.
All controllers have some opportunity to mitigate risks. The degree
to which they can affect pipeline safety may vary. For example, all
controllers, including those that monitor only, can affect minor events
(i.e. those not meeting reporting thresholds) and can influence the
impact of future incidents in a positive manner. Pipeline controllers
require similar cognitive and analytical skills. Additionally, control
room procedures, pipeline controller tools, training, skills, and
qualifications can impact controller performance.
The nature of a particular control arrangement and the commodity
transported will affect the actions an operator must take to manage the
control environment and permit controllers to be successful in
maintaining pipeline safety. None of these differences, though, obviate
the need for control room management.
C. The Safety Pyramid
Operators of gas pipeline systems must submit to PHMSA written
reports of events meeting certain criteria as incidents. Over the past
10 years, gas pipeline operators have submitted written reports for
approximately 100 incidents per year on approximately 300,000 miles of
gas transmission pipelines and approximately 130 incidents per year on
approximately 2 million miles of distribution pipelines. Similarly,
operators of hazardous liquid pipeline systems must submit to PHMSA
written reports of
[[Page 53080]]
pipeline system failures meeting certain criteria as accidents. Over
the same 10 years, hazardous liquid pipeline operators have reported an
average of approximately 140 accidents per year on approximately
160,000 miles of pipeline. The total number of accidents reported to
PHMSA is about 370 per year.
There are far more events, failures and near misses that occur on
pipelines than those that require written reports. Some involve off-
normal conditions for which controllers or automated safety systems
intercede to prevent serious consequences. Others do not progress to
the point of needing controller or safety system involvement. Pipeline
operators document some near misses, but not all. PHMSA believes there
are other low-order events, failures and near misses that occur
unobserved.
The term ``safety pyramid'' was used by Dr. D.W. Heinrich (1881-
1962), an insurance company analyst who analyzed industrial accident
prevention in the 1930s. In particular, he studied the relationship of
events of varying significance and concluded that serious events (e.g.,
those resulting in fatalities) in any system occur in much smaller
numbers than events of lesser significance. His work generally divided
events into a 300-29-1 ratio, where there is 1 significant failure and
29 notable events in every 300. Heinrich called this relationship the
``safety pyramid.'' In turn, the number of errors and situations not
recognized as ``events'' is even larger. Reportable pipeline accidents
and incidents are only the tip of the safety pyramid. More events and
failures occur at lower levels of the pyramid, including many near-miss
events. Information about these near-miss events, whether affecting a
gas pipeline, hazardous liquid pipeline, or LNG facility, can lead to
identifying key elements that can prevent events and failures from
reaching the tip of the safety pyramid. Controller vigilance and
appropriate response to lower-level events thus serves to prevent
reportable pipeline incidents from occurring.
D. Learning From Industry-Wide Operating Experience
The proposed rule would require operators to establish a program to
evaluate events that occur on their pipeline systems to identify
lessons that can be used to improve control room performance. PHMSA
believes it would be useful for the pipeline industry to establish a
program to perform the same function for events occurring across the
pipeline industry and to disseminate to all pipeline operators the
lessons learned.
It is self-evident that more events occur within the pipeline
industry than on any individual pipeline system. The industry's safety
pyramid is larger than that for any individual operator. This larger
database of experience would provide more opportunity to learn lessons
that can be used to improve the ability of controllers to maintain
pipeline safety. For example, the airline industry and nuclear power
plants have processes to collect and analyze operating experience and
to share important lessons across their sectors. No such process exists
within the pipeline or LNG industries. Some information about failures
can be gleaned from news reports and discussions in trade association
meetings, but pipeline and LNG operators do not usually share the
details of failures. Operators are even less likely to share
information about the bulk of close-calls and other minor events in the
lower sector of the safety pyramid. Events with significant
consequences (e.g., the 1999 hazardous liquid pipeline leak and
explosion in Bellingham, Washington, or the 2001 gas transmission
pipeline explosion near Carlsbad, New Mexico) get considerable press
attention and become well known. The NTSB investigates significant
pipeline events and issues reports and recommendations. Some events of
lesser significance may be reported in trade press or by informal
communications among pipeline operators, but there is no formalized
process to collect and analyze information regarding close-call events
or problems with more limited consequences in the pipeline industry.
For larger pipeline operators, the sheer number of pipeline
segments and stations may allow for the creation of a sufficiently
large database of events to yield analytical value, but for most
operators, their own experiences are not adequate to do so. Industry
trade associations or other cooperative organizations could sponsor an
industry-wide process to collect and analyze such information. Issues
of proprietary information and perceived industry collusion are real
constraints, but these have been dealt with in other industries.
While the proposed rule would require each operator to establish a
program to evaluate events that occur on its pipeline system, the rule
would not require an intra-industry operating experience review
process. PHMSA believes such intra-industry review could be useful, but
does not consider it appropriate at this time to avoid the issues of
unnecessary disclosure of proprietary information and perceived
industry collusion. PHMSA encourages these industries to consider
establishing such processes and invites the public and industry to
comment on the value of such an inter-company review process.
III. Human Factors Studies
A. PHMSA Controller Study
PHMSA had been studying and evaluating control room operations for
many years and began developing control room inspection guidance in
1999. Subsequently, Congress enacted the PSIA, which the President
signed into law on December 17, 2002. Section 13 of the PSIA required
the DOT to conduct a pilot program to evaluate whether pipeline
controllers should be certified based on tests and other requirements.
In response to the PSIA, PHMSA conducted the CCERT study and reported
findings to Congress in a report dated December 17, 2006, entitled
``Qualification of Pipeline Personnel.'' This project included a
comprehensive review of existing controller training, qualification
processes, procedures, and practices. This review also included
identifying potential enhancements such as validation and certification
processes currently used in other industries to enhance public safety.
Understanding the attributes traditionally contained in existing
operators' training and qualification programs was an essential element
of CCERT. Process techniques, practices, and procedures are significant
and valuable tools to train and qualify controllers. PHMSA identified
techniques, practices, and procedures through interviews with numerous
pipeline operators and controllers in a variety of situations. This
included pipelines of a wide array of types and sizes and both union
and non-union controllers.
PHMSA determined what actions would lead to an additional assurance
that pipeline controllers are adequately qualified to perform safety-
sensitive tasks. The project team also identified key processes and
procedures critical to control room safety and reviewed certification
programs. To consider validation or certification of pipeline
operators' qualification processes, the training and qualification
programs should be thorough and adequately administered. PHMSA's
primary project objectives were to review and evaluate the structure
and content of operators' training and qualification programs and to
identify controller procedures that can have an impact on pipeline
safety and integrity.
[[Page 53081]]
The project focused on the content of the pipeline operators'
administrative, training, and evaluation techniques that make up the
controller training and qualification processes, and included a review
of related safety and integrity procedures. Ultimately this information
helped to:
Identify content that should be included in an operator's
training program for controllers.
Identify content that should be included in the
qualification programs to provide a higher assurance that controllers
possess adequate knowledge, skills, and abilities to maintain the
safety and integrity of the pipeline.
Determine what form of validation should be used to
ascertain that pipeline controllers are adequately qualified and
sustain those qualifications.
Identify aspects of safety and integrity practices and
procedures that are critical to controllers.
PHMSA established and implemented a strategy for receiving and
encouraging ongoing stakeholder interaction early in the project. This
approach involved the participation of numerous stakeholders that
provided information including a focus group with representatives of
the public, industry trade associations, pipeline operators, state and
Federal pipeline safety agencies, and academia. PHMSA shared insights
regarding key operational and logistical considerations for the project
and collected comments from the group at key phases of the project.
Information came directly from the focus group participants and
indirectly from members of their respective constituencies. In
addition, PHMSA presented project updates at numerous trade association
meetings and other stakeholder forums to solicit additional feedback.
PHMSA gathered supplemental information regarding controller
qualifications from pipeline operators transporting various commodities
with diverse control room characteristics, complex control operations
and minimal monitoring operations, union and nonunion work
environments, and varying pipeline mileage. Additional information was
also obtained from the following sources:
National Transportation Safety Board (NTSB);
PHMSA Pipeline Technical Advisory Committees;
National Association of Pipeline Safety Representatives
(NAPSR);
Pipeline trade organizations such as the
[ctrcir] American Petroleum Institute (API),
[ctrcir] Association of Oil Pipelines (AOPL),
[ctrcir] American Gas Association (AGA),
[ctrcir] American Public Gas Association (APGA), and
[ctrcir] Interstate Natural Gas Association of America (INGAA);
Research by
[ctrcir] Najmedin (Najm) Meshkati, Professor of Civil/Environmental
Engineering and Professor of Industrial and Systems Engineering at the
University of Southern California,
[ctrcir] Craig Harvey, Industrial and Manufacturing Systems
Engineering, Louisiana State University, and
[ctrcir] Marvin McCallum, Christian Richard, Battelle Seattle
Research Centers;
Related product and system vendors;
Public advocate discussion lists (such as http://
tech.groups.yahoo.com/group/safepipelines)
Other industries utilizing validation and certification
programs, including:
[ctrcir] Aviation,
[ctrcir] Railroad,
[ctrcir] Nuclear power, and
[ctrcir] Electric power transmission.
PHMSA gathered additional information from the Environmental
Protection Agency, the Occupational Safety and Health Administration,
and the Chemical Safety Board. Because training, qualification, and
certification programs are implemented in various forms, discussions
about lessons learned in the development, implementation, and
maintenance of programs in other industries were especially valuable.
PHMSA sponsored two public workshops (June 27, 2006, and May 23,
2007) that provided various stakeholders an opportunity to discuss
options to enhance the adequacy of control room management, provide
substantiation of existing pipeline control management processes,
discuss human fatigue issues, present existing qualification processes,
and provide insights on other programs or methods used to provide for
effective monitoring and control of pipelines.
The workshops provided additional information and promoted
discussion on the most critical factors emerging from the CCERT and the
NTSB recommendations (discussed below) affecting the control and
monitoring of gas and hazardous liquid pipelines. PHMSA provided an
opportunity to discuss findings as a basis for providing further
assurance about the effectiveness of pipeline control and the skills
and qualifications of controllers. To foster discussion, PHMSA posed a
number of specific questions in the Federal Register notices announcing
the workshops, which were then discussed during the workshops, yielding
valuable information, ideas, and opinions from a broad assortment of
stakeholders.
The first workshop was divided into several sessions, each
highlighted by panel discussions and an open question and answer
period. The panels were made up of subject matter experts from the
public, industry, and government. The panelists discussed formalized
procedures to control shift rotation schedules, shift changeover
practices and possible ways to improve training on fatigue. Discussions
included the CCERT recommendations providing clear direction regarding
the controller's authority and responsibility to promote prompt
detection and appropriate response to abnormal operating and emergency
conditions and ways to address major changes in the controller's
operating environment.
The panelists discussed the importance of operators routinely
reviewing alarm and event displays to identify when changes are
necessary as well as additional measures to further protect against
unauthorized access to the SCADA area. Different types of training
associated with the recognition of abnormal operating conditions,
emergencies, and maintaining personnel qualifications were also
reviewed. A more detailed summary of the workshop is available in the
CCERT docket, PHMSA-RSPA-2004-18584.
The significant outcome of CCERT was the identification of elements
that can provide value in controller training and qualification
processes and the recognition of the importance of thoroughness and
clarity of controller-related procedures that affect pipeline safety
and integrity. Also of value was the identification of a validation
process for the implementation and review of these same processes and
procedures. Enhancements to operator programs affecting controllers can
be realized with thorough and formalized procedures and practices,
additions to training and qualification programs, stimulated
discussions in industry fostering a continued sharing of best
practices, and the development of industry-wide recommended practices
and standards. Other factors can also influence a controller's ability
to succeed. Pipeline operators should identify a controller's physical
work environment, visual and aural distractions, ancillary work
assignments that dilute a controller's attentiveness, workload, and
SCADA system performance.
The CCERT team concluded that a single controller certification
process for the entire pipeline industry would not be appropriate for a
number of reasons. First, because of the wide variability
[[Page 53082]]
among pipeline systems, a uniform controller qualification
(certification) examination would have to be very general. Second, a
general exam would need to be supplemented by significant and specific
material for each system by each operator before a controller could
adequately perform his duties. Third, a uniform controller
qualification or certification test for the entire industry would not
address many operator-specific and sometimes unique tasks critical to
individual pipeline safety and integrity.
The CCERT team concluded, however, that requiring operators to
validate, review, and continuously improve the adequacy of controller-
related training, qualification, and procedures specific to each
operator's pipeline would lead to improved public safety and better
safety management in control rooms.
The CCERT team also concluded:
As a cause or contributor to pipeline events or failures,
control rooms rank very low compared to corrosion, material defects,
and third party damage, but controllers must respond appropriately to
each of these identified contributing factors.
Controllers are in a position of great importance to
detect and react to abnormal operating and emergency conditions,
thereby helping to avert failures and mitigate damage after a failure
occurs.
Controllers are key players in a company's response to
abnormal operating and emergency conditions.
The low probability of controller error is offset by the
potentially high consequence of damages and injuries as a result of
their improper actions.
Remote monitoring or control through the use of a computer
system may be performed in a formal control room, or numerous less
formal settings such as an individual's office, service vehicle, or
residence.
The location of monitor or control functions does not
define the nature or complexity of operations.
Established definitions used in other regulations such as
large or small operators based on pipeline mileage, location of the
facility, or less than 20% of the specified minimum yield strength
(SMYS) of the pipeline, are not good qualifiers in defining control
room risks.
More complex and diverse operations call for more thorough
control room systems and processes.
Involvement of field personnel in control activities has
the potential to positively or negatively influence risk control.
Although some operators still use 8-hour shifts, most
operators have moved to 12-hour shifts.
Choice of shift plan and rotation schedule is usually not
supported by analytical review for fatigue.
Most operators are performing at least a subset of the
actions included in this proposed rule, but frequently without
documentation of the basis for their process design choices or
implementation methods, and sometimes without formalized procedures to
maintain consistency or to provide for continuous improvement through
review.
Because controllers can have a great influence on the outcome of
abnormal operating and emergency conditions, it is important that we
provide for adequacy of controller knowledge, skills, abilities, and
performance and their maintenance over time. PHMSA has identified
fundamental operating procedures and practices, which should be used by
pipeline controllers to enhance public safety. Most operators are
currently using a subset of these procedures and practices, but use of
these procedures and practices is not universal throughout the
industry. The project team concluded that operators should be required
to have more thorough, formalized procedures and processes for
controller training and qualification which would be evaluated by the
appropriate Federal or state regulatory authority.
PHMSA collected and reviewed information from recent accident data
analysis, complaints, inquiries, safety related condition reports,
operator visits, PHMSA CCERT team operating experience, and the CCERT
pilot program to be certain the activities of the pilot project
operators and subsequent recommendations included recognition of
lessons learned from those events that have been attributed to, or
aggravated by, controller action or lack of action. While information
reviewed indicates there is low probability for controller error to be
the primary cause of an accident when compared to corrosion and other
causal factors, this can be offset by the potentially high consequence
of controller actions or inaction. Other industries, which employ
validation and certification programs for control room personnel, also
provided lessons learned in the development, implementation, and
maintenance of validation and certification programs.
Through the CCERT study, PHMSA identified a number of areas
associated with the performance of control rooms that require
enhancement. These areas were identified through numerous control room
observations, PHMSA CCERT team operating experience, the collection of
related research and project activities, controller cognitive skills
review, the pilot program, and the comparisons with control room
management issues in parallel industries. The enhancement areas
incorporated into this proposed rule are as follows:
Clearly define the roles and responsibilities of
controllers to promote their prompt and appropriate response to
abnormal operating conditions.
Formalize procedures for recording critical information
and for exchanging information during shift turnover or other times
when a controller needs to be away from the desk and duties.
Establish shift lengths, maximum hours of service
limitations, and schedule rotations that provide sufficient time off
work for rest in order to protect against the onset of fatigue that
could affect the performance of pipeline controllers.
Educate controllers and controller supervisors in fatigue
mitigation strategies and how non-work activities contribute to fatigue
that could affect pipeline control and control room management.
Periodically review SCADA displays to ensure controllers
are getting clear and reliable information from field stations and
devices.
Periodically audit alarm configurations and handling
procedures to provide confidence in alarm signals and to foster
controller effectiveness.
Involve controllers when planning and implementing changes
in operations.
Maintain strong communications between controllers and
field personnel.
Determine how to establish, maintain, and review
controller knowledge, skills, abilities, and qualifications.
Develop performance metrics with particular attention to
response to abnormal operating conditions.
Analyze operating experience, including accidents, for
possible involvement of the SCADA system, controller performance, and
fatigue.
Validate the adequacy of controller-related procedures and
training, and the qualifications of controllers annually through
involvement by senior-level executives of pipeline companies.
PHMSA considers annual senior executive validation a key element.
This would require a pipeline operator's senior executive responsible
for pipeline operations to attest to the content and thoroughness of
controller training and qualification programs and
[[Page 53083]]
related procedures that impact safety, and to verify that the
individuals who operated the pipeline or LNG facility during the year
have completed these training and qualification programs. The executive
validations would be subject to regulatory review and inspection, and
create a stronger ownership and responsibility of senior management in
regard to potential fines and court proceedings. A secondary benefit of
this validation process would be improved communication between
executive level management, control room supervision, and controllers
regarding concerns, duties, procedures, and processes resulting in an
elevated awareness within each pipeline operator regarding the critical
nature of a controller's job as well as the impact of controller duties
on the safety and integrity of pipeline operations.
Discussions in the first public workshop held June 27, 2006
reflected general acknowledgement by the pipeline industry that the
process outlined above was appropriate to reduce control room risk.
There was also general agreement that much of the process is in place
in many pipeline control operations. A summary of this workshop is
available in the docket PHMSA-RSPA-2004-18584.
PHMSA's second public workshop was held on May 23, 2007.
Representatives of the pipeline industry, trade associations, the NTSB,
other modes of transportation, and public interest groups presented
their views on issues ranging from operator fatigue to the need to
periodically review control room procedures. There was general
agreement among workshop participants that controllers play an
important role and that a human factors plan could have value. At the
same time, most agreed that there was no need for major changes to
current control room practices and staffing. A summary of this workshop
is available in the docket PHMSA-2007-27954.
B. NTSB SCADA Study
The NTSB conducted a safety study on hazardous liquid pipeline
SCADA systems during the same time period as PHMSA conducted the CCERT
study. The PHMSA project addressed a wider perspective of interest, but
includes findings similar to those in the NTSB Report.\5\ The NTSB
study identified areas for potential improvement, which resulted in
five recommendations; three are incorporated in this proposed rule.
PHMSA is addressing the other two recommendations independent of this
proposed rulemaking.
---------------------------------------------------------------------------
\5\ NTSB, ``Supervisory Control and Data Acquisition (SCADA)
Systems in Liquid Pipelines,'' Safety Study NTSB/SS-05-02, adopted
November 29, 2005.
---------------------------------------------------------------------------
The impetus of the NTSB study was a number of hazardous liquid
accidents investigated by the NTSB in which leaks went undetected after
the initial indications of a leak were apparently evident on the SCADA
system. The NTSB designed its SCADA study to examine how hazardous
liquid pipeline companies use SCADA systems to monitor and record
operating data and to evaluate the role of SCADA systems in leak
detection. The study identified five areas for potential improvement:
Display graphics.
Alarm management.
Controller training.
Controller fatigue data collection.
Leak detection systems.
While this NTSB SCADA study specifically addressed hazardous liquid
pipelines, NTSB included in the report an appendix listing all of its
SCADA-related recommendations, which resulted from investigations of
both hazardous liquid and gas pipeline accidents. Since 1976, the NTSB
has issued approximately 30 recommendations either directly or
indirectly related to SCADA systems involving both hazardous liquid and
gas pipeline systems. PHMSA considers that the NTSB recommendations
apply equally to gas and hazardous liquid pipelines and to LNG
facilities. The recommendations are as follows:
NTSB Recommendation P-05-1
Operators of hazardous liquid pipelines should be required to
follow the API Recommended Practice 1165 (API RP 1165) for the use of
graphics on the SCADA screens.
NTSB Recommendation P-05-2
PHMSA should require pipeline companies to have a policy for the
review and audit of SCADA-based alarms.
NTSB Recommendation P-05-3
Operators should be required to include simulator or non-
computerized simulations for training controllers in recognition of
abnormal operating conditions, in particular leak events.
NTSB Recommendation P-05-4
PHMSA should change the hazardous liquid accident reporting form
(PHMSA F 7000-1) and require operators to provide data related to
controller fatigue. PHMSA is addressing this recommendation in a
separate action.
NTSB Recommendation P-05-5
PHMSA should require operators to install computer-based leak
detection systems on all lines unless engineering analysis determines
that such a system is not necessary. PHMSA is publishing a report on
leak detection systems and technology in 2008.
PHMSA is addressing the first three recommendations in this
proposed rule. Based on PHMSA's review of accident and incident data,
the project team found that errant SCADA displays have the potential to
confuse or mislead controllers or field personnel. They also found very
few operators who consider the impact of color perception impairments
and screen clutter or who perform periodic point-to-point verifications
of screen display data with field instrumentation. Furthermore, the
team found that training of the controllers usually did not include
reference material to guide controllers to particular types of displays
to help resolve certain types of abnormal operating conditions quickly
or to address emergency response.
The CCERT team found through discussions with operators that
policies were seldom in place for systematically reviewing alarms on a
regular basis. Many operators were not analyzing the number of alarms,
seeking to eliminate unnecessary alarms, routinely determining if new
alarms were needed, studying alarms to consider if grouping could
consolidate information for more effective use, looking for systemic
alarms, or reviewing alarms to verify alarm descriptions were clear to
the controller. In addition, operators were not reviewing alarms to
determine if abnormal operating conditions were frequently occurring
together or consecutively. Rate-of-change alarms often were not being
used as operational tools for controllers. Most operators were not
looking for potential gradual degradation of controller response or
changes in controller performance. Operators may have to reduce
pressure because of concerns about the integrity of the pipeline, such
as anomalies discovered during integrity management assessments.
However, in many cases, the operators were not changing associated
alarm set-point values, or field relief values, correspondingly when
implementing these pressure reductions.
The CCERT team's discussions with controllers identified that
generic simulators and high-fidelity (frequently referred to as
``full'') simulators were preferred training tools. The controllers
interviewed generally found full simulators to have significant value.
Tabletop discussions and exercises, and computerized simulators, were
both found to be valuable resources for controllers in training for
response to
[[Page 53084]]
abnormal operating conditions. Direct controller involvement in
scenario development of tabletop exercises and computer-based
simulations can add safety value to these tools. Controllers can also
provide significant feedback on exercise performance. However,
controllers were frequently not represented in the development of
exercises and frequently did not participate in exercises other than to
call out appropriate responders. Controllers were seldom asked what
could be done to make an exercise more realistic, provide greater value
or improve team response performance.
C. DOT's Human Factors Coordinating Committee (HFCC)
The Secretary of Transportation established the HFCC in 1991 to
become the focal point for human factors issues within DOT. Since its
inception, the HFCC, a multi-modal team with government-wide liaisons,
has successfully addressed crosscutting human factors issues in
transportation. The HFCC has influenced the implementation of human
factors projects within and among DOT's operating administrations,
provided a mechanism for exchange of human factors and related
technical information, and provided synergy and continuity in
implementing transportation human factors research. DOT recognizes that
many human performance issues are crosscutting and will benefit from a
multi-modal approach. DOT needs coordinated human factors research to
permit large research efforts that modes cannot support individually,
to address multi-modal transportation issues, as well as to advocate
for timely human factors research in transportation system solutions.
PHMSA continues to actively participate on the HFCC, and has drawn
from the work of the HFCC to help identify fatigue management
strategies for control room management.
IV. PIPES Act of 2006
The PIPES Act of 2006 (Pub. L. 109-468) imposed additional
requirements on PHMSA with respect to control room management and human
factors. The PIPES Act requires PHMSA to issue regulations requiring
each operator of a gas or hazardous liquid pipeline to develop,
implement, and submit a human factors management plan designed to
reduce risks associated with human factors, including fatigue, in each
control room for the pipeline. Operator plans must include a maximum
limit on the hours a controller may work in a single shift between
periods of adequate rest. PHMSA, or a state authorized to exercise
safety oversight, is required to review and approve operators' human
factors plans, and operators are required to notify PHMSA (or the
appropriate state) of deviations from the plan.
The PIPES Act also requires PHMSA to issue standards to implement
the first three recommendations of the NTSB SCADA safety study as
described above. Controllers using computer equipment to monitor or
operate pipeline facilities can be impacted by display information,
alarms, and abnormal operating conditions regardless of what type of
system they operate. PHMSA considers the recommendations to be equally
applicable to hazardous liquid and gas pipelines (transmission and
distribution) as well as LNG facilities. This proposed rule will
respond to the mandates in the PIPES Act relative to control room
management, human factors, and SCADA.
V. Standards, Recommended Practices, and Guidelines
One of the actions identified by CCERT was the development of
consensus-based best practices to promote controller success. PHMSA is
encouraged by recent industry efforts, including industry review of
existing standards (such as the Instrument Society of America SP-18 and
the Engineering Equipment and Materials Users Association 191A),
guidance material in development by the Transportation Security
Administration (TSA) focusing on SCADA CyperSecurity, and the
development of other guidance, recommended practices, and standard
documents. The structured development process used to establish this
type of material has historically yielded great safety value. Such
efforts focused on Control Room Management have the potential of
enhancing safety, especially when all key stakeholders are included and
contribute to the process.
The following is a list of identified applicable standards,
recommended practices, white papers, and guidance material that have
been established, revised, or that are currently under development:
API RP-1165, SCADA Display Standard.
American Society of Mechanical Engineers (ASME) B31Q,
Operator Qualifications.
API 1164, SCADA Security.
API RP1167, Alarm Management.
AGA, Alarm Management.
API RP 1161, Qualification of Liquid Pipeline Personnel.
TSA, SCADA CyperSecurity Guidance Material.
API RP 1168, Control Room Management.
ISA SP-18, Instrument Signals and Alarms.
EEMUA 191A, Alarm Systems--A Guide to Design, Management
and Procurement.
API recommended practice on control room management was initiated
in February, 2008 and is anticipated to be completed in February, 2009.
It is anticipated this document will address four of the nine
enhancement areas addressed in PHMSA research and required in the PIPES
Act. Specific guidance anticipated in this recommended practice will
address: (1) Roles and Responsibilities, (2) Shift Operations, (3)
Management of Change, and (4) Fatigue. PHMSA anticipates guidance on
such aspects as clarifying operator's expectations for controllers to
take action, information flow needed on field activities that could
affect pipeline operations, direction of shift rotation and time
between shifts, extent of off-duty activity and fatigue management
strategy, personal responsibility for rest, how to recognize and
mitigate fatigue, and the content of education programs to share with
families of the controllers.
PHMSA and NAPSR have been participating in the development of this
recommended practice and other national consensus document efforts and
will continue to support, participate in, and encourage the development
of national consensus standards and recommended practices. Once these
materials are completed, PHMSA will review them and consider a
regulatory amendment to incorporate by reference all or parts of such
applicable documents in amended regulations.
VI. PHMSA's Proposed Approach
PHMSA is proposing to require that appropriate control room
management elements be incorporated into operator plans and procedures
already required by existing regulations. PHMSA believes this approach
will minimize the burden on operators and will prove more effective in
the long term, because it will integrate these elements directly into
the existing operator programs associated with these actions. This will
also avoid operators having another plan that may create or exacerbate
internal communication complexities. As is the case with other
regulations, an operator would not be expected to establish processes
and procedures for those tasks not applicable to their operations.
These requirements would apply to operators of hazardous liquid,
gas transmission, and gas distribution pipeline facilities, as well as
to
[[Page 53085]]
operators of LNG facilities. The requirements would not apply to
operators of master meters or petroleum gas systems unless the operator
transports gas as a primary activity. Master meter and petroleum gas
pipeline systems are generally very simple and typically consist of
only pipe, service regulators, meters, and manual valves. These systems
do not typically include a control room, equipment requiring local
control or computer systems for operations, or provisions for
continuous remote monitoring. Operators of these systems are excluded
from the scope of this proposed regulation. This proposed exclusion is
consistent with other PHMSA initiatives and regulations.
The control room management elements describe ``what'' an operator
must include but not ``how'' an operator must carry out such elements.
This is typical of performance-based regulations and it recognizes the
significant diversity present among pipeline systems and control rooms.
One of the elements proposed is a plan that each operator would
develop and implement to limit the maximum length of time that a
controller could work in a single shift between periods of adequate
rest. The PIPES Act specifies that PHMSA (or a state authority) may not
approve a control room management plan that does not include such a
limit. This rule does not propose a maximum hours of service limit,
since PHMSA recognizes operator-specific factors may affect this limit
for each operator. Many controllers work 12-hour shifts, as do
individuals with similar jobs in other industries. PHMSA has no
technical objection to 12-hour shifts. For control rooms staffed on a
24-hour basis, we also recognize that additional time is required at
the beginning and end of each shift to accomplish a thorough shift
turnover between incoming and outgoing controllers. Thorough shift
turnover procedures are important and are one of the elements included
in this proposed rule.
Research performed by others has repeatedly identified a need for
individuals to have eight hours sleep each day to maintain their best
performance.\6\ PHMSA understands that operators have limited control
over what a controller does during off-shift hours, but the agency
expects that shift schedules will be established to provide a
reasonable opportunity for a controller to achieve eight hours of sleep
and for operators to educate controllers on the importance and need for
adequate rest. PHMSA expects operators to take these factors into
consideration when establishing a limit on the maximum hours an
individual controller would work in a single shift, between periods of
adequate rest. Operators should also consider other factors that may be
unique to their operations and should provide an adequate amount of
time between shifts so that controllers can rest and be expected to be
free from fatigue.
---------------------------------------------------------------------------
\6\ For a discussion of research concerning fatigue and need for
sleep, see Federal Motor Carrier Safety Administration proposed
rule, May 2, 2000 (65 FR 25540). PHMSA is not relying on any
particular study cited by FMCSA for its action here, but rather on
the totality of research indicating that an 8-hour sleep period is
necessary to provide for optimum human performance.
---------------------------------------------------------------------------
Shift change may not be the only time that controllers relieve each
other and need to communicate critical information. Operators need to
consider what other factors may determine when a thorough and complete
set of information is necessary to be communicated to controllers and
their supervisors. PHMSA will take all the above factors into
consideration when reviewing operators' shift plans, rotations and
schedules and educational programs about the importance of adequate
rest.
PHMSA will fulfill the PIPES Act requirement to review operator
plans by evaluating related programs, procedures, records, and related
documentation during inspections. PHMSA will also develop guidance to
assist inspectors in conducting comprehensive inspections and
evaluations addressing all required control room management elements.
This guidance will help Federal and State agencies achieve maximum
impact from the evaluation of operators' plans, maintain consistency
and uniformity among inspections, and reduce the amount of subjectivity
during inspections.
VII. The Proposed Rule
This proposed rule would affect operators of hazardous liquid, gas
transmission, and gas distribution pipelines and operators of LNG
facilities that use controllers. The nature of these facilities and
their related control rooms vary, as do the complexity of pipeline
systems and facilities. The proposed rule would not affect master meter
operators or operators of petroleum gas systems unless the operator
transports gas as a primary activity. This performance-based rule
describes the necessary elements and outcomes operators must accomplish
but does not prescribe exactly how operators must incorporate each
element. Each operator must have documented procedures, guidelines or
practices, tailored to the operator's specific systems, control regime,
and circumstances.
Controllers play a critical role in any system that uses human-
machine interface to monitor or control pipeline systems, LNG
facilities, or other equipment. The nature of that role varies with the
type of commodity and the relative complexity of the pipeline system
and facilities, but the analytical and cognitive skills needed are
similar in all cases. Gas industry trade groups have expressed their
view that controllers have limited opportunity to affect pipeline
safety; PHMSA disagrees. Furthermore, gas pipeline controllers
interviewed by PHMSA and those serving as subject matter experts on the
ASME B31Q \7\ national consensus standards team for operator
qualifications have also indicated that their actions could impact
safety. While the compressibility of gas and the rapid progression of
gas transmission pipeline failures generally make it unlikely that
controller actions can cause an incident or mitigate the immediate
effects of an incident, PHMSA believes that controller actions in gas
pipeline systems can make incidents more likely.
---------------------------------------------------------------------------
\7\ ASME B31Q is a national consensus standard governing
qualification of pipeline operating personnel. A team of experts
representing various technical disciplines within pipeline operating
companies, including controllers, developed the standard.
---------------------------------------------------------------------------
PHMSA also believes that controllers can hinder mitigative actions
after the initial consequences of a rupture; can recognize abnormal
operating conditions and intercede to prevent incidents; and can
routinely perform significant functions to operate the pipeline and
facilities in a safe manner. PHMSA also notes that all controllers
serve important functions in the response to incidents and accidents.
In many cases, controllers serve as the first line of defense to
prevent incidents and accidents, and thus serve an important safety
function requiring special training and qualification. PHMSA concludes
that the minimum actions required by this proposed rule, expressed in
simple performance terms, are necessary and reasonable. PHMSA also
concludes that many are these actions already being used or exceeded by
pipeline operators and that imposition of these requirements will
improve safety without unreasonable burden.
This proposed rule would add provisions to 49 CFR parts 192, 193,
and 195. Rather than describe these changes on a section-by-section
basis, this document describes them by topic
[[Page 53086]]
because the general content of the changes in each part is the same.
A. Changes to Operations and Maintenance (O&M) Manuals
PHMSA is proposing the human factors management plan required by
the PIPES Act be comprised of several enhancements in each operator's
written O&M procedures manual(s), OQ program, and emergency procedures
plan. PHMSA believes this makes it more likely that the actions
required in this proposed rule will be integrated effectively into
pipeline operations, thus limiting the potential for miscommunications
to occur.
PHMSA is proposing to include these requirements in a separate
section within each part because we believe the verification and
deviation reporting provisions of this proposed rule will be easier to
understand if included in a separate code section for control room
management.
B. Definitions
This proposed rule adds the definitions of four key terms to
improve the clarity of the proposed new requirements: Alarm,
controller, control room, and SCADA.
An alarm is defined as an indication provided by SCADA or a similar
monitoring system that a monitored parameter is outside normal or
expected operating conditions. Controllers need to be aware of these
conditions, and a number of these conditions need to be controlled in
order not to overwhelm the controllers. The proposed rule provides for
periodic actions to review alarm management. The new definition is
intended to make certain that treatment of these abnormal indications
is addressed as part of this management, whether or not individual
operators call them alarms.
Fundamentally, a controller is an individual who uses computer-
based equipment to monitor, or monitor and control, all or part of a
pipeline system or LNG facility. Individuals who monitor or control a
pipeline or LNG facility using computerized systems are controllers.
For the purposes of this rule, individuals who operate equipment
locally but who cannot actually see the equipment respond without using
a closed circuit television system or other external devices are
controllers when performing these activities, regardless of their job
title or whether their actions are overseen by other controllers or
supervisors. Conversely, individuals who operate equipment locally and
can see the equipment respond without using a closed circuit television
system or other external devices are not controllers. Maintenance and
other personnel accessing data from the control system are not
controllers.
While controller oversight of individuals operating equipment
locally can facilitate the recognition of inappropriate control actions
and possibly mitigate their consequences, the oversight does not
generally allow prevention of inappropriate actions before they create
adverse conditions. PHMSA believes that preventing actions that could
result in unfavorable consequences is more important than identifying
and possibly mitigating these actions after they occur. Therefore, we
conclude that treating individuals operating equipment locally as
controllers, even if they are subject to oversight or supervision by
other trained individuals, is necessary to maintain public safety.
A control room is traditionally a central location where a pipeline
system or LNG facility is monitored or controlled, regardless of
whether all, or only part, of a pipeline system or LNG facility is
monitored or controlled. Control rooms may include multiple stations
for individual controllers who monitor or control portions of the
pipeline system or facility, or instead may house a single controller.
Central locations within a field station (e.g., pump or compressor
station, terminals) that include controls for multiple pieces of
equipment are considered control rooms for purposes of this proposed
rule, though the equipment at such field locations may not include the
capability to monitor or control portions of the pipeline outside of
the field station. A control room is sometimes referred to as a control
center, control station or by other similar terminology. However, a
controller may perform his duties by non-traditional means such as
using a laptop in a vehicle.
This proposed rule adds a definition for SCADA. These are the
computer-based systems that collect and display information about the
status of the pipeline or facility and display that information to
controllers for their use in monitoring or controlling the pipeline or
facility. Many SCADA systems provide the capability to control pipeline
equipment from remote control panels but systems that only provide
monitoring information are also considered SCADA systems.
C. Implementation Schedules
PHMSA recognizes that different pipeline systems possess different
levels of risk from potential controller errors. We also recognize that
developing and implementing procedures for more complex systems that
pose the greatest risks needs to be thoroughly analyzed. Operators must
take the time necessary to be thorough in developing their procedures.
Complex systems often require additional time to train all personnel
and fully implement these procedures. For some pipelines, negotiations
with unions may be required to implement these requirements; such
negotiations take time. PHMSA has tried to balance these needs in the
implementation schedules included in this proposed rule.
Operators of hazardous liquid pipelines and gas transmission
pipelines controlled or monitored remotely and operators of LNG plants
with controllers would be required to develop procedures within one
year after the effective date of the final rule. These operators would
have one additional year to implement these procedures completely,
including all necessary training.
The proposed rule would require operators of hazardous liquid
pipelines and gas transmission pipelines to develop procedures for
control rooms that control only equipment within a single site (e.g.,
pump or compressor station) within two years after the effective date
of the final rule and to implement those procedures within an
additional six months. This reflects the relatively lower risk
associated with control rooms for these single facilities and allows
the operators of the more complex pipelines to focus their initial
efforts on remote-operation control rooms where potential risk is
greater.
Operators of gas distribution systems would have two years after
the effective date of the final rule to both develop and implement
procedures. These systems operate at lower pressures, usually have
field response crews in close proximity to instrumentation, and pose
lower consequence risks from controllers. Many gas distribution
operators are small companies or municipal departments that will
require additional time to manage limited technical resources available
to write procedures. At the same time, the relative simplicity of these
small systems makes it easier to train controllers and implement new
procedures.
Pipeline systems that rely solely on local control pose less
consequence risk than more automated and remote control actions. These
small pipeline systems generally rely on the most limited resources.
This proposed rule allows 30 months after the effective date of the
final rule for operators of these pipeline systems to both develop and
implement the necessary procedures.
[[Page 53087]]
Implementing changes for existing systems and facilities takes
time. The situation is different for new installations and existing
facilities that are significantly changed (e.g., implementation of a
new SCADA system). The proposal would require operators of systems with
control rooms that are placed in service or significantly modified more
than 12 months after the effective date of the final rule to develop
procedures as part of the design and installation of the new systems
and to implement those procedures when the control room is placed in
service. Control rooms that will be implemented within 12 months of the
effective date of the final rule are well along in design and planning
and PHMSA concludes it is best to treat these facilities as existing
control rooms.
Mergers and acquisitions can present a unique challenge for
controllers and control rooms. Controllers must develop an
understanding of the hydraulics of a new system; become familiar with
new display graphics; handle an increased workload on existing
consoles; learn new hardware and software systems using different
instrumentation or control methods and changed alarm designations and
priorities; and participate in a shadow control scheme until training
is complete. Detailed plans on how to introduce each element into the
remaining control room and how to train and qualify controllers on
newly introduced systems must be developed. For example, each operator
must develop and implement a plan that includes how controllers will
provide input on alarm descriptors, how this input will be implemented,
and how controllers will receive training on alarm descriptors before a
system is under their authority or responsibility for monitor or
control.
D. Roles and Responsibilities
The proposed rules require each operator to clearly define and
document the roles and responsibilities of controllers for prompt and
appropriate response to abnormal operating conditions and emergencies.
Such documentation will also define the controller's authority and the
pipeline operator's expectation for the controller to take action.
Controllers are often the first to become aware of developing abnormal
operating conditions or emergencies and can often play a critical role
in response to these events. Timely and appropriate controller actions
can arrest developing problems and return a pipeline system or LNG
facility to normal operations. Conversely, untimely or improper
controller actions can exacerbate abnormal operating conditions, which
could potentially lead to incidents and accidents.
Sometimes controllers are not the first to notice a problem.
Problems may be identified by field personnel or reported by the
public. Controllers must know their roles in responding to these
situations and in communicating with management, field staff, the
public, government agencies, emergency response personnel, and other
operators of pipelines or utilities that may share a common right-of-
way.
For situations that pose the most significant risks to public
safety and the environment, prompt action by controllers is often
needed. In other situations, management may expect controllers to
consult with them before taking actions. Therefore, controllers must
know the limits of their responsibility and authority for making
safety-related decisions and for taking safety-related actions in all
situations. The proposed rule requires operators to develop processes
so that management and controllers have uniform expectations and
understandings about response requirements before an abnormal operating
condition or emergency arises. The proposed rule would also require
operators to establish processes to allow controllers to seek and
receive management input in a timely manner when required.
E. Assuring Adequate Information
Controllers must have accurate and up-to-date information about the
status of the pipeline system, equipment, or facilities they monitor or
control. For example, they need to know pressures, flow rates, and
temperatures, as well as the operating status of compressor and pump
stations, the position of valves, and the availability of standby
equipment that might be substituted in the event of a failure. They
also need to know what effects power loss would have on equipment
status. Without timely and correct information, controllers cannot take
appropriate actions to control normal pipeline operations nor can they
promptly identify abnormal situations and take actions to arrest event
progression and prevent larger problems. This proposed rule requires
each operator to develop processes to provide that controllers receive
the timely and necessary information they need to fulfill their
responsibilities at all times.
F. SCADA
Many pipeline operators use SCADA, DCS, or internet-based systems
to allow controllers to monitor or control pipeline systems or LNG
facilities remotely. SCADA is used in this document to mean SCADA, DCS
or other methods of communicating data for monitoring or controlling
pipeline systems and LNG facilities.
SCADA systems must be configured and programmed to provide accurate
information to the controller and to transmit any command actions
accurately. It is also important for controllers to recognize and react
to information changes about the state of the pipeline. Cluttered or
poorly organized SCADA screens may not be logical to a controller.
Unless a controller quickly recognizes SCADA information, he or she may
not be able to process the information into knowledge upon which to
base control actions.
The API recognized the need for clear and logical SCADA displays
and published a recommended practice, API RP-1165. This recommended
practice provides guidance to operators to help them develop SCADA
screens that display information clearly, logically, and without
clutter to maximize the ability of controllers to use the information
effectively. This proposed rule requires pipeline operators with SCADA
systems to follow API RP-1165 or be able to demonstrate that the
recommended practice is inapplicable or impracticable.
SCADA information is only useful when accurate, timely, and
properly displayed. Complex SCADA systems receive information from
sensors, transmitters, and other equipment located throughout an LNG
plant or pipeline system and use algorithms to convert the information
into a more useful form for the controller. SCADA systems must also
provide for unexpected communication interruptions from one or more
instruments or transmitters. The loss of a few data points must not
result in a complete loss of system information or system malfunction
to the controller.
SCADA systems must have a backup communication system, which is
tested periodically to verify its performance. Alternatively, a
pipeline operator must have an adequate means to operate manually or
provisions to shut down the affected portion of the pipeline safely.
Server load should also be reviewed on a regular basis and monitored
for increased activity affecting controller-required tools. Operators
should be aware of software-specific concerns (e.g., through user-group
meetings) and should develop methods to prevent these issues from
affecting controller performance.
SCADA systems must have provisions to accommodate different kinds
of
[[Page 53088]]
problems, for example, stale data. When communications problems arise,
a SCADA system may present the most recent (though stale) data until
data communications are restored. SCADA systems must display this stale
data in a manner that is easily recognized by the controller,
particularly when the data have not been updated for a significant
amount of time. Not all SCADA systems are configured to provide
warnings (flags) to controllers to warn of stale data. Therefore, the
proposed rule requires operators to identify methods to allow
controllers to recognize stale data at all times.
SCADA system integrity is usually verified when the system is
initially installed by checking instrument readings and other data on
each display screen. The readings and data are checked for accuracy and
to ascertain that they match the readings on the corresponding field
equipment or transmitters. The installation also verifies that signals
issued from the SCADA panels result in the proper control of the
corresponding equipment in the field. SCADA data processing is also
verified during installation. While all this serves to verify the
initial SCADA installation, SCADA systems, pipeline systems, and LNG
facilities can change over time. Any of these changes can lead to
misinformation problems for both controllers and field personnel.
To verify that existing SCADA systems are accurate, this proposed
rule would require operators to conduct an initial point-to-point
baseline verification for each SCADA system to validate and document
that field equipment configurations agree with computer displays.
Operators would check from transmitter-to-display to verify that the
correct values (and units) are displayed on the SCADA screens at the
correct relative locations. Operators would also verify that alarm and
event functions occur at specific set-points or upon certain actions by
the correct corresponding equipment and that all controlled equipment
appropriately responds to SCADA inputs and outputs. This requirement is
intended to verify that existing SCADA systems are accurate despite
changes that may have been made without verification since the initial
installation.
Operators of pipeline systems with more than 500 miles would be
required to complete the baseline verification within three years of
the effective date of the final rule. However, because SCADA systems
for large pipeline systems can have tens of thousands of data points to
check, it is not practical to require a complete verification at one
time. To offer some relief for these more complex systems, the proposed
rule would allow operators to credit verifications conducted up to
three years before the effective date of the final rule towards the
baseline verification. Operators of pipeline systems with less than 500
miles would be required to complete validation within one year of the
effective date of the final rule. This reflects the relative simplicity
of performing verification for these smaller systems and PHMSA's belief
in the importance of prompt baseline verifications. PHMSA invites
comments on the appropriateness of these time periods. We further
invite comments on alternative approaches to achieve the intent of
assuring baseline verification for each SCADA system. Another approach,
for example, might be a risk-based schedule to build off the risk
analyses most operators have previously completed for their integrity
management programs.
Once the baseline SCADA system has been verified, operators should
document and verify changes as they occur. Therefore, the proposed rule
requires operators to verify SCADA screens versus field configurations
when modifications or repairs are made to field equipment. For SCADA
system changes or new SCADA systems, however, the proposed rule
requires point-to-point verifications as part of the implementation
process for all portions of the pipeline system or LNG facility
affected by the change. The rule would also require operators to
develop and implement procedures to handle system maintenance changes
and SCADA point verifications such as alarm set-points, display
locations, value confirmations, and the proper operation of software
algorithms. Operators must make maintenance change notifications to
controllers as they occur and set a maximum time limit for changes to
be made and verified to the appropriate SCADA system displays and alarm
features. Individual operators would also be required to develop a plan
for systematic re-verification of the accuracy of the SCADA system
display.
Lastly, the proposed rule would require SCADA changes brought about
by mergers or buy-outs to be treated as a new SCADA system
implementation and verified accordingly.
G. Shift Change
SCADA systems and other means of providing real-time information to
controllers concerning the status of pipeline systems are important,
but such systems are not the only information important to a controller
in carrying out his duties. Controllers need to be aware of activities
that have occurred, are underway, or planned that could affect pipeline
operations during a shift. This includes, but is not limited to,
planned modifications and maintenance activities, noted indicators of
possible near-term problems including alarms, indications of any
abnormal operating condition, communications concerns or malfunctions,
points taken off-scan, and the unavailability of key field personnel.
Field personnel must promptly inform controllers when work is done that
could affect controller duties or displayed information. Under the
proposal, an operator's procedures must provide for making this
necessary non-computer-based information available to controllers.
PHMSA considers verbal communications important because accurate
verbal contact can provide for immediate verification of maintenance
activities and equipment status, and can corroborate information
received from other sources. Therefore, the proposed rule requires that
operators provide for timely verbal communications between controllers
and field personnel. Controllers must contact field personnel, on
occasion, to investigate the reason for abnormal indications, to carry
out emergency response actions, or to perform actions that cannot be
done remotely from the control room. Field personnel must inform
controllers when equipment is taken out of service, when values are
forced or locked in place, or when events that can have a near-term
impact on safety occur. Field personnel must promptly contact
controllers when conditions are identified that could indicate a leak
or incipient accident. Field personnel should be trained and encouraged
to contact the control center as quickly as possible whenever a leak is
suspected. The proposed rule also requires that operators identify in
procedures those circumstances, actions, and conditions for which field
personnel must notify the control room.
Operators should implement individual console or system log-in
features, if these are available, or record on the shift-change records
the time and the name of the controller who is responsible during the
shift-change procedure. While most pipelines operate 24 hours a day,
seven days a week, some do not. Small pipelines, such as those
dedicated to a single facility, may operate only as needed or for only
certain hours of the day. Many transmission pipeline systems have
implemented more sophisticated and complex control schemes and can
require extensive involvement of technical personnel other than
[[Page 53089]]
controllers. More thorough procedures and processes are needed to
manage these activities. In all cases, it is important that controllers
have a complete understanding of the conditions and activities
affecting the pipeline, including non-computer based information.
The proposed rule addresses this need by requiring that critical
information be recorded during each shift. Oncoming controllers can
review the log to make themselves aware of recent activities and
current conditions, even in those cases where a pipeline is not in
continuous operation and there is no ``shift change'' between
controllers. Operators would demonstrate compliance with this
requirement by making documented information available during
regulatory inspections.
For pipelines that operate continuously, controllers are expected
to interact with those who relieve them in order to communicate
important information. Virtually all pipeline operators with multiple
shifts expect controllers to provide such a turnover of information.
Shift change is not the only time that controllers are relieved of
their duties. Individual pipeline operators may relieve controllers at
breaks or at times when the individual is required to perform other
duties. Exchange of critical information is essential to the safe
operation of pipeline facilities at these times. PHMSA's CCERT
interviews with pipeline operators and controllers identified several
instances where there were no formal procedures for conducting shift
turnover and no clear understanding of the information that was to be
communicated when personnel relief occurs. In those instances, each
individual controller determined what needed to be communicated. The
proposed rule requires that operators provide for exchange of
information during shift turnover, including defining the minimum set
of information that must be communicated (e.g., by check sheet).
Adequate information may vary across different parts of an operator's
entire pipeline system. Each operator would be expected to define this
set of information, as this information would be aligned to the
specific system requirements. Operators must also provide for an
overlap of controller shifts sufficient to accomplish the necessary
exchange of information.
Controllers often have duties to communicate with personnel outside
their companies as well. In many cases, pipelines share a common right-
of-way with other pipelines or utilities. A problem on the pipeline can
affect these other pipelines or utilities and controllers need to
understand when it is their responsibility to notify these other
companies of potential problems. Controllers also often receive calls
from the public or emergency responders reporting indication of
problems. Since a control room is often staffed continuously, pipeline
markers usually list the control room telephone number for the public
to report problems.
A controller answering a call from the public or emergency
responders must obtain enough information from the caller to understand
the nature of the problem. Operators should provide training for
controllers to help assist them in obtaining complete and accurate
information. A controller must determine whether the problem is on his
pipeline or area of responsibility. If a controller determines a
problem is not on the pipeline he or she controls, the controller must
communicate the information to those who can address the problem, even
if this is the operator of another pipeline in a shared right-of-way.
Operators need to make sure that controllers know who to contact in the
event of a potential problem in a shared right-of-way, regardless of
which pipeline is affected.
Controllers should also be required to contact other operators in a
common right-of-way when aware of a leak associated within their area
of responsibility. There may be conditions when repairing a pipeline
that may elevate the risk associated with another pipeline in the same
corridor. For this reason, when controllers discover or are made aware
of leaks in a common pipeline corridor, they should contact all of the
operators in that corridor and explain the situation so that all
pipeline operators can work together to minimize potential damage.
H. Fatigue
Fatigue is a key safety issue for PHMSA. The NTSB also considers
fatigue one of its ``top ten'' safety concerns for all modes of
transportation. Fatigue can result in a loss of vigilance or a lack of
effective attention by a pipeline controller. All pipelines and
facilities normally have safety systems in place to protect against
accidents. The prudent use of safety systems, however, does not reduce
the importance of controllers as the first line of defense in
preventing accidents.
In most instances, monotony, not physical exertion, causes
controller fatigue. Monitoring pipeline operations from a computer
panel for many hours can be quite monotonous, especially for normal,
uneventful operations during the usual overnight human rest cycle. It
is important that pipeline operators take actions to help ensure that
controllers are not unduly affected by fatigue and verify that
controllers remain vigilant.
Key among these actions is establishing shift length and schedule
rotations to protect against the onset of fatigue and providing
controllers the opportunity to get sufficient rest between work shifts.
Many pipeline controllers work rotating shifts; that is, a controller
may work day shifts, night shifts, and possibly swing shifts within the
same week or within a few weeks or a month. There has been extensive
research by specialists in human behavior concerning shift work and the
effect these shift changes have on sleep patterns and fatigue. Topics
addressed in the research include the direction of shift rotation
(i.e., forward or back), the amount of time between shifts to help
provide for adequate rest, and the effects of off-duty activities on
fatigue during duty hours.
Many pipelines operate on 12-hour shifts, while others operate on
eight-hour shifts or shifts of other lengths. PHMSA does not object to
12-hour shifts, but we do note that shift rotations have seldom been
established based on research or what is best for the pipeline
controllers. Instead, the CCERT team found that shift rotation and
length have usually been established through management-union
negotiations or because the controllers prefer a specific schedule.
Moreover, we found that controllers prefer 12-hour shifts because they
result in longer periods of time off. Maximizing time off, however,
does not necessarily maximize the mitigation of fatigue. Operators who
continue to use 12-hour shifts should have procedures that include
provisions for unexpected holdovers or call-outs and they must ensure
the shifts are managed in a manner that requires controllers to have
adequate periods of rest between shifts to help protect against the
onset of fatigue during controller shifts.
Additionally, research shows that individuals need to have eight
hours of sleep per day to maintain their best performance; and that
work schedules can have a detrimental impact on an individual's
circadian rhythm. PHMSA recognizes that pipeline and LNG facility
operators cannot control or monitor controllers' off-duty time, but
operators can educate controllers on the need for adequate periods of
rest. Because off-duty time activities can influence on-duty fatigue,
controllers must accept responsibility for structuring their off-duty
time to allow for adequate rest and eight hours of sleep. The proposed
rule requires operators to train controllers and their supervisors in
fatigue management
[[Page 53090]]
strategies and how non-work activities can contribute to fatigue.
Supervisors and controllers must also be trained to recognize and
mitigate the effects of fatigue among controllers on a shift. These
training programs will require controllers and supervisors to exercise
personal responsibility for having adequate rest and prudent fatigue
management. In addition, these education programs must include
information that can be shared with the family of controllers because
they too need to understand that off-duty activities must allow time
for adequate rest to avoid on-duty fatigue.
In many control rooms, multiple controllers work together on a
shift along with a supervisor. In these circumstances, controllers can
watch for signs of co-worker fatigue and supervisors can oversee
assigned staff to help identify and mitigate instances of fatigue. Some
control rooms, however, operate with a single controller on shift. In
those instances, there is no other person present to recognize when the
controller is affected by fatigue. Accordingly, the proposed rule
requires operators to establish provisions to verify that a single
controller remains vigilant.
While PHMSA is not establishing an overall limit on the maximum
length of time a controller can work in a single shift, this proposed
rule requires operators to include in their written procedures a limit
on the length of time a controller can work and a requirement for
adequate rest between shifts. This proposed rule will meet the
requirements of the PIPES Act. The proposed rule allows operators to
base the limit on the particular operating circumstances of each
pipeline and to include provisions for deviations in emergency
situations.
PHMSA believes operators should establish an hours-of-service limit
based on its normal pattern of operations and in a manner that will
preclude individual controllers from working more hours than the
operator expects under normal circumstances. Operators should address
unusual and emergency situations using provisions for approved
exceptions that should be included in written procedures. Operators
should maintain documentation of these situations.
I. Alarm Management
A principal function of SCADA systems is to ``alarm'' or notify a
controller of circumstances when pressure, flow, temperature, or other
key pipeline operating parameters are outside the expected norms. Many
controllers acknowledge an alarm or event by silencing an audible sound
or responding to a flashing indication on a control screen. Controllers
must then take action to address the cause of the alarm or the effect
on the pipeline or facility. In some cases immediate action is
required; in other cases action can be deferred. Sometimes, the alarm
may simply be related to system changes such as the expected startup of
another unit and no action is required. Qualified controllers use their
judgment, experience and training to manage alarm response. Management
should review controllers' response to alarms and appropriately address
situations that require immediate or deferred actions to maintain
pipeline safety.
Alarm response and associated event information can help determine
whether abnormal operating conditions are promptly recognized, that the
responses to these conditions are properly handled in a timely manner,
and that controller abilities are not degrading over time. Alarms and
notifications can also provide information about the health and
operational status of communication and SCADA systems.
The proposed rule requires two levels of alarm management review.
On no less than a weekly basis, operators would be required to review
pipeline operations and the alarms and events that have been received.
Operators would confirm that events on the pipeline that should have
triggered alarms actually did. Operators would review controller
response to alarms to identify if abnormal operating conditions had
occurred and that the controller took proper action in a suitable
amount of time. Operators must also identify any unexplained changes in
the number of alarms received or in controller management of those
alarms, and take actions, as needed, to arrest any potentially
degrading situations either in controller performance or equipment
problems. Operators must identify ``nuisance alarms'' for which action
is not required and determine whether controllers actually need to
receive such notifications so that the total number of alarms is not
excessive. Both nuisance alarms and an excessive number of non-nuisance
alarms can contribute to a sense of complacency about alarm response.
Complacency can contribute to a situation in which controllers
acknowledge alarms but do not take action to clear them on a timely
basis. This factor must also be considered in the weekly reviews and
the associated system or instrumentation maintenance activities.
However, operators may choose to capture other operational and
maintenance information through alarm systems that are channeled to
others responsible to manage such information.
Once each calendar year (with intervals not to exceed 15 months),
the proposed rule requires that operators undertake a more detailed
review of alarm configuration and management. This review must consider
the number of alarms, potential systemic issues related to field
equipment or the SCADA system, potential systemic issues resulting in
excessive or unusual alarms, unnecessary alarms, changes in controller
performance in response to alarms, and a review of alarm set-point
values. Operators must also consider alarm indications of abnormal
operating conditions, including identifying any that occur frequently
in combination and assuring that these combinations are included in
controller training. Alarm descriptors and naming conventions also need
to be reviewed for clarity and consistency. Operators must consider
controller workload with respect to the number and nature of alarms
received. Alarms should also be reviewed for ongoing maintenance issues
or communication problems that need to be solved. Incident and accident
reviews should include a provision to check alarm or notification
operations for any required changes. The procedure must have a
mechanism to provide for controller feedback to alarm and notification
modifications.
J. Change Management
Changes to the pipeline system are important and can affect the
ability of a controller to do his job. System changes can affect the
hydraulics of the pipeline and change the response to control inputs.
It is important that controllers be aware of changes being made and
that controllers are involved early in the change process to help
identify and alleviate any undesirable effects on controllers and
control room operations. Similarly, changes to the SCADA system, or to
the instruments it monitors, can also affect a controller's
understanding of conditions on the pipeline and his recognition of the
need for control actions.
The proposed rule requires operators to establish thorough and
frequent communications between controllers, management, and field
personnel when planning and implementing changes to pipeline equipment
and configuration. Maintenance procedures must ensure that problems
with SCADA or field instrumentation critical to controllers are
resolved promptly and properly documented. SCADA system modifications
must also be coordinated with controllers and affected pipeline
operating personnel. It is not always
[[Page 53091]]
practical to coordinate changes before they are made, particularly when
a change is in response to an emergency. In those instances, operators
must make affected personnel and controllers aware of the change as
soon as practical and document why this occurred. When field equipment,
pipeline configuration, or SCADA changes are planned in advance,
coordination should also be done so that controllers who are off-duty
get informed of these changes prior to implementation. Controllers
shall have time to study the implications of targeted changes and to
become familiar with the anticipated system changes before they are
initiated. Finally, controllers shall be represented by a controller,
controller supervisor or by someone very familiar with control room
operations when changes that can affect pipeline hydraulics,
configuration or control system changes are considered so that
controller perspectives and potential impacts can be considered early
in the planning process and appropriate adjustments and training can be
developed.
Whenever possible, operators should thoroughly test changes on an
off-line system. Management of change procedures shall also include how
operators will inform controllers of changes before they operate the
system, especially the controllers who are not on shift at the time the
changes are made.
K. Learning From Individual Operating Experience
Events that occur on a pipeline provide one of the best
opportunities to improve the operation of the pipeline. Such events
include those that must be reported to PHMSA by regulation and those
with little or no consequences. Reviewing the causes of an event can
help identify underlying problems, which, if properly addressed, would
reduce the risk of future events occurring or resulting in more
significant consequences. Reviewing the response to events can help
identify areas in which emergency response and abnormal operating
procedures can be improved or where additional training for controllers
and other personnel may be appropriate. Individual controller logs or
shift notes can provide valuable insight into maintenance requirements
or communication concerns, both those provided by instrumentation and
those required of other employees. Reviewing these logs and working to
remove problem instrumentation or communication concerns can help to
maintain pipeline safety.
The proposed rule requires operators to review all reportable
accidents and incidents on a routine basis to identify and correct
deficiencies related to:
Controller fatigue
Field equipment
Procedures
SCADA system configuration
SCADA system performance including communications
Simulator or non-simulator training programs
Operators must also review non-reportable events (e.g., ``close-
calls'') to identify and address those that could be significant if
left unaddressed or coupled with other events. Each operator would
establish a definition or event threshold for which a review would be
conducted. Once this definition or event threshold has been
established, procedures must require that operators review information
about each close-call and share information regarding the proper
response with all controllers.
L. Training
Training is a key element in assuring the success of pipeline
controllers in maintaining safe operations. Therefore, operators must
provide controllers the necessary training to completely understand the
pipeline and control systems they operate. The proposed rule would
require each operator to include certain content in its controller
training programs. The proposed rule includes a minimum set of elements
that overlap and supplement existing OQ programs. These elements are as
follows:
1. Response to abnormal operating conditions and emergencies. These
responses are a major element of controllers' contribution to safety.
Correct actions can mitigate events without significant consequences.
Incorrect actions can aggravate abnormal situations and make
consequences worse. Training for controllers must include emphasis on
generic and task specific abnormal conditions that are likely to occur
simultaneously or sequentially. Controllers shall be trained to respond
to such events and to recognize them as indicators or precursors of
potentially more serious situations.
2. Simulator or tabletop exercises for training controllers to
recognize abnormal operating conditions such as leaks or failures. Some
abnormal events occur infrequently. Thus, experience on the job does
not necessarily prepare a controller to identify and respond to all
abnormal events, nor does it verify that a controller's ability is
maintained over time. Computer-based simulators or tabletop exercises
afford the opportunity for controllers to practice identifying and
responding to safety-significant situations that controllers may not
encounter during routine shift operations. The proposed rule also
requires operators to involve controllers in the development and
improvement of training simulations. Operators should conduct tabletop
exercises or computerized simulations that require emergency response
field personnel and personnel involved with commodity movement to be
involved from terminals, compressor stations, pump stations, and on the
pipeline right-of-way.
3. Training controllers to understand the operator's public
awareness program in detail. Controllers are often involved in
communication with the public, particularly when the public reports
unexpected events. API Recommended Practice 1162, ``Public Awareness
Programs for Pipeline Operations'' (API RP-1162) recommends sharing
public awareness objectives, information and material used in its
public awareness program with employees. Many Public Awareness Programs
include components for key employee training in public awareness and
specific communication training for specific key employees. Controllers
shall be considered as specific key employees if they are responsible
for responding to public or emergency responder calls.\8\
---------------------------------------------------------------------------
\8\ Implementation of public awareness programs conforming to
API RP1162 is required for gas pipelines by Sec. 192.616 and for
hazardous liquid pipelines by Sec. 195.440.
---------------------------------------------------------------------------
4. Providing appropriate information to the public and emergency
response personnel during emergency situations. In some cases,
controllers may not ask the right questions or provide the correct
response when communicating with the public or emergency responders
during an emergency. Specific training will help ensure that the
information controllers provide to the public and to emergency
personnel will maximize public safety and that the information
exchanged is complete and accurate.
5. Periodic visits by controllers to a field installation similar
to that which the controllers monitor or control. These visits would
help familiarize controllers with the equipment, field terminology, and
equipment operation. They would see how weather might affect access to
a specific location and observe the functions of station personnel.
Normally pipeline equipment is displayed as an icon on a controller's
computer screen. When it is operated or something is amiss, it may
change color, flash or change shape. Controllers must understand what
these changes mean in
[[Page 53092]]
the field. In the past, many controllers moved up from field positions
and had a thorough knowledge of field operations. Today, many pipelines
hire controllers who do not have field experience and who have limited
knowledge of the physical and practical aspects of pipeline operations.
Providing an opportunity for controllers to actually see the equipment
and talk to station personnel will help expand the controllers'
awareness of site specific information. Further, discussions with field
personnel in routine, non-stressful situations can help establish a
familiarity that will facilitate more efficient and accurate
communication during abnormal events. Ideally, controllers would visit
the facilities they operate. PHMSA recognizes, however, that this is
not always practical. Many pipeline systems cover extensive geographic
areas, and controllers may be responsible for operating pipeline
segments many hundreds of miles from the control room where they work.
For this reason, the proposed rule specifies that visits should be to a
representative sampling of field installations similar to those for
which the controller is responsible.
6. Review of procedures for operating setups that occur
infrequently. Day-to-day experience does little to help controllers
retain knowledge related to functions not routinely performed. It is
thus important that training programs emphasize and provide instruction
on these unusual operating conditions.
7. Pipeline hydraulics training sufficient to obtain a thorough
knowledge of the pipeline system, especially the pipeline's response to
abnormal situations. Often, controllers know what to expect when the
operating set-up changes because the controllers have seen the impact
of these changes many times, but sometimes controllers do not
necessarily know why flows and pressures change the way they do. A
basic understanding of pipeline hydraulics, as applied to the pipeline
a controller monitors, will help the controller understand what typical
responses are to changes in the operating status of individual pieces
of equipment and what to expect in the event of a leak or failure. This
understanding will enable the controller to better identify situations
outside normal operations.
8. Specific training on how power failures affect sites of
controller responsibility. The operator should provide site-specific
training to the controllers regarding the state of equipment upon power
loss and what the effect will be. This will assist the controller in
identifying other field resources that may be needed to properly repair
or operate a location affected by natural disaster such as a flood,
hurricane, tornado or earthquake.
9. Specific system tools available to determine a leak or
significant failure. Controllers should receive training about what
tools exist, including trends or other displays, that help to determine
quickly the status of the pipeline or aid in leak and significant
failure detection.
M. Qualification
Operators already provide for the qualification of certain
individuals to evaluate their abilities and to determine that they are
able to apply the necessary knowledge and skills acquired in training.
The proposed rule would require additional controller qualifications to
measure or verify a controller's performance, including the prompt
detection of, and appropriate response to, abnormal and emergency
conditions that are likely to occur. Additions to controller
qualifications would be implemented in conjunction with an operator's
OQ program pursuant to the existing regulations in 49 CFR parts 192,
193, and 195. The rule would not prescribe a single means of evaluating
a controller's abilities. Operators can use observation of on-shift
activities to perform part of this verification. Simulators and
tabletop exercises can also be used to verify a controller's ability to
detect conditions not seen on shift and that the controller is ready
and able to take appropriate actions in response. PHMSA has found that
most operators' OQ programs call for re-qualification every three
years; however, this rule would require an annual qualifications review
for controllers. In addition, operators would be required to provide
ongoing controller performance metrics and evaluation between annual
qualifications review to help detect any gradual degradation in
performance.
Qualified controllers must have the physical abilities to perform
the job. Most pipeline control systems use different colors to
represent different operating states and display system information and
status using icons and text that may vary in size depending on the
complexity of an individual display. While many operators do not
explicitly test controllers for colorblindness or visual acuity, it is
essential that controllers be tested for these visual abilities. This
does not mean that controllers who are colorblind or who lack visual
acuity must be relieved of duties. Special accommodations may be
needed, such as using different shapes, flashing indications, or
increasing the size of icons and text on an individual controller's
screen. The rule would not prescribe a specific test for these physical
abilities, but operators would be required to ascertain through
periodic testing and associated documentation that any deficiencies in
these physical attributes would not negatively affect the controller's
performance of assigned duties.
The proposed rule would also require operators to specify the
reasons for which a controller's qualification must be revoked. The
reasons must include extended absence or time off-duty (for a duration
determined by the operator), inadequate performance, impaired abilities
(e.g., vision, hearing) beyond that which the operator can accommodate,
influence of drugs or alcohol, and any other circumstances for which
the operator considers revocation appropriate. Operators would also be
required to have procedures for restoring a revoked qualification,
which may include complete re-qualification, or limited testing, a
period of review, shadowing, retraining, or all of these.
Lastly, PHMSA recognizes that many operators use oral examinations
as part of their qualification programs. Experienced operators and
trainers quiz controllers on their knowledge of various aspects of
their job. PHMSA believes this can be a very effective means of judging
a person's abilities. Unlike a written test, an oral examination allows
the evaluator to probe apparent weaknesses in more depth. Oral
examiners can inquire in more detail in areas where the candidate
appears to be hesitant, weak or unsure of the answers. This can allow a
more thorough evaluation of a controller's knowledge to perform
required duties.
If an operator chooses to use oral examinations as part of its
controller qualification program, the rule would require the operator
to document the examination and include a list of the topics covered
during the oral examination. This documentation will facilitate
internal audits, assist with providing consistency in controller
training, and allow the operator's training personnel to vary the
content of future evaluations to test knowledge in other areas.
N. Validation
PHMSA considers controllers to be extremely important in providing
for pipeline safety. Accordingly, PHMSA believes that it is appropriate
to involve senior pipeline executives in helping to determine that
controllers are qualified, that internal communication is enhanced, and
that controller needs are being addressed. The proposed rule
[[Page 53093]]
would require that a senior executive officer validate certain aspects
of controller training, qualification, and compliance with the
requirements of this rule. Operators would be required to have a senior
executive officer sign a validation each calendar year that confirms
that the operator has:
Conducted a review of controller qualifications and
controller training and determined that both are adequate;
Permitted only qualified controllers to operate the
pipeline;
Implemented the requirements of the rule;
Continued to address ergonomic and fatigue factors; and
Involved controllers in finding ways to sustain and
improve safety and pipeline integrity through control room management.
O. Compliance and Deviations
The proposed rule would require operators to maintain records that
demonstrate compliance with the regulation and to document any
deviations from their control room management procedures. In addition,
the operators would be required to report any deviations upon request
by PHMSA or the appropriate state pipeline safety authority. These
requirements are derived from the PIPES Act, which specifies that
operators must document compliance with their human factors and control
room management plans and report any deviations. Operators would be
required to report deviations only when requested by PHMSA, or in the
case of an intrastate pipeline facility, when requested by the
appropriate state pipeline safety authority. Such a request is
anticipated to occur during a pipeline safety inspection, but may occur
at any time at the discretion of PHMSA or the state pipeline safety
authority.
VIII. Regulatory Analyses and Notices
Privacy Act Statement
Anyone may search the electronic form of comments received in
response to any of our dockets by the name of the individual submitting
the comment (or signing the comment if submitted for an association,
business, labor union, etc.). You may review DOT's complete Privacy Act
Statement in the Federal Register published on April 11, 2000 (65 FR
19477).
Executive Order 12866 and DOT Policies and Procedures
This proposed rulemaking is a significant regulatory action under
Executive Order 12866 (58 FR 51735; Oct. 4, 1993), and it is a
significant regulatory action under the U.S. Department of
Transportation regulatory policies and procedures (44 FR 11034; Feb.
26, 1979). Therefore, the Office of Management and Budget (OMB) has
received a copy of this proposed rulemaking to review.
The proposed rule is not expected to adversely affect the economy
or the environment. For those costs and benefits that can be quantified
the present value of net benefits are expected to be about $65 million
over a ten year period after all of the requirements are implemented.
The monetary costs of the rule are expected to average about $25
million per year. Therefore, within the meaning of Executive Order
12866, the proposed rule is not expected to be an economically
significant regulatory action due to cost because it will not exceed
the annual $100 million threshold for economic significance.
However, there is substantial congressional, industry, and public
interest in control room operations and human factors management plans.
The proposed rule's immediate impact is minimal because some of its
components are already included in existing regulations; moreover, in
some pipeline companies, other requirements are standard practice or
considered to be good business practices.
Regulatory Flexibility Act
Under the Regulatory Flexibility Act (5 U.S.C. 601 et seq.), PHMSA
must consider whether rulemaking actions would have a significant
economic impact on a substantial number of small entities. While PHMSA
does not collect information on the number of employees or revenues of
pipeline operators, we do continuously seek information on the number
of small pipeline operators to more fully determine any impacts our
proposed regulations may have on small entities.
The Small Business Administration's criterion for defining a small
entity in the hazardous liquid pipeline industry is 1,500 or fewer
employees. PHMSA estimates there are 10 to 20 small entities in the
hazardous liquid pipeline industry. For the gas pipeline industry, the
size standard for a small natural gas gathering or transmission
business is $6.5 million or less in annual revenues and the size
standard for a small natural gas distribution business is 500 or fewer
employees. PHMSA estimates there are about 480 natural gas transmission
and gathering companies that have $6.5 million or less in annual
revenues and about 1,000 natural gas distribution companies that have
500 or fewer employees. Therefore, there are a total of about 1,500
small entities that would be affected by the proposed rule.
PHMSA has considered the effects of the proposed rule on small
pipeline operators. The total estimated aggregate annual costs of the
rule across the entire pipeline industry over 10 years ranges from
about $21 million per year to $37 million per year. Therefore, the
average annual cost to the approximately 2,500 companies (large and
small entities) is about $8,400 to $14,800 per year. For the larger
operators with more controllers, the costs will be higher than the
average. For the smaller operators with fewer controllers it will be
less than average. Based on these figures, PHMSA does not believe there
will be a significant impact on a substantial number of small entities,
but PHMSA seeks comments on this analysis.
Executive Order 13175
PHMSA has analyzed this rulemaking according to Executive Order
13175, ``Consultation and Coordination with Indian Tribal
Governments.'' Because the proposed rule would not significantly or
uniquely affect the communities of the Indian tribal governments or
impose substantial direct compliance costs, the funding and
consultation requirements of Executive Order 13175 do not apply.
Paperwork Reduction Act
PHMSA proposes to revise the Federal pipeline safety regulations to
address human factors and other components of control room management.
The proposed rules would require operators of hazardous liquid
pipelines, gas pipelines, and LNG facilities to amend their existing
written operations and maintenance procedures, operator qualification
programs, and emergency plans.
This proposed rule also contains some information collection
requirements. As required by the Paperwork Reduction Act of 1995 (44
U.S.C. 3507(d)), DOT will submit a copy of the Paperwork Reduction Act
analysis to OMB for its review. A copy of the analysis will also be
entered in the docket. PHMSA is proposing to require pipeline operators
to keep records and logs related to control room operations for
inspection purposes and to have a senior executive officer of each
operator validate that the operator has complied with the regulatory
requirements, reviewed its qualification and training, permitted only
qualified controllers to operate the pipeline, addressed fatigue
factors, and involved controllers in finding improvements. The record
keeping requirements in the proposed rule are consistent with good
business practices
[[Page 53094]]
and are designed to enhance current control room management practices.
To calculate the information collection burden for the record
keeping related to control room management practices, PHMSA estimates
there are approximately 2,500 pipeline and LNG facility operators that
would need to keep records and logs and that it would take
approximately one hour per week, per operator to generate and maintain
the necessary records. Therefore, PHMSA calculates it would take
slightly more than 130,000 hours per year for the 2,500 pipeline
operators to maintain the necessary records. PHMSA expects that most
operators currently maintain records and logs for inspection purposes
and that they generate records on a daily basis. Therefore, we estimate
the cost for the industry would be negligible since controllers
generally perform this function as part of the control room operations.
PHMSA acknowledges, however, that there may be some additional cost for
storage and filing, depending on what the records contain and how they
are packaged. Assuming that operators store between two and four cubic
feet of records (at $23.00 per cubic foot) within their facility per
year, PHMSA estimates that it would cost between $115,000 and $230,000
annually to store and maintain the records for inspection purposes.
Additionally, PHMSA estimates there are approximately 3,420
controllers in the pipeline industry and that it would take
approximately one hour per year, per employee to document performance
appraisals. Therefore, PHMSA calculates it would take pipeline
operators approximately 3,420 hours per year to document employees'
performance. We estimate it would take a senior official approximately
one-half hour to review and sign-off on a validation document for each
controller. PHMSA estimates the annual cost would be between $76,950
and $153,900 depending on the average wage rate used in the
calculation. The lower bound uses the average wage rate for a General
Operations Manager published by the Bureau of Labor Statistics of
$45.00 per hour ($22.50 per half-hour), while the upper bound uses the
industry estimates of $90.00 per hour ($45.00 per half-hour).
Therefore, PHMSA concludes that this proposed rule contains only minor
additional paperwork burden and procedure implementation.
Pursuant to 44 U.S.C. 3506(c)(2)(B), the PHMSA solicits comments
concerning: Whether these information collection requirements are
necessary for PHMSA to properly perform its functions, including
whether the information has practical utility; the accuracy of PHMSA's
estimates of the burden of the information collection requirements; the
quality, utility, and clarity of the information to be collected; and
whether the burden of collecting information on those who are to
respond, including through the use of automated collection techniques
or other forms of information technology, may be minimized.
Unfunded Mandates Reform Act of 1995
This proposed rulemaking does not impose unfunded mandates under
the Unfunded Mandates Reform Act of 1995. It does not result in costs
of $132 million or more to either State, local, or tribal governments,
in the aggregate, or to the private sector, and is the least burdensome
alternative that achieves the objective of the proposed rulemaking.
National Environmental Policy Act
PHMSA has analyzed the proposed rulemaking for purposes of the
National Environmental Policy Act (42 U.S.C. 4321 et seq. ) and
preliminarily determined the proposed rulemaking may provide beneficial
impacts on the quality of the human environment. If pipeline operators
comply with the technical elements of the proposed rule, this would
reduce adverse impacts on the physical environment by reducing the
number and severity of pipeline releases. For example, by addressing
the exchange of information at shift change and the length of shifts to
reduce controller fatigue, pipeline operators could reduce the number
of incidents and the consequences of releases that may harm the
physical environment. Similarly, the review of SCADA procedures and
alarm audits will lead to the use of better technology, which will have
a positive impact on operator response to abnormal operating
conditions, accidents, and incidents that have the potential for
adverse environmental impacts. The following elements of the proposed
rule will also lead to a better functioning control room and fewer
possibilities for environmental degradation: Involving controllers when
planning and implementing changes in operations; maintaining strong
communications between controllers and field personnel; determining how
to establish, maintain, and review controller qualifications, abilities
and performance metrics, with particular attention to response to
abnormal operating conditions; and analyzing operating experience
including accidents and incidents for possible involvement of the SCADA
system, controller performance, and fatigue. PHMSA's analysis suggests
there are no adverse significant environmental impacts associated with
the proposed rule. The draft environmental assessment is available for
review and comment in the docket. PHMSA will make a final determination
on environmental impact after reviewing the comments on this proposal.
Executive Order 13132
PHMSA has analyzed the proposed rulemaking according to Executive
Order 13132 (``Federalism''). The proposal does not have a substantial
direct effect on the States, the relationship between the national
government and the States, or the distribution of power and
responsibilities among the various levels of government. The proposed
rulemaking does not impose substantial direct compliance costs on State
and local governments. This proposed regulation would not preempt state
law for intrastate pipelines. Therefore, the consultation and funding
requirements of Executive Order 13132 do not apply.
Executive Order 13211
Transporting gas and hazardous liquids impacts the nation's
available energy supply. However, this proposed rulemaking is not a
``significant energy action'' under Executive Order 13211 and is not
likely to have a significant adverse effect on the supply,
distribution, or use of energy. Further, the Administrator of the
Office of Information and Regulatory Affairs has not identified this
proposal as a significant energy action.
List of Subjects
49 CFR Part 192
Incorporation by reference, Gas, Natural gas, Pipeline safety,
Reporting and recordkeeping requirements.
49 CFR Part 193
Liquefied natural gas, Incorporation by reference, Pipeline safety,
and Reporting and recordkeeping requirements.
49 CFR Part 195
Ammonia, Carbon dioxide, Incorporation by reference, Petroleum,
Pipeline safety, Reporting and recordkeeping requirements.
For the reasons provided in the preamble, PHMSA proposes to amend
49 CFR part 192, 193, and 195 as follows:
[[Page 53095]]
PART 192--TRANSPORTATION OF NATURAL GAS AND OTHER GAS BY PIPELINE:
MINIMUM FEDERAL SAFETY STANDARDS
1. The authority citation for part 192 is revised to read as
follows:
Authority: 49 U.S.C. 5103, 60102, 60104, 60108, 60109, 60110,
60113, 60116, 60118, and 60137; and 49 CFR 1.53.
2. In Sec. 192.3, add definitions for ``alarm,'' ``control room,''
``controller,'' and ``Supervisory Control and Data Acquisition System
(SCADA)'' as follows:
Sec. 192.3 Definitions.
* * * * *
Alarm means an indication provided by SCADA or similar monitoring
system that a parameter is outside normal or expected operating
conditions.
Control room means a central location or local station at which a
control panel, computerized device, or other instrument is used by a
controller to monitor or control all or part of a pipeline facility or
a component of a pipeline facility.
Controller means an individual who uses a control panel,
computerized device, or other equipment to monitor or control all or
part of a pipeline facility that the individual cannot directly observe
with the naked eye. An individual who operates equipment locally, but
who cannot see the equipment respond without using a closed circuit
television system or other external device, is a controller when
performing this activity regardless of job title or whether actions are
overseen by another controller or supervisor. An individual who
performs these functions on a part time basis is considered a
controller only when performing these functions.
* * * * *
Supervisory Control and Data Acquisition System (SCADA) means a
computer-based system that gathers field data, provides a structured
view of pipeline system or facility operations, and may provide a means
to control pipeline operations.
* * * * *
3. In Sec. 192.7, amend the table in paragraph (c)(2) by adding
item B.(7) to read as follows:
Sec. 192.7 What documents are incorporated by reference partly or
wholly in this part?
* * * * *
(c) * * *
(2) * * *
------------------------------------------------------------------------
------------------------------------------------------------------------
* * * * * * *
B. * * *
(7) API Recommended Practice 1165 Sec. 192.631(c)(1)
``Recommended Practice for Pipeline SCADA
Displays,'' (January 2007).
* * * * * * *
------------------------------------------------------------------------
4. Amend Sec. 192.605 by adding paragraph (b)(12) to read as
follows:
Sec. 192.605 Procedural manual for operations, maintenance, and
emergencies.
* * * * *
(b) * * *
(12) Implementing the applicable control room management procedures
required by Sec. 192.631.
* * * * *
5. Amend Sec. 192.615 by adding paragraph (a)(11) to read as
follows:
Sec. 192.615 Emergency plans.
(a) * * *
(11) Actions required to be taken by a controller during an
emergency in accordance with Sec. 192.631.
* * * * *
6. Add Sec. 192.631 to subpart L to read as follows:
Sec. 192.631 Control room management.
(a) General. Each operator of a pipeline facility with at least one
controller and control room must have and follow written control room
management procedures that implement the requirements of this section.
The procedures must be integrated, as appropriate, into the operator's
written manual of operations and maintenance procedures required by
Sec. 192.605, written qualification program required by Sec. 192.805,
and written emergency plans required by Sec. 192.615. The operator
must develop and implement the procedures no later than the dates in
the following table.
------------------------------------------------------------------------
Develop procedures Implement procedures
Control room type by: by:
------------------------------------------------------------------------
(1) Remote operations [insert date 12 [insert date 24
(control and/or monitoring) months after months after
of gas transmission effective date of effective date of
pipelines. final rule]. final rule].
(2) Remote operations of [insert date 24 [insert date 30
equipment within a single months after months after
site (e.g., compressor effective date of effective date of
station). final rule]. final rule].
(3) Gas distribution [insert date 24 [insert date 24
pipelines. months after months after
effective date of effective date of
final rule]. final rule].
(4) Gas pipelines with local [insert date 30 [insert date 30
control only. months after months after
effective date of effective date of
final rule]. final rule].
(5) Control rooms or local 12 months after 12 months after
control stations placed in placement in placement in
service after [insert service. service.
effective date of the final
rule], but before [insert
date 12 months after the
effective date of final
rule].
(6) Control rooms or local Before placing in Upon placing in
control stations placed in service. service.
service after [insert date
12 months after the
effective date of final
rule].
------------------------------------------------------------------------
(b) Roles and responsibilities. Each operator must define the roles
and responsibilities of a controller during normal, abnormal, and
emergency operating conditions. To provide for a controller's prompt
and appropriate response to operating conditions, each operator must
define:
(1) A controller's authority and responsibility to make decisions
and take actions during normal operations.
(2) A controller's role when an abnormal operating condition is
detected, even if the controller is not the first to detect the
condition, including the controller's responsibility to take
[[Page 53096]]
specific actions and to communicate with others.
(3) A controller's role during an emergency, even if the controller
is not the first to detect the emergency, including the controller's
responsibility to take specific actions and to communicate with others.
(4) A controller's responsibility to provide timely notification
and coordination with the operator of another pipeline in a common
corridor when a leak or failure is suspected, including upon receipt of
a notification from the public concerning a suspected leak on an asset
owned or operated by the other company but located in the same common
corridor or right-of-way.
(5) A method of recording when a controller is responsible for
monitoring or controlling any portion of a pipeline facility by
implementing an individual console or a system log-in feature or by
documenting in the shift records the time and name of each controller
who assumed the responsibility during a shift-change or other hand-over
of responsibility.
(c) Provide adequate information. Each operator must provide each
controller with the information necessary for the controller to carry
out the roles and responsibilities defined by the operator and must
verify that a controller knows the equipment, components and the
effects of the controller's actions on the pipeline or pipeline
facilities under the controller's control. Each operator must:
(1) Provide a controller with accurate, adequate, and timely data
concerning operation of the pipeline facility. Wherever a SCADA system
is used, the operator must implement API RP-1165 (incorporated by
reference, see Sec. 192.7) in its entirety, unless the operator can
adequately demonstrate that a provision of API RP-1165 is not
applicable or is impracticable in the SCADA system used.
(2) Validate that any SCADA system display accurately depicts field
equipment configuration by completing all of the following:
(i) Conduct and document a point-to-point baseline verification
between field equipment and all SCADA system displays to verify 100
percent of the system displays. An operator must complete the baseline
verification no later than [insert date three years after effective
date of final rule] or by [insert date one year after effective date of
final rule] for an operator of a pipeline system containing less than
500 miles of pipeline. An operator may use any documented point-to-
point verification completed after [insert date three years before
effective date of final rule] to meet some or all of this baseline
verification. A point-to-point verification must include equipment
locations, ranges, alarm set-point values, alarm activation, required
alarm visual or audible response, and proper equipment or software
response to SCADA system values.
(ii) Verify that SCADA displays accurately depict field
configuration when any modification is made to field equipment or
applicable software and conduct a point-to-point verification for
associated changes.
(iii) Perform a point-to-point verification as part of implementing
a SCADA system change for all portions of the pipeline system or
facility affected by the change.
(iv) Develop a plan for systematic re-verification of the accuracy
of the SCADA system display.
(3) Establish a means for timely verbal communication among a
controller, management, and field personnel.
(4) Identify circumstances that require field personnel to promptly
notify the controller. These circumstances must include the
identification by field personnel of a leak or situation that could
reasonably be expected to develop into an incident if left unaddressed.
(5) Define and record critical information during each shift.
(6) Provide for the exchange of information when a shift changes or
when another controller assumes responsibility for operations for any
reason.
(7) Establish sufficient overlap of controller shifts to permit the
exchange of necessary information.
(8) Periodically test and verify a backup communication system or
provide adequate means for manual operation or shutdown of the affected
portion of the pipeline safely.
(d) Fatigue mitigation. Each operator must implement methods to
prevent controller fatigue that could inhibit a controller's ability to
carry out the roles and responsibilities defined by the operator. To
protect against the onset of fatigue, each operator must:
(1) Establish shift lengths and schedule rotations that provide
controllers off-duty time sufficient to achieve eight hours of
continuous sleep;
(2) Educate a controller and his supervisor in fatigue mitigation
strategies and how off-duty activities contribute to fatigue;
(3) Train a controller and his supervisor to recognize and mitigate
the effects of fatigue;
(4) Implement additional measures to monitor for fatigue when a
single controller is on duty; and
(5) Establish a maximum limit on controller hours-of-service, which
may include an exception during an emergency with appropriate
management approval. An operator must specify emergency situations for
which a deviation from the hours-of-service maximum limit is permitted.
(e) Alarm management. Each operator using a SCADA system must
assure appropriate controller response to alarms and notifications. An
operator must:
(1) Review SCADA operations at least once each week for:
(i) Events that should have resulted in alarms or event indications
that did not do so;
(ii) Proper and timely controller response to alarms or events;
(iii) Identification of unexplained changes in the number of alarms
or controller management of alarms;
(iv) Identification of nuisance alarms;
(v) Verification that the number of alarms received is not
excessive;
(vi) Identification of instances in which alarms were acknowledged
but associated response actions were inadequate or untimely;
(vii) Identification of abnormal or emergency operating conditions
and a review of controller response actions;
(viii) Identification of system maintenance issues;
(ix) Identification of systemic problems, server load, or
communication problems;
(x) Identification of points that have been taken off scan or that
have had forced or manual values for extended periods; and
(xi) Comparison of controller logs or shift notes to SCADA alarm
records to identify maintenance requirements or training needs.
(2) Review SCADA configuration and alarm management operations at
least once each calendar year but at intervals not to exceed 15 months.
At a minimum, reviews must include consideration of the following
factors:
(i) Number of alarms;
(ii) Potential systemic issues;
(iii) Unnecessary alarms;
(iv) Individual controller's performance changes over time
regarding alarm or event response;
(v) Alarm indications of abnormal operating conditions;
(vi) Recurring combinations of abnormal operating conditions and
the inclusion of such combinations in controller training;
(vii) Alarm indications of emergency conditions;
(viii) Individual controller workload;
(ix) Clarity of alarm descriptors to the controllers so controllers
fully
[[Page 53097]]
understand the meaning and nature of each alarm; and
(x) Verification of correct alarm set-point values.
(3) Promptly address all deficiencies identified in the weekly and
calendar year SCADA reviews.
(f) Change management. Each operator must establish thorough and
frequent communications between a controller, management, and field
personnel when planning and implementing physical changes to pipeline
equipment and configuration. Field personnel must be required to
promptly notify a controller when emergency conditions exist or when
performing maintenance and making field changes.
(1) Maintenance procedures must include tracking and repair of
controller-identified problems with the SCADA system or field
instrumentation to provide for prompt response.
(2) SCADA system modifications must be coordinated in advance to
allow enough time for adequate controller training and familiarization
unless such modifications are made during an emergency response or
recovery operation.
(3) An operator shall seek control room participation when pipeline
hydraulic or configuration changes are being considered.
(4) Merger, acquisition, and divestiture plans must be developed
and used to establish and conduct controller training and qualification
prior to the implementation of any changes to the controller's
responsibilities.
(5) Changes to alarm set-point values, automated routine software,
and relief valve settings must be communicated to the controller prior
to implementation.
(6) An operator must thoroughly document and keep records for each
of these occurrences.
(g) Operating experience.
(1) Each operator must review control room operations following any
event that must be reported as an incident pursuant to 49 CFR part 191
to determine and correct, where necessary, deficiencies related to:
(i) Controller fatigue;
(ii) Field equipment;
(iii) The operation of any relief device;
(iv) Procedures;
(v) SCADA system configuration;
(vi) SCADA system performance;
(vii) Accuracy, timeliness, and portrayal of field information on
SCADA displays; and
(viii) Simulator or non-simulator training programs.
(2) Each operator must establish a definition or threshold for
close-call events to evaluate event significance. For those events the
operator determines to be significant, the operator must conduct the
review required by paragraph (g)(1) of this section and the operator
must share the information with all controllers.
(3) Each operator must review the accuracy and timeliness of SCADA
data and how it is portrayed on displays.
(h) Training. Each operator must establish a training program and
review the training program content to identify potential improvements
at least once each calendar year, but at intervals not to exceed 15
months. An operator must train each controller to carry out the roles
and responsibilities defined by the operator. In addition, the training
program must include the following elements:
(1) Responding to abnormal operating conditions likely to occur
simultaneously or in sequence.
(2) Use of a simulator or non-computerized (tabletop) method to
train controllers to recognize abnormal operating conditions, in
particular leak and failure events. Simulations and tabletop exercises
must include representative communications between controllers and
individuals that operators would expect to be involved during actual
events. Controllers will participate in improvement and development of
tabletop or simulation training scenarios.
(3) Providing appropriate information to the public and emergency
response personnel during emergency situations, and informing
controllers of the information being provided to the public or
emergency responders under Sec. 192.616 so that the controllers can
understand the context in which this information will be received.
(4) On-site visits by controllers to a representative sampling of
field installations similar to those for which each controller is
responsible to familiarize themselves with the equipment and with
station personnel functions.
(5) Review of procedures for pipeline operating setups that are
periodically, but infrequently used.
(6) Hydraulic pipeline training that is sufficient to obtain a
thorough knowledge of the pipeline system, especially during the
development of abnormal operating conditions.
(7) Site specific training on equipment failure modes.
(8) Specific training on system tools available to determine a leak
or significant failure and specific training on other operator contact
protocols when there is reason to suspect a leak in a common pipeline
corridor or right-of-way.
(i) Qualification. An operator must have a program in accordance
with subpart N of this part to determine that each controller is
qualified. An operator's procedures for the qualification of
controllers must include provisions to:
(1) Measure and verify a controller's performance including the
controller's ability to detect abnormal and emergency conditions
promptly and to respond appropriately.
(2) Evaluate a controller's physical abilities, including hearing,
colorblindness (color perception), and visual acuity, which could
affect the controller's ability to perform the assigned duties.
(3) Evaluate a controller's qualifications at least once each
calendar year, but at intervals not to exceed 15 months.
(4) Implement methods to address gradual degradation in performance
or physical abilities in a controller.
(5) Revoke a controller's qualification for extended time off-duty
or absence (of a duration determined by the operator based on the
complexity and significance of the controller's role), inadequate
performance, impaired physical ability beyond what the operator can
accommodate, influence of drugs or alcohol, or any other reason
determined by the operator to be necessary to support the safe
operation of a pipeline facility.
(6) Restore a revoked qualification by specifying the circumstances
for which a complete re-qualification is required, and the
circumstances for which other means of restoration may be used, such as
a period of review, shadowing, retraining, or all of these.
(7) Document when an oral examination is used as the means of
evaluation, including the topics covered.
(8) Prohibit individuals without a current controller qualification
from performing the duties of a controller.
(j) Validation. An operator must have a senior executive officer
validate by signature not later than the date by which control room
management procedures must be implemented (see paragraph (a) of this
section), and annually thereafter by March 15 of each year, that the
operator has:
(1) Conducted a review of controller qualification and training
programs and has determined both programs to be adequate;
(2) Permitted only qualified controllers to operate the pipeline;
(3) Implemented the requirements of this section;
[[Page 53098]]
(4) Continued to address ergonomic and fatigue factors; and
(5) Involved controllers in finding ways to sustain and improve
safety and pipeline integrity through control room management.
(k) Compliance and deviations. An operator must maintain for review
during inspection:
(1) Records that demonstrate compliance with the requirements of
this section; and
(2) Documentation of decisions and analyses to support any
deviation from the procedures required by this section. An operator
must report any such deviation to PHMSA upon request, or in the case of
an intrastate pipeline facility regulated by a state, upon request by
the state pipeline safety authority.
7. Amend Sec. 192.805 by adding paragraph (j) to read as follows:
Sec. 192.805 Qualification program.
* * * * *
(j) Incorporate requirements applicable to controller qualification
in accordance with Sec. 192.631.
PART 193--LIQUEFIED NATURAL GAS FACILITIES: FEDERAL SAFETY
STANDARDS
8. The authority citation for part 193 is revised to read as
follows:
Authority: 49 U.S.C. 5103, 60102, 60103, 60104, 60108, 60109,
60110, 60113, 60116 and 60118, and 60137; and 49 CFR 1.53.
9. In Sec. 193.2007 add definitions for ``alarm,'' ``control
room,'' ``controller,'' and ``Supervisory Control and Data Acquisition
System (SCADA)'' as follows:
Sec. 193.2007 Definitions.
* * * * *
Alarm means an indication provided by SCADA or similar monitoring
system that a parameter is outside normal or expected operating
conditions.
* * * * *
Control room means a central location or local station at which a
control panel, computerized device, or other instrument is used by a
controller to monitor or control all or part of an LNG plant.
Controller means an individual who uses a control panel,
computerized device, or other equipment to monitor or control all or
part of an LNG plant that the individual cannot directly observe with
the naked eye. An individual who operates equipment locally, but who
cannot see the equipment respond without using a closed circuit
television system or other external device, is a controller when
performing this activity regardless of job title or whether actions are
overseen by another controller or supervisor. An individual who
performs these functions on a part time basis is considered a
controller only when performing these functions.
* * * * *
Supervisory Control and Data Acquisition System (SCADA) means a
computer-based system that gathers field data, provides a structured
view of pipeline system or facility operations, and may provide a means
to control facility operations.
* * * * *
10. Amend Sec. 193.2013 by adding item F. to the list in paragraph
(b) and by adding item F. to the table in paragraph (c) to read as
follows:
Sec. 193.2013 Incorporation by reference.
* * * * *
(b) * * *
F. American Petroleum Institute (API), 1220 L Street, NW.,
Washington, DC 20005-4070.
(c) * * *
------------------------------------------------------------------------
------------------------------------------------------------------------
* * * * * * *
F. American Petroleum Institute (API): (1) Sec. 193.2523(c)(1)
API Recommended Practice 1165 ``Recommended
Practice for Pipeline SCADA Displays,''
(January 2007).
------------------------------------------------------------------------
11. Revise Sec. 193.2441 to read as follows:
Sec. 193.2441 Control room.
Each LNG plant must have a control room from which operations and
warning devices are monitored as required by this part. A control room
must have the following capabilities and characteristics:
(a) It must be located apart or protected from other LNG facilities
so that it is operational during a controllable emergency.
(b) Each remotely actuated control system and each automatic
shutdown control system required by this part must be operable from the
control room.
(c) Each control room must have personnel in continuous attendance
while any of the components under its control are in operation, unless
the control is being performed from another control room that has
personnel in continuous attendance.
(d) If more than one control room is located at an LNG Plant, each
control room must have more than one means of communication with each
other control room.
(e) Each control room must have a means of communicating a warning
of hazardous conditions to other locations within the plant frequented
by personnel.
12. Amend Sec. 193.2503 by adding paragraph (h) to read as
follows:
Sec. 193.2503 Operating procedures.
* * * * *
(h) Implementing the applicable control room management procedures
required by Sec. 193.2523.
13. Amend Sec. 193.2509 by adding paragraph (b)(5) to read as
follows:
Sec. 193.2509 Emergency procedures.
* * * * *
(b) * * *
(5) Actions required to be taken by a controller during an
emergency in accordance with Sec. 193.2523.
14. Add Sec. 193.2523 to subpart F to read as follows:
Sec. 193.2523 Control room management.
(a) General. Each operator must have and follow written control
room management procedures that implement the requirements of this
section. The procedures must be integrated, as appropriate, into the
written operating procedures manuals required by Sec. 193.2503,
written emergency procedures required by Sec. 193.2509, and written
training plans required by Sec. 193.2713. For LNG plants that exist on
[insert effective date of final rule], operators must develop the
procedures by [insert date 12 months after effective date of final
rule] and implement them by [insert date 24 months after effective date
of final rule]. For LNG plants placed in service after [insert
effective date of final rule], but before [insert date 12 months after
effective date of final rule], procedures must be developed and
implemented no later than 12 months after placing the plant in service.
For LNG plants placed in service after [insert date 12 months after the
effective date of final rule], procedures must be developed before
[[Page 53099]]
the plant begins operation and must be implemented when operations
commence.
(b) Roles and responsibilities. Each operator must define the roles
and responsibilities of a controller during normal, abnormal, and
emergency operating conditions. To provide for a controller's prompt
and appropriate response to operating conditions, each operator must
define:
(1) A controller's authority and responsibility to make decisions
and take actions during normal operations.
(2) A controller's role when an abnormal operating condition is
detected, even if the controller is not the first to detect the
condition, including the controller's responsibility to take specific
actions and to communicate with others.
(3) A controller's role during an emergency, even if the controller
is not the first to detect the emergency, including the controller's
responsibility to take specific actions and to communicate with others.
(4) A method of recording when a controller is responsible for
monitoring or controlling a pipeline facility or portion thereof by
implementing an individual console or a system log-in feature or by
documenting in the shift records the time and name of each controller
who assumed the responsibility during a shift-change or other hand-over
of responsibility.
(c) Provide adequate information. Each operator must provide each
controller with the information necessary for the controller to carry
out the roles and responsibilities defined by the operator and must
verify that a controller knows the equipment, components, and the
effects of the controller's actions on the facilities under the
controller's control. Each operator must:
(1) Provide a controller with accurate, adequate, and timely data
concerning operation of the facility. Wherever a SCADA system is used,
the operator must implement API RP-1165 (incorporated by reference, see
Sec. 193.2013) in its entirety, unless the operator can adequately
demonstrate that a provision of API RP-1165 is not applicable or is
impracticable in the SCADA system used.
(2) Validate that any SCADA system display accurately depicts field
equipment configuration by completing all of the following:
(i) Conduct and document a baseline point-to-point verification
between field equipment and all SCADA system displays to verify 100
percent of the system displays. An operator must complete the baseline
verification no later than [insert date 2 years after effective date of
final rule]. An operator may use any documented point-to-point
verification completed after [insert date three years before effective
date of final rule] to meet some or all of this baseline verification.
A point-to-point verification must include equipment locations, ranges,
alarm set-point values, alarm activation, required alarm visual or
audible response, and proper equipment or software response to SCADA
system value.
(ii) Verify that SCADA displays accurately depict field
configuration when any modification is made to field equipment or
applicable software and conduct a point-to-point verification for
associated changes.
(iii) Perform a point-to-point verification as part of implementing
a SCADA system change for all portions of the LNG facility affected by
the change.
(iv) Develop a plan for systematic re-verification of the accuracy
of the SCADA system display.
(3) Establish a means for timely verbal communication among a
controller, management, and field personnel.
(4) Identify circumstances that require field personnel to promptly
notify the controller. These circumstances must include the
identification by field personnel of a leak or situation that could
reasonably be expected to develop into an incident if left unaddressed.
(5) Define and record critical information during each shift.
(6) Provide for the exchange of information when a shift changes or
when another controller assumes responsibility for operations for any
reason.
(7) Establish sufficient overlap of controller shifts to permit the
exchange of necessary information.
(d) Fatigue mitigation. Each operator must implement methods to
prevent controller fatigue that could inhibit a controller's ability to
carry out the roles and responsibilities defined by the operator. To
protect against the onset of fatigue, each operator must:
(1) Establish shift lengths and schedule rotations that provide
controllers off-duty time sufficient to achieve eight hours of
continuous sleep;
(2) Educate a controller and the controller's supervisor in fatigue
mitigation strategies and how off-duty activities contribute to
fatigue;
(3) Train a controller and his supervisor to recognize and mitigate
the effects of fatigue;
(4) Implement additional measures to monitor for fatigue when a
single controller is on duty; and
(5) Establish a maximum limit on controller hours-of-service, which
may include an exception during an emergency with appropriate
management approval. An operator must specify emergency situations for
which a deviation from the hours-of-service maximum limit is permitted.
(e) Alarm management. Each operator using a SCADA system must
assure appropriate controller response to alarms and notifications. An
operator must:
(1) Review SCADA operations at least once each week for:
(i) Events that should have resulted in alarms or event indications
that did not do so;
(ii) Proper and timely controller response to alarms or events;
(iii) Identification of unexplained changes in the number of alarms
or controller management of alarms;
(iv) Identification of nuisance alarms;
(v) Verification that the number of alarms received is not
excessive;
(vi) Identification of instances in which alarms were acknowledged
but associated response actions were inadequate or untimely;
(vii) Identification of abnormal or emergency operating conditions
and a review of controller response actions;
(viii) Identification of system maintenance issues;
(ix) Identification of systemic problems, server load, or
communication problems;
(x) Identification of points that have been taken off scan or that
have had forced or manual values for extended periods; and
(xi) Comparison of controller logs or shift notes to SCADA alarm
records to identify maintenance requirements or training needs.
(2) Review SCADA configuration and alarm management operations at
least once each calendar year but at intervals not to exceed 15 months.
At a minimum, reviews must include consideration of the following
factors:
(i) Number of alarms;
(ii) Potential systemic issues;
(iii) Unnecessary alarms;
(iv) Individual controller's performance changes over time
regarding alarm or event response;
(v) Alarm indications of abnormal operating conditions;
(vi) Recurring combinations of abnormal operating conditions and
the inclusion of such combinations in controller training;
(vii) Alarm indications of emergency conditions;
(viii) Individual controller workload;
(ix) Clarity of alarm descriptors to the controllers so controllers
fully
[[Page 53100]]
understand the meaning and nature of each alarm; and
(x) Verification of correct alarm set-point values.
(3) Promptly address all deficiencies identified in the weekly and
calendar year SCADA reviews.
(f) Change management. Each operator must establish thorough and
frequent communications between a controller, management, and field
personnel when planning and implementing physical changes to facility
equipment and configuration. Field personnel must be required to
promptly notify a controller when emergency conditions exist or when
performing maintenance and making field changes.
(1) Maintenance procedures must include tracking and repair of
controller-identified problems with the SCADA system or field
instrumentation to provide for prompt response.
(2) SCADA system modifications must be coordinated in advance to
allow enough time for adequate controller training and familiarization
unless such modifications are made during an emergency response or
recovery operation.
(3) An operator shall seek control room participation when LNG
plant hydraulic or configuration changes are being considered.
(4) Merger, acquisition, and divestiture plans must be developed
and used to establish and conduct controller training and qualification
prior to the implementation of any changes to the controller's
responsibilities.
(5) Changes to alarm set-point values, automated routine software,
and relief valve settings must be communicated to the controller prior
to implementation.
(6) An operator must thoroughly document and keep records for each
of these occurrences.
(g) Operating experience.
(1) Each operator must review control room operations following any
event that must be reported as an incident pursuant to 49 CFR part 191
to determine and correct, where necessary, deficiencies related to:
(i) Controller fatigue;
(ii) Field equipment;
(iii) The operation of any relief device;
(iv) Procedures;
(v) SCADA system configuration;
(vi) SCADA system performance;
(vii) Accuracy, timeliness, and portrayal of field information on
SCADA displays; and
(viii) Simulator or non-simulator training programs.
(2) Each operator must establish a definition or threshold for
close-call events to evaluate event significance. For those events the
operator determines to be significant, the operator must conduct the
review required by paragraph (g)(1) of this section and the operator
must share the information with all controllers.
(3) Each operator must review the accuracy and timeliness of SCADA
data and how it is portrayed on displays.
(h) Training. Each operator must establish a training program and
review the training program content to identify potential improvements
at least once each calendar year, but at intervals not to exceed 15
months. An operator must train each controller to carry out the roles
and responsibilities defined by the operator. In addition, the training
program must include the following elements:
(1) Responding to abnormal operating conditions likely to occur
simultaneously or in sequence.
(2) Use of a simulator or non-computerized (tabletop) method to
train controllers to recognize abnormal operating conditions, in
particular leak and failure events. Simulations and tabletop exercises
must include representative communications between controllers and
individuals that operators would expect to be involved during actual
events. Controllers will participate in improvement and development of
tabletop or simulation training scenarios.
(3) Providing appropriate information to the public and emergency
response personnel during emergency situations, and informing
controllers of the information being provided to the public or
emergency responders per the operator's procedures, if any, so that the
controllers can understand the context in which this information will
be received.
(4) Review of procedures for LNG operating configurations that are
periodically, but infrequently used.
(5) Hydraulic pipeline training that is sufficient to obtain a
thorough knowledge of the LNG plant's system, especially during the
development of abnormal operating conditions.
(6) Site specific site training on equipment failure modes.
(7) Specific training on system tools available to determine a leak
or significant failure.
(i) Qualification. An operator must have a program in accordance
with Sec. 193.2707 to determine that each controller is qualified. An
operator's procedures for the qualification of controllers must include
provisions to:
(1) Measure and verify a controller's performance including the
controller's ability to detect abnormal and emergency conditions
promptly and to respond appropriately.
(2) Evaluate a controller's physical abilities, including hearing,
colorblindness (color perception), and visual acuity, which could
affect the controller's ability to perform the assigned duties.
(3) Evaluate a controller's qualifications at least once each
calendar year, but at intervals not to exceed 15 months.
(4) Implement methods to address gradual degradation in performance
or physical abilities in a controller.
(5) Revoke a controller's qualification for extended time off-duty
or absence (of a duration determined by the operator based on the
complexity and significance of the controller's role), inadequate
performance, impaired physical ability beyond what the operator can
accommodate, influence of drugs or alcohol, or any other reason
determined by the operator to be necessary to support the safe
operation of an LNG plant.
(6) Restore a revoked qualification by specifying the circumstances
for which a complete re-qualification is required, and the
circumstances for which other means of restoration may be used, such as
a period of review, shadowing, retraining, or all of these.
(7) Document when an oral examination is used as the means of
evaluation, including the topics covered.
(8) Prohibit individuals without a current controller qualification
from performing the duties of a controller.
(j) Validation. An operator must have a senior executive officer
validate by signature not later than the date by which control room
management procedures must be implemented (see paragraph (a) of this
section), and annually thereafter by March 15 of each year, that the
operator has:
(1) Conducted a review of controller qualification and training
programs and has determined both programs to be adequate;
(2) Permitted only qualified controllers to operate the LNG plant;
(3) Implemented the requirements of this section;
(4) Continued to address ergonomic and fatigue factors; and
(5) Involved controllers in finding ways to sustain and improve
safety through control room management.
(k) Compliance and deviations. An operator must maintain for review
during inspection:
(1) Records that demonstrate compliance with the requirements of
this section; and
(2) Documentation of decisions and analyses to support any
deviation from
[[Page 53101]]
the procedures required by this section. An operator must report any
such deviation to PHMSA upon request, or in the case of an intrastate
pipeline facility regulated by a state, upon request by the state
pipeline safety authority.
15. Amend Sec. 193.2713 by adding paragraph (a)(4) to read as
follows:
Sec. 193.2713 Training: operations and maintenance.
* * * * *
(a) * * *
(4) All controllers to carry out the control room management
procedures under Sec. 193.2523 that relate to their assigned
functions.
* * * * *
PART 195--TRANSPORTATION OF HAZARDOUS LIQUIDS BY PIPELINE
16. The authority citation for part 195 is revised to read as
follows:
Authority: 49 U.S.C. 5103, 60102, 60104, 60108, 60109, 60116,
60118, and 60137; and 49 CFR 1.53.
17. In Sec. 195.2, add definitions for ``alarm'' ``control room,''
``controller,'' and ``Supervisory Control and Data Acquisition System
(SCADA)'' as follows:
Sec. 195.2 Definitions.
* * * * *
Alarm means an indication provided by SCADA or similar monitoring
system that a parameter is outside normal or expected operating
conditions.
* * * * *
Control room means a central location or local station at which a
control panel, computerized device, or other instrument is used by a
controller to monitor or control all or part of a pipeline facility or
a component of a pipeline facility.
Controller means an individual who uses a control panel,
computerized device, or other equipment to monitor or control all or
part of a pipeline facility that the individual cannot directly observe
with the naked eye. An individual who operates equipment locally, but
who cannot see the equipment respond without using a closed circuit
television system or other external device, is a controller when
performing this activity regardless of job title or whether actions are
overseen by another controller or supervisor. An individual who
performs these functions on a part time basis is considered a
controller only when performing these functions.
* * * * *
Supervisory Control and Data Acquisition System (SCADA) means a
computer-based system that gathers field data, provides a structured
view of pipeline system or facility operations, and may provide a means
to control pipeline operations.
* * * * *
18. In Sec. 195.3(c), amend the table by adding item B.(18) to
read as follows:
Sec. 195.3 Incorporation by reference.
* * * * *
(c) * * *
------------------------------------------------------------------------
------------------------------------------------------------------------
* * * * * * *
B. * * *
(18) API Recommended Practice 1165 Sec. 195.454(c)(1)
``Recommended Practice for Pipeline SCADA
Displays,'' (January 2007).
* * * * * * *
------------------------------------------------------------------------
19. Amend Sec. 195.402 by adding paragraphs (c)(15) and (e)(10) to
read as follows:
Sec. 195.402 Procedural manual for operations, maintenance, and
emergencies.
* * * * *
(c) * * *
(15) Implementing the applicable control room management procedures
required by Sec. 195.454.
* * * * *
(e) * * *
(10) Implementing actions required to be taken by a controller
during an emergency, in accordance with Sec. 195.454.
* * * * *
20. Add Sec. 195.454 to subpart F to read as follows:
Sec. 195.454 Control room management.
(a) General. Each operator of a pipeline facility with at least one
controller and control room must have and follow written control room
management procedures that implement the requirements of this section.
The procedures must be integrated, as appropriate, into the operator's
written manuals of procedures required by Sec. 195.402, and written
qualification program required by Sec. 195.505. The operator must
develop and implement the procedures no later than the dates in the
table below.
------------------------------------------------------------------------
Develop procedures Implement procedures
Control room type by: by:
------------------------------------------------------------------------
(1) Remote operations [insert date 12 [insert date 24
(control and/or monitoring) months after months after
of pipelines. effective date of effective date of
final rule]. final rule].
(2) Remote operations of [insert date 24 [insert date 30
equipment within a single months after months after
site (e.g., pump station). effective date of effective date of
final rule]. final rule].
(3) Pipelines with local [insert date 30 [insert date 30
control only. months after months after
effective date of effective date of
final rule]. final rule].
(4) Control rooms or local 12 months after 12 months after
control stations placed in placement in placement in
service after [insert service. service.
effective date of the final
rule], but before [insert
date 12 months after the
effective date of final
rule].
(5) Control rooms or local Before placing in Upon placing in
control stations placed in service. service.
service after [insert date
12 months after the
effective date of final
rule].
------------------------------------------------------------------------
(b) Roles and responsibilities. Each operator must define the roles
and responsibilities of a controller during normal, abnormal, and
emergency operating conditions. To provide for a controller's prompt
and appropriate response to operating conditions, each operator must
define:
(1) A controller's authority and responsibility to make decisions
and take actions during normal operations.
[[Page 53102]]
(2) A controller's role when an abnormal operating condition is
detected, even if the controller is not the first to detect the
condition, including the controller's responsibility to take specific
actions and to communicate with others.
(3) A controller's role during an emergency, even if the controller
is not the first to detect the emergency, including the controller's
responsibility to take specific actions and to communicate with others.
(4) A controller's responsibility to provide timely notification
and coordination with the operator of another pipeline in a common
corridor when a leak or failure is suspected, including upon receipt of
a notification from the public concerning a suspected leak on an asset
owned or operated by the other company but located in the same common
corridor or right-of-way.
(5) A method of recording when a controller is responsible for
monitoring or controlling any portion of a pipeline facility by
implementing an individual console or a system log-in feature or by
documenting in the shift records the time and name of each controller
who assumed the responsibility during a shift-change or other hand-over
of responsibility.
(c) Provide adequate information. Each operator must provide each
controller with the information necessary for the controller to carry
out the roles and responsibilities defined by the operator and must
verify that a controller knows the equipment, components and the
effects of the controller's actions on the pipeline or pipeline
facilities under the controller's control. Each operator must:
(1) Provide a controller with accurate, adequate, and timely data
concerning operation of the pipeline facility. Wherever a SCADA system
is used, the operator must implement API RP-1165 (incorporated by
reference, see Sec. 195.3) in its entirety, unless the operator can
adequately demonstrate that a provision of API RP-1165 is not
applicable or is impracticable in the SCADA system used.
(2) Validate that any SCADA system display accurately depicts field
equipment configuration by completing all of the following:
(i) Conduct and document a point-to-point baseline verification
between field equipment and all SCADA system displays to verify 100
percent of the system displays. An operator must complete the baseline
verification no later than [insert date three years after effective
date of final rule] or by [insert date one year after effective date of
final rule] for an operator of a pipeline system containing less than
500 miles of pipeline. An operator may use any documented point-to-
point verification completed after [insert date three years before
effective date of final rule] to meet some or all of this baseline
verification. A point-to-point verification must include equipment
locations, ranges, alarm set-point values, alarm activation, required
alarm visual or audible response, and proper equipment or software
response to SCADA system values.
(ii) Verify that SCADA displays accurately depict field
configuration when any modification is made to field equipment or
applicable software and conduct a point-to-point verification for
associated changes.
(iii) Perform a point-to-point verification as part of implementing
a SCADA system change for all portions of the pipeline system or
facility affected by the change.
(iv) Develop a plan for systematic re-verification of the accuracy
of the SCADA system display.
(3) Establish a means for timely verbal communication among a
controller, management, and field personnel.
(4) Identify circumstances that require field personnel to promptly
notify the controller. These circumstances must include the
identification by field personnel of a leak or situation that could
reasonably be expected to develop into an accident if left unaddressed.
(5) Define and record critical information during each shift.
(6) Provide for the exchange of information when a shift changes or
when another controller assumes responsibility for operations for any
reason.
(7) Establish sufficient overlap of controller shifts to permit the
exchange of necessary information.
(8) Periodically test and verify a backup communication system or
provide adequate means for manual operation or shutdown of the affected
portion of the pipeline safely.
(d) Fatigue mitigation. Each operator must implement methods to
prevent controller fatigue that could inhibit a controller's ability to
carry out the roles and responsibilities defined by the operator. To
protect against the onset of fatigue, each operator must:
(1) Establish shift lengths and schedule rotations that provide
controllers off-duty time sufficient to achieve eight hours of
continuous sleep;
(2) Educate a controller and his supervisor in fatigue mitigation
strategies and how off-duty activities contribute to fatigue;
(3) Train a controller and his supervisor to recognize and mitigate
the effects of fatigue;
(4) Implement additional measures to monitor for fatigue when a
single controller is on duty; and
(5) Establish a maximum limit on controller hours-of-service, which
may include an exception during an emergency with appropriate
management approval. An operator must specify emergency situations for
which a deviation from the hours-of-service maximum limit is permitted.
(e) Alarm management. Each operator using a SCADA system must
assure appropriate controller response to alarms and notifications. An
operator must:
(1) Review SCADA operations at least once each week for:
(i) Events that should have resulted in alarms or event indications
that did not do so;
(ii) Proper and timely controller response to alarms or events;
(iii) Identification of unexplained changes in the number of alarms
or controller management of alarms;
(iv) Identification of nuisance alarms;
(v) Verification that the number of alarms received is not
excessive;
(vi) Identification of instances in which alarms were acknowledged
but associated response actions were inadequate or untimely;
(vii) Identification of abnormal or emergency operating conditions
and a review of controller response actions;
(viii) Identification of system maintenance issues;
(ix) Identification of systemic problems, server load, or
communication problems;
(x) Identification of points that have been taken off scan or that
have had forced or manual values for extended periods; and
(xi) Comparison of controller logs or shift notes to SCADA alarm
records to identify maintenance requirements or training needs.
(2) Review SCADA configuration and alarm management operations at
least once each calendar year but at intervals not to exceed 15 months.
At a minimum, reviews must include consideration of the following
factors:
(i) Number of alarms;
(ii) Potential systemic issues;
(iii) Unnecessary alarms;
(iv) Individual controller's performance changes over time
regarding alarm or event response;
(v) Alarm indications of abnormal operating conditions;
(vi) Recurring combinations of abnormal operating conditions and
the inclusion of such combinations in controller training;
[[Page 53103]]
(vii) Alarm indications of emergency conditions;
(viii) Individual controller workload;
(ix) Clarity of alarm descriptors to the controllers so controllers
fully understand the meaning and nature of each alarm; and
(x) Verification of correct alarm set-point values.
(3) Promptly address all deficiencies identified in the weekly and
calendar year SCADA reviews.
(f) Change management. Each operator must establish thorough and
frequent communications between a controller, management, and field
personnel when planning and implementing physical changes to pipeline
equipment and configuration. Field personnel must be required to
promptly notify a controller when emergency conditions exist or when
performing maintenance and making field changes.
(1) Maintenance procedures must include tracking and repair of
controller-identified problems with the SCADA system or field
instrumentation to provide for prompt response.
(2) SCADA system modifications must be coordinated in advance to
allow enough time for adequate controller training and familiarization
unless such modifications are made during an emergency response or
recovery operation.
(3) An operator shall seek control room participation when pipeline
hydraulic or configuration changes are being considered.
(4) Merger, acquisition, and divestiture plans must be developed
and used to establish and conduct controller training and qualification
prior to the implementation of any changes to the controller's
responsibilities.
(5) Changes to alarm set-point values, automated routine software,
and relief valve settings must be communicated to the controller prior
to implementation.
(6) An operator must thoroughly document and keep records for each
of these occurrences.
(g) Operating experience.
(1) Each operator must review control room operations following any
event that must be reported as an accident pursuant to Sec. 195.50
determine and correct, where necessary, deficiencies related to:
(i) Controller fatigue;
(ii) Field equipment;
(iii) The operation of any relief device;
(iv) Procedures;
(v) SCADA system configuration;
(vi) SCADA system performance;
(vii) Accuracy, timeliness, and portrayal of field information on
SCADA displays; and
(viii) Simulator or non-simulator training programs.
(2) Each operator must establish a definition or threshold for
close-call events to evaluate event significance. For those events the
operator determines to be significant, the operator must conduct the
review required by paragraph (g)(1) of this section and the operator
must share the information with all controllers.
(3) Each operator must review the accuracy and timeliness of SCADA
data and how it is portrayed on displays.
(h) Training. Each operator must establish a training program and
review the training program content to identify potential improvements
at least once each calendar year, but at intervals not to exceed 15
months. An operator must train each controller to carry out the roles
and responsibilities defined by the operator. In addition, the training
program must include the following elements:
(1) Responding to abnormal operating conditions likely to occur
simultaneously or in sequence.
(2) Use of a simulator or non-computerized (tabletop) method to
train controllers to recognize abnormal operating conditions, in
particular leak and failure events. Simulations and tabletop exercises
must include representative communications between controllers and
individuals that operators would expect to be involved during actual
events. Controllers will participate in improvement and development of
tabletop or simulation training scenarios.
(3) Providing appropriate information to the public and emergency
response personnel during emergency situations, and informing
controllers of the information being provided to the public or
emergency responders under Sec. 195.440 so that the controllers can
understand the context in which this information will be received.
(4) On-site visits by controllers to a representative sampling of
field installations similar to those for which each controller is
responsible to familiarize themselves with the equipment and with
station personnel functions.
(5) Review of procedures for pipeline operating setups that are
periodically, but infrequently used.
(6) Hydraulic pipeline training that is sufficient to obtain a
thorough knowledge of the pipeline system, especially during the
development of abnormal operating conditions.
(7) Site specific training on equipment failure modes.
(8) Specific training on system tools available to determine a leak
or significant failure and specific training on other operator contact
protocols when there is reason to suspect a leak in a common pipeline
corridor or right-of-way.
(i) Qualification. An operator must have a program in accordance
with subpart G of this part to determine that each controller is
qualified. An operator's procedures for the qualification of
controllers must include provisions to:
(1) Measure and verify a controller's performance including the
controller's ability to detect abnormal and emergency conditions
promptly, and to respond appropriately.
(2) Evaluate a controller's physical abilities, including hearing,
colorblindness (color perception), and visual acuity, which could
affect the controller's ability to perform the assigned duties.
(3) Evaluate a controller's qualifications at least once each
calendar year, but at intervals not to exceed 15 months.
(4) Implement methods to address gradual degradation in performance
or physical abilities in a controller.
(5) Revoke a controller's qualification for extended time off-duty
or absence (of a duration determined by the operator based on the
complexity and significance of the controller's role), inadequate
performance, impaired physical ability beyond what the operator can
accommodate, influence of drugs or alcohol, or any other reason
determined by the operator to be necessary to support the safe
operation of a pipeline facility.
(6) Restore a revoked qualification by specifying the circumstances
for which a complete re-qualification is required, and the
circumstances for which other means of restoration may be used, such as
a period of review, shadowing, retraining, or all of these.
(7) Document when an oral examination is used as the means of
evaluation, including the topics covered.
(8) Prohibit individuals without a current controller qualification
from performing the duties of a controller.
(j) Validation. An operator must have a senior executive officer
validate by signature not later than the date by which control room
management procedures must be implemented (see paragraph (a) of this
section), and annually thereafter by June 15 of each year, that the
operator has:
(1) Conducted a review of controller qualification and training
programs and has determined both programs to be adequate;
[[Page 53104]]
(2) Permitted only qualified controllers to operate the pipeline;
(3) Implemented the requirements of this section;
(4) Continued to address ergonomic and fatigue factors; and
(5) Involved controllers in finding ways to sustain and improve
safety and pipeline integrity through control room management.
(k) Compliance and deviations. An operator must maintain for review
during inspection:
(1) Records that demonstrate compliance with the requirements of
this section; and
(2) Documentation of decisions and analyses to support any
deviation from the procedures required by this section. An operator
must report any such deviation to PHMSA upon request, or in the case of
an intrastate pipeline facility regulated by a state, upon request by
the state pipeline safety authority.
21. Amend Sec. 195.505 by adding paragraph (j) to read as follows:
Sec. 195.505 Qualification program.
* * * * *
(j) Incorporate requirements applicable to controller qualification
in accordance with Sec. 195.454.
Issued in Washington, DC, on September 2, 2008.
Jeffrey D. Wiese,
Associate Administrator for Pipeline Safety.
[FR Doc. E8-20701 Filed 9-11-08; 8:45 am]
BILLING CODE 4910-60-P