Open Collections

UBC Theses and Dissertations

UBC Theses Logo

UBC Theses and Dissertations

A risk-based assessment of integrity management program for oil and gas pipelines : a regulatory perspective Iqbal, Hassan 2018

Your browser doesn't seem to have a PDF viewer, please download the PDF to view this item.

Item Metadata

Download

Media
24-ubc_2018_september_iqbal_hassan.pdf [ 3.01MB ]
Metadata
JSON: 24-1.0371924.json
JSON-LD: 24-1.0371924-ld.json
RDF/XML (Pretty): 24-1.0371924-rdf.xml
RDF/JSON: 24-1.0371924-rdf.json
Turtle: 24-1.0371924-turtle.txt
N-Triples: 24-1.0371924-rdf-ntriples.txt
Original Record: 24-1.0371924-source.json
Full Text
24-1.0371924-fulltext.txt
Citation
24-1.0371924.ris

Full Text

   A Risk-based Assessment of Integrity Management Program for Oil and Gas Pipelines:  A Regulatory Perspective by Hassan Iqbal M.Sc., University of Engineering and Technology, 2004 A THESIS SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY in The College of Graduate Studies (Mechanical Engineering) THE UNIVERSITY OF BRITISH COLUMBIA (Okanagan Campus)  August 2018 © Hassan Iqbal, 2018   ii  The undersigned certify that they have read, and recommend to the College of Graduate Studies for acceptance, a thesis entitled: A Risk-based Assessment of Integrity Management Program for Oil and Gas Pipelines: A Regulatory Perspective Submitted by  Hassan Iqbal  in partial fulfillment of the requirements of the degree of   Doctor of Philosophy .  Dr. Rehan Sadiq, School of Engineering / University of British Columbia Okanagan   Supervisor, Professor and Associate Dean   Dr. Kasun Hewage, School of Engineering / University of British Columbia Okanagan  Supervisory Committee Member, Professor   Dr. Solomon Tesfamariam, School of Engineering / University of British Columbia Okanagan  Supervisory Committee Member, Professor   University Examiner,   Professor : Dr. Kevin Hanna, Director, Centre for Environmental Assessment Research  External Examiner,  Professor Jianbing Li, University of Northern British Columbia    iii  Abstract Pipelines are one of the most critical components of oil and gas (O&G) industry for the product transportation from upstream and downstream operations. Pipeline integrity is vital to maintaining production operations, protection of natural environments and human life. Integrity management programs (IMPs) are developed and implemented in the pipeline industry to ensure safe and reliable operations. IMP is comprised of management systems and technical operational procedures. Regulators monitor the effective implementation of the IMPs through a periodic auditing system.   Most of the discussion on integrity management is driven by technical aspects of integrity management. However, recent global accident investigations have instigated regulators and operators to focus on management aspect of IMP. IMP is the formal process of planning, training, documenting, record management, management review, risk assessment, and learning from incident investigations. In Canada, the pipeline operators develop and implement IMPs based on industry standard guidelines (CSA Z662, API 1160, ASME B31.8) and regulatory protocols. These industry standard guidelines are goal based, therefore the companies and the regulators have different interpretations of IMP requirements. The difference in the interpretation makes the IMP assessment a challenging task for the regulatory bodies. Compliance is not sufficient to measure the effectiveness of an IMP. Moreover, the industry is also striving to establish a culture of safety within the organizations. The culture maturity assessment is also a challenge. In this research, a novel approach is adopted to develop a framework to address the challenges of diverse interpretations and assessment methods by; categorizing IMPs requirements, linking with safety culture attributes; using risk assessment in the auditing process; and benchmarking. The  iv  noncompliance of IMP requirements and degree of effectiveness are taken as the risk of integrity failure. This research used modified failure mode effects analysis as risk assessment to incorporate in the auditing process. The framework is implemented for regulatory audits, and results are analyzed through benchmarking. The benchmarking analyses identified the low performing IMP components, and set the targets for continuous improvement cycle. This research is a paradigm shift from conventional compliance assessment to the risk assessment of IMP performance and a safety culture maturity assessment.                v  Lay Summary The O&G pipeline industry’s operations are associated with high levels of risk to cause heavy damage to assets as well as environment. The industry has an incident history, which has a severe socio-economic impact. Findings of incident investigations have shifted industry’s focus from technical measures to the management systems and safety culture. An integrity management program (IMP) is a comprehensive program, which deals with management system components such as policies, human resource competency, management roles and responsibilities, risk assessment, and technical measures. An effective IMP is not achievable without strong safety culture in the organization. However, the assessment of the program and gauging its effectiveness is a challenging task for both industry and regulators.  The presented research is an innovative solution to address this challenging task. In this research, a risk assessment framework for IMP effectiveness, safety culture maturity level, and performance benchmarking is developed and presented.   vi  Preface I, Hassan Iqbal , has developed all contents in this thesis under the supervision of Dr. Rehan Sadiq, Dr. Solomon Tesfamariam, Dr. Kasun Hewage (University of British Columbia), Dr. Husnain Haider (Qassim University) and Dr. Bushra Waheed (BC OGC), who have provided critical feedback and review of the publications listed below.  • The part of literature review presented in Chapter 2 has been published as a review article in the “Journal of Structure and Infrastructure Engineering” entitled “Inspection and maintenance of oil & gas pipelines: a review of policies ”(Iqbal, Tesfamariam, et al., 2016). Figures and tables are adapted and reproduced with permission from © Taylor & Francis. • The part of methodology presented in Chapter 3 is published in the “ASCE Journal of Pipeline Systems Engineering and Practices” entitled “IMPAKT: An Oil & Gas Pipeline Integrity Management Program Assessment (Iqbal et al. 2018). Figures and tables are adapted and reproduced with permission from © American Society of Civil Engineering.  <https://ascelibrary.org/doi/abs/10.1061/%28ASCE%29PS.1949-1204.0000326>”  • The part of methodology presented in Chapter 4 has been submitted to the “Journal of Safety Research” entitled “Mapping Safety Culture Assessment Goals to Integrity Management Program: A Framework for Oil and Gas Pipelines Industry ” (Iqbal, Waheed, et al., 2018) • The part of methodology presented in Chapter 5 has been submitted to the “International Journal of System Assurance Engineering and Management” entitled “Performance Benchmarking of Integrity Management Program and Safety Culture for Oil and Gas Industry: A Regulatory Perspective” (Iqbal, Waheed, et al., 2018).   vii  Table of Contents Abstract ......................................................................................................................................... iii Lay Summary .................................................................................................................................. v Preface............................................................................................................................................ vi Table of Contents .......................................................................................................................... vii List of Tables ................................................................................................................................ xii List of Figures .............................................................................................................................. xiii List of Acronyms .......................................................................................................................... xv Acknowledgments........................................................................................................................ xvi Dedication .................................................................................................................................. xviii Chapter 1 : Introduction ............................................................................................................. 19 1.1 Problem Formulation........................................................................................................ 19 1.1.1 Vulnerability and Safety ........................................................................................... 20 1.1.2 Integrity Managment ................................................................................................. 21 1.1.3 Regulator’s Role ....................................................................................................... 22 1.2 Research Motivation ......................................................................................................... 24 1.3 Goals and Objectives ........................................................................................................ 25 1.4 Framework Phases and Thesis Organization ................................................................... 27 1.4.1 Phase 1: Pipeline Integrity Review (Chapter2) ......................................................... 27 1.4.2 Phase 2: IMP Assessment Model (Chapter 3) .......................................................... 27 1.4.3 Phase 3: Safety Culture Linking with IMP and Assessment Model (Chapter 4)...... 28 1.4.4 Phase 4: Performance Benchmarking (Chapter 5) .................................................... 28 1.5 Meta Language ................................................................................................................. 29 Chapter 2 : A Critical Review of Inspection and Maintenance Policies of Oil & Gas Pipelines 33 2.1 Background ....................................................................................................................... 33 2.1.1 Pipeline Systems ....................................................................................................... 34 2.1.2 Integrity Management ............................................................................................... 37 2.1.3 Inspection Process ..................................................................................................... 39 2.1.4 Evolution of Maintenance Policies ........................................................................... 42  viii  2.2 Inspection and Maintenance Policies for O&G Pipelines ................................................ 46 2.2.1 Corrective Maintenance ............................................................................................ 48 2.2.2 Preventive Maintenance ............................................................................................ 48 2.2.3 Predictive Maintenance / Condition-based Maintenance ......................................... 52 2.2.4 Estimation of Inspection Intervals ............................................................................ 54 2.2.5 Proactive Maintenance / Risk-based Maintenance ................................................... 56 2.2.6 Decision-making Challenges under Uncertainties for Proactive Maintenance Policies 61 2.3 Summary ........................................................................................................................... 64 2.3.1 Lack of Data in Quantitative Models ........................................................................ 64 2.3.2 Subjectivity in Qualitative Models ........................................................................... 65 2.3.3 Investigation and Prediction of Defects .................................................................... 66 2.3.4 Variability in Inspection Results ............................................................................... 68 Chapter 3 : Integrity Management Program (IMP) Assessment ............................................ 72 3.1 Background ....................................................................................................................... 72 3.1.1 Asset Integrity Management System (IMS) ............................................................. 72 3.1.2 Pipeline Integrity Management System .................................................................... 74 3.1.3 Factors Affecting Integrity ........................................................................................ 75 3.1.4 Integrity Management Processes (IMPr) .................................................................. 76 3.2 Integrity Management Program (IMP) ............................................................................. 78 3.2.1 Industrial Standards .................................................................................................. 79 3.2.2 High Consequences Area (HCA) Focused Approach ............................................... 80 3.2.3 Goal Oriented Approach ........................................................................................... 80 3.2.4 IMP expectations ...................................................................................................... 82 3.3 Integrity Management Assessment .................................................................................... 83 3.3.1 IMP Assessment model-Auditing process ................................................................ 84 3.3.2 IMP components ....................................................................................................... 85 3.3.3 IMP components compliance criteria ....................................................................... 85 3.3.4 Analysis..................................................................................................................... 87 3.3.5 Occurrence (O).......................................................................................................... 90  ix  3.3.6 Severity (S) ............................................................................................................... 91 3.3.7 Effectiveness (E) ....................................................................................................... 91 3.3.8 RPN Calculations ...................................................................................................... 92 3.4 Integrity Management Program Assessment and Knowledge Tool (IMPAKT) ................ 92 3.4.1 IMPAKT Implementation: A Case Study ................................................................. 93 3.5 Summary ........................................................................................................................... 96 Chapter 4 : Safety Culture Assessment ................................................................................... 100 4.1 Background ..................................................................................................................... 100 4.1.1 Recent Pipeline Incidents Investigations ................................................................ 102 4.1.2 Case study I: Pacific Gas and Electric Company (PG&E) ..................................... 103 4.1.3 Case Study II: Carlsbad, New Mexico .................................................................... 104 4.1.4 Case Study III: Plains Midstream Canada ULC’s pipeline .................................... 104 4.2 Organizational Culture ................................................................................................... 105 4.2.1 Types of Organizational Culture ............................................................................. 108 4.2.2 Maturity Models...................................................................................................... 110 4.2.3 Evaluating Safety Culture ....................................................................................... 111 4.3 Safety Culture Model of NARWGSC ............................................................................... 115 4.3.1 Committed Safety Leadership................................................................................. 116 4.3.2 Vigilance ................................................................................................................. 117 4.3.3 Empowerment and Accountability ......................................................................... 118 4.3.4 Resiliency ................................................................................................................ 118 4.4 Safety Culture and IMP Integrated Model (Methodology) ............................................. 120 4.4.1 IMP Requirements and Performance Indicator (PI) ............................................... 121 4.5 Regulatory Audits and Data Collection .......................................................................... 125 4.5.1 Compliance Survey Questionnaire ......................................................................... 125 4.5.2 Documents and Record Review .............................................................................. 126 4.5.3 Interview with the Representative Team ................................................................ 126 4.6 Risk Assessment .............................................................................................................. 127 4.6.1 Risk Calculations .................................................................................................... 127 4.6.2 Ranking of IMP Components within the Safety Culture Attributes ....................... 129  x  4.6.3 Calculating Severity Score ...................................................................................... 130 4.6.4 Interpreting of Risk Assessment Results ................................................................ 131 4.7 Model Implementation: A Case Study ............................................................................. 132 4.8 Summary ......................................................................................................................... 136 Chapter 5 : Performance Benchmarking ................................................................................ 138 5.1 Background ..................................................................................................................... 138 5.1.1 Oil and Gas Sector .................................................................................................. 139 5.1.2 Regulatory Perspective ........................................................................................... 141 5.1.3 Integrity Management Program (IMP) ................................................................... 142 5.1.4 Safety Culture ......................................................................................................... 142 5.2 Model .............................................................................................................................. 145 5.2.1 Phase 1: Identification of IMP and Safety Culture Requirements .......................... 145 5.2.2 Phase 2: Development of Risk Assessment Model................................................. 146 5.2.3 Linking IMP with the Safety Culture Assessment .................................................. 147 5.3 Audit Tool........................................................................................................................ 150 5.4 Framework Implementation ............................................................................................ 152 5.4.1 Case Study .............................................................................................................. 152 5.5 Results and Discussions .................................................................................................. 152 5.5.1 IMP Benchmarking - Cycle 1 ................................................................................. 154 5.5.2 Safety Culture Benchmarking - Cycle 1 ................................................................. 155 5.5.3 Cycle 2- Results for IMP and Safety Culture ......................................................... 156 5.6 CPI Integration with the Framework .............................................................................. 162 5.6.1 Integrating with PDSA ............................................................................................ 162 5.6.2 Integrating with the Concept of LEAN ................................................................... 163 5.7 Summary ......................................................................................................................... 164 Chapter 6 : Summary and Conclusions .................................................................................. 166 6.1 Summary ......................................................................................................................... 166 6.2 Conclusions ..................................................................................................................... 167 6.3 Originality and Contributions......................................................................................... 169 6.4 Limitations and Recommendations ................................................................................. 170  xi  Bibliography .............................................................................................................................. 172 Appendix A ................................................................................................................................ 189 Risk assessment: Models and Methods ................................................................................... 189 Risk Assessment methodologies ......................................................................................... 191 Summary ............................................................................................................................. 192 Review of Industrial standards ............................................................................................... 194 CSA Z662 ................................................................................................................................ 194 History................................................................................................................................. 194 Objectives ........................................................................................................................... 194 Clauses ................................................................................................................................ 195 Annex N (Guidelines for pipeline system integrity management programs) ..................... 195 ASME B31.8 S ......................................................................................................................... 198 Objectives ........................................................................................................................... 199 Integrity management plan ................................................................................................. 200 Performance Plan ................................................................................................................ 200 Communication Plan ........................................................................................................... 202 Management of Change Plan .............................................................................................. 203 Quality Control Plan ........................................................................................................... 203 API 1160 ................................................................................................................................. 204 Clauses ................................................................................................................................ 204 Elements of integrity management ..................................................................................... 205 Appendix B ................................................................................................................................ 207      Auxiliary Tables and Figures ................................................................................................................... 207 IMP Assessment Qustionnair .................................................................................................. 218     xii  List of Tables Table 3.1: Pipeline integrity issues related to lifecycle processes .............................................. 76 Table 3.2: IMP components and their grouping into core components ...................................... 86 Table 3.3: IMP assessment question relationships with different IMP components .................. 89 Table 3.4: IMP Component compliance and non-compliance data ............................................ 98 Table 4.1: Types of organizational cultures and their characteristics ....................................... 109 Table 4.2: Safety models and common attributes ..................................................................... 111 Table 4.3: Organizational attributes that reflect the safety culture ........................................... 113 Table 4.4: Safety Culture attributes and their characteristics (NARWGSC 2016) ................... 119 Table 4.5: Components of Integrity management program (IMP) ........................................... 122 Table 4.6: IMP components linking with safety culture attributes ........................................... 123 Table 4.7: Assessment questions integrated with safety culture attributes and IMP components ................................................................................................................. 124 Table 4.8: FMEA components calculations and scoring criteria .............................................. 128 Table 5.1: Safety models and their common attributes............................................................. 143 Table 5.2: Safety Culture attributes and their characteristics (NARWGSC 2016) ................... 144 Table 5.3: IMP components and higher level ........................................................................... 148 Table 5.4: IMP components classifications in rows against the safety culture elements arranged in columns .................................................................................................... 149 Table 5.5: Ranking of IMP components and importance scores under the safety culture attribute of ‘safety leadership commitment (Hasan and Sadiq 2017) ......................... 150 Table 5.6: Number of companies audited per year from 2011-2016 ........................................ 152 Table 5.7: Performance levels translated into competitive, compliance, and safety culture maturity level .............................................................................................................. 153 Table 5.8: Statistics of IMP performance analysis results for Cycle 1 ..................................... 154      xiii  List of Figures Figure 1.1: Proposed integrated framework.............................................................................. 31 Figure 1.2: Thesis Structure ...................................................................................................... 32 Figure 2.1: Oil & gas pipeline system: a) Oil pipeline system b) Gas pipeline system, adapted from CEPA (2015) ............................................................................................. 36 Figure 2.2: Main components of magnetic flux leakage type smart inspection PIG reproduced from Non-destructive Testing Resource Center (2015) ............................... 41 Figure 2.3: Bathtub curve showing traditional behavior for equipment lifecycle adopted from (Ahmad & Kamaruddin 2012) ................................................................................ 44 Figure 2.4: Evolution of maintenance policies for assets from 1940 to present ....................... 46 Figure 2.5: Decision process-flow diagram for preventive maintenance policies .................... 53 Figure 2.6 : Risk assessment process adapted from Arunraj & Maiti (2007) ........................... 59 Figure 2.7: Evolution of different types of maintenance policies showing number of studies reported in literature ........................................................................................................ 62 Figure 2.8: Distribution of 50 studies for risk-based maintenance of assets showing uncertainties influencing the effectiveness of maintenance policies decisions ............... 63 Figure 3.1: Companies pipeline integrity expectations............................................................. 83 Figure 3.2: Integrity Management Program – A risk assessment model .................................. 84 Figure 3.3: IMP components risk assessment results ............................................................... 95 Figure 3.4: High-level IMP components risk assessment results ............................................. 95 Figure 3.5: IMP requirements compliance status ..................................................................... 97 Figure 3.6: Risk assessment results - a comparison of three companies .................................. 97 Figure 4.1: Safety Culture improvement interventions: Source (Minds 2008) ...................... 114 Figure 4.2: HSE multiple perspective assessment model. Source: HSE ................................ 115 Figure 4.3: Model Flow linking safety culture assessment with integrity management program.......................................................................................................................... 121 Figure 4.4: Percentage contribution of IMP components on safety culture assessment results ............................................................................................................................. 131 Figure 4.5: IMP assessment results and risk zones ................................................................. 134 Figure 4.6: Safety culture levels ............................................................................................. 135  xiv  Figure 5.1: An integrated model for IMP and Safety culture assessment .............................. 147 Figure 5.2: Percentage contribution of IMP components on the SC assessment (Hassan et al. 2017) ......................................................................................................................... 149 Figure 5.3: IMP assessment data spread of Audit Cycle 1 from FY 2011 to 2015, a) large-sized companies, b) medium-sized companies, c) small-sizes companies, d) consolidated results ....................................................................................................... 158 Figure 5.4: Safety Culture assessment data spread of Audit Cycle 1 from FY 2011 to 2015 a) large-sized companies, b) medium-sized companies, c) small-sizes companies, d) consolidated results ....................................................................................................... 160 Figure 5.5: IMP components contribution in IMP and safety culture performance. .............. 161 Figure 5.6: Consolidated results for all asset classes for Cycle 2 (FY 2016), a) IMP performance profile, b) safety culture profile ................................................................ 162 Figure 5.7: Framework integration with PDSA ...................................................................... 163     xv  List of Acronyms American Petroleum Institute API American Society of Mechanical Engineers ASME Condition-based maintenance CBM Condition-based inspection and maintenance CBIM Corrective maintenance CM In-line inspection  ILI Inspection and maintenance I&M Oil & Gas O&G Pipeline integrity PI Risk-based inspection RBI Risk-based maintenance RBM Risk-based inspection and maintenance RBIM Time-based preventive maintenance TBPM Failure mode effect analysis FMEA Benchmarking BM Continuous performance improvement CPI Integrity management program IMP Integrity management processes IMPr British Columbia Oil and Gas Commission BCOGC        xvi  Acknowledgments I would like to present my gratitude to my supervisor, Dr. Rehan Sadiq for his immense support, patience, and guidance throughout my research. Dr. Sadiq’s mentorship incubated my critical thinking and intellectual growth to ‘think without a box’ while providing nothing but positivity and encouragement from my first day as a Ph.D. student. His valuable time helped me to carve my industrial and academic experience into ideas, concepts, and innovative research. I would also like to thank Dr. Bushra Waheed, an active industrial partner, who helped me to align the research with industrial requirements. My special gratitude to Dr. Husnain Haider, who mentored me throughout my whole research. His encouragement, valuable input positive criticism was inspiration for me.    I am highly obliged to thank my committee members Dr. Solomon Tesfamariam, Dr. Kasun Hewage, fellow graduate students and friends, Dr. Ty Anthony Bereskie, Abdul Aziz AlGhamdi, Adil Omer, Tim Hurley, Oleg Shabarchin, Josephine Morgenroth and Kelsey McAuliffe for their assistance, guidance, and friendship. My special gratitude to Shannon Hohl and Angela Perry at UBCO for assisting with the financial and administrative aspects of my research.  I also extend my love and sincerest thanks to my family, mother, brother, aunts, uncles, cousins, and friends who prayed and supported me emotionally. Lastly, my immense thanks and love to my wife Hira and children Musab, Sumaya, and Yahya. They encouraged, supported and felt me comfortable during this stressful long process. Their love provided me a constant source of inspiration to push forward this research.   xvii  I also  gratefully acknowledge the funding provided by NSERC and British Columbia Oil and Gas Commission (BCOGC) to support this research. I also appreciate the time and technical support provided by BCOGC personnel.    xviii  Dedication To my mother, wife, and brother who bring me courage, hope, positivity, and love    19  Chapter 1 : Introduction 1.1 Problem Formulation The oil and gas (O&G) industry is the most significant contributor to the global energy sector and accounts for a major volume of the transportation of petroleum products (Govan & Reinschmidt 2013). Oil and gas operations are spread over: i) upstream activities, including all processes prior to the refined product, i.e., exploration, drilling, extraction, storage, shipping, etc.; and ii) the downstream activities which involve refining, selling, and distribution of the product. Pipelines are reliable, practical, and the most cost-effective mode of transporting O&G products globally (Brito et al. 2010; NRC 2014). The O&G industry is continuously developing, and as a result, pipeline infrastructure stocks continue to expand around the world.  The United States (US), Canada, and Russia possess some of the world’s most expansive O&G pipeline infrastructure. In the US, 500,000 km of interstate and intrastate transmission pipeline infrastructure is transporting natural gas (EIA 2017). In 2005, Russia had 150,007 km of natural gas pipelines, 75,539 km of oil pipelines, 13,771 km for refined products, and 122 km of pipeline for gas condensate. Canada has world’s third-largest proven oil and gas reserves (Canada 2016), and owns 840,000 km of transmission, gathering, and distribution pipelines assets (NRC 2016). Member companies of the Canadian Energy Pipeline Association (CEPA) operate approximately 117,000 km of large-diameter oil transmission pipelines. These pipelines transport approximately three million barrels of oil every single day, which is enough to fill 4,200 rail cars or 15,000 tanker truckloads (CEPA 2017).     20  1.1.1 Vulnerability and Safety  The wide geographic spread of pipelines combined with their varied range of operations, sizes, materials, age, and environmental effects contribute to the hazards associated with the pipeline industry. Often these cumulative hazards make O&G pipeline safety a very complex process. Tragic onshore and offshore accidents attributed to the failure of pipelines  are major concerns for operating companies, regulators, and the public (AER 2014; NEB 2016; Peekema 2013a). The O&G pipeline industry has a checkered past evidenced by significant disasters, such as the Gulf of Mexico in 2000 (NEB 2016); the gas pipeline explosion in San Bruno, California in 2010  (Peekema 2013a); the Kalamazoo River oil spill in 2010; the Red Deer River spill in 2012 (AER 2014); and the May Flower, Arkansas, spill in 2013 (NEB 2016). To date, companies working in this sector have continuously been questioned by different environmental and human rights groups in many regions of the world (Schneider et al. 2015). Oil and gas companies are continuously striving to minimize the severity of the possible adverse impacts on both human beings and the natural environment (Schneider et al. 2011). Pipeline safety addresses measures taken to overcome the inherent vulnerability of pipeline infrastructure.  Pipeline safety is a subset of integrity management, which covers process safety, worker and public safety, operational safety, security, and environmental protection. A compromise on safety can lead to loss of containment, which can result in environmental degradation, human health risks, and socio-economic impacts. The failure of gas pipelines may have high consequences due to the potential for rapid spreading in the environment; whereas failure of oil pipelines can lead to long-lasting impacts on the surrounding environment and groundwater (Dey et al. 2004). Certainly, the consequences of failure and associated costs of repair depend on both the location and size of the pipe. However, despite adopting technical processes,  21  accidents continue to occur. This fact has prompted researchers to revisit their focus on technical measures and also study management behavior (Hudson 2007). For example, the International Atomic Energy Agency (IAEA) report (Culture 1991) on the Chernobyl disaster, introduced the concept of “safety culture” as the hidden factor of failure for high consequences industry i.e nuclear industry, process industry, O&G industry  (Choudhry et al. 2007; Goodfellow & Jonsson 2015; Pidgeon 1991).  1.1.2 Integrity Managment Integrity management requires awareness and management of many linked activities. Integrity management starts from the design stage and encompasses all phases of the pipeline. Pipeline incident investigations reveal that advancements in technology and sheer implementation of risk management strategies alone are not enough to take care all pipeline integrity management-related issues (Revie 2015). For example, one of the causes leading to the San Bruno (2010) (Peekema 2013b) incident was inadequate training and competency of the operators controlling and interpreting information from the control room supervisory control and data acquisition (SCADA) system. An effective integrity management program (IMP) needs to be implemented to address and control these hazards and associated risks (NEB 2016). An IMP is a set of safety management, analytical, operations, and maintenance processes. Industrial standards and regulatory authorities emphasize the importance of formal and efficient IMP implementation (CEPA 2013; Iqbal, Waheed, et al. 2016). Measuring IMP effectiveness is a challenging task. As per management system requirements, IMP performance and effectiveness is also assessed through internal and external audits. The audits are carried out through interviews, records review, and performance analyses of implemented  22  processes. Regulators, an external auditing body, ensure compliance with standards, regulations, and operators’ management programs during audits. Typical audits determine the conformance or compliance findings based on its scope. The process to evaluate the effectiveness based on conformance/compliance findings are challenging. The process defining non-conformance as minor or major nonconformance  outlined in ISO 9001, ISO 14001, and other similar management system audits is not able to evaluate the system’s effectiveness. Therefore, the auditing process offers many events to further explore and improve.  1.1.3 Regulator’s Role  The prime responsibility for ensuring the safety of the asset rests with the operating company. However, regulators are also concerned with businesses’ economic activities, public interest, and environmental protection and strive to keep risk “as low as possible.” Regulators can address these concerns by verifying the effectiveness of IMPs and organizational culture towards safety (Tronea 2014). However, the answer to the question of “what makes an effective IMP and mature culture of safety, and how to assess its strength and effectiveness?” is a challenging task.  Regulators emphasize that pipeline operating companies should follow the guidelines of industrial standards as minimum performance standards. For instance, Canadian regulators use CSAZ662 for their pipeline industry. Furthermore, North American regulators established a group to improve safety and environmental outcomes by levering safety culture. This group includes representatives from the National Energy Board (NEB), Canada Newfoundland and Labrador Offshore Petroleum Board (C-NLOPB), Canada Nova Scotia Offshore Petroleum Board (CNSOPB), United States’ Bureau of Safety and Environmental Enforcement (BSEE), and the United States’ Pipeline and Hazardous Materials Safety Administration (PHMSA) (NEB 2016). This group was further  23  expanded by the incorporation of the Alberta Energy Regulator (AER) and the British Columbia Oil and Gas Commission (BCOGC), which is known as North American Regulators Working Group on Safety Culture (NARWGSC 2016).  The group members discussed a philosophical but practical approach to safety culture’s assessment process and advancement. The outcome of the collaboration was the development of references and resources for the industry. The objective was to provide consistency and clarity in safety culture dimensions, attributes, and terminology. The group initiated a project to identify a suite of indicators. These indicators could be used for awareness of cultural threats and understanding of defenses mechanism in the O&G industry. The major attributes of the indicators are leadership commitment, safety vigilance, empowerment to make decisions, and accountability and capacity to respond effectively in case of failure. Canadian oil and gas pipeline operators and regulators are not only focused on IMP development and implementation but also monitor its effectiveness as a mandatory requirement in the standard (CSA Z662) guidelines. Internal audits, regulatory external audits, public surveys, and benchmarking techniques are common practices for assessment and continuous improvement of IMPs. Industrial standards are the common guidelines for both the operators and the regulators; however, their perspective of assessment varies. The operators prime interest is in low-cost operations, so they often adopt the minimum safety and integrity standards outlined in the regulations. Whereas, the regulator’s perspective of effective IMP focuses on operational integrity, human safety, and environmental protection. As the guidelines in the industrial standard are goal-based, operators translate them as per their own requirements, which make it difficult to measure and compare in a standardized way.   24  1.2 Research Motivation  Pipeline operators and researchers mostly address the technical issues related to pipeline IMPs such as failure prevention, inspection, and maintenance (Kishawy & Gabbar 2010), while also considering pipeline integrity management. Most of the on-going research is related to the evaluation and optimization of corrosion rates and visual inspection. The prioritization of resources depends on risk assessment results, which are based on inspection results. However, regulators’ concerns are more than just technical processes; they also place emphasis on comprehensive integrity programs, which addresses quality management systems as well.  Modern pipeline integrity standard guidelines adopt a goal-based approach (Michael Baker Jr. 2008). This approach allows operators to define goals and establish an IMP to meet those goals. On the positive side, this approach helps operators to utilize resources where needed; on the flip side, each operator has a different IMP. The differences between operators IMPs make it very challenging for regulators to establish common IMP assessment criteria for all operators.   The auditing process to evaluate quality management systems is usually a compliance auditing process. The same process is used for IMP evaluation (Guldenmund et al. 2006; Hart et al. 2009). This type of compliance auditing process is not always able to determine the effectiveness of the program being audited. Furthermore, this type of audit is also not able to determine noncompliance severity, and risk posed by each noncompliance. This issue is not addressed in the literature. However, regulators are facing this challenge on a daily basis and are also looking for a solution. Quality management systems are not effective until organizational cultures can support them. Similarly, IMPs are not effective without a strong, mature safety culture. The O&G regulators (NARWGSC) approach defines the attributes of safety culture for pipeline operators (NARWGSC  25  2016); however, guidelines are not capable of determining safety culture maturity levels. Furthermore, sometimes excessive and redundant auditing processes may place unnecessary burdens on operating companies as well, which may also affect the duties and responsibilities of personnel and management. Therefore, a comprehensive auditing process which reduces the redundancy and assesses different dimensions of program effectiveness is needed for the O&G pipeline sector. In addition, continuous performance improvement (CPI) should be the main philosophy of all business processes (Berger 1997; Schoeder & Robinson 1991). The CPI process for IMPs is only possible if a program’s performance is monitored and assessments provide meaningful results. Qualitative auditing processes may not be very helpful to identify the areas of low performance. Furthermore, the lessons learned from competitors’ success is also a proven process of CPI and is often referred to as a benchmarking (Govan & Reinschmidt 2013; Stapenhurst 2009). Quantitative assessment results are useful for the benchmarking process, but IMP auditing is a qualitative process. The challenge is to transform qualitative assessment results into reliable and meaningful quantitative results.  1.3 Goals and Objectives The identified research gaps led to the main goal of this research. This research developed a framework (Figure 1.1) which is able to transform conventional compliance auditing process results into a risk assessment of an IMP in terms of both technical and organizational performance and safety culture maturity levels. The proposed framework has the ability to incorporate the process for continuous performance improvement.  To accomplish this goal, the specific objectives are identified as:  26  • Objective 1 – Conduct a critical review of existing decision and policy-making processes for technical integrity, guidelines for IMP development process in industrial standards (CSA Z662, ASME B31.8S), and identify the applicable research gaps. • Objective 2 – Develop an integrated framework for continuous improvement of O&G pipeline integrity management programs. • Objective 3 – Develop a safety culture maturity assessment by linking IMP assessment results. • Objective 4 – Develop a benchmarking process and demonstrate the application of CPI for O&G pipelines. To achieve these objectives, an integrated framework is presented in Figure 1.1. The framework highlights the research roadmap adopted to achieve the objectives. The framework is comprised of four well-linked research phases. The framework also illustrates the outcomes of research, i.e., four journal articles, three models, and two application tools.  The research flow begins with the detailed review of pipeline incident investigations for the clear understanding of pipeline failures. The review identifies two main aspects of incident causes, technical failures, and management system failures. The causes of technical aspects of failure are due to design, materials, construction, corrosion, natural calamities. A large body of research is available that addresses the issues in detail through technical aspects of inspection, corrective actions (emergency responses and maintenance), material properties and manufacturing defects. The management aspect deals with policies, planning, training, and organizational culture, etc., is not usually sufficiently addressed. The pipeline industry standards, which address pipeline IMPs, are reviewed. The Canadian pipeline industry follows the guidelines outlined in industry standards  27  CSA Z662 supplemented by ASME and API standards and also regulatory protocol. These guidelines explain the requirements for technical integrity processes in a well-structured way; however, the guidelines for the management of integrity processes are goal-based rather than specific or prescriptive. Technical integrity assessment is a well-defined process, but research gaps are present in the management aspects of integrity and its meaningful assessment. 1.4 Framework Phases and Thesis Organization The thesis is organized into six chapters (Figure 1.2). Chapter 2 to 5 are the outcome of the research phases. Chapter 6 is the summary and conclusions of the research. 1.4.1 Phase 1: Pipeline Integrity Review (Chapter2) Phase 1 focuses on Objective 1. The review of pipeline incident investigations and pipeline integrity practices was conducted. The review covers the detailed study of pipeline integrity practices (industrial standards, e.g., CSA Z662, API 1160, ASME B31.8S), asset maintenance decision policies, risk assessment methodologies, and review of failure mode effect analysis (FMEA). The review findings are referenced in chapters 3 to 6. Chapter 2 is the detailed literature review of pipeline inspection and maintenance policies. The outcomes of the review were also published in the “Journal of Structure and Infrastructure Engineering” entitled “Inspection and maintenance of oil & gas pipelines: a review of policies” (Iqbal, Tesfamariam, et al. 2016)     1.4.2 Phase 2: IMP Assessment Model (Chapter 3) Objective 2 is mainly addressed in this phase. Phase 2 begins with the review of pipeline integrity management programs (IMPs), review of published literature and audit findings gathered during participation in IMP audits with regulators. The IMP requirements were identified, and  28  performance indicators were established. The IMP assessment is measured through a risk assessment model using modified FMEA. The model also provides the basis to link the IMP assessment with safety culture attributes to determine the maturity of safety culture. The model is used in regulatory audits in collaboration with a regulator. The audit results are used to establish the IMP performance profile. The detailed literature review of IMPs, partial literature review of pipeline maintenance policies, and the IMP assessment model are presented in Chapter 3. The presented model is published in the ASCE Journal of Pipeline Systems Engineering and Practices entitled “IMPAKT: An Oil & Gas Pipeline Integrity Management Program Assessment.” 1.4.3 Phase 3: Safety Culture Linking with IMP and Assessment Model (Chapter 4) Phase 3 addresses Objective 3 by linking safety culture maturity levels with the IMP assessment process. The concept of safety culture and its use in the pipeline industry was reviewed. The developed model mapped IMP assessment with safety culture maturity levels. The model was also used in regulatory audits. The literature review and model is presented in Chapter 4. The proposed model and results are submitted to the “Journal of Safety Research” entitled “Mapping Safety Culture Assessment Attributes to Integrity Management Program: A Framework for Oil and Gas Pipelines Industry.” 1.4.4 Phase 4: Performance Benchmarking (Chapter 5) Objective 4 is achieved in Phase 4 and dealt with the benchmarking process. The literature review, benchmarking model, and analysis results are presented in Chapter 5. The benchmarking analysis  29  for IMP performance and safety culture maturity levels were conducted to identify the key deficient areas of IMP and safety culture.   The presented model is submitted to the “International Journal of System Assurance Engineering and Managementnal” entitled “Benchmarking Integrity Management Program and Safety Culture for Pipelines: A Risk-based Approach.” 1.5 Meta Language  This thesis uses specific, a technical language with well-defined explanation and usage. However, this section was included to ensure consistency and understanding throughout this thesis.  • “Framework” is used to represent the overall research process (e.g., IMP framework). The term “model” is used to explain the detailed methodology and processes within the framework, for example, see Chapter 3. The IMP assessment model is presented as a detailed process of inputs, methods, and outputs.  • “Regulator” represents the authority who has the legitimate right, given by the government, to implement, control, and regulate companies according to government legislation.  • “Pipeline operating companies” is used to refer to the companies who own or have operational rights of pipeline assets. The operational capacity may be upstream operations or downstream operations, however, in this research, the term represents the companies who own or have technical rights to operate upstream pipeline operations.  • “IMP components” is used to differentiate between the term “IMP elements,” which is used in most industry standards. The IMP components are a classification of IMP requirements and safety culture attributes in this research.  30  • “Integrity management processes” is used to present the technical measures which are taken for pipeline integrity. •  “IMPAKT” is an acronym of Integrity Management Assessment and Knowledge Tool. The tool is an MS-Excel based application of the presented framework. The tool is implemented for assessment and data gathering purposes. • “Tool” is used to refer to the developed application for the model.   31  Phase 4Phase 3Phase 2Phase 1StartReview of pipeline integrity practicesReview of Pipeline Integrity Programs (IMP)Review of asset maintenance  decisions and policiesReview of pipeline incidents investigations  Review of Risk assessment methodologiesReview of FMEAIMP performance profileReview of IMP assessment processReview of Performance Benchmarking (BM)Integrity processes(Technical , Management)IMP Assessment Model (Use of FMEA)Identification of IMP requirements and performance indicatorsCollaboration with O&G Regulator and regulatory auditsPipeline SC maturity indicators (NARWGSC)Mapping SC with IMP assessment SC assessment modelSC auditsSC maturity levelEndBM analysis modelIMP performance BMReview of Safety Culture (SC)SC maturity BMIdentifying the improvementsContinuous performance improvement Figure 1.1: Proposed integrated framework  32  Chapter 1. IntroductionChapter 2. Literature ReviewPhase 1Chapter 3. IMP Assessment ModelPhase 2Chapter 4. Safety Culture Linking with IMP Phase 3Chapter 5. BenchmarkingPhase 4Chapter 6. Summary and ConclusionsObjective 1Objective 2Objective 3 Objective 4 Figure 1.2: Thesis structure     33  Chapter 2 : A Critical Review of Inspection and Maintenance Policies of Oil & Gas Pipelines  Part of this chapter has been published in the “Journal of Structure and Infrastructure Engineering” entitled “Inspection and maintenance of oil & gas pipelines: a review of policies”(Iqbal, Tesfamariam, et al. 2016) This chapter is the state of the art literature review of the pipeline system, integrity management, pipeline inspection and maintenance policies and industry standards. The literature review establishes the understanding of pipeline system, the role of integrity management practices and focuses on the decision-making process of developing the inspection and maintenance programs.  2.1 Background An effective maintenance policy outlines the allocation of resources and time for corrective or preventive actions based on possible threats and incidents. Developing selection criteria and implementing economical proactive maintenance policies is a challenging task for  O&G pipeline integrity managers (Li et al. 2011). Effective maintenance policies have gained attention due to the increasing demand for system availability, lack of human resources, financial constraints, climate change, stringent environmental regulations, and system aging (Kabir et al. 2013). Although a number of articles have been published on the topic of maintenance of O&G pipelines, few specifically addressed the subject of inspection and maintenance (I&M) policies. Most of the existing literature either discussed methods to assess the physical condition of pipelines or the prediction models to analysis corrosion defects. To the best of our knowledge, no review  has catered the state-of-the-art maintenance policies in the recent past.   34  The scope of the review primarily focuses on I&M policies of O&G pipelines reported in peer-reviewed literature. The main objectives of the review are to i) outline, in support of the subject, a general review of maintenance policies for industrial and infrastructure assets to evaluate their applicability for oil and gas pipelines; ii) conduct a review of maintenance policies of O&G pipelines to investigate their practicality, advantages, and limitations; and iii) identify uncertainties affecting the decision making process for maintenance of O&G pipelines and  highlight less addressed issues to improve the existing practices. To achieve this objective, the following topics are discussed in the review: • a comprehensive review has been conducted to investigate the evolutionary process of maintenance policies for different types of infrastructure including bridges, power plants, offshore platforms, underground constructions, pipelines, and ocean structures (Frangopol et al. 2012); • pipelines are considered as infrastructure systems, whereas individual segments and auxiliary equipment such as valves, filters are treated as industrial assets; therefore, a brief review of maintenance policies of industrial assets has also been carried out; • the policies suitable for O&G pipelines are discussed in detail, and a brief overview of pipeline inspection and monitoring methods has also been conducted.    2.1.1 Pipeline Systems The National Energy Board of Canada’s Act defines an oil and gas pipeline system as "a line that is used or to be used for the transmission of oil, gas, alone or with other commodities and includes all branches, extensions, tanks, reservoirs, storage facilities, pumps, racks, compressors, loading facilities, interstation systems of communication by telephone, telegraph or radio and real and  35  personal property, or immovable and movable, and works connected to them, but does not include a sewer or water pipeline that is used or proposed to be used solely for municipal purposes" (Board 2005). Figure 2.1 shows types of pipelines in a crude oil pipeline system consisting of gathering lines and main transmission lines, whereas a gas pipeline system has three types of pipelines: gathering lines, transmission lines, and distribution lines. Sizes of gathering lines range from 2 to 12 inches, and the size of a transmission line mostly starts from 8” in and higher (Miesner & Leffler 2006). Certainly, the consequences of failure and associated costs of repair depend on both the location and size of the pipe. Regarding maintenance, the structure of pipeline system can be divided into repairable and non-repairable units (Ahmad & Kamaruddin 2012). (Crow 1975) defined a repairable structure as, ‘‘one that can be repaired to recover its functions after each failure rather than be discarded”. Based on the operational characteristics, the pipelines have been classified as ‘high-pressure’ and ‘low-pressure’ pipelines, and as ‘rigid’ or ‘flexible’ based on their stiffness properties. Gas pipelines are single phase flow pipelines; whereas oil pipelines are three-phase flow pipelines, i.e., oil, water vapors, and gases (Taitel et al. 1995). Oil pipelines are more vulnerable to failure due to internal corrosion as compared to gas pipelines. The failure of gas pipelines may cause high consequences due to a potential of rapid spread in the environment; whereas failure of oil, pipelines can lead to long-lasting impacts on the surrounding environment and groundwater (Dey et al. 2004).  At the design stage, safety and reliability are important factors in consideration. The traditional design followed a deterministic stress based methodology. High-pressure pipelines, temperature,  36  pipe-bending stresses by the lateral load, internal corrosion and erosion are important factors to be considered in traditional design methodology (Zhou et al. 2009). Figure 2.1: Oil & gas pipeline system: a) Oil pipeline system b) Gas pipeline system, adapted from CEPA (2015) (Iqbal, Tesfamariam, et al. 2016) by permission from publisher For low-pressure pipelines, external factors and soil properties, such as soil corrosivity, moisture, and soil-pipe interaction are the significant factors. Other factors at the design stage that can Gas WellheadsCompressor StationStorage TankProcessing PlantGathering LinesPower PlantCommercial BuildingsResidentialDistribution Lines(b)Transmission linesGathering LinesCrude Oil Production unitsPump StationsOil RefineryMarketing TerminalsTanker TrucksService Stations(a) 37  influence the cost and integrity of pipelines are; installation, pipe rigidity, pipe stiffness, external pressure, earth load, live load, type of construction, bedding factor, and safety factor (Kishawy & Gabbar 2010). However, the optimal design is the balance between safety and economy (Psarrpopulos et al. 2014).   Apart from static design approach, the reliability-based design approach is adopted in oil and gas pipeline design. This approach builds a strong relationship between design, operation, and maintenance (Zhou et al. 2009), and  has many significant advantages over traditional methods. For instance, it directly addresses the actual mechanism of failure and integrates design with operation and maintenance. It maintains the consistent level of safety, provides an optimal allocation of resources, and offers an assessment of technologies used in pipeline operations and maintenance (Zhou et al. 2009). The reliability-based design has also been recommended in the pipeline industrial standards, such as CSAZ662 and ASME B31.8S. The readers may refer to the work on reliability-based design reported by Nassim and Zhou (2009).    2.1.2 Integrity Management The US Department of Transportation Pipeline and Hazardous Materials Safety Administration defines the pipeline integrity (PI) as “[t]he ability of a pipeline to operate safely and to withstand the stresses imposed during Operations” (Transportation Pipeline & Administration 2003). The primary objectives of an asset integrity program are; asset safety, uninterrupted and smooth operations, efficient production process, the effective utilization of human resource, and asset life improvement (Adebayo & Dada 2008; Chang et al. 2005; Dawotola et al. 2009; Rahim et al. 2010; Simonoff et al. 2010; Yuhua & Datao 2005). These objectives can be achieved through: i) a reliable design, ii) a planned inspection, monitoring, and repair program during operations, iii),  38  implementing risk mitigation and performance optimization, and iv) maximizing life and availability of assets (Anon 2002).  The integrity management systems for pipelines can broadly categorize into: i) technical systems integrity, and ii) management system integrity. Technical standards and procedures are guidelines to maintain the technical integrity, while management integrity can be achieved by following appropriate management manuals and documentation (Wang et al. 2011).  Presently, the O&G pipeline industry is using industrial technical and management standards to maintain the integrity of pipelines as per type of assets and regulatory authorities’ requirements. Most common industrial standards are: American standards, API 1160 (Liquid pipeline integrity management), ASME B31.8S (System integrity for gas pipelines) and API 1163 (In-line inspection system qualification); Canadian standards, CSAZ662 (Oil and gas pipeline systems); British standards, BS PD8010 Part 1 (Steel pipelines on land) and part 2 (Subsea pipelines); and European standards, BS EN 14161 (Petroleum and natural gas industries-pipeline transportation systems), BS EN 1594 (Gas supply systems). Optimal design, improved materials, and I&M techniques have significant impacts on the records of O&G pipelines integrity (Cosham et al. 2007). Technical integrity of a pipeline can be compromised due to material and construction defects, damages from a third party construction, operational mistakes, accidents, device failures and malfunctioning, and environmental and climatic factors (i.e., corrosion, creep, cracking, weather and temperature change, earthquakes, landslides and floods) (Adebayo & Dada 2008; Dawotola et al. 2009; Psarrpopulos et al. 2014; Simonoff et al. 2010; Yuhua & Datao 2005). The main components of the pipeline integrity management are (Kishawy & Gabbar 2010): failure identification process of pipelines in high  39  consequence areas; assessment baseline plan; an integrated analysis of defect information and failure consequences of pipeline integrity; criteria for repair actions based on information analysis during assessment plan; a continuous improvement plan of pipeline integrity by assessment and evaluation;  preventive and mitigation measures to protect the high consequence areas;  program’s effectiveness measurement methodology; a process of information analysis and the review of integrity assessment results; a process of management of change; and a process of record keeping and documentation control. Pipeline integrity can be enhanced by lessons learned from past accidents, inspection practices, testing procedures, assessment methods, and appropriate long-term maintenance of a system (Rahim et al. 2010).  2.1.3 Inspection Process Condition evaluation and the probability of failure for pipelines are the most important factors influencing the decision-making process for effective maintenance (Khan et al. 2004). Traditional deterministic/ mechanistic approach based on standards and codes such as ASME B31G and modified B31G and the probabilistic/ statistical approach based on the stochastic character of structural and environmental factors are used to assess the probability of pipeline failure (Sahraoui et al. 2013). The deterministic approach is a process to assess the condition of pipelines by getting data from inspection tools, whereas the probabilistic approach predicts the future probability of failures. ASME B31G provides industrial guidelines (ASME 2009) of safe working pressures based on the pipeline dimensional parameters obtained through inspection (Singh & Markeset 2014a). The DNV-RP-F101 recommends the probabilistic approach for the assessment of corroded pipelines subjected to internal pressure and internal pressure combined with longitudinal compressive stresses (Bjørnøy et al. 1999; DNV 2015).   40  Pipelines can be inspected by internal (or intrusive inspection) and external (or non-intrusive inspection) techniques. The most common techniques for pipeline inspections are pigging, hydro-testing, and external and internal corrosion assessments (Cosham et al. 2007). Since the 1960s, the pigging technique has been used for cleaning and monitoring/ inspection of the internal condition of long pipelines. Smart Pigs (or inline inspection tools) are the most commonly used tool in the pipeline industry (Kishawy & Gabbar 2010; Klechka 2002; Liu 2003; Manian & Hodgdon 2005; Rankin 2004). Smart pig is a cylindrical shaped electronic device equipped with condition monitoring systems. Other types of smart pigs are the magnetic flux leakage and the ultrasonic pigs. The basic components of a smart inspection pig (magnetic flux leakage type) (Figure 2.2) consist of a drive which moves the pig in the pipeline. Flux loop generates the magnetic flux and recorder package, equipped with sensors, records the variation in flux location. These pigs are used to find metal loss, cracks, pits shape, length and maximum pit depth, and wall thickness due to corrosion and erosion. The crack detection pigs are the most recent development in inspection techniques, where the ultrasonic crack detectors, transverse magnetic flux leakage, and elastic wave pigs are used to detect circumferential and longitudinal cracks (Kishawy & Gabbar 2010). For details regarding in-line inspection system qualification, interested readers are referred to the industrial standard API 1163 (Standard API, 2005). In addition to pigging, the condition of a pipeline can also be assessed from operational parameters such as pressure, flow rate, and physical dimensions. Geometry tools have been used to determine the physical shape and geometry conditions of the pipelines, e.g., caliper tools and pipe deformation tools. Mapping tools, integrated with a global positioning system, are used to locate valves, position equipment, and for mapping of pipelines. Low-frequency long-range guided wave inspection technique is used to map corrosion and erosion in pipes. Hydrostatic testing is a process  41  to pressurize the pipeline above the normal operating pressure which detects manufacturing and metal loss defects; this test is carried out at the manufacturing stage and the completion stage before operations. Axial flaws such as stress corrosion cracking, longitudinal seam cracking, selective seam corrosion, long narrow axial corrosion, and hydrostatic testing better detect axial gouge than by pigging (Kishawy & Gabbar 2010).  SensorFlux Loop Recorder packageDrive package Figure 2.2: Main components of magnetic flux leakage type smart inspection PIG reproduced from Non-destructive Testing Resource Center (2015) (Iqbal, Tesfamariam, et al. 2016) by permission from publisher A pipeline system is a combination of pipelines, valves, and connected rotary auxiliaries such as compressors, pumps, and their prime movers. The vibration induced by the rotary auxiliaries also affects the pipeline integrity. Vibration monitoring is the most popular technique to monitor the condition of the rotary auxiliaries (Ahmad & Kamaruddin 2012; Al-Najjar 1997; Carnero 2005; Hagene et al. 2005; Higgs et al. 2004). Other techniques for condition monitoring of rotary auxiliaries are sound or acoustic monitoring (Ahmad & Kamaruddin 2012), oil analysis or lubricant monitoring, electrical temperature and physical condition monitoring (Ahmad & Kamaruddin 2012; Newell 1999).  Technological advancements have significantly improved the inspection processes; however, different types of uncertainties are involved in an inspection process, such as the probability of  42  miss detection of small holes, wrong assessment of defect existence and size, etc. The inspection process of selected small segments of a pipeline with such deficiencies is known as imperfect inspection; it may lead to costly maintenance or poor safety. A detailed discussion of different types of uncertainties is presented in the following sections. For more details about inspection methods of pipelines, interested readers may refer to (Hagene et al. 2005) and (Kishawy & Gabbar 2010). Despite the deterministic/mechanistic approaches to estimate the pipeline condition, the probabilistic/statistical approaches are also discussed in the literature based on the models trained on pipe condition data obtained from the field or laboratory experimental work. The prediction accuracy depends on the accuracy of in-line inspection (ILI) tool and data quality obtained from the field. The influencing factors on corrosion growth rate are heterogeneous in nature, such as soil properties, temperature, sulfate ion, CO2 partial pressure, chloride ion concentration, wall shear stress, water content, corrosiveness, pH, concentration and flow rate of carrying fluids. To address these issues, different probabilistic models reported in the literature are summarized in Appendix A Table1.  2.1.4 Evolution of Maintenance Policies Maintenance can be described as “the set of activities or tasks used to restore an item to a state in which it can perform its designated functions”(Ahmad & Kamaruddin 2012). The objectives of a maintenance policy are to: effectively plan maintenance activities, maximize the availability and efficiency of equipment , reduce failure, control deterioration, ensure safe and correct operation, and minimize the cost for keeping a unit operational within an acceptable level of safety (Arunraj & Maiti 2007a; Dhillon 2002; Duffuaa et al. 1999; Tan et al. 2011). Maintenance can be broadly  43  categorized as corrective maintenance (CM) and preventive maintenance (PM) (Duffuaa et al. 2001). CM is performed at the time of system failure; while PM is a systematic approach to inspection, detection and prevention of the anticipated failures for keeping the system in a specific condition (Wang 2002).  According to the traditional approach, the failure behaviors of equipment are somehow predictable and can be described with the help of the famous bathtub curve (Figure 2.3) (Ahmad & Kamaruddin 2012). The bathtub curve divides failure trends into three phases of operations: burn-in, useful life and wear-out phase (Ebeling 2004). The burn-in and wear-out phases are more critical for the failure of the unit and may have a higher rate of maintenance than useful life phase. However, the actual behavior of equipment or infrastructure is much more complex than simply defined by bathtub curve. The maintenance decisions are taken to overcome possible threats of failure due to metal loss, external damages, manufacturing errors, human operational mistakes, and asset’s age within the economic constraints (Ahmad & Kamaruddin 2012; Dawotola et al. 2012; Dey 2004; Dey 2003; Dey et al. 2004; Singh & Markeset 2009; Tan et al. 2011). Implementation of maintenance policies is a multi-criteria decision-making problem which depends on several factors, e.g., type of asset, asset condition, redundancy and reliability of a system, availability of maintenance resources (both human and logistic), reliability of maintenance action, downtime cost, operational cost of the maintenance action, response time, organizational structure, environmental, and socio-economic factors (Arunraj & Maiti 2010; Stenström et al. 2015; Sun et al. 2014).   44  Maintenance policies evolved over time and can be classified based on the time of application and the geographic location of an asset for single or multi-units as (Barnard 2006; Moubray & Lanthier 1991):  • corrective maintenance (CM),  • preventive maintenance (PM),  • predictive maintenance, and  • proactive maintenance.  Burn-In Useful Life Wear OutFailure rate, rTime, tEquipment operating life (age) Figure 2.3: Bathtub curve showing traditional behavior for equipment lifecycle adopted from  (Iqbal, Tesfamariam, et al. 2016) by permission from publisher Figure 2.4 describes different phases of evolution of maintenance policies. The first phase started in the 1940’s, when policymakers relied on a CM philosophy, “fix it when broke.” The policy can also be recognized as a reactive policy because repair or replacement actions were performed only at complete equipment or unit failure (Barnard 2006; Tan et al. 2011). In the second phase, during the 1970’s, policies were primarily based on the preventive maintenance approach. In this generation of maintenance policies, the objective was focused on preventive actions to reduce the  45  rate of failure and the consequences of failure (e.g., long shutdown time, production loss and high maintenance cost) (Usher et al. 1998). In contrast to CM, the maintenance activities were performed before the failure of the equipment or unit (Gertsbakh 1977; Löfsten 1999). The philosophy of second phase policy is based on preventive overhauls, i.e., repair of equipment/unit at fixed and scheduled intervals depending upon the age or time in service or limiting the number of failures or repairs.  The further extensions of the PM policies are predictive and proactive maintenance policies, which aim to reduce the cost and enhance the reliability. These more strategic policies such as condition-based maintenance, reliability centered maintenance, computer-aided maintenance management, and information systems have been adopted most frequently since 1980’s; however,  the initial work was introduced in 1960’s (Moan 2005). These policies can be considered as the 3rd phase of maintenance policies. The most of the literature related to the third phase spanned over two decades between 1980 and 2000. In these policies, maintenance decisions were made based on equipment/ unit’s health condition. The condition of the equipment or unit was monitored at regular intervals or a continuous basis. Preventive maintenance was carried out once the health of the unit reached a predefined threshold level.  The fourth generation policy of 21st century has been recognized as the most adaptive approach in recent past where the maintenance policies are characterized by risk-based inspection and maintenance (RBIM). These policies are also known as proactive policies (Arunraj & Maiti 2007a). The main objective of these policies is to avoid failure and to mitigate the root causes before the failure happens by emphasizing on high consequences causes, areas and more vulnerable parts of the infrastructure. The basic difference between the predictive maintenance and  46  the proactive maintenance policies is that decisions in former mainly focus on the condition of equipment whereas the latter considers the risk of failure. The decision-making criteria are elaborated in sub-sections 2.2.4 and 2.2.5.  The readers may also refer to the review presented by (Frangopol et al. 2012) for recently published articles about maintenance, management, lifecycle design, and performance of structures and infrastructures.   Maintenance policiesCorrective maintenance policies(1st generation policies)Proactive maintenance policies(4th generation policies)Preventive maintenance policies(2nd generation policies)Predictive maintenance policies(3rd generation policies)Age dependent policiesPeriodic/Time dependent policiesFailure/Repair limit based policiesCondition based policiesRisk based policies     1940's                   1950's                       1960's                  1970's                  1980's                              1990's                                 2000                                    2010Time line based on policies implementation era Figure 2.4: Evolution of maintenance policies for assets from 1940 to present (Iqbal, Tesfamariam, et al. 2016) by permission from publisher 2.2 Inspection and Maintenance Policies for O&G Pipelines In general, O&G pipelines are considered to be one of the safest modes of transporting petroleum products (Brito et al. 2010; Papadakis 2000) due to their low accident frequency (Shahriar et al. 2012). However, with aging, these assets deteriorate and need repairs. An efficient maintenance decision includes two important considerations: selection of a right pipe material at the right time, and selection of an optimal maintenance strategy implemented using a cost-efficient technology (Li et al. 2014). The causes of failure of a pipeline can be classified into two broad categories, i.e.,  47  external and internal. The external causes of failures include first, second and third party accidents, device failure and malfunctioning, natural disasters, extreme weather temperature variations, and improper installation and repairs (Guo et al. 2005; Kishawy & Gabbar 2010).  The internal causes of failure are corrosion, erosion, material defects, weld crack, fatigue, and vibrations (Guo et al. 2005). Mechanical damage and corrosion are the most common causes of failure of O&G pipelines in Western Europe and North America (Cosham et al. 2007). The researcher has also taken other factors into consideration, such as vibrations and third-party activities (Guo et al. 2005; Kishawy & Gabbar 2010). Although advancements in metallurgical and manufacturing technologies have overcome some of these issues, maintenance strategies still play a key role in improving the reliability of pipelines and economically mitigating risks (Kishawy & Gabbar 2010).  Pipelines are single unit repairable systems. Although no literature was found specifically on I&M policies of a pipeline as a single unit, (Wang 2002) presented a comprehensive review of the published literature on preventive maintenance policies for single unit systems. He identified age, the number of repairs or failure limit, time in service and condition of an asset as the main deciding factors when selecting an I&M policy. In recent research, “risk” is the main criteria for selection of inspection and maintenance intervals. Most of the studies have presented the RBIM policies for addressing issues related to maintenance of oil & gas pipelines  (Arunraj & Maiti 2010; Arunraj & Maiti 2007a; Cosham et al. 2007; Dawotola et al. 2012; Dey 2004; Dey et al. 2004; Hassan & Khan 2012a). The maintenance policies developed for O&G pipeline integrity management along with the RBIM policies are discussed in the following sections.  48  2.2.1 Corrective Maintenance  Corrective maintenance was considered as the most cost-effective policy when the maintenance actions are taken after the failure has occurred. However, the cost and benefits analysis between CM and PM presented by (Stenström et al. 2015) based on rail infrastructure case study reveals that CM is 79-90% of total cost whereas the PM maintenance is 10-30 %. The unit stoppage under a CM policy may be affordable in certain industries depending upon the mutual balance of production loss and unit replacement.  Corrective maintenance as a policy might not be feasible for O&G pipelines due to the nature of transporting material, loss of flow volume, and resulting environmental and financial consequences. For instance, repair of offshore pipeline failure is inevitably challenging and time-consuming task. Deploying submarine repair equipment to fix the leak in an offshore pipeline is certainly very expensive. Also, such repair operations may take a long time, ranging from a few weeks to several months. However, corrective actions plans cannot be completely over-ruled being an integral part of maintenance policies in case of unexpected failures (Blanchard et al. 1995; Tsang 1995).  (Appendix B Table 2.2) summarizes the applicability of existing maintenance policies based on the type of assets. Age-based policies and failure limit policies have not been frequently reported in the context of pipelines. Due to the nature of pipeline operations and the economic and environmental consequences in case of failure, the condition based maintenance and the risk-based maintenance are more suitable policies.   2.2.2 Preventive Maintenance  In preventive maintenance policies, periodic repair or replacement is implemented when the unit is in operating conditions before failure. These policies are based on the scientific data analysis  49  approach. Most of the industrial preventive maintenance practices rely on experts’ experience and recommendations from the original equipment manufacturers (OEM) (Labib 2004; Tam et al. 2006). Consequently, operations research methods were introduced in the PM policies for consistent decision-making (Ahmad & Kamaruddin 2012). The PM policies have further been classified by age, time in service, and a number of repairs or failures. 2.2.2.1 Age-based Policies The main concept of this most commonly used policy is to replace the unit at a certain predefined age limit at a time ‘T’ (Ahmad & Kamaruddin 2012). While implementing the age-dependent policies the decision of maintenance or replacement is taken at age ‘T’, or if the failure of the unit occurs before age ‘T’. The unit is either maintained preventively at predetermined ages and is replaced only at the complete failure. Conversely, the unit is replaced at a predetermined age regardless of the condition, and it can be imperfectly maintained only if a failure occurs before the replacement age (Barlow & Hunter 1960; Wang 2002). Imperfect maintenance refers to the repair of the unit after which the unit is not considered as new but is supposed to be younger than before (Pham & Wang 1996).  Repair actions such as welding of cracks, sleeves’ attachment to the eroded portions are considered as imperfect maintenance. The age of a unit is the most significant factor, but some studies presented the combined models of age-dependent policy and unit replacement policies at age ‘T’.  During 1960’s, age-based policies were the most discussed; however, further extended models, which integrates two or more policies, were also developed between 1990 and 2000. These extended models are presented in (Appendix B, Table 2.3). It can be observed from the table that Barlow & Hunter (1960) considered ‘time in service’ as a decision criterion for imperfect periodic maintenance; whereas Nakagawa (1981) combined periodic maintenance with  50  ‘block replacement policy’. Later, Wang & Pham (1999) presented a hybrid of ‘time in service’ and a number of failure limit in ‘block replacement policy’. 2.2.2.2 Time in Service based Decision Policies ‘Time in service’ based policies were more frequently applied to repairable systems. The most discussed ‘time in service-based policy’ is a periodic preventive maintenance policy (Yam et al. 2001). In the ‘time in service policy’, preventive maintenance is scheduled at fixed intervals. The time interval is independent of the failure history of a unit. (Chaudhuri & Sahu 1977) introduced the imperfect maintenance concept under the ‘time in service’ policies. (Ahn & Kim 2011) presented a periodic maintenance policy to estimate the maintenance intervals based on the assumption that system exhibits a linearly increasing hazard rate and a constant repair rate. Certainly, the availability of a system increases with the shorter time interval between preventive maintenances and higher cost. The decision variables are periodic time, reference age and a number of repairs and failures. Further extensions of periodic PM policies are summarised in (Appendix B table 2.3). Dangpunar & Jack (1994) combined decision criteria of ‘time in service’ with a number of failure limit for imperfect repair; conversely, Koshimae et al. (1996) used similar criteria for a one-time replacement policy. 2.2.2.3 Failure/Repair Limit Based Decision Policies Failure/ repair limits policies, first introduced by (Bergman 1978) are the combination of imperfect maintenance and perfect maintenance policies. The general concept of these policies is to carry out imperfect maintenance until the unit reaches to a specific (predetermined) number of failure or repairs and then replace the unit. Such policies maintain the acceptable level of reliability and the unit remains in service till the defined level of reliability. (Nakagawa & Osaki 1974) stated that  51  the unit should be replaced when the estimated cost of repairs exceeds the predetermined economic limit (Drinkwater & Hastings 1967; Gardent & Nonant 1963; Nakagawa & Osaki 1974). Table 3 presents other models developed in this category. The discussed strategies described above under the preventive maintenance policies have the objective of reducing downtime and maintenance costs. Each policy has its advantages and disadvantages. (Appendix B, Table 2.4) summarizes the decision criteria and actions suitable for repairable and non-repairable units under preventive maintenance policy. For example, under the age-based PM policy for repairable units, the imperfect maintenance will be carried out until the predefined age. The unit will be replaced either at the complete failure of a unit or when predetermined age would be reached. To overcome the deficiencies and improve the effectiveness of the policy, researchers have devised hybrid policies by combining decision criteria and actions. (Appendix B, Table 2.5) describes the hybrid models in brief. For instance, (Berg & Epstein 1976) combined the ‘age-based policy’ with ‘time in service policy’ along with the action of block replacement of the units. Later, Nakagawa (1981) adopted the same approach, but the action was the one-time replacement of the units. The most considering policy was the ‘number of failure or repair limit policy’ which was combined mostly with the ‘time in service’ and ‘fixed cost’ policies, i.e., Morimura (1969), Nakagawa & Osaki (1974), Beichelt (1982), Stadje & Zuckerman (1990), etc. Most of the researchers considered the imperfect maintenance till the replacement limit reaches and adopted one-time replacement of the unit. (Liu et al. 2011) presented an optimal imperfect sequential PM policy based on genetic algorithm for ensuring the consistency of the quality of maintenance activities. The variation in maintenance quality was considered as a stochastic variable at fixed time intervals. Figure 2.5 shows the decision process flow in preventive maintenance policies. For further discussion on hybrid policies, the readers are referred to Wang (2000) and Yu liu et al. (2011).   52  Preventive maintenance policies were not extensively used for O&G pipeline. (Sun et al. 2014) suggested time-based preventive maintenance (TBPM) strategy for individual pipeline based on the split system approach. They considered repair cost, PM cost, and the corrective repair cost as the decision criteria for preventive maintenance policy. Expert opinion, historical industrial practice, and last repair were included as key factors for effective decision-making. The TBPM was implemented on a predefined segment of the pipeline at a prescheduled time to find the optimal start time and intervals between two preventive maintenances. The results revealed that within multiple constraints, TBPM policies based on the multi-objective optimization approach reduced the overall cost of maintenance. 2.2.3 Predictive Maintenance / Condition-based Maintenance  Condition-based maintenance (CBM) or condition based inspection and maintenance (CBIM) was first introduced in 1975 to improve decision making for preventive maintenance (Jardine et al. 2006). The CBM/CBIM is the most well-known and discussed  maintenance policy in literature published since 2000 (Ahmad & Kamaruddin 2012; Grall et al. 2002; Han & Weng 2011; Moya 2004). CBM assumes that a system subjects to a random deterioration process and its main objective is to perform a real-time assessment of the equipment to enhance its reliability and to reduce the unnecessary maintenance costs (Gupta & Lawsirirat 2006). Generally, the condition of the system is monitored through perfect inspection at regular intervals, and the condition analysis is conducted for future maintenance decisions (Zio 2012). The condition monitoring / inspection is either conducted as an online process during operation or an offline process during the shutdown time. The intervals for this process are established on fixed, continuous, or risk basis. Continuous monitoring can be highly expensive (Jardine et al. 2006);  53  therefore, in most cases, equipment failure is assessed based on certain conditions, signs or indications (Bloch 1998).   Figure 2.5: Decision process-flow diagram for preventive maintenance policies (Iqbal, Tesfamariam, et al. 2016) adapted by permission from publisher Maintenance decisions under the CBM policy can be classified as diagnostic and prognostic. The diagnostic process is the process used to find the cause and source of the fault (Jeong et al. 2007); whereas, in the prognostic approach, the causes of failures are identified using predictive methods (Lewis & Edwards 1997). The diagnostic approach provides an early warning to management about a failure. Sometimes, abnormal behavior of equipment does not show any sign of failure; in  54  this case, equipment performance seems satisfactory until complete failure. In such cases, the prognostic approach can predict the failure before its occurrence.  The prognostic approach can be more cost-effective as it facilitates better planning and maximum utilization of equipment and prevents unexpected failure (Ahmad & Kamaruddin 2012). A detailed review of CBM policies can be found in (Ahmad & Kamaruddin 2012). Reduction of CBIM cost depends upon inspection intervals and critical replacement threshold values (Grall et al. 2002).  2.2.4 Estimation of Inspection Intervals A selection of optimal inspection intervals is a basic challenge in the predictive maintenance policy. In the past, industry used to set inspection intervals based on in-service time and calendar dates (i.e., the fixed shutdown dates based on production schedule and availability of the resources) (API 2009). With experience, the periodic inspection of an entire pipeline was not found to be a feasible method. According to API codes, the inspection frequency of pipelines is determined on the basis of transporting fluids types or the half remaining life of the pipeline (Chang et al. 2005). Several qualitative and quantitative models have been developed to determine the optimal inspection and maintenance intervals, so far. Different researchers have suggested various inspection interval models based on the optimization of cost and the integrity of pipelines. (Grall et al. 2002) presented CBM for a random and continuously deteriorating single unit system where replacement threshold and inspection intervals were considered as decision variables. They assumed that the system was under random deterioration and inspected by perfect inspection. They modeled the maintenance cost through a stochastic model based on the stationary law of the state of the system. Although the study did not discuss a real maintenance case, such mathematical models can help to take better maintenance decisions.    55  In regards to CBM, most studies used condition data recorded by the diagnostic systems to decide the maintenance intervals; however few studies took the cost into consideration. Tien et al. (2007) suggested that the internal condition of pipelines should be assessed at least once a year (Tien et al. 2007). (Opila & Attoh-Okine 2011) used a mean time of failure, based on a scoring approach time interval, for structural inspection/condition monitoring of pipelines. The mean time to failure describes the expected time to failure for a non-repairable system. The approach is easy to use and provides simple interpretation and validation of pipe conditions. (Pandey 1998) presented reliability based probabilistic models to determine the optimal inspection interval and to achieve targeted reliability with economic considerations. (Frangopol & Ming Liu 2007) used dynamic programming procedure integrated with Monte Carlo simulations for bridge network maintenance optimization. (Kim et al. 2013) presented a generalized probabilistic framework for optimal inspection and maintenance planning of deteriorating structures. Gomes & Beck (2014) employed multi-start simplex optimization method for optimizing the time of first inspection and inspection intervals. The results of the model were compared with over inspection process results. The model reduced the significant no of inspection intervals.  Condition based maintenance policies are less discussed for Oil & Gas pipelines in the literature; such policies are focused on the system’s reliability instead of the impact of failure consequences on the environment and humans. However, condition assessment results are used for risk evaluation, which is a key component of proactive maintenance policies. The integration of the consequences of failure with the condition based maintenance laid the foundation for proactive maintenance policies. The proactive maintenance policies are discussed in the following section.        56  2.2.5 Proactive Maintenance / Risk-based Maintenance  Risk management is a systematic approach to characterize the possible risk to existing systems, decrease the probability of harmful events and/or to reduce the harmful consequences of the occurred events (Opila & Attoh-Okine 2011; Singh et al. 2007). A typical risk assessment model begins with hazard identification followed by the modeling of causes, estimation of the likelihood of effects and estimation of impacts using qualitative, quantitative or semi-quantitative methods. Risk models estimate absolute and relative risk, major risk contributors, and compare risk factors. Stages of risk analysis are hazard analysis, consequence estimation, likelihood estimation, risk estimation, risk acceptance criteria and maintenance planning. (Geary 2002) reported that 50% of British companies use risk-based inspection approaches. Since 2000, the terms risk-based inspection (RBI) and risk-based maintenance (RBM) have been used interchangeably. Therefore, risk-based maintenance and risk-based inspections are not the separate topics anymore. Both the terminologies are referred to the same set of actions (Tan et al. 2011).  Risk-based inspection and maintenance (RBIM) is a relatively recent approach to pipeline integrity management and can be considered as an extension of the condition based maintenance policy. RBIM is a need-based strategy to prioritize an inspection and maintenance plan based on risk ranking; it helps managers to execute informed testing and inspection without affecting public safety (Dawotola et al. 2012). High-risk components or units have to be inspected with greater frequency (Tan et al. 2011). The RBIM priority for a pipeline is determined by the likelihood of failure and consequence of failure (Chang et al. 2005). Reliability standards are set as a function of time and compared with reliability levels while taking maintenance decisions (Nessim et al. 2010). Industrial standards such as API 580, ASME B31.8S and CSA Z662 Annex O describe the risk/reliability-based design and assessment methodologies (Nessim et al. 2010). The American  57  Petroleum Institute standard (API) 580 defines risk-based inspection as, “[a] risk assessment and management process that is focused on the loss of containment of pressurized equipment in processing facilities, due to material deterioration.  These risks are managed primarily through equipment inspection”. The decisions to establish inspection intervals, pipeline segment, inspection technology in RBI policy are based on the probability of failure, their severities, and consequences (API-580 2009; Chapman 1997; Lawrence 1976; Tan et al. 2011; Tien et al. 2007). Different risk-based maintenance techniques  for each stage of risk analysis discussed in the literature are classified in (Appendix B, Table 2.6)  Qualitative, semi-quantitative, quantitative are the techniques for risk analysis (Han & Weng 2011); whereas probabilistic, deterministic, and their combination are different methodologies for risk estimation.  Deterministic methodologies are based on the assumption that occurrence of a hazard and its consequences on human, environment, and equipment are well-known and certain. Conversely, a probabilistic approach is based on the probability of occurrence of a hazardous event or potential accident. Probabilistic models have a tendency to ignore the low probability situations that can be misleading. On the other hand, a possibilistic approach incorporates low possible events; however, the approach is too subjective and may also give imprecise results (Singh & Markeset 2014b; Singh & Markeset 2014a; Singh & Markeset 2014c). The cross-classification in qualitative, semi-quantitative, quantitative models is based on quantitative data or qualitative judgment of experts (Arunraj & Maiti 2010). Appendix B, Table 2.5 outlines the qualitative and quantitative processes of risk assessment. Quantitative techniques are used to estimate the likelihood and the impact. Qualitative techniques identify the hazards and model the cause and effect. The output is a qualitative ranking for the recommendations about hazard identification and control. The consistency of risk analysis results is based on the factors such as frequency  58  estimation, uncertainty, and sensitivity analysis (Arunraj & Maiti 2007a). Appendix B Table 2.6 presents the most commonly used techniques for risk analysis in O&G industry. The RBIM approach has been successfully used for the maintenance decisions for mechanical and civil infrastructure, onshore and offshore structures, and cross-country pipelines (Al-Khalil et al. 2005; Dey 2004; Dey 2003; Dey 2001; Dey et al. 2004; Famurewa et al. 2015; Rangel-Ram𝚤rez & Sørensen 2012). The integrity and safety of a structure is related to the quality of inspection in terms of detectability and size of damage; however, over-inspection may enhance the unnecessary operational cost. Moan (2005) presented reliability based I&M for off shore structures, such as production platforms, ships, semi-submersible, jack up, jacket affected by crack growth, and corrosion. In addition, design allowance against the corrosion and accidental collapse limit state were also included for reliability analysis. (Rangel-Ram𝚤rez & Sørensen 2012) developed a probabilistic model for I&M of offshore wind turbines. Fatigue and corrosion control were identified as the main contributing factors in risk analysis. (Famurewa et al. 2015) used a risk-based approach to analyse the performance of maintenance policy for the railway infrastructure. Risk of failure of punctuality, operational capacity, economic, and safety were considered as primary decision factors in their study. (El-Abbasy et al. 2014) presented a regression-based condition assessment model by using historical inspection data of pipelines in Qatar. Pipeline failure can never be completely avoided, but the overall risk can be reduced to “as low as reasonably practicable” (ALARP). The risk is considered to be ALARP if additional mitigation cost is not proportionally advantageous to the benefits achieved (Khan et al. 2004; Shahriar et al. 2012). A number of qualitative, semi-quantitative, quantitative methodologies have been used for the RBIM of oil and gas pipelines (e.g., hazard and operability study (HAZOP), failure mode and  59  effect analysis (FMEA), fault tree analysis (FTA), event tree analysis (ETA)) (Arunraj & Maiti 2007a; Han & Weng 2011; Khan & Abbasi 2001; Miri Lavasani et al. 2011; Shahriar et al. 2012). The available industrial standards for RBIM mostly used qualitative techniques. American Petroleum Institute’s risk-based inspection guidelines (API-580 2009) used an approach of absolute “risk number”  for qualitative or semi-quantitative risk analysis.    Figure 2.6 : Risk assessment process adapted from (Iqbal, Tesfamariam, et al. 2016) by permission from publisher Analytical hierarchy process (AHP) has been one of the most frequently applied multiple attribute decision-making methods in RBIM (Al-Khalil et al. 2005; Arunraj & Maiti 2010; Arunraj & Maiti 2007a; Cagno et al. 2000; Dey 2004; Dey 2003; Dey 2001; Dey et al. 2004; Tan et al. 2011). AHP employs a subjective, and qualitative pairwise comparisons approach based on expert opinion to derive priority scales for alternatives (Saaty 2008; Saaty 1996). In RBIM, the impact or consequence of an event is aggregated based on expert opinion for AHP application (Al-Khalil et al. 2005; Dey et al. 2004; Tan et al. 2011). The models used a likelihood loop considering several failure factors such as corrosion, external interference, and construction and material defects. The  60  models included different consequences in case of natural disasters, such as loss of production, loss of commodity, loss of life and property, loss of the image of a company, and environmental damage. Inline inspection, cathodic protection survey, patrolling, contingency plan, improved instrumentation, pipe coating and pipe replacement were the suggested I&M methods for onshore pipelines (Dey 2001), in addition, remotely operated vehicles, acoustic survey and diving were the suggested methods for offshore pipelines (Dey et al. 2004).  The fuzzy logic approach has extensively been reported in the literature to handle imprecise information and variation in expert opinion. This methodology is effective to reduce dependence upon precise data and can give better understandings of linguistically defined data  (Singh & Markeset 2009). Risk analysis integrated with fuzzy set theory overcomes the uncertainties associated with the conservative assumptions made by the experts in AHP (Khan et al. 2004).  The neural networks have also been used for RBIM; however the adequacy of such models depends upon the quality of extensive historical data, i.e., outliers and noise in the data can cause prediction errors (Najafi & Kulandaivel 2005). The probability of failure and associated consequences are also determined by fitting historical data of failure into either a homogeneous Poisson process or non-homogeneous Poisson process (Dawotola et al. 2012).  Details related to limitations and pros and cons of these methods are discussed in the following section.  Figure 2.7 shows the distribution of the published literature on inspection and maintenance policies in the past. It can be seen in the figure that until the end of 19th century, the primary focus was on maintenance, reliability, and availability of the system. Meanwhile, the high cost of maintenance (i.e., primarily replacement) shifted the direction of research to predictive and proactive policies. The figure also reveals that since 2000, the primary focus of the research was proactive or risk- 61  based I&M policies. However, during this era, some researchers also tried to resolve I&M issues using the earlier approaches. (Zio 2012) compared different maintenance policies by using an example of fatigue degradation process of mechanical components. He concluded that Although CBM and proactive maintenance have better performance, it cannot be generalized due to the fact that in certain situations traditional CM and PM work more efficiently than CBM and proactive maintenance. For example, in cases when the cost of corrective maintenance in response to incidents or the cost of frequent inspection is more than the operational cost. The suitability of different approaches for O&G pipelines is evaluated in Appendix B Table 2.7. Based on the evaluation parameters, i.e., assessment criteria, decision criteria, pros, and cons, it can be concluded that proactive or risk-based maintenance policies are most suitable for O&G pipelines.  2.2.6 Decision-making Challenges under Uncertainties for Proactive Maintenance Policies  This section addresses different uncertainties influencing the effectiveness of decision-making process for risk-based maintenance policies, e.g., uncertainties in internal and external degrading process, variability in inspection results, conservative assumptions for unknown data, the subjectivity of the decision-maker opinion, budgeting and costing for maintenance and imperfections in the investigation and prediction of defects. Availability and accuracy of inspection and operational data may significantly reduce uncertainties in the decision-making process (Ahmadi et al. 2015a). Both probabilistic and statistical approaches have been used to deal with uncertainties in the degradation process of pipelines (Elnashai & Tsompanakis 2012; Kim et al. 2013; Rangel-Ram𝚤rez & Sørensen 2012). Financial constraints and uncertainties due to variation in the limited budget of maintenance have also been taken into account (Frangopol & Ming Liu 2007; Kim et al. 2013).   62        The epistemic uncertainties are associated with material defects, loads, and damages. (Kim & Frangopol 2012) presented a probabilistic approach for I&M planning to handle such uncertainties related to fatigue crack initiation, propagation and damage detection in naval ships, and bridges subjected to fatigue. The uncertainties in risk-based decision makings regarding the design, fabrication, and operation of offshore structures were addressed by (Moan 2005). (Frangopol & Min Liu 2007) reviewed the development of lifecycle maintenance planning using genetic algorithms for civil infrastructures and associated uncertainties in the degradation process. (Frangopol & Bocchini 2012) discussed the uncertainties associated with limited financial resources and multi-disciplinary coordination for maintaining of bridges. The combination of stochastic expansions for probabilistic uncertainty with optimization approach provides both the accuracy and efficiency (Frangopol & Tsompanakis 2014). (Parvizsedghy et al. 2014) presented fuzzy based maintenance decision support system to address the uncertainties related to O&M cost estimation and other economic aspects. However, data with a certain amount of uncertainty is preferable than incomplete data obtained from pipeline inspection (Ahmadi et al. 2015a). 0204060801001960-1970 1970-1980 1980-2000 2000-2015No of studiesPreventive Maintenance policies Predective maintenance policiesProactive maintenance policiesFigure 2.7: Evolution of different types of maintenance policies showing number of studies reported in  literature adapted from (Iqbal, Tesfamariam, et al. 2016) by permission from publisher  63  In this paper, fifty articles published on the risk-based pipeline maintenance policies are reviewed, and uncertainties are grouped under four classifications: i) data limitations in quantitative models, ii) lack objectivity in qualitative models, iii) investigation and prediction of defects, and iv) variability in inspection results.   Figure 2.8: Distribution of 50 studies for risk-based maintenance of assets showing uncertainties influencing the effectiveness of maintenance policies decisions adapted from (Iqbal, Tesfamariam, et al. 2016) by permission from publisher Figure 2.8 shows that most of the research is carried out to deal with the uncertainties associated with investigation and prediction of defects as compared to the uncertainties due to lack of availability of data for quantitative models and subjectivity of expert opinion in qualitative models. Although very few articles addressed the issue of variability of inspection results (Singh & Markeset 2014b; Singh & Markeset 2014a; Singh & Markeset 2014c), it is the most recent focused area in risk-based maintenance policies. All the uncertainties mentioned above are discussed in more detail in the following.   16% 24%52%8%Uncertainties due to lack of data in quantitative modelsUncertainties due to subjectivity in qualitative modelsUncertainties associated with investigation and prediction of defectUncertainties due to variability of inspection results 64  2.3 Summary 2.3.1 Lack of Data in Quantitative Models  Sufficient data about population density, economic condition, pipeline operation parameters, wall thickness and historical accident data is required to estimate importance (weights) of the inherent risk index and the consequence index. In most cases, such a detailed data is difficult to obtain (Bartenev et al. 1996). (Deng 1989) used Grey correlation theory to overcome this issue. The theory aims to find the relation in dissimilar data assuming that the correlation depends upon the similarity of the geometric shape of the data series curves. Furthermore, in data preprocessing the dimensionless transformation is used to convert the original sequence of the data into a comparable sequence (Han & Weng 2011).   The historical accident data has been used to determine failure rate of pipelines for empirical models; however, the limitations in available accident data increases the uncertainty of the model results (Jo & Ahn 2005; Jo & Crowl 2008). Han (2011) presented a comparative analysis of qualitative and quantitative risk models for urban gas pipeline networks based on historical records of accidents. For the qualitative method, statistical analyses of accidents databases were used to develop the indices based on the Grey correlation and the reliability engineering theories. The causes of failure were categorized into four levels of indices by assuming the equal contribution of the causation index and the consequence index to risk quantification. However, such long-term historical data might not always be available. Simonoff et al. (2010) modeled cost consequences in natural gas transmission and distribution; however, the fatalities and injuries were not considered  due to lack of data. (Dawotola et al. 2009) estimated the probability of failure by fitting historical records of pipeline failure due to stress corrosion cracking. The issue is addressed by  65  using homogeneous Poisson process. They assumed that: i) corrosion is a uniform process ii) pipeline system will be restored as new after minimal repair, and iii) the repair will not change the frequency of failure or will not affect the homogeneity of the pipeline segment. Such assumptions may not be accurate for all segments of the pipelines thus can limit the accuracy of the model results. Furthermore, the model does not accommodate changes in maintenance history, which may have an impact on failure frequency. The prediction models trained on historical I&M data of an asset have the limitation that they can only assess and predict the future condition of the same asset (El-Abbasy et al. 2014).  2.3.2 Subjectivity in Qualitative Models  Decisions about inspection and maintenance intervals are subjective, and most of the models developed are qualitative in nature. The qualitative techniques are sensitive to the extent of the experience and knowledge of the decision makers; such a subjectivity may lead to large variations in the results. (Khan et al. 2004) highlighted the flaws in qualitative or semi-quantitative approaches, including variation in selection of failure mechanism, variation, in conclusion, averaging of all consequences, neglecting the impact of individual consequences, the difference in contents of inspections and inspection intervals, and subjective judgment due to limited information about failure knowledge. Most common approaches for developing decision support model by ranking the expert opinion for pipelines are the analytical hierarchy process (AHP) and the weighted average technique (Dawotola et al. 2012; Dey 2004; Dey 2003; Dey 2001; Dey et al. 2004). Due to the subjective nature of AHP, it yields different results under different judgments for the same problem (Arunraj & Maiti 2010; Nyström & Söderholm 2010; Saaty 1990).   66  Fuzzy or possibilistic framework frameworks and models have also been reported in the literature to deal with the subjectivity of qualitative models. (Khan & Haddara 2003) presented a quantitative approach based on a predefined threshold as criteria for risk-based maintenance to overcome inherent uncertainties. Fault tree and reverse fault tree analysis were used to estimate the time interval between the inspection/maintenance tasks. (Khan et al. 2004) adopted the Weibull distribution to determine inspection intervals and found that the overall risk decreases at a slower rate with the decrease in the likelihood of failure. Although the fuzzy-based approach accommodates variation in the decision results; the robustness of the analysis is always subjected to the expert experience and judgment.  2.3.3 Investigation and Prediction of Defects Identification of the uncertainties associated with the prediction of growth of a defect and its impact on the integrity of a pipeline is a challenging task (Singh & Markeset 2009). The time lag between the occurrence of a failure event and the resulting consequences further increase the vagueness in forensic investigation. Traditional methodologies do not take the multi-dimensional consequences into account (Brito et al. 2010). The researchers used multiple techniques to address the uncertainties due to lack of knowledge of  defect prediction by using conservative assumptions made by the experts and linguistic expressions. For instance, Sawyer & Rao (1994) presented a fuzzy fault tree technique for the reliability analysis of mechanical systems. Later, Cheng (2000) proposed evidence theory to address the uncertainties in fault tree analysis. Huang, Chen, & Wang (2001) evaluated human errors and integrated them into event tree analysis by using fuzzy concepts. Sentz & Ferson (2002)  presented the Dempster-Shafer theory, as an alternative to traditional probabilistic theory for the mathematical representation of the uncertainty. Wilcox &  67  Ayyub (2003) found that fuzzy and interval representations are appropriate techniques to address uncertainties when data is subjective, vague, or cognitive. (Singh & Markeset 2009) used a fuzzy-based inspection model for corrosion rate assessment. The issue of uncertainty has also been addressed with the help of fuzzy based bow-tie analysis by combining fault tree analysis (FTA) and event tree analysis (ETA) (Cockshott 2005; De Dianous & Fiévez 2006; Duijm 2009; Markowski et al. 2009; Shahriar et al. 2012). Traditionally Bowtie analysis requires precise data or defined probability density functions (Markowski et al. 2009). Such data are not easy to acquire in the case of pipeline risk analysis due to inherent uncertainties of design and material faults, limited understanding and vagueness of  failure mechanisms (Ayyub 1991; Ferdous et al. 2009; Sadiq et al. 2008; Sawyer & Rao 1994; Yuhua & Datao 2005).  To accommodate uncertainty issues, triangular fuzzy numbers have been used to assess the failure probabilities associated with pipeline installation, manufacturing of pipe, quality of welding, and percentage of inclusions (Yuhua & Datao 2005). (Shahriar et al. 2012) integrated the fuzzy rule base and fuzzy synthetic evaluation techniques to evaluate the triple bottom line sustainability criteria and to analyze the influence of interdependencies among the various factors, such as construction and material defects, incorrect operations, outside forces and corrosion, on the analysis results. The model can help the decision makers for informed decision-making by considering multi-dimensional consequences that may arise from pipeline failures.  (Brito et al. 2010) proposed the multi-criteria model based on ELECTRE TRI integrated with utility theory for qualitative and quantitative risk analysis of natural gas pipelines. The integrated model evaluates the uncertainties for different scenarios using ELECTRE TRI and aggregates the decision  68  maker’s preferences regarding human, environmental and financial risks with the help of utility theory.  (Sahraoui et al. 2013) developed a Bayesian formulation based probabilistic approach to address different inherent uncertainties related to inspection methods. They integrated imperfect maintenance results in the cost model for corroded pipelines. The failure probabilities, as a function of pipe age, were used for reliability analysis. The numerical application shows the effect of inspection quality and costs of maintenance planning. An optimal maintenance interval depends on corrosion rate, and imperfect maintenance may lead to wrong decisions about cost and safety.  (Aven & Zio 2011) presented a framework for including uncertainty in risk assessment by critically analyzing alternative approaches and seeking their coherent integration for effective decision making beyond the Bayesian approach. They argued that the risk-uncertainty description is more than subjective probabilities and highlighted some key issues: i) how completely realistic analysis represents the knowledge and information available?; ii) how costly is the analysis?; iii) how much confidence does the decision maker gain from the analysis and the presentation of the results?; and iv) what value does it bring to the dynamics of the deliberation process?. However, if uncertainties are not properly treated, the risk assessment tool fails to perform as intended. Table 2.8 classifies different uncertainties and their solutions presented in the reviewed literature.  2.3.4 Variability in Inspection Results The ability to accurately measure the rate of corrosion growth along a pipeline is an essential input for integrity management decisions. For example, corrosion rates are essential to predict the condition of a pipeline and to determine the suitable intervals for I&M (Nessim et al. 2008). Variability in the inspection results may affect the maintenance decisions. The term ‘variability’  69  describes deviation of measured data from its mean due to the non-uniform condition of the pipeline dimensional parameters (i.e., diameter and wall thickness), variation in the location, and length and depth of the corrosion pits.  In contrast, uncertainty is the variation in measured results due to the operator’s skill, inherent characteristics of the measuring instrument and operation.  Nassim et al. (2008) discussed the uncertainties related to measurements which are essential to estimate corrosion size from ILI runs; i.e., consecutive ILI runs have a degree of uncertainty while calculating corrosion growth rate. This uncertainty should be considered to estimate valid and accurate corrosion growth rates. The ratio between the measured corrosion growth and the measurement error is an important parameter in determining a meaningful distribution of the corrosion growth rate. The small ratio may refer to a large uncertainty which can lead to erroneous probabilistic inferences. The large ratio value makes the effect of measurement uncertainty more manageable and allows the growth rate distributions to be calculated with reasonable confidence. The capacity equation is a mathematical model used to estimate the remaining pressure capacity of the pipeline after the initiation of corrosion defect. DNV recommended practices (DNV RP-F101) cater for uncertainties in inspection process related to defect depth by incorporating safety factor in the capacity equation. Unlike conventional safety factor, this approach depends upon inspection tool accuracy (i.e., dispersion of corrosion growth rate and metal loss data). (Noor et al. 2011) have manipulated DNV RP-F101 polynomial equation to predict future growth of defects by deriving a time function standard deviation equation for the inspection tool. The future predicted metal-loss data is supposed to have higher variation from its central tendency value compared to actual metal-loss data. This approach gives a more realistic assessment of pipeline condition due to rapid reduction of structure capacity.  70   (Hallen et al. 2003) presented a probabilistic analysis framework to address the variability associated with inspection data gathered by inline inspection tools. In this framework, the data combined with fitness-for-purpose probabilistic assessments using the structural reliability analysis method computes the pipeline failure probability with time. Target reliability levels were used as a reference to assess the condition of the pipeline as measured by its failure probability model (Nessim et al. 2009). The comparison helps the decision makers to establish the best cost-effective and safe maintenance policy for the future structural integrity of the pipeline. (Singh & Markeset 2014b) have discussed the imperfection in inspection results due to several reasons, such as instrumental variability, complexities in operating conditions and the random nature of the system variables. They also addressed the issue of imperfections in inspection results by combining probabilistic and possibilistic approaches, i.e., fuzzy probability distribution function of the inspection data.  Appendix B, Table 2.8 summarised the uncertainties, their causes, and solutions presented by researchers. Out of fifty studies, twenty-five addressed the oil and gas pipelines, fifteen articles explicitly addressed oil pipelines, and ten articles were specific to gas pipelines.  According to the Webster Encyclopedic Unabridged Dictionary, the term “integrity” can be defined as “the state of being whole, entire, or undiminished; and a sound, perfect, unimpaired, or perfect condition” (Encyclopedic 1996). Integrity management is a set of systems, standards as much as the culture. It may be defined as “essential and required work processes for data management and inspection and maintenance systems to ensure the availability of operations available” (Chandima Ratnayake & Markeset 2010). With the most recent development in stakeholders’ requirements, various other factors are also the part of it, e.g., health, safety,  71  environmental protection, financial viability, etc. Integrity management is a vast subject prevail over different aspects of the management systems. International Association of O&G producers defines that asset integrity is the outcome of well-structured design, construction, and operating practices, which aim to prevent the accidents and failures. It is achieved by facilities, which are   properly designed, structurally and mechanically sound and perfroming their designated processes and producing products (OGP 2008). However, the discussion is focused on its role in engineering asset management, peculiar to the O&G pipeline integrity management.     72  Chapter 3 : Integrity Management Program (IMP) Assessment  Part of this chapter has been published in the ASCE “Journal of Pipeline Systems Engineering and Practices” entitled “IMPAKT: An Oil & Gas Pipeline Integrity Management Program Assessment.” (Iqbal et al. 2018) 3.1 Background 3.1.1 Asset Integrity Management System (IMS)  Engineering asset management (AM) is a field which addresses the contribution of asset management to the organization success. The AM system may be defined as: “the system, which defines, plans and controls the asset-related activities and their relationships to ensure the asset performance meets the intended competitive strategy of the organization throughout the lifecycle” (El-Akruti et al. 2013). The asset management system has a significant role in all aspects of asset’s lifecycle activities from conceptual design to disposal. It refers to asset performance management (APM) and asset integrity management (AIM). Asset performance management is focused on the performance of the asset in terms of its productivity and working efficiency. It examines that how the asset is working within the processing system and determines how to get the best performance from it. AIM system looks at the physical integrity of the system. It is based on sophisticated risk analysis to determine the ability of the system to perform its function safely (Inc 2017).  The primary objectives of an AIM system are; asset safety, uninterrupted and smooth operations, efficient production process, the effective utilization of human resource, and asset life improvement (Adebayo & Dada 2008; Chang et al. 2005; Dawotola et al. 2009; Rahim et al. 2010;  73  Simonoff et al. 2010; Yuhua & Datao 2005). These objectives can be achieved through the effective management system and sound technical measures (Anon 2002).  The integrity management systems can broadly categorize into: i) technical integrity (TI), and ii) integrity management program (IMP). Technical integrity (TI) is the function of asset’s technical health condition and its capability to maintain the technical state of assets incorporates all related operations and business processes as one process. It ensures the reduced risk exposure to people, property or the environment. It can be summarised that it is overall state of safety in terms of functionality, operability, and reliability (Rahim et al. 2010).  Technical integrity is a necessity to function at the design and operational stage of the asset. Sound design based on industry standards and practices, right selection of material and manufacturing practices are the sound bases of the TI at the design stage.  The operational TI is primarily dependent on the availability of quality of data and information gathered through inspection processes, later maintenance policies and procedures play a vital role (Chandima Ratnayake & Markeset 2010). TI is also dependent on the asset stakeholders' and management's ability and capability to define, implement and execute operational and maintenances strategies suited to their needs. These capabilities are documented as IMP. Technical standards and procedures are guidelines to maintain the technical integrity, while IMP is formulated on appropriate management manuals and documentation (Wang et al. 2011).   The prime objectives of the AIM include the following (Rahim et al. 2010): • Eradicating all potential hazards • Decreasing near-miss incidents and critical incidents  • Maintaining the machinery inventory in functional and operational    74  • Reducing Mean Time Between Failures (MTBF) by controling failure incidence  • Reducing Mean Time To Repair (MTTR) after failure  • Increasing personnel skills and work experience for maintenance  • Increasing reliability and availability of the equipment/system/plant. O&G asset integrity is a most common subject discus in the publication and studies. Most discussed issues are related to the material integrity and inspection (Rahim et al. 2010). However, other issues related to management systems such as policies, planning, training and competency, and organizational culture also need the focus of the researchers.  3.1.2 Pipeline Integrity Management System Pipelines imitate the vascular system in O&G industry. The pipelines integrity is vital to keeping O&G activities alive. The US Department of Transportation Pipeline and Hazardous Materials Safety Administration defines the pipeline integrity (PI) as “[t]he ability of a pipeline to operate safely and to withstand the stresses imposed during Operations” (Transportation Pipeline & Administration 2003). Asset management of O&G pipeline combines the concepts of safety, asset integrity and associated risks within a management system framework (ASME-B31.8S 2014; Revie 2015). Integrity management also renders the management priorities for resources allocation with appropriate plans, actions, and tasks to maintain and ensure the integrity. The purpose of pipeline integrity management is an efficient execution and quality control of the technical processes throughout the pipeline lifecycle phases (design, construction, maintenance, assessment, and abandonment) (Hassan & Khan 2012b; Revie 2015).    75  The main components of the pipeline integrity management are (Kishawy & Gabbar 2010): • failure identification process of pipelines in high consequence areas; • assessment baseline plan;  • an integrated analysis of defect information and failure consequences of pipeline integrity; • criteria for repair actions based on information analysis during assessment plan; • a continuous improvement plan of pipeline integrity by assessment and evaluation;  • preventive and mitigation measures to protect the high consequence areas;  • program’s effectiveness measurement methodology; • a process of information analysis and the review of integrity assessment results; • a process of management of change; and • a process of record keeping and documentation control.  Pipeline integrity can be enhanced by lessons learned from past accidents, inspection practices, testing procedures, assessment methods, and appropriate long-term maintenance of a system (Rahim et al. 2010).  3.1.3 Factors Affecting Integrity Design, materials, and I&M techniques have significant impacts on the records of O&G pipelines integrity (Cosham et al. 2007). The integrity of a pipeline can be compromised due to material and construction defects, damages from a third party construction, operational mistakes, accidents, device failures and malfunctioning, and environmental and climatic factors (i.e., corrosion, creep, cracking, weather and temperature change, earthquakes, landslides, and floods) (Adebayo & Dada  76  2008; Dawotola et al. 2009; Psarrpopulos et al. 2014; Simonoff et al. 2010; Yuhua & Datao 2005). Some of the integrity issues associated with pipeline lifecycle phases are summarized in Table 3.1. Despite all these factors, the role of human factor cannot be ignored in the integrity management. The organization can only be successful to achieve the high level of integrity with fully skilled and well trained competent personnel (Chandima Ratnayake & Markeset 2010). It can be concluded that the effective management of physical asset is only possible with well trained competent personnel in accordance with sound recognized practices and procedures where societal health and safety culture prevail.  Table 3.1: Pipeline integrity issues related to lifecycle processes Life Cycle Phases Integrity Issues Design materials selection, life cycle design, design robustness Construction fabrication inspection, construction quality control, and commissioning Weld seam defects, poorly applied coatings, construction dents, and incapability with ILI tools Maintenance Cathodic protection and chemical inhibition, monitoring (corrosion coupons and slope stability), and inspection (ILI, direct assessment, and ROW surveillance) Assessment Knowledge and understanding of hazards, understanding of inspection results, sound engineering judgment, fitness for service of the pipeline with defects Abandonment end-of-life programs are in place, any residual hazards due to the abandonment  of a pipeline  3.1.4 Integrity Management Processes (IMPr) This section will describe the IMPr related to pipeline operations to maintain its integrity. Integrity management processes are the design, technical and operational activities, which are required over the lifecycle of O&G pipelines. The pipeline lifecycle is comprised of Commissioning, Inspection, Maintenance, and De-commissioning. Broadly speaking, IMPr can be categorized as design, construction, risk assessment, condition monitoring, repair & maintenance and decommissioning & recycling activities. These activities include but are not limited to, quality control and inspection,  77  cathodic protection, in-line inspection (ILI), chemical inhibition, coating selection, excavation programs, corrosion monitoring, and river block valve maintenance (Iqbal, Tesfamariam, et al. 2016; Revie 2015).  The IMPr technology selection and implementation plans depend on the scope of the operation and can vary from production data for the upstream industry to real-time operational monitoring data gathered manually or through (SCADA) system, inspections data and incident reporting. The performance evaluation of IMPr is done by selecting suitable performance measures and indicators. Risk Assessment is an integral component of Integrity Management Program and processes. The most common codes for risk assessment in the industry are: Norsk Sokkels Konkuranseposisjon (NORSOK) standards (developed by the Norwegian petroleum industry), ISO 31000 Risk Management Principles, American Petroleum Institute (API) codes and standards API 510, 570, 653, 580 and 581, ASME PCC-3-2007 “Inspection Planning Using Risk-Based Methods” and Canadian standard CSA Z662 (Revie 2015). Generally, quantitative leading and lagging1 indicators are used to determine the efficiency and effectiveness of IMPr.                                                  1 Leading indicators: a forecasting metric that characterizes the accomplishment of the programs or processes. Leading metrics describe how well a process or program is implemented. Lagging indicators: a retrospective metric that describes the outcomes of the programs and/or processes. Lagging indicators are generally based on the occurrence of incidents or failures.  78  Condition evaluation and the probability of failure for pipelines are the most important factors influencing the decision-making process for effective IMPr (Khan et al. 2004). Traditional (deterministic/ mechanistic) approach based on standards and codes (ASME B31G and modified B31G) and the probabilistic/statistical approach based on the stochastic character of structural and environmental factors are used to assess the probability of pipeline failure (Sahraoui et al. 2013).  The deterministic approach is a process to assess the condition of pipelines by getting data from inspection tools, whereas the probabilistic approach predicts the future probability of failures. ASME B31G provides industrial guidelines (ASME 2009) of safe working pressures based on the pipeline dimensional parameters obtained through inspection (Singh & Markeset 2014a). The DNV-RP-F101 recommends the probabilistic approach for the assessment of corroded pipelines subjected to internal pressure and internal pressure combined with longitudinal compressive stresses (Bjørnøy et al. 1999; DNV 2015).  3.2 Integrity Management Program (IMP) Integrity management program (IMP) define the management system for the prevention and mitigation of accidental releases of hazardous substances (DeWolf 2003). An integrity management program (IMP) is a systematic and formal documented program that specifies policies, plans, and practices, used by the pipeline operating company, to ensure safe, environmentally responsible and reliable service of a pipeline system (ASME-B31.8S 2014; CSA 2015).   79  3.2.1 Industrial Standards  The O&G pipeline industry formulates the integrity management system based on industry standards and regulatory authorities’ requirements. Most common industrial standards used in the industry are: American standards, API 1160 (Liquid pipeline integrity management), ASME B31.8S (System integrity for gas pipelines) and API 1163 (In-line inspection system qualification); Canadian standards, CSAZ662 (Oil and gas pipeline systems); British standards, BS PD8010 Part 1 (Steel pipelines on land) and part 2 (Subsea pipelines); and European standards, BS EN 14161 (Petroleum and natural gas industries-pipeline transportation systems), BS EN 1594 (Gas supply systems). These standards provide the integrity management framework. The most of standards (e.g., CSAZ662, B31.8S) guidelines are goal based and give liberty to pipeline operating companies to implement them as per their own interpretation.   The terms - IMS and IMP - have been used interchangeably in different industrial standards. American industrial codes ASME B31.8S refer IMS as the combination of integrity management programs and integrity management processes (Figure 3.1), whereas the Canadian Oil and Gas Pipeline Systems Standard -CSA Z662- presents integrity management program as a major component under safety and loss management system and it follows goal oriented or performance-based approach. The US-based standards and codes follow high consequences area (HCA) approach (Kishawy & Gabbar 2010; Revie 2015).  In the US, the Code of Federal Regulations (CFR) established new requirements for hazardous liquid pipeline operators with more than 500 miles of pipeline. The Code was effective from May 29, 2001. It is focused on pipeline integrity management in high consequences area (HCA). The HCA focused approach requires operators to identify the geographical areas which are densely  80  populated such as schools, markets and housing facilities with impaired mobility (DeWolf 2003). Moreover, other pipeline integrity standards such as ASME B31.8S, code for pressure piping, and American Petroleum Institute (API) code API 1160 for managing system integrity for hazardous liquid pipelines, also provide the guidelines for developing IMPs based on HCA approach (API-1163 2013).  3.2.2 High Consequences Area (HCA) Focused Approach The key to an IMP is to establish a Baseline Assessment Plan for all pipelines that could affect HCAs, to address specific integrity assessment methods, risk assessment for prioritization, and schedule for assessment, the process for selection and risk factors for Integrity assessment methods and scheduling (Mohitpour et al. 2010). IMP based on HCA approach consists of eight fundamental process elements (DeWolf 2003): HCA identification process; baseline assessment plan; integrated information analysis; repair criteria; continual pipeline assessment and evaluation process; identification of preventative and mitigative measures; methods to measure the integrity program’s effectiveness;integrity assessment results and information analysis review by qualified person. 3.2.3 Goal Oriented Approach   All major O&G regulators in Canada govern the pipeline's operations, under their jurisdiction, with   guidelines of CSA Z662 and by their respective pipeline protocol (e.g., BCOGC is governed by Oil and Gas Activity Act (OGAA) and Pipeline regulation, NEB by ORP). National Energy Board (NEB) drawn up and practiced “Goal Oriented (GOR)” approach for pipeline integrity management through its Onshore Pipeline Regulation (Board 2016) . It was initially implemented  81  in 1999 for land-based pipelines. This approach is a shift from a purely prescriptive regulation to a more performance-based system. Under OPR, regulatory authorities direct the pipeline operators to achieve regulatory compliance goals aimed at improving pipeline safety and environmental protection. This approach takes prevention as a fundamental principle which is more realistic to meet safety, environmental and societal protection goals  (Furchtgott-Roth 2013).  The CSA Z662 is technical standard for the Canadian O&G Pipeline Systems for design, construction, operation, and maintenance of pipeline systems (CSA 2015). Canadians regulatory authorities started to implement IMP based on CSA Z662 in 1999. Since 2007, CSA Z662 Annex N outlines the guidelines for developing, implementing and maintaining IMP. CSA Z662 (Annex-N) provides a framework for policies, processes, and procedures for assuring the integrity of pipelines (BCOGC 2013). In addition, Annex A of CSA Z662 describes the requirements for a Safety and Loss Management program. Both annexes are intended to integrate a lifecycle management system approach within IMP. The annexes are “informative,” not mandatory, however recently some regulatory authorities like BCOGC and Alberta Energy Regulator opting them to make it mandatory by referencing it through their regulation (Michael Baker Jr. 2008).  The CSA Z662 requirements can be categorized as informative and normative. Canadian regulators actively participate in consensus standards development and enable CSA Z662 incorporation through reference in their regulation. It minimizes extra regulatory requirements.  Development and improvement of CSA Z662 are an ongoing process to provide clarity and clear interpretations to the end user.   82  3.2.4 IMP expectations Regulatory agencies develop regulations based on the lessons learned during industrial practices/standards, stakeholder’s requirements and environmental safety (Revie 2015). However, it is important to realize that regulatory changes take time as compared to industrial progress and public expectations. Regulatory requirements that often refer to the standards are bare ‘minimum level’, not an ‘excellence level’. Most of the companies only adopt the bare minimum to be compliant only and try not to improve their system more than those requirements. Proactive companies’ pride should be their safety and performance achievements beyond the minimum requirements. If a company only meets regulations, then it is well behind the industry leaders and good integrity management practices (Revie 2015).  Figure 3.2 graphically presents the regulatory authorities expectations and the high goals that companies should strive for. In order to get a regulatory perspective, the Compliance Assurance Protocol for pipeline integrity management programs by British Columbia Oil and Gas Commission (BCOGC, 2016), which is a provincial regulator, was reviewed. It was noted that BCOGC’s IMP outlines its expectations and requirements for the Oil and Gas Pipeline operators using a management system approach and follows CSA Z662 and Annex N. Main components of the IMP are identified as Planning; Implementation; Checking and Evaluation; Program Assessment and Continual Improvements; and Management Review (BCOGC (2016). Integrity management program requirements for National Energy Board also reviewed, and it was noted that management system requirements for IMP are mandated through NEB’s Onshore Pipeline Regulation (OPR 2014).   83   Figure 3.1: Companies’ pipeline integrity expectations 3.3 Integrity Management Assessment  The periodic evaluation and assessment of IMP is a mandatory requirement in the guidelines of Pipeline Standards (CSA Z662, ASME B31.8S). The objective is to evaluate the effectiveness and continual improvement of the IMP. The regulators also have developed their compliance assessment and auditing processes to measure the effectiveness of operators IMP.  The comparison of ISO 19600 Compliance Management System approach, which advocates the ‘Develop -Implement -Evaluate -Maintain’ with regulators auditing programs revealed the many improvement opportunities to make the auditing program effective.   84   Figure 3.2 : Integrity Management Program – A risk assessment model. Adapted from (Iqbal et al. 2018) by permission from publisher  3.3.1 IMP Assessment model-Auditing process The model is proposed which will systematically capture the discrepancies in the compliance and evaluate the effectiveness of operators IMP programs using a risk-based methodology and quality management approach (Figure 3.3). The model will provide a base for future performance  85  benchmarking analysis. The risk assessment model will synthesize the information gathered through regulator’s assessment process and will present three-dimensional compliance assessment report to the stakeholders by streamlining the IMP performance evaluation. A systematic procedure for implementing methodology is outlined in the next section. 3.3.2 IMP components The first step in the model development is to identify the IMP requirements given in industrial standards ASME B31.8, API 1160 and CSA Z662. These IMP requirements are further grouped under eighteen (18) categories. These eighteen (18) are referred to as IMP components. These components are further consolidated into five higher-level groups. These groups are identified as core components, which are planning, program implementation, checking and evaluation of assets, program assessment and improvement and management review. The core components are a comprehensive review of IMP performance for senior management level (Table 3.2). 3.3.3 IMP components compliance criteria Each identified component will be evaluated on compliance, severity and its effectiveness. The IMP components compliance refer to compliance with IMP requirements. The term ‘compliance’ refers to meaning that each component is adequately documented, communicated and applied by the operators and meets the expectations outlined in the standard and regulator’s protocol. The closed-ended audit questionnaire is developed to assess the compliance level. The questionnaire is comprised of around 200 questions under the relevant eighteen (18) IMP components.  Three example questions under the ‘policy and objectives’ section are given below:  86  • Is the policy statement for integrity management documented, signed and approved by the senior leadership of the operator?  • Does operator’s policy statement for integrity management include: 1) scope, 2) commitment, and 3) goals of the IMP and its continual improvements?  • Is the company policy statement for integrity management communicated to all employees? The following questions are assessing the communication, record management and top management commitment subjected to ‘policy and objectives’. The response to these questions can be compliant (Yes), Not Compliant (No) and Not Applicable (NA). The NA refer that the question is not relevant to particular operator’s IMP.  Table 3.2: IMP components and their grouping into core components IMP Core Components Planning Program implementation Checking and evaluation of assets Program assessment and improvement Management reviews IMP Components General IMP Organizational role and responsibilities Inspection and monitoring Incident reporting and investigation Management reviews Goals and objectives  Information management and communication Evaluation of inspection and monitoring results Program assessment (non-compliance)  Policy and commitment Training and competency Modification and repair Internal audits  Risk assessment Management of change     Record control    Document control     Operation control     87  3.3.4 Analysis  The presented research is focused on shifting of IMP and safety culture assessment from conventional auditing to the risk assessment. However, the auditing process is qualitative assessment process, which is based on the level of compliance with the requirements and the auditor’s assessment. The brief literature review of most commonly used risk assessment techniques (Appendix A) and will provide the rationale to select the most suitable method for the IMP assessment.  Failure Modes and Effect Analysis (FMEA) is a systematic procedure for the analysis of a system to identify the potential failure modes, their causes, and effects on system performance (Cassanelli et al. 2006). FMEA as a formal design methodology was first proposed by NASA in the year 1963 as part of its flight assurance program for spacecraft to enhance the reliability of space program hardware (Yang et al. 2010) . Since then FMEA is widely used in industry as a ‘what if’ process for safety and reliability analysis in the industry, particularly aerospace, nuclear and automotive industries. In 1977, Ford Motor Company adopted and promoted FMEA methodology in the automotive sector as prioritization methodology to assess and prioritize potential process and design- related failures.  Failure Modes and Effects Analysis (FMEA) is a method for evaluating possible reliability discrepancies before its occurrence where it is simpler to acquire actions to overcome these matters. FMEA is applied to recognize probable failure modes, conclude their effect on the process, and categorize actions to mitigate the failures. A vital step is to anticipate that what might be the possible failure in the process (Lipol & Haq 2011). FMEA may be used at different level levels of the system such as from the highest level to the functions of discrete lower levels. The  88  FMEA is also an iterative process that is evolved and updated with the change in the level process and review of FMEA will be required (Cassanelli et al. 2006). FMEA in its conventional application is a systematic engineering analysis which is used to define, identify, and eliminate potential problems within a system (Amadi-Echendu et al. 2010; Ben-Daya et al. 2009; Stamatis 2003; Yang et al. 2010). The potential failure mode is defined as the manner in which the process could potentially fail to meet the process requirements (Lipol & Haq 2011). Potential failures can be evaluated and prioritized based upon their occurrence (the probability of failure frequency), severity (failure consequence), and detection (detectability or effectiveness of prevention before the consequence is realized). Failure modes are rated according to their calculated risk priority number (RPN) which is the product of the quantified severity, occurrence and detection measures (Ben-Daya et al. 2009; Palady 1995). This technique provides the platform to transform the qualitative data for quantitative assessment. For calculating the risk in FMEA method, industrial FMEA (the Society of Automotive Engineers, US Department of Defense, and the Automotive Industry Action Group) describe the Risk Priority Number (RPN) to measure risk and severity of failures (Rhee & Spencer 2009). The RPN has three components which are multiplied to get the RPN value: Severity (S), Occurrence (O) and Detection (D). There is no threshold value for RPNs. In other words, there is no value above which it is mandatory to take a recommended action or below which the team is automatically excused from an action (Lipol & Haq 2011).  The failure mode effect analysis (FMEA) is used innovatively in the assessment process. The definitions of occurrence, severity, and detectability are modified, which are suitable to the auditing process. The detectability term is mostly employed in manufacturing industry which  89  shows that how difficult it is to find the cause of failure.  The term ‘detectability’ is interchanged with the ‘effectiveness’. The term effectiveness conceptually shows how effective is the IMP component to prevent the failure of the program. The adopted definitions of FMEA basic elements are: • Occurrence (O) is a probability of IMP failure due to not complying with the IMP requirements. In other words, it represents the non-compliance and is measured through the compliance questions. • Severity (S) is defined as the impact of the failing to complying with an IMP component requirement. It is assigned for each sub-component on a linguistic scale based on auditor’s opinion, asset condition, and location and depends on the importance of the IMP requirement within the component. • Effectiveness (E) is estimated based on the corrective actions proposed or completed by the operator and is also applied at the sub-component level. Table 3.3: IMP assessment question relationships with different IMP components Each ‘question’ is primarily associated with the most relevant IMP components, which is referred as a primary association. However, these questions may also link to the requirements of other Q.No Assessment Questions MOC Sub-component Primary Relationship Secondary Relationship 1 Is management of change (MOC) process for changes that might affect the integrity of the pipeline system developed, documented and implemented? Management of change Record and document control 2 Does the management of change process identify possible scenarios that could initiate a change? Management of change Management of change 3 Does MOC process include the responsibilities for identifying, approving and implementing changes? Management of change Organizational roles and responsibilities  90  components so that a secondary relationship is also established. For instance, the question (1) given in Table 3.3 is to check the documentation and implementation of “Management of change”, but the documentation is also the part of “Record and documentation control”. Each question may have one or two relationships with IMP sub-component. For example, Question 1 and Question 3 (Table 3.3) have two relationships, while Question 2 has only one relationship.  The next section will describe the calculation method of Risk Priority Number (RPN) calculations. 3.3.5 Occurrence (O)  The Occurrence (O) score is calculated through a questionnaire response. Each question has three possible answers: Yes, No and N/A. The probability of occurrence of failure is measured on a scale of 1 to 10. This score is linked to compliance response Yes, No and N/A. The response “Yes” has been assigned a value of (1) which means the lowest probability of failure, the response “No” has been assigned the value of (10) which means the maximum probability of failure. However, the questions with the response “Not Applicable (N/A)” are not used in the calculations.  Each question is associated with the particular component(s), so the occurrence score of each question is assigned to both primary and secondary component. The average is taken for a score of all responses associated with the primary component and secondary component. Then MAX value among both averages is taken as occurrence score as shown in Eq. (3.1) Where “𝐶𝑖,𝑝” = average score of component score with the primary relation. “𝐶𝑖,𝑠” = average score of component score with the secondary relation. Values of “C” is either 1 or 10 and “∑ N” = total number of responded questions excluding the questions with the response “NA”.  91   𝑶 = 𝑀𝐴𝑋 (∑ 𝐶𝑖,𝑝𝑁𝑖=1∑ 𝑁 ,   ∑ 𝐶𝑖,𝑠𝑁𝑖=1∑ 𝑁)              𝐶 ∈ {1,10} (3.1) 3.3.6 Severity (S)  The regulatory auditor assesses the severity of non-compliance through the response to questionnaire and document review. The questionnaire response only triggers level of severity and identified the areas of weakness. The document review further elaborates the discrepancies in the program. It also related to the pipeline location, carrying material pipeline size and material. The auditor may assign severity at three levels such as “High (H)”, “Medium (M)”, and “Low (L)”.  For example, the overall compliance score percentage of the component is 80 % but the compliance score associated with operational activity “high”, which refers that the operators are only fulfilling nonoperational activities. Such scenario will make a choice for the auditor to select the severity score medium or high. Furthermore, the pipeline location, carrying material and pipeline material will be the deciding factors.  The numerical score associated with linguistic level is as follows:  S = {SH, SM, SL} = {1, 5, 10} (3.2) 3.3.7 Effectiveness (E) After compliance and severity score, the auditors will review the corrective action plans of alternative measures to overcome the failure. The auditors will assess the level of effectiveness after reviewing the documentation, implementation, applicability, communication, competence review and review with operator’s representatives. Based on the assessment the auditor will assign the effectiveness qualitative rank at the scale of Low Medium or High. For example, the “High”  92  rank may be assigned, to effectiveness, in the scenario where the compliance score is low means fully compliant. The severity score may be low, medium or high but the corrective action plan is in place to cater the failure depending on the severity.  Furthermore, on same criteria, the medium represents corrective action plan is in place but not efficient, and Low represents that no corrective action is defined. The qualitative ranking is translated into a quantitative score ranging from 1 to 10. The scores for “High” is 1, “Medium” is 5 and “Low” is 10 (Eq 3.3)  E = {EH, EM, EL} = {1, 5, 10} (3.3) 3.3.8 RPN Calculations  The risk priority number is calculated by multiplying the score of three elements Occurrence, Severity, and Effectiveness (Eq 3.4). Higher RPN of particular IMP component infers the IMP requirements associated with the component are compliant, less severe and effective. However, the scenario may be possible that the compliance score is very high but due to low severity and high effectiveness the overall RPN is low.  𝑅𝑃𝑁 = 𝑂 × 𝑆 × 𝐸                 [1, 1000]            (3.4) 3.4 Integrity Management Program Assessment and Knowledge Tool (IMPAKT) This model is practically implemented in the regulatory audit. The model is translated into an Excel-based decision support tool (Integrity Management Program Assessment and Knowledge Tool - IMPAKT). The tool interface is consist of Assessment tab’s (Figure 3.5, Appendix B) and Results tab. The assessment tab is used, by the auditors, while auditing. The auditors evaluate the assessment questions under each category. The auditors may also add comments in the comments  93  sections. The auditors will use the drop-down menu to assign the severity and effectiveness ranks qualitatively. The auditors will assign severity and effectiveness rank for each IMP component. The assessment results are computed in FMEA tab. The assessment results are summarized in two ways: by the eighteen (18) components level (Figure 3.4), and by the core components level (Figure 3.5). The core component presentation will give the higher-level dashboard summary for senior management.  Figures 4a, 4b is the presentation of “results tab”. This tab consolidates the results and provides the summary of the risk assessment results. The RPN of each component is presented in the web graph. Three colored zones show the  risk levels. RPN range from 0-300 is a green zone, which means that component in this region is reasonably compliant and effective; range 400-600 is in yellow zone shows that necessary actions are required for improvement; and red zone ranging from 700-1000 is representing noncompliance and non-effectiveness.  3.4.1 IMPAKT Implementation: A Case Study  All companies audit data from first audit cycle from 2011 to 2014 is reassessed by using the IMPKT. Among those, three companies are selected from the audit pool of years 2014 and 2015. The IMP audit has already been conducted by regulatory auditors using the traditional approach.  The selection criteria are that the companies should have similar size, a number of assets and are the best, moderate and the worst performer in the audits. The companies are named are aliased as  Company A, Company B, and Company C”. The results of compliance response to the IMP components are summarized in Table 3.4.   94  The consolidated audit's results show that The “Company A” has proved 100% compliance, the “Company B” has 66% conformance, and 34 % non-compliance and the “Company C” has 100 % non-compliance for IMP component (Figure 3.6). On the results basis, regulatory authority renewed the operational license of the “Company A”.  95   Figure 3.3: IMP components risk assessment results (Iqbal et al. 2018) by permission from publisher   Figure 3.4: High-level IMP components risk assessment results(Iqbal et al. 2018) by permission from publisher General IMPPolicy and CommitmentGoals and ObjectivesRisk assessmentOrganizational roles andresponsibilitiesInformation managementand communicationTraining and CompetencyManagement of ChangeDocument ControlRecords ControlOperation ControlInspection and MonitoringEvaluation of inspection andmonitoring resultsModification and RepairIncident reporting andinvestigationProgram assessment (non-conformance)Internal AuditManagement reviewIMP components' perfromancePlanningImplementationChecking and evaluationProgram assessment andcontinual improvementManagement reviewProgram performance 96  The license for the Company B was issued with conditions and the license for the company C was seized. The audited data is translated and re-evaluated by using IMPAKT. The auditors revisited the entire IMP documentation and assigned severity and effectiveness scores to each IMP component. The compliance data remained the same. The results are consolidated in the web diagram (Figure 3.7).  3.5 Summary The O&G pipelines need to maintain and operate in a safe and responsible manner to ensure they do not pose a risk to the public and environment. The integrity management program is a formal program, implemented by the companies, to ensure the safety and the reliability. The industrial standards ASME B31.8, API 1160 and CSA Z662 provide the guidelines for implementing the IMP. Audits are the way to analyze the effectiveness of the IMP programs and are used as verification tool by the regulators to determine compliance with specified requirements. However, the traditional IMP audit only determine the compliance of the requirements but do not provide methods to determine the critically, importance or risk associated with the non-compliance.  The primary objective of the presented research was to develop a formalized risk-based model to assess and evaluate the implementation, effectiveness of an integrity management program for oil & gas pipeline. The failure mode effect analysis (FMEA) is used as a risk assessment method in the proposed model with some modifications to suit this research. The IMP requirements are grouped and referred to IMP components. The IMP components are further consolidated into higher level core components. The IMP assessment is to check the process of the documentation, communication, understanding, implementation, and the effectiveness.    97    Figure 3.6 : Risk assessment results - a comparison of three companies (Iqbal et al. 2018) by permission from publisher  Company ACompany BCompany C100460054100% Non-Conformance % ConformanceFigure 3.5: IMP requirements compliance status (Iqbal et al. 2018) by permission from publisher   98  Table 3.4: IMP Component compliance and non-compliance data IMP Component Company Name Non Compliance Compliance General IMP C 4 0 B 2 2 A 0 4 Policy and Commitment C 8 0 B 0 8 A 0 8 Goals and Objectives C 7 0 B 0 7 A 0 7 Records Control C 17 0 B 6 11 A 0 17 Document Control  C 17 0 B 6 11 A 0 17 Management of Change  C 7 0 B 1 6 A 0 7 Training and Competency C 7 0 B 7 0 A 0 7 Program assessment (non-compliance) C 7 0 B 0 7 A 0 7 Risk assessment C 14 0 B 0 14 A 0 14 Organizational roles and responsibilities C 1 0 B 0 1 A 0 1 Information management and communication C 14 0 B 0 14 A 0 14 Inspection and Monitoring C 13 0 B 7 6 A 0 13 Evaluation of inspection and monitoring results C 9 0 B 0 9 A 0 9 Modification and Repair C 2 0 B 0 2 A 0 2 Operation Control C 15 0 B 11 4 A 0 15 Internal Audit C 15 0 B 11 4 A 0 15 Management review C 15 0 B 1 14 A 0 15  99  An Excel-based decision support tool, Integrity Management Program Assessment and Knowledge Tool (IMPAKT) is developed to implement the proposed framework to improve auditing processes. The IMPAKT is tested and validated through a case study. A case study presents the comparison of the traditional audit process and the IMPAKT results. Three companies were selected which were already audited through the traditional audit process. The results comparison shows that the tradition IMP auditing process only gives one-dimensional information of the compliance. The decision makers are not able to evaluate the IMP based on the quality and effectiveness of the program. The model’s analysis helps to make more informed decisions. The proposed approach provides three-dimensional analysis based on compliance, severity, and effectiveness, which helps to identify the risk associated with the non- compliance, it also incorporates the significance of the corrective action plans in the decision process.  The presented work will open various new avenues for the future research and has a potential to be further extended to incorporate the continuous quality improvement management system. It can also help to incorporate and establish the safety culture assessment in the analysis. Finally, this framework also lays a foundation to develop the competitive and strategic benchmarking for pipeline operating companies.    100  Chapter 4 : Safety Culture Assessment  The chapter is the detail presentation of Phase 3. Part of this chapter has been submitted to the “Journal of Safety Research” entitled “Mapping Safety Culture Assessment Goals to Integrity Management Program: A Framework for Oil and Gas Pipelines Industry ” (Iqbal, Tesfamariam, et al. 2016).  4.1 Background Pipelines operations are subject to numerous  risk drivers, which have high consequences, often make the safety a very complex process (AER 2014; NEB 2016; Peekema 2013a). Despite the technical causes of failure, the International Atomic Energy Agency (IAEA) report (Culture 1991) on the Chernobyl disaster introduced the concept of the “safety culture” in the high consequences industry, which is a hidden factor affecting safety (Choudhry et al. 2007; Goodfellow & Jonsson 2015; Pidgeon 1991). Pipeline industry is implementing and regularly assessing the integrity management program (IMP), which comes under safety and loss management system (CSA 2015). IMP is a set of policies, plans, schedules, and documentation of technical procedures (i.e., operations, inspections, and maintenance) to ensure safety and integrity of all the processes and operations (CEPA 2013; Iqbal, Waheed, et al. 2016). The operators (companies) develop, implement, and maintain their IMPs based on the guidelines of industrial standards (CSA Z662, ASME B31.8S) and regulators. The operators and regulators ensure the effective implementation of IMP through regular assessments.  O&G regulators provide safety focused oversight to the IMP of operators in their jurisdiction and emphasis on improving the safety culture. However, finding the answers for the questions that  “What is an effective method to assess the maturity of a safety culture within the pipeline and  101  facilities industry as a regulatory body?” and “How to map integrity management program with safety culture?”. The integrated assessment process of integrity program and safety culture may be a solution for these questions. Safety culture maturity assessment is a self-assessment process within the organization, followed by a review of policies, system, processes for the safety, and survey about safety perception of the individuals and the organization as a whole (Cox & Cheyne 2000). The regulators have limited time and resources to conduct the safety culture assessment as an independent process, while the regulators have to monitor the implementation of different mandatory safety and process protocols (including IMP) for protection of public and environment.  North American O&G Regulators Working Group on Safety Culture (NARWGSC) has made a joint effort in improving the safety and environmental outcomes by levering safety culture. This group consists of representatives of several concerned organizations from all over North America, including the National Energy Board (NEB), Canada Newfoundland and Labrador Offshore Petroleum Board (C-NLOPB), Canada Nova Scotia Offshore Petroleum Board (CNSOPB), United States’ Bureau of Safety and Environmental Enforcement (BSEE), and the United States’ Pipeline and Hazardous Materials Safety Administration (PHMSA) (NEB 2016). The main motive of the collaboration was to develop a system of references and resources for the O&G pipeline industry, which will provide clarity and consistency in terminology, dimensions, attributes and assessment of the safety culture. Later, the group further expanded with the inclusion of the Alberta Energy Regulator (AER) and the British Columbia Oil and Gas Commission (BCOGC). The group has also initiated a project to identify a suite of indicators for awareness and understanding of potential cultural threats and defenses in the O&G pipeline industry (NARWGSC 2016).  102  The IMP components and safety culture attributes share several commonalities, e.g., effective policies, management commitment to safety, employee training and participation in safety-related practices, fearless incident reporting environment, etc. The NARWGSC highlighted the necessary attributes of safety culture for O&G sector. These attributes provide the common ground for the operators to implement and for regulators to assess the safety culture. The existing NARWGSC approach deals safety culture independently, whereas  an integrated assessment of IMP and safety culture may facilitate in monitoring the performance of IMP from safety culture perspective with less time and efforts. Moreover, it will align the vision and policies keeping the safety as a prime concern and will justify the allocation of resources required for improvement actions with dual functionality, i.e., simultaneous improvement in both the IMP and the safety culture.  This research develops an assessment framework to integrate the audit process of IMP with the safety culture assessment. This integration can be a possible solution to identify strength and effectiveness of IMP and safety culture in O&G pipeline operators. In addition, to reduce the efforts required for the detached assessment process for both the IMP and safety culture, mapping IMP components over the safety culture attributes will value the organization’s perspective that safety is a core value and predominant priority for all personnel. The implementation of the proposed framework on seventeen O&G pipeline industries, operating in the province of British Columbia (Canada), confirms its pragmatism.   4.1.1 Recent Pipeline Incidents Investigations   This overview aims to establish the causes of a pipeline failure that are highlighted in technical investigations with the safety culture and IMP of the companies. Incident reports mainly focus on the investigations and underline the technical causes of failure; few of them also highlighted other  103  managerial and cultural aspects. The selected investigation reports are mostly from the incidents occurred in North America.  4.1.2 Case study I: Pacific Gas and Electric Company (PG&E) On September 9, 2010, a segment of the natural gas pipeline of 30-in-diameter, owned and operated by Pacific Gas and Electric Company (PG&E), busted in a residential area of San Bruno, California. PE&G estimated that 47.6 million standard cubic feet of natural gas were released. The catastrophic fire caused eight casualties; many were injured, 38 house fully destroyed, while 70 were damaged (NTSB 2010).  According to the report published by National Transport Safety Boards (NSTB) on August 30, 2011, the explosion was the result of a fracture in the weld seam. Apart from the other technical causes of incidents, the report unveiled serious safety concerns in the construction and operational activities. Risk of failures, in design and material selection, were not analyzed. It was also found that industrial quality control and welding standards were not implemented during the fabrication of damaged segments. Furthermore, PG&E’s pipeline integrity management program was ineffective due to incomplete and inaccurate pipeline information (NTSB 2010). Risk assessment was not based on the previously reported welding defects. The internal assessment was also superficial without showing improvements of the deficiencies (NTSB 2010). These discrepancies reflect the ineffective IMP and lack of safety culture.  In the context of safety culture, the findings showed that safety was not the prime focus of the company, which was manifested by the lack of inventory management, poor communication, superficial risk assessment, and ineffective inspection results (NTSB 2010).   104  4.1.3 Case Study II: Carlsbad, New Mexico The investigation report, on the incident of natural gas pipeline rupture and fire near Carlsbad, New Mexico, issued by National Transport Safety Board, revealed that the internal corrosion was the main cause of the failure (NTSB 2000). The report highlighted the lack of appropriate risk assessment and internal corrosion mitigating programs. It was reported that “The current Federal pipeline safety regulations do not provide adequate guidance to pipeline operators or enforcement personnel in mitigating pipeline internal corrosion” (NTSB 2000). These findings show that the company was primarily relying on the regulatory or standard guidelines and did not design a specific risk assessment program. Such organizational behavior is described as Level 1 “Emerging” (Fleming 2000; Lees 2012) or “Pathological” level, where companies take the safety only as the regulatory requirement (Holstvoogd et al. 2006; Hudson et al. 2002). 4.1.4 Case Study III: Plains Midstream Canada ULC’s pipeline On June 7th, 2012, Plains Midstream Canada ULC’s pipeline monitoring system triggered an alarm. 12-inch nominal pipe size (Rangeland South) pipeline released 462.75 (m3) of crude oil into the Red Deer River. This release had devastating socio-economic impacts spread over a 40 km, reach downstream from release point to the Dickson Dam reservoir. The investigation reports identified the high cycle fatigue as a cause of failure induced due to ten times excessive vibrations generated by the overflow of the river (AER 2014). The failed section of pipeline was adhering to manufacturing standards. Therefore, corrosion, weld defects, or any other material properties were not the cause of failure. AER’s investigations for Plains’s pipeline IMP proclaimed that it did not meet the requirements of “Directive 071: Emergency Preparedness and Response Requirements  105  for the Petroleum Industry”. Also, the failure was a combination of high river flow and deficiencies in Plains’ pre-incident administration and management of the pipeline (AER 2014).  The investigations showed that safety was not the core value for the company, and the adopted procedures were only meeting the regulatory requirements but were not practiced as a function of organizational culture. According to the maturity models, Shell’s heart and minds, the company was at “Pathological” first stage of culture (Table 2) (Holstvoogd et al. 2006; Hudson et al. 2002).  At this stage, the safety was not the prime objective. Instead, safety procedures were considered because of fear of regulatory authorities. Hence, the causes of failure reflect poor safety culture, which is evident as i) the company was not fulfilling its pipeline inspection plan  as documented in the IMP, ii) the frequency of pipeline inspection was less than planned; iii) the results of hazard assessment were not taken earnestly, iv) no appropriate mitigation measures were taken, and v) the pipeline company “Plains” had not taken corrective actions for spill cleaning by isolating the accident site. The discussed investigation reports revealed that the discrepancies in IMP and poor safety culture contributed to the causes of incidents. The above-discussed findings have provided an impact on the development of the proposed framework.  4.2 Organizational Culture The culture, by definition, is something that is shared among the people, becomes a norm, and is not influenced easily (Guldenmund 2007). The culture is evolved by internal and external influences, national and regional conditions, and educational and socio-economic background of the workforce (Guldenmund et al. 2006). Cooper (2000) distinguished organizational culture toward safety in two concepts; “Safety Climate” and “Safety culture”. The difference between both has been debated in academics as well as various echelons of industry (Goulart 2013). However,  106  there is a thin line between them because safety climate and Safety Culture share common boundaries (Guldenmund 2007). “Safety Climate”, a measure of perceptions and actions about safety that are reflective of the immediate circumstances. Safety Climate is often significantly affected by recent events or incidents. Since Safety Climate is the measure of current safety actions, it is directly influenced by recent events occurred. Safety actions are taken based on organization’s Safety management system (SMS), so it depicts that the SMS has a direct impact on safety climate. Thus the performance matrices used to evaluate the SMS are also foundational elements of safety climate. Moreover, the organizational behavior has also a significant impact on Safety Climate.  Organizational behavior is the reflection of all activities, actions, and policies that an organization engages in. It is a driving force behind the Safety Climate. As recent actions have a deep impact on shaping employees’ belief and motivations. Repeated patterned of Organizational behavior began to create traditions and evolved into values and culture.   Whereas, “Safety Culture” is a measure of perspectives, beliefs, and traditions measured based on historical perspective. An organization’s safety culture is a representation of its commitment to both personal and process safety; however, safety culture is not a tangible indicator and is difficult to measure (Lees 2012). Numerous definitions of safety culture are available in the academic literature. Choudhry et al. (2007) comprehensively address that definition in a review article. The crux of all definitions is presented by Advisory Committee on the Safety of Nuclear Installations as“The Safety Culture of an organization is the product of individual and group values, attitudes, perceptions, competencies and patterns of behavior that determine the commitment to, and the style and proficiency of, an organization’s health and safety management” (Health et al. 1993).   107  Safety Culture takes a long period of time to evolve by organizational operations, values, and traditions and it’s historical context differentiates it from Safety Climate. It easier to understand the difference that Safety Climate exists at a point in time and that Safety Culture is much more of a legacy than an immediate result. So that Safety Culture is a subset of organizational culture and is driving belief that creates the Climate. (Cox & Cox 1991; Goulart 2013; Maddin & Shanks 2016; Pidgeon 1991). An organization’s Safety Culture is reflective of its commitment to personal and process safety (Maddin & Shanks 2016). The true Safety Culture is that a shift from operational safety measures to safety as core values in organizational behavior that reflects in a management role and organizational structure (Canada 2007; Lees 2012; Sorensen 2002). The commonly described broad attributes of management role are: • The strong commitment towards Safety through company’s policy and incorporating safety as a core value (Maddin & Shanks 2016); • Allocating adequate resource and communicating responsibility and accountability at all levels (NARWGSC 2016);  • gain mutual trust, encourage employee engagement and ownership;  • encourage the learning environment, accommodate the improvement ideas and positive behavior;  • non-punitive reporting of incidents and prompt response to reported issues; The organizational structure attributes include:  • good organizational communication;  • well-defined operating procedures;   108  • the vigilance of safety goals and risk;  • knowledge sharing;  • training and behavioral development;  • adaptability to the necessary changes in the system (API-1173 2014; Sorensen 2002). 4.2.1 Types of Organizational Culture Hudson et al. (2002) and Reason (2016) distinguished six (6) types of Organizational Culture. These include an informed culture, reporting culture,  just culture, flexible Culture, learning the culture and  wary culture (Hudson et al. 2002). The attributes of these organizationa cultures are summarized in Table 4.1. • Informed Culture: The managers and front-line employees have full knowledge of technical, human, organizational and environmental factors, which may influence the safety of the system. This culture is supported by reporting of useful information.  • Reporting Culture: A culture in which people report errors, near misses that may be due to their mistakes or errors. The environment felt to be fair and accepting. • Just Culture: A culture of “no blame” with the environment of trust, encourage reward for sharing and informing safety-related information. But there is also a clear understanding of acceptable and unacceptable behavior. • Flexible Culture: A culture has a characteristic to adapt and shift from conventional hierarchical mode to flatter professional structure as per sensitivity of requirements of critical and rapid response operations.    109  • Learning Culture: The organizational environment that has the capability to draw the right conclusions from safety information system and willingness to implement major reforms when and where needed. • Wary Culture: A culture that fully recognizes a problem may occur at any time and actions taken previously on past issue provides no assurance for the future accidents.  Table 4.1: Types of organizational cultures and their characteristics Attributes Characteristics Informed culture   The managers and front-line employees have full knowledge of technical, human, organizational and environmental factors  Reporting of useful information Reporting culture  People report errors, near misses that may be due to their mistakes or errors   The environment felt to be fair and accepting Just culture   A culture of “no blame”   The environment of trust, encourage reward for sharing safety information   A clear understanding of acceptable and unacceptable behavior Flexible culture   Adopt and shift from conventional hierarchical mode to flatter professional structure as per sensitivity of requirements of critical and rapid response operations   Learning culture  Capability to draw the right conclusions from safety information system   Willingness to implement major reforms when and where needed Wary culture   A culture that fully recognizes a problem may occur at any time  Preparation based on constant fear of an accident These types as a collectively are also the characteristics of  positive organizational culture (Hudson et al. 2002). However, these characteristics do not provide any guidelines to achieve such culture, but these attributes laid the foundation for Safety Culture models. The models provide the roadmap to achieve Safety Culture, which may not encapsulate all important safety management and organizational factors, but it plays a significant role in overall safety management (Sorensen 2002).    110  4.2.2 Maturity Models Safety Culture (SC) status is measured through maturity models and qualitative attributes. Several models have been presented since the concept of Safety Culture introduced in the 1986 report on the Chernobyl nuclear safety incident (Ahmadi et al. 2015b; Maddin & Shanks 2016). The following three maturity models are the most commonly discussed in the available literature: 1. The UK Health and Safety Executive (HSE) (Fleming 2000; Lees 2012) 2. Shell’s Heat and Mind Safety Culture model (Hudson et al. 2002) 3. DuPont Bradley Curve (Lees 2012) These models describe safety culture in maturity levels with different nomenclature, but they have similarities in attributes. These models also share difference that is philosophical in nature. HSE model is being criticized because of its mechanical nature of implementation (Holstvoogd et al. 2006; Hudson et al. 2002; Lees 2012).  Shell’s Heart and Mind Model address the psychological approach of management and employees towards safety. It deals with perceptions that how the people think and prioritize issues related to safety and allocate the resources. DuPont’s model is focused on the actions to mitigate the risks. The commonalities in all the models between maturity levels are described in Table 4.2.   The organization at Level-1 are those that take safety as a frontline worker responsibility. Fear of punishment compel the worker to hide the incident reporting, and safety measures are only reactive instead of preventive measures. Level-2 organization somehow considers safety as a part of the job but still possesses a blaming and punishing attitude. At maturity Level-3, everyone is  involved in safety management and the employees start to take the responsibility. Safety record and safety training become the part of the main job at level 3. At the Maturity Level-4, the importance of  111  safety is appreciated at all the levels from workers to the management; safety performances are assessed, and everyone has training and knowledge about safety. Maturity at Level-5 is the highest level of safety culture; here safety becomes a value instead of a priority. Actions are planned based on the philosophy of accident fear, personal health, and safety, which are a key element of Safety Management System (SMS) (Fleming 2000; Hudson et al. 2002; Lees 2012). Table 4.2: Safety models and common attributes Level/Model HSE Model Shell’s Model DuPont’s Model Common Attributes Level 1 Emerging Pathological Reactive Safety is only responsibility of the frontline worker Blaming attitude on frontline workers Fear of reporting Fear-based compliance Reactive behavior not a proactive Level 2 Managing Reactive Safety is considered as part of the job The accident rate is the only measure Blaming and punishing attitude Level 3 Involving Calculative Dependent Everyone involves the safety management Management accept the responsibility Personal health and safety is also important Safety data are collected Some extent of safety training Level 4 Co-operating Proactive Independent Appreciate the importance of safety Everyone has safety knowledge, training, and involvement.  Management and worker take the responsibility. Safety performance is monitored and analyzed Level 5 Continually improving Generative Interdependent Safety is organizational value Prepared for accident and constant fear The culture of mutual help to safety initiatives Highly personnel health and safety care Pride in safety practices and culture Continuous improvement 4.2.3 Evaluating Safety Culture The discussed maturity models give the perspective of maturity level, but these models do not give the methodology for evaluation. The Safety Culture evaluation process is perceiving importance  112  in safety management research. The challenge is to find the way to quantify management attention to safety and other proposed attributes of Safety Culture (Sorensen 2002).  Lees (2012) considered the occupational injury and accident rates as a measuring indicator, but relying only on the injury rate may mislead to the real interpretation of the Safety Culture (Refinery 2007). Researchers proposed the organizational attributes that reflect the safety culture. These attributes are grouped into the four categories: Management role, Employees development, Communication/records and Organizational environment (Table 4.3).  Safety culture maturity can be achieved by improving these attributes. “Stepchange” company (Minds 2008) presented a guide “A Practical Guide for Behavioural Change in the Oil & Gas Industry” which prescribed interventions at each maturity level of HSE model to move next higher level Figure 4.1. These interventions are grouped into two categories: safety leadership and behavioral interventions. Training, management initiative, employee management, and leading indicators are proposed as behavioral interventions. Whereas Safety Leadership  can be improved by enhancing knowledge, skills, communication and feedback and team-based development (Minds 2008).  The first step in safety culture assessment is to define Objective criteria. For example, management wants to improve the safety knowledge of workers. So that , the selection of attributes will depend on the objective criteria (Maddin & Shanks 2016). Once objective criteria are established then data collection, analysis and results representation through the scoring system will assist in determining areas of weakness. However, the low score may not necessarily be the only factor that determines the actions of improvements.   113  Table 4.3: Organizational attributes that reflect the safety culture Organizational Elements References Management role Management commitment (Commission & others 2011; Donald & Canter 1994; Fleming 2000)  Environmental control management Donald & Canter (1994) Safety resources Fleming (2000) Employees development Safety training (Donald & Canter 1994; Fleming 2000) Stable workforce Donald & Canter (1994) Participation Fleming (2000) Industrial relation and job satisfaction Fleming (2000) Communication/Records Effective communication (Commission & others 2011; Donald & Canter 1994; Fleming 2000)  Shared perception of safety Fleming (2000) Organizational environment Positive safety promotion Donald & Canter (1994) Productivity vs. safety Fleming (2000) Learning environment Trust and respect  (Commission & others 2011; Fleming 2000) Problem identification and resolution Commission & others (2011) Personal accountability Work processes Continuous learning Environment for raising concerns and questionin attitude Questionnaires, survey, interviews, audits, Workshops and Normal business dialogues are safety culture assessment tools (Mearns et al. 2001; Minds 2008; Sorensen 2002). These tools give the qualitative insight view of the Safety Culture over time. Maddin & Shanks (2016) suggested the categories of the questions that are also applicable to the pipeline industry such as “Experience of risk-Hazards”, “Assessment of Safety”, and “Safety Attitude.”    114   Figure 4.1: Safety culture improvement interventions: Source (Minds 2008)  The best ways to assess the “organizational attributes” are observations and audits (Figure 4.2) whereas, “organizational perspective” and “individual perspective” are best judged with questionnaire and interviews (Guldenmund 2007). The perception surveys are sometimes a difficult task for the regulatory authorities so that, document review, accident records, compliance with quality assurance plans and integrity management plans may be more helpful in the assessment process.    115  Organizational safety culture / climate (part of overall culture)Viewed as:An objective organizational attribute “is” or “has”Viewed as:Perception of the organization how it is “seen” Viewed as:Individual perceptions impact on individualsManifest in:Safety policy, system and processes, structures, reportsManifest in:Employee, contractor, and external perception Manifest in:Employee commitment, attitude, responsibility, behaviour, etcMethods:Observation, audit, etcMethods:Interviews, questionnaires, etc.Methods:Questionnaires, observations, etc. Figure 4.2: HSE multiple perspective assessment model. Source: HSE 4.3 Safety Culture Model of NARWGSC Despite the literature, the O&G organizations also identify the safety culture attributes. For example, The Canadian Energy Pipeline Association (CEPA), representing Canada’s transmission pipeline companies, identified five primary attributes of a strong safety culture, including leadership, training, site supervision, safe work sites, and measurements to support continuous improvement (CEPA 2012).   116  North American Regulators Working Group on Safety Culture (NARWGSC), has made a joint effort in improving the safety and environmental outcomes by levering safety culture. This group consists of representatives of several concerned organizations from all over North America, including the National Energy Board (NEB), Canada Newfoundland and Labrador Offshore Petroleum Board (C-NLOPB), Canada Nova Scotia Offshore Petroleum Board (CNSOPB), United States’ Bureau of Safety and Environmental Enforcement (BSEE), and the United States’ Pipeline and Hazardous Materials Safety Administration (PHMSA) (NEB 2016). The main motive of the collaboration was to develop a system of references and resources for the industry, which will provide clarity and consistency in terminology, dimensions, attributes, and assessment. Later, the group further expanded with the inclusion of the Alberta Energy Regulator (AER) and the British Columbia Oil and Gas Commission (BCOGC). The group has also initiated a project to identify a suite of indicators for awareness and understanding of potential cultural threats and defenses in the O&G pipeline industry (NARWGSC 2016).  North American Regulators Working Group on Safety Culture (NARWGSC 2016) presented four broad level elements of safety culture necessary for oil and gas pipeline industry, including safety leadership commitment, vigilance, empowerment and accountability, and resiliency. Their characteristics are given in Table 4.4. 4.3.1 Committed Safety Leadership The leadership commitment to take safety as an organizational value by expressing and providing adequate resources, system, and rewards to serve this end. The senior leadership recognizes the conflicts between the commercial goals and safety resolve them with effective and transparent manners. The main attributes of the committed safety leadership are; the leadership must have  117  direct participation in the safety systems, the leadership must inquire the knowledge and understanding of the threat, leadership must take appropriate actions to address hazards and deficiencies in the system, and also value the safety efforts and expertise in the organization (NARWGSC 2016). The IMP component; Goals and Objectives, Organizational roles and responsibilities, Training and Competency and Management review address these attributes.  4.3.2 Vigilance Vigilance refers to the organizational capability to predict and identify the possible failures and willingness and the ability to draw the right conclusion from all available information. Lesson learned is a major part of the vigilance. It includes the continual collection and analysis of relevant data to identify the hazards and manage related risks. The possibility of hazards is linked to the human, technical, organizational and environmental factors. The communication and dissemination of safety information to all levels of the organization is a necessary part of vigilance. It improves overall awareness and understanding of risk to safety, and people are encouraged to and willing to report the unsafe conditions, errors, near- misses and incidents without fear of blame and punishment. The features of vigilance are; the in-process knowledge with proactive vigilance, understanding safety information through analysis and interpretation, proactive reporting mechanism of errors, near misses and incidents, Information sharing and interpretation, collective understanding of the current status of the safety, future challenges anticipation and learning based preventive actions. The vigilance is not limited to the company, but it also extends to all incidents, near misses and other safety investigations of the contractors (NARWGSC 2016). The IMP components: Incident reporting and investigation, Information management and communication, Risk assessment, Inspection and Monitoring, Evaluation of inspection and monitoring results,  118  Internal Audit, Program assessment (non-conformance), Management review, Records Control, address the attributes of the vigilance. 4.3.3 Empowerment and Accountability The third main attribute of the safety culture model is the empowering frontline workers to take better decisions. It is potent to meet safety challenges. This empowerment also backed by accountability. The employee must have ownership and accountability that they can stop activity, when they observe hazard, to mitigate, eliminate or report, even their decision may have an impact on production and cost. In an effective safety culture, this ownership for safety prevails all level and functions of the organizations. The clearly established, documented and communicated accountability and responsibilities roles at all level of an organization are a prime element of the empowerment and accountability. The necessary elements to execute the empowerment and accountability attribute, it is necessary that; employees at all levels must participate in safety management activities, organization-wide safety ownership, and communication, willingness to take right decisions in regards to safety and make the safety information accessible to all by breaking down of silos (NARWGSC 2016). The IMP Components, Organizational roles and responsibilities, Training and Competency, Information management and communication, Incident reporting and investigation and Operation Control, address the IMP integration with “Empowerment and accountability”. 4.3.4 Resiliency   The fourth element of Safety culture model is Resiliency. Resiliency is the ability to take effective response to manage potential and emerging risk. The effective resiliency is backed by the  119  organizational policies, resources, and mechanisms, to manage complex activities, and to meet the variable demands of high hazard industry. The organization also allow the frontline employees and to make decisions and manage the mitigation activities regardless of their level in the company. The origination provides sufficient resources for training to enhance the skills and knowledge which gives confidence, to front-line workers to make decisions, and to management to rely on those decisions. This decision making capability is also aided by the lesson learned by errors (NARWGSC 2016).     Table 4.4: Safety Culture attributes and their characteristics (NARWGSC 2016) Safety Culture Attributes Characteristics Leadership Role Direct participation in the safety system Inquire the knowledge Understanding the threat Take actions to address hazards and deficiencies Value the safety efforts and expertise Vigilance Predict and identify the possible failures Willingness and the ability to draw the right conclusion Continual data collection and analysis Lesson learned Communication and dissemination of safety awareness Fear free information sharing of errors, near misses and incidents Empowering and Accountability Document and communicate accountability and responsibilities roles at all levels Employees at all levels must participate in safety management activities Organization-wide safety ownership, and communication  Willingness to take right decisions safety information accessible to all Resiliency effective policy high-quality procedures and guidance the ability to anticipate the changing treated in operational processes knowledge and skill related to hazard management organizational capacity diversity redundancy to manage risk and unanticipated incidents  120  The main attributes of resiliency are; effective policy, high-quality procedures and guidance, the ability to anticipate the changing threated in operational processes, ensuring the knowledge and skill related to hazard management, and organizational capacity, diversity, and redundancy to manage risk and unanticipated incidents in effective manners. The Canadian Energy Pipeline Association (CEPA), represents Canada’s transmission pipeline companies, focus five attributes of strong safety culture which are leadership, training, site supervision, safe work sites and measurements to support continuous improvement (CEPA 2012).  4.4 Safety Culture and IMP Integrated Model (Methodology) The approach used in the model (Figure 4.3) is a three-dimensional assessment process. Conventional assessment only checks the compliance of regulatory and standards requirements. The process is not capable of providing insight into program effectiveness. The IMP implementation and safety culture are assessed by looking into three distinct aspects, the compliance, severity of non-compliance, and effectiveness of the program. These distinct aspects will determine the risk level in this assessment approach. This model will facilitate in achieving the following four objectives; i) integration of IMP with safety culture ii), simplified and meaningful assessment of the IMP and safety culture from regulator’s perspective iii) risk assessment of IMP performance and organizational culture, and iv) development of a decision support tool for regulatory audits.  The proposed model has four steps. The first step initiates with the identification of IMP and safety culture requirements and culminates in the development of performance indicators (PIs). The 2nd step involves audit, which gathers the data of compliance to the identified PIs . Step 3 use the data  121  to perform a risk assessment.  In the 4th step, the risk assessment results are used to determine the IMP effectiveness and identify safety culture maturity levels.  Review of pipeline integrity practices(Industrial Standards)Review of Pipeline Integrity Programs (CSA Z662 Annex A,N)Regulatory ProtocolPipeline Safety Culture attributes (NARWGSC)Review of Safety Culture modelsIdentification of IMP requirements and performance indicators (PIs)Step 1: Review of IMP requirementsReview of Safety Culture attributesIMP performance ProfileSC maturity LevelStep 4: Assessment  analysisIdentification of weak areas Step 3: Assessment ModelIMP and Safety Culture PI compliance questionsGrouped as IMP ComponentsLinking IMP Components with Safety Culture attributesRisk Assessment (FMEA)Occurrence (O), Severity (S), Effectiveness (E)Collaboration with O&G Regulator and regulatory auditsStep 2: AuditsComplianceExpert’s judgementAudit InterviewDocument review Figure 4.3: Model flow linking safety culture assessment with integrity management program 4.4.1 IMP Requirements and Performance Indicator (PI)  The model first identifies IMP and safety culture requirements. While developing IMP, the regulators’ guidelines to operators prescribe the use of Industrial Standards, such as CSA Z662 “Annex N” and “Annex A,” ASMI B31.8, API 1160, as well as regulatory legislation. The NARWGSC work on safety culture is also taken as the guideline to identify safety culture  122  attributes and the performance indicators (PIs) for safety culture. The PIs are established to assess the IMP performance from three dimensions, i.e., compliance, severity, and effectiveness. The details of these three dimensions are described in the following section. To assess the compliance, the PIs are translated into assessment questions. Their responses provide quantitative scores, which are used in risk assessment process.  The assessment questions have been grouped, which are referred to as IMP’s components. IMP components are established to present IMP performance profile in consolidated form. Eighteen components are identified, which are further grouped into five higher-level components (Table 4.5). The higher-level components provide a broad overview of IMP performance.  Table 4.5: Components of integrity management program (IMP) Planning Program Implementation Checking and Evaluation of Assets Program Assessment and Improvement Management Reviews General IMP Organizational role and responsibilities Inspection and monitoring Incident reporting and investigation Management reviews Goals and objectives  Information management and communication Evaluation of inspection and monitoring results Program assessment (Non-compliance)  Policy and commitment Training and competency Modification and repair Internal audits  Risk assessment Management of change     Record control     Document control     Operation control    The assessment questions are closed-ended. For example, some of the PIs, which are grouped under the IMP component for ‘Risk assessment,’ their corresponding assessment questions are: • Has the pipeline inventory and flow connectivity data been reviewed, corrected, and validated?  123  • Has the pipeline inventory been reviewed to determine the licensing discrepancies and that appropriate actions be taken to correct them? • Is the pipeline inventory available for the location of the pipeline system with respect to crossings, land use, and structures? Response to these questions are used in risk assessment model, which has been briefly described in the following section; however, for more details regarding the IMP component classification and assessment model, refer to Chapter 3.  Table 4.6: IMP components linking with safety culture attributes Priority Rank Leadership Role and Commitment Vigilance Empowerment and Accountability Resiliency 1 Policy and Commitment Incident reporting and investigation Organizational roles and responsibilities Risk assessment 2 Goals and Objectives Information management and communication Training and Competency Management of Change 3 Organizational roles and responsibilities Risk assessment Information management and communication Training and Competency 4 Training and Competency Inspection and Monitoring Incident reporting and investigation Management review 5 Management review Evaluation of inspection and monitoring results Operation Control Document Control 6   Internal Audit   Program assessment (non-conformance) 7   Program assessment (non-conformance)   Modification and Repair 8  Management review     9   Records Control    The PIs for safety culture are derived from the safety culture attributes and their characteristics (Table 4.4). The IMP components linkage with safety culture attributes is based on the definitions and interpretations provided by the NARWGSC and regulatory experts. For example, “Vigilance” is the ability of the origination to predict the possible failures, drawing right conclusions from  124  continual data analysis, lesson learned, strong fear free communication of incidents and near misses, communication, and dissemination of safety awareness.” These attributes can be mapped on the characteristics of IMP components such as ‘incident reporting and investigation’, ‘information management and communication’, ‘risk assessment’, ‘inspection and monitoring’, ‘evaluation of inspection and monitoring results’, ‘internal audit’, ‘program assessment (non-conformance)’, ‘management review and records control’. However, the importance ranking of IMP components under the safety culture attribute may vary from the regulator-to-regulator depending upon policies and priorities.   Some IMP components may have multiple links with different attributes of safety culture; for example, ‘training and competency’ is the part of ‘safety and leadership’, ‘empowerment and accountability’, and ‘resiliency’. The IMP components, ‘goals and objectives,’ ‘organizational roles and responsibilities,’ ‘training and competency,’ and ‘management review’ can be linked to ‘leadership role and commitment.’ Table 4.6 shows the linkages of all eighteen IMP elements with the four safety culture attributes. Table 4.7: Assessment questions integrated with safety culture attributes and IMP components Safety Culture Attribute IMP Component Assessmnt Question Leadership Role and commitment Policy and commitment Is the permit holder's policy statement for integrity management documented, signed, and approved by senior leadership? Vigilance Risk assessment Are non-corrosion hazards considered within the risk assessment? Vigilance Information management and communication Has the permit holder's policy statement for integrity management been communicated to all employees? Resiliency Training and competency Is integrity awareness training provided to all relevant employees and leaders? The assessment questions for safety culture are addressed under each IMP component according to the linking. Few examples are provided in Table 4.7. The ‘leadership role and commitment’ is  125  one of the four attributes of safety culture. The IMP component ‘policy and commitment’ denote a characteristic of committed leadership. Therefore both can be linked. The answer to these question assesses whether there are a strong commitment and involvement of leadership which is reflected through well defined, documented, and signed policy statement.  4.5 Regulatory Audits and Data Collection The second step is a regulatory audit and data collection. The audit process is comprised of following three steps.  4.5.1 Compliance Survey Questionnaire A compliance questionnaire comprises of 200 questions. It was given to the operating company to provide initial compliance status (Iqbal, Waheed, et al. 2016). To develop the questionnaire survey, the following criteria were established:  • Is the question clear and unambiguous?  • Does the question contain the required information about the related clause as given in a standard?  • Does the question not lead the respondent to more than one interpretation?  These questions were categorized into eighteen (18) IMP components (Table 4.6). Each question may have one of the three possible responses: Compliant (Yes), Not Compliant (No), and Not Applicable (NA). The response of (NA) states that the question is not relevant to a particular operator’s system. The response “Yes” is assigned a numeric score (Occurrence) value “1” and represents that requirement is fulfilled and has a minimum possibility of failure occurrence. The response “No” has a numeric score (Occurrence) value of “10” and represents that requirement is  126  not fulfilled and will pose the maximum possibility of failure. The responses with NA are not accounted for the calculations. 4.5.2 Documents and Record Review IMP document review is a detail review process of policies, processes, and procedures. The document review is also supplemented with the record review. The records reflect the actual impact of implementation of policies, procedures and corrective emergency plans. The review also helps in verifying the compliance response submitted by an operator through a questionnaire. This review may overcome false information (if any) generated by the questionnaire. The documents review also facilitate auditors to rank the ‘severity’ and ‘effectiveness’ factors. The auditors can perform both the quantitative ranking and qualitative findings.   4.5.3 Interview with the Representative Team The third step involves discussion and interview with a representative of a company. In the interview session, the auditors discussed the response to questionnaire and findings of document review with operating company’s representative. The interview did not follow the formal structure; instead, it varied from company to company based on the findings from the review of document and records. The company’s team members were generally comprised of a management representative, a safety team representative, and a field supervisor. The interview session also helped in acquiring a deeper look at an employee’s perception of safety. The interview session also ensured consistency and repeatability in responses. The qualitative information, gathered from participants, during the session will assist auditors in the development of meaningful recommendations.   127  4.6 Risk Assessment 4.6.1 Risk Calculations Risk assessment is performed by the novel use of Failure Mode Effect Analysis (FMEA) in the auditing process. FMEA transforms the qualitative data into quantitative analysis. FMEA technique measures the potential causes of failures, rank them and prioritize mitigation plans based on occurrence, severity, and detectability of a failure event (Ben-Daya et al. 2009; Palady 1995). The occurrence is the possibility of failure, severity is the intensity of consequences, and detectability denotes difficulty in the detection of fault before a failure. The product of the factors is presented in the form of risk priority number (RPN) (Ben-Daya et al. 2009; Palady 1995). Occurrence, severity, and detectability are generic terms in FMEA model. However, in this assessment process, FMEA is applied for IMP and safety culture assessment. Consequently, the terms ‘compliance’ and ‘effectiveness’ are used instead of ‘occurrence’ and ‘detectability.’ These three risk factors are defined as follows: Compliance (C) is the probability of failure due to non-compliance with IMP and safety culture requirements. It can be assessed with the help of PIs through a questionnaire survey. Severity (S) is an impact of the failure of an IMP component on IMP effectiveness and safety culture. It is measured by document and record review.  Effectiveness (E) is determined based on levels of corrective actions, emergency response plan, and employees’ perception of safety. The document review, record review, incident data, and interview are used to estimate the effectiveness.   Compliance score was calculated with the help of a compliance questionnaire survey. The score of a question may be either 1 or 10 depending on the response. Each question also has one-to-one  128  (i.e., primary) relationship or one-to-two (i.e., primary and secondary) relationships with particular IMP component(s). Therefore, the score of each question will be used in calculating the RPN for both the primary and secondary components. The corresponding RPN is calculated at each IMP component level as:   𝑅𝑃𝑁 = 𝑂 × 𝑆 × 𝐸                 [1, 1000]            (4.1) Each component has two scores. One obtained through primary relationship, and other is through secondary relationship. Subsequently, averages are taken for the scores of all the responses associated with the primary and secondary relationship. Then MAX value of both averages is taken as occurrence score (Equation-1 Table 4.8).  The auditors can assign the “severity” score as ‘High (H),’ ‘Medium (M),’ and ‘Low (L)’ based on the review of the IMP document, record, and incident reports. The numerical scores associated with linguistic levels are shown in Equation (2) (Table 4.8). The effectiveness (E) score also assigned by the auditor depends upon the document review, corrective action plans, and incident rate. The quantitative scores are assigned to the qualitative rank ranging from 1 to 10 (Equation-3 Table 4.8).   Table 4.8 : FMEA components calculations and scoring criteria IMP component Calculation Scoring Criteria Occurance (O)  𝑶 = 𝑴𝑨𝑿 (∑ 𝑪𝒊,𝒑𝑵𝒊=𝟏∑ 𝑵 ,   ∑ 𝑪𝒊,𝒔𝑵𝒊=𝟏∑ 𝑵)   𝑪∈ {𝟏, 𝟏𝟎} (1)  Yes = 1 No = 10 Not Applicable (NA) Severity (S)  S = {SH, SM, SL} = {1, 5, 10}       (2)  High = 1 Medium = 5 Low = 10 Effectiveness (E)  E = {EH, EM, EL} = {1, 5, 10}       (3)  High = 1 Medium = 5 Low = 10  129  4.6.2 Ranking of IMP Components within the Safety Culture Attributes The regulatory expert ranked the IMP components based on their impact and recurrence on safety culture’s attributes as shown in the first column of Table 4.6. For example, IMP component “risk assessment” is part of two safety culture attributes, i.e., ’vigilance’ and ’resiliency.’ Resiliency assesses the ability and versatility to take an effective response to manage a potential and / or emerging risk. Consequently, ’risk assessment’ is ranked a top priority for ‘resiliency,’ while ranked 3rd place under the “vigilance.” “Vigilance” is an organizational capability to predict and identify possible failures and ability to draw the right conclusion from available information. Therefore, IMP component ‘incident reporting and investigation’ ranked first under ‘vigilance.’  Sensitivity analyses were performed to evaluate the impact of IMP components to safety culture attributes, in terms of percentage contribution.  Subsequently, percentage contribution values are used to calculate RPN of each IMP component for safety culture attributes using the following equation 4.2:    𝑅𝑃𝑁𝑆𝐶𝐸 = ∑(𝑅𝑃𝑁𝐼𝑀𝑃 × 𝑃𝐶)                  [1,1000]                 (4.2) For example, the “RPNIMP” of ‘safety leadership and commitment’ is calculated as (Equation 3): 𝑅𝑃𝑁𝑠𝑙𝑐 = (𝑅𝑃𝑁𝑃&𝐶 × 𝑃𝐶𝑃&𝐶) + (𝑅𝑃𝑁𝐺&𝑂 × 𝑃𝐶𝐺&𝑂) + (𝑅𝑃𝑁𝑇&𝐶 × 𝑃𝐶𝑇&𝐶) + (𝑅𝑃𝑁𝑀𝑅 × 𝑃𝐶𝑀𝑅) + (𝑅𝑃𝑁𝑂&𝑅 ×𝑃𝐶𝑂&𝑅)      (4.3) where ‘slc’ is safety leadership and commitment, P&C is the ‘Policy and commitment,’ G&O is the ‘goals and objectives,’ T&C is ‘training and competency,’ MR is ‘management review,’ and O&R characterizes for ‘organizational role and responsibility.’  130  4.6.3 Calculating Severity Score Severity in the framework has different meanings for IMP assessment and safety culture assessment. In IMP assessment process, the “severity” is defined as an impact of failure on effectiveness while meeting the requirements related to a specific IMP component. Whereas, in safety culture assessment, severity is measured through an importance rank and relates percent contribution of an IMP component towards each safety culture attribute.  To compute the percentage contribution, a sensitivity analysis was performed by using  Monte Carlo iterations in “Oracle Crystal Ball” tool. The RPN values calculated for IMP components were assumed independent and uniformly distributed. Based on the sensitivity analysis (Figure 4.4), the IMP components were grouped under high, medium, and low levels of significance. These results indicate that four IMP components classified under “high significance” group have an impact on four safety culture attributes (also see Table 4.6), including ‘leadership role and commitment,’ ‘vigilance,’ ‘empowerment and accountability,’ and ‘resiliency.’ The group classified as ‘medium significance’ consist of four IMP components with the cumulative contribution of 33.72%. The remaining nine IMP components showed only 11.78% contribution and thus have been grouped under ‘low significance’ (Figure 4.4). Assessment of the safety culture is integrated with IMP assessment so that the auditors assign severity scores for IMP assessment only. IMP components may have different ranks under different SC attributes addressed.  131  Therefore, the severity score of IMP component is multiplied by corresponding adjustment factors (Equation-4.4) and new RPN calculation for Safety culture is given as Equation-5.                         𝐴𝑑𝑗𝑢𝑠𝑡𝑚𝑒𝑛𝑡 𝐹𝑎𝑐𝑡𝑜𝑟  = 1-(Ri-1)Rn                                    (4.4) where “Ri” is the assigned ranking, and the “Rn” is the total no of the associated IMP components within each  safety culture attribute. 𝑅𝑃𝑁𝑆𝐶= O × E × (Adjustment Factor × S)     (4.5) 4.6.4 Interpreting of Risk Assessment Results Risk assessment results are presented using web diagrams. The web diagrams provide an overview of IMP components, and safety culture attributes in relation to their risk levels.  Four risk levels are highlighted with the help of different color zones. IMP components with RPN values range from 0 to100, are considered under acceptable risk zone (i.e., green) and demonstrate strong safety 0 5 10 15 20Training and CompetencyOrganizational roles and responsibilitiesPolicy and CommitmentRisk assessmentIncident reporting and investigationGoals and ObjectivesInformation management and communicationManagement of ChangeManagement reviewInspection and MonitoringProgram assessment (non-conformance)Evaluation of inspection and monitoring resultsDocument ControlOperation ControlModification and RepairInternal AuditRecords controlHighSignificanceMediumSignificanceLow Significance% ContributionFigure 4.4: Percentage contribution of IMP components on safety culture assessment results  132  culture. RPN values varying from 1 to 300 correspond to low risk (i.e., light green) with moderate safety culture; the components in this zone are considered as reasonably compliant and effective. Components with RPN values ranged between 300 and 600, correspond to medium risk zone (i.e., yellow) with weak safety culture; necessary actions are required to improve these components. Finally, the IMP components in higher risk zone (i.e., red) with weakest safety culture  belong to RPN values ranging from 600 to 1000. Regulators can define these zones as they may change when new policies are introduced. 4.7 Model Implementation: A Case Study The proposed model (Figure 4.2) was implemented to a regulatory audit for functioning seventeen ‘upstream pipeline operators’ in the province of British Columbia (Canada). Each company responded to the compliance questionnaire. Regulator reviewed the documents and assigned the severity ranks for all the IMP components. The same severity ranks were used to compute the severity score of each IMP component for safety culture assessment. The audit interviews were conducted, and assessment findings were discussed to assign the effectiveness ranks. Subsequently, risk assessment for seventeen companies was conducted. RPN of each IMP component under a safety culture attribute was calculated (equation-5). Among these seventeen companies, audit results of four companies (Company A, Company B, Company C, and Company D) are used to demonstrate the application of the framework. The consolidated results for IMP assessment and safety culture levels are presented in Figure 4.3 and Figure 4.4, respectively.  Among four participating companies (Figure 4.5), Company A and Company B are low performers in terms of IMP implementation and effectiveness. For Company A, the IMP component, ‘risk assessment’ falls under high-risk zone (RPN > 600). It means that the ‘risk assessment’ of IMP is  133  not complying with the regulatory requirements and is not effective. Thus, immediate and major improvements are required to improve the effectiveness of IMP. Moreover, ‘internal audit,’ and ‘program assessment (non-conformance)’ being in the yellow zone, shows partial compliance and  non-effectiveness.  The weak performance of these IMP components is consequently impacting safety culture (Figure 4.5). The IMP component “risk assessment” is ranked as the 1st under ‘resiliency’ and ranked as 3rd under the ‘vigilance’ (Table 4.6). Other two IMP components ‘program assessment (non-conformance)’ and ‘internal audit’ fall under low significance (Figure 4.4). These two IMP components contribute to both ‘vigilance’ and ‘resiliency’ attributes of safety culture. In addition, ‘training and competency’ is a highly significant IMP component and is a part of SC attribute ‘resiliency.’ Consequently, among the four safety culture attributes (Figure 4.6), Company A shows weak performance in ‘resiliency’ and ‘vigilance’. The collective impact of all these attributes reveals that overall Company A has a weak safety culture. The results of Company B show that the IMP component “internal audit” is non-compliant and non-effective (red zone) and the ‘evaluation of inspection and monitoring results’ is partially compliant and non-effective. However, both IMP components with higher RPN values have less contribution towards safety culture (Figure 4.6). Most of the other IMP components are partially compliant and partially effective. Therefore, the overall safety culture of the company B is not strong and needs further improvements (Figure 4.6).  Companies C and D demonstrated different patterns of compliance and effectiveness in IMP performance assessment (Figure 4.5) but revealed a similar level of effectiveness in safety culture assessment (Figure 4.6). The results for Company C in terms of IMP’s compliance and  134  effectiveness are better than Company D. All of the IMP components of Company C are either partially compliant and partially effective or fully compliant and fully effective. While in case of Company D, only one of the IMP component “program assessment (non- conformance)” is partial compliant and non-effective and most of the IMP components are fully compliant and fully effective. However, the overall effect of IMP performance is kept to safety culture level of Company D between moderate to strong.  Figure 4.5: IMP assessment results and risk zones  Document ControlEvaluation of inspection andmonitoring resultsGeneral IMPGoals and ObjectivesIncident reporting and investigationInformation management andcommunicationInspection and MonitoringInternal AuditManagement of ChangeManagement reviewModification and RepairOperation ControlOrganizational roles andresponsibilitiesPolicy and CommitmentProgram assessment (non-conformance)Records ControlRisk assessmentTraining and Competency02004006008001000Non-Compliance Non effective Partial Compliance and Non-EffectivePartial Compliance and Partial effective Full Compliance and fully effectiveCompany A Company BCompany C Company D 135  The results of this case study show the robustness and rationale of the proposed framework to appraise the performance of operators. IMP and safety culture share mutual objectives. Therefore it is rational to assess both using common criteria.  It will also reduce the auditing process time. Moreover, the corrective actions can be prioritized to improve the effectiveness of the IMP components based on their level of contribution in both IMP and safety culture. The compliance assessment alone is not enough to set the priority for action plans. The severity and effectiveness are also important to prioritize improvement actions. The implementation of FMEA provides an insight of safety culture in an organization, which may have a similar level of ‘compliance’ but varying levels of ‘implementation’ and ‘effectiveness’ for different IMP components. Finally, the framework presents the status of safety culture on a risk Safety LeadershipCommitmentVigilanceEmpowermentandAccountabilityResiliencyWeakestWeakModerateStrongCompany ACompany BCompany CCompany DFigure 4.6: Safety culture levels  136  scale through RPN, which quantify the importance of the safety culture and its impact on the organizational safety. The results may also help the regulators to improve the guidelines and protocols keeping in view both IMP effectiveness and safety culture maturity level prevailing among the pipeline operating companies.  4.8 Summary The proposed model is a novel approach to deal with challenges associated with the meaningful assessment of IMP and safety culture in O&G pipeline industries. The model is a paradigm shift from conventional compliance assessment to risk assessment approach. The IMP requirements are not solely measured based on their compliance or non-compliance. Instead, severity levels and implementation of corrective action plans are also addressed. The performance of these factors is translated into the risk priority number (RPN) using Failure Mode Effect Analysis (FMEA). The safety culture assessment was performed by establishing logical relationships between IMP components and their contributions towards safety culture maturity levels.  The framework is implemented for a regulatory audit of seventeen O&G pipeline companies operating in British Columbia (Canada). It is extended that managers can plan corrective actions based on the severity levels, which may effectively improve the performance of deficient IMP components and safety culture attributes. The severity depends on several influencing factors, such as asset type, condition, demographic location, type of product, etc. The results of sensitivity analysis showed that IMP components classified under ‘high significance’ group impact all the safety culture attribute, i.e., ‘leadership role and commitment,’ ‘vigilance,’ ‘empowerment and accountability,’ and ‘resiliency’,.  137  Implementation of the proposed model can reduce the auditing process time by pursuing a common criterion of assessment for IMP and safety culture. The pipeline operating companies and regulators can prioritize the improvement plans based on the effectiveness of their IMP and safety culture levels. The regulator’s guidelines may also focus on the weak areas of IMP by aiming at effectiveness rather than compliance.   This model is primarily focused on regulatory assessment requirement. However, this  can also be implemented for the internal audit of a company. The approach can be extended to other operations of O&G, such as downstream pipelines and associated facilities. The safety culture assessment results need further validation by comparing it with actual organizational culture assessment.  It is also recommended to include further sub level components to evaluate different job functions, particularly in large companies operating in diverse geographical regions around the world.    The auditing process for safety culture can be further improved through field visits, conducting interviews with operational personnel and incorporating the fully updated data from incident and near misses.   138  Chapter 5 : Performance Benchmarking  The chapter is the detail presentation of Phase 4. Part of this chapter has been submitted to the “International Journal of System Assurance Engineering and Management” entitled “Benchmarking Integrity Management Program and Safety Culture for pipelines: A Risk-based Approach” (Iqbal, Tesfamariam, et al. 2016). This chapter presents a novel approach to determine IMP effectiveness and safety culture maturity through a benchmarking process.  Disclaimer:  The case study is performed using data provided by the BCOGC, which was modified for confidentiality purposes. However, the results represented here are not the responsibility of BCOGC. 5.1 Background Competitor research possesses a negative connotation of corporate spying and attempts to mirror competitors’ work. Conversely, benchmarking is a planned research process which is a potential source of ideas, information, methods, and practices that may be appropriate to adapt, adopt, and implement (Stapenhurst 2009). In the benchmarking process, a comparison amongst similar entities that need improvement is made, e.g., cost, quality, performance, etc. It is a concept of striving for CPI by learning from competitors’ best practices (First Quartile Consulting 2010; iSixSigma 2017; Pickering & Chambers 1991).  Quality audits are also often confused with benchmarking. A quality audit provides auditors with performance status with respect to the standards; whereas, in the benchmarking process, organizations evaluate various aspects of their processes in relation to best practices (Hart et al.  139  2009). The aim of benchmarking is to proactively improve ahead of the predetermined criteria usually translated from the prescriptive type of guidelines (Govan & Reinschmidt 2013). The audit criteria are predetermined while the benchmarks are usually established depending on performance targets. However, the audits certainly provide a basis to initiate the benchmarking process. The metrics for the benchmarking process are usually established through surveys, audits, interviews, or industrial standards. Organizations identify performance gaps, prioritize action items, and then conduct follow-up studies to improve underperforming processes.  The selection of a suitable benchmarking process depends on the overall objective of performance assessment. Benchmarking can be classified into two broad categories: internal benchmarking and external benchmarking. Internal benchmarking is a comparison of practices and performance between teams, individuals or groups, and divisions or departments within an organization. Whereas,  external benchmarking compares organizational performance with industry peers or across industries at a business or a functional level (Fisher et al. 1995). In comparison, internal benchmarking is a more convenient process than external benchmarking because companies may hesitate to share their data directly with competitors. However, third-party organizations usually conduct external benchmarking. The third-party organizations maintain the privacy and anonymity of participating organizations and share the knowledge and methodology of the better performing competitors (Govan & Reinschmidt 2013).  5.1.1 Oil and Gas Sector  Similar to other industrial sectors, benchmarking techniques have been widely used in the O&G sector. Most of the benchmarking work available in the literature is from the  companies’ or operators’ perspective. A detailed and critical review of past benchmarking studies is out of the  140  scope of this paper. However, a brief and relevant review of some recent studies in the O&G sector is presented.  Healy et al. (2004) optimized the cost of preventing leaks and ruptures for a 140,000-km long pipeline based on the benchmarking results of pipeline integrity management plans. Nine elements were considered for integrity assessment, including integrity plan, risk assessment, defect assessment, repair methods, spill detection, corrosion prevention, in-line inspection, third-party damage prevention, and failure history. The benchmarking results showed that the best performing operators were those who followed a formal plan for integrity management, proactive maintenance strategies, and agility to accommodate industry best practices.  Govan & Reinschmidt (2013) used benchmarking to assess the financial performance by identifying factors and predictors of natural gas pipeline projects. The study highlighted the type of project, climatic factors, and location of the project as the primary predictors, which can influence the cost regardless of the size of the project.  Schneider et al. (2015) used benchmarking analysis to study the sustainability of environmental, health, and safety (EHS) efforts in the O&G sector. The study is based on the data obtained from published public reports of ten (10) globally recognized O&G companies. The authors identified emissions, process safety, environmental protection, and personal productivity as common issues with existing EHS practices. Major reasons for these discrepancies were found to be: i) noncompliance of EHS laws as a common practice, ii) lack of common metrics of performance within companies, and iii) documents did not reflect the adequate communication of the mission and vision to support EHS improvement efforts.   141  5.1.2 Regulatory Perspective Oil and gas pipeline regulators are primarily responsible for ensuring the provision of safe, efficient, and effective delivery of services by the companies operating in their jurisdiction (First Quartile Consulting 2010). Regulators address the objectives of economic efficiency, the cost-effectiveness of viable operations, consumer protection, and social and environmental safety. In a rapidly changing environment, regulators are finding it increasingly necessary to improve their regulations and identify best industrial practices, simultaneously. In Canada, pipeline assets are often geographically distributed across provinces, and pipeline stocks may consist of a variety of primary materials. Therefore, operators must be compliant with the requirements of different regulators, e.g., BCOGC, AER, NEB. Therefore, operators’ practices reflect diverse regulatory dimensions. Regulators are also seeking common guidelines and protocols. Therefore the use of benchmarking process amongst the regulators has been increased in the recent past, which will help to identify the best practices.  The regulators’ perspective of performance measurement, auditing, and benchmarking is different from the companies’ perspective. However, parallels may be drawn between both perspectives. The companies’ perspective encompasses productivity enhancement within the constraints of cost-effectiveness and regulatory compliance. A company’s benchmarking analysis objectives are to measure the performance through performance indicators (one of the main ones is incidents); identify weaknesses; set targets for CPI; fulfill corporate objectives; achieve compliance of regulatory requirements, and identify the industry’s best practices (Schneider et al. 2015). The regulators’ perspective for conducting benchmarking is to find the companies that are fulfilling the regulatory requirements and taking measures to go above and beyond the requirements. The main source of data for benchmarking is the information filed by the operating companies for licensing  142  purposes or reporting incidents and during verification audits. Benchmarks can be established based on an acceptable level of performance within regulatory requirements or the performance level of the best company.  5.1.3 Integrity Management Program (IMP) An IMP is a systematic and formal documented program that specifies policies, plans, and practices to ensure safe, environmentally responsible, and reliable service of a pipeline (ASME-B31.8S 2014; CSA 2015). A comprehensive pipeline IMP addresses all areas of operational safety (i.e., inspection, repair, maintenance) and organizational elements (e.g., policies, training programs, safety culture, etc.). Companies develop an IMP based on the goal-based guidelines given in industrial standards and translate them suit organizational objectives. Canadian O&G regulators emphasize that pipeline operators must develop and implement IMPs following the guidelines of CSA Z662. The NEB outlines expectations and requirements for a management-system based safety and loss management as defined in Onshore Pipeline Regulation, and CSA Z662 (NEB 2018). The BCOGC’s IMP protocol for pipelines outlines its expectations and requirements based on CSA Z662  and Annex N of CSA Z662 (BCOGC (2016)) as mandated through its Pipeline Regulation to anticipate, prevent, mitigate, and manage the risks associated with construction, operation, and decommissioning of pipelines.  5.1.4 Safety Culture Safety culture is difficult to define and measure. Yet, substantial maturity models and qualitative attributes have been presented since the introduction of the concept of safety culture (Ahmadi et  143  al. 2015b; Maddin & Shanks 2016). The following three maturity models have been most commonly discussed: 1. The UK Health and Safety Executive (HSE) (Fleming 2000; Lees 2012) 2. Shell’s Heat and Mind Safety Culture Model (Hudson et al. 2002) 3. DuPont Bradley Curve (Lees 2012) These models have similarities in their characteristics and present five similar levels of maturity with different nomenclature (Table 5.1).  Table 5.1 : Safety models and their common attributes Maturity level HSE aodel Shell’s model DuPont’s model Common attributes Level 1 Emerging Pathological Reactive Safety is only the responsibility of the frontline worker Blaming attitude for frontline workers Fear of reporting Fear-based compliance Reactive behavior not a proactive Level 2 Managing Reactive Safety is considered as part of the job The accident rate is the only measure Blaming and punishing attitude Level 3 Involving Calculative Dependent Everyone involved in safety management Management accepts responsibility Personal health and safety is also important Safety data are collected Some extent of safety training Level 4 Co-operating Proactive Independent Appreciate the importance of safety Everyone has safety knowledge, training, and involvement Management and workers take responsibility Safety performance is monitored and analyzed Level 5 Continually improving Generative Interdependent Safety is an organizational value Prepared for accident and constant fear The culture of mutual help for safety initiatives High personnel health and safety care Pride in safety practices and culture Continuous improvement Most of the safety culture models were developed for nuclear and process industries. These models can be used for O&G pipelines with some modifications (Maddin & Shanks 2016). The Canadian  144  Energy Pipeline Association (CEPA), representing Canada’s transmission pipeline companies, focused on five attributes of strong safety culture, including leadership, training, site supervision, safe work sites, and measurements (CEPA 2012).  Table 5.2 : Safety Culture attributes and their characteristics (NARWGSC 2016) Safety Culture Attributes Characteristics  Direct participation in the safety system  Acquire the knowledge Safety leadership commitment Understanding the threat  Take actions to address hazards and deficiencies  Value safety efforts and expertise  Predict and identify possible failures  Willingness and ability to draw the right conclusion Vigilance Continual data collection and analysis  Lessons learned  Communication and dissemination of safety awareness  Fear-free information sharing of errors, near misses and incidents  Document and communicate accountability and responsibility roles at all levels  Employees at all levels must participate in safety management activities Empowerment and  Organization-wide safety ownership, and communication  accountability Willingness to take right decisions  Safety information accessible to all  Effective safety policies  High-quality procedures and guidance  Ability to anticipate the changes in operational processes Resiliency Knowledge and skill related to hazard management  Organizational capacity  Diversity  Redundancy to manage risk and unanticipated incidents The North American Regulators Working Group on Safety Culture (NARWGSC) presented four broad level attributes (Table 5.2) for safety culture in the O&G pipeline industry, which are safety leadership commitment; vigilance; empowerment and accountability; and resiliency (NARWGSC, 2016). The definition of these four attributes comprehensively covers all necessary characteristics  145  of strong and mature safety culture (Table 5.2). These safety culture attributes are coherent with IMP components and provide the basis to link the safety culture attributes with the IMP components. The methodology to establish a link between IMP components and safety culture will be discussed in Section 5.2 5.2 Model The proposed model (Figure 5.1) has three phases. Phase 1 initiates the identification of IMP and safety culture requirements, development of PIs presented as questionnaires based on standards requirements and categorizing them as management system-based components for IMP. In Phase 2, a risk assessment model is developed and implemented to audit and collect the performance data. In Phase 3, a benchmarking process is developed and tested using results from the risk-based auditing process to highlight the areas of improvement, best performance, and best in class practices.  5.2.1 Phase 1: Identification of IMP and Safety Culture Requirements A detailed review was conducted for IMP requirements given in industrial standards (CSA Z662 Annex A and N, ASMI B31.8 S, API 1160, and API RP 1173), regulatory legislation, and safety culture attributes (NARWGSC, 2016). The requirements are translated into PIs, which are grouped into eighteen categories. These categories, referred to as IMP components (Table 5.3), are further consolidated into five higher-level IMP components, i.e., planning, program implementation, checking and evaluation, program assessment and improvement, and management review.  146  5.2.2 Phase 2: Development of Risk Assessment Model  In Phase 2, The first step of the risk assessment model is to translate the identified PIs into measurable closed-ended questions. For example, some assessment questions are: • Is pipeline inventory and flow connectivity data reviewed, corrected and validated? • For liquid hydrocarbon pipelines, are material balance records interpreted in accordance with Annex E of CSA Z662 or sound engineering practices used to determine uncertainties and alarm tolerances?  • Is there a process in place to track specific training and frequency of training for employees within the IMP?  • Is pipeline inventory reviewed to determine licensing discrepancies and are appropriate actions taken to correct them? • Are frequency and responsibilities for management review and evaluation defined? The purpose of these questions is to assess the level of compliance. A risk score ranging from 1 (fully compliant, minimum risk) and 10 (complete noncompliance, maximum risk) are provided with the response to the question. Based on these responses, the risk of noncompliance has been estimated using failure mode and effect analysis (FMEA). The FMEA technique prioritizes risk using three factors: the probability of occurrence, the severity of the failure, and level of difficulty in detection of fault before failure (Ben-Daya et al. 2009; Palady 1995). These three factors are used to generate the risk priority number (RPN). The RPN is a product of the severity, occurrence, and effectiveness score. The RPN represents the level of risk and can be used to prioritize resources and corrective actions. The RPN score will be utilized for further benchmarking analysis. More details are reported in Iqbal, Waheed, et al. (2016).  147   Phase 3Phase 2Assessment Model (IMP & SC) (FMEA)Mapping SC and  IMP PIs Assessment ModelPhase 1Review of pipeline integrity practices(Industrial Standards)Review of Pipeline Integrity Programs (CSA Z662 Annex A,N)Review of Regulatory RequirementsPipeline SC maturity indicators (NARWGSC)Review of Safety Culture (SC)Identification of IMP requirements and performance indicatorsReview of IMP requirementsReview of Performance Benchmarking (BM)Benchmarking ModelBM analysis modelIMP performance profileCollaboration with O&G Regulator and regulatory auditsIMP and SC AuditsSC maturity levelAuditsIMP performance BMSC maturity BMBenchmarking analysisIdentification of weak areas  Figure 5.1: An integrated model for IMP and safety culture assessment 5.2.3 Linking IMP with the Safety Culture Assessment IMP components share similar characteristics with safety culture attributes. Furthermore, the relationships between safety culture and IMP components are not mutually exclusive (Table 5.4). Consequently, importance ranking of IMP components with safety culture attributes was established through expert knowledge (Delphi technique). For example, in ranking the scores of  148  IMP components under the safety culture attribute of ‘safety leadership and commitment’ (Table 5.5), regulatory experts were consulted to assign the IMP component ‘policy and commitment’ with the highest rank, whereas the component ‘management review’ was ranked as the lowest. These rankings were used for determining percentage contributions of IMP components for each corresponding safety culture attribute through sensitivity analysis see Hassan et al. et al. (2017).  Table 5.3 : IMP components and higher level Planning Program implementation Checking and evaluation of assets Program assessment and improvement Management reviews General imp Organizational role and responsibilities Inspection and monitoring Incident reporting and investigation Management reviews Goals and objectives  Information management and communication Evaluation of inspection and monitoring results Program assessment (non-compliance) - Policy and commitment Training and competency Modification and repair Internal audits - Risk assessment Management of change - - - - Record control - - - - Document control - - - - Operation control - - - The sensitivity analysis results of each IMP component are categorized as high, medium, and low significance components (Figure 5.2).  Results indicate that four IMP components found to be of ‘high significance,’ which are associated with all four safety culture attributes (Table 5.4). The medium significance group also has four IMP components with a contribution of 33.72% in safety culture maturity level. The percentage contribution of the remaining nine IMP components in the safety culture maturity was found to be 11.78%. These percentage contributions are used while determining severity score and calculating RPN calculations.   149  Table 5.4: IMP components classifications in rows against the safety culture elements arranged in columns Priority rank Safety leadership commitment Vigilance Empowerment and accountability Resiliency 1 Policy and commitment Incident reporting and investigation Organizational roles and responsibilities Risk assessment 2 Goals and objectives Information management and communication Training and competency Management of change 3 Organizational roles and responsibilities Risk assessment Information management and communication Training and competency 4 Training and competency Inspection and monitoring Incident reporting and investigation Management review 5 Management review Evaluation of inspection and monitoring results Operation control Document control 6   Internal audit   Program assessment (non-conformance) 7   Program assessment (non-conformance)   Modification and repair 8  Management review     9   Records control             Figure 5.2: Percentage contribution of IMP components on the safety culture assessment (Hassan et al. 2017)  0 5 10 15 20Training and CompetencyOrganizational roles and responsibilitiesPolicy and CommitmentRisk assessmentIncident reporting and investigationGoals and ObjectivesInformation management and communicationManagement of ChangeManagement reviewInspection and MonitoringProgram assessment (non-conformance)Evaluation of inspection and monitoring resultsDocument ControlOperation ControlModification and RepairInternal AuditRecords controlHighSignificanceMediumSignificanceLow Significance% Contribution 150  Table 5.5 : Ranking of IMP components and importance scores under the safety culture attribute of ‘safety leadership commitment (Hasan and Sadiq 2017) Ranking IMP Component Importance score 1 Policy and Commitment 1.00 2 Goals and Objectives 0.80 3 Organizational Roles and Responsibilities 0.60 4 Training and Competency 0.40 5 Management Review 0.20 5.3 Audit Tool The audit tool (Integrity Management Program Assessment and Knowledge Tool “IMPAKT”) developed comprises of two options: i) self-audit by the auditee, and ii) audit by the auditor based on interviews with the representative team, reviewing the documents, explanation of the company’s representatives, and incorporating the auditor’s judgment.  5.3.1.1 Audit Two hundred questions reflecting PIs can be used by the auditee to perform a self-audit (Iqbal, Waheed, et al. 2016). The questionnaire followed three criteria:  • Is the question clear and unambiguous?  • Does the question contain the required information about the related clause as given in a standard?  • Does the question not lead the respondent to more than one interpretation?  Each question may have one of the three possible responses: Compliant (Yes), Not Compliant (No), and Not Applicable (NA). The response of NA states that the question is not relevant to a particular operator’s system. The auditors review each question response based on provided information, documentation, and records.   151  During the audits, auditors collect objective evidence through review of records, practices, and existing procedures to verify adequacy, implementation, and effectiveness of the existing IMP program under review. The auditors can assign ‘severity’ and ‘effectiveness’ factors to the IMP components based on observations.  5.3.2 Phase 3: Benchmarking Analysis  Benchmarking analysis is the third phase of the proposed framework (Figure 1). Once the audit results are captured in the audit tool, the tool helps determine the performance in terms of risk levels through RPN scores and sets the benchmarks for performance improvement. The analysis results are presented in three ways, compliance benchmarking, competitive benchmarking and safety culture maturity level analysis. Oil and gas companies were classified as small-, medium-, and large-sized based on their assets. The IMP and resource allocation may vary with the size of the company to maintain IMP effectiveness. Large asset holding companies are vulnerable to higher risk because their assets spread over a larger geographic area. On the other hand, the companies with large-sized assets have more financial and technological resources for asset management than the small-sized companies and thus can take advantage of economies-of-scale for improvement actions.  The objectives of benchmarking analysis are; • Evaluating performance and analyzing trends (risk profile over time) of an individual auditee;  • Streamlining and improving the tracking process for IMP assessment and the impact of corrective actions;  • Developing benchmarks for IMPs based on auditees; and  152  • Proposing a system for continuous performance improvement over time with safety culture. 5.4 Framework Implementation 5.4.1 Case Study The proposed framework has been demonstrated in a regulatory environment with the collaboration of the British Columbia Oil and Gas Commission (BCOGC). Since 2011, the BCOGC has been conducting an annual audit of the companies operating upstream O&G pipelines in the province of BC (Canada) to assess the effectiveness of their IMPs. The audit data was obtained and modified for two audit cycles. The first audit cycle spanned between 2011 and 2015. The second cycle was initiated in 2016 and will be completed in 2020. Only data for 2016 was available at the time of data collection. Eighty-eight O&G pipeline operating companies were audited during the first cycle while 17 companies were audited in the second cycle (Table 5.6). The risk profile for IMP components and safety culture was generated using the methodology described in section 3.2 and Hassan et al. et al. (2017) for each company and was further used for the benchmarking analysis.  Table 5.6: Number of companies audited per year from 2011-2016 Year 2011 2012 2013 2014 2015 2016 No of companies 18 15 19 19 17 17 5.5 Results and Discussions The effectiveness of IMP components and safety culture attributes has been assessed against four risk levels (RLs) corresponding to calculated RPN values (see Table 5.7). The RLs are interpreted  153  in terms of compliance, competitiveness, and safety culture maturity. For example, RL1 corresponds to RPN values less than 25. RPN values in this range show that the company’s IMP performance is the “High” in terms of competitiveness, “Fully compliant and fully effective” in terms of compliance, and it represents a “Strong” safety culture. The compliance performance level is the representation of the operational management while the competitive performance level and safety culture maturity levels are more useful for decision-making at the senior management level.  Table 5.7: Performance levels translated into competitive, compliance, and safety culture maturity level Performance levels O1 S2 E1 RPN Effective range of RPN Competitiveness level  Compliance level Safety Culture maturity level PL1   1 1 1 1 1 - 25 High Fully compliant and effective Strong PL2  5 5 5 125 26 - 125 Medium Partially compliant Partially effective Moderate PL3  5 10 10 500 126 - 500 Low Partially compliant not effective Weak PL4  10 10 10 1000 501 - 1000 Very low Not compliant and not effective Very weak 1Occurance scored as low =1, medium =5, and high =10 2 Severity scored as low =1, medium =5, and high =10 3 Effectiveness scored as low =10, medium =5, and high =1 The participating companies were categorized into three asset classes. The companies having pipeline assets up to 100 km of length were grouped under the small-sized category. The asset lengths from 100 to 500 km and more than 500 were categorized as medium-sized companies and the large-sized companies, respectively. Subsequently, the assessment results were analyzed for each asset class size. A normality test revealed that the data is not normally distributed and widely dispersed. In Table 5.8, the statistics of IMP data of the companies that participated in Cycle 1 shows that the data of large and small-sized companies are more widely spread as compared to the medium-sized companies. However, the average performance of large-sized companies is better than the small and medium-sized with an average RPN value of 108. Companies were selected  154  during the first cycle with a primary objective to assess all the operating companies from all asset classes. On average, 17 companies were audited in each year of Cycle 1.  Table 5.8 : Statistics of IMP performance analysis results for Cycle 1 Asset class n Median 75% CI Large-sized companies 17 108 58-320 Medium-sized companies 17 238 175-360 Small-sized companies 40 167 88-250 5.5.1 IMP Benchmarking - Cycle 1 Whisker plots in Figure 3a-c show the performance assessment results in terms of 25th percentile, the median, and 75th percentile of the companies categorized under different asset classes. The four RLs defined in Table 5.7 are illustrated with different colors (Figure 5.3). The companies selected for the audit each year were asked to submit their IMP documents. Initially, the assessment criteria were focused only on the compliance of the requirements. The results of the fiscal year (FY) 2011 in Figure 5.3 shows that the distribution of RPN values for large-sized companies and small-sized companies mostly lie in ‘high’ and ‘medium’ risk zones with the exception of a few outliers for small-sized companies. For medium-sized companies, RPN values are high and mainly fall in ‘medium’ to ‘low’ performance zones. Therefore, it can be inferred that in the starting year of Cycle 1 (i.e., 2011), the overall (i.e., 75 percentile) performance of small-sized and large-sized companies was better than medium-sized companies.  The impact of the new assessment criteria is evident from the assessment results for the period between FY2012 to FY2015 (Figure 3). The overall RPN values (i.e., 75th percentile)  for the large-sized companies were increased with the corresponding risk dropped from ‘high’ to ‘low’. Likewise, the overall performance of small-sized companies (i.e., 75th percentile) also declined to  155  the ‘low’ risk zone. However, the impact of revised criteria was more pronounced in case of medium-sized companies (refer to Figure 5.3b). The consolidated results of Cycle 1 presented in Figure 5.3d show that the overall performance of large-sized companies was better than the small-sized and medium-sized companies.  5.5.2 Safety Culture Benchmarking - Cycle 1 Figure 5.4a-c are whisker plots showing safety culture assessment results for all asset classes. The results are analogous to IMP assessment results; however, the IMP components have different percentage contributions to safety culture attributes (refer to Figure 5.5). With the exception of some large-sized (FY 2011, 2012, and 2015) and small-sized companies (FY 2011, 2013, and  2014), the assessment results revealed ‘weak’ to ‘very weak’ safety culture in most of the participating companies during Cycle 1. The worst performance results were observed in FY 2012 in the case of small-sized companies and in FY 2014 for medium-sized and large-sized companies.  The consolidated results for all asset classes during cycle 1 presented in Figure 4d show that on an overall basis, safety culture in small-sized companies was weaker as compared to the large-sized and medium-sized companies. Although large-sized companies showed better safety culture than other asset classes, most of the data for large-sized companies are dispersed between ‘medium’ to ‘very weak’ zones.   Analysis of  the IMP components revealed that the performance levels of ‘internal audit,’ ‘training and competency,’ ‘management review,’ and ‘control of non-conformance’ were low for most companies. These components were identified as the most significant components for IMP and safety culture assessment (Figure 5). Thus companies should take serious steps to improve their performance. Nevertheless, each IMP component shared equal increment in risk profile (Figure  156  5); therefore, all of them need to address the deficiencies in identified weak performing IMP components.   5.5.3   Cycle 2- Results for IMP and Safety Culture The Cycle 1 results showed alarming discrepancies in IMP components, IMP performance, and safety culture profile. The regulator set the performance level 1 (PL1) as the benchmarks for IMP performance which is “fully compliant and fully effective” and “strong” safety culture. Accordingly, the regulator emphasizes the operating companies to improve the efficacy of their IMP components, and safety culture attributes to achieve PL1.  The regulator adopted several measures in this regard, such as i) improved their communication with the operators; ii) developed and disseminated an IMP assessment questionnaire through their website, and iii) followed up with poor performing operators identified in Cycle 1. The audit results of the Cycle 2, presented in Figure 6a started from FY 2016, showed significant improvements for all asset classes. The large-sized companies achieved the desired benchmark, i.e., PL1: fully compliant fully effective. The performance of small-sized and medium-sized companies fall in the range of PL 2, i.e., partial compliant and partially effective.  Likewise, the safety culture analysis showed significant improvements for all asset classes in Figure 6b. Around 25% of large-sized companies have achieved the desired benchmark, i.e., ‘strong safety culture’; however, most of the companies still need to further improve their safety culture. All the small-sized and medium-sized companies lie in ‘moderate’ or ‘weak’ performance zones and thus need major improvements.    157  010020030040050060070080090010002011 2012 2013 2014 2015RPNAuditing Year(a)010020030040050060070080090010002011 2012 2013 2014 2015RPNAuditing Year(b)High Medium Low Very Low 158    Figure 5.3: IMP assessment data spread of Audit Cycle 1 from FY 2011 to 2015, a) large-sized companies, b) medium-sized companies, c) small-sizes companies, d) consolidated results 010020030040050060070080090010002011 2012 2013 2014 2015RPNAuditing years(c)High Medium Low Very Low01002003004005006007008009001000Small Medium LargeRPNAsset Class(d)High Medium Low Very Low 159     010020030040050060070080090010002010 2011 2012 2013 2014 2015RPNAuditing Year(a)Strong Medium Weak Very weak010020030040050060070080090010002011 2012 2013 2014 2015RPNAuditing Year(b)Strong Medium Weak Very weakVery Weak Weak Moderate Strong Very Weak Weak Moderate Strong  160    Figure 5.4 : Safety Culture assessment data spread of Audit Cycle 1 from FY 2011 to 2015 a) large-sized companies, b) medium-sized companies, c) small-sizes companies, d) consolidated results  010020030040050060070080090010002011 2012 2013 2014 2015RPNAuditing years(c)Strong Medium Weak Very weak01002003004005006007008009001000Large Medium SmallRPNAsset class(d)Strong Medium Weak Very weakVery Weak Weak Moderate Strong Very Weak Weak Moderate Strong  161   Figure 5.5 : IMP components contribution in IMP and safety culture performance.  01002003004005006007008009001000Large Medium SmallRPNAsset Size(a)High Medium Low Very LowVery Weak Weak Moderate Strong  162   Figure 5.6: Consolidated results for all asset classes for Cycle 2 (FY 2016), a) IMP performance profile, b) safety culture profile 5.6 CPI Integration with the Framework 5.6.1 Integrating with PDSA The implementation of the framework is CPI process (PDSA) (Figure 5.7). Each complete cycle of assessment triggers the CPI cycle. The PLAN stage started with the review of IMP guideline and protocol, which is a phase 1 of the framework. The DO stage is spread over phase 2 and phase 3 which are comprised of assessment process of IMP and Safety culture. During the STUDY stage, the IMP performance level is studied, the low performing IMP components are identified, and new benchmarks are set. The ACT stage is a phase 5, which includes the IMP assessment process improvement review, defining improved protocol and improvements in assessment model.  01002003004005006007008009001000Large Medium SmallRPNAsset Size(b)High Medium Low Very LowVery Weak Weak Moderate Strong  163  Phase 4Phase 3Phase 2Phase 1Review of pipeline integrity practicesReview of Pipeline Integrity Programs (IMP)Review of asset maintenance  decisions and policiesReview of pipeline incidents investigations  Review of Risk assessment methodologiesReview of FMEAIMP performance profileReview of IMP assessment processReview of Performance Benchmarking (BM)Integrity processes(Technical , Management)IMP Assessment Model (Use of FMEA)Identification of IMP requirements and performance indicatorsCollaboration with O&G Regulator and regulatory auditsPipeline SC maturity indicators (NARWGSC)Mapping SC with IMP assessment SC assessment modelSC auditsSC maturity levelBM analysis modelIMP performance BMReview of Safety Culture (SC)SC maturity BMIdentifying the improvementsContinuous performance improvementPLAN DO STUDY ACT Figure 5.7: Framework integration with PDSA 5.6.2 Integrating with the Concept of LEAN Lean is quality improvement philosophy. It focused on optimizing the customer-value chair. The concept of lean is the elimination of waste in every area of production, process design supply, and management. This concept was initially started in automotive sector but now has been transmitted to other industry (Bhuiyan & Baghel 2005; Buell et al. 2004). Womack & Jones (1996) describe  164  lean as the remedy of losses and waste, which is also described by the Japanese term for waste “MUDA.” The waste is defined as anything which is more than requirements of the process or the customer (Bhuiyan & Baghel 2005). The term is associated with manufacturing industry as lean manufacturing. Its goal is to become highly responsive to customer demand by incorporating less human effort, less inventory, less time to develop products, and less space. The lean manufacturing has three basic principles: improve the flow of material and information across business function; focus on the pull by the customer; commitment of organizations to CPI (Bhuiyan & Baghel 2005; Womack & Jones 1996). These three principles also reflect the IMP components as described in the standards and discuss in Chapter 3. The presented framework incorporates the concept of lean for the regulatory work by defining the prescriptive requirements of standards as well defined and structured IMP components, performance indicators, and related compliance questions. This criterion identifies what are the actual requirements of the regulator and eliminate “waste” processes from operator’s IMP. Furthermore, the benchmarking analysis identifies the common area of deficiency in the overall IMP. It helps to focus regulator to the weak areas and save more time for the future audit process.  5.7 Summary The proposed model deals with challenges associated with the assessment of IMPs and safety culture and their improvement process in the O&G pipeline industry. The model outlines a possible paradigm shift from a conventional compliance assessment to a risk assessment approach. The safety culture assessment was linked with IMP assessment by establishing logical relationships between IMP components and their contributions towards safety culture maturity levels.  165  Evaluating IMP performance in terms of risk is a better approach for compliance benchmarking. Focusing only on compliance can be misleading for the operating company whereas the risk approach portrays performance in terms of possible risk, which can be attributed to the weak performance of IMP.   The model has been applied to O&G pipeline companies operating in British Columbia (Canada) for the benchmarking analysis to determine the overall performance of companies in terms of IMP effectiveness and safety culture maturity level. A comparative analysis of small, medium and large-size companies was also carried out. The low performing IMP components were identified from assessment results of audit Cycle 1. Improvement actions were taken, and improvements were compared to the audit results of Cycle 2.   Companies with a large number of pipeline assets and more financial and technical resources showed better IMP performance in comparison to small-sized companies. The findings also revealed that the companies are mostly focused on the technical aspect of IMPs. Therefore, the IMP component ‘repair and modification’ was found to be the best performing IMP component for all asset size companies. However, the companies’ performance lacked in the management aspects of an IMP which was manifested by ‘low’ performance levels of ‘internal audit,’ ‘training and competency’, ‘management review’, and ‘control of non-conformance’ in most of the companies.  The study also concluded that better communication, elaborated protocol, and strict followup of the regulator with operating companies helps to improve IMP performance and safety culture maturity.     166  Chapter 6 : Summary and Conclusions 6.1 Summary The goal of this research was to provide comprehensive assessment and auditing solution to the O&G regulators for better control to ensure safe pipeline operations through effective implementation of integrity management program (IMP). A novel assessment framework is presented, which can shift the conventional compliance-based auditing process to a risk-based assessment process. Furthermore, it linked the IMP components with Safety Culture attributes and conduct benchmarking to support a continuous performance improvement process. Overall goal has been achieved by defining four specific research objectives (Chapter 1). The details of various models within the framework were presented in Chapters 2 to 5. A short summary of these chapters is as following:.   Chapter 1 was an introductory chapter which described the research needs, knowledge gaps, questions, and objectives. This chapter also outlined the proposed framework in the context of the objectives and research phases.  Chapter 2 addressed the objective 1 by conducting a state-of-the-art review of inspection and maintenance practices and procedures of O&G pipelines. The review of industrial standards CSA Z662, ASME B31.8S, and API 1160 was also presented as Appendix A, which highlighted mandatory and nonmandatory clauses, IMP elements, and their related requirements.  Chapter 3 addressed the objective 2 in detail. A risk-based model for IMP assessment was developed by incorporating Failure mode effect analysis (FMEA) with contextualized definitions of occurrence, severity, and detectability. Standard regulatory requirements for O&G pipeline  167  IMPs were classified into IMP components. Based on the model, an Excel-based decision support tool, “Integrity Management Program Assessment and Knowledge Tool (IMPAKT)” was developed. The IMPAKT was tested and demonstrated through a case study.  Chapter 4 addressed the objective 3. A novel approach to link IMP components with safety culture attributes was presented. A model was developed to assess safety culture maturity through IMP assessment. A case study was also presented to demonstrate the application of the model. Chapter 5 addressed the objective 4. A benchmarking analysis for operators’ IMPs and safety culture was conducted. Benchmark performance indicators were established based on compliance and competitiveness and measured IMP performance and safety culture. The pipeline operators were categorized into three groups (i.e., small, medium, and large) based on their number of O&G pipeline assets. A competitive benchmarking analysis was conducted to identify best-in-class IMP performance. The impact of IMP performance was also reflected in a safety culture assessment.  6.2 Conclusions  Following are main conclusions of this research: • Pipeline integrity management is a holistic approach which should also involve organizational elements. Traditional integrity assessment approaches, which only focus on inspection, testing, and analysis activities followed by maintenance, cannot fully address all integrity management issues.  • Research results show that traditional IMP auditing processes only provide a one-dimensional view of  compliance. The traditional IMP audits only to determine whether operators are meeting regulatory requirements, however, do not gauge the level of risk  168  associated with each non-compliance. Decision makers are not able to evaluate an IMP based on the quality and effectiveness of the program.  • The decision-making process can be improved by addressing the severity of noncompliance with requirements and analysis of corrective action plans.  • The effectiveness of an IMP also depends on the maturity level of safety culture. The links between IMP components and safety culture attributes provides a simultaneous assessment of both and determine the common areas of improvement. The linking process reduced the auditing process time. Furthermore, it also elevates the role of organizational behavior in the IMP effectiveness.  • The benchmarking results findings revealed that companies are mainly focused on the ‘repair and modification.’ Conversely, companies were found to be lacking in the management aspects of an IMP, such as: ‘internal audit,’ ‘training and competency,’ ‘management review,’ and ‘control of non-conformance’.  • The research also highlighted that by adopting the proposed framework, regulators established better communication, elaborated protocol, and strict follow-up of operators’ deficiencies. • The widespread adoption of benchmarking would support cross-jurisdictional benchmarking as a regulatory instrument for assessing the performance of pipeline operators in an objective, equitable, and effective manner.   169  6.3 Originality and Contributions This research has implemented innovative techniques and delivered original contributions in the field of pipeline safety and integrity management assessment process. The main contributions and originality of this research are described as following: 1. Development of a novel, risk-based assessment, approach for IMP and safety culture.  2. Quantification of relationships between IMP components and safety culture attributes. 3. Development of a comprehensive auditing tool for IMP and safety culture assessment for regulators and benchmarking analysis for continuous performance improvement. • The first contribution is the comprehensive review of policies, decision-making processes and resource optimization of pipeline repair and maintenance. The review laid the foundation for the researchers in their future studies of maintenance resource, time optimization, efficiency and effective improvement for all types of assets in general, and for O&G pipeline assets in particular. • The second contribution is a shift from a conventional approach of IMP assessment to a risk-based approach. The methodology employs FMEA techniques in the IMP auditing process to develop the relationships between noncompliance, the severity of noncompliance, and measures taken under corrective action plans.  • The third contribution is to establish the link between the IMP and safety culture assessment process. The logical established connection between IMP components and safety culture attributes laid the foundation for a holistic approach for IMP assessment, which includes technical, managerial, and organizational behavioral aspects of safety and integrity. The developed assessment process will also help future researchers to integrate safety culture within a safety management system.   170  • The fourth contribution is the benchmarking analysis of IMP and safety culture assessment results from a regulatory perspective. The methodology provided quantitative scales for establishing IMP and safety culture performance levels. It identified the overall poor performing IMP components, which helped to focus on them and reduced the assessment time. The presented framework has the capability to be extended to the downstream pipeline sector. The framework also laid the foundation for IMP assessment for “Facilities (Stationary and rotary equipment)” in the O&G industry.  6.4 Limitations and Recommendations The integrated model for IMP and safety culture was developed in the context of the regulatory perspective, which was implemented by a Canadian O&G regulator. However, there are some inherent limitations and future recommendations for improvement:  • The framework is primarily focused on a quality management system; therefore, It deals with the management of technical processes not the technicalities of those processes.  • The presented framework gives an overall review of safety culture maturity level. It doesn’t provide an assessment of subcultures that may exist for different job functions and geographic areas, particularly in large-sized companies. • The regulatory assessment is dependent on the documents and the response to the audit questionnaire provided by the pipeline operator. The assessment through such audits may not provide actual insight of safety culture because companies may try to develop their documents and audit preparations as to the regulators wish to see.  171  • Audit interviews with a company’s representative group are limited based on the interviewees’ knowledge. Therefore, if the group is comprised of different levels of management, workers may provide a better overview of the perception of  safety at all levels of the company. • A perception survey was not conducted, as it is difficult for regulators to get access to all employees. Company policies may have a large effect on employees’ willingness to provide an accurate perception of safety culture due to fear of potential repercussions. • Auditing is an ongoing process. However, the benchmarking analysis is based on partially available data, which may not be a true representation of IMP performance. However, the trend for improvement was evident from the results.  • Linking IMP effectiveness with safety culture maturity assessment is still in its early stages. Future researchers may revise the questionnaire; it may include the importance ranking of PIs.  • Severity may be defined at the PI level instead of IMP component level, and a cumulative severity score can be used in FMEA analysis. The effectiveness may also be associated with PI levels, and the questions which describe the process may be linked with an effectiveness score. • Safety culture assessment can be further developed by adding more questions related to management commitment and personal involvement towards safety. The PIs may be ranked based on their association with safety culture attributes, and a separate FMEA may be developed for safety culture.  • Incident data can be included in the benchmarking analysis and correlations between IMP performance, and incident data can be developed.   172  Bibliography  Adebayo, A. & Dada, A., 2008. An Evaluation of the causes of oil pipeline incidents In Oil and Gas Industries in Niger Delta Region of Nigeria. J. Eng. Applied Sci, 3(3), pp.279–281. AER, 2014. AER Investigation Report , Pipeline Failure and Release into the Red Deer River, Alberta, Alberta Energy Regulator. Available at: https://www.aer.ca/documents/reports/IR_20140304-PlainsRangeland.pdf. Agarwal, H. et al., 2004. Uncertainty quantification using evidence theory in multidisciplinary design optimization. Reliability Engineering & System Safety, 85(1), pp.281–294. Ahmad, R. & Kamaruddin, S., 2012. An overview of time-based and condition-based maintenance in industrial application. Computers & Industrial Engineering, 63(1), pp.135–149. Ahmadi, M. et al., 2015a. Benefits of using basic, imprecise or uncertain data for elaborating sewer inspection programmes. Structure and Infrastructure Engineering, 11(3), pp.376–388. Ahmadi, M. et al., 2015b. Benefits of using basic, imprecise or uncertain data for elaborating sewer inspection programmes. Structure and Infrastructure Engineering, 11(3), pp.376–388. Ahn, S. & Kim, W., 2011. On determination of the preventive maintenance interval guaranteeing system availability under a periodic maintenance policy. Structure and Infrastructure Engineering, 7(4), pp.307–314. Amadi-Echendu, J.E. et al., 2010. Definitions, concepts and scope of engineering asset management, Springer. Anon, 2002. Pipeline Safety Improvement Act of 2002-Operator qualification (OQ) protocols,U.S. Department of Transportation’s Office of Pipeline Safety (OPS) Act of 2002., U.S. Department of Transportation’s Office of Pipeline Safety (OPS). Available at: http://www.phmsa.dot.gov/pv_obj_cache/pv_obj_id_CCC57970C9C41A8BEF1410A4F18DA7865A5D0000/filename/b_Acknow_and_Charteristics.pdf. API, R., 2009. 580 Recommended Practice for Risk-Based Inspection. American Petroleum Institute, Washington, DC. API-1163, 2013. In-line Inspection Systems Qualification: API Standards 1163, Second Edition, American Petroleum Institute. API-1173, 2014. Pipeline Safety Management System Requirements: API RECOMMENDED PRACTICE 1173, American Petroleum Institute. Available at: http://ballots.api.org/ecs/RP1173Ballot%20DraftJune2014.pdf. API-580, 2009. 580 Recommended Practice for Risk-Based Inspection, American Petroleum Institute.  173  Arunraj, N. & Maiti, J., 2010. Risk-based maintenance policy selection using AHP and goal programming. Safety science, 48(2), pp.238–247. Arunraj, N. & Maiti, J., 2007a. Risk-based maintenance—Techniques and applications. Journal of Hazardous Materials, 142(3), pp.653–661. Arunraj, N. & Maiti, J., 2007b. Risk-based maintenance—Techniques and applications. Journal of hazardous materials, 142(3), pp.653–661. ASME, 2009. ASME B31G-2009. Manual for determining the remaining strength of corroded pipeline, American Society of Mechanical Engineers. ASME-B31.8S, 2014. Managing System Integrity of Gas Pipelines: ASME Code for Pressure Piping, B31 Supplement to ASME B31.8, The American Society of Mechanical Engineers. Aven, T. & Zio, E., 2011. Some considerations on the treatment of uncertainties in risk assessment for practical decision making. Reliability Engineering & System Safety, 96(1), pp.64–74. Ayyub, B.M., 1991. Systems framework for fuzzy sets in civil engineering. Fuzzy sets and systems, 40(3), pp.491–508. Ayyub, B.M. & Klir, G.J., 2006. Uncertainty modeling and analysis in engineering and the sciences, CRC Press. Bae, H.-R., Grandhi, R.V. & Canfield, R.A., 2004. An approximation approach for uncertainty quantification using evidence theory. Reliability Engineering & System Safety, 86(3), pp.215–225. Barlow, R. & Hunter, L., 1960. Optimum preventive maintenance policies. Operations Research, 8(1), pp.90–100. Barnard, I., 2006. Asset Management—An Insurance Perspective. In Engineering Asset Management. Springer, pp. 44–53. Bartenev, A. et al., 1996. Statistical analysis of accidents on the Middle Asia-Centre gas pipelines. Journal of Hazardous Materials, 46(1), pp.57–69. BCOGC, 2013. Pipeline Performance Summary, BC Oil and Gas Commission. Berg, M. & Epstein, B., 1976. A modified block replacement policy. Naval Research Logistics Quarterly, 23(1), pp.15–24. Berger, A., 1997. Continuous improvement and kaizen: standardization and organizational designs. Integrated manufacturing systems, 8(2), pp.110–117. Bergman, B., 1978. Optimal replacement under a general failure model. Advances in Applied Probability, pp.431–451.  174  Bhuiyan, N. & Baghel, A., 2005. An overview of continuous improvement: from the past to the present. Management decision, 43(5), pp.761–771. Bjørnøy, O. et al., 1999. Introduction And Background to DNV RP-F101" Corroded Pipelines. In The Ninth International Offshore and Polar Engineering Conference. International Society of Offshore and Polar Engineers. Blanchard, B., Verm, D. & Peterson, E., 1995. Maintainability: A key to effective and maintenance management. Bloch, H.P., 1998. Practical Machinery Management for Process Plants: Volume 1: Improving Machinery Reliability, Gulf Professional Publishing. Board, N.E., 2016. National Energy Board Onshore Pipeline Regulations SOR-99-294. Available at: http://laws-lois.justice.gc.ca/PDF/SOR-99-294.pdf (Accessed on 09/27/2016). Board, N.E., 2005. Regulation of Operations and Maintenance Activities on Pipelines Under the National Energy Board Act and Guidance Notes, National Energy Board. Available at: https://www.neb-one.gc.ca/bts/ctrg/gnnb/prtnmntnncctvt/2005-07rgltnprtnmntnncppln-eng.pdf. Brito, A.J., Almeida, A.T. de & Mota, C.M., 2010. A multicriteria model for risk sorting of natural gas pipelines based on ELECTRE TRI integrating Utility Theory. European Journal of Operational Research, 200(3), pp.812–821. Buell, R., Turnipseed, S. & others, 2004. Application of Lean Six Sigma in Oilfield Operations. SPE Production & Facilities, 19(04), pp.201–208. Cagno, E. et al., 2000. Using AHP in determining the prior distributions on gas pipeline failures in a robust Bayesian approach. Reliability Engineering & System Safety, 67(3), pp.275–284. Canada, S., 2016. Pipelines for Oil: Protecting our economy, Respecting our environment. Available at: https://sencanada.ca/content/sen/committee/421/TRCM/Reports/FINALVERSION-PipelineStudy-2016-12-07_e.pdf. Canada, T., 2007. Moving forward - changing the safety and security culture :: T22-135/2007 - Government of Canada Publications. Carnero, M.C., 2005. Selection of diagnostic techniques and instrumentation in a predictive maintenance program. A case study. Decision Support Systems, 38(4), pp.539–555. Cassanelli, G. et al., 2006. Failure analysis-assisted FMEA. Microelectronics Reliability, 46(9), pp.1795–1799.  175  CEPA, 2012. A sneak peek at the safety culture of the pipeline industry. Available at: https://www.aboutpipelines.com/en/blog/a-sneak-peek-at-the-safety-culture-of-the-pipeline-industry/ assessed on 05-07-2017. CEPA, 2013. Safe-Pipe-Ops-ENG.pdf. CEPA, 2017. Why do we have pipelines? Available at: https://www.aboutpipelines.com/en/pipelines-in-our-lives/. Chandima Ratnayake, R. & Markeset, T., 2010. Technical integrity management: measuring HSE awareness using AHP in selecting a maintenance strategy. Journal of Quality in Maintenance Engineering, 16(1), pp.44–63. Chang, M.-K. et al., 2005. Application of risk based inspection in refinery and processing piping. Journal of Loss Prevention in the Process Industries, 18(4), pp.397–402. Chapman, C., 1997. Project risk analysis and management—PRAM the generic process. International Journal of Project Management, 15(5), pp.273–281. Chaudhuri, D. & Sahu, K.C., 1977. Preventive maintenance interval for optimal reliability of deteriorating system. Reliability, IEEE Transactions on, 26(5), pp.371–372. Cheng, Y.-L., 2000. Uncertainties in fault tree analysis. Tamkang Journal of Science and Engineering, 3(1), pp.23–30. Choudhry, R.M., Fang, D. & Mohamed, S., 2007. The nature of safety culture: A survey of the state-of-the-art. Safety science, 45(10), pp.993–1012. Cockshott, J., 2005. Probability bow-ties: a transparent risk management tool. Process Safety and Environmental Protection, 83(4), pp.307–316. Commission, N.R. & others, 2011. final Safety Culture policy Statement (nrC-2010-0282). Federal Register, 76(114), p.34773. Cooper, 2000. Towards a model of safety culture. Safety science, 36(2), pp.111–136. Cosham, A., Hopkins, P. & Macdonald, K., 2007. Best practice for the assessment of defects in pipelines–Corrosion. Engineering Failure Analysis, 14(7), pp.1245–1265. Cox, S. & Cheyne, A., 2000. Assessing safety culture in offshore environments. Safety science, 34(1), pp.111–129. Cox, S. & Cox, T., 1991. The structure of employee attitudes to safety: A European example. Work & stress, 5(2), pp.93–106. Crow, L.H., 1975. Reliability analysis for complex, repairable systems, DTIC Document. CSA, 2015. Oil and gas pipeline systems: CSA Z662-15, Canadian Standards Association (CSA).  176  Culture, S., 1991. Safety Series No. 75 INSAG-4, International Nuclear Safety Advisory Group. International Atomic Energy Agency, Vienna. Dawotola, A.W. et al., 2012. Risk-Based Maintenance of a Cross-Country Petroleum Pipeline System. Journal of Pipeline Systems Engineering and Practice, 4(3), pp.141–148. Dawotola, A.W., Van Gelder, P. & Vrijling, J., 2009. Risk Assessment of Petroleum Pipelines using a com-bined Analytical Hierarchy Process-Fault Tree Analysis (AHP-FTA). In Proceedings of the 7th International Probabilistic Workshop, Delft. Ben-Daya, M. et al., 2009. Handbook of maintenance management and engineering, Springer. Deng, J.-L., 1989. Introduction to grey system theory. The Journal of grey system, 1(1), pp.1–24. DeWolf, G.B., 2003. Process safety management in the pipeline industry: parallels and differences between the pipeline integrity management (IMP) rule of the Office of Pipeline Safety and the PSM/RMP approach for process facilities. Journal of hazardous materials, 104(1), pp.169–192. Dey, P.K., 2001. A risk-based model for inspection and maintenance of cross-country petroleum pipeline. Journal of Quality in Maintenance Engineering, 7(1), pp.25–43. Dey, P.K., 2003. Analytic hierarchy process analyzes risk of operating cross-country petroleum pipelines in India. Natural Hazards Review, 4(4), pp.213–221. Dey, P.K., 2004. Decision support system for inspection and maintenance: a case study of oil pipelines. Engineering Management, IEEE Transactions on, 51(1), pp.47–56. Dey, P.K., Ogunlana, S.O. & Naksuksakul, S., 2004. Risk-based maintenance model for offshore oil and gas pipelines: a case study. Journal of Quality in Maintenance Engineering, 10(3), pp.169–183. Dhillon, B.S., 2002. Engineering maintenance: a modern approach, CRC Press. De Dianous, V. & Fiévez, C., 2006. ARAMIS project: A more explicit demonstration of risk control through the use of bow–tie diagrams and the evaluation of safety barrier performance. Journal of Hazardous Materials, 130(3), pp.220–233. DNV, 2015. Recommended Practice DNV-RP-F101 Corroded Pipelines, DNV. Donald, I. & Canter, D., 1994. Employee attitudes and safety in the chemical industry. Journal of Loss Prevention in the Process Industries, 7(3), pp.203–208. Drinkwater, R. & Hastings, N.A., 1967. An economic replacement model. OR, pp.121–138. Duffuaa, S. et al., 2001. A generic conceptual simulation model for maintenance systems. Journal of Quality in Maintenance Engineering, 7(3), pp.207–219.  177  Duffuaa, S.O., Raouf, A. & Campbell, J.D., 1999. Planning and control of maintenance systems: modeling and analysis, John Wiley & Sons. Duijm, N.J., 2009. Safety-barrier diagrams as a safety management tool. Reliability Engineering & System Safety, 94(2), pp.332–341. Ebeling, C.E., 2004. An introduction to reliability and maintainability engineering, Tata McGraw-Hill Education. EIA, 2017. About U.S. Natural Gas Pipelines; U.S Energy information Administration. Available at: https://www.eia.gov/naturalgas/archive/analysis_publications/ngpipeline/index.html. El-Abbasy, M.S. et al., 2014. Condition prediction models for oil and gas pipelines using regression analysis. Journal of Construction Engineering and Management, 140(6), p.04014013. El-Akruti, K., Dwight, R. & Zhang, T., 2013. The strategic role of engineering asset management. International Journal of Production Economics, 146(1), pp.227–239. Elnashai, A.S. & Tsompanakis, Y., 2012. Uncertainties in life-cycle analysis and design of structures and infrastructures. Structure and Infrastructure Engineering, 8(10), pp.891–892. Encyclopedic, W., 1996. Webster’s Encyclopedic Unabridged Dictionary of the English Language. Escoe, K., 2006. Piping and pipelines assessment guide, Gulf Professional Publishing. Famurewa, S.M. et al., 2015. Maintenance analysis for continuous improvement of railway infrastructure performance. Structure and Infrastructure Engineering, 11(7), pp.957–969. Fell, R., 1994. Landslide risk assessment and acceptable risk. Canadian Geotechnical Journal, 31(2), pp.261–272. Ferdous, R. et al., 2011. Fault and event tree analyses for process systems risk analysis: uncertainty handling formulations. Risk Analysis, 31(1), pp.86–107. Ferdous, R. et al., 2009. Handling data uncertainties in event tree analysis. Process safety and environmental protection, 87(5), pp.283–292. First Quartile Consulting, L., 2010. CAMPUT Benchmarking For Regulatory Purposes, First Quartile Consulting, LLC. Available at: http://www.camput.org/wp-content/uploads/2013/03/2010-04-14CAMPUTBenchmarkingFinalReport.pdf. Fisher, D., Miertschin, S. & Pollock Jr, D.R., 1995. Benchmarking in construction industry. Journal of management in engineering, 11(1), pp.50–57.  178  Fleming, M., 2000. Safety culture maturity model. OFFSHORE TECHNOLOGY REPORT-HEALTH AND SAFETY EXECUTIVE OTH. Frangopol, D. & Tsompanakis, Y., 2014. Maintenance and Safety of Aging Infrastructure: Structures and Infrastructures Book Series, CRC Press. Frangopol, D.M. & Bocchini, P., 2012. Bridge network performance, maintenance and optimisation under uncertainty: accomplishments and challenges. Structure and Infrastructure Engineering, 8(4), pp.341–356. Frangopol, D.M. & Liu, M., 2007. Bridge network maintenance optimization using stochastic dynamic programming. Journal of Structural Engineering, 133(12), pp.1772–1782. Frangopol, D.M. & Liu, M., 2007. Maintenance and management of civil infrastructure based on condition, safety, optimization, and life-cycle cost∗. Structure and infrastructure engineering, 3(1), pp.29–41. Frangopol, D.M., Saydam, D. & Kim, S., 2012. Maintenance, management, life-cycle design and performance of structures and infrastructures: a brief review. Structure and Infrastructure Engineering, 8(1), pp.1–25. Furchtgott-Roth, D., 2013. Pipelines are safest for transportation of oil and gas, Manhattan Institute for Policy Research. Gardent, P. & Nonant, L., 1963. Entretien et renouvellement d’un parc de machines. Revue Francause de Recherche Operationelle, 7, pp.5–19. Geary, W., 2002. Risk based inspection: a case study evaluation of offshore process plant, Report HSL/2000/20, Health and Safety Laboratory, Scheffield. Gertsbakh, I.B., 1977. Models of preventive maintenance, Elsevier Science & Technology. Goodfellow, R. & Jonsson, K., 2015. Pipeline Integrity Management Systems (PIMS). Oil and Gas Pipelines: Integrity and Safety Handbook, pp.1–12. Goulart, C., 2013. Resolving the safety culture/safety climate debate. Occupational Health & Safety. Govan, P. & Reinschmidt, K., 2013. Benchmarking Natural Gas Pipeline Projects. In Pipelines 2013: Pipelines and Trenchless Construction and Renewals—A Global Perspective. pp. 1532–1542. Grall, A., Bérenguer, C. & Dieulle, L., 2002. A condition-based maintenance policy for stochastically deteriorating systems. Reliability Engineering & System Safety, 76(2), pp.167–180.  179  Guldenmund, F. et al., 2006. The development of an audit technique to assess the quality of safety barrier management. Journal of hazardous materials, 130(3), pp.234–241. Guldenmund, F.W., 2007. The use of questionnaires in safety culture research–an evaluation. Safety Science, 45(6), pp.723–743. Guo, B. et al., 2005. Offshore Pipelines, Elsevier. Gupta, A. & Lawsirirat, C., 2006. Strategically optimum maintenance of monitoring-enabled multi-component systems using continuous-time jump deterioration models. Journal of Quality in Maintenance Engineering, 12(3), pp.306–329. Hagene, J.K. et al., 2005. Pipeline internal inspection device and method. Hallen, J., Caleyo, F. & Gonzalez, J., 2003. Probabilistic condition assessment of corroding pipelines in Mexico. In Proceedings of the 3rd Pan American Conference for Nondestructive Testing (PANNDT), Rio de Janeiro, Brazil. Han, Z. & Weng, W., 2011. Comparison study on qualitative and quantitative risk assessment methods for urban natural gas pipeline network. Journal of Hazardous Materials, 189(1), pp.509–518. Hart, A., Northmore, S. & Gerhardt, C., 2009. Briefing paper: Auditing, benchmarking and evaluating public engagement. National Co-ordinating Centre for Public Engagement, Bristol. Hassan, I. et al., 2017. Linking Safety Culture Assessment with Integrity Management Program: A Comprehensive Framework for Oil and Gas Pipeline Industry. submitted to Safety Science. Hassan, J. & Khan, F., 2012a. Risk-based asset integrity indicators. Journal of Loss Prevention in the Process Industries, 25(3), pp.544–554. Hassan, J. & Khan, F., 2012b. Risk-based asset integrity indicators. Journal of Loss Prevention in the Process Industries, 25(3), pp.544–554. Health, Commission, S. & others, 1993. ACSNI study group on human factors. Healy, J. et al., 2004. Using benchmarking to optimise the cost of pipeline integrity management. In Pigging Products and Servicing Association London Seminar. London, UK. Retrieved from http://ppsa-online. com/papers. php PPSA. Higgs, P.A. et al., 2004. A survey on condition monitoring systems in industry. In Proceedings of the ASME 7th Biennial Conference on Engineering Systems Design and Analysis, Manchester, UK. pp. 19–22.  180  Holstvoogd, R. et al., 2006. Hearts and Minds programmes the road map to improved HSE culture. In INSTITUTION OF CHEMICAL ENGINEERS SYMPOSIUM SERIES. Institution of Chemical Engineers; 1999, p. 176. Huang, D., Chen, T. & Wang, M.-J.J., 2001. A fuzzy set approach for event tree analysis. Fuzzy sets and systems, 118(1), pp.153–165. Hudson, P., 2007. Implementing a safety culture in a major multi-national. Safety Science, 45(6), pp.697–722. Hudson, P.T. et al., 2002. The Hearts and Minds Program: Understanding HSE Culture. In SPE International Conference on Health, Safety and Environment in Oil and Gas Exploration and Production. Society of Petroleum Engineers. Inc, M., 2017. Asset Performance Management vs Asset Integrity Management: What’s the Difference? Available at: https://metegrity.com/media/articles/asset-performance-management-vs-asset-integrity-management. Iqbal, H. et al., 2018. IMPAKT: Oil and Gas Pipeline Integrity Management Program Assessment. Journal of Pipeline Systems Engineering and Practice, 9(3), p.06018003. Iqbal, H., Tesfamariam, S., et al., 2016. Inspection and maintenance of oil & gas pipelines: a review of policies. Structure and Infrastructure Engineering, pp.1–22. Iqbal, H., Waheed, B., et al., 2016. Revisiting Pipeline Integrity Management Program: A Risk Assessment Framework. iSixSigma, 2017. Understanding the Purpose and Use of Benchmarking. Available at: https://www.isixsigma.com/methodology/benchmarking/understanding-purpose-and-use-benchmarking (Accessed on 05/06/2017)). Jardine, A.K., Lin, D. & Banjevic, D., 2006. A review on machinery diagnostics and prognostics implementing condition-based maintenance. Mechanical systems and signal processing, 20(7), pp.1483–1510. Jeong, I., Leon, V. & Villalobos, J., 2007. Integrated decision-support system for diagnosis, maintenance planning, and scheduling of manufacturing systems. International Journal of Production Research, 45(2), pp.267–285. Jo, Y.-D. & Ahn, B.J., 2005. A method of quantitative risk assessment for transmission pipeline carrying natural gas. Journal of hazardous materials, 123(1), pp.1–12. Jo, Y.-D. & Crowl, D.A., 2008. Individual risk analysis of high-pressure natural gas pipelines. Journal of Loss Prevention in the Process Industries, 21(6), pp.589–595.  181  Kabir, G., Sadiq, R. & Tesfamariam, S., 2013. A review of multi-criteria decision-making methods for infrastructure management. Structure and Infrastructure Engineering, (ahead-of-print), pp.1–35. Al-Khalil, M., Assaf, S. & Al-Anazi, F., 2005. Risk-based maintenance planning of cross-country pipelines. Journal of performance of constructed facilities, 19(2), pp.124–131. Khan, F., Sadiq, R. & Haddara, M., 2004. Risk-based inspection and maintenance (RBIM): multi-attribute decision-making with aggregative risk analysis. Process Safety and Environmental Protection, 82(6), pp.398–411. Khan, F.I. & Abbasi, S., 2001. Risk analysis of a typical chemical industry using ORA procedure. Journal of Loss Prevention in the Process Industries, 14(1), pp.43–59. Khan, F.I. & Haddara, M.M., 2003. Risk-based maintenance (RBM): a quantitative approach for maintenance/inspection scheduling and planning. Journal of Loss Prevention in the Process Industries, 16(6), pp.561–573. Kim, S. & Frangopol, D.M., 2012. Probabilistic bicriterion optimum inspection/monitoring planning: applications to naval ships and bridges under fatigue. Structure and Infrastructure Engineering, 8(10), pp.912–927. Kim, S., Frangopol, D.M. & Soliman, M., 2013. Generalized probabilistic framework for optimum inspection and maintenance planning. Journal of Structural Engineering, 139(3), pp.435–447. Kishawy, H.A. & Gabbar, H.A., 2010. Review of pipeline integrity management practices. International Journal of Pressure Vessels and Piping, 87(7), pp.373–380. Klechka, E.W., 2002. Pipeline integrity management and corrosion control. Materials performance, 41(6), pp.24–27. Labib, A.W., 2004. A decision analysis model for maintenance policy selection using a CMMS. Journal of Quality in Maintenance Engineering, 10(3), pp.191–202. Lawrence, W.W., 1976. Of acceptable risk. William Kaufmann, Los Altos, CA. Lees, F., 2012. Safety Culture. In Lees’ Loss prevention in the process industries: Hazard identification, assessment and control, Butterworth-Heinemann. Lewis, S. & Edwards, T., 1997. Smart sensors and system health management tools for avionics and mechanical systems. In Digital Avionics Systems Conference, 1997. 16th DASC., AIAA/IEEE. IEEE, pp. 8–5. Li, F. et al., 2011. A grouping model for distributed pipeline assets maintenance decision. In Quality, Reliability, Risk, Maintenance, and Safety Engineering (ICQR2MSE), 2011 International Conference on. IEEE, pp. 601–606.  182  Li, F. et al., 2014. Group Maintenance Scheduling: A Case Study for a Pipeline Network. In Engineering Asset Management 2011. Springer, pp. 163–177. Lipol, L.S. & Haq, J., 2011. Risk analysis method: FMEA/FMECA in the organizations. International Journal of Basic & Applied Sciences, 11(5), pp.74–82. Liu, H., 2003. Pipeline engineering, CRC Press. Liu, Y. et al., 2011. An optimal sequential preventive maintenance policy under stochastic maintenance quality. Structure and Infrastructure Engineering, 7(4), pp.315–322. Löfsten, H., 1999. Management of industrial maintenance-economic evaluation of maintenance policies. International Journal of Operations & Production Management, 19(7), pp.716–737. Maddin, K. & Shanks, D.A., 2016. Adapting Safety Culture Assessments to the Pipeline Industry. In 2016 11th International Pipeline Conference. American Society of Mechanical Engineers, pp. V002T01A020–V002T01A020. Manian, L. & Hodgdon, A., 2005. Pipeline integrity assessment and management. Materials performance, 44(2), pp.18–22. Markowski, A.S., Mannan, M.S. & Bigoszewska, A., 2009. Fuzzy logic for process safety analysis. Journal of Loss Prevention in the Process Industries, 22(6), pp.695–702. Mearns, K. et al., 2001. Human and organizational factors in offshore safety. Work & Stress, 15(2), pp.144–160. Michael Baker Jr., I., 2008. Comparison of US and Canadian Transmission Pipeline Consensus Standards, Department of Transportation Pipeline and Hazardous Materials Safety Administration Office of Pipeline Safety. Available at: https://primis.phmsa.dot.gov/.../FinalReport_TransborderStandards.pdf. Miesner, T.O. & Leffler, W.L., 2006. Oil & gas pipelines in nontechnical language, PennWell Corporation. Minds, C., 2008. A Practical Guide for Behavioural Change in the Oil & Gas Industry. Step Change in Safety Website. Available online: http://www. stepchangeinsafety. net/knowledgecentre/publications/publication. cfm/publicationid/16 (accessed on 29 November 2016). Miri Lavasani, M. et al., 2011. Application of fuzzy fault tree analysis on oil and gas offshore pipelines. International Journal of MArine Science and Engineering, 1(1), pp.29–42. Moan, T., 2005. Reliability-based management of inspection, maintenance and repair of offshore structures. Structure and Infrastructure Engineering, 1(1), pp.33–62.  183  Mohitpour, M., Murray, M.A. & McManus, M., 2010. Pipeline Integrity Assurance: A Practical Approach, American Society of Mechanical Engineers. Moubray, J. & Lanthier, J., 1991. Reliability-centred maintenance, Butterworth-Heinemann Oxford. Moya, M.C.C., 2004. The control of the setting up of a predictive maintenance programme using a system of indicators. Omega, 32(1), pp.57–75. Najafi, M. & Kulandaivel, G., 2005. Pipeline condition prediction using neural network models. In Pipelines 2005@ sOptimizing Pipeline Design, Operations, and Maintenance in Today’s Economy. ASCE, pp. 767–781. Al-Najjar, B., 1997. Condition-Based Maintenance: Selection and Improvement of a Cost-Effective Vibration-Based Maintenance Policy for Rolling element Bearings, Lund University. Nakagawa, T. & Osaki, S., 1974. The optimum repair limit replacement policies. Operational Research Quarterly, pp.311–317. NARWGSC, 2016. Safety Culture Indicators Research Project: A Regulatory Perspective. Available at: http://www.cnlopb.ca/pdfs/indicators.pdf?lbisphpreq=1 (Accessed on 09/27/2016). NEB, 2016. Advancing Safety in the Oil and Gas Industry - Statement on Safety Culture. Available at: https://www.neb-one.gc.ca/sftnvrnmnt/sft/sftycltr/sftycltrsttmnt-eng.pdf (Accessed on 11/05/2016). Nessim, M. et al., 2008. Obtaining corrosion growth rates from repeat in-line inspection runs and dealing with the measurement uncertainties. In 2008 7th International Pipeline Conference. American Society of Mechanical Engineers, pp. 593–600. Nessim, M. et al., 2009. Reliability Based Design and Assessment for Location-Specific Failure Threats With Application to Natural Gas Pipelines. Journal of Pressure Vessel Technology, 131(4), p.041701. Nessim, M., Yue, H. & Zhou, J., 2010. Application of Reliability Based Design and Assessment to Maintenance and Protection Decisions for Natural Gas Pipelines. In 2010 8th International Pipeline Conference. American Society of Mechanical Engineers, pp. 625–634. Newell, G.E., 1999. Oil analysis cost-effective machine condition monitoring technique. Industrial Lubrication and tribology, 51(3), pp.119–124. Noor, N., Ozman, N. & Yahaya, N., 2011. Deterministic prediction of corroding pipeline remaining strength in marine environment using DNV RP-F101 (Part A). Journal of Sustainability Science and Management, 6(1), pp.69–78.  184  NRC, 2014. Pipeline Facts | Natural Resources Canada. Available at: http://www.nrcan.gc.ca/energy/infrastructure/13751. NRC, 2016. Pipelines Across Canada. Available at: http://www.nrcan.gc.ca/energy/infrastructure/18856. NTSB, 2010. Pacific Gas and Electric Company, Natural Gas Transmission Pipeline Rupture and Fire, San Bruno, California, National Transportation Safety Board. Available at: http://www.ntsb.gov/investigations/AccidentReports/Reports/PAR1101.pdf. NTSB, 2000. Pipeline Accident Report, Natural Gas Pipeline Rupture and Fire Near Carlsbad, New Mexico, National Transportation Safety Board, Washington, D.C. Available at: http://www.ntsb.gov/investigations/AccidentReports/Reports/PAR0301.pdf. Nyström, B. & Söderholm, P., 2010. Selection of maintenance actions using the analytic hierarchy process (AHP): decision-making in railway infrastructure. Structure and Infrastructure Engineering, 6(4), pp.467–479. OGP, 2008. Asset integrity – the key to managing major incident risks- Report No.415, International Association of Oil & Gas Producers. Opila, M.C. & Attoh-Okine, N., 2011. Novel Approach in Pipe Condition Scoring. Journal of pipeline systems engineering and practice, 2(3), pp.82–90. Palady, P., 1995. Failure modes and effects analysis: predicting & preventing problems before they occur. West Palm Beach, FL: PT Publications. Pandey, M., 1998. Probabilistic models for condition assessment of oil and gas pipelines. NDT & E International, 31(5), pp.349–358. Pandey, M. & Lu, D., 2013. Estimation of parameters of degradation growth rate distribution from noisy measurement data. Structural Safety, 43, pp.60–69. Papadakis, G.A., 2000. Assessment of requirements on safety management systems in EU regulations for the control of major hazard pipelines. Journal of hazardous materials, 78(1), pp.63–89. Parvizsedghy, L. et al., 2014. Condition-based maintenance decision support system for oil and gas pipelines. Structure and Infrastructure Engineering, (ahead-of-print), pp.1–15. Peekema, R.M., 2013a. Causes of natural gas pipeline explosive ruptures. Journal of Pipeline Systems Engineering and Practice, 4(1), pp.74–80. Peekema, R.M., 2013b. Causes of natural gas pipeline explosive ruptures. Journal of Pipeline Systems Engineering and Practice, 4(1), pp.74–80.  185  Pham, H. & Wang, H., 1996. Imperfect maintenance. European journal of operational research, 94(3), pp.425–438. Pickering, I.M. & Chambers, S., 1991. Competitive benchmarking: progress and future development. Computer Integrated Manufacturing Systems, 4(2), pp.98–102. Pidgeon, N.F., 1991. Safety culture and risk management in organizations. Journal of cross-cultural psychology, 22(1), pp.129–140. Psarrpopulos, P.N., Antoniou, A. & Tsompanakis, Y., 2014. Earthquake-Related Geogazards and Seismic Design of Pipelines. In Second European Conference on Earthquake Engineering and Seismology, Istanbul. Rahim, Y., Refsdal, I. & Kenett, R.S., 2010. The 5C model: A new approach to asset integrity management. International Journal of Pressure Vessels and Piping, 87(2), pp.88–93. Rangel-Ram𝚤rez, J.G. & Sørensen, J.D., 2012. Risk-based inspection planning optimisation of offshore wind turbines. Structure and Infrastructure Engineering, 8(5), pp.473–481. Rankin, L.G., 2004. Pipeline integrity information integration. Materials performance, 43(6), pp.56–60. Reason, J., 2016. Managing the risks of organizational accidents, Routledge. Refinery, B.T.C., 2007. INVESTIGATION REPORT - REFINERY EXPLOSION AND FIRE, U.S. CHEMICAL SAFETY AND HAZARD INVESTIGATION BOARD. Available at: www.csb.gov/assets/1/19/csbfinalreportbp.pdf (Accessed on 09/21/2016). Revie, R.W., 2015. Oil and Gas Pipelines: Integrity and Safety Handbook, John Wiley & Sons. Rhee, S. & Spencer, C., 2009. Life Cost Based FMEA Manual: A step by step guide to carrying out a cost-based failure modes and effects analysis, Stanford Linear Accelerator Center (SLAC). Rimington, J., 1993. Overview of risk assessment. Process Safety and Environmental Protection, 71, pp.112–112. Saaty, T.L., 1996. Decision making with dependence and feedback: The analytic network process, RWS publications Pittsburgh. Saaty, T.L., 2008. Decision making with the analytic hierarchy process. International journal of services sciences, 1(1), pp.83–98. Saaty, T.L., 1990. How to make a decision: the analytic hierarchy process. European journal of operational research, 48(1), pp.9–26.  186  Sadiq, R., Saint-Martin, E. & Kleiner, Y., 2008. Predicting risk of water quality failures in distribution networks under uncertainties using fault-tree analysis. Urban Water Journal, 5(4), pp.287–304. Sahraoui, Y., Khelif, R. & Chateauneuf, A., 2013. Maintenance planning under imperfect inspections of corroded pipelines. International Journal of Pressure Vessels and Piping, 104, pp.76–82. Sawyer, J.P. & Rao, S., 1994. Fault tree analysis of fuzzy mechanical systems. Microelectronics Reliability, 34(4), pp.653–667. Schneider, J. et al., 2011. An analysis of reported sustainability-related efforts in the petroleum refining industry. The Journal of Corporate Citizenship, (44), p.69. Schneider, J. et al., 2015. Towards sustainability in the oil and gas sector: benchmarking of environmental, health, and safety efforts. Journal of Environmental Sustainability, 3(3), p.6. Schoeder, D.M. & Robinson, A.G., 1991. America’s most successful export to Japan: Continuous improvement programs. Quality control and applied statistics, 36(11), pp.655–656. Sentz, K. & Ferson, S., 2002. Combination of evidence in Dempster-Shafer theory, Citeseer. Shahriar, A., Sadiq, R. & Tesfamariam, S., 2012. Risk analysis for oil & gas pipelines: A sustainability assessment approach using fuzzy based bow-tie analysis. Journal of Loss Prevention in the Process Industries, 25(3), pp.505–523. Sharma, R.K., Kumar, D. & Kumar, P., 2005. Systematic failure mode effect analysis (FMEA) using fuzzy linguistic modelling. International Journal of Quality & Reliability Management, 22(9), pp.986–1004. Simonoff, J.S., Restrepo, C.E. & Zimmerman, R., 2010. Risk management of cost consequences in natural gas transmission and distribution infrastructures. Journal of Loss Prevention in the Process Industries, 23(2), pp.269–279. Singh, M. & Markeset, T., 2009. A methodology for risk-based inspection planning of oil and gas pipes based on fuzzy logic framework. Engineering Failure Analysis, 16(7), pp.2098–2113. Singh, M. & Markeset, T., 2014a. Handling of variability in probabilistic and possibilistic failure analysis of corroded pipes. International Journal of System Assurance Engineering and Management, 5(4), pp.503–512. Singh, M. & Markeset, T., 2014b. Hybrid models for handling variability and uncertainty in probabilistic and possibilistic failure analysis of corroded pipes. Engineering Failure Analysis, 42, pp.197–209.  187  Singh, M. & Markeset, T., 2014c. Simultaneous handling of variability and uncertainty in probabilistic and possibilistic failure analysis of corroded pipes. International Journal of System Assurance Engineering and Management, 5(1), pp.43–54. Singh, V.P., Jain, S.K. & Tyagi, A., 2007. Risk and reliability analysis: a handbook for civil and environmental engineers. In ASCE. Sorensen, J., 2002. Safety culture: a survey of the state-of-the-art. Reliability Engineering & System Safety, 76(2), pp.189–204. Spouge, J. & others, 1999. A guide to quantitative risk assessment for offshore installations, CMPT. Stamatis, D.H., 2003. Failure mode and effect analysis: FMEA from theory to execution, ASQ Quality Press. Stapenhurst, T., 2009. The benchmarking book, Routledge. Stenström, C. et al., 2015. Preventive and corrective maintenance–cost comparison and cost–benefit analysis. Structure and Infrastructure Engineering. Sun, Y., Fidge, C. & Ma, L., 2014. Optimizing Preventive Maintenance Strategies for Linear Assets. In Engineering Asset Management 2011. Springer, pp. 91–102. Taitel, Y., Barnea, D. & Brill, J., 1995. Stratified three phase flow in pipes. International Journal of Multiphase Flow, 21(1), pp.53–60. Tam, A., Chan, W. & Price, J., 2006. Optimal maintenance intervals for a multi-component system. Production Planning and Control, 17(8), pp.769–779. Tan, Z. et al., 2011. An evaluation of maintenance strategy using risk based inspection. Safety science, 49(6), pp.852–860. Tien, S.-W., Hwang, W.-T. & Tsai, C.-H., 2007. Study of a risk-based piping inspection guideline system. ISA transactions, 46(1), pp.119–126. Tixier, J. et al., 2002. Review of 62 risk analysis methodologies of industrial plants. Journal of Loss Prevention in the process industries, 15(4), pp.291–303. Transportation Pipeline, U.D. of & Administration, H.M.S., 2003. Operator Qualification: Glossary, Us Department of Transportation Pipeline and Hazardous Materials Safety Administration. Available at: https://primis.phmsa.dot.gov/oq/glossary.htm. Tronea, M., 2014. Trends and Challenges in Regulatory Assessment of Nuclear Safety Culture. International Nuclear Safety Journal, 3(1), pp.1–5.  188  Tsang, A.H., 1995. Condition-based maintenance: tools and decision making. Journal of Quality in Maintenance Engineering, 1(3), pp.3–17. Usher, J.S., Kamal, A.H. & Syed, W.H., 1998. Cost optimal preventive maintenance and replacement scheduling. IIE transactions, 30(12), pp.1121–1128. Wang, H., 2002. A survey of maintenance policies of deteriorating systems. European journal of operational research, 139(3), pp.469–489. Wang, T. et al., 2011. Establishment and Discovery of Pipeline Integrity Management System. In Reston, VA: ASCE copyright Proceedings of the International Conference on Pipelines and Trenchless Technology 2011 October 26. 29, 2011, Beijing, china| d 20110000. American Society of Civil Engineers. Wilcox, R.C. & Ayyub, B.M., 2003. Uncertainty modeling of data and uncertainty propagation for risk studies. In Uncertainty Modeling and Analysis, International Symposium on. IEEE Computer Society, pp. 184–184. Womack, J.P. & Jones, D.T., 1996. Beyond Toyota: how to root out waste and pursue perfection. Harvard business review, 74(5), p.140. Yam, R. et al., 2001. Intelligent predictive decision support system for condition-based maintenance. The International Journal of Advanced Manufacturing Technology, 17(5), pp.383–391. Yang, C. et al., 2010. Apu fmea validation and its application to fault identification. In ASME 2010 International Design Engineering Technical Conferences and Computers and Information in Engineering Conference. American Society of Mechanical Engineers, pp. 959–967. Yuhua, D. & Datao, Y., 2005. Estimation of failure probability of oil and gas transmission pipelines by fuzzy fault tree analysis. Journal of loss prevention in the process industries, 18(2), pp.83–88. Zhou, J. et al., 2009. Reliability-based design and assessment standards for onshore natural gas transmission pipelines. Journal of Pressure Vessel Technology, 131(3), p.031702. Zio, E., 2012. Prognostics and health management of industrial equipment. Diagnostics and Prognostics of Engineering Systems: Methods and Techniques, pp.333–356. 189   Appendix A Risk assessment: Models and Methods Risk can be defined as the considered expected loss or damage associated with the occurrence of a possible undesired event (Rimington 1993) . Sophisticated techniques are being used to identify the high-risk and to identify means for reducing the risk of accidents. Risk assessment is an alternative understanding of failures or the causes of the failures. Rimington (1993) described the risk assessment as the way of systemizing our approach to hazard with a view to determining what is more and what is less risky. Risk assessment is the understanding of probability of failure occurrence, its causes, and its consequences. It also include the causes and source of the risk. Qualitative, semi Quantitative and Quantitative techniques are used depending upon data availability and required degree of details.  The qualitative assessment defines probability of failure and consequences by significance level such as “high” medium and low. Semi quantitative methods rate the probability of failure and consequences through qualitative technique on numerical scale. The numerical values compute the risk level by using formulas. The scales may be linear, logarithmic or other relationship. The quantitative analysis is data oriented technique to estimate the probability of risk and its consequences. For example, the data gathered about asset’s condition through inspection and mentoring system is studied and transformed into the future prediction by using statistical and mathematical computation. The qualitative and semi- quantitative analysis are mostly dependent on expert judgement, therefore, the analysis carried the uncertainty due to human factor. Whereas the quantitative data used in quantitative analysis is influenced by the machine error and the human  190  error. However, the objective of the assessment is to understand, identify and predict the possible failures and the consequences. The Risk assessment is mostly consist of five modules (Arunraj & Maiti 2007b) Hazard analysis: is conducted to identify the failure scenario. The failure scenario is developed over the operational characteristics, physical condition, geometry of the system, and applied safety system. Likelihood assessment: is to calculate the occurrence of undesired event, its frequency or probability of failure for defined period of time. Consequence assessment: is to quantify the potential consequences of the failure scenario. The consequences are production and operational loss, asset loss, environmental loss, and health and safety loss.    Risk estimation: is carried out based on the consequences and probabilistic failure analysis. Risk is estimated for each unit.  Acceptable Risk: The computed risk is compared against the risk acceptance criteria. The acceptance criteria is usually defined in terms of the assumed probability of loss of life, cost effectiveness of risk reduction and cost benefit analysis (Fell 1994).   Risk assessment is the part of pipeline integrity management guidelines. ASME B31.8 S standard’s guidelines describe (ASME-B31.8S 2014); “Risk assessment shall be conducted for pipelines and related facilities. Risk assessment are required for both perspective-based and performance based integrity management programs”. The guidelines are about the risk assessment in different integrity processes. The objectives of risk assessment are described as;  191   Prioritizing the segment for the integrity assessment and mitigation action  Assessment of the benefits derived from mitigation action  Assessment of the integrity impact from inspection intervals  More effective resource allocations However, the objectives described may provide the rationale to the novel use of risk assessment in auditing process. Therefore, a novel approach is adopted in the presented research and risk assessment methodology is used for the IMP and safety culture auditing process. Different risk assessment methodologies are studied and their brief description are presented. The suitable technique will be selected which may be modified according to the requirements of auditing process. The brief review of different risk assessment methodologies is presented in following sections.             Risk Assessment methodologies  A number of qualitative and quantitative techniques, For example, fault tree analysis (FTA), event tree analysis (ETA), hazard and operability study (HAZOP), failure mode and effect analysis (FMEA),have been used for the risk assessment (Khan & Abbasi 2001; Shahriar et al. 2012). Tixier et al. (2002) reviewed 62  risk assessment methodologies from various references and classified them into deterministic, probabilistic, and combination of deterministic and probabilistic approaches.  The deterministic techniques are used for the product, the equipment and the quantification of consequences for various targets such as people, processes, environment and equipment. This approach postulates that the occurrence of a hazard and its consequences are known and certain.  192  The probabilistic methods are based on the probability or frequency of hazardous situation that may occur or on the occurrence of potential accident (Tixier et al. 2002). Again, they are cross-classified into groups of qualitative, quantitative and semi-quantitative (Table 2.5 Appendix B). Summary FMEA is bottom- up risk assessment tool, which is used in consumer goods, manufacturing and process industries (Sharma et al. 2005).It has strength to identify major failure modes in a system. However, It lacks in identifying complex failure modes involving multiple failures within a subsystem. Furthermore, in RPN calculation method, rank reversal may lead to wrong decisions and less serious failure mode receives a higher RPN than a more serious failure mode. The reason is the multiplication of ordinal scale ranking. For example, a ranking of "2" may not be twice as bad as a ranking of "1," or an "8" may not be twice as bad as a "4,"  (Lipol & Haq 2011). The other disadvantage of the RPN ranking method is that it neglects the relative importance among occurrence, severity and detectability. All three factors are taken as same importance but in real scenario, they have relative importance. For example a failure mode with a very high severity, low rate of occurrence, and moderate detectability (9, 3, and 5 respectively) may have a lower RPN (135) than Other failure mode which may have all moderate parameters (5, 6, and 6) and RPN of 180, even though it should have a higher priority for corrective action. However, Fuzzy FMEA may address these limitations and also address the uncertainty, which is inherent in the traditional assessment (Sharma et al. 2005).  FMECA is mostly applicable in risk assessment of the high-risk plants, such as nuclear and aerospace industries (Sharma et al. 2005). The most prominent weakness of FMECA is associated with Critically number (CN) calculations. The failure mode CN may be underestimated when it  193  has multiple effects in different severity categories since only the most severe effect is used in the calculation. Fault tree analysis (FTA) and event tree analysis (ETA) is a well established "top-down" analysis. Its strength is its qualitative analysis of hazards identification and a detail quantitative assessment of likelihood for the undesired events. FTA is limit to risk assessment of one specific failure effect and then identifies only those failure modes that can cause the particular effect, whereas a FMEA, Fuzzy FMEA or FMECA are able to identify all possible failure modes and their effects.   194  Review of Industrial standards CSA Z662 History Canadian Standards Association (operating as “CSA Group”), under whose auspices this National Standard has been produced, was chartered in 1919 and accredited by the Standards Council of Canada to the National Standards system in 1973. It is a not-forprofit, nonstatutory, voluntary membership association engaged in standards development and certification activities. A National Standard of Canada is a standard developed by an SCC accredited Standards Development Organization (SDO), and approved by the Standards Council of Canada (SCC), in accordance with SCC’s: Requirements and Guidance -Accreditation for Standards Development Organizations, and Requirements and Guidance -Approval of National Standards of Canada Designation. Objectives This Standard covers the design, construction, operation, maintenance, deactivation, and abandonment of oil and gas industry pipeline systems that convey. 1. liquid hydrocarbons, including crude oil, multiphase fluids, condensate, liquid petroleum products, natural gas liquids, and liquefied petroleum gas; 2. oilfield water; 3. oilfield steam; 4. liquid or dense phase carbon dioxide; or 5. gas. Vapour phase carbon dioxide pipeline systems  195  Clauses The Standard Clause 16.8.8 describe; The operating company shall develop, document, and implement an integrity management program that is in accordance with Annex N. The pipeline system integrity management program shall include procedures to monitor for conditions that can lead to failures, to eliminate or mitigate such conditions, and to manage integrity data. Such integrity management programs shall include a description of operating company commitment and responsibilities, quantifiable objectives, and methods for a) assessing risks; b) identifying risk reduction approaches and corrective actions; c) implementing the integrity management program; and d) monitoring results. The standard covers the pipeline design, construction.  Annex N (Guidelines for pipeline system integrity management programs) CSA Z662 Annex N is an informative guideline to build the pipeline IMP. This Annex provides guidelines for developing, documenting and implementing an integrity management program to provide safe, environmentally responsible, and reliable service. Annex N (Figure 2.2) described and discussed 15 components in the context of IMP development. The components have sub components. The  1. IMP Scope; 2. Corporate Policies, Objectives and Organization; 3. Description of pipeline systems; 4. IMP Records;  196  5. Change Management; 6. Competency and Training; 7. Hazard Identification and Control; 8. Risk Assessment; 9. Options for Reducing Uncertainty, Frequencies and Consequences of failure or damage incidents; 10. IMP Planning; 11. Inspections, testing, patrols, and monitoring; 12. Evaluation of inspection, testing, patrol, and monitoring results  13. Mitigation and repair 14. Continual improvement 15. Incident investigations  197  N.1Safety and Loss management systemN.2Integrity management program scopeN.3Corporate policies, objectives, and organizationN.4Description of pipeline systemsN.5 to N.7Integrity management proram records, change management, competency and trainingIdentify potential hazardsN.16Incident investigationsCan the hazard lead to significant consequences?Perform risk assessment ?Risk AssessmentIs risk significant ?Choose to refine risk analysisSelect control measure(s) for risk reductionChanges ?Review and evaluate program control methods and risk management cycle Implement activitiesEstablish plan and schedule activitiesSelect action for hazard controlYesNoYesYesNoNoNoNoN.8 Hazard identificationand control Figure 1: CSA Z662, Annex N, IMP Framework   198  ASME B31.8 S The code is specifically designed to provide the operators with the information necessary to establish the effective Integrity Management Program. The goal of the standard to establish the incident free operations of pipelines. The standard has the objectives (ASME-B31.8S 2014);  To provide the comprehensive, systematic and integrated IMP to improve the safety o f the pipeline  To provide the information to the operator to allocate the resources for appropriate prevention, detection and mitigation activities  The standard covers both prescriptive based and performance based integrity management programs.  Prescriptive process will provide the inspection, prevention, detection and mitigation activities necessary to develop the effective IMP. However, it doesn’t rule out the conformances with ASME-B31.8.  The performance based IMP is an alternative of prescriptive based IMP. It is data intensive approach with extensive risk analysis. It enables the operator to achieve more flexibility in order to meet or exceed the requirements of the code. Specifically in the areas of inspection intervals, tools, and mitigation techniques employed.  Performance based IMP is interlinked with prescriptive type IMP because the operators cannot proceed with performance based IMP until adequate inspections are performed that provide the information on the pipeline condition required by the prescriptive- based program.  This section will briefly described the structure of the standard   199  Objectives The code’s objective is to provide the guidelines for the comprehensive, systematic and integrated IMP which may lead improve the safety of pipelines system. Such IMP will;  Provides the information for an operator to effectively allocate resources for appropriate prevention, detection and mitigation activities  Improve safety and reduction in accidents The section 2.3 of the code describe the integrity management process. The code give seven integrity management process, which are; 1. Identify potential pipeline impact by Threat 2. Gathering, reviewing and integrating data 3. Risk assessment 4. Integrity Assessment 5. Response to integrity assessment, mitigation (Repair and preventions) and setting inspection intervals 6. Update, integrate and review data 7. Reassess Risk The code define and provide detailed description of these integrity management process and elements of integrity management programs. The requirements of prescriptive and performance based IMP is given in this code. The code describe 5 fundamental elements/ components of IMP; 1) integrity management plan, 2)  200  performance Plan, 3) Communication Plan, 4) Management of Change Plan, and 5) Quality Control Plan Integrity management plan The integrity management plan is developed after getting data and completing risk assessment for each threat and each pipeline segment.. The code describe the necessary “shall” clauses” for the risk assessment and inspection of the pipeline.  A performance based integrity management mplan containing the same structure as the prescriptive based integrity management plan. The management plan shall be updating with data collecting during inspection and mitigation activities, risk assessment . The paln framework have following clauses  1. Gathering, reviewing and integrating data 2. Assess Risk 3. Integrity Assessment  4. Response to integrity assessment, mitigation (repair and prevention) and intervels Performance Plan The code describe that “ Performance plan is required fro both performance-based IMP and prescriptive  based IMP. “ Integrity management plan evaluation shall be performed at least annually to provide a continuing measure of integrity management program effectiveness over time. The performance measurement plan cover; process or activity measure, operational measures, direct integrity measures.   201  The code does not prescribe any specific method for the performance measure. The code state that “An operator can evaluate a system’s integrity management program performance within their own system and also by comparison with other systems on an industry-wide basis.” This clause initiate the need of benchmarking in IMP. Performance measurement shall include all of the threat-specific metrics for each threat. The code prescribe the internal performance measure as well as external performance measured, which is referred as “ Performance measurement – industry based” “In addition to intersystem comparisons, external comparisons can provide a basis for performance measurement of the integrity management program. This can include comparisons with other pipeline operators, industry data sources, and jurisdictional data sources. Benchmarking with other gas pipeline operators can be useful; however, any performance measure or evaluation derived from such sources shall be carefully evaluated to ensure that all comparisons made are valid. Audits conducted by outside entities can also provide useful evaluation data. The standard also emphasised on continuous performance improvement “ The results of the performance measurements and audits shall be utilized to modify the integrity management program as part of a continuous improvement process. Internal and external audit results are performance measures that should be used to evaluate effectiveness in addition to other measures stipulated in the integrity management program. Recommendations for changes and/or improvements to the integrity management program shall be based on analysis of the performance measures and audits. The results, recommendations, and resultant changes made to the integrity management program shall be documented.  202  Communication Plan Communication plan is very important component of IMP. The code states that: “ The operator shall develop and implement a communications plan in order to keep appropriate company personnel, jurisdictional authorities, and the public informed about their integrity management efforts and the results of their integrity management activities.” The plan must address the; external communication and internal communications Internal Communication Operator management and other appropriate operator personnel must understand and support the integrity management program. This should be accomplished through the development and implementation of an internal communications aspect of the plan. Performance measures reviewed on a periodic basis and resulting adjustments to the integrity management program should also be part of the internal communications plan. External Communication The communication associated outside of the organization is considered to be external communication. It is included the communication with ; 1. Landowners and Tenants Along the Rights-of-Way 2. Public Officials Other Than Emergency Responders 3. Local and Regional Emergency Responders 4. General Public  203  Management of Change Plan Management of change shall address technical, physical, procedural, and organizational changes to the system, whether permanent or temporary. A management of change process includes the following: 1. reason for change 2. authority for approving changes 3. analysis of implications 4. acquisition of required work permits 5. documentation 6. communication of change to affected parties 7. time limitations 8. qualification of staff Quality Control Plan Quality control as defined for this Standard is the “documented proof that the operator meets all the requirements of their integrity management program.” Requirements of a quality control program include documentation, implementation, and maintenance. The following six activities are usually required: 1. identify the processes that will be included in the quality program 2. determine the sequence and interaction of these processes 3. determine the criteria and methods needed to ensure that both the operation and control of these processes are effective  204  4. provide the resources and information necessary to support the operation and monitoring of these processes 5. monitor, measure, and analyze these processes  6. implement actions necessary to achieve planned API 1160  The Standard is titled “Managing System Integrity for Hazardous Liquid Pipelines”. This standard provides guidance to the pipeline industry for managing integrity. However the standard also recommend to follow the regulatory guidelines “Operators should build upon the foundation established by the regulations to develop an integrity management program that best serves their unique operational needs.” Clauses Section 4 of the standards provide the specific information regarding the integrity management program.  A pipeline integrity management program should facilitate appropriate and timely actions on the part of a pipeline operator to assure that J pipeline system is continually operated in a manner that minimizes risk to the public /employees, the environment, or the customers. it is the intent of this document to provide a guideline for pipeline operators to use in developing their pipeline integrity management plans (lMPs).  In simplest terms a pipeline integrity management program should:  identify threats to pipeline integrity,   identify potential consequences to the public and the environment in the event of a release,  205   rank segments of the pipeline system according to the risk each poses,  provide for assessment of the integrity of each segment in a timely manner based on identified threats and the risk to minimize the possibility of a release,  specify repairs or mitigative actions to carry out in a timely manner to prevent releases,  establish reassessment frequencies,  define preventive and mitigative measures to address relevant threats including those not covered by integrity assessments,  use the findings of integrity assessments to update and improve the integrity management process. The program process flow shown in Figure 2 provides a common structure upon which to develop an operator specific integrity management program. As implied by the feedback loop in Figure 2, an integrity management program involves a continuous cycle of monitoring pipeline condition, identifying and assessing risks, and taking action to minimize the most significant risk. Risk assessments should be periodically updated and revised to reflect current conditions so operator can most effectively use their finite resources to achieve the goal of error-free, spill-free operation. Elements of integrity management 1. Identify potential pipeline impacts to critical locations 2. Data gathering, review and integration 3. Risk assessment 4. Development of a pipeline integrity assessment plan 5. Inspection, Mitigation and or Remediation 6. Revise Integrity assessment plan and continue to assess periodically  206  7. Establish and implement preventive and mitigative measures 8. Evaluate program 9. Manage change 10. Update, integrate and review data 11. Reassess Risk 12. Integrity management of pipeline stations and terminals     207   Appendix B  Auxiliary Tables and Figures Tables and Figures  Table 2.9: Probabilistic models for pipeline condition prediction Reference Model Method Pandey (1998) Probabilistic analysis, Monte Carlo simulation The pipe internal condition prediction model is applied to determine the optimal inspection interval and maintenance strategy  Ahammed (1998) Probabilistic, A non-linear limit state model Model is used to determining the remaining life of pressurized pipeline in the presence of active corrosion Caleyo, Velázquez, Valor, & Hallen (2009) Markov chain model Markov chains are used for modelling external pitting corrosion Papavinasam, Doiron, & Revie (2010) Design of experiment , Statistical model The model predicts the growth of internal pits based on the operational parameters of the field. It also considers the variation of the pitting corrosion rate as a function of time and determines the error in the prediction. Breton, Sanchez-Gheno, Alamilla, & Alvarez-Ramirez (2010) Bayesian probabilistic model  Probabilistic model based on Bayesian approach to determine the failure rate, risk evaluation and maintenance policies.  (Pandey & Lu 2013) Bayesian statistics based comprehensive two-stage hierarchical model Estimation of parameters of degradation growth rate distribution from noisy degradation measurement data, and formulates the associated maximum likelihood function Ossai, Boswell, & Davies (2015) Probabilistic analysis, Monte Carlo simulation To estimate the internal pit depth growth and reliability of aged oil and gas pipelines Hui Wang, Yajima, Liang, & Castaneda (2015a) Bayesian inferential framework  The framework assumes the actual corrosion defect depth based on detection theory and used  cluster analysis to find the effect of soil property variation on external corrosion  Hui Wang, Yajima, Liang, & Castaneda, (2015b) The combination of hidden Markov random field theory and a finite mixture model To predict the effect of heterogeneous soil properties on external corrosion growth.  Jain et al. (2015) Probabilistic model using Bayesian network method Estimation of external corrosion growth on pipes for quantitative risk assessment    208  Table 2.2: Types of maintenance policies for single units and pipeline assets Type of assets Type of policies Age-Based Policies Service Time Policies Failure limit base policies Condition based Policies Risk-based policies Units/Plants      Pipelines           209  Table 2.3: Summary of literature on extended preventive maintenance policy models for single units Source Decision criteria Action Age Time in service Fixed cost No of Failure / Repair limit Repair Replacement/Repair Imperfect / minimal Perfect Periodic One time Block Fixed Sequential (Barlow & Hunter 1960)           (Gardent & Nonant 1963)           (Makabe & Morimura 1963)           (Drinkwater & Hastings 1967)           (Morimura 1969)           (Nakagawa & Osaki 1974)           (Tahara & Nishida 1975)            (Berg & Epstein 1976)           (Tango 1978)           (Bergman 1978)           (Park 1979)           (Nakagawa 1980)           (Nakagawa 1981b)           (Nakagawa 1981a)           (Nguyen & Murthy 1981)           (Nguyen & Murthy 1981)           (Beichelt 1982)           (Nakagawa 1984)           (Nakagawa 1986)           (Lie & Chun 1986)           (Nakagawa 1986)(Nakagawa 1988)           (Yun & Bai 1987)           (Valdez-Flores & Feldman 1989)           (Yeh 1988)           (Kapur et al. 1989)           (Stadje & Zuckerman 1990)           (Makiš & Jardine 1991), (Makis & Jardine 1993)           (Chun 1992)           (Kijima & Nakagawa 1992)           (Block et al. 1993)           (Sheu et al. 1993) (Sheu et al. 1995)           (Dagpunar & Jack 1994)           (Liu et al. 1995) (Pham & Wang 1996)           (Pham & Wang 1996)           (Koshimae et al. 1996)           (Dohi et al. 1997)           (Wang & Pham 1999).           (Wang & Pham 1999)           (Castro & Sanjuán 2008)            210  Table 2.4: Summary of different types of preventive maintenance policies for single units Preventive maintenance policies Type of units Decision Criteria Actions Aged-Based  Repairable  Predefined age or complete failure before the age maintained preventively at predetermined ages and is replaced only at the complete failure Non-repairable replaced at a predetermined age regardless of the condition Time in Service-Based Decision Policies  Repairable Time in service. The time interval is independent of the failure history  Imperfect maintenance till the unit replaced at complete failure.  Failure/Repair Limit Based Decision Policies Repairable specific (predetermined) number of failures or repairs Replacement after fixed numbers of failure/ repair. Repairs are imperfect              211  Table 2.5: Classification of risk analysis methodologies modified after (Arunraj & Maiti 2007a) Techniques Methodologies  Probabilistic Deterministic Probabilistic and deterministic Qualitative - Delphi technique  - expert judgment - rapid ranking  - Action error analysis  - Checklist - Concept hazard analysis - Goal oriented failure analysis - Hazard and operatibility (HAZOP) - Human hazard operability (Human HAZOP) - Hazard identification system (HAZID) - Master logic diagram - Optimal hazard and operability (OptHAZOP) - Plant level safety analysis (PLSA) - Preliminary risk analysis - Process hazard analysis (PHA) - Reliability block diagram (RBD) - Task analysis - What if? Analysis - Sneak analysis - Risk matrix - Maximum credible accident analysis - Safety culture hazard and operability (SCHAZOP) - Structural reliability analysis  Semi-Quantitative - IAEA-TECDOC-727 - Maintenance analysis - Semi-quantitative fault tree analysis - Shortcut risk assessment - Domino effect analysis - Layers of protection analysis (LOPA) - Predictive risk index - World health organization (WHO) - Risk priority number  - Failure mode effect analysis (FMEA) -  - Safety analysis - Failure mode effect criticality analysis (FMECA)  - Facility risk review (FRR)  Quantitative - Event tree analysis (ETA) - Fault tree analysis (FTA) - Petri nets - Probabilistic fault tree (PROFAT) - Fuzzy fault tree analysis - Risk integral  - Accident hazard index - Chemical runaway reaction hazard index - Dow’s chemical exposure index (CEI) - Dow’s fire and explosion index (FEI) - Fire and explosion damage index (FEDI) - Hazard identification and ranking (HIRA) - Instantaneous fractional annual loss (IFAL) - Reactivity risk index (RRI) - Safety weighted hazard index (SWeHI) - Toxic damage index (TDI)  - Method organised systematic analysis of  risk (MOSAR) - Quantitative risk analysis (QRA) - Rapid risk analysis - Probabilistic risk analysis (PRA) - International study group on risk analysis (ISGRA) - Optimal risk assessment (ORA) - IDEF methodology       212  Table 2.6: Description of techniques used in risk analysis modified after (Arunraj & Maiti 2007a) Risk analysis  steps Techniques  Hazard analysis (failure scenario development) - Maximum credible accident scenario (MCAS) - Event tree development  Consequence estimation - Source models - Impact intensity models - Toxic gas models - Explosions and fires models - Expert opinion Likelihood estimation - Fault tree analysis (FTA) - Probabilistic fault tree analysis (PROFAT) - Expert opinion - FMEA** Risk estimation - Fuzzy logic - Risk matrix - Simple product of probability of failure and damage loss Risk acceptance - Dutch acceptance criteria - ALARP (as low as reasonably possible) - USEPA acceptance criteria Maintenance planning - Reverse fault analysis - Analytical hierarchy process (AHP)              213  Table 2.7: Analysis of maintenance policies in the perspective of oil and gas pipelines Policy Assessment criteria Decision criteria  Pros Cons Suitability for pipelines Corrective maintenance policy Complete failure  Failure information  Cost effective  Long downtime Not appropriate for the Pipelines Preventive maintenance policy Predefined intervals, e.g., Age, service    Expert’s opinion  Industrial  historical practice   last repair  Reduced the incidence   Cost effective   reduction in a production loss  Decisions are very subjective, the condition of the pipeline was not assessed.  Not appropriate for the high consequences Pipelines Predictive Maintenance / Condition-based Maintenance policy Condition based assessment   Inspection and condition assessment  Real-time assessment of pipelines.   High inspection cost.  Uncertainties of inspection process  Decisions are limited to the condition assessment  Challenges for determining the  inspection intervals Suitable for Pipelines Proactive Maintenance / Risk Based Maintenance Policies Risk assessment associated with condition and failure  Inspection and condition assessment  Risk assessment  need-based maintenance strategy  Real-time assessment of pipelines.  Decrease the probability of harmful events   Reduce the harmful consequences of the occurred events   Uncertainties and variability in inspection data  conservative assumptions  Subjectivity of the decision-makers’ opinion  Most used policy for Oil and gas pipelines  214  Table 2.8: Summary and evaluation of risk based maintenance policies for oil and gas pipelines Uncertainties due to  Causes Effect Solutions Assumptions / limitations Lack of data in quantitative models  - Limited availability of accident data (Jo & Ahn 2005; Jo & Crowl 2008) - Insufficient data about population density, economy condition, pipeline operation parameters and, wall thickness (Bartenev et al. 1996) - Increase uncertainty of the risk analysis - (Dawotola et al. 2009) - fitting historical data of failure by homogenous Poisson process  - Corrosion assumed to be uniform process - Pipeline system will be restored as new after minimal repair - Repair will not affect the pipeline failure frequency  - Homogeneity in pipeline segment - (Han & Weng 2011) Grey Correlation Theory and the Reliability Engineering Theory  - Causation index inherent risk index and consequence index have the same weight and have equal contribution to the risk - Entire pipeline as a single segment  - Dimensionless transformation is used to convert the original sequence of data into comparable sequence as a single segment - (Deng 1989) Grey correlation theory  - Co-relation depends upon the similarity of the geometric shape of the data series curves Subjectivity in qualitative models - Subjectivity in expert opinion - Use of absolute risk number (API-580 2009) - Variation in selection of failure mechanism - Variation, in conclusion, averaging of all consequences - Neglecting the impact of individual consequence - Difference in contents of inspections and inspection intervals - vast variation in the results of the risk-based analysis (Geary 2002), (Khan et al. 2004) - (Khan et al. 2004) Fuzzy logic aggregative risk analysis  - Fuzziness in likelihood failure and their consequences - (Khan & Haddara 2003) Fault tree and reverse fault tree analysis  - Predefined level of risk as a criteria for planning the maintenance - The risk is affected by two factors: the accuracy of the estimates of the probability of failure and the quality of the consequence study.   - (Dawotola et al. 2012; Dey 2004; Dey 2003; Dey 2001; Dey et al. 2004) - AHP multi-criteria decision tool and weighted average technique - Likelihood loop used to identify the failure factors - The studies are more subjective to the expert opinion. No sensitivity analyses were carried out to see the effect of maintenance on the cost. - (Cagno et al. 2000; Cockshott 2005; Dawotola et al. 2012; Dey 2004; Dey 2003; Dey 2001; Moubray & Lanthier 1991) Fuzzy logic method (FL), Data Envelopment Analysis (DEA), Analytic Hierarchy Process (AHP), Event Tree Analysis (ETA) and Fault Tree Model (FTM)  - Focus only on the identification of the causes of the event.  - Variations in a selection of failure mechanism,  - Diversity in conclusions  - The difference in the inspection periods.  Investigation and prediction of defect  - Uncertainties in the prediction of defect growth, - Effect of defect on the integrity of pipelines (Singh & Markeset 2009) - Multi-dimensional consequences of pipeline failure (Brito et al. 2010) - Risk quantification non-realistic values  - Fuzzy based model(Agarwal et al. 2004; Ayyub & Klir 2006; Bae et al. 2004; Cheng 2000; Ferdous et al. 2011; Ferdous et al. 2009; Huang et al. 2001; Sadiq et al. 2008; Sawyer & Rao 1994; Sentz & Ferson 2002; Wilcox & Ayyub 2003)  - Model emphasized on mechanical failures such as quality of installation of pipeline, manufacturing pipe, quality of welding, and percentage of inclusion.  - Triangular fuzzy number was used to represent the fuzziness of failure probabilities   215  - Lack of knowledge of failure mechanism - Conservative assumptions made by the experts - Linguistic expressions - Uncertainties of design and material fault, limited understanding, and vagueness of  the failure mechanism (Ayyub 1991; Ferdous et al. 2009; Sadiq et al. 2008; Sawyer & Rao 1994; Yuhua & Datao 2005)  - Fuzzy based inspection model for the corrosion rate assessment (Singh & Markeset 2009)  - FTA and ETA result deals with the likelihood of an event and cannot characterise the severity of risk associated with the incident. - Fuzzy based bow-tie analysis - Fault tree analysis (FTA) - Event tree analysis (ETA) (Spouge & others 1999), (Cockshott 2005; De Dianous & Fiévez 2006; Duijm 2009; Markowski et al. 2009; Shahriar et al. 2012), (Yuhua & Datao 2005) - ELECTRE TRI integrating utility theory (Brito et al. 2010)  - The model assigned the risk category to each section of pipelines by considering the impact of the accident on the human, environment and economics.  - Lack of sensitivity analysis to see the effect of individual risk item over system risk Variability of inspection results   (Singh & Markeset 2014b; Singh & Markeset 2014a; Singh & Markeset 2014c)  - The inherent characteristics   of Instrumental variability - Complexities of operating conditions.  - Random nature of the variables (Singh & Markeset 2014b)  - Non-uniform condition of the pipeline dimensional parameters  - Variation in corrosion pits location, length, and depth - Variability in measured data  - Fuzzy probability distribution function (Singh & Markeset 2014b) - Combined the probabilistic and possibilistic approaches - Probabilistic models have a tendency to ignore the low probability situations that may cause a severe impact.  - Possibilistic approach addresses with low possible events  - Possibilistic approach is too subjective and gives more imprecise results - operator’s skill - limitation of measuring instrument and their operation  - Uncertainty in measured data - Probabilistic analysis framework (Hallen et al. 2003) - ILI data combined with fitness-for-purpose probabilistic assessments by using structural reliability analysis        216  Table 3.1: ASME B31.4 guidelines for Acceptable Pipeline Repair Methods for Dents, Buckles, Ripples, Wrinkles, Leaking Couplings, and Defective Prior Repairs, Conceived from (Escoe 2006) Defect Replacement as cylinder Removal by grinding Deposition of Weld Metal Reinforcing full encirclement Sleeve (Type A) Pressure containing full encirclement sleeve (Type B) Composite Sleeve  Mechanical Bolt-on clamps  Hot Tap  Fittings External Corrosion ≤80% t (Excluding grooving, selective, or preferential corrosion of ERW, EFW seams Yes No Limited Limited Yes Yes Yes Limited Limited External Corrosion >80% t Yes No No No No No Yes Limited Limited Internal Corrosion ≤80% t Yes No No Limited Yes Limited Yes Limited No Internal Corrosion >80% t Yes No No No Yes No Yes Limited No Grooving, selective, or preferential corrosion of ERW, EFW seams Yes No No No Yes No Yes Limited No Crack Yes Limited No Limited Yes Limited Yes Limited Limited Hard Spot Yes No No Limited Yes No Yes Limited No Blisters Yes No No No Yes No Yes Limited No Defective Girth Weld Yes No Limited No Yes No Yes No No Lamination Yes No No No Yes No Yes No No Dents ≤ 6% of the Diameter of the Pipe Containing Seam or Girth Weld Yes No  Limited Yes Limited Yes   Dents ≤ 6% of the Diameter of the Pipe Containing Gouge, Groove or Crack Yes Limited  Limited Yes Limited Yes   Dents ≤ 6% of the Diameter of the Pipe Containing External Corrosion with Depth Exceeding 12.1/2% of Wall Thickness Yes No  Limited Yes Limited Yes   Dent Exceeding 6% of the Diameter of Pipe Buckles, Ripples, or Wrinkles Yes No  Limited Yes Limited Yes   Buckles, Ripples, or Wrinkles Yes No  Limited Yes No Yes   Leaking Coupling Yes No  No Yes No Yes    217  Defective Sleeve from Prior repair Yes No  No Yes No Yes    218  IMP Assessment Qustionnair PLANNING General IMP Is an IMP documented for the entire pipeline system life cycle including planning, design, construction, operation, maintenance, and abandonment? Does the Permit holder identify and ensure conformance with up-to-date regulatory and legal requirements, external standards, and codes? Has the IMP been formally implemented?                                            Are records available for the formal roll out of IMP? Does the  permit holder have a third party operating any of its assets in BC? If the permit holder has third-party operated pipelines, does its IMP documentation specify whose IMP is applicable for such pipelines? Where a third party is operating some or all assets, is there a formal contract/agreement signed between the two parties? Does the agreement outline the IMP requirements? Where all assets are operated by a third party, or parties, does the permit holder have a documented IMP manual or policy document to outline its IMP requirements to ensure that the third party is fulfilling the contract/joint agreement requirements with respect to pipeline integrity? Policy and Commitment Is the permit holder's policy statement for integrity management documented, signed, and approved by senior leadership? Does the permit holder's policy statement for integrity management include:  1) scope, 2) commitment, and 3) goals  of the IMP and its continual improvements? Has the permit holder's policy statement for integrity management been communicated to all employees? In situations where an asset is owned by the permit holder, but operated by a third party,  are there any EHS or other corporate policies documented, signed and communicated that relate to its assets and also applies to pipeline integrity? Goals and objectives Are measurable objectives with targets and performance indicators identified by the permit holder? Is the performance of indicators tracked and trended, and are organizational adjustments made when targets, goals and objectives are not met? Has a process for periodically reviewing performance indicators through management review been established? Risk assessment Does the permit holder's IMP manual have an overview/description of the pipeline system that it owns? Has the permit holder, or third party operating its assets, established a system to maintain pipeline information (e.g. GIS, database, spreadsheets)? Has the permit holder or third party gathered and integrated data with respect to pipeline aspects, such as age, purpose, capacity, location, physical characteristics, operating conditions, physical surroundings and boundaries, past history, design, construction, failure investigation, operation and maintenance, and location and function of ancillary equipment to support risk assessment? Is pipeline inventory and flow connectivity data reviewed, corrected and validated? Is pipeline inventory reviewed to determine licensing discrepancies and are appropriate actions taken to correct them? Is the pipeline inventory available for the location of the pipeline system with respect to crossings, land use and structures? Is class location verified and included in the pipeline inventory?  219  Are formal methods and documentation in place to identify potential hazards at the planning, design, construction and commissioning phases of the pipeline life cycle including natural hazards such as, slope movement, soil settlement, wash out and seismicity? Are formal methods and documentation in place to identify hazards for the operation, maintenance and abandonment phases of the pipeline life cycle? Are all hazards as per ASME B31.8S/CSA Z662 Annex H considered in hazard identification for the entire life cycle of the pipeline? Is hazard identification an ongoing process, i.e., is hazard inventory updated as conditions change and /or new hazards are identified during the life of the activity or operation? Show records to demonstrate. Is line-by-line risk analysis performed to properly identify risks using an appropriate risk assessment approach? Are data, methods, assumption, rationale and responsible personnel documented for risk assessment? Is risk estimated in terms of probability of occurrence of hazardous event and severity of consequence by considering features that are unique to the design, construction and operation of the pipelines? Are non-corrosion hazards considered within the risk assessment? Are appropriate levels for acceptable risk defined? When a significant/high risk is determined, is a more refined method of risk analysis performed to reduce the possibility of risk level overestimation?  Is the risk assessment performed for unmitigated conditions? Are risk mitigation/reduction controls established and implemented? Is the risk assessment reassessed/re-evaluated after risk reduction options are selected/implemented? Is risk assessment performed and documented for contract operated assets? Are pipelines/segments prioritized in order of risk level? IMPLEMENTATION Organizational roles and responsibilities Has the permit holder determined and provided resources and systems needed to implement and maintain the IMP and improve its effectiveness? Is the organizational structure identified, documented  and updated for the effective implementation of the IMP program (are the positions of the personnel responsible for the development, implementation and maintenance of the IMP identified, documented and kept current)? Are the responsibilities and authorities relevant to the IMP defined and communicated within the organization? Has the permit holder designated a management representative(s) with authority and control for the overall IMP? Where a third party is operating some or all assets, are roles and responsibilities for coordinating and communicating with the third party defined by the permit holder? Information management and communication Is a process for internal and external communication to coordinate information essential to the IMP established and implemented? For third-party operated assets, does the permit holder maintain a formal communication plan that indicates when and what type of information will be obtained from the third party contract operator?  Is an in-house system developed to gather information  from the third-party operator about integrity of its pipeline assets? Training and Competency Are training and competency requirements developed and implemented for employees to give them appropriate knowledge and skills in accordance to their duties and responsibilities related to pipeline integrity by the permit holder or the third party operating its assets? Have field staff/operators participated in training and have they been deemed qualified and competent for their assigned duties and responsibilities related to IMP?  220  Is there a process in place to track training and frequency of training of employees in the IMP? For non-field employees related to IMP, is a process in place for training and competency assessment, such as an annual performance review process? Is integrity awareness training provided to all relevant employees and leaders? Is IMP (orientation) training related to safety and integrity provided to all new employees, those newly transferred and those whose job function has changed? Is a process to continually evaluate the knowledge and skills (competency) of employees with regards to the IMP developed and documented? Are employees trained and empowered to stop work and/or suspend operations as the first line of defence against an incident? Is there a process in place to evaluate and select contractors on the basis of ability and qualifications to perform specified duties, not just lowest bid/price? Does the selection/evaluation process of contractors include review of safety and environmental policies and procedures, past performance, ability, qualification check through audits, work-site inspections, and observations of performance as appropriate? Is an approved vendor (contractors, consultants, service providers, suppliers) list available and validated? Is there a process in place to ensure that the performance requirements and expectations are defined  and communicated to the contractor? Is a process in place to ensure robust oversight and monitoring of contractor performance, including direct surveillance and auditing of adherence to obligations as applicable? Is a process defined to provide feedback to the contractors and ensure that identified deficiencies are resolved? Are the methods for collection and maintenance of training records clearly documented? Managing Change Is a systematic process established and implemented to ensure that prior to implementation, changes that may impact the integrity of the pipeline system at any life cycle phase are evaluated, controlled and documented for their potential risk impacts by the permit holder or the third party operating its assets? Comment on the type of processes used for managing changes, such as Management of Change (MOC).  Where a permit holder relies on the third-party contract operator's Management of Change (MOC), is a formal process to communicate and approve MOCs developed and implemented?  Does the MOC process identify possible scenarios that could initiate a change? Are hazards and mitigations developed and implemented prior to the start of  an operation (activity or project specific)? Does the MOC process include responsibilities for identifying, approving and implementing changes? Does the MOC process include the methods for communication of changes to the internal and external affected parties? Does MOC documentation include the reasons for change, and analysis of the implications and effects of the change along with timing of the change? Does the MOC process control change to license/permit information? Does the managing change documentation identify or refer to other methods/procedures for controlling changes to the organizational structure or key personnel related to the IMP? Is a process developed and documented to control changes to methods, procedures and practices for design, construction or operation, and is the process referenced in the MOC procedure or IMP manual? Is process in place for acquisitions and divestitures of pipeline systems and described/referenced in the IMP manual? Does the acquisition and divestitures process establish controls to ensure records related to planning, design, construction and operations of pipelines are obtained/released during acquisitions and divestitures? Are technical changes not initiated and controlled by the permit holder (such as changes to standards, technical and regulatory requirements) controlled and appropriately referenced in managing change documentation? Are changes related to the physical environment of pipeline systems (e.g.. new rights of way, land development or new structures) controlled and the process for controlling such changes documented and/or referenced?   221  Document Control  Is a procedure for control and distribution of documents (procedure, standards and other relevant technical documents) established and implemented? Does the document control procedure identify documents that need to be controlled, reviewed, approved and maintained by the permit holder or the third party operating its assets? Does the control of documents procedure include location of the documents (electronic and hardcopy)? Are the responsibilities for document control identified? Does the document control procedure ensure documents are legible, identified and retrievable? Does the document control procedure readily provide access to current revisions of relevant documents at all required locations? Are pipeline manuals controlled and are the latest versions available? Records Control Is a procedure for control and distribution of records established and implemented  by the permit holder and/or the third party operating its assets? Does the control of records procedure include a description of all records to be managed, retrieval of records, location of the records (electronic and hardcopy), indexing, backup retention and disposition of records? Are the responsibilities for record control identified? When records are incomplete due to asset transfer or other reasons, is a strategy developed and implemented to recover the records and/or to manage pipeline integrity in the absence of those records? Is a process to integrate records originating from contractors, outside operators,  or purchased assets developed and implemented? Are records related to the design phase maintained (e.g. survey and route location maps, design basis and calculations including limits on pressure, temperature, loading and other operating conditions, and design changes/approvals)? Are the records related to the pipeline system construction managed? Are the records related to material specifications, certification  of the pipe, components, bolting and coating materials maintained (e.g. material test reports)? Are material selection, procurement, handling and installation records available? Are inspection and test certification and reports available for joining? Are coating and inspection records available? Are inspection records available to confirm that backfilling did not result in damage to the pipe or coating, and was in a manner that would prevent excessive subsidence or erosion of the backfill and supporting material?  Are inspection records available to confirm that backfilling clean up and restoration of areas that were disturbed during construction was completed?  Are inspection records available to confirm that the depth of cover meets minimum cover requirements specified by CSA Z662? Are pressure testing records and summaries available? Are records related to changes, events and non-conformances during design, construction and commissioning maintained? Are records for operation, maintenance, testing, inspection, and monitoring and measurement records maintained and managed and ensured to be accurate, complete and comprehensive? Are records of deactivation, maintenance of deactivation, abandonment and records of disposal of records maintained? Are records for management review, training/competency, approved suppliers/contractors, non-conformances and internal and external audits maintained? Operation Control Has the permit holder or the third party operating its assets established process controls to ensure that pipeline integrity is not compromised during design (including material procurement) and construction (installation, testing and commissioning) phases as per clauses 6, 7 and 8 of CSA Z662 as appropriate?  222  Are operating and maintenance (O&M) procedures documented and implemented for maintenance of the pipeline and its related equipment, operation and control system,  inspections, testing, patrols, monitoring, deactivation and abandonment programs in accordance with CSA Z662 Clause 9, 10 and 12 as appropriate?  Are operational controls established for  emergencies or the upset of operations? Has the permit holder offered  guidance, trained employees and does it have the capacity to manage risk and to respond to unanticipated or changing conditions in a timely and effective manner? Are plans and schedules developed for IMP related activities in alignment with risk assessment results? Are the methods and rationale for prioritization and scheduling of integrity management activities documented? Are the activities in the integrity plans reviewed and tracked in order to: 1) verify proper completion as per methods and procedures, 2) verify changes in planned activities are reviewed and approved, 3) identify incomplete work and unresolved issues, 4) develop recommendations and plans for future work, and 5) verify that the relevant records were created and revised?   CHECKING AND EVALUATION Inspection and Monitoring Are risk assessment results considered and documented to determine timing and frequency for inspection, testing, patrolling and monitoring activities by the permit holder, or the third party operating its assets, for operating and discontinued pipelines? Are the methods to determine the susceptibility to internal corrosion of the pipeline documented?  If the pipeline is considered to be susceptible to internal corrosion as per CSA Z662 Cl. 9.10.1, are appropriate mitigation programs such as pigging, dehydration (water treatment), continuous internal coating, injections of environmentally acceptable biocide, chemicals, removal of dissolved solids by chemical or mechanical means, or gas blanketing,  implemented and maintained? Is a pigging program implemented as required? Is the pigging schedule documented, tracked and are pigging records available? For internal corrosion susceptible, non-piggable pipelines, are  programs implemented and maintained to mitigate internal corrosion? Is a chemical/ batch program implemented? Are any other internal corrosion protection programs applied? Has a complete cathodic protection (CP) review been conducted to ensure that all required pipelines and risers are protected until abandoned?  Have inspection and monitoring procedures been established and implemented for cathodic protection? For new pipelines, is cathodic protection applied no later than 1 year after installation and is it maintained? Are rectifier readings recorded regularly? Are cathodic protection surveys performed at a regular intervals? Are remedial measures taken to correct any deficiencies identified in the CP survey? For non-metallic pipelines, is cathodic protection applied to metallic risers? Are programs developed to monitor the effectiveness of the internal corrosion programs such as coupons, probes,  spool pieces, NDEs, visual inspection of cut outs, monitoring of physical and chemical operating conditions (water and gas analysis)? If spool pieces/coupons or other corrosion monitoring tools are being used, are records available? Are liquid/gas samples taken and analyzed? Are leak detection methods documented and implemented appropriate to the product type? Is the leak detection program developed and implemented to all liquid hydrocarbon pipelines as per CSA Z662 Annex E?  223  For liquid hydrocarbon pipelines, are material balance records interpreted in accordance with Annex E of CSA Z662  or sound engineering practices used to determine uncertainties and alarm  tolerances? For gas pipelines, are regular surveys performed for leak detection?  For multiphase pipelines, are acceptable leak detection programs established and implemented as per CSA Z662? For oilfield water pipelines, are leak detection programs established and implemented through regular surveys for early detection to prevent environmental damage? Are size and location of pipeline system valves evaluated to ensure CSA Z662 requirements are met? Where CSA Z662 requirements are not met, are appropriate engineering assessments conducted? Are operational positions and functionality of valves tested, inspected and maintained as per CSA Z662 and O&M specifications? Are testing and inspection procedures for shutdown devices and systems established and implemented? Are pressure-control, pressure-limiting and pressure-relieving systems established, tested and inspected regularly and are records of any corrective actions/repairs maintained? Is the frequency of patrolling pipelines to observe conditions and activities on and adjacent to the right-of-way (ROW) that can impact safety and operation of pipelines determined?  Activities that shall be considered are construction, dredging, erosion, ice effect, scour, seismicity, soil slides, subsidence, loss of cover, evidence of leak and unauthorized activities. Are records of patrolling pipelines maintained and tracked? Is vegetation controlled to maintain visibility from air and provide access for maintenance where terms of easement permit? Are special inspection and maintenance consideration given to pipeline crossings? Are underwater crossings inspected periodically for adequate coverage, accumulation of debris, and other conditions that may impact the safety or integrity of the crossing? Are exposed facilities on pipeline ROW maintained for access and protected to prevent unauthorized access? Are signs installed, maintained or replaced in strategic areas as specified in CSA Z662 clause 10.5.3 for active and deactivated pipelines and abandoned pipelines and facilities as per CSA Z662 clauses 10.16.1 and 10.16.3 as appropriate? Is adequate signage provided and maintained for non-metallic pipelines? For lined pipelines, are liner vent checks performed periodically? Are inspection activities to identify corrosion and other imperfections performed on buried piping (when exposed) and permanently exposed piping (CSA Z662-15 Annex N)? Are ILIs planned and carried out to detect internal and external corrosion imperfection dents, cracks, and excessive pipe movement? Are close-interval and coating-assessment surveys considered when evaluating the performance of the cathodic protection system and the effect of corrosion on the pipeline system? Are direct inspections methods such as,  verification digs carried out following indirect inspections methods (e.g., ILI or close-interval surveys) where needed? Are discontinued pipelines (no active flowing service) deactivated after 18 months of no active flowing service as per CSA Z662 Clause 10.15.1? Are license amendments submitted for deactivating pipelines after 18 consecutive months of no fluid flow? Are pipelines that were deactivated or abandoned reactivated as per CSA Z662 Clause 10.15.2 been approved by BCOGC? Are discontinued or deactivated pipelines abandoned as per CSA Z662 Clause 10.16 requirements? Are unsafe conditions such as loss of cover, ROW sloughing, exposure, surface equipment, and external  interference monitored for buried abandoned and deactivated pipelines?  Are deadlegs or fluid traps that remain after the pipeline is discontinued, deactivated or abandoned monitored and inspected for corrosion? Are lined pipelines monitored for hazardous gas that can evolve from the liner and accumulate in the pipelines once discontinued, deactivated or abandoned as per CSA Z662 Clause 13.2.8.6?  224  Evaluation of inspection and monitoring results Has the permit holder or the third party operating its assets developed  and implemented a process to evaluate and review all results of inspection, testing, patrol and monitoring, and especially those results that indicate presence of imperfections or conditions that might lead to failure? When imperfections and cracks are found in steel piping, are evaluations made to determine the suitability of such piping for continued service? Are pipeline systems with indications of imperfections  through ILIs and/or CIS subjected to visual inspections, mechanical measurements, non-destructive inspections  and evaluation as per CSA Z662 Clause 10.10? Are engineering assessments appropriately and effectively implemented to support decisions for evaluation of conditions and imperfections that might lead to failure? Is a documented process for conducting an engineering assessment developed and implemented? Are appropriate engineering evaluation methods (e.g., B31G, DNV-RP-F101, etc.) applied to the assessment of imperfections and conditions that might lead to failure? Has a monitoring and evaluation program for natural hazard  mitigation and failure incident prevention been appropriately developed and implemented? Are appropriate monitoring programs, such as the use of increased line patrols established for natural hazards, such as, slope movement, soil settlement, wash out and seismicity impacts? Modification and Repair Does the permit holder or the third party operating its assets have modification and repair procedures documented and implemented for conditions and imperfections that could cause failure or damage with significant consequences? Are the records for modification and repair maintained and communicated? Are modification and repair activities recorded and maintained through the MOC process where applicable? PROGRAM ASSESSMENT AND CONTINUAL IMPROVEMENT Incident reporting and investigation Has the permit holder established and implemented procedures for reporting (internally and externally) and  investigating all failure and damage incidents, including near misses for all types of pipelines (for instance metallic and non-metallic) and contractor incidents? Are policies, such as a non-punitive reporting policy, in place to encourage employees to report any safety concerns, near misses, hazards, and incidents without fear of reprisal? Does incident reporting  include items as per CSA Z662 Annex H-2? Does the reporting process emphasize the importance of quality of reporting of incidents/near-misses, and is the quality of reporting reviewed?  Is a process for root cause analysis (RCA) to investigate damage/failure incidents developed and implemented? Do investigations/RCA consider the complete range of potential causes including human and organizational factors? Are RCA/investigations conducted by trained and competent personnel (internal or external)? Are key incident investigation findings shared as appropriate (safety meetings and formal communication)? Are findings from root cause analysis considered for determining corrective actions? Are recommendations from RCAs, including changes to improve the effectiveness of the IMP, effectively implemented to prevent occurrence of incidents due to similar causes? Does the permit holder maintain incident and near miss records?  Are incidents and near-misses trended on a regular basis to identify themes, trends of similarities of type, and repeat occurrences? Is the incident investigation process established and maintained during installation, construction and commissioning phases of the pipeline?    225  Program assessment (non-conformance) Has the permit holder, or the third party operating its assets, established and implemented a documented procedure for regularly monitoring and measuring conformance with the requirements of the IMP ? Does the procedure define criteria for non-conformance to the IMP? Does the procedure address responsibility and authority for handling and investigating the non-conformances, taking actions to mitigate any impacts, initiating actions to correct and prevent non-conformances, and for evaluating the effectiveness of any actions taken? Are the non-conformances documented, tracked and trended? Are the non-conformances resolved in a timely manner across the organization and is the effective implementation of actions tracked? Internal Audit Are program and procedures developed and implemented by the permit holder or the third party operating its assets to conduct audits on a regular basis to monitor and measure conformance with the standard and the IMP?  Has the permit holder or the third party operating its assets identified the scope and objectives of the internal audit? Has the internal audit frequency and schedule been established? Are the responsibilities for managing and performing the internal audit established and communicated ? Does the internal audit procedure include criteria and information on the independence and competency of auditors? MANAGEMENT REVIEW Does the permit holder or the third party operating its assets established and implemented a management review process that involves leadership directly? Are frequency and responsibilities for management review and evaluation defined? Does the management review include findings, status and trends of proposed actions identified during internal and external audits? Does the management review include status and trends of integrity (key) performance indicators? Does the management review include information on follow-up actions from previous review meetings? Does the management review include status and trends of conformances and/or non-conformances to the requirements of the IMP and non-compliances? Does the management review include information on incidents, near misses and the root cause analysis of recent failures? Does the management review include recommendations and decisions for improvement of the effectiveness of the IMP through changes to policy and objectives as appropriate? Does the management review identify the provision of resources if required?      

Cite

Citation Scheme:

        

Citations by CSL (citeproc-js)

Usage Statistics

Share

Embed

Customize your widget with the following options, then copy and paste the code below into the HTML of your page to embed this item in your website.
                        
                            <div id="ubcOpenCollectionsWidgetDisplay">
                            <script id="ubcOpenCollectionsWidget"
                            src="{[{embed.src}]}"
                            data-item="{[{embed.item}]}"
                            data-collection="{[{embed.collection}]}"
                            data-metadata="{[{embed.showMetadata}]}"
                            data-width="{[{embed.width}]}"
                            async >
                            </script>
                            </div>
                        
                    
IIIF logo Our image viewer uses the IIIF 2.0 standard. To load this item in other compatible viewers, use this url:
https://iiif.library.ubc.ca/presentation/dsp.24.1-0371924/manifest

Comment

Related Items