Compliance with new pipeline rule offers opportunity to implement best practices
By Russel Treat
Many pipeline operators will spend substantial time and effort reworking their control rooms and systems to comply with the new Pipeline Hazardous Materials Safety Administration's (PHMSA) Control Room Management (CRM) rule by 1 August 2012. With a small amount of additional effort, pipeline operators can leverage compliance efforts into best practices that will serve them now and well into the future.
Why the new rule?
In investigating incidents, PHMSA found pipeline controllers (the person using the Supervisory Control and Data Acquisition [SCADA] system) may be qualified but not always successful in managing abnormal situations or events. The controller's ability to manage abnormal situations can be influenced by ineffective procedures, fatigue, or even limitations in the SCADA system itself.
To comply with the CRM rule, pipeline operators must:
- Provide effective operating and maintenance procedures, including specific requirements for training
- Match the control room environment and equipment (including displays, alarming, environment, etc.) to human capability
- Provide controllers with warnings and guidance when abnormal operations occur
The requirement to "match to human capability" presents one of the greatest challenges to pipeline operators, demanding solutions and systems that differ significantly from anything they have in their control rooms today.
Situational awareness, permission to operate
Matching a control room to human capability is the science of human factors. The idea is to provide the information required to maintain pipeline safety and operational control without too much workload or confusion. Current control rooms are generally designed for normal operations. However, it is during abnormal or emergency operations when proper human factors engineering can make the difference between success and failure.
Fundamental to success are two key concepts: "situational awareness" and "permission to operate." Originally a battlefield science, situational awareness, as applied to control systems, refers to a single display that quickly provides the operating condition of the pipeline: normal, abnormal, or emergency.
The second key concept in our approach is permission to operate. The premise is you maintain permission to operate as long as you maintain situational awareness (i.e., you understand the operating condition). When you lose situational awareness, then you no longer have permission to operate and need to return to a safe operating condition. This could require shutting down or changing operating parameters, depending on the process.
Frequently, a process moves from normal operations into abnormal operations before the controller receives any notification. The idea is to design displays to show abnormal operations before an alarm is required. Then, use alarms levels to ensure the operator has time to properly identify the cause, determine the solution, take corrective action, and allow for the process to respond.
Our recommended best practice is to define alarm as something requiring controller action. Further, EnerSys recommends pre-engineering all alarms and making the results available to improve the controller's ability to accurately respond. Because field personnel may be required to drive to remote sites to handle manual portions of the process, planning for elapsed time is critical to success.
Retaining permission to operate requires implementing alarm management in such a way that alarms are clear and unambiguous. Systems must be designed so the controller will not act too early when a problem arises but has sufficient time to diagnose and determine what specific action is required, with enough of a cushion for the process to respond.
Historically, we think of SCADA as communications and wiring bringing signals to a display. As an industry, we have not given much thought to the operator interface. SCADA is a complex toolset, including multiple software components and communications technologies, complex networking, and field equipment. To have a firm grasp on the entire system, the pipeline operator needs a well-documented data flow and infrastructure.
What often is missing in these systems is a way to record shift handover and controllers' logs, as well as processes for alarm management, simulation training, leak detection modeling, commissioning support, and change management. In addition, some rework-in the way data is displayed on the HMIs and the way the alarms are processed-is needed. Some of these changes may be strictly procedural, some may entail software updates, and some may require a combination of both.
Compliance is opportunity
Addressing this new rule offers the pipeline operator a prime opportunity to take a structured approach to best practices that will significantly improve their operations. The requirements will drive a rework of displays, alarms, and procedures. Doing this incrementally will require a very thoughtful approach to the disciplined methodology.
ABOUT THE AUTHOR
Russel Treat (firstname.lastname@example.org) is founder and president of EnerSys Corporation, a Control System Integrators Association Certified member.