A Framework for Pipeline
& Storage Facilities Risk Modeling
Dr. Ken Oliphant, P.Eng. and Wayne Bryce, P.Eng. – JANA Corporation
For Risk Assessments to deliver what is needed to truly improve the Integrity Management of gas system assets, the risk modeling methodology must be properly structured. The requirements for a functional risk modeling structure are driven by the unique nature of gas system assets and the objectives of the Integrity Management process. JANA has developed a risk model structure and implementation process that ensures that the resulting Risk Assessments provide functional and effective inputs into the overall Integrity Management process. Further, this methodology allows for the direct comparison of risk across disparate gas system assets so that risk reduction actions can be prioritized so as to optimally reduce risk across all company assets.
“Doing nothing is not as bad as things can get for risk management. The worst thing to do is to adopt a soft scoring method or an unproven but seemingly sophisticated method (what some have called “crackpot rigor”) and act on it with confidence.”
– Douglas W. Hubbard, The Failure of Risk Management
Introduction
JANA has developed a suite of MechanisticProbabilistic (MP) Risk Models covering the primary gas distribution and transmission asset types and threats. Further, a mechanisticprobabilistic model for storage assets is currently under development. These structured risk models are based on a mechanisticprobabilistic modeling approach that can be customized based on data availability. Base elements for the model are configured to the operator’s specific system and data inputs. The base models are centered on a mechanisticprobabilistic approach to risk that is quantitative and probabilistic, providing accurate risk estimates that enable assessment of overall system risk and relative risk rankings within and across asset families on a common risk basis.
The benefits of this type of modeling approach are:

It is built on a mechanisticprobabilistic structure

Highly predictive

1020 year predictive time horizon

Incorporates Low Frequency – High Consequence Risks


It can be implemented with currently available data

It is evolutionary in nature as it can be updated as the data, modeling approaches and regulations/requirements evolve

It is DIMP / TIMP compliant as it addresses all identified threats, evaluates and ranks risks, and evaluates the impact of risk mitigation measures

Risk estimates are provided based on discrete estimates of PofF (probability of failure) and a common basis for CofF (Consequences of Failure) so that direct and relative Asset Criticality comparisons can be made within and between asset classes (e.g. steel versus plastic)

The risk reduction benefits of potential mitigations are directly handled within the risk model for optimization of mitigation strategies

Enables ‘whatif’ scenario analyses

Ease of use


Asset Criticality estimates are probabilistic, providing current and future risk profiles for the asset base to provide a forward looking view of how risk will evolve in the asset base and enable longrange optimization of mitigation strategies

Asset Criticality, both in terms of PofF and CofF, is calculated on a granular basis to enable a complete risk picture and understanding of the fundamental drivers of risk in the asset base, providing insight into Low Frequency High Consequence events
Risk Model Implementation Process
The quality of the underlying risk models is critical to the overall effectiveness of the Risk Assessment. Without a clear picture of the risk in the pipeline system, optimal Integrity and Risk Management decisions cannot be made. What decision makers need are reliable risk projections with a common risk basis (so that risk comparisons can be made across different asset types and families and different locations within the pipeline system) that provide clear risk differentiation throughout the asset base.
Many risk modeling approaches fail to deliver in these key areas, providing potentially misleading, and certainly less than optimal, information to decision makers. In recognition of this, there has been an ongoing evolution in modeling approaches within the pipeline industry. JANA has developed the JANA Risk Model Implementation Process (Figure 1) to assess and select appropriate risk models based on specific utility objectives and data availability. This systematic process ensures all pertinent information is brought to bear on the risk assessments, all primary threats are considered and reliable projections of future system risk are provided through selection of optimized risk models.
The JANA Asset Criticality Determination Framework is a six step process as detailed below.
Figure 1: JANA Risk Model Implementation Process
Strategic Intent
The first step in the process is developing a clear understanding of the corporate risk management strategy and objectives to ensure that the underlying Risk Modeling Methodology is aligned with them. This phase defines the scope of the modeling approach (scope of assets to be included, life cycle phases of assets to be considered, threats to be considered, level of risk assessment, etc.) and ensures successful project outcome.
Asset Analysis
An asset analysis is then conducted to define the primary asset types and amounts in the distribution, transmission and storage systems. The nature of the assets being evaluated will set specific requirements for the risk assessment process.
Threat Analysis
A threat assessment is conducted to identify the threats for each asset. This assessment draws on historical utility records (e.g., current replacement programs, risk register, past risk assessments, historical root cause analyses (RCAs), etc.), known industry threats and JANA’s Gas Distribution, Transmission and Storage Threat Fault Tree databases (databases of primary threats and failure modes for system assets). The applicability of all threats identified in the GPTC Guide Material Appendix G1928^{1} is assessed to ensure all threats are identified for inclusion in the risk models.
Data Assessment
“We use probabilistic methods because we lack perfect data, not in spite of it. If we had perfect data, probabilities would not be required.”
– Douglas W. Hubbard, The Failure of Risk Management: Why It's Broken and How to Fix It
Data collection is conducted to gather relevant data inputs and a data assessment is run to determine the available asset data, its format and reliability. The MP risk models are configured to be implemented with currently available data. Higher level modeling approaches are activated during implementation where more detailed asset data is available. Missing or questionable asset data is flagged in the risk calculation so that the impact of data uncertainty can be explicitly assessed in the risk analysis. An assessment of the use of tacit knowledge in the form of SME (subject matter expert) input is also conducted. At this stage and throughout the implementation process data collection opportunities are identified.
Risk Model Optimization
Based on the Strategic Intent, Asset Analysis and Data Collection and Assessment the best probability of failure (PofF) and CofF models for each asset type are selected.
Risk Model Verification
A critical component of model development is verification of model projections. Multiple approaches to model verification are used based on the specific modeling approaches applied, including: statistical fit assessments, back checking, trial projections and specialized studies.
General Model Structure
The JANA MP Risk Models are based on a mechanisticprobabilistic model structure. Risk is calculated on the basis of:
Risk = Probability of Failure (PofF) x Consequence of Failure (CofF)
Where:
CofF = Probability of Consequence (PofC) x Consequences
The overall model structure is shown in Figure 2. Risk is calculated based on unique models for each asset type (e.g., steel mains, plastic mains, plastic services, meters, regulators, etc.) and threat type (e.g., material failure, excavation damage, natural forces, incorrect operations, etc.). Overall the granular nature of the risk calculations provides a complete and clear risk picture.
Figure 2: Schematic of Overall MP Risk Model Structure
Based on the asset type, PofF is calculated for Loss of Function^{2} (PLF) and/or Loss of Containment^{3} (PLC). In gas distribution, as an example, for Loss of Containment separate PofF calculations are run for ruptures, pinhole leaks, medium sized leaks and large leaks. These represent the primary failure outcomes: Loss of Function, Rupture, Pinhole, Medium Leak and Large Leak. Discrete probabilities are calculated for each of these primary failure outcomes.
For each primary failure outcome, a common basis is used for calculating the consequences of failure. This, combined with the discrete probability estimates for the primary failure outcomes provides for a consistent basis for calculating and comparing risk within and across different asset types. Consequences are calculated based on the probability of the consequence (PofC) times the magnitude of the consequence.
To ensure the best risk projections possible based on currently available asset data, the specific risk models are selected, tuned to the utilities specific asset data and verified based on statistical fit assessments and back checking.
The model calculations are transparent and provided with support documentation on the basis and validity of the risk models.
The risk reduction benefits of possible mitigations/interventions are directly calculated through mitigation scenarios. This provides for the use of scenario forecasting to optimize mitigation or pipeline replacement programs.
Probability of Failure Models
Separate PofF models are utilized for each asset type and threat type. An example of the primary threat types for gas distribution assets is detailed in Figure 3. The PofF is calculated for each of the primary leak types of:

Rupture

Large Leak

Medium Leak

Pinhole Leak
Figure 3: Example – Primary JDIMPTM Threat Categories
The specific PofF model structure depends on the asset type, threat type and client implementation (i.e., data availability, modeling level, etc.). There are three primary model structures as shown in Figure 4 and discussed below.
Figure 4: PofF Model Structure

MechanisticProbabilistic Modeling: MP models couple a fundamental understanding of the underlying mechanisms of failure with operator specific historical performance data. For high risk assets, they provide the most robust modeling approach.

Statistical MP Modeling: Statistical MP models are developed based on operatorspecific historical performance data linked to the key mechanistic factors that drive risk. JANA has developed a specific process for data assessment, data cleansing, model development and verification. The primary modeling approaches used are:

Weibull Modeling: A common approach used in reliability engineering that allows for robust definition of hazard functions for an asset, enabling future leak rate projections. JANA has demonstrated the applicability and effectiveness of Weibull modeling for a range of distribution system assets.

Weibull PHM: Weibull Proportional Hazards Modeling (PHM) extends the utility of Weibull modeling by enabling the inclusion of statistically significant distinguishing factors that impact probability of failure (e.g., age, location, operating conditions, etc.). The Weibull PHM approach provides the ability to rank assets based on the distinguishing factors for AM prioritization.


Mechanistic MP Modeling: The JANA Mechanistic MP Modeling approach is based on assessing risk in terms of the probability of failure (PofF) times the consequences of failure (CofF).

The PofF is assessed as: PofF = exposure x (1 – mitigation) x (1 – resistance) where:

Exposure is an event which, in the absence of any mitigation, can result in failure if insufficient resistance exists (e.g., unmitigated corrosion rate)

Mitigation is the effectiveness of all activities designed to stop the exposure (a number between 0 and 1 representing the probability of the mitigation stopping the exposure, 1 representing 100% effectiveness) (e.g., mitigation effectiveness of CP system and coating)

Resistance is a measure or estimate of the ability of the component to absorb the exposure force without failure once the exposure reaches the component (e.g., remaining wall thickness)


The PofF is calculated for each specific threat or exposure type. The overall PofF for a pipeline segment is the sum of the PofFs for all possible threat types. PofF is typically described in terms of events/mile/year or events/component/year.

The base PofF models are tuned based on operator specific data to provide a finalized set of PofF models for each asset class. PofF models for nonstandard asset types or threat types can be developed on implementation.
Consequence of Failure Models
The standard JANA CofF model can be implemented (inputs customized based on operator specifics) or client specific consequence models can be implemented to integrate with overall corporate consequence assessments.
For each of the primary failure outcomes (loss of function, rupture, pinhole, medium leak and large leak) the potential consequences are calculated based on the Probability of the Consequence (PofF) times the potential consequence factors. For loss of function consequences, the probability of a loss of function failure resulting in consequence outcomes is multiplied by the consequences of the loss of function event. For loss of containment failures, the probabilities of the possible outcomes for no ignition, ignition and explosion are multiplied by the potential consequences for each of these potential outcome scenarios. Separate probabilities of these outcomes events are applied for each threat type (e.g. the probability of a third party damage event leading to ignition is higher than that for a corrosion leak) based on statistical analysis of historical industry data and utility specific data (see Table 1). The probabilities are also linked to asset environment specifics (i.e. class location, wall to wall cover, etc.).
Table 1: Probability of Consequence Factors
Consequence impact tables are configured to operator system specifics and costs on implementation. The impact tables cover the primary consequence types detailed in Figure 5.
Figure 5: Primary Consequence Types
The consequences for each consequence type are assessed as detailed in Table 2.
Table 2: Consequences
Risk Mitigation
The risk reduction benefits of possible mitigations/interventions are assessed directly through the use of mitigation scripts. The mitigation scripts are applied to the risk model to provide an absolute estimate of residual risk after implementation of the mitigation. This is compared to the current asset risk to calculate the risk reduction benefit of the mitigation. Scenario forecasting can then be applied to develop optimized mitigation/replacement strategies.
^{1 }The American Gas Association, GPTC Guide for Gas Transmission and Distribution Piping Systems: Guide Material Appendix G1928, 2009 Edition.
^{2} E.g. Loss of function of odorizer
^{3} E.g. Gas release
Mechanistic Probabilistic Modeling
You can call it MP Modeling. We call it the better approach to modeling risk for your pipeline integrity.
Gas Transmission
 Intelligent and scalable risk management
 Exceed regulations with bestinclass compliance
 Prioritize tasks in your asset management
Gas Distribution
 Ensure continuity of service through prevention
 Achieve optimal compliance more efficiently
 Resolve issues and meet strategic goals