E8-20701. Pipeline Safety: Control Room Management/Human Factors  

    AGENCY:

    Pipeline and Hazardous Materials Safety Administration (PHMSA), DOT.

    ACTION:

    Notice of proposed rulemaking.

    SUMMARY:

    PHMSA proposes to revise the Federal pipeline safety regulations to address human factors and other components of control room management. The proposed rules would require operators of hazardous liquid pipelines, gas pipelines, and liquefied natural gas (LNG) facilities to amend their existing written operations and maintenance procedures, operator qualification (OQ) programs, and emergency plans to assure controllers and control room management practices and procedures used maintain pipeline safety and integrity. This proposed rule results from a PHMSA study of controllers and controller performance issues known as the Controller Certification Project (CCERT), a National Transportation Safety Board study, safety-related condition reports, operator visits and inspections, and inquiries. This rule would improve opportunities to reduce risk through more effective control of pipelines and require the human factors management plan mandated by the Pipeline Inspection, Protection, Enforcement, and Safety Act of 2006 (PIPES Act). These regulations would enhance pipeline safety by coupling strengthened control room management, including automated control systems, with improved controller training and qualifications and fatigue management. PHMSA expects these regulations will complement efforts already underway in the pipeline industry to address human factors and control room management, such as the development of new national consensus standards, including an American Petroleum Institute (API) recommended practices on roles and responsibilities, shift operations, management of change, fatigue management, alarm management and SCADA display standard, as well as comparable business practices at some pipeline companies.

    DATES:

    Anyone interested in filing written comments on this proposal must do so by November 12, 2008. PHMSA will consider late comments filed so far as practical.

    ADDRESSES:

    Comments should reference Docket No. PHMSA-2007-27954 and may be submitted in the following ways:

    • E-Gov Web site: http://www.regulations.gov. This Web site allows the public to enter comments on any Federal Register notice issued by any agency. Follow the instructions for submitting comments.
    • Fax: 1-202-493-2251.
    • Mail: DOT Docket Management System: U.S. Department of Transportation, Docket Operations, M-30, West Building Ground Floor, Room W12-140, 1200 New Jersey Avenue, SE., Washington, DC 20590-0001.
    • Hand Delivery: DOT Docket Management System; West Building Ground Floor, Room W12-140, 1200 New Jersey Avenue, SE., Washington, DC 20590-0001 between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays.

    Instructions: You should identify the docket ID, PHMSA-2007-27954, at the beginning of your comments. If you submit your comments by mail, submit two copies. To receive confirmation that PHMSA received your comments, include a self-addressed stamped postcard. Internet users may submit comments at http://www.regulations.gov.

    Note:

    Comments are posted without changes or edits to http://www.regulations.gov, including any personal information provided. There is a privacy statement published on http://www.regulations.gov.

    FOR FURTHER INFORMATION CONTACT:

    Byron Coy at (609) 989-2180 or by e-mail at Byron.Coy@dot.gov.

    SUPPLEMENTARY INFORMATION:

    I. Prevention Through People

    Over the past several years, PHMSA's integrity management (IM) programs have been successfully driving down the two leading causes of pipeline failure—excavation damage and corrosion. IM programs help operators understand the threats affecting the integrity of their systems and implement appropriate actions to mitigate risks associated with these threats.

    Excavation damage and corrosion are, however, only part of the safety picture. The next logical area of program development is to examine the role people play in operating and maintaining pipelines. With this proposed rule, PHMSA is beginning implementation of a program that recognizes the importance of human interactions and opportunities for preventing risk, both errors and mitigating actions, to pipeline systems through a Prevention Through People (PTP) program. PTP addresses human impacts on pipeline system integrity. Human impacts include errors contributing to events, intervention to prevent or mitigate events, and the recognition of events that may begin the need for increased vigilance. The role of people, including controllers and those interacting with control center operations, is a vital component in preventing and reducing risk associated with pipeline systems. The proposed rule addresses requirements applicable to controllers and control room management.

    PHMSA has long recognized that controllers can play a key role in pipeline safety. Congress recognized the importance of this role in the Pipeline Safety Improvement Act of 2002 (PSIA) (Pub. L. 107-355) and the PIPES Act. A controller's actions can mitigate risk, but they can also introduce the potential for upset conditions. Human error (including those caused by mistake or fatigue) can cause or exacerbate events involving releases leading to safety hazards and environmental impacts. Controllers also respond to indications of abnormal conditions on the pipeline. Appropriate human response to abnormal situations can mitigate events, helping to prevent accidents leading to adverse consequences. As part of the PTP program, this proposed rule addresses requirements applicable to controllers, key players among the people who can affect pipeline safety.

    Several existing regulations strengthen the effectiveness of the role of people in managing safety. These include regulations on damage prevention programs (49 CFR 192.614 and 195.442), public awareness (§§ 192.616 and 195.440), qualification of pipeline personnel (part 192, subpart N, part 193, subpart H, and part 195, subpart G), and drug and alcohol testing regulations and procedures (parts 40 and 199). Explicitly incorporating a PTP element in IM plans would emphasize the role of people both in contributing to, and in reducing, risks. PHMSA believes this may be the best means of fostering a holistic approach to managing the safety impact of people on the integrity of pipelines. This proposed rule adds requirements applicable to control room management. In the future, PHMSA plans to address additional risks associated with human factors as well as the opportunities for people to mitigate risks. In addition to regulations, PHMSA plans to identify and promote noteworthy best practices in PTP.

    PHMSA recently reported to Congress on its work examining control room management issues as mandated in the PSIA. The report, titled “Qualification of Pipeline Personnel,” includes a summary of the CCERT Project, a four-year effort examining control room issues in PTP. Although the project began with examination of qualification issues, during the course of the project, we identified other control room issues impacting the safety performance of controllers. PHMSA concluded that validating the adequacy of controller-related processes, procedures, training, and the controllers' credentials would improve management of control rooms, thereby enhancing safety for the public, the environment and pipeline employees. PHMSA also identified areas in which additional measures could enhance control room safety and minimize the risk associated with fatigue and interaction with computer equipment. These areas include annual validation of controller qualifications by senior level executives of pipeline companies, clearly defined responsibilities for controllers in responding to abnormal operating conditions, the use of formalized procedures for information exchange during shift turnover, and clearly established shift lengths combined with education on strategies to reduce the contribution of non-work activities to fatigue. These areas are addressed by requirements included in this proposed rule.

    II. Background

    A. Pipelines and LNG Plants

    Approximately two-thirds of our domestic energy supplies are transported by pipeline. There are roughly 170,000 miles of hazardous liquid pipelines, 295,000 miles of gas transmission pipelines, and 1.9 million miles of gas distribution pipelines in the United States. Hazardous liquid pipelines carry crude oil to refineries and refined products to locations where these products are consumed. Hazardous liquid pipelines also transport highly volatile liquids (HVLs), other hazardous liquids such as anhydrous ammonia, and carbon dioxide. The regulations in 49 CFR part 195 apply to owners and operators of pipelines used in the transportation of hazardous liquids and carbon dioxide. Throughout this document, the term “operator” refers to both owners and operators of pipeline facilities.

    Gas transmission pipelines typically carry natural gas over long distances from gas gathering, supply, or import facilities to localities where it is used to heat homes, generate electricity, and fuel industry. Gas distribution pipelines take natural gas from transmission pipelines and distribute it to residential, commercial, and industrial customers. The regulations in 49 CFR part 192 apply to operators of pipelines that transport natural gas, flammable gas, or gas which is toxic and corrosive. Throughout this document, the term “gas” refers to all gases in pipelines regulated under part 192.

    Additionally, there are currently 109 LNG import and peak shaving plants connected to our natural gas transmission and distribution pipeline systems. The volume of natural gas is reduced about 600 times when the gas is cooled to a liquid form. This allows large quantities of natural gas to be transported by ship and to be stored in insulated tanks. LNG import plants allow the U.S. to use natural gas produced in other countries and transported by ship. According to the Department of Energy, imported LNG provided 2% of U.S. natural gas supplies in 2003 but that proportion is expected to grow to 21% by 2025.[1] LNG peak shaving plants allow gas pipeline operators to liquefy and store natural gas during off-peak periods. The stored LNG is then converted back to natural gas when needed for periods of peak consumption. The risks inherent in control of these facilities can be reduced by application of this proposed rule.

    B. Control Rooms and Controllers

    Most pipelines are underground and operate without disturbing the environment or negatively impacting public safety. However, accidents [2] do occasionally occur. Effective control is one key component of accident prevention. Controllers can help identify risks, prevent accidents, and minimize commodity losses if provided with the necessary tools and working environment. Therefore, this proposed rule is intended to increase the likelihood that pipeline and LNG controllers have the necessary knowledge, skills, abilities, and qualifications to help prevent accidents and that operators provide controllers with the training, tools, procedures, management support, and environment where a controller's actions can help prevent accidents and minimize commodity losses.

    i. Background

    Pipeline systems vary from small, simple systems, to complex systems covering thousands of miles. Combined, these systems make up a vast network of pipelines reaching across the United States. Pipeline systems include pumps, compressors, storage tanks, valves, and other components. A pump station, compressor station, or terminal is usually a major installation consisting of large pumps, compressors, storage tanks, and other service equipment. Pipeline systems also include valves used to control pressure and to direct flow during normal operations, to isolate sections of pipeline for maintenance or emergency activities, or to maintain operating pressures within allowable limits.

    Most operators monitor pumps, compressors, valves, and other equipment from single or multiple locations, often hundreds of miles away. Such locations are commonly known as “control rooms.” The individuals who work in control rooms are “controllers.” [3] A control room may have one or more controllers, who could be union or non-union employees. Both union and non-union controllers may work for the same operating company and a control room is likely to be operational 24 hours a day, 365 days a year, or less, depending on the complexity and nature of the pipeline system or LNG facilities served.

    Most operators use computer-based supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), or other less sophisticated systems to gather key information electronically from field locations.[4] These systems are configured to present field data to the controllers, and may include additional historical, trending, and alarm management information. Controllers track routine operations continuously and watch for possible developing abnormal operating or emergency conditions. A controller may take direct action through the SCADA system to correct the conditions or the controller may alert and defer action to others.

    ii. Importance of Control Rooms and Controllers

    Control rooms and controllers are critical to the safe operation of pipeline systems and LNG facilities. Control rooms often serve as the hub or command center for decisions such as adjusting commodity flow or facilitating an operator's initial response to an emergency. The control room is the central location where humans or computers receive data from field sensors. Commands from the control room may be transmitted back to remotely controlled equipment. Field personnel also receive significant information from the control room. In essence, the control room is the “brain” of the pipeline system or LNG plant. Errors made in control rooms can have significant effects on the controlled systems. A controller's errors can initiate or exacerbate an accident. A controller's improper action or lack of action can place undue stresses on a pipeline segment or an LNG facility, which could result in a subsequent failure, the loss of service, or an increase in lost commodity, leading to risk to people, the environment, and the fuel supply. Controller responses to developing abnormal operating conditions or accidents can alleviate or exacerbate the consequences of some events regardless of the initial cause.

    A brief description of a few accidents can help illustrate the importance of control rooms and controllers to safe pipeline operation. More often than not, however, control rooms and controllers are a significant part of an operator's response to abnormal and emergency events rather than the cause.

    • A batch of hazardous liquid expected to fill several tanks was being received at a tank terminal. A tank switchover was scheduled to occur late in a controller's shift. The switchover did not occur at the scheduled time due to a reduction in flow rate in the pipeline, but the controller failed to inform the relief controller at shift change. The oncoming controller assumed the switchover had happened as scheduled, and therefore did not monitor the levels in the tank being filled. The liquid overflowed the tank and was ignited. The resulting fire caused considerable damage including the destruction of two large storage tanks.
    • A seldom-used manual valve in a hazardous liquid pipeline system had been closed to facilitate maintenance. The controller was aware that the valve was closed. The controller was not aware, however, that the indication on his computer display of pressure near the valve came from a transducer downstream of the valve. The display indicated it was from the upstream side of the valve. While filling the isolated portion of the pipeline to return it to service, the controller over-pressurized the line, resulting in a rupture.
    • While diverting hazardous liquid pipeline flow from one facility to another, an elevated pressure caused the rupture of a pipeline at a location weakened by previous third party damage. Pumps had automatically shut off due to the high pressures. Despite a sharp drop in line pressure, the controller did not recognize that the pipeline had failed, and re-started the pumps. As a result, a significant amount of product was released through the ruptured line, ignited, and resulted in several fatalities. Maintenance activities being performed on the computers of the SCADA system at the time of the event hampered the controller from recognizing and reacting to the failure.
    • A slug of contaminants was introduced into a gas transmission pipeline when gas was drawn from storage. The contaminants affected instruments and regulators as the slug moved down the pipeline, resulting in many control room alarms. The controller operating the pipeline did not recognize what was happening and failed to initiate corrective action in time to avoid loss of gas supply to several towns.
    • A citizen called a gas pipeline control room to report a sheen on a creek in a right-of-way shared with hazardous liquid pipelines. The citizen called the gas control room because its telephone number was on the pipeline marker the citizen located in the corridor. The controller of the gas pipeline failed to contact the controllers of the liquid pipelines in the shared corridor, and referred the information from the call to a field office that was unattended at the time. The result was a delay of several days in responding to a potential failure of one of the liquid pipelines.
    • In a similar situation, a citizen telephoned a gas control room and reported a leak. The controller concluded the company had no facilities in the area, that any problem was thus not theirs, and did not follow up. The leak persisted and subsequent calls to regulatory agencies resulted in locating a number of leaks in the area affecting facilities operated by the control room that took the original call.

    iii. Local Control and LNG

    Many pipeline systems and LNG plants have equipment that is locally controlled via a control panel located on or near the field equipment. The individuals who operate this equipment using the control panel could be considered controllers depending on their shared and associated responsibilities with controllers at other locations. This may also depend on the specific equipment being controlled and whether or not the controlled equipment is within direct observation of the individual at the local control panel.

    Gas pipeline operations are sometimes associated with LNG plants. LNG facilities are operated from control rooms and can have locally-controlled equipment in the same manner as pipeline facilities. In addition, some LNG control rooms also control pipeline systems connected to the LNG plant. Working from control rooms, controllers operate LNG facilities, pipelines associated with the facilities, and locally controlled equipment within LNG plants.

    Most pipeline systems today have control rooms. These facilities can be located at some distance from the pipeline, or they may be in close proximity to the pipeline. Many pipelines also have locally controlled equipment operated by controllers. This proposed rule addresses all of these situations. Pipeline and LNG facilities include compressor stations, hazardous liquid terminals, pump stations, LNG plants, and any other locations where controllers are located. In addition, control room also means a control center, control station, or any other such terminology.

    iv. Providing Tools for Effective Controller Performance

    Pipeline and LNG controllers impact the safety and integrity of the pipeline and LNG facilities they operate by being vigilant during normal operations and by properly responding to abnormal operating conditions and potential emergency situations. Public safety can be enhanced when a pipeline or LNG operator provides a controller the necessary tools and management support, while implementing and tracking thoroughly developed processes used by controllers.

    SCADA systems, which are widely used throughout the pipeline industry, can be as simple as computerized field equipment that allows an individual to monitor alarms or control equipment within a pipeline facility; or they can be more complex and diverse to allow a controller to monitor, or monitor and control, many facilities as part of a complex pipeline network involving various communications mediums, often from a control room that is hundreds of miles away. For some pipeline operators, the application of SCADA systems has resulted in a reduction of pipeline field personnel, making the role of the controller even more critical to the safety and integrity of pipeline facilities.

    Pipeline and LNG controllers also must have adequate and up-to-date information about the conditions and operating status of the equipment they monitor, or monitor and control, if they are to succeed in maintaining pipeline safety. Incorrect, delayed, missing, or poorly displayed data may confuse a controller and can lead to problems despite the extensive training, qualification, and abilities of the controller.

    v. Controller Knowledge and Abilities

    Operators should assure that controllers perform their duties promptly and accurately, including routine operations and response to developing abnormal operating conditions or emergency circumstances, to help maintain pipeline and LNG facility safety. Existing operator qualification (OQ) regulations for pipeline personnel currently address a portion of the processes affecting a controller's ability to succeed in maintaining pipeline safety and integrity.

    A controller should possess certain abilities, and attain the knowledge and skills necessary to complete the various tasks required for a specific pipeline system or LNG facility. To attain the necessary knowledge and skills, the controller is typically required to complete extensive on-the-job training and is often closely observed by an experienced controller for a period of time. The controller must also review and understand appropriate procedures, including those associated with emergency response, and repeatedly practice the correct responses to a variety of abnormal operating conditions. A controller's skills and knowledge are then evaluated through the pipeline operator's OQ process. Many pipeline operators require additional company-specific performance requirements that are outside of the operator's OQ program.

    Many controllers routinely monitor and send commands to change flow rates and pressures, open and close valves, start and stop compressors or pumps, monitor tank levels, identify abnormal operating and emergency conditions, and perform a key role when a safety response is needed. In some pipeline systems, controllers also monitor corrosion control rectifiers, odorant systems, purge operations, leak detection equipment, and security systems. Prompted by an assortment of factors, controllers re-direct flow, start and stop pipeline segments, or further adjust flow rates to accommodate market conditions, maintenance activities, and weather conditions on a regional or national basis. For these pipelines, dynamic operating conditions require controllers to have a high level of knowledge, skills, and abilities to safely maintain systems and to promptly recognize abnormal operating conditions or other anomalies as situations develop. In other pipelines and distribution systems, controllers use computers to closely monitor operating conditions, and then alert field personnel to take action when upset, abnormal or emergency conditions arise.

    A controller needs adequate, thorough training and qualifications as well as appropriate timely data, a control system designed to aid in the prompt identification of abnormal conditions, and an understanding of the controller's authority to take appropriate actions.

    vi. Control Room Management

    All of this must occur within an environment that facilitates appropriate and correct actions. Operators must appropriately manage the factors affecting the controller, including relevant human factors and operator processes and procedures. PHMSA refers to the combination of all these factors as control room management.

    Centralized pipeline and facility control operations generally fall into one of three control function categories or into a hybrid combination:

    1. Monitor, detect, and perform full remote control.

    2. Monitor, detect, and direct field operating personnel to perform specific actions.

    3. Monitor, detect, and alert field operating personnel, and defer action to field personnel.

    Controllers use SCADA systems to detect and monitor operational conditions. A controller then performs the required control function or directs or defers to field operations for needed attention based on the controller's responsibility, authority, and assessment of the situation.

    Individual station computer control may be implemented through:

    1. A unified control system within the station or plant, or

    2. Individual unit-mounted control panels for each piece of equipment or groupings of equipment.

    Pipeline operations can vary significantly based on the physical properties of the commodities transported. For example, compressibility is a fundamental difference between natural gas and some hazardous liquids. SCADA system configuration, communication schemes, control modes and applied instrumentation, pipeline system configuration and complexities, size, procedures, and practices can further differentiate pipeline operations. These differences can have dramatic effects on the required content and scope of a controller's training and qualifications, and on operational procedures and configuration of applied SCADA control systems. Differences in pipeline operations can also exist because some controllers are union employees governed by contract conditions and some are not. This can impact the number of hours worked, activities performed, number of controllers on shift, and other factors such as shift schedules.

    All controllers have some opportunity to mitigate risks. The degree to which they can affect pipeline safety may vary. For example, all controllers, including those that monitor only, can affect minor events (i.e. those not meeting reporting thresholds) and can influence the impact of future incidents in a positive manner. Pipeline controllers require similar cognitive and analytical skills. Additionally, control room procedures, pipeline controller tools, training, skills, and qualifications can impact controller performance.

    The nature of a particular control arrangement and the commodity transported will affect the actions an operator must take to manage the control environment and permit controllers to be successful in maintaining pipeline safety. None of these differences, though, obviate the need for control room management.

    C. The Safety Pyramid

    Operators of gas pipeline systems must submit to PHMSA written reports of events meeting certain criteria as incidents. Over the past 10 years, gas pipeline operators have submitted written reports for approximately 100 incidents per year on approximately 300,000 miles of gas transmission pipelines and approximately 130 incidents per year on approximately 2 million miles of distribution pipelines. Similarly, operators of hazardous liquid pipeline systems must submit to PHMSA written reports of pipeline system failures meeting certain criteria as accidents. Over the same 10 years, hazardous liquid pipeline operators have reported an average of approximately 140 accidents per year on approximately 160,000 miles of pipeline. The total number of accidents reported to PHMSA is about 370 per year.

    There are far more events, failures and near misses that occur on pipelines than those that require written reports. Some involve off-normal conditions for which controllers or automated safety systems intercede to prevent serious consequences. Others do not progress to the point of needing controller or safety system involvement. Pipeline operators document some near misses, but not all. PHMSA believes there are other low-order events, failures and near misses that occur unobserved.

    The term “safety pyramid” was used by Dr. D.W. Heinrich (1881-1962), an insurance company analyst who analyzed industrial accident prevention in the 1930s. In particular, he studied the relationship of events of varying significance and concluded that serious events (e.g., those resulting in fatalities) in any system occur in much smaller numbers than events of lesser significance. His work generally divided events into a 300-29-1 ratio, where there is 1 significant failure and 29 notable events in every 300. Heinrich called this relationship the “safety pyramid.” In turn, the number of errors and situations not recognized as “events” is even larger. Reportable pipeline accidents and incidents are only the tip of the safety pyramid. More events and failures occur at lower levels of the pyramid, including many near-miss events. Information about these near-miss events, whether affecting a gas pipeline, hazardous liquid pipeline, or LNG facility, can lead to identifying key elements that can prevent events and failures from reaching the tip of the safety pyramid. Controller vigilance and appropriate response to lower-level events thus serves to prevent reportable pipeline incidents from occurring.

    D. Learning From Industry-Wide Operating Experience

    The proposed rule would require operators to establish a program to evaluate events that occur on their pipeline systems to identify lessons that can be used to improve control room performance. PHMSA believes it would be useful for the pipeline industry to establish a program to perform the same function for events occurring across the pipeline industry and to disseminate to all pipeline operators the lessons learned.

    It is self-evident that more events occur within the pipeline industry than on any individual pipeline system. The industry's safety pyramid is larger than that for any individual operator. This larger database of experience would provide more opportunity to learn lessons that can be used to improve the ability of controllers to maintain pipeline safety. For example, the airline industry and nuclear power plants have processes to collect and analyze operating experience and to share important lessons across their sectors. No such process exists within the pipeline or LNG industries. Some information about failures can be gleaned from news reports and discussions in trade association meetings, but pipeline and LNG operators do not usually share the details of failures. Operators are even less likely to share information about the bulk of close-calls and other minor events in the lower sector of the safety pyramid. Events with significant consequences (e.g., the 1999 hazardous liquid pipeline leak and explosion in Bellingham, Washington, or the 2001 gas transmission pipeline explosion near Carlsbad, New Mexico) get considerable press attention and become well known. The NTSB investigates significant pipeline events and issues reports and recommendations. Some events of lesser significance may be reported in trade press or by informal communications among pipeline operators, but there is no formalized process to collect and analyze information regarding close-call events or problems with more limited consequences in the pipeline industry.

    For larger pipeline operators, the sheer number of pipeline segments and stations may allow for the creation of a sufficiently large database of events to yield analytical value, but for most operators, their own experiences are not adequate to do so. Industry trade associations or other cooperative organizations could sponsor an industry-wide process to collect and analyze such information. Issues of proprietary information and perceived industry collusion are real constraints, but these have been dealt with in other industries.

    While the proposed rule would require each operator to establish a program to evaluate events that occur on its pipeline system, the rule would not require an intra-industry operating experience review process. PHMSA believes such intra-industry review could be useful, but does not consider it appropriate to require one at this time, in order to avoid the issues of unnecessary disclosure of proprietary information and perceived industry collusion. PHMSA encourages these industries to consider establishing such processes and invites the public and industry to comment on the value of such an inter-company review process.

    III. Human Factors Studies

    A. PHMSA Controller Study

    PHMSA had been studying and evaluating control room operations for many years and began developing control room inspection guidance in 1999. Subsequently, Congress enacted the PSIA, which the President signed into law on December 17, 2002. Section 13 of the PSIA required the DOT to conduct a pilot program to evaluate whether pipeline controllers should be certified based on tests and other requirements. In response to the PSIA, PHMSA conducted the CCERT study and reported findings to Congress in a report dated December 17, 2006, entitled “Qualification of Pipeline Personnel.” This project included a comprehensive review of existing controller training, qualification processes, procedures, and practices. This review also included identifying potential enhancements such as validation and certification processes currently used in other industries to enhance public safety.

    Understanding the attributes traditionally contained in existing operators' training and qualification programs was an essential element of CCERT. Process techniques, practices, and procedures are significant and valuable tools to train and qualify controllers. PHMSA identified techniques, practices, and procedures through interviews with numerous pipeline operators and controllers in a variety of situations. This included pipelines of a wide array of types and sizes and both union and non-union controllers.

    PHMSA determined what actions would lead to an additional assurance that pipeline controllers are adequately qualified to perform safety-sensitive tasks. The project team also identified key processes and procedures critical to control room safety and reviewed certification programs. To consider validation or certification of pipeline operators' qualification processes, the training and qualification programs should be thorough and adequately administered. PHMSA's primary project objectives were to review and evaluate the structure and content of operators' training and qualification programs and to identify controller procedures that can have an impact on pipeline safety and integrity.

    The project focused on the content of the pipeline operators' administrative, training, and evaluation techniques that make up the controller training and qualification processes, and included a review of related safety and integrity procedures. Ultimately this information helped to:

    • Identify content that should be included in an operator's training program for controllers.
    • Identify content that should be included in the qualification programs to provide a higher assurance that controllers possess adequate knowledge, skills, and abilities to maintain the safety and integrity of the pipeline.
    • Determine what form of validation should be used to ascertain that pipeline controllers are adequately qualified and sustain those qualifications.
    • Identify aspects of safety and integrity practices and procedures that are critical to controllers.

    PHMSA established and implemented a strategy for receiving and encouraging ongoing stakeholder interaction early in the project. This approach involved the participation of numerous stakeholders that provided information including a focus group with representatives of the public, industry trade associations, pipeline operators, state and Federal pipeline safety agencies, and academia. PHMSA shared insights regarding key operational and logistical considerations for the project and collected comments from the group at key phases of the project. Information came directly from the focus group participants and indirectly from members of their respective constituencies. In addition, PHMSA presented project updates at numerous trade association meetings and other stakeholder forums to solicit additional feedback.

    PHMSA gathered supplemental information regarding controller qualifications from pipeline operators transporting various commodities with diverse control room characteristics, complex control operations and minimal monitoring operations, union and nonunion work environments, and varying pipeline mileage. Additional information was also obtained from the following sources:

    • National Transportation Safety Board (NTSB);
    • PHMSA Pipeline Technical Advisory Committees;
    • National Association of Pipeline Safety Representatives (NAPSR);
    • Pipeline trade organizations such as the
        ◦ American Petroleum Institute (API),
        ◦ Association of Oil Pipelines (AOPL),
        ◦ American Gas Association (AGA),
        ◦ American Public Gas Association (APGA), and
        ◦ Interstate Natural Gas Association of America (INGAA);
    • Research by
        ◦ Najmedin (Najm) Meshkati, Professor of Civil/Environmental Engineering and Professor of Industrial and Systems Engineering at the University of Southern California,
        ◦ Craig Harvey, Industrial and Manufacturing Systems Engineering, Louisiana State University, and
        ◦ Marvin McCallum, Christian Richard, Battelle Seattle Research Centers;
        ◦ Aviation,
        ◦ Railroad,
        ◦ Nuclear power, and
        ◦ Electric power transmission.

    PHMSA gathered additional information from the Environmental Protection Agency, the Occupational Safety and Health Administration, and the Chemical Safety Board. Because training, qualification, and certification programs are implemented in various forms, discussions about lessons learned in the development, implementation, and maintenance of programs in other industries were especially valuable.

    PHMSA sponsored two public workshops (June 27, 2006, and May 23, 2007) that provided various stakeholders an opportunity to discuss options to enhance the adequacy of control room management, provide substantiation of existing pipeline control management processes, discuss human fatigue issues, present existing qualification processes, and provide insights on other programs or methods used to provide for effective monitoring and control of pipelines.

    The workshops provided additional information and promoted discussion on the most critical factors emerging from the CCERT and the NTSB recommendations (discussed below) affecting the control and monitoring of gas and hazardous liquid pipelines. PHMSA provided an opportunity to discuss findings as a basis for providing further assurance about the effectiveness of pipeline control and the skills and qualifications of controllers. To foster discussion, PHMSA posed a number of specific questions in the Federal Register notices announcing the workshops, which were then discussed during the workshops, yielding valuable information, ideas, and opinions from a broad assortment of stakeholders.

    The first workshop was divided into several sessions, each highlighted by panel discussions and an open question and answer period. The panels were made up of subject matter experts from the public, industry, and government. The panelists discussed formalized procedures to control shift rotation schedules, shift changeover practices and possible ways to improve training on fatigue. Discussions included the CCERT recommendations providing clear direction regarding the controller's authority and responsibility to promote prompt detection and appropriate response to abnormal operating and emergency conditions and ways to address major changes in the controller's operating environment.

    The panelists discussed the importance of operators routinely reviewing alarm and event displays to identify when changes are necessary as well as additional measures to further protect against unauthorized access to the SCADA area. Different types of training associated with the recognition of abnormal operating conditions, emergencies, and maintaining personnel qualifications were also reviewed. A more detailed summary of the workshop is available in the CCERT docket, PHMSA-RSPA-2004-18584.

    The significant outcome of CCERT was the identification of elements that can provide value in controller training and qualification processes and the recognition of the importance of thoroughness and clarity of controller-related procedures that affect pipeline safety and integrity. Also of value was the identification of a validation process for the implementation and review of these same processes and procedures. Enhancements to operator programs affecting controllers can be realized with thorough and formalized procedures and practices, additions to training and qualification programs, stimulated discussions in industry fostering a continued sharing of best practices, and the development of industry-wide recommended practices and standards. Other factors can also influence a controller's ability to succeed. Pipeline operators should identify a controller's physical work environment, visual and aural distractions, ancillary work assignments that dilute a controller's attentiveness, workload, and SCADA system performance.

    The CCERT team concluded that a single controller certification process for the entire pipeline industry would not be appropriate for a number of reasons. First, because of the wide variability among pipeline systems, a uniform controller qualification (certification) examination would have to be very general. Second, a general exam would need to be supplemented by significant and specific material for each system by each operator before a controller could adequately perform his duties. Third, a uniform controller qualification or certification test for the entire industry would not address many operator-specific and sometimes unique tasks critical to individual pipeline safety and integrity.

    The CCERT team concluded, however, that requiring operators to validate, review, and continuously improve the adequacy of controller-related training, qualification, and procedures specific to each operator's pipeline would lead to improved public safety and better safety management in control rooms.

    The CCERT team also concluded:

    • As a cause or contributor to pipeline events or failures, control rooms rank very low compared to corrosion, material defects, and third party damage, but controllers must respond appropriately to each of these identified contributing factors.
    • Controllers are in a position of great importance to detect and react to abnormal operating and emergency conditions, thereby helping to avert failures and mitigate damage after a failure occurs.
    • Controllers are key players in a company's response to abnormal operating and emergency conditions.
    • The low probability of controller error is offset by the potentially high consequence of damages and injuries as a result of their improper actions.
    • Remote monitoring or control through the use of a computer system may be performed in a formal control room, or numerous less formal settings such as an individual's office, service vehicle, or residence.
    • The location of monitor or control functions does not define the nature or complexity of operations.
    • Established definitions used in other regulations such as large or small operators based on pipeline mileage, location of the facility, or less than 20% of the specified minimum yield strength (SMYS) of the pipeline, are not good qualifiers in defining control room risks.
    • More complex and diverse operations call for more thorough control room systems and processes.
    • Involvement of field personnel in control activities has the potential to positively or negatively influence risk control.
    • Although some operators still use 8-hour shifts, most operators have moved to 12-hour shifts.
    • Choice of shift plan and rotation schedule is usually not supported by analytical review for fatigue.
    • Most operators are performing at least a subset of the actions included in this proposed rule, but frequently without documentation of the basis for their process design choices or implementation methods, and sometimes without formalized procedures to maintain consistency or to provide for continuous improvement through review.

    Because controllers can have a great influence on the outcome of abnormal operating and emergency conditions, it is important that we provide for adequacy of controller knowledge, skills, abilities, and performance and their maintenance over time. PHMSA has identified fundamental operating procedures and practices, which should be used by pipeline controllers to enhance public safety. Most operators are currently using a subset of these procedures and practices, but use of these procedures and practices is not universal throughout the industry. The project team concluded that operators should be required to have more thorough, formalized procedures and processes for controller training and qualification which would be evaluated by the appropriate Federal or state regulatory authority.

    PHMSA collected and reviewed information from recent accident data analysis, complaints, inquiries, safety related condition reports, operator visits, PHMSA CCERT team operating experience, and the CCERT pilot program to be certain the activities of the pilot project operators and subsequent recommendations included recognition of lessons learned from those events that have been attributed to, or aggravated by, controller action or lack of action. While information reviewed indicates there is low probability for controller error to be the primary cause of an accident when compared to corrosion and other causal factors, this can be offset by the potentially high consequence of controller actions or inaction. Other industries, which employ validation and certification programs for control room personnel, also provided lessons learned in the development, implementation, and maintenance of validation and certification programs.

    Through the CCERT study, PHMSA identified a number of areas associated with the performance of control rooms that require enhancement. These areas were identified through numerous control room observations, PHMSA CCERT team operating experience, the collection of related research and project activities, controller cognitive skills review, the pilot program, and the comparisons with control room management issues in parallel industries. The enhancement areas incorporated into this proposed rule are as follows:

    • Clearly define the roles and responsibilities of controllers to promote their prompt and appropriate response to abnormal operating conditions.
    • Formalize procedures for recording critical information and for exchanging information during shift turnover or other times when a controller needs to be away from the desk and duties.
    • Establish shift lengths, maximum hours of service limitations, and schedule rotations that provide sufficient time off work for rest in order to protect against the onset of fatigue that could affect the performance of pipeline controllers.
    • Educate controllers and controller supervisors in fatigue mitigation strategies and how non-work activities contribute to fatigue that could affect pipeline control and control room management.
    • Periodically review SCADA displays to ensure controllers are getting clear and reliable information from field stations and devices.
    • Periodically audit alarm configurations and handling procedures to provide confidence in alarm signals and to foster controller effectiveness.
    • Involve controllers when planning and implementing changes in operations.
    • Maintain strong communications between controllers and field personnel.
    • Determine how to establish, maintain, and review controller knowledge, skills, abilities, and qualifications.
    • Develop performance metrics with particular attention to response to abnormal operating conditions.
    • Analyze operating experience, including accidents, for possible involvement of the SCADA system, controller performance, and fatigue.
    • Validate the adequacy of controller-related procedures and training, and the qualifications of controllers annually through involvement by senior-level executives of pipeline companies.

    PHMSA considers annual senior executive validation a key element. This would require a pipeline operator's senior executive responsible for pipeline operations to attest to the content and thoroughness of controller training and qualification programs and related procedures that impact safety, and to verify that the individuals who operated the pipeline or LNG facility during the year have completed these training and qualification programs. The executive validations would be subject to regulatory review and inspection, and create a stronger ownership and responsibility of senior management in regard to potential fines and court proceedings. A secondary benefit of this validation process would be improved communication between executive level management, control room supervision, and controllers regarding concerns, duties, procedures, and processes resulting in an elevated awareness within each pipeline operator regarding the critical nature of a controller's job as well as the impact of controller duties on the safety and integrity of pipeline operations.

    Discussions in the first public workshop held June 27, 2006 reflected general acknowledgement by the pipeline industry that the process outlined above was appropriate to reduce control room risk. There was also general agreement that much of the process is in place in many pipeline control operations. A summary of this workshop is available in the docket PHMSA-RSPA-2004-18584.

    PHMSA's second public workshop was held on May 23, 2007. Representatives of the pipeline industry, trade associations, the NTSB, other modes of transportation, and public interest groups presented their views on issues ranging from operator fatigue to the need to periodically review control room procedures. There was general agreement among workshop participants that controllers play an important role and that a human factors plan could have value. At the same time, most agreed that there was no need for major changes to current control room practices and staffing. A summary of this workshop is available in the docket PHMSA-2007-27954.

    B. NTSB SCADA Study

    The NTSB conducted a safety study on hazardous liquid pipeline SCADA systems during the same time period as PHMSA conducted the CCERT study. The PHMSA project addressed a wider perspective of interest, but includes findings similar to those in the NTSB Report.[5] The NTSB study identified areas for potential improvement, which resulted in five recommendations; three are incorporated in this proposed rule. PHMSA is addressing the other two recommendations independent of this proposed rulemaking.

    The impetus of the NTSB study was a number of hazardous liquid accidents investigated by the NTSB in which leaks went undetected after the initial indications of a leak were apparently evident on the SCADA system. The NTSB designed its SCADA study to examine how hazardous liquid pipeline companies use SCADA systems to monitor and record operating data and to evaluate the role of SCADA systems in leak detection. The study identified five areas for potential improvement:

    • Display graphics.
    • Alarm management.
    • Controller training.
    • Controller fatigue data collection.
    • Leak detection systems.

    While this NTSB SCADA study specifically addressed hazardous liquid pipelines, NTSB included in the report an appendix listing all of its SCADA-related recommendations, which resulted from investigations of both hazardous liquid and gas pipeline accidents. Since 1976, the NTSB has issued approximately 30 recommendations either directly or indirectly related to SCADA systems involving both hazardous liquid and gas pipeline systems. PHMSA considers that the NTSB recommendations apply equally to gas and hazardous liquid pipelines and to LNG facilities. The recommendations are as follows:

    NTSB Recommendation P-05-1

    Operators of hazardous liquid pipelines should be required to follow the API Recommended Practice 1165 (API RP 1165) for the use of graphics on the SCADA screens.

    NTSB Recommendation P-05-2

    PHMSA should require pipeline companies to have a policy for the review and audit of SCADA-based alarms.

    NTSB Recommendation P-05-3

    Operators should be required to include simulator or non-computerized simulations for training controllers in recognition of abnormal operating conditions, in particular leak events.

    NTSB Recommendation P-05-4

    PHMSA should change the hazardous liquid accident reporting form (PHMSA F 7000-1) and require operators to provide data related to controller fatigue. PHMSA is addressing this recommendation in a separate action.

    NTSB Recommendation P-05-5

    PHMSA should require operators to install computer-based leak detection systems on all lines unless engineering analysis determines that such a system is not necessary. PHMSA is publishing a report on leak detection systems and technology in 2008.

    PHMSA is addressing the first three recommendations in this proposed rule. Based on PHMSA's review of accident and incident data, the project team found that errant SCADA displays have the potential to confuse or mislead controllers or field personnel. They also found very few operators who consider the impact of color perception impairments and screen clutter or who perform periodic point-to-point verifications of screen display data with field instrumentation. Furthermore, the team found that training of the controllers usually did not include reference material to guide controllers to particular types of displays to help resolve certain types of abnormal operating conditions quickly or to address emergency response.

    The CCERT team found through discussions with operators that policies were seldom in place for systematically reviewing alarms on a regular basis. Many operators were not analyzing the number of alarms, seeking to eliminate unnecessary alarms, routinely determining if new alarms were needed, studying alarms to consider if grouping could consolidate information for more effective use, looking for systemic alarms, or reviewing alarms to verify alarm descriptions were clear to the controller. In addition, operators were not reviewing alarms to determine if abnormal operating conditions were frequently occurring together or consecutively. Rate-of-change alarms often were not being used as operational tools for controllers. Most operators were not looking for potential gradual degradation of controller response or changes in controller performance. Operators may have to reduce pressure because of concerns about the integrity of the pipeline, such as anomalies discovered during integrity management assessments. However, in many cases, the operators were not changing associated alarm set-point values, or field relief values, correspondingly when implementing these pressure reductions.
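    The alarm review activities listed above can be run as routine checks over an alarm history. The following Python sketch is an added example, not part of this notice or of any PHMSA or operator material; the alarm tags, log layout, thresholds, and the rule that a high-pressure alarm set point should not exceed a segment's current reduced pressure limit are all assumptions made for illustration.

```python
"""Alarm-review checks over a constructed SCADA alarm log (illustrative only)."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample alarm log: (timestamp, alarm tag, description shown to controller).
ALARM_LOG = [
    ("2008-03-01 02:00:10", "PS1_DISCH_PRESS_HI", "Station 1 discharge pressure high"),
    ("2008-03-01 02:00:40", "PS1_FLOW_LO", "Station 1 flow low"),
    ("2008-03-01 02:15:00", "TK4_LEVEL_HI", ""),
    ("2008-03-01 03:10:05", "PS1_DISCH_PRESS_HI", "Station 1 discharge pressure high"),
    ("2008-03-01 03:10:50", "PS1_FLOW_LO", "Station 1 flow low"),
    ("2008-03-01 03:40:00", "PS1_DISCH_PRESS_HI", "Station 1 discharge pressure high"),
    ("2008-03-01 04:05:00", "PS2_SUCT_PRESS_LO", "Station 2 suction pressure low"),
    ("2008-03-01 05:20:15", "PS1_DISCH_PRESS_HI", "Station 1 discharge pressure high"),
    ("2008-03-01 05:21:00", "PS1_FLOW_LO", "Station 1 flow low"),
]

# Constructed high-pressure alarm set points: tag -> (segment, set point in psig).
SETPOINTS = {
    "PS1_DISCH_PRESS_HI": ("SEG-A", 950.0),
    "PS2_DISCH_PRESS_HI": ("SEG-B", 780.0),
}

# Constructed current pressure limits per segment (psig) after a pressure reduction.
PRESSURE_LIMITS = {"SEG-A": 800.0, "SEG-B": 800.0}


def _ts(text):
    """Parse the log's timestamp format."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def frequent_alarms(log, threshold=3):
    """Tags that fired at least `threshold` times: candidates for elimination or retuning."""
    counts = Counter(tag for _, tag, _ in log)
    return [(tag, n) for tag, n in counts.most_common() if n >= threshold]


def unclear_alarms(log):
    """Tags logged with an empty description, which a controller cannot interpret."""
    return sorted({tag for _, tag, desc in log if not desc.strip()})


def co_occurring(log, window=timedelta(minutes=2), min_count=2):
    """Pairs of different tags that repeatedly fire within `window` of each other.

    Such pairs are candidates for grouping, or signs of one abnormal
    operating condition raising several alarms.
    """
    events = sorted((_ts(ts), tag) for ts, tag, _ in log)
    pairs = Counter()
    for i, (t_i, tag_i) in enumerate(events):
        for t_j, tag_j in events[i + 1:]:
            if t_j - t_i > window:
                break  # events are time-sorted, so later ones are further away
            if tag_j != tag_i:
                pairs[tuple(sorted((tag_i, tag_j)))] += 1
    return {pair: n for pair, n in pairs.items() if n >= min_count}


def stale_setpoints(setpoints, limits):
    """High-pressure alarms whose set point is above the segment's current limit.

    Assumption for this example: after a pressure reduction, the alarm should
    fire at or below the new limit, so a higher set point was not updated.
    """
    stale = []
    for tag, (segment, setpoint) in sorted(setpoints.items()):
        limit = limits[segment]
        if setpoint > limit:
            stale.append((tag, segment, setpoint, limit))
    return stale


if __name__ == "__main__":
    print("Frequent alarms:", frequent_alarms(ALARM_LOG))
    print("Alarms without a description:", unclear_alarms(ALARM_LOG))
    print("Co-occurring alarm pairs:", co_occurring(ALARM_LOG))
    print("Set points above current limit:", stale_setpoints(SETPOINTS, PRESSURE_LIMITS))
```
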

    The CCERT team's discussions with controllers identified that generic simulators and high-fidelity (frequently referred to as “full”) simulators were preferred training tools. The controllers interviewed generally found full simulators to have significant value. Tabletop discussions and exercises, and computerized simulators, were both found to be valuable resources for controllers in training for response to abnormal operating conditions. Direct controller involvement in scenario development of tabletop exercises and computer-based simulations can add safety value to these tools. Controllers can also provide significant feedback on exercise performance. However, controllers were frequently not represented in the development of exercises and frequently did not participate in exercises other than to call out appropriate responders. Controllers were seldom asked what could be done to make an exercise more realistic, provide greater value or improve team response performance.

    C. DOT's Human Factors Coordinating Committee (HFCC)

    The Secretary of Transportation established the HFCC in 1991 to become the focal point for human factors issues within DOT. Since its inception, the HFCC, a multi-modal team with government-wide liaisons, has successfully addressed crosscutting human factors issues in transportation. The HFCC has influenced the implementation of human factors projects within and among DOT's operating administrations, provided a mechanism for exchange of human factors and related technical information, and provided synergy and continuity in implementing transportation human factors research. DOT recognizes that many human performance issues are crosscutting and will benefit from a multi-modal approach. DOT needs coordinated human factors research to permit large research efforts that modes cannot support individually, to address multi-modal transportation issues, as well as to advocate for timely human factors research in transportation system solutions.

    PHMSA continues to actively participate on the HFCC, and has drawn from the work of the HFCC to help identify fatigue management strategies for control room management.

    IV. PIPES Act of 2006

    The PIPES Act of 2006 (Pub. L. 109-468) imposed additional requirements on PHMSA with respect to control room management and human factors. The PIPES Act requires PHMSA to issue regulations requiring each operator of a gas or hazardous liquid pipeline to develop, implement, and submit a human factors management plan designed to reduce risks associated with human factors, including fatigue, in each control room for the pipeline. Operator plans must include a maximum limit on the hours a controller may work in a single shift between periods of adequate rest. PHMSA, or a state authorized to exercise safety oversight, is required to review and approve operators' human factors plans, and operators are required to notify PHMSA (or the appropriate state) of deviations from the plan.

    The PIPES Act also requires PHMSA to issue standards to implement the first three recommendations of the NTSB SCADA safety study as described above. Controllers using computer equipment to monitor or operate pipeline facilities can be impacted by display information, alarms, and abnormal operating conditions regardless of what type of system they operate. PHMSA considers the recommendations to be equally applicable to hazardous liquid and gas pipelines (transmission and distribution) as well as LNG facilities. This proposed rule will respond to the mandates in the PIPES Act relative to control room management, human factors, and SCADA.

    V. Standards, Recommended Practices, and Guidelines

    One of the actions identified by CCERT was the development of consensus-based best practices to promote controller success. PHMSA is encouraged by recent industry efforts, including industry review of existing standards (such as the Instrument Society of America SP-18 and the Engineering Equipment and Materials Users Association 191A), guidance material in development by the Transportation Security Administration (TSA) focusing on SCADA CyberSecurity, and the development of other guidance, recommended practices, and standard documents. The structured development process used to establish this type of material has historically yielded great safety value. Such efforts focused on Control Room Management have the potential of enhancing safety, especially when all key stakeholders are included and contribute to the process.

    The following is a list of identified applicable standards, recommended practices, white papers, and guidance material that have been established, revised, or that are currently under development:

    • API RP-1165, SCADA Display Standard.
    • American Society of Mechanical Engineers (ASME) B31Q, Operator Qualifications.
    • API 1164, SCADA Security.
    • API RP1167, Alarm Management.
    • AGA, Alarm Management.
    • API RP 1161, Qualification of Liquid Pipeline Personnel.
    • TSA, SCADA CyberSecurity Guidance Material.
    • API RP 1168, Control Room Management.
    • ISA SP-18, Instrument Signals and Alarms.
    • EEMUA 191A, Alarm Systems—A Guide to Design, Management and Procurement.

    Development of the API recommended practice on control room management was initiated in February 2008 and is anticipated to be completed in February 2009. It is anticipated this document will address four of the nine enhancement areas addressed in PHMSA research and required in the PIPES Act. Specific guidance anticipated in this recommended practice will address: (1) Roles and Responsibilities, (2) Shift Operations, (3) Management of Change, and (4) Fatigue. PHMSA anticipates guidance on such aspects as clarifying operators' expectations for controllers to take action, information flow needed on field activities that could affect pipeline operations, direction of shift rotation and time between shifts, extent of off-duty activity and fatigue management strategy, personal responsibility for rest, how to recognize and mitigate fatigue, and the content of education programs to share with families of the controllers.

    PHMSA and NAPSR have been participating in the development of this recommended practice and other national consensus document efforts and will continue to support, participate in, and encourage the development of national consensus standards and recommended practices. Once these materials are completed, PHMSA will review them and consider a regulatory amendment to incorporate by reference all or parts of such applicable documents in amended regulations.

    VI. PHMSA's Proposed Approach

    PHMSA is proposing to require that appropriate control room management elements be incorporated into operator plans and procedures already required by existing regulations. PHMSA believes this approach will minimize the burden on operators and will prove more effective in the long term, because it will integrate these elements directly into the existing operator programs associated with these actions. This will also avoid operators having another plan that may create or exacerbate internal communication complexities. As is the case with other regulations, an operator would not be expected to establish processes and procedures for those tasks not applicable to their operations.

    These requirements would apply to operators of hazardous liquid, gas transmission, and gas distribution pipeline facilities, as well as to operators of LNG facilities. The requirements would not apply to operators of master meters or petroleum gas systems unless the operator transports gas as a primary activity. Master meter and petroleum gas pipeline systems are generally very simple and typically consist of only pipe, service regulators, meters, and manual valves. These systems do not typically include a control room, equipment requiring local control or computer systems for operations, or provisions for continuous remote monitoring. Operators of these systems are excluded from the scope of this proposed regulation. This proposed exclusion is consistent with other PHMSA initiatives and regulations.

    The control room management elements describe “what” an operator must include but not “how” an operator must carry out such elements. This is typical of performance-based regulations and it recognizes the significant diversity present among pipeline systems and control rooms.

    One of the elements proposed is a plan that each operator would develop and implement to limit the maximum length of time that a controller could work in a single shift between periods of adequate rest. The PIPES Act specifies that PHMSA (or a state authority) may not approve a control room management plan that does not include such a limit. This rule does not propose a maximum hours of service limit, since PHMSA recognizes operator-specific factors may affect this limit for each operator. Many controllers work 12-hour shifts, as do individuals with similar jobs in other industries. PHMSA has no technical objection to 12-hour shifts. For control rooms staffed on a 24-hour basis, we also recognize that additional time is required at the beginning and end of each shift to accomplish a thorough shift turnover between incoming and outgoing controllers. Thorough shift turnover procedures are important and are one of the elements included in this proposed rule.

    Research performed by others has repeatedly identified a need for individuals to have eight hours sleep each day to maintain their best performance.[6] PHMSA understands that operators have limited control over what a controller does during off-shift hours, but the agency expects that shift schedules will be established to provide a reasonable opportunity for a controller to achieve eight hours of sleep and for operators to educate controllers on the importance and need for adequate rest. PHMSA expects operators to take these factors into consideration when establishing a limit on the maximum hours an individual controller would work in a single shift, between periods of adequate rest. Operators should also consider other factors that may be unique to their operations and should provide an adequate amount of time between shifts so that controllers can rest and be expected to be free from fatigue.

    Shift change may not be the only time that controllers relieve each other and need to communicate critical information. Operators need to consider what other factors may determine when a thorough and complete set of information is necessary to be communicated to controllers and their supervisors. PHMSA will take all the above factors into consideration when reviewing operators' shift plans, rotations and schedules and educational programs about the importance of adequate rest.

    PHMSA will fulfill the PIPES Act requirement to review operator plans by evaluating related programs, procedures, records, and related documentation during inspections. PHMSA will also develop guidance to assist inspectors in conducting comprehensive inspections and evaluations addressing all required control room management elements. This guidance will help Federal and State agencies achieve maximum impact from the evaluation of operators' plans, maintain consistency and uniformity among inspections, and reduce the amount of subjectivity during inspections.

    VII. The Proposed Rule

    This proposed rule would affect operators of hazardous liquid, gas transmission, and gas distribution pipelines and operators of LNG facilities that use controllers. The nature of these facilities and their related control rooms vary, as do the complexity of pipeline systems and facilities. The proposed rule would not affect master meter operators or operators of petroleum gas systems unless the operator transports gas as a primary activity. This performance-based rule describes the necessary elements and outcomes operators must accomplish but does not prescribe exactly how operators must incorporate each element. Each operator must have documented procedures, guidelines or practices, tailored to the operator's specific systems, control regime, and circumstances.

    Controllers play a critical role in any system that uses human-machine interface to monitor or control pipeline systems, LNG facilities, or other equipment. The nature of that role varies with the type of commodity and the relative complexity of the pipeline system and facilities, but the analytical and cognitive skills needed are similar in all cases. Gas industry trade groups have expressed their view that controllers have limited opportunity to affect pipeline safety; PHMSA disagrees. Furthermore, gas pipeline controllers interviewed by PHMSA and those serving as subject matter experts on the ASME B31Q [7] national consensus standards team for operator qualifications have also indicated that their actions could impact safety. While the compressibility of gas and the rapid progression of gas transmission pipeline failures generally make it unlikely that controller actions can cause an incident or mitigate the immediate effects of an incident, PHMSA believes that controller actions in gas pipeline systems can make incidents more likely.

    PHMSA also believes that controllers can hinder mitigative actions after the initial consequences of a rupture; can recognize abnormal operating conditions and intercede to prevent incidents; and can routinely perform significant functions to operate the pipeline and facilities in a safe manner. PHMSA also notes that all controllers serve important functions in the response to incidents and accidents. In many cases, controllers serve as the first line of defense to prevent incidents and accidents, and thus serve an important safety function requiring special training and qualification. PHMSA concludes that the minimum actions required by this proposed rule, expressed in simple performance terms, are necessary and reasonable. PHMSA also concludes that many of these actions are already being used or exceeded by pipeline operators and that imposition of these requirements will improve safety without unreasonable burden.

    This proposed rule would add provisions to 49 CFR parts 192, 193, and 195. Rather than describe these changes on a section-by-section basis, this document describes them by topic because the general content of the changes in each part is the same.

    A. Changes to Operations and Maintenance (O&M) Manuals

    PHMSA is proposing the human factors management plan required by the PIPES Act be comprised of several enhancements in each operator's written O&M procedures manual(s), OQ program, and emergency procedures plan. PHMSA believes this makes it more likely that the actions required in this proposed rule will be integrated effectively into pipeline operations, thus limiting the potential for miscommunications to occur.

    PHMSA is proposing to include these requirements in a separate section within each part because we believe the verification and deviation reporting provisions of this proposed rule will be easier to understand if included in a separate code section for control room management.

    B. Definitions

    This proposed rule adds the definitions of four key terms to improve the clarity of the proposed new requirements: Alarm, controller, control room, and SCADA.

    An alarm is defined as an indication provided by SCADA or a similar monitoring system that a monitored parameter is outside normal or expected operating conditions. Controllers need to be aware of these conditions, and a number of these conditions need to be controlled in order not to overwhelm the controllers. The proposed rule provides for periodic actions to review alarm management. The new definition is intended to make certain that treatment of these abnormal indications is addressed as part of this management, whether or not individual operators call them alarms.

    Fundamentally, a controller is an individual who uses computer-based equipment to monitor, or monitor and control, all or part of a pipeline system or LNG facility. Individuals who monitor or control a pipeline or LNG facility using computerized systems are controllers. For the purposes of this rule, individuals who operate equipment locally but who cannot actually see the equipment respond without using a closed circuit television system or other external devices are controllers when performing these activities, regardless of their job title or whether their actions are overseen by other controllers or supervisors. Conversely, individuals who operate equipment locally and can see the equipment respond without using a closed circuit television system or other external devices are not controllers. Maintenance and other personnel accessing data from the control system are not controllers.

    While controller oversight of individuals operating equipment locally can facilitate the recognition of inappropriate control actions and possibly mitigate their consequences, the oversight does not generally allow prevention of inappropriate actions before they create adverse conditions. PHMSA believes that preventing actions that could result in unfavorable consequences is more important than identifying and possibly mitigating these actions after they occur. Therefore, we conclude that treating individuals operating equipment locally as controllers, even if they are subject to oversight or supervision by other trained individuals, is necessary to maintain public safety.

    A control room is traditionally a central location where a pipeline system or LNG facility is monitored or controlled, regardless of whether all, or only part, of a pipeline system or LNG facility is monitored or controlled. Control rooms may include multiple stations for individual controllers who monitor or control portions of the pipeline system or facility, or instead may house a single controller. Central locations within a field station (e.g., pump or compressor station, terminals) that include controls for multiple pieces of equipment are considered control rooms for purposes of this proposed rule, though the equipment at such field locations may not include the capability to monitor or control portions of the pipeline outside of the field station. A control room is sometimes referred to as a control center, control station or by other similar terminology. However, a controller may perform his duties by non-traditional means such as using a laptop in a vehicle.

    This proposed rule adds a definition for SCADA. These are the computer-based systems that collect and display information about the status of the pipeline or facility and display that information to controllers for their use in monitoring or controlling the pipeline or facility. Many SCADA systems provide the capability to control pipeline equipment from remote control panels but systems that only provide monitoring information are also considered SCADA systems.

    C. Implementation Schedules

    PHMSA recognizes that different pipeline systems possess different levels of risk from potential controller errors. We also recognize that developing and implementing procedures for more complex systems that pose the greatest risks needs to be thoroughly analyzed. Operators must take the time necessary to be thorough in developing their procedures. Complex systems often require additional time to train all personnel and fully implement these procedures. For some pipelines, negotiations with unions may be required to implement these requirements; such negotiations take time. PHMSA has tried to balance these needs in the implementation schedules included in this proposed rule.

    Operators of hazardous liquid pipelines and gas transmission pipelines controlled or monitored remotely and operators of LNG plants with controllers would be required to develop procedures within one year after the effective date of the final rule. These operators would have one additional year to implement these procedures completely, including all necessary training.

    The proposed rule would require operators of hazardous liquid pipelines and gas transmission pipelines to develop procedures for control rooms that control only equipment within a single site (e.g., pump or compressor station) within two years after the effective date of the final rule and to implement those procedures within an additional six months. This reflects the relatively lower risk associated with control rooms for these single facilities and allows the operators of the more complex pipelines to focus their initial efforts on remote-operation control rooms where potential risk is greater.

    Operators of gas distribution systems would have two years after the effective date of the final rule to both develop and implement procedures. These systems operate at lower pressures, usually have field response crews in close proximity to instrumentation, and pose lower consequence risks from controllers. Many gas distribution operators are small companies or municipal departments that will require additional time to manage limited technical resources available to write procedures. At the same time, the relative simplicity of these small systems makes it easier to train controllers and implement new procedures.

    Pipeline systems that rely solely on local control pose less consequence risk than more automated and remote control actions. These small pipeline systems generally rely on the most limited resources. This proposed rule allows 30 months after the effective date of the final rule for operators of these pipeline systems to both develop and implement the necessary procedures.

    Implementing changes for existing systems and facilities takes time. The situation is different for new installations and existing facilities that are significantly changed (e.g., implementation of a new SCADA system). The proposal would require operators of systems with control rooms that are placed in service or significantly modified more than 12 months after the effective date of the final rule to develop procedures as part of the design and installation of the new systems and to implement those procedures when the control room is placed in service. Control rooms that will be implemented within 12 months of the effective date of the final rule are well along in design and planning and PHMSA concludes it is best to treat these facilities as existing control rooms.

    Mergers and acquisitions can present a unique challenge for controllers and control rooms. Controllers must develop an understanding of the hydraulics of a new system; become familiar with new display graphics; handle an increased workload on existing consoles; learn new hardware and software systems using different instrumentation or control methods and changed alarm designations and priorities; and participate in a shadow control scheme until training is complete. Detailed plans on how to introduce each element into the remaining control room and how to train and qualify controllers on newly introduced systems must be developed. For example, each operator must develop and implement a plan that includes how controllers will provide input on alarm descriptors, how this input will be implemented, and how controllers will receive training on alarm descriptors before a system is under their authority or responsibility for monitor or control.

    D. Roles and Responsibilities

    The proposed rules require each operator to clearly define and document the roles and responsibilities of controllers for prompt and appropriate response to abnormal operating conditions and emergencies. Such documentation will also define the controller's authority and the pipeline operator's expectation for the controller to take action. Controllers are often the first to become aware of developing abnormal operating conditions or emergencies and can often play a critical role in response to these events. Timely and appropriate controller actions can arrest developing problems and return a pipeline system or LNG facility to normal operations. Conversely, untimely or improper controller actions can exacerbate abnormal operating conditions, which could potentially lead to incidents and accidents.

    Sometimes controllers are not the first to notice a problem. Problems may be identified by field personnel or reported by the public. Controllers must know their roles in responding to these situations and in communicating with management, field staff, the public, government agencies, emergency response personnel, and other operators of pipelines or utilities that may share a common right-of-way.

    For situations that pose the most significant risks to public safety and the environment, prompt action by controllers is often needed. In other situations, management may expect controllers to consult with them before taking actions. Therefore, controllers must know the limits of their responsibility and authority for making safety-related decisions and for taking safety-related actions in all situations. The proposed rule requires operators to develop processes so that management and controllers have uniform expectations and understandings about response requirements before an abnormal operating condition or emergency arises. The proposed rule would also require operators to establish processes to allow controllers to seek and receive management input in a timely manner when required.

    E. Assuring Adequate Information

    Controllers must have accurate and up-to-date information about the status of the pipeline system, equipment, or facilities they monitor or control. For example, they need to know pressures, flow rates, and temperatures, as well as the operating status of compressor and pump stations, the position of valves, and the availability of standby equipment that might be substituted in the event of a failure. They also need to know what effects power loss would have on equipment status. Without timely and correct information, controllers cannot take appropriate actions to control normal pipeline operations nor can they promptly identify abnormal situations and take actions to arrest event progression and prevent larger problems. This proposed rule requires each operator to develop processes to provide that controllers receive the timely and necessary information they need to fulfill their responsibilities at all times.

    F. SCADA

    Many pipeline operators use SCADA, DCS, or internet-based systems to allow controllers to monitor or control pipeline systems or LNG facilities remotely. SCADA is used in this document to mean SCADA, DCS or other methods of communicating data for monitoring or controlling pipeline systems and LNG facilities.

    SCADA systems must be configured and programmed to provide accurate information to the controller and to transmit any command actions accurately. It is also important for controllers to recognize and react to information changes about the state of the pipeline. Cluttered or poorly organized SCADA screens may not be logical to a controller. Unless a controller quickly recognizes SCADA information, he or she may not be able to process the information into knowledge upon which to base control actions.

    The API recognized the need for clear and logical SCADA displays and published a recommended practice, API RP-1165. This recommended practice provides guidance to operators to help them develop SCADA screens that display information clearly, logically, and without clutter to maximize the ability of controllers to use the information effectively. This proposed rule requires pipeline operators with SCADA systems to follow API RP-1165 or be able to demonstrate that the recommended practice is inapplicable or impracticable.

    SCADA information is only useful when accurate, timely, and properly displayed. Complex SCADA systems receive information from sensors, transmitters, and other equipment located throughout an LNG plant or pipeline system and use algorithms to convert the information into a more useful form for the controller. SCADA systems must also provide for unexpected communication interruptions from one or more instruments or transmitters. The loss of a few data points must not result in a complete loss of system information or system malfunction to the controller.

    SCADA systems must have a backup communication system, which is tested periodically to verify its performance. Alternatively, a pipeline operator must have an adequate means to operate manually or provisions to shut down the affected portion of the pipeline safely. Server load should also be reviewed on a regular basis and monitored for increased activity affecting controller-required tools. Operators should be aware of software-specific concerns (e.g., through user-group meetings) and should develop methods to prevent these issues from affecting controller performance.

    SCADA systems must have provisions to accommodate different kinds of problems, for example, stale data. When communications problems arise, a SCADA system may present the most recent (though stale) data until data communications are restored. SCADA systems must display this stale data in a manner that is easily recognized by the controller, particularly when the data have not been updated for a significant amount of time. Not all SCADA systems are configured to provide warnings (flags) to controllers to warn of stale data. Therefore, the proposed rule requires operators to identify methods to allow controllers to recognize stale data at all times.
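
    The stale-data flagging described above, together with the earlier point that the loss of a few data points must not take down the whole display, can be sketched as follows. This is an added illustration, not part of the proposed rule or of any SCADA product; the tag names, thresholds (three missed scans, five seconds of clock skew, a 25 percent banner fraction) and sample readings are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

GOOD, STALE, NO_DATA, CLOCK_SUSPECT, BAD_RECORD = (
    "GOOD", "STALE", "NO_DATA", "CLOCK_SUSPECT", "BAD_RECORD")


@dataclass
class PointReading:
    tag: str
    value: Optional[float]
    last_update: Optional[datetime]   # when the field device last reported
    scan_interval: timedelta          # expected polling period for this point


def classify(r: PointReading, now: datetime, missed_scans: int = 3,
             skew: timedelta = timedelta(seconds=5)) -> str:
    """Quality of one point, judged only by the age of its last update."""
    if r.value is None or r.last_update is None:
        return NO_DATA
    age = now - r.last_update         # raises TypeError if naive/aware are mixed
    if age < -skew:
        return CLOCK_SUSPECT          # timestamp is ahead of the server clock
    if age > r.scan_interval * missed_scans:
        return STALE                  # last known value is still shown, but flagged
    return GOOD


def fmt_age(age: timedelta) -> str:
    secs = int(age.total_seconds())
    hours, rem = divmod(secs, 3600)
    minutes, seconds = divmod(rem, 60)
    return f"{hours:02d}:{minutes:02d}:{seconds:02d}"


def render(r: PointReading, now: datetime) -> Tuple[str, str]:
    """Return (quality, display text). One bad record never raises to the caller."""
    try:
        quality = classify(r, now)
    except TypeError:
        return BAD_RECORD, f"{r.tag} ???? [BAD RECORD]"
    if quality == GOOD:
        return quality, f"{r.tag} {r.value:.1f}"
    if quality == STALE:
        return quality, f"{r.tag} {r.value:.1f} [STALE {fmt_age(now - r.last_update)}]"
    if quality == CLOCK_SUSPECT:
        return quality, f"{r.tag} {r.value:.1f} [TIMESTAMP AHEAD OF CLOCK]"
    return quality, f"{r.tag} ---- [NO DATA]"


def evaluate_screen(readings: List[PointReading], now: datetime,
                    banner_fraction: float = 0.25) -> Dict[str, object]:
    """Render every point independently and raise a screen-level banner when
    the share of points that are not GOOD reaches banner_fraction."""
    rows = [render(r, now) for r in readings]
    not_good = sum(1 for quality, _ in rows if quality != GOOD)
    banner = bool(rows) and not_good / len(rows) >= banner_fraction
    return {"rows": rows, "not_good": not_good, "banner": banner}


# Constructed sample data: five points polled every 5 seconds.
NOW = datetime(2008, 9, 12, 12, 0, 0, tzinfo=timezone.utc)
SCAN = timedelta(seconds=5)
SAMPLE_READINGS = [
    PointReading("PT-101", 812.4, NOW - timedelta(seconds=2), SCAN),
    PointReading("PT-102", 640.0, NOW - timedelta(minutes=12, seconds=30), SCAN),
    PointReading("FT-201", None, None, SCAN),
    PointReading("TT-301", 71.3, NOW + timedelta(minutes=10), SCAN),
    PointReading("VLV-7", 1.0, datetime(2008, 9, 12, 11, 59, 58), SCAN),  # naive timestamp
]

if __name__ == "__main__":
    result = evaluate_screen(SAMPLE_READINGS, NOW)
    for quality, text in result["rows"]:
        print(text)
    if result["banner"]:
        print(f"*** {result['not_good']} of {len(result['rows'])} points not current ***")
```

    The stale point keeps its last value on screen but carries its age, so the controller can tell a frozen reading from a live one.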

    SCADA system integrity is usually verified when the system is initially installed by checking instrument readings and other data on each display screen. The readings and data are checked for accuracy and to ascertain that they match the readings on the corresponding field equipment or transmitters. The installation also verifies that signals issued from the SCADA panels result in the proper control of the corresponding equipment in the field. SCADA data processing is also verified during installation. While all this serves to verify the initial SCADA installation, SCADA systems, pipeline systems, and LNG facilities can change over time. Any of these changes can lead to misinformation problems for both controllers and field personnel.

    To verify that existing SCADA systems are accurate, this proposed rule would require operators to conduct an initial point-to-point baseline verification for each SCADA system to validate and document that field equipment configurations agree with computer displays. Operators would check from transmitter-to-display to verify that the correct values (and units) are displayed on the SCADA screens at the correct relative locations. Operators would also verify that alarm and event functions occur at specific set-points or upon certain actions by the correct corresponding equipment and that all controlled equipment appropriately responds to SCADA inputs and outputs. This requirement is intended to verify that existing SCADA systems are accurate despite changes that may have been made without verification since the initial installation.
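
    A point-to-point baseline verification of the kind described above amounts to reconciling a field survey against the SCADA point configuration and documenting every disagreement. The following is an added sketch, not part of the proposed rule; the record layout, check names, tolerances and sample points are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PointRecord:
    tag: str
    units: str
    location: str                 # station or screen position
    value: float                  # field: read at transmitter; SCADA: shown on display
    high_alarm: Optional[float]   # alarm set-point, None if the point has no alarm


Finding = Tuple[str, str, object, object]   # (tag, check, field side, SCADA side)


def verify_points(field: Dict[str, PointRecord], scada: Dict[str, PointRecord],
                  value_tol: float = 0.5, setpoint_tol: float = 0.0) -> List[Finding]:
    """Compare each point transmitter-to-display and list every disagreement."""
    findings: List[Finding] = []
    for tag in sorted(set(field) | set(scada)):
        f, s = field.get(tag), scada.get(tag)
        if s is None:
            findings.append((tag, "missing_on_display", f.location, None))
            continue
        if f is None:
            findings.append((tag, "no_field_equipment", None, s.location))
            continue
        if f.units.strip().lower() != s.units.strip().lower():
            findings.append((tag, "units_mismatch", f.units, s.units))
        if f.location != s.location:
            findings.append((tag, "location_mismatch", f.location, s.location))
        if abs(f.value - s.value) > value_tol:
            findings.append((tag, "value_mismatch", f.value, s.value))
        if (f.high_alarm is None) != (s.high_alarm is None) or (
                f.high_alarm is not None
                and abs(f.high_alarm - s.high_alarm) > setpoint_tol):
            findings.append((tag, "setpoint_mismatch", f.high_alarm, s.high_alarm))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per check type for the verification record."""
    counts: Dict[str, int] = {}
    for _, check, _, _ in findings:
        counts[check] = counts.get(check, 0) + 1
    return counts


# Constructed sample data: a field survey and the SCADA point configuration.
FIELD = {r.tag: r for r in [
    PointRecord("PT-101", "psig", "Station A discharge", 812.0, 900.0),
    PointRecord("PT-102", "psig", "Station A suction", 240.0, 300.0),
    PointRecord("TT-301", "degF", "Station B", 71.0, None),
    PointRecord("FT-201", "bbl/h", "Station B", 1500.0, 2000.0),
]}
SCADA = {r.tag: r for r in [
    PointRecord("PT-101", "PSIG", "Station A discharge", 812.2, 900.0),
    PointRecord("PT-102", "kPa", "Station A suction", 240.0, 350.0),
    PointRecord("TT-301", "degF", "Station C", 71.0, None),
    PointRecord("PT-999", "psig", "Station D", 0.0, None),
]}

if __name__ == "__main__":
    for tag, check, field_side, scada_side in verify_points(FIELD, SCADA):
        print(f"{tag:8} {check:20} field={field_side!r} scada={scada_side!r}")
```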

    Operators of pipeline systems with more than 500 miles would be required to complete the baseline verification within three years of the effective date of the final rule. However, because SCADA systems for large pipeline systems can have tens of thousands of data points to check, it is not practical to require a complete verification at one time. To offer some relief for these more complex systems, the proposed rule would allow operators to credit verifications conducted up to three years before the effective date of the final rule towards the baseline verification. Operators of pipeline systems with less than 500 miles would be required to complete validation within one year of the effective date of the final rule. This reflects the relative simplicity of performing verification for these smaller systems and PHMSA's belief in the importance of prompt baseline verifications. PHMSA invites comments on the appropriateness of these time periods. We further invite comments on alternative approaches to achieve the intent of assuring baseline verification for each SCADA system. Another approach, for example, might be a risk-based schedule to build off the risk analyses most operators have previously completed for their integrity management programs.

    Once the baseline SCADA system has been verified, operators should document and verify changes as they occur. Therefore, the proposed rule requires operators to verify SCADA screens versus field configurations when modifications or repairs are made to field equipment. For SCADA system changes or new SCADA systems, however, the proposed rule requires point-to-point verifications as part of the implementation process for all portions of the pipeline system or LNG facility affected by the change. The rule would also require operators to develop and implement procedures to handle system maintenance changes and SCADA point verifications such as alarm set-points, display locations, value confirmations, and the proper operation of software algorithms. Operators must make maintenance change notifications to controllers as they occur and set a maximum time limit for changes to be made and verified to the appropriate SCADA system displays and alarm features. Individual operators would also be required to develop a plan for systematic re-verification of the accuracy of the SCADA system display.

    Lastly, the proposed rule would require SCADA changes brought about by mergers or buy-outs to be treated as a new SCADA system implementation and verified accordingly.

    G. Shift Change

    SCADA systems and other means of providing real-time information to controllers concerning the status of pipeline systems are important, but such systems are not the only information important to a controller in carrying out his duties. Controllers need to be aware of activities that have occurred, are underway, or planned that could affect pipeline operations during a shift. This includes, but is not limited to, planned modifications and maintenance activities, noted indicators of possible near-term problems including alarms, indications of any abnormal operating condition, communications concerns or malfunctions, points taken off-scan, and the unavailability of key field personnel. Field personnel must promptly inform controllers when work is done that could affect controller duties or displayed information. Under the proposal, an operator's procedures must provide for making this necessary non-computer-based information available to controllers.

    PHMSA considers verbal communications important because accurate verbal contact can provide for immediate verification of maintenance activities and equipment status, and can corroborate information received from other sources. Therefore, the proposed rule requires that operators provide for timely verbal communications between controllers and field personnel. Controllers must contact field personnel, on occasion, to investigate the reason for abnormal indications, to carry out emergency response actions, or to perform actions that cannot be done remotely from the control room. Field personnel must inform controllers when equipment is taken out of service, when values are forced or locked in place, or when events that can have a near-term impact on safety occur. Field personnel must promptly contact controllers when conditions are identified that could indicate a leak or incipient accident. Field personnel should be trained and encouraged to contact the control center as quickly as possible whenever a leak is suspected. The proposed rule also requires that operators identify in procedures those circumstances, actions, and conditions for which field personnel must notify the control room.

    Operators should implement individual console or system log-in features, if these are available, or record on the shift-change records the time and the name of the controller who is responsible during the shift-change procedure. While most pipelines operate 24 hours a day, seven days a week, some do not. Small pipelines, such as those dedicated to a single facility, may operate only as needed or for only certain hours of the day. Many transmission pipeline systems have implemented more sophisticated and complex control schemes and can require extensive involvement of technical personnel other than controllers. More thorough procedures and processes are needed to manage these activities. In all cases, it is important that controllers have a complete understanding of the conditions and activities affecting the pipeline, including non-computer based information.

    The proposed rule addresses this need by requiring that critical information be recorded during each shift. Oncoming controllers can review the log to make themselves aware of recent activities and current conditions, even in those cases where a pipeline is not in continuous operation and there is no “shift change” between controllers. Operators would demonstrate compliance with this requirement by making documented information available during regulatory inspections.

    For pipelines that operate continuously, controllers are expected to interact with those who relieve them in order to communicate important information. Virtually all pipeline operators with multiple shifts expect controllers to provide such a turnover of information. Shift change is not the only time that controllers are relieved of their duties. Individual pipeline operators may relieve controllers at breaks or at times when the individual is required to perform other duties. Exchange of critical information is essential to the safe operation of pipeline facilities at these times. PHMSA's CCERT interviews with pipeline operators and controllers identified several instances where there were no formal procedures for conducting shift turnover and no clear understanding of the information that was to be communicated when personnel relief occurs. In those instances, each individual controller determined what needed to be communicated. The proposed rule requires that operators provide for exchange of information during shift turnover, including defining the minimum set of information that must be communicated (e.g., by check sheet). Adequate information may vary across different parts of an operator's entire pipeline system. Each operator would be expected to define this set of information, as this information would be aligned to the specific system requirements. Operators must also provide for an overlap of controller shifts sufficient to accomplish the necessary exchange of information.

    Controllers often have duties to communicate with personnel outside their companies as well. In many cases, pipelines share a common right-of-way with other pipelines or utilities. A problem on the pipeline can affect these other pipelines or utilities and controllers need to understand when it is their responsibility to notify these other companies of potential problems. Controllers also often receive calls from the public or emergency responders reporting indication of problems. Since a control room is often staffed continuously, pipeline markers usually list the control room telephone number for the public to report problems.

    A controller answering a call from the public or emergency responders must obtain enough information from the caller to understand the nature of the problem. Operators should provide training for controllers to help assist them in obtaining complete and accurate information. A controller must determine whether the problem is on his pipeline or area of responsibility. If a controller determines a problem is not on the pipeline he or she controls, the controller must communicate the information to those who can address the problem, even if this is the operator of another pipeline in a shared right-of-way. Operators need to make sure that controllers know who to contact in the event of a potential problem in a shared right-of-way, regardless of which pipeline is affected.

    Controllers should also be required to contact other operators in a common right-of-way when aware of a leak within their area of responsibility. There may be conditions when repairing a pipeline that may elevate the risk associated with another pipeline in the same corridor. For this reason, when controllers discover or are made aware of leaks in a common pipeline corridor, they should contact all of the operators in that corridor and explain the situation so that all pipeline operators can work together to minimize potential damage.

    H. Fatigue

    Fatigue is a key safety issue for PHMSA. The NTSB also considers fatigue one of its “top ten” safety concerns for all modes of transportation. Fatigue can result in a loss of vigilance or a lack of effective attention by a pipeline controller. All pipelines and facilities normally have safety systems in place to protect against accidents. The prudent use of safety systems, however, does not reduce the importance of controllers as the first line of defense in preventing accidents.

    In most instances, monotony, not physical exertion, causes controller fatigue. Monitoring pipeline operations from a computer panel for many hours can be quite monotonous, especially for normal, uneventful operations during the usual overnight human rest cycle. It is important that pipeline operators take actions to help ensure that controllers are not unduly affected by fatigue and verify that controllers remain vigilant.

    Key among these actions is establishing shift length and schedule rotations to protect against the onset of fatigue and providing controllers the opportunity to get sufficient rest between work shifts. Many pipeline controllers work rotating shifts; that is, a controller may work day shifts, night shifts, and possibly swing shifts within the same week or within a few weeks or a month. There has been extensive research by specialists in human behavior concerning shift work and the effect these shift changes have on sleep patterns and fatigue. Topics addressed in the research include the direction of shift rotation (i.e., forward or back), the amount of time between shifts to help provide for adequate rest, and the effects of off-duty activities on fatigue during duty hours.

    Many pipelines operate on 12-hour shifts, while others operate on eight-hour shifts or shifts of other lengths. PHMSA does not object to 12-hour shifts, but we do note that shift rotations have seldom been established based on research or what is best for the pipeline controllers. Instead, the CCERT team found that shift rotation and length have usually been established through management-union negotiations or because the controllers prefer a specific schedule. Moreover, we found that controllers prefer 12-hour shifts because they result in longer periods of time off. Maximizing time off, however, does not necessarily maximize the mitigation of fatigue. Operators who continue to use 12-hour shifts should have procedures that include provisions for unexpected holdovers or call-outs and they must ensure the shifts are managed in a manner that requires controllers to have adequate periods of rest between shifts to help protect against the onset of fatigue during controller shifts.

    Additionally, research shows that individuals need to have eight hours of sleep per day to maintain their best performance; and that work schedules can have a detrimental impact on an individual's circadian rhythm. PHMSA recognizes that pipeline and LNG facility operators cannot control or monitor controllers' off-duty time, but operators can educate controllers on the need for adequate periods of rest. Because off-duty time activities can influence on-duty fatigue, controllers must accept responsibility for structuring their off-duty time to allow for adequate rest and eight hours of sleep. The proposed rule requires operators to train controllers and their supervisors in fatigue management strategies and how non-work activities can contribute to fatigue. Supervisors and controllers must also be trained to recognize and mitigate the effects of fatigue among controllers on a shift. These training programs will require controllers and supervisors to exercise personal responsibility for having adequate rest and prudent fatigue management. In addition, these education programs must include information that can be shared with the family of controllers because they too need to understand that off-duty activities must allow time for adequate rest to avoid on-duty fatigue.

    In many control rooms, multiple controllers work together on a shift along with a supervisor. In these circumstances, controllers can watch for signs of co-worker fatigue and supervisors can oversee assigned staff to help identify and mitigate instances of fatigue. Some control rooms, however, operate with a single controller on shift. In those instances, there is no other person present to recognize when the controller is affected by fatigue. Accordingly, the proposed rule requires operators to establish provisions to verify that a single controller remains vigilant.

    While PHMSA is not establishing an overall limit on the maximum length of time a controller can work in a single shift, this proposed rule requires operators to include in their written procedures a limit on the length of time a controller can work and a requirement for adequate rest between shifts. This proposed rule will meet the requirements of the PIPES Act. The proposed rule allows operators to base the limit on the particular operating circumstances of each pipeline and to include provisions for deviations in emergency situations.

    PHMSA believes operators should establish an hours-of-service limit based on their normal pattern of operations and in a manner that will preclude individual controllers from working more hours than the operator expects under normal circumstances. Operators should address unusual and emergency situations using provisions for approved exceptions that should be included in written procedures. Operators should maintain documentation of these situations.

    I. Alarm Management

    A principal function of SCADA systems is to “alarm” or notify a controller of circumstances when pressure, flow, temperature, or other key pipeline operating parameters are outside the expected norms. Many controllers acknowledge an alarm or event by silencing an audible sound or responding to a flashing indication on a control screen. Controllers must then take action to address the cause of the alarm or the effect on the pipeline or facility. In some cases immediate action is required; in other cases action can be deferred. Sometimes, the alarm may simply be related to system changes such as the expected startup of another unit and no action is required. Qualified controllers use their judgment, experience and training to manage alarm response. Management should review controllers' response to alarms and appropriately address situations that require immediate or deferred actions to maintain pipeline safety.

    Alarm response and associated event information can help determine whether abnormal operating conditions are promptly recognized, that the responses to these conditions are properly handled in a timely manner, and that controller abilities are not degrading over time. Alarms and notifications can also provide information about the health and operational status of communication and SCADA systems.

    The proposed rule requires two levels of alarm management review. On no less than a weekly basis, operators would be required to review pipeline operations and the alarms and events that have been received. Operators would confirm that events on the pipeline that should have triggered alarms actually did. Operators would review controller response to alarms to identify if abnormal operating conditions had occurred and that the controller took proper action in a suitable amount of time. Operators must also identify any unexplained changes in the number of alarms received or in controller management of those alarms, and take actions, as needed, to arrest any potentially degrading situations either in controller performance or equipment problems. Operators must identify “nuisance alarms” for which action is not required and determine whether controllers actually need to receive such notifications so that the total number of alarms is not excessive. Both nuisance alarms and an excessive number of non-nuisance alarms can contribute to a sense of complacency about alarm response. Complacency can contribute to a situation in which controllers acknowledge alarms but do not take action to clear them on a timely basis. This factor must also be considered in the weekly reviews and the associated system or instrumentation maintenance activities. However, operators may choose to capture other operational and maintenance information through alarm systems that are channeled to others responsible to manage such information.
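
    The weekly review described above, sketched as an added example (not part of the notice or of any operator's procedure): it runs four of the checks over one week of alarm records. The record layout, tag names and thresholds are assumptions, and the sample data is constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Illustrative thresholds (assumptions); the proposed rule leaves the actual
# values to each operator's written procedures.
CLEAR_LIMIT = timedelta(minutes=30)    # acknowledge-to-clear time limit
NUISANCE_MIN_COUNT = 5                 # weekly repeats before a tag is flagged
VOLUME_CHANGE_RATIO = 0.5              # week-over-week change worth explaining
MATCH_WINDOW = timedelta(minutes=2)    # excursion-to-alarm matching window


@dataclass
class Alarm:
    tag: str
    raised: datetime
    acked: Optional[datetime]      # None: never acknowledged
    cleared: Optional[datetime]    # None: still active at end of week
    action_taken: bool             # controller logged a response


def missed_alarms(excursions, alarms):
    """Historian excursions (tag, time) that no alarm on the same tag matches."""
    return [(tag, when) for tag, when in excursions
            if not any(a.tag == tag and abs(a.raised - when) <= MATCH_WINDOW
                       for a in alarms)]


def stale_acknowledged(alarms, week_end):
    """Alarms acknowledged but not cleared within CLEAR_LIMIT."""
    stale = []
    for a in alarms:
        if a.acked is None:
            continue
        # An alarm still active at the end of the week is measured to week_end.
        if (a.cleared or week_end) - a.acked > CLEAR_LIMIT:
            stale.append(a)
    return stale


def nuisance_candidates(alarms):
    """Tags that repeat often and never led to a logged controller action."""
    counts = Counter(a.tag for a in alarms)
    acted_on = {a.tag for a in alarms if a.action_taken}
    return sorted(tag for tag, n in counts.items()
                  if n >= NUISANCE_MIN_COUNT and tag not in acted_on)


def volume_shift(previous_count, current_count):
    """True when the weekly alarm count moved by more than the ratio."""
    if previous_count == 0:
        return current_count > 0
    change = abs(current_count - previous_count) / previous_count
    return change > VOLUME_CHANGE_RATIO


def weekly_review(alarms, excursions, previous_count, week_end):
    """Collect the four findings a reviewer would follow up on."""
    return {
        "missed": missed_alarms(excursions, alarms),
        "stale": [a.tag for a in stale_acknowledged(alarms, week_end)],
        "nuisance": nuisance_candidates(alarms),
        "volume_shift": volume_shift(previous_count, len(alarms)),
    }


def constructed_week():
    """Constructed sample data: tags, times and counts are invented."""
    start = datetime(2024, 1, 1)
    week_end = start + timedelta(days=7)

    def at(day, hour, minute):
        return start + timedelta(days=day, hours=hour, minutes=minute)

    # A communication alarm that repeats daily and is never acted on.
    alarms = [Alarm("RTU7.COMM_FAIL", at(d, 3, 0), at(d, 3, 1), at(d, 3, 3), False)
              for d in range(6)]
    alarms += [
        Alarm("PS1.DISCH_PRESS_HI", at(1, 10, 0), at(1, 10, 1), at(1, 10, 20), True),
        Alarm("TK2.LEVEL_HI", at(2, 2, 0), at(2, 2, 2), at(2, 4, 30), True),
        Alarm("PS1.DISCH_PRESS_HI", at(4, 14, 0), at(4, 14, 1), None, False),
    ]
    # Set-point excursions taken from historian data, independent of alarms.
    excursions = [
        ("PS1.DISCH_PRESS_HI", at(1, 9, 59)),
        ("TK2.LEVEL_HI", at(2, 1, 59)),
        ("PS3.SUCT_PRESS_LO", at(3, 8, 0)),
    ]
    return alarms, excursions, week_end


if __name__ == "__main__":
    week_alarms, week_excursions, end = constructed_week()
    for finding, value in weekly_review(week_alarms, week_excursions, 5, end).items():
        print(finding, value)
```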

    Once each calendar year (with intervals not to exceed 15 months), the proposed rule requires that operators undertake a more detailed review of alarm configuration and management. This review must consider the number of alarms, potential systemic issues related to field equipment or the SCADA system, potential systemic issues resulting in excessive or unusual alarms, unnecessary alarms, changes in controller performance in response to alarms, and a review of alarm set-point values. Operators must also consider alarm indications of abnormal operating conditions, including identifying any that occur frequently in combination and assuring that these combinations are included in controller training. Alarm descriptors and naming conventions also need to be reviewed for clarity and consistency. Operators must consider controller workload with respect to the number and nature of alarms received. Alarms should also be reviewed for ongoing maintenance issues or communication problems that need to be solved. Incident and accident reviews should include a provision to check alarm or notification operations for any required changes. The procedure must have a mechanism to provide for controller feedback to alarm and notification modifications.

    J. Change Management

    Changes to the pipeline system are important and can affect the ability of a controller to do his job. System changes can affect the hydraulics of the pipeline and change the response to control inputs. It is important that controllers be aware of changes being made and that controllers are involved early in the change process to help identify and alleviate any undesirable effects on controllers and control room operations. Similarly, changes to the SCADA system, or to the instruments it monitors, can also affect a controller's understanding of conditions on the pipeline and his recognition of the need for control actions.

    The proposed rule requires operators to establish thorough and frequent communications between controllers, management, and field personnel when planning and implementing changes to pipeline equipment and configuration. Maintenance procedures must ensure that problems with SCADA or field instrumentation critical to controllers are resolved promptly and properly documented. SCADA system modifications must also be coordinated with controllers and affected pipeline operating personnel. It is not always practical to coordinate changes before they are made, particularly when a change is in response to an emergency. In those instances, operators must make affected personnel and controllers aware of the change as soon as practical and document why this occurred. When field equipment, pipeline configuration, or SCADA changes are planned in advance, coordination should also be done so that controllers who are off-duty get informed of these changes prior to implementation. Controllers shall have time to study the implications of targeted changes and to become familiar with the anticipated system changes before they are initiated. Finally, controllers shall be represented by a controller, controller supervisor or by someone very familiar with control room operations when changes that can affect pipeline hydraulics, configuration or control system changes are considered so that controller perspectives and potential impacts can be considered early in the planning process and appropriate adjustments and training can be developed.

    Whenever possible, operators should thoroughly test changes on an off-line system. Management of change procedures shall also include how operators will inform controllers of changes before they operate the system, especially the controllers who are not on shift at the time the changes are made.

    K. Learning From Individual Operating Experience

    Events that occur on a pipeline provide one of the best opportunities to improve the operation of the pipeline. Such events include those that must be reported to PHMSA by regulation and those with little or no consequences. Reviewing the causes of an event can help identify underlying problems, which, if properly addressed, would reduce the risk of future events occurring or resulting in more significant consequences. Reviewing the response to events can help identify areas in which emergency response and abnormal operating procedures can be improved or where additional training for controllers and other personnel may be appropriate. Individual controller logs or shift notes can provide valuable insight into maintenance requirements or communication concerns, both those provided by instrumentation and those required of other employees. Reviewing these logs and working to remove problem instrumentation or communication concerns can help to maintain pipeline safety.

    The proposed rule requires operators to review all reportable accidents and incidents on a routine basis to identify and correct deficiencies related to:

    • Controller fatigue
    • Field equipment
    • Procedures
    • SCADA system configuration
    • SCADA system performance including communications
    • Simulator or non-simulator training programs

    Operators must also review non-reportable events (e.g., “close-calls”) to identify and address those that could be significant if left unaddressed or coupled with other events. Each operator would establish a definition or event threshold for which a review would be conducted. Once this definition or event threshold has been established, procedures must require that operators review information about each close-call and share information regarding the proper response with all controllers.

    L. Training

    Training is a key element in assuring the success of pipeline controllers in maintaining safe operations. Therefore, operators must provide controllers the necessary training to completely understand the pipeline and control systems they operate. The proposed rule would require each operator to include certain content in its controller training programs. The proposed rule includes a minimum set of elements that overlap and supplement existing OQ programs. These elements are as follows:

    1. Response to abnormal operating conditions and emergencies. These responses are a major element of controllers' contribution to safety. Correct actions can mitigate events without significant consequences. Incorrect actions can aggravate abnormal situations and make consequences worse. Training for controllers must include emphasis on generic and task specific abnormal conditions that are likely to occur simultaneously or sequentially. Controllers shall be trained to respond to such events and to recognize them as indicators or precursors of potentially more serious situations.

    2. Simulator or tabletop exercises for training controllers to recognize abnormal operating conditions such as leaks or failures. Some abnormal events occur infrequently. Thus, experience on the job does not necessarily prepare a controller to identify and respond to all abnormal events, nor does it verify that a controller's ability is maintained over time. Computer-based simulators or tabletop exercises afford the opportunity for controllers to practice identifying and responding to safety-significant situations that controllers may not encounter during routine shift operations. The proposed rule also requires operators to involve controllers in the development and improvement of training simulations. Operators should conduct tabletop exercises or computerized simulations that require emergency response field personnel and personnel involved with commodity movement to be involved from terminals, compressor stations, pump stations, and on the pipeline right-of-way.

    3. Training controllers to understand the operator's public awareness program in detail. Controllers are often involved in communication with the public, particularly when the public reports unexpected events. API Recommended Practice 1162, “Public Awareness Programs for Pipeline Operations” (API RP-1162) recommends sharing public awareness objectives, information and material used in its public awareness program with employees. Many Public Awareness Programs include components for key employee training in public awareness and specific communication training for specific key employees. Controllers shall be considered as specific key employees if they are responsible for responding to public or emergency responder calls.[8]

    4. Providing appropriate information to the public and emergency response personnel during emergency situations. In some cases, controllers may not ask the right questions or provide the correct response when communicating with the public or emergency responders during an emergency. Specific training will help ensure that the information controllers provide to the public and to emergency personnel will maximize public safety and that the information exchanged is complete and accurate.

    5. Periodic visits by controllers to a field installation similar to that which the controllers monitor or control. These visits would help familiarize controllers with the equipment, field terminology, and equipment operation. They would see how weather might affect access to a specific location and observe the functions of station personnel. Normally pipeline equipment is displayed as an icon on a controller's computer screen. When it is operated or something is amiss, it may change color, flash or change shape. Controllers must understand what these changes mean in the field. In the past, many controllers moved up from field positions and had a thorough knowledge of field operations. Today, many pipelines hire controllers who do not have field experience and who have limited knowledge of the physical and practical aspects of pipeline operations. Providing an opportunity for controllers to actually see the equipment and talk to station personnel will help expand the controllers' awareness of site specific information. Further, discussions with field personnel in routine, non-stressful situations can help establish a familiarity that will facilitate more efficient and accurate communication during abnormal events. Ideally, controllers would visit the facilities they operate. PHMSA recognizes, however, that this is not always practical. Many pipeline systems cover extensive geographic areas, and controllers may be responsible for operating pipeline segments many hundreds of miles from the control room where they work. For this reason, the proposed rule specifies that visits should be to a representative sampling of field installations similar to those for which the controller is responsible.

    6. Review of procedures for operating setups that occur infrequently. Day-to-day experience does little to help controllers retain knowledge related to functions not routinely performed. It is thus important that training programs emphasize and provide instruction on these unusual operating conditions.

    7. Pipeline hydraulics training sufficient to obtain a thorough knowledge of the pipeline system, especially the pipeline's response to abnormal situations. Often, controllers know what to expect when the operating set-up changes because the controllers have seen the impact of these changes many times, but sometimes controllers do not necessarily know why flows and pressures change the way they do. A basic understanding of pipeline hydraulics, as applied to the pipeline a controller monitors, will help the controller understand what typical responses are to changes in the operating status of individual pieces of equipment and what to expect in the event of a leak or failure. This understanding will enable the controller to better identify situations outside normal operations.

    8. Specific training on how power failures affect sites of controller responsibility. The operator should provide site-specific training to the controllers regarding the state of equipment upon power loss and what the effect will be. This will assist the controller in identifying other field resources that may be needed to properly repair or operate a location affected by natural disaster such as a flood, hurricane, tornado or earthquake.

    9. Specific system tools available to determine a leak or significant failure. Controllers should receive training about what tools exist, including trends or other displays, that help to determine quickly the status of the pipeline or aid in leak and significant failure detection.

    M. Qualification

    Operators already provide for the qualification of certain individuals to evaluate their abilities and to determine that they are able to apply the necessary knowledge and skills acquired in training. The proposed rule would require additional controller qualifications to measure or verify a controller's performance, including the prompt detection of, and appropriate response to, abnormal and emergency conditions that are likely to occur. Additions to controller qualifications would be implemented in conjunction with an operator's OQ program pursuant to the existing regulations in 49 CFR parts 192, 193, and 195. The rule would not prescribe a single means of evaluating a controller's abilities. Operators can use observation of on-shift activities to perform part of this verification. Simulators and tabletop exercises can also be used to verify a controller's ability to detect conditions not seen on shift and that the controller is ready and able to take appropriate actions in response. PHMSA has found that most operators' OQ programs call for re-qualification every three years; however, this rule would require an annual qualifications review for controllers. In addition, operators would be required to provide ongoing controller performance metrics and evaluation between annual qualifications review to help detect any gradual degradation in performance.

    Qualified controllers must have the physical abilities to perform the job. Most pipeline control systems use different colors to represent different operating states and display system information and status using icons and text that may vary in size depending on the complexity of an individual display. While many operators do not explicitly test controllers for colorblindness or visual acuity, it is essential that controllers be tested for these visual abilities. This does not mean that controllers who are colorblind or who lack visual acuity must be relieved of duties. Special accommodations may be needed, such as using different shapes, flashing indications, or increasing the size of icons and text on an individual controller's screen. The rule would not prescribe a specific test for these physical abilities, but operators would be required to ascertain through periodic testing and associated documentation that any deficiencies in these physical attributes would not negatively affect the controller's performance of assigned duties.

    The proposed rule would also require operators to specify the reasons for which a controller's qualification must be revoked. The reasons must include extended absence or time off-duty (for a duration determined by the operator), inadequate performance, impaired abilities (e.g., vision, hearing) beyond that which the operator can accommodate, influence of drugs or alcohol, and any other circumstances for which the operator considers revocation appropriate. Operators would also be required to have procedures for restoring a revoked qualification, which may include complete re-qualification, or limited testing, a period of review, shadowing, retraining, or all of these.

    Lastly, PHMSA recognizes that many operators use oral examinations as part of their qualification programs. Experienced operators and trainers quiz controllers on their knowledge of various aspects of their job. PHMSA believes this can be a very effective means of judging a person's abilities. Unlike a written test, an oral examination allows the evaluator to probe apparent weaknesses in more depth. Oral examiners can inquire in more detail in areas where the candidate appears to be hesitant, weak or unsure of the answers. This can allow a more thorough evaluation of a controller's knowledge to perform required duties.

    If an operator chooses to use oral examinations as part of its controller qualification program, the rule would require the operator to document the examination and include a list of the topics covered during the oral examination. This documentation will facilitate internal audits, assist with providing consistency in controller training, and allow the operator's training personnel to vary the content of future evaluations to test knowledge in other areas.

    N. Validation

    PHMSA considers controllers to be extremely important in providing for pipeline safety. Accordingly, PHMSA believes that it is appropriate to involve senior pipeline executives in helping to determine that controllers are qualified, that internal communication is enhanced, and that controller needs are being addressed. The proposed rule would require that a senior executive officer validate certain aspects of controller training, qualification, and compliance with the requirements of this rule. Operators would be required to have a senior executive officer sign a validation each calendar year that confirms that the operator has:

    • Conducted a review of controller qualifications and controller training and determined that both are adequate;
    • Permitted only qualified controllers to operate the pipeline;
    • Implemented the requirements of the rule;
    • Continued to address ergonomic and fatigue factors; and
    • Involved controllers in finding ways to sustain and improve safety and pipeline integrity through control room management.

    O. Compliance and Deviations

    The proposed rule would require operators to maintain records that demonstrate compliance with the regulation and to document any deviations from their control room management procedures. In addition, the operators would be required to report any deviations upon request by PHMSA or the appropriate state pipeline safety authority. These requirements are derived from the PIPES Act, which specifies that operators must document compliance with their human factors and control room management plans and report any deviations. Operators would be required to report deviations only when requested by PHMSA, or in the case of an intrastate pipeline facility, when requested by the appropriate state pipeline safety authority. Such a request is anticipated to occur during a pipeline safety inspection, but may occur at any time at the discretion of PHMSA or the state pipeline safety authority.

    VIII. Regulatory Analyses and Notices

    Privacy Act Statement

    Anyone may search the electronic form of comments received in response to any of our dockets by the name of the individual submitting the comment (or signing the comment if submitted for an association, business, labor union, etc.). You may review DOT's complete Privacy Act Statement in the Federal Register published on April 11, 2000 (65 FR 19477).

    Executive Order 12866 and DOT Policies and Procedures

    This proposed rulemaking is a significant regulatory action under Executive Order 12866 (58 FR 51735; Oct. 4, 1993), and it is a significant regulatory action under the U.S. Department of Transportation regulatory policies and procedures (44 FR 11034; Feb. 26, 1979). Therefore, the Office of Management and Budget (OMB) has received a copy of this proposed rulemaking to review.

    The proposed rule is not expected to adversely affect the economy or the environment. For those costs and benefits that can be quantified, the present value of net benefits is expected to be about $65 million over a ten year period after all of the requirements are implemented. The monetary costs of the rule are expected to average about $25 million per year. Therefore, within the meaning of Executive Order 12866, the proposed rule is not expected to be an economically significant regulatory action due to cost because it will not exceed the annual $100 million threshold for economic significance.

    However, there is substantial congressional, industry, and public interest in control room operations and human factors management plans. The proposed rule's immediate impact is minimal because some of its components are already included in existing regulations; moreover, in some pipeline companies, other requirements are standard practice or considered to be good business practices.

    Regulatory Flexibility Act

    Under the Regulatory Flexibility Act (5 U.S.C. 601 et seq.), PHMSA must consider whether rulemaking actions would have a significant economic impact on a substantial number of small entities. While PHMSA does not collect information on the number of employees or revenues of pipeline operators, we do continuously seek information on the number of small pipeline operators to more fully determine any impacts our proposed regulations may have on small entities.

    The Small Business Administration's criterion for defining a small entity in the hazardous liquid pipeline industry is 1,500 or fewer employees. PHMSA estimates there are 10 to 20 small entities in the hazardous liquid pipeline industry. For the gas pipeline industry, the size standard for a small natural gas gathering or transmission business is $6.5 million or less in annual revenues and the size standard for a small natural gas distribution business is 500 or fewer employees. PHMSA estimates there are about 480 natural gas transmission and gathering companies that have $6.5 million or less in annual revenues and about 1,000 natural gas distribution companies that have 500 or fewer employees. Therefore, there are a total of about 1,500 small entities that would be affected by the proposed rule.

    PHMSA has considered the effects of the proposed rule on small pipeline operators. The total estimated aggregate annual costs of the rule across the entire pipeline industry over 10 years range from about $21 million per year to $37 million per year. Therefore, the average annual cost to the approximately 2,500 companies (large and small entities) is about $8,400 to $14,800 per year. For the larger operators with more controllers, the costs will be higher than the average. For the smaller operators with fewer controllers, they will be less than average. Based on these figures, PHMSA does not believe there will be a significant impact on a substantial number of small entities, but PHMSA seeks comments on this analysis.

    Executive Order 13175

    PHMSA has analyzed this rulemaking according to Executive Order 13175, “Consultation and Coordination with Indian Tribal Governments.” Because the proposed rule would not significantly or uniquely affect the communities of the Indian tribal governments or impose substantial direct compliance costs, the funding and consultation requirements of Executive Order 13175 do not apply.

    Paperwork Reduction Act

    PHMSA proposes to revise the Federal pipeline safety regulations to address human factors and other components of control room management. The proposed rules would require operators of hazardous liquid pipelines, gas pipelines, and LNG facilities to amend their existing written operations and maintenance procedures, operator qualification programs, and emergency plans.

    This proposed rule also contains some information collection requirements. As required by the Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)), DOT will submit a copy of the Paperwork Reduction Act analysis to OMB for its review. A copy of the analysis will also be entered in the docket. PHMSA is proposing to require pipeline operators to keep records and logs related to control room operations for inspection purposes and to have a senior executive officer of each operator validate that the operator has complied with the regulatory requirements, reviewed its qualification and training, permitted only qualified controllers to operate the pipeline, addressed fatigue factors, and involved controllers in finding improvements. The record keeping requirements in the proposed rule are consistent with good business practices and are designed to enhance current control room management practices.

    To calculate the information collection burden for the record keeping related to control room management practices, PHMSA estimates there are approximately 2,500 pipeline and LNG facility operators that would need to keep records and logs and that it would take approximately one hour per week, per operator to generate and maintain the necessary records. Therefore, PHMSA calculates it would take slightly more than 130,000 hours per year for the 2,500 pipeline operators to maintain the necessary records. PHMSA expects that most operators currently maintain records and logs for inspection purposes and that they generate records on a daily basis. Therefore, we estimate the cost for the industry would be negligible since controllers generally perform this function as part of the control room operations. PHMSA acknowledges, however, that there may be some additional cost for storage and filing, depending on what the records contain and how they are packaged. Assuming that operators store between two and four cubic feet of records (at $23.00 per cubic foot) within their facility per year, PHMSA estimates that it would cost between $115,000 and $230,000 annually to store and maintain the records for inspection purposes.

    Additionally, PHMSA estimates there are approximately 3,420 controllers in the pipeline industry and that it would take approximately one hour per year, per employee to document performance appraisals. Therefore, PHMSA calculates it would take pipeline operators approximately 3,420 hours per year to document employees' performance. We estimate it would take a senior official approximately one-half hour to review and sign-off on a validation document for each controller. PHMSA estimates the annual cost would be between $76,950 and $153,900 depending on the average wage rate used in the calculation. The lower bound uses the average wage rate for a General Operations Manager published by the Bureau of Labor Statistics of $45.00 per hour ($22.50 per half-hour), while the upper bound uses the industry estimates of $90.00 per hour ($45.00 per half-hour). Therefore, PHMSA concludes that this proposed rule contains only minor additional paperwork burden and procedure implementation.

    Pursuant to 44 U.S.C. 3506(c)(2)(B), the PHMSA solicits comments concerning: Whether these information collection requirements are necessary for PHMSA to properly perform its functions, including whether the information has practical utility; the accuracy of PHMSA's estimates of the burden of the information collection requirements; the quality, utility, and clarity of the information to be collected; and whether the burden of collecting information on those who are to respond, including through the use of automated collection techniques or other forms of information technology, may be minimized.

    Unfunded Mandates Reform Act of 1995

    This proposed rulemaking does not impose unfunded mandates under the Unfunded Mandates Reform Act of 1995. It does not result in costs of $132 million or more to either State, local, or tribal governments, in the aggregate, or to the private sector, and is the least burdensome alternative that achieves the objective of the proposed rulemaking.

    National Environmental Policy Act

    PHMSA has analyzed the proposed rulemaking for purposes of the National Environmental Policy Act (42 U.S.C. 4321 et seq.) and preliminarily determined the proposed rulemaking may provide beneficial impacts on the quality of the human environment. If pipeline operators comply with the technical elements of the proposed rule, this would reduce adverse impacts on the physical environment by reducing the number and severity of pipeline releases. For example, by addressing the exchange of information at shift change and the length of shifts to reduce controller fatigue, pipeline operators could reduce the number of incidents and the consequences of releases that may harm the physical environment. Similarly, the review of SCADA procedures and alarm audits will lead to the use of better technology, which will have a positive impact on operator response to abnormal operating conditions, accidents, and incidents that have the potential for adverse environmental impacts. The following elements of the proposed rule will also lead to a better functioning control room and fewer possibilities for environmental degradation: Involving controllers when planning and implementing changes in operations; maintaining strong communications between controllers and field personnel; determining how to establish, maintain, and review controller qualifications, abilities and performance metrics, with particular attention to response to abnormal operating conditions; and analyzing operating experience including accidents and incidents for possible involvement of the SCADA system, controller performance, and fatigue. PHMSA's analysis suggests there are no adverse significant environmental impacts associated with the proposed rule. The draft environmental assessment is available for review and comment in the docket. PHMSA will make a final determination on environmental impact after reviewing the comments on this proposal.

    Executive Order 13132

    PHMSA has analyzed the proposed rulemaking according to Executive Order 13132 (“Federalism”). The proposal does not have a substantial direct effect on the States, the relationship between the national government and the States, or the distribution of power and responsibilities among the various levels of government. The proposed rulemaking does not impose substantial direct compliance costs on State and local governments. This proposed regulation would not preempt state law for intrastate pipelines. Therefore, the consultation and funding requirements of Executive Order 13132 do not apply.

    Executive Order 13211

    Transporting gas and hazardous liquids impacts the nation's available energy supply. However, this proposed rulemaking is not a “significant energy action” under Executive Order 13211 and is not likely to have a significant adverse effect on the supply, distribution, or use of energy. Further, the Administrator of the Office of Information and Regulatory Affairs has not identified this proposal as a significant energy action.

    List of Subjects

    49 CFR Part 192

    • Incorporation by reference
    • Gas
    • Natural gas
    • Pipeline safety
    • Reporting and recordkeeping requirements

    49 CFR Part 193

    • Liquefied natural gas
    • Incorporation by reference
    • Pipeline safety
    • Reporting and recordkeeping requirements

    49 CFR Part 195

    • Ammonia
    • Carbon dioxide
    • Incorporation by reference
    • Petroleum
    • Pipeline safety
    • Reporting and recordkeeping requirements

    For the reasons provided in the preamble, PHMSA proposes to amend 49 CFR parts 192, 193, and 195 as follows:

    PART 192—TRANSPORTATION OF NATURAL GAS AND OTHER GAS BY PIPELINE: MINIMUM FEDERAL SAFETY STANDARDS

    1. The authority citation for part 192 is revised to read as follows:

    Authority: 49 U.S.C. 5103, 60102, 60104, 60108, 60109, 60110, 60113, 60116, 60118, and 60137; and 49 CFR 1.53.

    2. In § 192.3, add definitions for “alarm,” “control room,” “controller,” and “Supervisory Control and Data Acquisition System (SCADA)” as follows:

    Definitions.
    * * * * *

    Alarm means an indication provided by SCADA or similar monitoring system that a parameter is outside normal or expected operating conditions.

    Control room means a central location or local station at which a control panel, computerized device, or other instrument is used by a controller to monitor or control all or part of a pipeline facility or a component of a pipeline facility.

    Controller means an individual who uses a control panel, computerized device, or other equipment to monitor or control all or part of a pipeline facility that the individual cannot directly observe with the naked eye. An individual who operates equipment locally, but who cannot see the equipment respond without using a closed circuit television system or other external device, is a controller when performing this activity regardless of job title or whether actions are overseen by another controller or supervisor. An individual who performs these functions on a part time basis is considered a controller only when performing these functions.

    * * * * *

    Supervisory Control and Data Acquisition System (SCADA) means a computer-based system that gathers field data, provides a structured view of pipeline system or facility operations, and may provide a means to control pipeline operations.

    * * * * *

    3. In § 192.7, amend the table in paragraph (c)(2) by adding item B.(7) to read as follows:

    What documents are incorporated by reference partly or wholly in this part?
    * * * * *

    (c) * * *

    (2) * * *

    *         *         *         *         *         *         *
    B. * * *
    (7) API Recommended Practice 1165 “Recommended Practice for Pipeline SCADA Displays,” (January 2007) | § 192.631(c)(1)
    *         *         *         *         *         *         *

    4. Amend § 192.605 by adding paragraph (b)(12) to read as follows:

    Procedural manual for operations, maintenance, and emergencies.
    * * * * *

    (b) * * *

    (12) Implementing the applicable control room management procedures required by § 192.631.

    * * * * *

    5. Amend § 192.615 by adding paragraph (a)(11) to read as follows:

    Emergency plans.

    (a) * * *

    (11) Actions required to be taken by a controller during an emergency in accordance with § 192.631.

    * * * * *

    6. Add § 192.631 to subpart L to read as follows:

    Control room management.

    (a) General. Each operator of a pipeline facility with at least one controller and control room must have and follow written control room management procedures that implement the requirements of this section. The procedures must be integrated, as appropriate, into the operator's written manual of operations and maintenance procedures required by § 192.605, written qualification program required by § 192.805, and written emergency plans required by § 192.615. The operator must develop and implement the procedures no later than the dates in the following table.

    | Control room type | Develop procedures by: | Implement procedures by: |
    |---|---|---|
    | (1) Remote operations (control and/or monitoring) of gas transmission pipelines | [insert date 12 months after effective date of final rule] | [insert date 24 months after effective date of final rule]. |
    | (2) Remote operations of equipment within a single site (e.g., compressor station) | [insert date 24 months after effective date of final rule] | [insert date 30 months after effective date of final rule]. |
    | (3) Gas distribution pipelines | [insert date 24 months after effective date of final rule] | [insert date 24 months after effective date of final rule]. |
    | (4) Gas pipelines with local control only | [insert date 30 months after effective date of final rule] | [insert date 30 months after effective date of final rule]. |
    | (5) Control rooms or local control stations placed in service after [insert effective date of the final rule], but before [insert date 12 months after the effective date of final rule] | 12 months after placement in service | 12 months after placement in service. |
    | (6) Control rooms or local control stations placed in service after [insert date 12 months after the effective date of final rule] | Before placing in service | Upon placing in service. |

    (b) Roles and responsibilities. Each operator must define the roles and responsibilities of a controller during normal, abnormal, and emergency operating conditions. To provide for a controller's prompt and appropriate response to operating conditions, each operator must define:

    (1) A controller's authority and responsibility to make decisions and take actions during normal operations.

    (2) A controller's role when an abnormal operating condition is detected, even if the controller is not the first to detect the condition, including the controller's responsibility to take specific actions and to communicate with others.

    (3) A controller's role during an emergency, even if the controller is not the first to detect the emergency, including the controller's responsibility to take specific actions and to communicate with others.

    (4) A controller's responsibility to provide timely notification and coordination with the operator of another pipeline in a common corridor when a leak or failure is suspected, including upon receipt of a notification from the public concerning a suspected leak on an asset owned or operated by the other company but located in the same common corridor or right-of-way.

    (5) A method of recording when a controller is responsible for monitoring or controlling any portion of a pipeline facility by implementing an individual console or a system log-in feature or by documenting in the shift records the time and name of each controller who assumed the responsibility during a shift-change or other hand-over of responsibility.

    (c) Provide adequate information. Each operator must provide each controller with the information necessary for the controller to carry out the roles and responsibilities defined by the operator and must verify that a controller knows the equipment, components and the effects of the controller's actions on the pipeline or pipeline facilities under the controller's control. Each operator must:

    (1) Provide a controller with accurate, adequate, and timely data concerning operation of the pipeline facility. Wherever a SCADA system is used, the operator must implement API RP-1165 (incorporated by reference, see § 192.7) in its entirety, unless the operator can adequately demonstrate that a provision of API RP-1165 is not applicable or is impracticable in the SCADA system used.

    (2) Validate that any SCADA system display accurately depicts field equipment configuration by completing all of the following:

    (i) Conduct and document a point-to-point baseline verification between field equipment and all SCADA system displays to verify 100 percent of the system displays. An operator must complete the baseline verification no later than [insert date three years after effective date of final rule] or by [insert date one year after effective date of final rule] for an operator of a pipeline system containing less than 500 miles of pipeline. An operator may use any documented point-to-point verification completed after [insert date three years before effective date of final rule] to meet some or all of this baseline verification. A point-to-point verification must include equipment locations, ranges, alarm set-point values, alarm activation, required alarm visual or audible response, and proper equipment or software response to SCADA system values.

    (ii) Verify that SCADA displays accurately depict field configuration when any modification is made to field equipment or applicable software and conduct a point-to-point verification for associated changes.

    (iii) Perform a point-to-point verification as part of implementing a SCADA system change for all portions of the pipeline system or facility affected by the change.

    (iv) Develop a plan for systematic re-verification of the accuracy of the SCADA system display.

    (3) Establish a means for timely verbal communication among a controller, management, and field personnel.

    (4) Identify circumstances that require field personnel to promptly notify the controller. These circumstances must include the identification by field personnel of a leak or situation that could reasonably be expected to develop into an incident if left unaddressed.

    (5) Define and record critical information during each shift.

    (6) Provide for the exchange of information when a shift changes or when another controller assumes responsibility for operations for any reason.

    (7) Establish sufficient overlap of controller shifts to permit the exchange of necessary information.

    (8) Periodically test and verify a backup communication system or provide adequate means for manual operation or shutdown of the affected portion of the pipeline safely.

    (d) Fatigue mitigation. Each operator must implement methods to prevent controller fatigue that could inhibit a controller's ability to carry out the roles and responsibilities defined by the operator. To protect against the onset of fatigue, each operator must:

    (1) Establish shift lengths and schedule rotations that provide controllers off-duty time sufficient to achieve eight hours of continuous sleep;

    (2) Educate a controller and his supervisor in fatigue mitigation strategies and how off-duty activities contribute to fatigue;

    (3) Train a controller and his supervisor to recognize and mitigate the effects of fatigue;

    (4) Implement additional measures to monitor for fatigue when a single controller is on duty; and

    (5) Establish a maximum limit on controller hours-of-service, which may include an exception during an emergency with appropriate management approval. An operator must specify emergency situations for which a deviation from the hours-of-service maximum limit is permitted.

    (e) Alarm management. Each operator using a SCADA system must assure appropriate controller response to alarms and notifications. An operator must:

    (1) Review SCADA operations at least once each week for:

    (i) Events that should have resulted in alarms or event indications that did not do so;

    (ii) Proper and timely controller response to alarms or events;

    (iii) Identification of unexplained changes in the number of alarms or controller management of alarms;

    (iv) Identification of nuisance alarms;

    (v) Verification that the number of alarms received is not excessive;

    (vi) Identification of instances in which alarms were acknowledged but associated response actions were inadequate or untimely;

    (vii) Identification of abnormal or emergency operating conditions and a review of controller response actions;

    (viii) Identification of system maintenance issues;

    (ix) Identification of systemic problems, server load, or communication problems;

    (x) Identification of points that have been taken off scan or that have had forced or manual values for extended periods; and

    (xi) Comparison of controller logs or shift notes to SCADA alarm records to identify maintenance requirements or training needs.

    (2) Review SCADA configuration and alarm management operations at least once each calendar year but at intervals not to exceed 15 months. At a minimum, reviews must include consideration of the following factors:

    (i) Number of alarms;

    (ii) Potential systemic issues;

    (iii) Unnecessary alarms;

    (iv) Individual controller's performance changes over time regarding alarm or event response;

    (v) Alarm indications of abnormal operating conditions;

    (vi) Recurring combinations of abnormal operating conditions and the inclusion of such combinations in controller training;

    (vii) Alarm indications of emergency conditions;

    (viii) Individual controller workload;

    (ix) Clarity of alarm descriptors to the controllers so controllers fully understand the meaning and nature of each alarm; and

    (x) Verification of correct alarm set-point values.

    (3) Promptly address all deficiencies identified in the weekly and calendar year SCADA reviews.

    (f) Change management. Each operator must establish thorough and frequent communications between a controller, management, and field personnel when planning and implementing physical changes to pipeline equipment and configuration. Field personnel must be required to promptly notify a controller when emergency conditions exist or when performing maintenance and making field changes.

    (1) Maintenance procedures must include tracking and repair of controller-identified problems with the SCADA system or field instrumentation to provide for prompt response.

    (2) SCADA system modifications must be coordinated in advance to allow enough time for adequate controller training and familiarization unless such modifications are made during an emergency response or recovery operation.

    (3) An operator shall seek control room participation when pipeline hydraulic or configuration changes are being considered.

    (4) Merger, acquisition, and divestiture plans must be developed and used to establish and conduct controller training and qualification prior to the implementation of any changes to the controller's responsibilities.

    (5) Changes to alarm set-point values, automated routine software, and relief valve settings must be communicated to the controller prior to implementation.

    (6) An operator must thoroughly document and keep records for each of these occurrences.

    (g) Operating experience.

    (1) Each operator must review control room operations following any event that must be reported as an incident pursuant to 49 CFR part 191 to determine and correct, where necessary, deficiencies related to:

    (i) Controller fatigue;

    (ii) Field equipment;

    (iii) The operation of any relief device;

    (iv) Procedures;

    (v) SCADA system configuration;

    (vi) SCADA system performance;

    (vii) Accuracy, timeliness, and portrayal of field information on SCADA displays; and

    (viii) Simulator or non-simulator training programs.

    (2) Each operator must establish a definition or threshold for close-call events to evaluate event significance. For those events the operator determines to be significant, the operator must conduct the review required by paragraph (g)(1) of this section and the operator must share the information with all controllers.

    (3) Each operator must review the accuracy and timeliness of SCADA data and how it is portrayed on displays.

    (h) Training. Each operator must establish a training program and review the training program content to identify potential improvements at least once each calendar year, but at intervals not to exceed 15 months. An operator must train each controller to carry out the roles and responsibilities defined by the operator. In addition, the training program must include the following elements:

    (1) Responding to abnormal operating conditions likely to occur simultaneously or in sequence.

    (2) Use of a simulator or non-computerized (tabletop) method to train controllers to recognize abnormal operating conditions, in particular leak and failure events. Simulations and tabletop exercises must include representative communications between controllers and individuals that operators would expect to be involved during actual events. Controllers will participate in improvement and development of tabletop or simulation training scenarios.

    (3) Providing appropriate information to the public and emergency response personnel during emergency situations, and informing controllers of the information being provided to the public or emergency responders under § 192.616 so that the controllers can understand the context in which this information will be received.

    (4) On-site visits by controllers to a representative sampling of field installations similar to those for which each controller is responsible to familiarize themselves with the equipment and with station personnel functions.

    (5) Review of procedures for pipeline operating setups that are periodically, but infrequently used.

    (6) Hydraulic pipeline training that is sufficient to obtain a thorough knowledge of the pipeline system, especially during the development of abnormal operating conditions.

    (7) Site specific training on equipment failure modes.

    (8) Specific training on system tools available to determine a leak or significant failure and specific training on other operator contact protocols when there is reason to suspect a leak in a common pipeline corridor or right-of-way.

    (i) Qualification. An operator must have a program in accordance with subpart N of this part to determine that each controller is qualified. An operator's procedures for the qualification of controllers must include provisions to:

    (1) Measure and verify a controller's performance including the controller's ability to detect abnormal and emergency conditions promptly and to respond appropriately.

    (2) Evaluate a controller's physical abilities, including hearing, colorblindness (color perception), and visual acuity, which could affect the controller's ability to perform the assigned duties.

    (3) Evaluate a controller's qualifications at least once each calendar year, but at intervals not to exceed 15 months.

    (4) Implement methods to address gradual degradation in performance or physical abilities in a controller.

    (5) Revoke a controller's qualification for extended time off-duty or absence (of a duration determined by the operator based on the complexity and significance of the controller's role), inadequate performance, impaired physical ability beyond what the operator can accommodate, influence of drugs or alcohol, or any other reason determined by the operator to be necessary to support the safe operation of a pipeline facility.

    (6) Restore a revoked qualification by specifying the circumstances for which a complete re-qualification is required, and the circumstances for which other means of restoration may be used, such as a period of review, shadowing, retraining, or all of these.

    (7) Document when an oral examination is used as the means of evaluation, including the topics covered.

    (8) Prohibit individuals without a current controller qualification from performing the duties of a controller.

    (j) Validation. An operator must have a senior executive officer validate by signature not later than the date by which control room management procedures must be implemented (see paragraph (a) of this section), and annually thereafter by March 15 of each year, that the operator has:

    (1) Conducted a review of controller qualification and training programs and has determined both programs to be adequate;

    (2) Permitted only qualified controllers to operate the pipeline;

    (3) Implemented the requirements of this section;

    (4) Continued to address ergonomic and fatigue factors; and

    (5) Involved controllers in finding ways to sustain and improve safety and pipeline integrity through control room management.

    (k) Compliance and deviations. An operator must maintain for review during inspection:

    (1) Records that demonstrate compliance with the requirements of this section; and

    (2) Documentation of decisions and analyses to support any deviation from the procedures required by this section. An operator must report any such deviation to PHMSA upon request, or in the case of an intrastate pipeline facility regulated by a state, upon request by the state pipeline safety authority.

    7. Amend § 192.805 by adding paragraph (j) to read as follows:

    Qualification program.
    * * * * *

    (j) Incorporate requirements applicable to controller qualification in accordance with § 192.631.

    PART 193—LIQUEFIED NATURAL GAS FACILITIES: FEDERAL SAFETY STANDARDS

    8. The authority citation for part 193 is revised to read as follows:

    Authority: 49 U.S.C. 5103, 60102, 60103, 60104, 60108, 60109, 60110, 60113, 60116 and 60118, and 60137; and 49 CFR 1.53.

    9. In § 193.2007 add definitions for “alarm,” “control room,” “controller,” and “Supervisory Control and Data Acquisition System (SCADA)” as follows:

    Definitions.
    * * * * *

    Alarm means an indication provided by SCADA or similar monitoring system that a parameter is outside normal or expected operating conditions.

    * * * * *

    Control room means a central location or local station at which a control panel, computerized device, or other instrument is used by a controller to monitor or control all or part of an LNG plant.

    Controller means an individual who uses a control panel, computerized device, or other equipment to monitor or control all or part of an LNG plant that the individual cannot directly observe with the naked eye. An individual who operates equipment locally, but who cannot see the equipment respond without using a closed circuit television system or other external device, is a controller when performing this activity regardless of job title or whether actions are overseen by another controller or supervisor. An individual who performs these functions on a part time basis is considered a controller only when performing these functions.

    * * * * *

    Supervisory Control and Data Acquisition System (SCADA) means a computer-based system that gathers field data, provides a structured view of pipeline system or facility operations, and may provide a means to control facility operations.

    * * * * *

    10. Amend § 193.2013 by adding item F. to the list in paragraph (b) and by adding item F. to the table in paragraph (c) to read as follows:

    Incorporation by reference.
    * * * * *

    (b) * * *

    F. American Petroleum Institute (API), 1220 L Street, NW., Washington, DC 20005-4070.

    (c) * * *

    *         *         *         *         *         *         *
    F. American Petroleum Institute (API): (1) API Recommended Practice 1165 “Recommended Practice for Pipeline SCADA Displays,” (January 2007) | § 193.2523(c)(1)

    11. Revise § 193.2441 to read as follows:

    Control room.

    Each LNG plant must have a control room from which operations and warning devices are monitored as required by this part. A control room must have the following capabilities and characteristics:

    (a) It must be located apart or protected from other LNG facilities so that it is operational during a controllable emergency.

    (b) Each remotely actuated control system and each automatic shutdown control system required by this part must be operable from the control room.

    (c) Each control room must have personnel in continuous attendance while any of the components under its control are in operation, unless the control is being performed from another control room that has personnel in continuous attendance.

    (d) If more than one control room is located at an LNG Plant, each control room must have more than one means of communication with each other control room.

    (e) Each control room must have a means of communicating a warning of hazardous conditions to other locations within the plant frequented by personnel.

    12. Amend § 193.2503 by adding paragraph (h) to read as follows:

    Operating procedures.
    * * * * *

    (h) Implementing the applicable control room management procedures required by § 193.2523.

    13. Amend § 193.2509 by adding paragraph (b)(5) to read as follows:

    Emergency procedures.
    * * * * *

    (b) * * *

    (5) Actions required to be taken by a controller during an emergency in accordance with § 193.2523.

    14. Add § 193.2523 to subpart F to read as follows:

    Control room management.

    (a) General. Each operator must have and follow written control room management procedures that implement the requirements of this section. The procedures must be integrated, as appropriate, into the written operating procedures manuals required by § 193.2503, written emergency procedures required by § 193.2509, and written training plans required by § 193.2713. For LNG plants that exist on [insert effective date of final rule], operators must develop the procedures by [insert date 12 months after effective date of final rule] and implement them by [insert date 24 months after effective date of final rule]. For LNG plants placed in service after [insert effective date of final rule], but before [insert date 12 months after effective date of final rule], procedures must be developed and implemented no later than 12 months after placing the plant in service. For LNG plants placed in service after [insert date 12 months after the effective date of final rule], procedures must be developed before the plant begins operation and must be implemented when operations commence.

    (b) Roles and responsibilities. Each operator must define the roles and responsibilities of a controller during normal, abnormal, and emergency operating conditions. To provide for a controller's prompt and appropriate response to operating conditions, each operator must define:

    (1) A controller's authority and responsibility to make decisions and take actions during normal operations.

    (2) A controller's role when an abnormal operating condition is detected, even if the controller is not the first to detect the condition, including the controller's responsibility to take specific actions and to communicate with others.

    (3) A controller's role during an emergency, even if the controller is not the first to detect the emergency, including the controller's responsibility to take specific actions and to communicate with others.

    (4) A method of recording when a controller is responsible for monitoring or controlling a pipeline facility or portion thereof by implementing an individual console or a system log-in feature or by documenting in the shift records the time and name of each controller who assumed the responsibility during a shift-change or other hand-over of responsibility.

    (c) Provide adequate information. Each operator must provide each controller with the information necessary for the controller to carry out the roles and responsibilities defined by the operator and must verify that a controller knows the equipment, components, and the effects of the controller's actions on the facilities under the controller's control. Each operator must:

    (1) Provide a controller with accurate, adequate, and timely data concerning operation of the facility. Wherever a SCADA system is used, the operator must implement API RP-1165 (incorporated by reference, see § 193.2013) in its entirety, unless the operator can adequately demonstrate that a provision of API RP-1165 is not applicable or is impracticable in the SCADA system used.

    (2) Validate that any SCADA system display accurately depicts field equipment configuration by completing all of the following:

    (i) Conduct and document a baseline point-to-point verification between field equipment and all SCADA system displays to verify 100 percent of the system displays. An operator must complete the baseline verification no later than [insert date 2 years after effective date of final rule]. An operator may use any documented point-to-point verification completed after [insert date three years before effective date of final rule] to meet some or all of this baseline verification. A point-to-point verification must include equipment locations, ranges, alarm set-point values, alarm activation, required alarm visual or audible response, and proper equipment or software response to SCADA system value.

    (ii) Verify that SCADA displays accurately depict field configuration when any modification is made to field equipment or applicable software and conduct a point-to-point verification for associated changes.

    (iii) Perform a point-to-point verification as part of implementing a SCADA system change for all portions of the LNG facility affected by the change.

    (iv) Develop a plan for systematic re-verification of the accuracy of the SCADA system display.

    (3) Establish a means for timely verbal communication among a controller, management, and field personnel.

    (4) Identify circumstances that require field personnel to promptly notify the controller. These circumstances must include the identification by field personnel of a leak or situation that could reasonably be expected to develop into an incident if left unaddressed.

    (5) Define and record critical information during each shift.

    (6) Provide for the exchange of information when a shift changes or when another controller assumes responsibility for operations for any reason.

    (7) Establish sufficient overlap of controller shifts to permit the exchange of necessary information.

    (d) Fatigue mitigation. Each operator must implement methods to prevent controller fatigue that could inhibit a controller's ability to carry out the roles and responsibilities defined by the operator. To protect against the onset of fatigue, each operator must:

    (1) Establish shift lengths and schedule rotations that provide controllers off-duty time sufficient to achieve eight hours of continuous sleep;

    (2) Educate a controller and the controller's supervisor in fatigue mitigation strategies and how off-duty activities contribute to fatigue;

    (3) Train a controller and his supervisor to recognize and mitigate the effects of fatigue;

    (4) Implement additional measures to monitor for fatigue when a single controller is on duty; and

    (5) Establish a maximum limit on controller hours-of-service, which may include an exception during an emergency with appropriate management approval. An operator must specify emergency situations for which a deviation from the hours-of-service maximum limit is permitted.

    (e) Alarm management. Each operator using a SCADA system must assure appropriate controller response to alarms and notifications. An operator must:

    (1) Review SCADA operations at least once each week for:

    (i) Events that should have resulted in alarms or event indications that did not do so;

    (ii) Proper and timely controller response to alarms or events;

    (iii) Identification of unexplained changes in the number of alarms or controller management of alarms;

    (iv) Identification of nuisance alarms;

    (v) Verification that the number of alarms received is not excessive;

    (vi) Identification of instances in which alarms were acknowledged but associated response actions were inadequate or untimely;

    (vii) Identification of abnormal or emergency operating conditions and a review of controller response actions;

    (viii) Identification of system maintenance issues;

    (ix) Identification of systemic problems, server load, or communication problems;

    (x) Identification of points that have been taken off scan or that have had forced or manual values for extended periods; and

    (xi) Comparison of controller logs or shift notes to SCADA alarm records to identify maintenance requirements or training needs.

    (2) Review SCADA configuration and alarm management operations at least once each calendar year but at intervals not to exceed 15 months. At a minimum, reviews must include consideration of the following factors:

    (i) Number of alarms;

    (ii) Potential systemic issues;

    (iii) Unnecessary alarms;

    (iv) Individual controller's performance changes over time regarding alarm or event response;

    (v) Alarm indications of abnormal operating conditions;

    (vi) Recurring combinations of abnormal operating conditions and the inclusion of such combinations in controller training;

    (vii) Alarm indications of emergency conditions;

    (viii) Individual controller workload;

    (ix) Clarity of alarm descriptors to the controllers so controllers fully understand the meaning and nature of each alarm; and

    (x) Verification of correct alarm set-point values.

    (3) Promptly address all deficiencies identified in the weekly and calendar year SCADA reviews.

    (f) Change management. Each operator must establish thorough and frequent communications between a controller, management, and field personnel when planning and implementing physical changes to facility equipment and configuration. Field personnel must be required to promptly notify a controller when emergency conditions exist or when performing maintenance and making field changes.

    (1) Maintenance procedures must include tracking and repair of controller-identified problems with the SCADA system or field instrumentation to provide for prompt response.

    (2) SCADA system modifications must be coordinated in advance to allow enough time for adequate controller training and familiarization unless such modifications are made during an emergency response or recovery operation.

    (3) An operator shall seek control room participation when LNG plant hydraulic or configuration changes are being considered.

    (4) Merger, acquisition, and divestiture plans must be developed and used to establish and conduct controller training and qualification prior to the implementation of any changes to the controller's responsibilities.

    (5) Changes to alarm set-point values, automated routine software, and relief valve settings must be communicated to the controller prior to implementation.

    (6) An operator must thoroughly document and keep records for each of these occurrences.

    (g) Operating experience.

    (1) Each operator must review control room operations following any event that must be reported as an incident pursuant to 49 CFR part 191 to determine and correct, where necessary, deficiencies related to:

    (i) Controller fatigue;

    (ii) Field equipment;

    (iii) The operation of any relief device;

    (iv) Procedures;

    (v) SCADA system configuration;

    (vi) SCADA system performance;

    (vii) Accuracy, timeliness, and portrayal of field information on SCADA displays; and

    (viii) Simulator or non-simulator training programs.

    (2) Each operator must establish a definition or threshold for close-call events to evaluate event significance. For those events the operator determines to be significant, the operator must conduct the review required by paragraph (g)(1) of this section and the operator must share the information with all controllers.

    (3) Each operator must review the accuracy and timeliness of SCADA data and how it is portrayed on displays.

    (h) Training. Each operator must establish a training program and review the training program content to identify potential improvements at least once each calendar year, but at intervals not to exceed 15 months. An operator must train each controller to carry out the roles and responsibilities defined by the operator. In addition, the training program must include the following elements:

    (1) Responding to abnormal operating conditions likely to occur simultaneously or in sequence.

    (2) Use of a simulator or non-computerized (tabletop) method to train controllers to recognize abnormal operating conditions, in particular leak and failure events. Simulations and tabletop exercises must include representative communications between controllers and individuals that operators would expect to be involved during actual events. Controllers will participate in improvement and development of tabletop or simulation training scenarios.

    (3) Providing appropriate information to the public and emergency response personnel during emergency situations, and informing controllers of the information being provided to the public or emergency responders per the operator's procedures, if any, so that the controllers can understand the context in which this information will be received.

    (4) Review of procedures for LNG operating configurations that are periodically, but infrequently used.

    (5) Hydraulic pipeline training that is sufficient to obtain a thorough knowledge of the LNG plant's system, especially during the development of abnormal operating conditions.

    (6) Site specific training on equipment failure modes.

    (7) Specific training on system tools available to determine a leak or significant failure.

    (i) Qualification. An operator must have a program in accordance with § 193.2707 to determine that each controller is qualified. An operator's procedures for the qualification of controllers must include provisions to:

    (1) Measure and verify a controller's performance including the controller's ability to detect abnormal and emergency conditions promptly and to respond appropriately.

    (2) Evaluate a controller's physical abilities, including hearing, colorblindness (color perception), and visual acuity, which could affect the controller's ability to perform the assigned duties.

    (3) Evaluate a controller's qualifications at least once each calendar year, but at intervals not to exceed 15 months.

    (4) Implement methods to address gradual degradation in performance or physical abilities in a controller.

    (5) Revoke a controller's qualification for extended time off-duty or absence (of a duration determined by the operator based on the complexity and significance of the controller's role), inadequate performance, impaired physical ability beyond what the operator can accommodate, influence of drugs or alcohol, or any other reason determined by the operator to be necessary to support the safe operation of an LNG plant.

    (6) Restore a revoked qualification by specifying the circumstances for which a complete re-qualification is required, and the circumstances for which other means of restoration may be used, such as a period of review, shadowing, retraining, or all of these.

    (7) Document when an oral examination is used as the means of evaluation, including the topics covered.

    (8) Prohibit individuals without a current controller qualification from performing the duties of a controller.

    (j) Validation. An operator must have a senior executive officer validate by signature not later than the date by which control room management procedures must be implemented (see paragraph (a) of this section), and annually thereafter by March 15 of each year, that the operator has:

    (1) Conducted a review of controller qualification and training programs and has determined both programs to be adequate;

    (2) Permitted only qualified controllers to operate the LNG plant;

    (3) Implemented the requirements of this section;

    (4) Continued to address ergonomic and fatigue factors; and

    (5) Involved controllers in finding ways to sustain and improve safety through control room management.

    (k) Compliance and deviations. An operator must maintain for review during inspection:

    (1) Records that demonstrate compliance with the requirements of this section; and

    (2) Documentation of decisions and analyses to support any deviation from the procedures required by this section. An operator must report any such deviation to PHMSA upon request, or in the case of an intrastate pipeline facility regulated by a state, upon request by the state pipeline safety authority.

    15. Amend § 193.2713 by adding paragraph (a)(4) to read as follows:

    Training: operations and maintenance.
    * * * * *

    (a) * * *

    (4) All controllers to carry out the control room management procedures under § 193.2523 that relate to their assigned functions.

    * * * * *

    PART 195—TRANSPORTATION OF HAZARDOUS LIQUIDS BY PIPELINE

    16. The authority citation for part 195 is revised to read as follows:


    Authority: 49 U.S.C. 5103, 60102, 60104, 60108, 60109, 60116, 60118, and 60137; and 49 CFR 1.53.


    17. In § 195.2, add definitions for “alarm,” “control room,” “controller,” and “Supervisory Control and Data Acquisition System (SCADA)” as follows:

    Definitions.
    * * * * *

    Alarm means an indication provided by SCADA or similar monitoring system that a parameter is outside normal or expected operating conditions.

    * * * * *

    Control room means a central location or local station at which a control panel, computerized device, or other instrument is used by a controller to monitor or control all or part of a pipeline facility or a component of a pipeline facility.

    Controller means an individual who uses a control panel, computerized device, or other equipment to monitor or control all or part of a pipeline facility that the individual cannot directly observe with the naked eye. An individual who operates equipment locally, but who cannot see the equipment respond without using a closed circuit television system or other external device, is a controller when performing this activity regardless of job title or whether actions are overseen by another controller or supervisor. An individual who performs these functions on a part time basis is considered a controller only when performing these functions.

    * * * * *

    Supervisory Control and Data Acquisition System (SCADA) means a computer-based system that gathers field data, provides a structured view of pipeline system or facility operations, and may provide a means to control pipeline operations.

    * * * * *

    18. In § 195.3(c), amend the table by adding item B.(18) to read as follows:

    Incorporation by reference.
    * * * * *

    (c) * * *

    *         *         *         *         *         *         *
    B. * * *
    (18) API Recommended Practice 1165 “Recommended Practice for Pipeline SCADA Displays,” (January 2007) | § 195.454(c)(1)
    *         *         *         *         *         *         *

    19. Amend § 195.402 by adding paragraphs (c)(15) and (e)(10) to read as follows:

    Procedural manual for operations, maintenance, and emergencies.
    * * * * *

    (c) * * *

    (15) Implementing the applicable control room management procedures required by § 195.454.

    * * * * *

    (e) * * *

    (10) Implementing actions required to be taken by a controller during an emergency, in accordance with § 195.454.

    * * * * *

    20. Add § 195.454 to subpart F to read as follows:

    Control room management.

    (a) General. Each operator of a pipeline facility with at least one controller and control room must have and follow written control room management procedures that implement the requirements of this section. The procedures must be integrated, as appropriate, into the operator's written manuals of procedures required by § 195.402, and written qualification program required by § 195.505. The operator must develop and implement the procedures no later than the dates in the table below.

    | Control room type | Develop procedures by: | Implement procedures by: |
    | --- | --- | --- |
    | (1) Remote operations (control and/or monitoring) of pipelines | [insert date 12 months after effective date of final rule] | [insert date 24 months after effective date of final rule]. |
    | (2) Remote operations of equipment within a single site (e.g., pump station) | [insert date 24 months after effective date of final rule] | [insert date 30 months after effective date of final rule]. |
    | (3) Pipelines with local control only | [insert date 30 months after effective date of final rule] | [insert date 30 months after effective date of final rule]. |
    | (4) Control rooms or local control stations placed in service after [insert effective date of the final rule], but before [insert date 12 months after the effective date of final rule] | 12 months after placement in service | 12 months after placement in service. |
    | (5) Control rooms or local control stations placed in service after [insert date 12 months after the effective date of final rule] | Before placing in service | Upon placing in service. |

    (b) Roles and responsibilities. Each operator must define the roles and responsibilities of a controller during normal, abnormal, and emergency operating conditions. To provide for a controller's prompt and appropriate response to operating conditions, each operator must define:

    (1) A controller's authority and responsibility to make decisions and take actions during normal operations.

    (2) A controller's role when an abnormal operating condition is detected, even if the controller is not the first to detect the condition, including the controller's responsibility to take specific actions and to communicate with others.

    (3) A controller's role during an emergency, even if the controller is not the first to detect the emergency, including the controller's responsibility to take specific actions and to communicate with others.

    (4) A controller's responsibility to provide timely notification and coordination with the operator of another pipeline in a common corridor when a leak or failure is suspected, including upon receipt of a notification from the public concerning a suspected leak on an asset owned or operated by the other company but located in the same common corridor or right-of-way.

    (5) A method of recording when a controller is responsible for monitoring or controlling any portion of a pipeline facility by implementing an individual console or a system log-in feature or by documenting in the shift records the time and name of each controller who assumed the responsibility during a shift-change or other hand-over of responsibility.

    (c) Provide adequate information. Each operator must provide each controller with the information necessary for the controller to carry out the roles and responsibilities defined by the operator and must verify that a controller knows the equipment, components and the effects of the controller's actions on the pipeline or pipeline facilities under the controller's control. Each operator must:

    (1) Provide a controller with accurate, adequate, and timely data concerning operation of the pipeline facility. Wherever a SCADA system is used, the operator must implement API RP-1165 (incorporated by reference, see § 195.3) in its entirety, unless the operator can adequately demonstrate that a provision of API RP-1165 is not applicable or is impracticable in the SCADA system used.

    (2) Validate that any SCADA system display accurately depicts field equipment configuration by completing all of the following:

    (i) Conduct and document a point-to-point baseline verification between field equipment and all SCADA system displays to verify 100 percent of the system displays. An operator must complete the baseline verification no later than [insert date three years after effective date of final rule] or by [insert date one year after effective date of final rule] for an operator of a pipeline system containing less than 500 miles of pipeline. An operator may use any documented point-to-point verification completed after [insert date three years before effective date of final rule] to meet some or all of this baseline verification. A point-to-point verification must include equipment locations, ranges, alarm set-point values, alarm activation, required alarm visual or audible response, and proper equipment or software response to SCADA system values.

    (ii) Verify that SCADA displays accurately depict field configuration when any modification is made to field equipment or applicable software and conduct a point-to-point verification for associated changes.

    (iii) Perform a point-to-point verification as part of implementing a SCADA system change for all portions of the pipeline system or facility affected by the change.

    (iv) Develop a plan for systematic re-verification of the accuracy of the SCADA system display.

    (3) Establish a means for timely verbal communication among a controller, management, and field personnel.

    (4) Identify circumstances that require field personnel to promptly notify the controller. These circumstances must include the identification by field personnel of a leak or situation that could reasonably be expected to develop into an accident if left unaddressed.

    (5) Define and record critical information during each shift.

    (6) Provide for the exchange of information when a shift changes or when another controller assumes responsibility for operations for any reason.

    (7) Establish sufficient overlap of controller shifts to permit the exchange of necessary information.

    (8) Periodically test and verify a backup communication system or provide adequate means for manual operation or shutdown of the affected portion of the pipeline safely.

    (d) Fatigue mitigation. Each operator must implement methods to prevent controller fatigue that could inhibit a controller's ability to carry out the roles and responsibilities defined by the operator. To protect against the onset of fatigue, each operator must:

    (1) Establish shift lengths and schedule rotations that provide controllers off-duty time sufficient to achieve eight hours of continuous sleep;

    (2) Educate a controller and his supervisor in fatigue mitigation strategies and how off-duty activities contribute to fatigue;

    (3) Train a controller and his supervisor to recognize and mitigate the effects of fatigue;

    (4) Implement additional measures to monitor for fatigue when a single controller is on duty; and

    (5) Establish a maximum limit on controller hours-of-service, which may include an exception during an emergency with appropriate management approval. An operator must specify emergency situations for which a deviation from the hours-of-service maximum limit is permitted.

    (e) Alarm management. Each operator using a SCADA system must assure appropriate controller response to alarms and notifications. An operator must:

    (1) Review SCADA operations at least once each week for:

    (i) Events that should have resulted in alarms or event indications that did not do so;

    (ii) Proper and timely controller response to alarms or events;

    (iii) Identification of unexplained changes in the number of alarms or controller management of alarms;

    (iv) Identification of nuisance alarms;

    (v) Verification that the number of alarms received is not excessive;

    (vi) Identification of instances in which alarms were acknowledged but associated response actions were inadequate or untimely;

    (vii) Identification of abnormal or emergency operating conditions and a review of controller response actions;

    (viii) Identification of system maintenance issues;

    (ix) Identification of systemic problems, server load, or communication problems;

    (x) Identification of points that have been taken off scan or that have had forced or manual values for extended periods; and

    (xi) Comparison of controller logs or shift notes to SCADA alarm records to identify maintenance requirements or training needs.

    (2) Review SCADA configuration and alarm management operations at least once each calendar year but at intervals not to exceed 15 months. At a minimum, reviews must include consideration of the following factors:

    (i) Number of alarms;

    (ii) Potential systemic issues;

    (iii) Unnecessary alarms;

    (iv) Individual controller's performance changes over time regarding alarm or event response;

    (v) Alarm indications of abnormal operating conditions;

    (vi) Recurring combinations of abnormal operating conditions and the inclusion of such combinations in controller training;

    (vii) Alarm indications of emergency conditions;

    (viii) Individual controller workload;

    (ix) Clarity of alarm descriptors to the controllers so controllers fully understand the meaning and nature of each alarm; and

    (x) Verification of correct alarm set-point values.

    (3) Promptly address all deficiencies identified in the weekly and calendar year SCADA reviews.

    (f) Change management. Each operator must establish thorough and frequent communications between a controller, management, and field personnel when planning and implementing physical changes to pipeline equipment and configuration. Field personnel must be required to promptly notify a controller when emergency conditions exist or when performing maintenance and making field changes.

    (1) Maintenance procedures must include tracking and repair of controller-identified problems with the SCADA system or field instrumentation to provide for prompt response.

    (2) SCADA system modifications must be coordinated in advance to allow enough time for adequate controller training and familiarization unless such modifications are made during an emergency response or recovery operation.

    (3) An operator shall seek control room participation when pipeline hydraulic or configuration changes are being considered.

    (4) Merger, acquisition, and divestiture plans must be developed and used to establish and conduct controller training and qualification prior to the implementation of any changes to the controller's responsibilities.

    (5) Changes to alarm set-point values, automated routine software, and relief valve settings must be communicated to the controller prior to implementation.

    (6) An operator must thoroughly document and keep records for each of these occurrences.

    (g) Operating experience.

    (1) Each operator must review control room operations following any event that must be reported as an accident pursuant to § 195.50 to determine and correct, where necessary, deficiencies related to:

    (i) Controller fatigue;

    (ii) Field equipment;

    (iii) The operation of any relief device;

    (iv) Procedures;

    (v) SCADA system configuration;

    (vi) SCADA system performance;

    (vii) Accuracy, timeliness, and portrayal of field information on SCADA displays; and

    (viii) Simulator or non-simulator training programs.

    (2) Each operator must establish a definition or threshold for close-call events to evaluate event significance. For those events the operator determines to be significant, the operator must conduct the review required by paragraph (g)(1) of this section and the operator must share the information with all controllers.

    (3) Each operator must review the accuracy and timeliness of SCADA data and how it is portrayed on displays.

    (h) Training. Each operator must establish a training program and review the training program content to identify potential improvements at least once each calendar year, but at intervals not to exceed 15 months. An operator must train each controller to carry out the roles and responsibilities defined by the operator. In addition, the training program must include the following elements:

    (1) Responding to abnormal operating conditions likely to occur simultaneously or in sequence.

    (2) Use of a simulator or non-computerized (tabletop) method to train controllers to recognize abnormal operating conditions, in particular leak and failure events. Simulations and tabletop exercises must include representative communications between controllers and individuals that operators would expect to be involved during actual events. Controllers will participate in improvement and development of tabletop or simulation training scenarios.

    (3) Providing appropriate information to the public and emergency response personnel during emergency situations, and informing controllers of the information being provided to the public or emergency responders under § 195.440 so that the controllers can understand the context in which this information will be received.

    (4) On-site visits by controllers to a representative sampling of field installations similar to those for which each controller is responsible to familiarize themselves with the equipment and with station personnel functions.

    (5) Review of procedures for pipeline operating setups that are periodically, but infrequently used.

    (6) Hydraulic pipeline training that is sufficient to obtain a thorough knowledge of the pipeline system, especially during the development of abnormal operating conditions.

    (7) Site specific training on equipment failure modes.

    (8) Specific training on system tools available to determine a leak or significant failure and specific training on other operator contact protocols when there is reason to suspect a leak in a common pipeline corridor or right-of-way.

    (i) Qualification. An operator must have a program in accordance with subpart G of this part to determine that each controller is qualified. An operator's procedures for the qualification of controllers must include provisions to:

    (1) Measure and verify a controller's performance including the controller's ability to detect abnormal and emergency conditions promptly, and to respond appropriately.

    (2) Evaluate a controller's physical abilities, including hearing, colorblindness (color perception), and visual acuity, which could affect the controller's ability to perform the assigned duties.

    (3) Evaluate a controller's qualifications at least once each calendar year, but at intervals not to exceed 15 months.

    (4) Implement methods to address gradual degradation in performance or physical abilities in a controller.

    (5) Revoke a controller's qualification for extended time off-duty or absence (of a duration determined by the operator based on the complexity and significance of the controller's role), inadequate performance, impaired physical ability beyond what the operator can accommodate, influence of drugs or alcohol, or any other reason determined by the operator to be necessary to support the safe operation of a pipeline facility.

    (6) Restore a revoked qualification by specifying the circumstances for which a complete re-qualification is required, and the circumstances for which other means of restoration may be used, such as a period of review, shadowing, retraining, or all of these.

    (7) Document when an oral examination is used as the means of evaluation, including the topics covered.

    (8) Prohibit individuals without a current controller qualification from performing the duties of a controller.

    (j) Validation. An operator must have a senior executive officer validate by signature not later than the date by which control room management procedures must be implemented (see paragraph (a) of this section), and annually thereafter by June 15 of each year, that the operator has:

    (1) Conducted a review of controller qualification and training programs and has determined both programs to be adequate;

    (2) Permitted only qualified controllers to operate the pipeline;

    (3) Implemented the requirements of this section;

    (4) Continued to address ergonomic and fatigue factors; and

    (5) Involved controllers in finding ways to sustain and improve safety and pipeline integrity through control room management.

    (k) Compliance and deviations. An operator must maintain for review during inspection:

    (1) Records that demonstrate compliance with the requirements of this section; and

    (2) Documentation of decisions and analyses to support any deviation from the procedures required by this section. An operator must report any such deviation to PHMSA upon request, or in the case of an intrastate pipeline facility regulated by a state, upon request by the state pipeline safety authority.

    21. Amend § 195.505 by adding paragraph (j) to read as follows:

    Qualification program.
    * * * * *

    (j) Incorporate requirements applicable to controller qualification in accordance with § 195.454.

    Issued in Washington, DC, on September 2, 2008.

    Jeffrey D. Wiese,

    Associate Administrator for Pipeline Safety.

    Footnotes

    2.  The pipeline safety regulations in 49 CFR parts 191, 192, and 193 refer to certain harmful events on a gas pipeline system or LNG facility as “incidents” while part 195 refers to certain failures on a hazardous liquid pipeline system as “accidents.” Throughout this document the terms “accident” and “incident” may be used interchangeably to mean an event or failure on a gas or hazardous liquid pipeline system or LNG facility.

    3.  Different titles exist in the industry for personnel who operate computer-based systems for controlling and monitoring the operations of pipeline facilities, some of which are controllers, dispatchers, operators, and board operators, but all are considered “controllers” in this document.

    4.  SCADA and DCS systems perform similar functions. Throughout this document, where the term SCADA is used, it should be interpreted to mean SCADA or DCS.

    5.  NTSB, “Supervisory Control and Data Acquisition (SCADA) Systems in Liquid Pipelines,” Safety Study NTSB/SS-05-02, adopted November 29, 2005.

    6.  For a discussion of research concerning fatigue and need for sleep, see Federal Motor Carrier Safety Administration proposed rule, May 2, 2000 (65 FR 25540). PHMSA is not relying on any particular study cited by FMCSA for its action here, but rather on the totality of research indicating that an 8-hour sleep period is necessary to provide for optimum human performance.

    7.  ASME B31Q is a national consensus standard governing qualification of pipeline operating personnel. A team of experts representing various technical disciplines within pipeline operating companies, including controllers, developed the standard.

    8.  Implementation of public awareness programs conforming to API RP1162 is required for gas pipelines by § 192.616 and for hazardous liquid pipelines by § 195.440.

    [FR Doc. E8-20701 Filed 9-11-08; 8:45 am]

    BILLING CODE 4910-60-P

Document Information

Comments Received: 0 Comments
Published: 09/12/2008
Department: Pipeline and Hazardous Materials Safety Administration
Entry Type: Proposed Rule
Action: Notice of proposed rulemaking.
Document Number: E8-20701
Dates: Anyone interested in filing written comments on this proposal must do so by November 12, 2008. PHMSA will consider late comments filed so far as practical.
Pages: 53075-53104 (30 pages)
Docket Numbers: Docket ID PHMSA-2007-27954
RINs: 2137-AE28: Pipeline Safety: Control Room Management/Human Factors
RIN Links: https://www.federalregister.gov/regulations/2137-AE28/pipeline-safety-control-room-management-human-factors-
Topics: Carbon dioxide, Incorporation by reference, Natural gas, Petroleum, Pipeline safety, Reporting and recordkeeping requirements
PDF File: e8-20701.pdf
CFR: (18) 49 CFR 192.3, 49 CFR 192.7, 49 CFR 192.605, 49 CFR 192.615, 49 CFR 192.631