Pipeline Technology Conference 2015

Pipeline Integrated Management Systems - An Integrated Model

Malcolm Toft, Dennis Keen and Andy Fuller, Penspen, UK

Abstract:
Integrity management is not a piece of software, or documentation, but an organised
method for structuring pipeline integrity activity in order to optimise safe, reliable and
profitable asset performance. The range of international pipeline integrity
management standards such as IS CEN TS 15173 & 15174, BS PD 8010, ISO
12747 and 13623 etc. have many features in common, and Penspen has distilled
these into a single, integrated model of integrity management. We have harmonised
the key aspects of all the relevant standards into one model, covering pipeline
integrity policies and objectives, management and organisation, risk and quality
assurance, design, procurement, construction and commissioning, operations,
inspection and maintenance, emergency response, recovery and repair, incident
investigation and reporting, document and data management, change control, legal
and code compliance, review and audit. We present this integrated model, and share
lessons learnt from our experiences in successfully applying it through audit, gap
analysis and system development with numerous operators around with world.

1. Introduction
The objective of integrity management should be to maximise the safe, reliable
and profitable throughput of the asset. Integrity management is not just
concerned with inspection and maintenance, but with the whole spectrum of
integrated and supporting activities which assist in forming successive barrier
layers between an asset’s safe condition and any incident (e.g. external
corrosion mitigated by both coating and CP). The integration of all these
elements into a single management system is key to lifetime asset integrity,
illustrated in Figure 1.

Figure 1. Integrated PIMS wall

1
 Pipeline Technology Conference 2015

The top level of strategic asset management is governed by overarching

international standards such as the ISO 55000 series. This paper is concerned
with the next level of integrity management, specific to pipelines, see Figure 2.

Figure 2 Levels of asset management standards and activity

Asset
management
systems
(generic, strategic)
e.g. ISO 55000 series

Integrity management systems

for specific assets
e.g. pipelines (PD 8010 etc.)

Specific integrity management activities e.g. CP

system design, valve testing, product sampling
(huge range of guidance)

2
 Pipeline Technology Conference 2015

Penspen have integrated the key elements of the various principal pipeline
codes into a single model, illustrated in Table 1.

Table 1 Elements of pipeline integrity management in codes

API ASME BS CEN DNV ISO
PIMS ELEMENT PD RP
1160 B31.8S 8010-4 15174 116 55000
1 Policy & Objectives     
2 Organisation    
3 Quality Assurance      
4 Document & Data Control     
5 Hazard Assessment      
6 Design Control      
7 Procurement Control     
8 Construction Control      
9 Handover & Commissioning      
10 Normal Operations    
11 Inspection & Maintenance      
12 Emergency Response     
13 Recovery & Repair
14 Incident investigation & reporting 
15 Management of Change     
16 Legal & Code Compliance   
17 Review & Audit      

This paper discusses the principal code requirements for each element, and
Penspen’s experience of findings auditing pipeline operators for compliance.

2. Policies and objectives

The majority of codes require a pipeline operator to have in place a pipeline
integrity management policy, setting out corporate strategy and priority for
pipelines. This is often a stand-alone document, which ideally is regularly
reviewed by senior management and widely circulated. However, many policy
statements can remain “buried” within larger IMS documents, and other can be
so generic as to lose meaning. Furthermore, the idea of introducing policies
approach in various areas can lead some operators to display a large number of
similar, superficial documents without any “buy-in” within the company. Penspen
generally advise either making a PIM policy specific enough to add value in PIM
work, or generic enough to be readily combined with other asset management
initiatives (e.g. on structures or wells). Best practice is for policy statements to
cover the majority of the PIM areas mentioned above. For example, policy
statements could include:

 Establish an adequately-resourced organisation of competent people to

implement our policies and achieve our objectives;
 Establish operating procedures to ensure that our pipelines are safely and
effectively started up, operated and shut down;
 Establish and test and emergency response capability.

3
 Pipeline Technology Conference 2015

The policy should be discussed with staff and rolled out rather than simply
posted publicly.

The PIM policy should be supported by a set of objectives, which can usefully
cover all PIMS elements. Progress towards and acheivemnt of these objectives
should be monitored by suitable key performance indicators (KPIs) and detailed
performance indicators(PIs). Penspen have structured these either by PIMS
element or by pipeline-specific hazard and mitigation measures. The agregation
of PIs up into a manageable suite of KPIs can be a complex process specific to
each asset and operator. An example of “drilling down” into an external corrosion
set of PIs is shown in Figure 3.

Figure 3. Hazard KPI dashboard example for external corrosion

PI should be monitored on a continuous basis as integrity management activities

are performed or new data becomes available. KPIs should be subject to regular
review by senior management e.g. within an existing (monthly) meeting
structure, and annual reporting. Objectives can also usefully cascade down into
personal targets.

When implementing these programmes of specific targets elsewhere (e.g. in

health administration or education), it has been noticed that organisations can
focus on the targets to the exclusion of other issues. For pipeline operators, the
problem may need to be addressed by either deploying an extremely large set of
KPIs, or by regular in-depth auditing to detect areas of misplaced focus or
incorrectly set priorities.

4
 Pipeline Technology Conference 2015

3. Management and Organisation

Codes require a clearly defined organisation for the management of pipeline
integrity, although the core of this can be quite small (e.g. one pipeline specialist)
– see Figure 4. Resource must be adeqate for PIM, and most organisations have
constraints on resources. It is critical that PIM resource is focussed on pipeline
integrity work, rather than engaged entirely in secondary management activity
such as, for example, regular series’ of meetings concerning reorganisation,
roles and restructuring, which Penspen have noted on repeat audits of larger
operators.

Figure 4. Typical PIMS interfaces

The organisation must be supported by a proper competence assurance system,

including adequate provision for mentoring, development, training, supervision
and appraisal. This is especially critical for small but growing operators with
limited numbers of personnel in each role (e.g. one pipeline specialist).

Most non-State operators have frequent waves of organisational change

somewhere in the wide range of functions needed to support all PIMS elements
(including site/offshore roles), and documenting this effectively appears to be a
constant challenge. Such organisation changes rarely fall within the operator’s
definition of change, and hence neither the change nor it effects may be
adequately managed, while more minor specific material changes can be the
subject of extensive administrative process.

Many (especially small) operators are highly dependent on external pipeline

expertise, and on other organisations’ competence and quality assurance
systems: particular care is needed in these cases.

5
 Pipeline Technology Conference 2015

4. Hazard Management
Most codes insist that the heart of the PIM process is a systematic evaluation of
the likelihood and possible consequence of all the potential hazards which may
affect each pipeline section, from trap to trap, together with an estimate of the
benefits gained from the various relevant hazard mitigation measures. The
evaluation should consider all hazards which could affect asset availability and
the ability to maintain throughput (e.g. sand, wax, hydrates, black dust), and not
simply those hazards which could lead to a loss of containment. This results in
the consideration of much more frequent minor occurrences than previously.

The assessment must be carried out on a consistent basis, with genuine

consideration of the robustness of each mitigating action: operator ownership of
this is critical. Penspen have seen several evaluations which are cursory “cut
and paste” activites which give little confidence that the probability of pipeline
failure is being managed to be as low as reasonably practicable. Best practice
here involves conducting all hazard assessments on a semi-quantitative basis,
using published failure databases such as PARLOC and OREDA to derive
probabilities of failure for each hazard and asset section. All too often, inspection
and maintenance intervals are determined from some “look-up” table with little
rigorous justification such as managing the mean time between failure for
different assets. Acceptance criteria should be determined at a corporate level
for all threats to people, the environment and profits.

5. Quality Assurance
Most codes require that pipeline operators have some system of quality
assurance in place for any work which may affect the integrity of the pipeline
system. However, most operators seek to delegate the majority of this activity to
specialist consultants, and to require them to have suitable systems, accredited
for example to ISO 9001. The majority of operators therefore have no systems in
place for their own specifications, sketches and any regular pipeline
assessments or reviews.

6. Design
The majority of pipeline codes require that pipelines are designed by competent
organisations, subject to independent third-party verification, and properly
documented. However, most pipeline operators have limited systems in place for
achieving these objectives. Larger operators may have technical standards and
processes in place, but there is often a gap between an operator’s generic
project process, which can often be dominated by financial considerations, and
specific numerical requirements of corporate engineering standards (e.g. specific
hydrotest levels). There needs to be an intervening level of requirements, for
example, regarding competency, documentation and verification. This level is
often omitted. A similar weaknesses can occur in procurement practice.

In addition, assets, including pipelines, are increasingly transferred between

multiple successive operators, or from national bodies to private companies.
Visibility on legacy design adequacy is often very poor, due to a lack of, or
limited, technical due diligence and/or data transfer on the change of
operatorship. Although this transition is not a specific subject within pipeline
codes, in Penspen’s experience it is significant in reducing design confidence in

6
 Pipeline Technology Conference 2015

legacy assets, and specifically when justifying and planning life extensions. This
element also relates to the management of documentation.

7. Procurement
Purchasing of all pipeline-related material (including control systems) should
involve the relevant asset responsible person and technical expert, as well as
the personnel who will be operating and maintaining the asset. In larger
organisations, standard specifications may need to be developed. There is often
a communication gap between the pipeline responsible person and the
purchasing department. For example, minimal quality assurance may be applied
to material from an “approved” vendor; or there may be minimum traceability
when material (e.g. clamps, spare pipe, consumables etc.) is procured by an
EPIC contractor. In both these cases, ensuring that what is procured is suitable
can be extremely difficult. Formalising procurement processes can help with this,
but in smaller operators the key improvement is about raising awareness.

8. Construction
As with code requirements for pipeline design, assurance of contractor
competence and independent verification are critical. Similar issues arise in
construction practice to those in design practice, i.e. poor visibility on legacy data
(especially on variations or concessions during the construction process, and
truly “as built” data), and limited confidence that there has been robust technical
assurance.

9. Commissioning
Although most pipeline codes are highly specific on requirements for
hydrotesting etc. prior to pipeline commissioning, many operators simply indicate
preferred codes rather than formally requiring compliance with all clauses.
Visibility on legacy commissioning information can be limited, with assumptions
often made about e.g. the initial hydrotest (“I’m sure there must have been one,
but I’ve never seen any records”). There is often limited confidence that
operations/integrity were able to assure themselves of an asset’s documented
suitability in every respect before handover from the project team. One example
of such fraught handover was a project team’s removal of the pigtrap isolation
valve after the baseline inspection but before commissioning, replacing it with a
blank flange to save money, and thereby making any subsequent internal
inspection extremely expensive to organise.

10. Operations
A key concept in maintaining the integrity of a pipeline is the Safe Operating
Limit (SOL). SOLs are typically maximum or minimum pressure, temperatures,
flow and composition limits but many other parameters may be safety critical.
They may initially derive from design studies, but must be revised as a result of
any later study or assessment. Every pipeline will degrade in one way or
another, and SOLs will therefore change. They should be collated in one place
(e.g. operating procedures, P&IDs or a separate SOLs document), with
justifications, and arrangements put in place for their control, and the
rectification, reporting and analysis of the effect of any exceedances. This key
aspect of PIM is often poorly integrated, e.g. by an unused SOLs document, out-
of-date P&IDs, or failure to monitor several key parameters.

7
 Pipeline Technology Conference 2015

Codes also generally require pipeline operating procedures to be up to date,

which in Penspen’s experience is often not achieved, and available for the full
range of scenarios including pigging operations, and restart after emergency
shutdown. A particular aspect overlooked Is the transition from an emergency
condition and the associated operating procedures back to normal operation.
Whether the emergency is real or spurious eg. a e.g. after a false trip, the plant
and pipeline is misaligned with isolation valves closed and vent vaves open.
Operating procedures often presume that a restart is from a known system
condition, and emergency procedures solely focus on making a pipeline safe, not
handing back to any other procedure.

11. Inspection and Maintenance

The heart of PIM activity is the ongoing monitoring and control of the asset’s
condition. This should be driven by the need to maintain availability and
throughput, for example preventing and detecting any significant corrosion that
could cause a pipeline to be derated, rather than purely focussing on through-
wall corrosion resulting in a loss of containment. Inspection and maintenance
activity should be based on a rigorous and consistent evaluation of the principal
risks to people, the environment and profit, and the associated mitigation
measures for every asset section, whether on a site or platform, or subsea/cross
country. Key issues regularly noted by Penspen during audits include the
criticality and difficulty of transferring full instructions and receiving full reports for
e.g. ESDV testing. Despite the maturity of the industry, basic errors still persist,
such as inspecting the wrong pig trap or recording results that indicate pipe wall
thickness is increasing over time.

The large amount of data now available electronically poses problems for
pipeline personnel in integrating and assimilating all this, with a tendency for
some personnel to focus on a familiar or preferred subset of the data rather than
sitting back and seeing the “big picture”: The pipeline responsible person needs
to be able to bring information together in meaningful ways in order to spot
connections, patterns and trends which can indicate integrity challenges. Key
tools in this can be a monthly meeting reviewing a KPI suite, and an annual
review of all integrity management status and activity. Either of these can
usefully be structured around hazards and mitigations, with the other addressing
all PIMS elements.

The timely consultation of the pipeline responsible person in deferring inspection

and maintenance activity is also still often omitted.

12. Emergency Response

Pipeline emergency procedures should cover all credible scenarios in a clear
and reasonably conservative way. Operators expend considerable effort in
performing risk assessments however it is rare, almost to the point of never, that
the emergency procedures are based upon those risk assessments which will
have identified the full range of potential consequences that may be
experienced.

8
 Pipeline Technology Conference 2015

The Procedures may need to be combined with site or platform procedures, and
interface with other parties’ processes. They may also need to provide for a
handover back to operating procedures after making an emergency situation
safe.

Legislative regimes may make specific requirements regarding e.g. ESDVs or oil
pollution management plans. These plans must be properly adapted to the
asset: e.g. the US Congress found that BP’s Deepwater Horizon emergency
procedure contained plans for the protection of the walrus population, which is
totally absent from the Gulf of Mexico but was a major feature in BP Alaska1.
Penspen have also seen examples requiring operators to sample a leak even
when dealing with a gas pipeline, or monitoring pressure profiles for at least one
hour before shutdown on every pipeline section, even on a gas riser beneath a
manned platform, when it would expected in practice that the obvious danger to
large numbers of nearby personnel would dictate immediate shutdown.

Emergency procedures should be circulated appropriately and exercised

frequently. It is often difficult for operators to exercise a balanced range of
scenarios amid many competing claims, and Penspen recommend that
scenarios be formally planned as a single sequence, considering the worst
combinations of scenario probability and consequence, rather than an ad hoc
choice based on current interests. The sequence will need to cover all credible
hazards, from individual slips, process trips, through unknown pipeline damage,
up to large-scale fatality incidents. Exercises can cover individual aspects of
these scenarios (e.g. communications tests and desktop studies), but full-scale
integrated exercises need to be conducted too.

13. Recovery and Repair

Although most codes emphasise the importance of appropriate preparations for
pipeline repair (for example considering critical long lead-time items such as tees
and valves, access issues, offshore vessel availability, maintenance and
documentation of spares, and agreements with specialist subcontractors),
provision in practice is often inconsistent, ad hoc, dominated by short-term
financial considerations and sometimes entirely absent. Penspen recommend
that such provision is regularly reviewed based on the hazards and criticality of
each asset section, considering the current commercial context at the time.
Comparatively short “what if…” discussions can often highlight key
dependencies and vulnerabilities quickly. This is particularly relevent to smaller
operators working without large financial reserves. The shutdown, and
consequent suspension of the pipeline operators’s cash flow, of the main export
pipeline from a facility for 30 days while a clamp is purchased can put
considerable strain on the viability of the asset and possibly the company as a
whole.

14. Incident investigation and reporting

Pipeline codes and legislation require that incidents and near-misses are
investigated and analysed in order to identify patterns, and that this information

1
http://www.theguardian.com/environment/2010/jun/29/bp-oil-spill-timeline-deepwater-horizon

9
 Pipeline Technology Conference 2015

is fed back to appropriate personnel and into the relevant planning processesin
order to prevent recurrence or escalation.

The procedures for this are often generic (e.g. owned by an HSE function), and
rarely applied to pipelines due to the low number of loss of containment
incidents. There is a need to ensure that systems are sufficiently flexible to
encourage the reporting of both loss of containment near-misses and the internal
investigation and resording of events that resulted in, or potentially resulted in,
loss availability or reduced through put. Such events are much more common
and hence the collected data has greater statisical significance and enables the
analysis of trends affecting pipeline integrity by suitable pipeline personnel.

15. Document and Data Management

Codes require that both static documentation and live, dynamic data relating to
the pipeline system are properly managed, integrated and subject to appropriate
quality control.

Penspen’s experience is that legacy documentation is often limited (although

some aspects can sometimes be re-engineered if required e.g. for life
extension), and rarely readily searchable.

Live data is often not subejct to quality control, and in recorded in numerous
different electronic systems requiring extensive manual integration for regular
review.

Use of existing structures (such as regular meetings) can be a better way to

manage the increasing volume of data, rather than seeking expensive software
integration which still requires ongoing resource to manage.

16. Change Control

Pipeline changes must be properly managed, but corporate processes for this
are often generic, and it can be difficult to formally ensure the timely consultation
of relevant pipeline personnel. In particular, there is often a gap in corporate
systems where pipeline codes may specifically require the testing of any
modification before full pipeline recommissioning. As mentioned previously
many MOC processes do not recognise and hence do not control organisational
change. An extreme example of this was an operator who promoted a senior
person from the HQ to the position of Technical Director in an operating asset.
This person believed that pipeline integrity was not the role of the engineering
function as had been the case for many years and instead transferred it, at th
stroke of a pen, to the Integrity function who had previously only looked after
topside fabric integrity. The ensuing chaos, disengagement and disillustion
rapidly lead to a situation where an accident was only waiting to happen.

17. Legal and Code Compliance

Pipeline codes require that operators have systems in place for ensuring that
personnel are aware of legal and code requirements affecting pipeline integrity
management. A number of operators have, or employ companies that maintain,
legal registers, but fewer have a formal system for codes and standards. While
knowledge of specific legislation or pipeline code is often excellent in a few

10
 Pipeline Technology Conference 2015

specialist individuals, general or integrated awareness is frequently much more

limited. Penspen typically recommend a combination of registers, dedicated
“champion” and periodic communication “refreshers” to raise and maintain
awareness of legal/code context without inducing “information overload”.

18. Review and Audit

The PIMS should be regularly audited. Penspen recommend a combination of
both in-house and external expertise for this, so that operators are not overly
dependent on consultants. Best practice in this area involves formalising audit
procedures, and interviewing site/offshore personnel (e.g. regarding continued
suitability of a control system which may have been subject to progressive
modification for subsea tiebacks). Audits can usefully also address legal
compliance, given suitably competent auditors.

If KPIs and regular statements of integrity/TIAs are aligned with PIMS elements,
there can then be some overlap with audit. It may therefore be advisable to keep
KPIs and TIAs structured around hazards and mitigations, and focus the audit on
the overall PIMS.

19. Conclusions
In summary, Penspen find that many aspects critical to successful pipeline
integrity management are little understood outside the core pipeline team, and
that there is much useful work that can be done to increase consultation,
engagement and awareness. Several elements such as quality assurance and
pipeline repair preparations can be lacking altogether, and many subsidiary
systems such as competence and procurement are still embryonic, particularly
for small operators.

In Penspen’s experience of auditing and assisting pipeline operators, the

traditional core of pipeline inspection and maintenance activity is often
reasonably well executed, although not consistently based on a correct
evaluation of the hazards facing the pipeline system. However, the “enabling”
elements discussed above can be extremely variable, and there is a general lack
of integration.

Penspen suggest that good pipeline integrity management does not consist in
latest fashions for software, or any attempt to “make the problem go away”, but
consists of a systematic way of understanding and managing the asset from
cradle to grave, however this is accomplished. The key features often involve
optimising information flow to the pipeline responsible person, using existing
systems and structures such as monthly meetings, making organisational “silos”
porous to improve communication, and integrating all asset management
information in order to improve awareness and engagement without creating
overload.

11
 Pipeline Technology Conference 2015

20. References
1. BS PD 8010 Code of practice for pipelines – Part 2: Subsea pipelines, 2004.

2. BS PD 8010 Pipeline systems – Part 4: Steel pipelines on land and subsea

pipelines – Code of practice for integrity management, July 2012.

3. Life Extension for Subsea Systems, Norsok Standard Rev 3, December 2009.

4. Pipeline Life Extension, ISO Recommended Practice, 4 th August 2009.

5. Recommended Practice DNV-RP-F116 Integrity Management of Submarine

Pipeline Systems, October 2009.

6. International Standard ISO 13623 Petroleum and natural gas industries –

Pipeline transportation systems, 2nd edition, 15th June 2009.

7. International Standard ISO 12747 Petroleum and natural gas industries –

Pipelines transportation systems – Recommended practice for pipeline life
extension, 15th April 2011.

8. Offshore Standard DNV-OS-F101 Submarine Pipeline Systems, August 2012.

9. Energy Institute Guidelines for the Management of Integrity of Subsea

Facilities, April 2009.

12