Threats Assessment

From AS2885 INFO
Revision as of 08:07, 30 December 2019 by Susan Jaques
References:
AS2885.6 Section 3.3 Threat Control
AS2885.0 Section 1.5 Defined Terms


Is the credibility of a threat assessed considering the control measures in place, or without control measures in place?

(Peter Tuft) Refer to the Note to the definition of non-credible threat: "The credibility or otherwise of a threat is a characteristic of the threat itself and is assessed independently of any protective measures that may be applied to mitigate it. A non-credible threat is not the same as a credible threat that has been controlled."


When is the threat non-credible versus a frequency assessment of hypothetical? Both appear to point to a similar likelihood description.

(Peter Tuft) It is important to make the distinction between credibility of the threat itself (defined as the "activity or condition that can adversely affect the pipeline system if not controlled"), and the credibility of a failure event as a result of the threat. You only get to making an assessment of likelihood if you have identified the threat as credible AND found that it is not controlled (so then risk evaluation is necessary). See also the note following the definition of non-credible threat.


How low should a frequency get to go from hypothetical to controlled?

(Peter Tuft) When a threat is controlled the possibility of failure has been eliminated - frequency is zero. Where adequate physical controls are applied this is usually fairly straightforward to assess. Where there is heavy reliance on procedural controls it may not be possible to say with complete certainty that the threat is controlled, and if there is concern that failure remains possible then the appropriate course is to take it through to risk evaluation (where the frequency is perhaps likely to be Hypothetical).


What does "for all practical purposes" mean for non-credible and controlled threats? Some facilitators make it seem like there has to be no further threat.

(Peter Tuft) These words are unchanged from the 2012 edition (although now relocated into the Part 0 definitions). I'll concede that they might be weasel words, but they seem to have worked OK since 2007 so we applied "ain't broke, don't fix it".

My interpretation is that a controlled threat is one for which sufficient controls have been applied so that failure is no longer possible. Sometimes that can be applied a bit loosely, especially if there is heavy reliance on procedural rather than physical controls.

A non-credible threat is one which is so extraordinarily unlikely that even the most paranoid person is not going to worry about it (the usual example being an aircraft crashing on your pipeline).

In essence I'm agreeing that there is either no further threat (non-credible) or no possibility of failure from the threat (controlled). If you can't be confident of this conclusion, carry it through to risk evaluation.


Does the "strong recommendation" for additional reasonably practicable controls to be implemented on low risks require an ALARP or CBA (cost benefit analysis) to demonstrate?

(Peter Tuft) Assuming this question is referring to Part 6 Clause 4.2, which says: "Notwithstanding that a risk has been determined to be low or negligible, if there are simple measures that could be taken to reduce risk further, then those measures should be adopted."

There is no mandatory requirement for formal ALARP assessment or CBA. Nevertheless, some users may consider it is good practice to use those methods in certain cases.


Farmers have started using deep rippers that turn soil to 1000mm with 800hp tractors. Would AS2885 consider future increases in depth of cover for broadacre locations?

(James Czornohalan) In effect, it already does. You should consider this (or the possibility of this) if you are designing a pipeline through broadacre farmland. We aren't trying to be more prescriptive with these types of rules, because there are always exceptions, which is why you do designs and validate with a safety management study.


What replaces ‘encroachment’ outside of corridor in a notified zone for “S” activities that affect public safety?

(Peter Tuft) Encroachment outside the pipeline corridor is now called land use change, which is a better description anyway: "any change outside the pipeline corridor but within the measurement length, such that there is either a change in location class, or an increase in the likelihood or consequences of failure even without change in location class."

(Susan Jaques) Also picking up on terminology in this question, we've assumed that 'notified zone' is measurement length.

The terminology '"S" activities' is not familiar. In AS2885, "S" is a secondary location classification for Sensitive land users (i.e., would have difficulty escaping in the case of an incident).

"Activities that affect public safety" is unclear terminology and maybe should be reframed to consider instead in terms of "why might the pipeline fail at this location?" - because it's the pipeline failure that would affect public safety, and so it is the pipeline failure that we strive to prevent.


To satisfy no rupture, how can a Licensee say that an xxT digger with TT is the largest credible threat when really any sized digger could turn up unannounced?

(James Czornohalan) This comes to the definition of 'credible' threat. We are considering for "credible" not 'whatever might be possible'. It's possible for a plane to crash into the pipeline, but probably not credible. So for diggers, as they get larger, they become harder to move on public roads, they start costing exponentially more and so become less likely to just turn up, especially unannounced. So you design and manage for what's credible. We also do the demonstration of fault tolerance to make sure we've considered the possible (even if it seems really remote).