Australian guidance for gas and liquid petroleum pipeline design guidance comes, to a large extent, from Australian Standard 2885. Amongst other things AS2885 Pipelines – Gas and liquid petroleum sets out a method for ensuring these pipelines are designed to be safe.
Like many technical standards, AS2885 provides extensive and detailed instruction on its subject matter. Together, its six sub-titles (AS2885.0 through to AS2885.5) total over 700 pages. AS2885.6:2017 Pipeline Safety Management is currently in draft and will likely increase this number.
In addition, the AS2885 suite refers to dozens of other Australian Standards for specific matters.
In this manner, Standards Australia forms a self-referring ecosystem.
R2A understands that this is done as a matter of policy. There are good technical and business reasons for this approach;
However, this hall of mirrors can lead to initially small issues propagating through the ecosystem.
At this point, it is worth asking what a standard actually is.
In short, a standard is a documented assembly of recognised good practice.
What is recognised good practice?
Measures which are demonstrably reasonable by virtue of others spending their resources on them in similar situations. That is, to address similar risks.
But note: the ideas contained in the standard are the good practice, not the standard itself.
And what are standards for?
Standards have a number of aims. Two of the most important being to:
That is, standards help people predict and manage the future – people such as engineers, designers, builders, and manufacturers.
When helping people not make decisions, standards provide standard requirements, for example for design parameters. These standards have already made decisions so they don’t need to be made again (for example, the material and strength of a pipe necessary for a certain operating pressure). These are one type of standard.
The other type of standard helps people make decisions. They provide standardised decision-making processes for applications, including asset management, risk management, quality assurance and so on.
Such decision-making processes are not exclusive to Australian Standards.
One of the more important of these is the process to demonstrate due diligence in decision-making – that is that all reasonable steps were taken to prevent adverse outcomes.
This process is of particular relevance to engineers, designers, builders, manufacturers etc., as adverse events can often result in safety consequences.
A diligent safety decision-making process involves,:
This addresses the legal obligations of engineers etc. under Australian work health and safety legislation.
Standards fit within this due diligence process as examples of recognised good practice.
They help identify practicable options (the second step) and the help in determining the reasonableness of these measures for the particular issues at hand. Noting the two types of standards above, these measures can be physical or process-based (e.g. decision-making processes).
Each type of standard provides valuable guidance to those referring to it. However the combination of the self-referring standards ecosystem and the two types of standards leads to some perhaps unintended consequences.
Some of these arise in AS2885.
One of the main goals of AS2885 is the safe operation of pipelines containing gas or liquid petroleum; the draft AS2885:2017 presents the standard's latest thinking.
As part of this it sets out the following process.
If the risk is not acceptable, apply more controls until it is and then move on with the project. (See e.g. draft AS2885.6:2017 Appendix B Figures B1 Pipeline Safety Management Process Flowchart and B2 Whole of Life Pipeline Safety Management.)
But compare this to the decision-making process outlined above, the one needed to meet WHS legislation requirements. It is clear that this process has been hijacked at some point – specifically at the point of deciding how safe is safe enough to proceed.
In the WHS-based process, this decision is made when there are no further reasonable control options to implement. In the AS2885 process the decision is made when enough controls are in place that a specified target level of risk is no longer exceeded.
The latter process is problematic when viewed in hindsight. For example, when viewed by a court after a safety incident.
In hindsight the courts (and society) actually don’t care about the level of risk prior to an event, much less whether it met any pre-determined subjective criteria.
They only care whether there were any control options that weren’t in place that reasonably ought to have been.
‘Reasonably’ in this context involves consideration of the magnitude of the risk, and the expense and difficulty of implementing the control options, as well as any competing responsibilities the responsible party may have.
The AS2885 risk sign-off process does not adequately address this. (To read more about the philosophical differences in the due diligence vs. acceptable risk approaches, see here.)
To take an extreme example, a literal reading of the AS2885.6 process implies that it is satisfactory to sign-off on a risk presenting a low but credible chance of a person receiving life-threatening injuries by putting a management plan in place, without testing for any further reasonable precautions.
In this way AS2885 moves away from simply presenting recognised good practice design decisions as part of a diligent decision-making process and, instead, hijacks the decision-making process itself.
In doing so, it mixes recognised good practice design measures (i.e. reasonable decisions already made) with standardised decision-making processes (i.e. the AS31000 risk management approach) in a manner that does not satisfy the requirements of work health and safety legislation. The draft AS2885.6:2017 appears to realise this, noting that “it is not intended that a low or negligible risk rank means that further risk reduction is unnecessary”.
And, of course, people generally don’t behave quite like this when confronted with design safety risks.
If they understand the risk they are facing they usually put precautions in place until they feel comfortable that a credible, critical risk won’t happen on their watch, regardless of that risk’s ‘acceptability’.
That is, they follow the diligent decision-making process (albeit informally).
But, in that case, they are not actually following the standard.
This raises the question:
Is the risk decision-making element of AS2885 recognised good practice?
Our experience suggests it is not, and that while the good practice elements of AS2885 are valuable and must be considered in pipeline design, AS2885’s risk decision-making process should not.
 AS2885.6 Section 5:
“... the risk associated with a threat is deemed ALARP if ... the residual risk is assessed to be Low or Negligible”
Consequences (Section 3 Table F1):
Severe - “Injury or illness requiring hospital treatment”. Major: “One or two fatalities; or several people with life-threatening injuries”. So one person with life-threatening injuries = ‘Severe’?
Likelihood (Section 3 Table 3.2):
“Credible”, but “Not anticipated for this pipeline at this location”,
Risk level (Section 3 Table 3.3):
Required action (Section 3 Table 3.4):
“Determine the management plan for the threat to prevent occurrence and to monitor changes that could affect the classification”.