Pipeline Safety: Control Room Management/Human Factors, 53076-53104 [E8-20701]

Download as PDF 53076 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules DEPARTMENT OF TRANSPORTATION Pipeline and Hazardous Materials Safety Administration 49 CFR Parts 192, 193, and 195 [Docket ID PHMSA–2007–27954] RIN 2137–AE28 Pipeline Safety: Control Room Management/Human Factors Pipeline and Hazardous Materials Safety Administration (PHMSA), DOT. ACTION: Notice of proposed rulemaking. ebenthall on PROD1PC60 with PROPOSALS2 AGENCY: SUMMARY: PHMSA proposes to revise the Federal pipeline safety regulations to address human factors and other components of control room management. The proposed rules would require operators of hazardous liquid pipelines, gas pipelines, and liquefied natural gas (LNG) facilities to amend their existing written operations and maintenance procedures, operator qualification (OQ) programs, and emergency plans to assure controllers and control room management practices and procedures used maintain pipeline safety and integrity. This proposed rule results from a PHMSA study of controllers and controller performance issues known as the Controller Certification Project (CCERT), a National Transportation Safety Board study, safety-related condition reports, operator visits and inspections, and inquiries. This rule would improve opportunities to reduce risk through more effective control of pipelines and require the human factors management plan mandated by the Pipeline Inspection, Protection, Enforcement, and Safety Act of 2006 (PIPES Act). These regulations would enhance pipeline safety by coupling strengthened control room management, including automated control systems, with improved controller training and qualifications and fatigue management. PHMSA expects these regulations will complement efforts already underway in the pipeline industry to address human factors and control room management, such as the development of new national consensus standards, including an American Petroleum Institute (API) recommended practices on roles and responsibilities, shift operations, management of change, fatigue management, alarm management and SCADA display standard, as well as comparable business practices at some pipeline companies. DATES: Anyone interested in filing written comments on this proposal must VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 do so by November 12, 2008. PHMSA will consider late comments filed so far as practical. ADDRESSES: Comments should reference Docket No. PHMSA–2007–27954 and may be submitted the following ways: • E-Gov Web site: https:// www.regulations.gov. This Web site allows the public to enter comments on any Federal Register notice issued by any agency. Follow the instructions for submitting comments. • Fax: 1–202–493–2251. • Mail: DOT Docket Management System: U.S. Department of Transportation, Docket Operations, M– 30, West Building Ground Floor, Room W12–140, 1200 New Jersey Avenue, SE., Washington, DC 20590–0001. • Hand Delivery: DOT Docket Management System; West Building Ground Floor, Room W12–140, 1200 New Jersey Avenue, SE., Washington, DC 20590–0001 between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays. Instructions: You should identify the docket ID, PHMSA–2007–27954, at the beginning of your comments. If you submit your comments by mail, submit two copies. To receive confirmation that PHMSA received your comments, include a self-addressed stamped postcard. Internet users may submit comments at https:// www.regulations.gov. Note: Comments are posted without changes or edits to https:// www.regulations.gov, including any personal information provided. There is a privacy statement published on https:// www.regulations.gov. FOR FURTHER INFORMATION CONTACT: Byron Coy at (609) 989–2180 or by email at Byron.Coy@dot.gov. SUPPLEMENTARY INFORMATION: I. Prevention Through People Over the past several years, PHMSA’s integrity management (IM) programs have been successfully driving down the two leading causes of pipeline failure—excavation damage and corrosion. IM programs help operators understand the threats affecting the integrity of their systems and implement appropriate actions to mitigate risks associated with these threats. Excavation damage and corrosion are, however, only part of the safety picture. The next logical area of program development is to examine the role people play in operating and maintaining pipelines. With this proposed rule, PHMSA is beginning implementation of a program that recognizes the importance of human interactions and opportunities for PO 00000 Frm 00002 Fmt 4701 Sfmt 4702 preventing risk, both errors and mitigating actions, to pipeline systems through a Prevention Through People (PTP) program. PTP addresses human impacts on pipeline system integrity. Human impacts include errors contributing to events, intervention to prevent or mitigate events, and the recognition of events that may begin the need for increased vigilance. The role of people, including controllers and those interacting with control center operations, is a vital component in preventing and reducing risk associated with pipeline systems. The proposed rule addresses requirements applicable to controllers and control room management. PHMSA has long recognized that controllers can play a key role in pipeline safety. Congress recognized the importance of this role in the Pipeline Safety Improvement Act of 2002 (PSIA) (Pub. L. 107–355) and the PIPES Act. A controller’s actions can mitigate risk, but they can also introduce the potential for upset conditions. Human error (including those caused by mistake or fatigue) can cause or exacerbate events involving releases leading to safety hazards and environmental impacts. Controllers also respond to indications of abnormal conditions on the pipeline. Appropriate human response to abnormal situations can mitigate events, helping to prevent accidents leading to adverse consequences. As part of the PTP program, this proposed rule addresses requirements applicable to controllers, key players among the people who can affect pipeline safety. Several existing regulations strengthen the effectiveness of the role of people in managing safety. These include regulations on damage prevention programs (49 CFR 192.614 and 195.442), public awareness (§§ 192.616 and 195.440), qualification of pipeline personnel (part 192, subpart N, part 193, subpart H, and part 195, subpart G), and drug and alcohol testing regulations and procedures (parts 40 and 199). Explicitly incorporating a PTP element in IM plans would emphasize the role of people both in contributing to, and in reducing, risks. PHMSA believes this may be the best means of fostering a holistic approach to managing the safety impact of people on the integrity of pipelines. This proposed rule adds requirements applicable to control room management. In the future, PHMSA plans to address additional risks associated with human factors as well as the opportunities for people to mitigate risks. In addition to regulations, PHMSA plans to identify and promote noteworthy best practices in PTP. E:\FR\FM\12SEP2.SGM 12SEP2 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules PHMSA recently reported to Congress on its work examining control room management issues as mandated in the PSIA. The report, titled ‘‘Qualification of Pipeline Personnel,’’ includes a summary of the CCERT Project, a fouryear effort examining control room issues in PTP. Although the project began with examination of qualification issues, during the course of the project, we identified other control room issues impacting the safety performance of controllers. PHMSA concluded that validating the adequacy of controllerrelated processes, procedures, training, and the controllers’ credentials would improve management of control rooms, thereby enhancing safety for the public, the environment and pipeline employees. PHMSA also identified areas in which additional measures could enhance control room safety and minimize the risk associated with fatigue and interaction with computer equipment. These areas include annual validation of controller qualifications by senior level executives of pipeline companies, clearly defined responsibilities for controllers in responding to abnormal operating conditions, the use of formalized procedures for information exchange during shift turnover, and clearly established shift lengths combined with education on strategies to reduce the contribution of non-work activities to fatigue. These areas are addressed by requirements included in this proposed rule. ebenthall on PROD1PC60 with PROPOSALS2 II. Background A. Pipelines and LNG Plants Approximately two-thirds of our domestic energy supplies are transported by pipeline. There are roughly 170,000 miles of hazardous liquid pipelines, 295,000 miles of gas transmission pipelines, and 1.9 million miles of gas distribution pipelines in the United States. Hazardous liquid pipelines carry crude oil to refineries and refined products to locations where these products are consumed. Hazardous liquid pipelines also transport highly volatile liquids (HVLs), other hazardous liquids such as anhydrous ammonia, and carbon dioxide. The regulations in 49 CFR part 195 apply to owners and operators of pipelines used in the transportation of hazardous liquids and carbon dioxide. Throughout this document, the term ‘‘operator’’ refers to both owners and operators of pipeline facilities. Gas transmission pipelines typically carry natural gas over long distances from gas gathering, supply, or import facilities to localities where it is used to VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 heat homes, generate electricity, and fuel industry. Gas distribution pipelines take natural gas from transmission pipelines and distribute it to residential, commercial, and industrial customers. The regulations in 49 CFR part 192 apply to operators of pipelines that transport natural gas, flammable gas, or gas which is toxic and corrosive. Throughout this document, the term ‘‘gas’’ refers to all gases in pipelines regulated under part 192. Additionally, there are currently 109 LNG import and peak shaving plants connected to our natural gas transmission and distribution pipeline systems. The volume of natural gas is reduced about 600 times when the gas is cooled to a liquid form. This allows large quantities of natural gas to be transported by ship and to be stored in insulated tanks. LNG import plants allow the U.S. to use natural gas produced in other countries and transported by ship. According to the Department of Energy, imported LNG provided 2% of U.S. natural gas supplies in 2003 but that proportion is expected to grow to 21% by 2025.1 LNG peak shaving plants allow gas pipeline operators to liquefy and store natural gas during off-peak periods. The stored LNG is then converted back to natural gas when needed for periods of peak consumption. The risks inherent in control of these facilities can be reduced by application of this proposed rule. B. Control Rooms and Controllers Most pipelines are underground and operate without disturbing the environment or negatively impacting public safety. However, accidents 2 do occasionally occur. Effective control is one key component of accident prevention. Controllers can help identify risks, prevent accidents, and minimize commodity losses if provided with the necessary tools and working environment. Therefore, this proposed rule is intended to increase the likelihood that pipeline and LNG controllers have the necessary knowledge, skills, abilities, and qualifications to help prevent accidents and that operators provide controllers with the training, tools, procedures, 1 U.S. Department of Energy, Office of Fossil Energy Web site (https://www.fossil.energy.gov/ programs/oilgas/storage/lng/feature/ whyimportant.html). 2 The pipeline safety regulations in 49 CFR parts 191, 192, and 193 refer to certain harmful events on a gas pipeline system or LNG facility as ‘‘incidents’’ while part 195 refers to certain failures on a hazardous liquid pipeline system as ‘‘accidents.’’ Throughout this document the terms ‘‘accident’’ and ‘‘incident’’ may be used interchangeably to mean an event or failure on a gas or hazardous liquid pipeline system or LNG facility. PO 00000 Frm 00003 Fmt 4701 Sfmt 4702 53077 management support, and environment where a controller’s actions can help prevent accidents and minimize commodity losses. i. Background Pipeline systems vary from small, simple systems, to complex systems covering thousands of miles. Combined, these systems make up a vast network of pipelines reaching across the United States. Pipeline systems include pumps, compressors, storage tanks, valves, and other components. A pump station, compressor station, or terminal is usually a major installation consisting of large pumps, compressors, storage tanks, and other service equipment. Pipeline systems also include valves used to control pressure and to direct flow during normal operations, to isolate sections of pipeline for maintenance or emergency activities, or to maintain operating pressures within allowable limits. Most operators monitor pumps, compressors, valves, and other equipment from single or multiple locations, often hundreds of miles away. Such locations are commonly known as ‘‘control rooms.’’ The individuals who work in control rooms are ‘‘controllers.’’ 3 A control room may have one or more controllers, who could be union or non-union employees. Both union and non-union controllers may work for the same operating company and a control room is likely to be operational 24 hours a day, 365 days a year, or less, depending on the complexity and nature of the pipeline system or LNG facilities served. Most operators use computer-based supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), or other less sophisticated systems to gather key information electronically from field locations.4 These systems are configured to present field data to the controllers, and may include additional historical, trending, and alarm management information. Controllers track routine operations continuously and watch for possible developing abnormal operating or emergency conditions. A controller may take direct action through the SCADA system to correct the conditions 3 Different titles exist in the industry for personnel who operate computer-based systems for controlling and monitoring the operations of pipeline facilities, some of which are controllers, dispatchers, operators, and board operators, but all are considered ‘‘controllers’’ in this document. 4 SCADA and DCS systems perform similar functions. Throughout this document, where the term SCADA is used, it should be interpreted to mean SCADA or DCS. E:\FR\FM\12SEP2.SGM 12SEP2 53078 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules ebenthall on PROD1PC60 with PROPOSALS2 or the controller may alert and defer action to others. ii. Importance of Control Rooms and Controllers Control rooms and controllers are critical to the safe operation of pipeline systems and LNG facilities. Control rooms often serve as the hub or command center for decisions such as adjusting commodity flow or facilitating an operator’s initial response to an emergency. The control room is the central location where humans or computers receive data from field sensors. Commands from the control room may be transmitted back to remotely controlled equipment. Field personnel also receive significant information from the control room. In essence, the control room is the ‘‘brain’’ of the pipeline system or LNG plant. Errors made in control rooms can have significant effects on the controlled systems. A controller’s errors can initiate or exacerbate an accident. A controller’s improper action or lack of action can place undue stresses on a pipeline segment or an LNG facility, which could result in a subsequent failure, the loss of service, or an increase in lost commodity, leading to risk to people, the environment, and the fuel supply. Controller responses to developing abnormal operating conditions or accidents can alleviate or exacerbate the consequences of some events regardless of the initial cause. A brief description of a few accidents can help illustrate the importance of control rooms and controllers to safe pipeline operation. More often than not, however, control rooms and controllers are a significant part of an operator’s response to abnormal and emergency events rather than the cause. • A batch of hazardous liquid expected to fill several tanks was being received at a tank terminal. A tank switchover was scheduled to occur late in a controller’s shift. The switchover did not occur at the scheduled time due to a reduction in flow rate in the pipeline, but the controller failed to inform the relief controller at shift change. The oncoming controller assumed the switchover had happened as scheduled, and therefore did not monitor the levels in the tank being filled. The liquid overflowed the tank and was ignited. The resulting fire caused considerable damage including the destruction of two large storage tanks. • A seldom-used manual valve in a hazardous liquid pipeline system had been closed to facilitate maintenance. The controller was aware that the valve was closed. The controller was not VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 aware, however, that the indication on his computer display of pressure near the valve came from a transducer downstream of the valve. The display indicated it was from the upstream side of the valve. While filling the isolated portion of the pipeline to return it to service, the controller over-pressurized the line, resulting in a rupture. • While diverting hazardous liquid pipeline flow from one facility to another, an elevated pressure caused the rupture of a pipeline at a location weakened by previous third party damage. Pumps had automatically shut off due to the high pressures. Despite a sharp drop in line pressure, the controller did not recognize that the pipeline had failed, and re-started the pumps. As a result, a significant amount of product was released through the ruptured line, ignited, and resulted in several fatalities. Maintenance activities being performed on the computers of the SCADA system at the time of the vent hampered the controller from recognizing and reacting to the failure. • A slug of contaminants was introduced into a gas transmission pipeline when gas was drawn from storage. The contaminants affected instruments and regulators as the slug moved down the pipeline, resulting in many control room alarms. The controller operating the pipeline did not recognize what was happening and failed to initiate corrective action in time to avoid loss of gas supply to several towns. • A citizen called a gas pipeline control room to report a sheen on a creek in a right-of-way shared with hazardous liquid pipelines. The citizen called the gas control room because its telephone number was on the pipeline marker the citizen located in the corridor. The controller of the gas pipeline failed to contact the controllers of the liquid pipelines in the shared corridor, and referred the information from the call to a field office that was unattended at the time. The result was a delay of several days in responding to a potential failure of one of the liquid pipelines. • In a similar situation, a citizen telephoned a gas control room and reported a leak. The controller concluded the company had no facilities in the area, that any problem was thus not theirs, and did not follow up. The leak persisted and subsequent calls to regulatory agencies resulted in locating a number of leaks in the area affecting facilities operated by the control room that took the original call. PO 00000 Frm 00004 Fmt 4701 Sfmt 4702 iii. Local Control and LNG Many pipeline systems and LNG plants have equipment that is locally controlled via a control panel located on or near the field equipment. The individuals who operate this equipment using the control panel could be considered controllers depending on their shared and associated responsibilities with controllers at other locations. This may also depend on the specific equipment being controlled and whether or not the controlled equipment is within direct observation of the individual at the local control panel. Gas pipeline operations are sometimes associated with LNG plants. LNG facilities are operated from control rooms and can have locally-controlled equipment in the same manner as pipeline facilities. In addition, some LNG control rooms also control pipeline systems connected to the LNG plant. Working from control rooms, controllers operate LNG facilities, pipelines associated with the facilities, and locally controlled equipment within LNG plants. Most pipeline systems today have control rooms. These facilities can be located at some distance from the pipeline, or they may be in close proximity to the pipeline. Many pipelines also have locally controlled equipment operated by controllers. This proposed rule addresses all of these situations. Pipeline and LNG facilities include compressor stations, hazardous liquid terminals, pump stations, LNG plants, and any other locations where controllers are located. In addition, control room also means a control center, control station, or any other such terminology. iv. Providing Tools for Effective Controller Performance Pipeline and LNG controllers impact the safety and integrity of the pipeline and LNG facilities they operate by being vigilant during normal operations and by properly responding to abnormal operating conditions and potential emergency situations. Public safety can be enhanced when a pipeline or LNG operator provides a controller the necessary tools and management support, while implementing and tracking thoroughly developed processes used by controllers. SCADA systems, which are widely used throughout the pipeline industry, can be as simple as computerized field equipment that allows an individual to monitor alarms or control equipment within a pipeline facility; or they can be more complex and diverse to allow a E:\FR\FM\12SEP2.SGM 12SEP2 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules ebenthall on PROD1PC60 with PROPOSALS2 controller to monitor, or monitor and control, many facilities as part of a complex pipeline network involving various communications mediums, often from a control room that is hundreds of miles away. For some pipeline operators, the application of SCADA systems has resulted in a reduction of pipeline field personnel, making the role of the controller even more critical to the safety and integrity of pipeline facilities. Pipeline and LNG controllers also must have adequate and up-to-date information about the conditions and operating status of the equipment they monitor, or monitor and control, if they are to succeed in maintaining pipeline safety. Incorrect, delayed, missing, or poorly displayed data may confuse a controller and can lead to problems despite the extensive training, qualification, and abilities of the controller. v. Controller Knowledge and Abilities Operators should assure that controllers perform their duties promptly and accurately, including routine operations and response to developing abnormal operating conditions or emergency circumstances, to help maintain pipeline and LNG facility safety. Existing operator qualification (OQ) regulations for pipeline personnel currently address a portion of the processes affecting a controller’s ability to succeed in maintaining pipeline safety and integrity. A controller should possess certain abilities, and attain the knowledge and skills necessary to complete the various tasks required for a specific pipeline system or LNG facility. To attain the necessary knowledge and skills, the controller is typically required to complete extensive on-the-job training and is often closely observed by an experienced controller for a period of time. The controller must also review and understand appropriate procedures, including those associated with emergency response, and repeatedly practice the correct responses to a variety of abnormal operating conditions. A controller’s skills and knowledge are then evaluated through the pipeline operator’s OQ process. Many pipeline operators require additional company-specific performance requirements that are outside of the operator’s OQ program. Many controllers routinely monitor and send commands to change flow rates and pressures, open and close valves, start and stop compressors or pumps, monitor tank levels, identify abnormal operating and emergency VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 conditions, and perform a key role when a safety response is needed. In some pipeline systems, controllers also monitor corrosion control rectifiers, odorant systems, purge operations, leak detection equipment, and security systems. Prompted by an assortment of factors, controllers re-direct flow, start and stop pipeline segments, or further adjust flow rates to accommodate market conditions, maintenance activities, and weather conditions on a regional or national basis. For these pipelines, dynamic operating conditions require controllers to have a high level of knowledge, skills, and abilities to safely maintain systems and to promptly recognize abnormal operating conditions or other anomalies as situations develop. In other pipelines and distribution systems, controllers use computers to closely monitor operating conditions, and then alert field personnel to take action when upset, abnormal or emergency conditions arise. A controller needs adequate, thorough training and qualifications as well as appropriate timely data, a control system designed to aid in the prompt identification of abnormal conditions, and an understanding of the controller’s authority to take appropriate actions. vi. Control Room Management All of this must occur within an environment that facilitates appropriate and correct actions. Operators must appropriately manage the factors affecting the controller, including relevant human factors and operator processes and procedures. PHMSA refers to the combination of all these factors as control room management. Centralized pipeline and facility control operations generally fall into one of three control function categories or into a hybrid combination: 1. Monitor, detect, and perform full remote control. 2. Monitor, detect, and direct field operating personnel to perform specific actions. 3. Monitor, detect, and alert field operating personnel, and defer action to field personnel. Controllers use SCADA systems to detect and monitor operational conditions. A controller then performs the required control function or directs or defers to field operations for needed attention based on the controller’s responsibility, authority, and assessment of the situation. Individual station computer control may be implemented through: 1. A unified control system within the station or plant, or PO 00000 Frm 00005 Fmt 4701 Sfmt 4702 53079 2. Individual unit-mounted control panels for each piece of equipment or groupings of equipment. Pipeline operations can vary significantly based on the physical properties of the commodities transported. For example, compressibility is a fundamental difference between natural gas and some hazardous liquids. SCADA system configuration, communication schemes, control modes and applied instrumentation, pipeline system configuration and complexities, size, procedures, and practices can further differentiate pipeline operations. These differences can have dramatic effects on the required content and scope of a controller’s training and qualifications, and on operational procedures and configuration of applied SCADA control systems. Differences in pipeline operations can also exist because some controllers are union employees governed by contract conditions and some are not. This can impact the number of hours worked, activities performed, number of controllers on shift, and other factors such as shift schedules. All controllers have some opportunity to mitigate risks. The degree to which they can affect pipeline safety may vary. For example, all controllers, including those that monitor only, can affect minor events (i.e. those not meeting reporting thresholds) and can influence the impact of future incidents in a positive manner. Pipeline controllers require similar cognitive and analytical skills. Additionally, control room procedures, pipeline controller tools, training, skills, and qualifications can impact controller performance. The nature of a particular control arrangement and the commodity transported will affect the actions an operator must take to manage the control environment and permit controllers to be successful in maintaining pipeline safety. None of these differences, though, obviate the need for control room management. C. The Safety Pyramid Operators of gas pipeline systems must submit to PHMSA written reports of events meeting certain criteria as incidents. Over the past 10 years, gas pipeline operators have submitted written reports for approximately 100 incidents per year on approximately 300,000 miles of gas transmission pipelines and approximately 130 incidents per year on approximately 2 million miles of distribution pipelines. Similarly, operators of hazardous liquid pipeline systems must submit to PHMSA written reports of E:\FR\FM\12SEP2.SGM 12SEP2 53080 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules ebenthall on PROD1PC60 with PROPOSALS2 pipeline system failures meeting certain criteria as accidents. Over the same 10 years, hazardous liquid pipeline operators have reported an average of approximately 140 accidents per year on approximately 160,000 miles of pipeline. The total number of accidents reported to PHMSA is about 370 per year. There are far more events, failures and near misses that occur on pipelines than those that require written reports. Some involve off-normal conditions for which controllers or automated safety systems intercede to prevent serious consequences. Others do not progress to the point of needing controller or safety system involvement. Pipeline operators document some near misses, but not all. PHMSA believes there are other loworder events, failures and near misses that occur unobserved. The term ‘‘safety pyramid’’ was used by Dr. D.W. Heinrich (1881–1962), an insurance company analyst who analyzed industrial accident prevention in the 1930s. In particular, he studied the relationship of events of varying significance and concluded that serious events (e.g., those resulting in fatalities) in any system occur in much smaller numbers than events of lesser significance. His work generally divided events into a 300-29-1 ratio, where there is 1 significant failure and 29 notable events in every 300. Heinrich called this relationship the ‘‘safety pyramid.’’ In turn, the number of errors and situations not recognized as ‘‘events’’ is even larger. Reportable pipeline accidents and incidents are only the tip of the safety pyramid. More events and failures occur at lower levels of the pyramid, including many near-miss events. Information about these nearmiss events, whether affecting a gas pipeline, hazardous liquid pipeline, or LNG facility, can lead to identifying key elements that can prevent events and failures from reaching the tip of the safety pyramid. Controller vigilance and appropriate response to lower-level events thus serves to prevent reportable pipeline incidents from occurring. D. Learning From Industry-Wide Operating Experience The proposed rule would require operators to establish a program to evaluate events that occur on their pipeline systems to identify lessons that can be used to improve control room performance. PHMSA believes it would be useful for the pipeline industry to establish a program to perform the same function for events occurring across the pipeline industry and to disseminate to all pipeline operators the lessons learned. VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 It is self-evident that more events occur within the pipeline industry than on any individual pipeline system. The industry’s safety pyramid is larger than that for any individual operator. This larger database of experience would provide more opportunity to learn lessons that can be used to improve the ability of controllers to maintain pipeline safety. For example, the airline industry and nuclear power plants have processes to collect and analyze operating experience and to share important lessons across their sectors. No such process exists within the pipeline or LNG industries. Some information about failures can be gleaned from news reports and discussions in trade association meetings, but pipeline and LNG operators do not usually share the details of failures. Operators are even less likely to share information about the bulk of close-calls and other minor events in the lower sector of the safety pyramid. Events with significant consequences (e.g., the 1999 hazardous liquid pipeline leak and explosion in Bellingham, Washington, or the 2001 gas transmission pipeline explosion near Carlsbad, New Mexico) get considerable press attention and become well known. The NTSB investigates significant pipeline events and issues reports and recommendations. Some events of lesser significance may be reported in trade press or by informal communications among pipeline operators, but there is no formalized process to collect and analyze information regarding close-call events or problems with more limited consequences in the pipeline industry. For larger pipeline operators, the sheer number of pipeline segments and stations may allow for the creation of a sufficiently large database of events to yield analytical value, but for most operators, their own experiences are not adequate to do so. Industry trade associations or other cooperative organizations could sponsor an industry-wide process to collect and analyze such information. Issues of proprietary information and perceived industry collusion are real constraints, but these have been dealt with in other industries. While the proposed rule would require each operator to establish a program to evaluate events that occur on its pipeline system, the rule would not require an intra-industry operating experience review process. PHMSA believes such intra-industry review could be useful, but does not consider it appropriate at this time to avoid the issues of unnecessary disclosure of proprietary information and perceived PO 00000 Frm 00006 Fmt 4701 Sfmt 4702 industry collusion. PHMSA encourages these industries to consider establishing such processes and invites the public and industry to comment on the value of such an inter-company review process. III. Human Factors Studies A. PHMSA Controller Study PHMSA had been studying and evaluating control room operations for many years and began developing control room inspection guidance in 1999. Subsequently, Congress enacted the PSIA, which the President signed into law on December 17, 2002. Section 13 of the PSIA required the DOT to conduct a pilot program to evaluate whether pipeline controllers should be certified based on tests and other requirements. In response to the PSIA, PHMSA conducted the CCERT study and reported findings to Congress in a report dated December 17, 2006, entitled ‘‘Qualification of Pipeline Personnel.’’ This project included a comprehensive review of existing controller training, qualification processes, procedures, and practices. This review also included identifying potential enhancements such as validation and certification processes currently used in other industries to enhance public safety. Understanding the attributes traditionally contained in existing operators’ training and qualification programs was an essential element of CCERT. Process techniques, practices, and procedures are significant and valuable tools to train and qualify controllers. PHMSA identified techniques, practices, and procedures through interviews with numerous pipeline operators and controllers in a variety of situations. This included pipelines of a wide array of types and sizes and both union and non-union controllers. PHMSA determined what actions would lead to an additional assurance that pipeline controllers are adequately qualified to perform safety-sensitive tasks. The project team also identified key processes and procedures critical to control room safety and reviewed certification programs. To consider validation or certification of pipeline operators’ qualification processes, the training and qualification programs should be thorough and adequately administered. PHMSA’s primary project objectives were to review and evaluate the structure and content of operators’ training and qualification programs and to identify controller procedures that can have an impact on pipeline safety and integrity. E:\FR\FM\12SEP2.SGM 12SEP2 ebenthall on PROD1PC60 with PROPOSALS2 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules The project focused on the content of the pipeline operators’ administrative, training, and evaluation techniques that make up the controller training and qualification processes, and included a review of related safety and integrity procedures. Ultimately this information helped to: • Identify content that should be included in an operator’s training program for controllers. • Identify content that should be included in the qualification programs to provide a higher assurance that controllers possess adequate knowledge, skills, and abilities to maintain the safety and integrity of the pipeline. • Determine what form of validation should be used to ascertain that pipeline controllers are adequately qualified and sustain those qualifications. • Identify aspects of safety and integrity practices and procedures that are critical to controllers. PHMSA established and implemented a strategy for receiving and encouraging ongoing stakeholder interaction early in the project. This approach involved the participation of numerous stakeholders that provided information including a focus group with representatives of the public, industry trade associations, pipeline operators, state and Federal pipeline safety agencies, and academia. PHMSA shared insights regarding key operational and logistical considerations for the project and collected comments from the group at key phases of the project. Information came directly from the focus group participants and indirectly from members of their respective constituencies. In addition, PHMSA presented project updates at numerous trade association meetings and other stakeholder forums to solicit additional feedback. PHMSA gathered supplemental information regarding controller qualifications from pipeline operators transporting various commodities with diverse control room characteristics, complex control operations and minimal monitoring operations, union and nonunion work environments, and varying pipeline mileage. Additional information was also obtained from the following sources: • National Transportation Safety Board (NTSB); • PHMSA Pipeline Technical Advisory Committees; • National Association of Pipeline Safety Representatives (NAPSR); • Pipeline trade organizations such as the » American Petroleum Institute (API), » Association of Oil Pipelines (AOPL), VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 » American Gas Association (AGA), » American Public Gas Association (APGA), and » Interstate Natural Gas Association of America (INGAA); • Research by » Najmedin (Najm) Meshkati, Professor of Civil/Environmental Engineering and Professor of Industrial and Systems Engineering at the University of Southern California, » Craig Harvey, Industrial and Manufacturing Systems Engineering, Louisiana State University, and » Marvin McCallum, Christian Richard, Battelle Seattle Research Centers; • Related product and system vendors; • Public advocate discussion lists (such as https://tech.groups.yahoo.com/ group/safepipelines) • Other industries utilizing validation and certification programs, including: » Aviation, » Railroad, » Nuclear power, and » Electric power transmission. PHMSA gathered additional information from the Environmental Protection Agency, the Occupational Safety and Health Administration, and the Chemical Safety Board. Because training, qualification, and certification programs are implemented in various forms, discussions about lessons learned in the development, implementation, and maintenance of programs in other industries were especially valuable. PHMSA sponsored two public workshops (June 27, 2006, and May 23, 2007) that provided various stakeholders an opportunity to discuss options to enhance the adequacy of control room management, provide substantiation of existing pipeline control management processes, discuss human fatigue issues, present existing qualification processes, and provide insights on other programs or methods used to provide for effective monitoring and control of pipelines. The workshops provided additional information and promoted discussion on the most critical factors emerging from the CCERT and the NTSB recommendations (discussed below) affecting the control and monitoring of gas and hazardous liquid pipelines. PHMSA provided an opportunity to discuss findings as a basis for providing further assurance about the effectiveness of pipeline control and the skills and qualifications of controllers. To foster discussion, PHMSA posed a number of specific questions in the Federal Register notices announcing the workshops, which were then discussed during the workshops, yielding valuable PO 00000 Frm 00007 Fmt 4701 Sfmt 4702 53081 information, ideas, and opinions from a broad assortment of stakeholders. The first workshop was divided into several sessions, each highlighted by panel discussions and an open question and answer period. The panels were made up of subject matter experts from the public, industry, and government. The panelists discussed formalized procedures to control shift rotation schedules, shift changeover practices and possible ways to improve training on fatigue. Discussions included the CCERT recommendations providing clear direction regarding the controller’s authority and responsibility to promote prompt detection and appropriate response to abnormal operating and emergency conditions and ways to address major changes in the controller’s operating environment. The panelists discussed the importance of operators routinely reviewing alarm and event displays to identify when changes are necessary as well as additional measures to further protect against unauthorized access to the SCADA area. Different types of training associated with the recognition of abnormal operating conditions, emergencies, and maintaining personnel qualifications were also reviewed. A more detailed summary of the workshop is available in the CCERT docket, PHMSA–RSPA–2004–18584. The significant outcome of CCERT was the identification of elements that can provide value in controller training and qualification processes and the recognition of the importance of thoroughness and clarity of controllerrelated procedures that affect pipeline safety and integrity. Also of value was the identification of a validation process for the implementation and review of these same processes and procedures. Enhancements to operator programs affecting controllers can be realized with thorough and formalized procedures and practices, additions to training and qualification programs, stimulated discussions in industry fostering a continued sharing of best practices, and the development of industry-wide recommended practices and standards. Other factors can also influence a controller’s ability to succeed. Pipeline operators should identify a controller’s physical work environment, visual and aural distractions, ancillary work assignments that dilute a controller’s attentiveness, workload, and SCADA system performance. The CCERT team concluded that a single controller certification process for the entire pipeline industry would not be appropriate for a number of reasons. First, because of the wide variability E:\FR\FM\12SEP2.SGM 12SEP2 ebenthall on PROD1PC60 with PROPOSALS2 53082 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules among pipeline systems, a uniform controller qualification (certification) examination would have to be very general. Second, a general exam would need to be supplemented by significant and specific material for each system by each operator before a controller could adequately perform his duties. Third, a uniform controller qualification or certification test for the entire industry would not address many operatorspecific and sometimes unique tasks critical to individual pipeline safety and integrity. The CCERT team concluded, however, that requiring operators to validate, review, and continuously improve the adequacy of controllerrelated training, qualification, and procedures specific to each operator’s pipeline would lead to improved public safety and better safety management in control rooms. The CCERT team also concluded: • As a cause or contributor to pipeline events or failures, control rooms rank very low compared to corrosion, material defects, and third party damage, but controllers must respond appropriately to each of these identified contributing factors. • Controllers are in a position of great importance to detect and react to abnormal operating and emergency conditions, thereby helping to avert failures and mitigate damage after a failure occurs. • Controllers are key players in a company’s response to abnormal operating and emergency conditions. • The low probability of controller error is offset by the potentially high consequence of damages and injuries as a result of their improper actions. • Remote monitoring or control through the use of a computer system may be performed in a formal control room, or numerous less formal settings such as an individual’s office, service vehicle, or residence. • The location of monitor or control functions does not define the nature or complexity of operations. • Established definitions used in other regulations such as large or small operators based on pipeline mileage, location of the facility, or less than 20% of the specified minimum yield strength (SMYS) of the pipeline, are not good qualifiers in defining control room risks. • More complex and diverse operations call for more thorough control room systems and processes. • Involvement of field personnel in control activities has the potential to positively or negatively influence risk control. VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 • Although some operators still use 8hour shifts, most operators have moved to 12-hour shifts. • Choice of shift plan and rotation schedule is usually not supported by analytical review for fatigue. • Most operators are performing at least a subset of the actions included in this proposed rule, but frequently without documentation of the basis for their process design choices or implementation methods, and sometimes without formalized procedures to maintain consistency or to provide for continuous improvement through review. Because controllers can have a great influence on the outcome of abnormal operating and emergency conditions, it is important that we provide for adequacy of controller knowledge, skills, abilities, and performance and their maintenance over time. PHMSA has identified fundamental operating procedures and practices, which should be used by pipeline controllers to enhance public safety. Most operators are currently using a subset of these procedures and practices, but use of these procedures and practices is not universal throughout the industry. The project team concluded that operators should be required to have more thorough, formalized procedures and processes for controller training and qualification which would be evaluated by the appropriate Federal or state regulatory authority. PHMSA collected and reviewed information from recent accident data analysis, complaints, inquiries, safety related condition reports, operator visits, PHMSA CCERT team operating experience, and the CCERT pilot program to be certain the activities of the pilot project operators and subsequent recommendations included recognition of lessons learned from those events that have been attributed to, or aggravated by, controller action or lack of action. While information reviewed indicates there is low probability for controller error to be the primary cause of an accident when compared to corrosion and other causal factors, this can be offset by the potentially high consequence of controller actions or inaction. Other industries, which employ validation and certification programs for control room personnel, also provided lessons learned in the development, implementation, and maintenance of validation and certification programs. Through the CCERT study, PHMSA identified a number of areas associated with the performance of control rooms that require enhancement. These areas were identified through numerous PO 00000 Frm 00008 Fmt 4701 Sfmt 4702 control room observations, PHMSA CCERT team operating experience, the collection of related research and project activities, controller cognitive skills review, the pilot program, and the comparisons with control room management issues in parallel industries. The enhancement areas incorporated into this proposed rule are as follows: • Clearly define the roles and responsibilities of controllers to promote their prompt and appropriate response to abnormal operating conditions. • Formalize procedures for recording critical information and for exchanging information during shift turnover or other times when a controller needs to be away from the desk and duties. • Establish shift lengths, maximum hours of service limitations, and schedule rotations that provide sufficient time off work for rest in order to protect against the onset of fatigue that could affect the performance of pipeline controllers. • Educate controllers and controller supervisors in fatigue mitigation strategies and how non-work activities contribute to fatigue that could affect pipeline control and control room management. • Periodically review SCADA displays to ensure controllers are getting clear and reliable information from field stations and devices. • Periodically audit alarm configurations and handling procedures to provide confidence in alarm signals and to foster controller effectiveness. • Involve controllers when planning and implementing changes in operations. • Maintain strong communications between controllers and field personnel. • Determine how to establish, maintain, and review controller knowledge, skills, abilities, and qualifications. • Develop performance metrics with particular attention to response to abnormal operating conditions. • Analyze operating experience, including accidents, for possible involvement of the SCADA system, controller performance, and fatigue. • Validate the adequacy of controllerrelated procedures and training, and the qualifications of controllers annually through involvement by senior-level executives of pipeline companies. PHMSA considers annual senior executive validation a key element. This would require a pipeline operator’s senior executive responsible for pipeline operations to attest to the content and thoroughness of controller training and qualification programs and E:\FR\FM\12SEP2.SGM 12SEP2 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules related procedures that impact safety, and to verify that the individuals who operated the pipeline or LNG facility during the year have completed these training and qualification programs. The executive validations would be subject to regulatory review and inspection, and create a stronger ownership and responsibility of senior management in regard to potential fines and court proceedings. A secondary benefit of this validation process would be improved communication between executive level management, control room supervision, and controllers regarding concerns, duties, procedures, and processes resulting in an elevated awareness within each pipeline operator regarding the critical nature of a controller’s job as well as the impact of controller duties on the safety and integrity of pipeline operations. Discussions in the first public workshop held June 27, 2006 reflected general acknowledgement by the pipeline industry that the process outlined above was appropriate to reduce control room risk. There was also general agreement that much of the process is in place in many pipeline control operations. A summary of this workshop is available in the docket PHMSA–RSPA–2004–18584. PHMSA’s second public workshop was held on May 23, 2007. Representatives of the pipeline industry, trade associations, the NTSB, other modes of transportation, and public interest groups presented their views on issues ranging from operator fatigue to the need to periodically review control room procedures. There was general agreement among workshop participants that controllers play an important role and that a human factors plan could have value. At the same time, most agreed that there was no need for major changes to current control room practices and staffing. A summary of this workshop is available in the docket PHMSA–2007–27954. ebenthall on PROD1PC60 with PROPOSALS2 B. NTSB SCADA Study The NTSB conducted a safety study on hazardous liquid pipeline SCADA systems during the same time period as PHMSA conducted the CCERT study. The PHMSA project addressed a wider perspective of interest, but includes findings similar to those in the NTSB Report.5 The NTSB study identified areas for potential improvement, which resulted in five recommendations; three are incorporated in this proposed rule. 5 NTSB, ‘‘Supervisory Control and Data Acquisition (SCADA) Systems in Liquid Pipelines,’’ Safety Study NTSB/SS–05–02, adopted November 29, 2005. VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 PHMSA is addressing the other two recommendations independent of this proposed rulemaking. The impetus of the NTSB study was a number of hazardous liquid accidents investigated by the NTSB in which leaks went undetected after the initial indications of a leak were apparently evident on the SCADA system. The NTSB designed its SCADA study to examine how hazardous liquid pipeline companies use SCADA systems to monitor and record operating data and to evaluate the role of SCADA systems in leak detection. The study identified five areas for potential improvement: • Display graphics. • Alarm management. • Controller training. • Controller fatigue data collection. • Leak detection systems. While this NTSB SCADA study specifically addressed hazardous liquid pipelines, NTSB included in the report an appendix listing all of its SCADArelated recommendations, which resulted from investigations of both hazardous liquid and gas pipeline accidents. Since 1976, the NTSB has issued approximately 30 recommendations either directly or indirectly related to SCADA systems involving both hazardous liquid and gas pipeline systems. PHMSA considers that the NTSB recommendations apply equally to gas and hazardous liquid pipelines and to LNG facilities. The recommendations are as follows: NTSB Recommendation P–05–1 Operators of hazardous liquid pipelines should be required to follow the API Recommended Practice 1165 (API RP 1165) for the use of graphics on the SCADA screens. NTSB Recommendation P–05–2 PHMSA should require pipeline companies to have a policy for the review and audit of SCADA-based alarms. NTSB Recommendation P–05–3 Operators should be required to include simulator or non-computerized simulations for training controllers in recognition of abnormal operating conditions, in particular leak events. NTSB Recommendation P–05–4 PHMSA should change the hazardous liquid accident reporting form (PHMSA F 7000–1) and require operators to provide data related to controller fatigue. PHMSA is addressing this recommendation in a separate action. NTSB Recommendation P–05–5 PHMSA should require operators to install computer-based leak detection PO 00000 Frm 00009 Fmt 4701 Sfmt 4702 53083 systems on all lines unless engineering analysis determines that such a system is not necessary. PHMSA is publishing a report on leak detection systems and technology in 2008. PHMSA is addressing the first three recommendations in this proposed rule. Based on PHMSA’s review of accident and incident data, the project team found that errant SCADA displays have the potential to confuse or mislead controllers or field personnel. They also found very few operators who consider the impact of color perception impairments and screen clutter or who perform periodic point-to-point verifications of screen display data with field instrumentation. Furthermore, the team found that training of the controllers usually did not include reference material to guide controllers to particular types of displays to help resolve certain types of abnormal operating conditions quickly or to address emergency response. The CCERT team found through discussions with operators that policies were seldom in place for systematically reviewing alarms on a regular basis. Many operators were not analyzing the number of alarms, seeking to eliminate unnecessary alarms, routinely determining if new alarms were needed, studying alarms to consider if grouping could consolidate information for more effective use, looking for systemic alarms, or reviewing alarms to verify alarm descriptions were clear to the controller. In addition, operators were not reviewing alarms to determine if abnormal operating conditions were frequently occurring together or consecutively. Rate-of-change alarms often were not being used as operational tools for controllers. Most operators were not looking for potential gradual degradation of controller response or changes in controller performance. Operators may have to reduce pressure because of concerns about the integrity of the pipeline, such as anomalies discovered during integrity management assessments. However, in many cases, the operators were not changing associated alarm set-point values, or field relief values, correspondingly when implementing these pressure reductions. The CCERT team’s discussions with controllers identified that generic simulators and high-fidelity (frequently referred to as ‘‘full’’) simulators were preferred training tools. The controllers interviewed generally found full simulators to have significant value. Tabletop discussions and exercises, and computerized simulators, were both found to be valuable resources for controllers in training for response to E:\FR\FM\12SEP2.SGM 12SEP2 53084 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules abnormal operating conditions. Direct controller involvement in scenario development of tabletop exercises and computer-based simulations can add safety value to these tools. Controllers can also provide significant feedback on exercise performance. However, controllers were frequently not represented in the development of exercises and frequently did not participate in exercises other than to call out appropriate responders. Controllers were seldom asked what could be done to make an exercise more realistic, provide greater value or improve team response performance. ebenthall on PROD1PC60 with PROPOSALS2 C. DOT’s Human Factors Coordinating Committee (HFCC) The Secretary of Transportation established the HFCC in 1991 to become the focal point for human factors issues within DOT. Since its inception, the HFCC, a multi-modal team with government-wide liaisons, has successfully addressed crosscutting human factors issues in transportation. The HFCC has influenced the implementation of human factors projects within and among DOT’s operating administrations, provided a mechanism for exchange of human factors and related technical information, and provided synergy and continuity in implementing transportation human factors research. DOT recognizes that many human performance issues are crosscutting and will benefit from a multi-modal approach. DOT needs coordinated human factors research to permit large research efforts that modes cannot support individually, to address multimodal transportation issues, as well as to advocate for timely human factors research in transportation system solutions. PHMSA continues to actively participate on the HFCC, and has drawn from the work of the HFCC to help identify fatigue management strategies for control room management. IV. PIPES Act of 2006 The PIPES Act of 2006 (Pub. L. 109– 468) imposed additional requirements on PHMSA with respect to control room management and human factors. The PIPES Act requires PHMSA to issue regulations requiring each operator of a gas or hazardous liquid pipeline to develop, implement, and submit a human factors management plan designed to reduce risks associated with human factors, including fatigue, in each control room for the pipeline. Operator plans must include a maximum limit on the hours a controller may work in a single shift VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 between periods of adequate rest. PHMSA, or a state authorized to exercise safety oversight, is required to review and approve operators’ human factors plans, and operators are required to notify PHMSA (or the appropriate state) of deviations from the plan. The PIPES Act also requires PHMSA to issue standards to implement the first three recommendations of the NTSB SCADA safety study as described above. Controllers using computer equipment to monitor or operate pipeline facilities can be impacted by display information, alarms, and abnormal operating conditions regardless of what type of system they operate. PHMSA considers the recommendations to be equally applicable to hazardous liquid and gas pipelines (transmission and distribution) as well as LNG facilities. This proposed rule will respond to the mandates in the PIPES Act relative to control room management, human factors, and SCADA. V. Standards, Recommended Practices, and Guidelines One of the actions identified by CCERT was the development of consensus-based best practices to promote controller success. PHMSA is encouraged by recent industry efforts, including industry review of existing standards (such as the Instrument Society of America SP–18 and the Engineering Equipment and Materials Users Association 191A), guidance material in development by the Transportation Security Administration (TSA) focusing on SCADA CyperSecurity, and the development of other guidance, recommended practices, and standard documents. The structured development process used to establish this type of material has historically yielded great safety value. Such efforts focused on Control Room Management have the potential of enhancing safety, especially when all key stakeholders are included and contribute to the process. The following is a list of identified applicable standards, recommended practices, white papers, and guidance material that have been established, revised, or that are currently under development: • API RP–1165, SCADA Display Standard. • American Society of Mechanical Engineers (ASME) B31Q, Operator Qualifications. • API 1164, SCADA Security. • API RP1167, Alarm Management. • AGA, Alarm Management. • API RP 1161, Qualification of Liquid Pipeline Personnel. • TSA, SCADA CyperSecurity Guidance Material. PO 00000 Frm 00010 Fmt 4701 Sfmt 4702 • API RP 1168, Control Room Management. • ISA SP–18, Instrument Signals and Alarms. • EEMUA 191A, Alarm Systems—A Guide to Design, Management and Procurement. API recommended practice on control room management was initiated in February, 2008 and is anticipated to be completed in February, 2009. It is anticipated this document will address four of the nine enhancement areas addressed in PHMSA research and required in the PIPES Act. Specific guidance anticipated in this recommended practice will address: (1) Roles and Responsibilities, (2) Shift Operations, (3) Management of Change, and (4) Fatigue. PHMSA anticipates guidance on such aspects as clarifying operator’s expectations for controllers to take action, information flow needed on field activities that could affect pipeline operations, direction of shift rotation and time between shifts, extent of offduty activity and fatigue management strategy, personal responsibility for rest, how to recognize and mitigate fatigue, and the content of education programs to share with families of the controllers. PHMSA and NAPSR have been participating in the development of this recommended practice and other national consensus document efforts and will continue to support, participate in, and encourage the development of national consensus standards and recommended practices. Once these materials are completed, PHMSA will review them and consider a regulatory amendment to incorporate by reference all or parts of such applicable documents in amended regulations. VI. PHMSA’s Proposed Approach PHMSA is proposing to require that appropriate control room management elements be incorporated into operator plans and procedures already required by existing regulations. PHMSA believes this approach will minimize the burden on operators and will prove more effective in the long term, because it will integrate these elements directly into the existing operator programs associated with these actions. This will also avoid operators having another plan that may create or exacerbate internal communication complexities. As is the case with other regulations, an operator would not be expected to establish processes and procedures for those tasks not applicable to their operations. These requirements would apply to operators of hazardous liquid, gas transmission, and gas distribution pipeline facilities, as well as to E:\FR\FM\12SEP2.SGM 12SEP2 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules ebenthall on PROD1PC60 with PROPOSALS2 operators of LNG facilities. The requirements would not apply to operators of master meters or petroleum gas systems unless the operator transports gas as a primary activity. Master meter and petroleum gas pipeline systems are generally very simple and typically consist of only pipe, service regulators, meters, and manual valves. These systems do not typically include a control room, equipment requiring local control or computer systems for operations, or provisions for continuous remote monitoring. Operators of these systems are excluded from the scope of this proposed regulation. This proposed exclusion is consistent with other PHMSA initiatives and regulations. The control room management elements describe ‘‘what’’ an operator must include but not ‘‘how’’ an operator must carry out such elements. This is typical of performance-based regulations and it recognizes the significant diversity present among pipeline systems and control rooms. One of the elements proposed is a plan that each operator would develop and implement to limit the maximum length of time that a controller could work in a single shift between periods of adequate rest. The PIPES Act specifies that PHMSA (or a state authority) may not approve a control room management plan that does not include such a limit. This rule does not propose a maximum hours of service limit, since PHMSA recognizes operator-specific factors may affect this limit for each operator. Many controllers work 12-hour shifts, as do individuals with similar jobs in other industries. PHMSA has no technical objection to 12-hour shifts. For control rooms staffed on a 24-hour basis, we also recognize that additional time is required at the beginning and end of each shift to accomplish a thorough shift turnover between incoming and outgoing controllers. Thorough shift turnover procedures are important and are one of the elements included in this proposed rule. Research performed by others has repeatedly identified a need for individuals to have eight hours sleep each day to maintain their best performance.6 PHMSA understands that operators have limited control over what a controller does during off-shift 6 For a discussion of research concerning fatigue and need for sleep, see Federal Motor Carrier Safety Administration proposed rule, May 2, 2000 (65 FR 25540). PHMSA is not relying on any particular study cited by FMCSA for its action here, but rather on the totality of research indicating that an 8-hour sleep period is necessary to provide for optimum human performance. VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 hours, but the agency expects that shift schedules will be established to provide a reasonable opportunity for a controller to achieve eight hours of sleep and for operators to educate controllers on the importance and need for adequate rest. PHMSA expects operators to take these factors into consideration when establishing a limit on the maximum hours an individual controller would work in a single shift, between periods of adequate rest. Operators should also consider other factors that may be unique to their operations and should provide an adequate amount of time between shifts so that controllers can rest and be expected to be free from fatigue. Shift change may not be the only time that controllers relieve each other and need to communicate critical information. Operators need to consider what other factors may determine when a thorough and complete set of information is necessary to be communicated to controllers and their supervisors. PHMSA will take all the above factors into consideration when reviewing operators’ shift plans, rotations and schedules and educational programs about the importance of adequate rest. PHMSA will fulfill the PIPES Act requirement to review operator plans by evaluating related programs, procedures, records, and related documentation during inspections. PHMSA will also develop guidance to assist inspectors in conducting comprehensive inspections and evaluations addressing all required control room management elements. This guidance will help Federal and State agencies achieve maximum impact from the evaluation of operators’ plans, maintain consistency and uniformity among inspections, and reduce the amount of subjectivity during inspections. VII. The Proposed Rule This proposed rule would affect operators of hazardous liquid, gas transmission, and gas distribution pipelines and operators of LNG facilities that use controllers. The nature of these facilities and their related control rooms vary, as do the complexity of pipeline systems and facilities. The proposed rule would not affect master meter operators or operators of petroleum gas systems unless the operator transports gas as a primary activity. This performance-based rule describes the necessary elements and outcomes operators must accomplish but does not prescribe exactly how operators must incorporate each element. Each operator must have documented procedures, PO 00000 Frm 00011 Fmt 4701 Sfmt 4702 53085 guidelines or practices, tailored to the operator’s specific systems, control regime, and circumstances. Controllers play a critical role in any system that uses human-machine interface to monitor or control pipeline systems, LNG facilities, or other equipment. The nature of that role varies with the type of commodity and the relative complexity of the pipeline system and facilities, but the analytical and cognitive skills needed are similar in all cases. Gas industry trade groups have expressed their view that controllers have limited opportunity to affect pipeline safety; PHMSA disagrees. Furthermore, gas pipeline controllers interviewed by PHMSA and those serving as subject matter experts on the ASME B31Q 7 national consensus standards team for operator qualifications have also indicated that their actions could impact safety. While the compressibility of gas and the rapid progression of gas transmission pipeline failures generally make it unlikely that controller actions can cause an incident or mitigate the immediate effects of an incident, PHMSA believes that controller actions in gas pipeline systems can make incidents more likely. PHMSA also believes that controllers can hinder mitigative actions after the initial consequences of a rupture; can recognize abnormal operating conditions and intercede to prevent incidents; and can routinely perform significant functions to operate the pipeline and facilities in a safe manner. PHMSA also notes that all controllers serve important functions in the response to incidents and accidents. In many cases, controllers serve as the first line of defense to prevent incidents and accidents, and thus serve an important safety function requiring special training and qualification. PHMSA concludes that the minimum actions required by this proposed rule, expressed in simple performance terms, are necessary and reasonable. PHMSA also concludes that many are these actions already being used or exceeded by pipeline operators and that imposition of these requirements will improve safety without unreasonable burden. This proposed rule would add provisions to 49 CFR parts 192, 193, and 195. Rather than describe these changes on a section-by-section basis, this document describes them by topic 7 ASME B31Q is a national consensus standard governing qualification of pipeline operating personnel. A team of experts representing various technical disciplines within pipeline operating companies, including controllers, developed the standard. E:\FR\FM\12SEP2.SGM 12SEP2 53086 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules because the general content of the changes in each part is the same. ebenthall on PROD1PC60 with PROPOSALS2 A. Changes to Operations and Maintenance (O&M) Manuals PHMSA is proposing the human factors management plan required by the PIPES Act be comprised of several enhancements in each operator’s written O&M procedures manual(s), OQ program, and emergency procedures plan. PHMSA believes this makes it more likely that the actions required in this proposed rule will be integrated effectively into pipeline operations, thus limiting the potential for miscommunications to occur. PHMSA is proposing to include these requirements in a separate section within each part because we believe the verification and deviation reporting provisions of this proposed rule will be easier to understand if included in a separate code section for control room management. B. Definitions This proposed rule adds the definitions of four key terms to improve the clarity of the proposed new requirements: Alarm, controller, control room, and SCADA. An alarm is defined as an indication provided by SCADA or a similar monitoring system that a monitored parameter is outside normal or expected operating conditions. Controllers need to be aware of these conditions, and a number of these conditions need to be controlled in order not to overwhelm the controllers. The proposed rule provides for periodic actions to review alarm management. The new definition is intended to make certain that treatment of these abnormal indications is addressed as part of this management, whether or not individual operators call them alarms. Fundamentally, a controller is an individual who uses computer-based equipment to monitor, or monitor and control, all or part of a pipeline system or LNG facility. Individuals who monitor or control a pipeline or LNG facility using computerized systems are controllers. For the purposes of this rule, individuals who operate equipment locally but who cannot actually see the equipment respond without using a closed circuit television system or other external devices are controllers when performing these activities, regardless of their job title or whether their actions are overseen by other controllers or supervisors. Conversely, individuals who operate equipment locally and can see the equipment respond without using a closed circuit television system or other VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 external devices are not controllers. Maintenance and other personnel accessing data from the control system are not controllers. While controller oversight of individuals operating equipment locally can facilitate the recognition of inappropriate control actions and possibly mitigate their consequences, the oversight does not generally allow prevention of inappropriate actions before they create adverse conditions. PHMSA believes that preventing actions that could result in unfavorable consequences is more important than identifying and possibly mitigating these actions after they occur. Therefore, we conclude that treating individuals operating equipment locally as controllers, even if they are subject to oversight or supervision by other trained individuals, is necessary to maintain public safety. A control room is traditionally a central location where a pipeline system or LNG facility is monitored or controlled, regardless of whether all, or only part, of a pipeline system or LNG facility is monitored or controlled. Control rooms may include multiple stations for individual controllers who monitor or control portions of the pipeline system or facility, or instead may house a single controller. Central locations within a field station (e.g., pump or compressor station, terminals) that include controls for multiple pieces of equipment are considered control rooms for purposes of this proposed rule, though the equipment at such field locations may not include the capability to monitor or control portions of the pipeline outside of the field station. A control room is sometimes referred to as a control center, control station or by other similar terminology. However, a controller may perform his duties by non-traditional means such as using a laptop in a vehicle. This proposed rule adds a definition for SCADA. These are the computerbased systems that collect and display information about the status of the pipeline or facility and display that information to controllers for their use in monitoring or controlling the pipeline or facility. Many SCADA systems provide the capability to control pipeline equipment from remote control panels but systems that only provide monitoring information are also considered SCADA systems. C. Implementation Schedules PHMSA recognizes that different pipeline systems possess different levels of risk from potential controller errors. We also recognize that developing and implementing procedures for more PO 00000 Frm 00012 Fmt 4701 Sfmt 4702 complex systems that pose the greatest risks needs to be thoroughly analyzed. Operators must take the time necessary to be thorough in developing their procedures. Complex systems often require additional time to train all personnel and fully implement these procedures. For some pipelines, negotiations with unions may be required to implement these requirements; such negotiations take time. PHMSA has tried to balance these needs in the implementation schedules included in this proposed rule. Operators of hazardous liquid pipelines and gas transmission pipelines controlled or monitored remotely and operators of LNG plants with controllers would be required to develop procedures within one year after the effective date of the final rule. These operators would have one additional year to implement these procedures completely, including all necessary training. The proposed rule would require operators of hazardous liquid pipelines and gas transmission pipelines to develop procedures for control rooms that control only equipment within a single site (e.g., pump or compressor station) within two years after the effective date of the final rule and to implement those procedures within an additional six months. This reflects the relatively lower risk associated with control rooms for these single facilities and allows the operators of the more complex pipelines to focus their initial efforts on remote-operation control rooms where potential risk is greater. Operators of gas distribution systems would have two years after the effective date of the final rule to both develop and implement procedures. These systems operate at lower pressures, usually have field response crews in close proximity to instrumentation, and pose lower consequence risks from controllers. Many gas distribution operators are small companies or municipal departments that will require additional time to manage limited technical resources available to write procedures. At the same time, the relative simplicity of these small systems makes it easier to train controllers and implement new procedures. Pipeline systems that rely solely on local control pose less consequence risk than more automated and remote control actions. These small pipeline systems generally rely on the most limited resources. This proposed rule allows 30 months after the effective date of the final rule for operators of these pipeline systems to both develop and implement the necessary procedures. E:\FR\FM\12SEP2.SGM 12SEP2 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules ebenthall on PROD1PC60 with PROPOSALS2 Implementing changes for existing systems and facilities takes time. The situation is different for new installations and existing facilities that are significantly changed (e.g., implementation of a new SCADA system). The proposal would require operators of systems with control rooms that are placed in service or significantly modified more than 12 months after the effective date of the final rule to develop procedures as part of the design and installation of the new systems and to implement those procedures when the control room is placed in service. Control rooms that will be implemented within 12 months of the effective date of the final rule are well along in design and planning and PHMSA concludes it is best to treat these facilities as existing control rooms. Mergers and acquisitions can present a unique challenge for controllers and control rooms. Controllers must develop an understanding of the hydraulics of a new system; become familiar with new display graphics; handle an increased workload on existing consoles; learn new hardware and software systems using different instrumentation or control methods and changed alarm designations and priorities; and participate in a shadow control scheme until training is complete. Detailed plans on how to introduce each element into the remaining control room and how to train and qualify controllers on newly introduced systems must be developed. For example, each operator must develop and implement a plan that includes how controllers will provide input on alarm descriptors, how this input will be implemented, and how controllers will receive training on alarm descriptors before a system is under their authority or responsibility for monitor or control. D. Roles and Responsibilities The proposed rules require each operator to clearly define and document the roles and responsibilities of controllers for prompt and appropriate response to abnormal operating conditions and emergencies. Such documentation will also define the controller’s authority and the pipeline operator’s expectation for the controller to take action. Controllers are often the first to become aware of developing abnormal operating conditions or emergencies and can often play a critical role in response to these events. Timely and appropriate controller actions can arrest developing problems and return a pipeline system or LNG facility to normal operations. Conversely, untimely or improper controller actions can exacerbate VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 abnormal operating conditions, which could potentially lead to incidents and accidents. Sometimes controllers are not the first to notice a problem. Problems may be identified by field personnel or reported by the public. Controllers must know their roles in responding to these situations and in communicating with management, field staff, the public, government agencies, emergency response personnel, and other operators of pipelines or utilities that may share a common right-of-way. For situations that pose the most significant risks to public safety and the environment, prompt action by controllers is often needed. In other situations, management may expect controllers to consult with them before taking actions. Therefore, controllers must know the limits of their responsibility and authority for making safety-related decisions and for taking safety-related actions in all situations. The proposed rule requires operators to develop processes so that management and controllers have uniform expectations and understandings about response requirements before an abnormal operating condition or emergency arises. The proposed rule would also require operators to establish processes to allow controllers to seek and receive management input in a timely manner when required. E. Assuring Adequate Information Controllers must have accurate and up-to-date information about the status of the pipeline system, equipment, or facilities they monitor or control. For example, they need to know pressures, flow rates, and temperatures, as well as the operating status of compressor and pump stations, the position of valves, and the availability of standby equipment that might be substituted in the event of a failure. They also need to know what effects power loss would have on equipment status. Without timely and correct information, controllers cannot take appropriate actions to control normal pipeline operations nor can they promptly identify abnormal situations and take actions to arrest event progression and prevent larger problems. This proposed rule requires each operator to develop processes to provide that controllers receive the timely and necessary information they need to fulfill their responsibilities at all times. F. SCADA Many pipeline operators use SCADA, DCS, or internet-based systems to allow controllers to monitor or control pipeline systems or LNG facilities PO 00000 Frm 00013 Fmt 4701 Sfmt 4702 53087 remotely. SCADA is used in this document to mean SCADA, DCS or other methods of communicating data for monitoring or controlling pipeline systems and LNG facilities. SCADA systems must be configured and programmed to provide accurate information to the controller and to transmit any command actions accurately. It is also important for controllers to recognize and react to information changes about the state of the pipeline. Cluttered or poorly organized SCADA screens may not be logical to a controller. Unless a controller quickly recognizes SCADA information, he or she may not be able to process the information into knowledge upon which to base control actions. The API recognized the need for clear and logical SCADA displays and published a recommended practice, API RP–1165. This recommended practice provides guidance to operators to help them develop SCADA screens that display information clearly, logically, and without clutter to maximize the ability of controllers to use the information effectively. This proposed rule requires pipeline operators with SCADA systems to follow API RP–1165 or be able to demonstrate that the recommended practice is inapplicable or impracticable. SCADA information is only useful when accurate, timely, and properly displayed. Complex SCADA systems receive information from sensors, transmitters, and other equipment located throughout an LNG plant or pipeline system and use algorithms to convert the information into a more useful form for the controller. SCADA systems must also provide for unexpected communication interruptions from one or more instruments or transmitters. The loss of a few data points must not result in a complete loss of system information or system malfunction to the controller. SCADA systems must have a backup communication system, which is tested periodically to verify its performance. Alternatively, a pipeline operator must have an adequate means to operate manually or provisions to shut down the affected portion of the pipeline safely. Server load should also be reviewed on a regular basis and monitored for increased activity affecting controller-required tools. Operators should be aware of softwarespecific concerns (e.g., through usergroup meetings) and should develop methods to prevent these issues from affecting controller performance. SCADA systems must have provisions to accommodate different kinds of E:\FR\FM\12SEP2.SGM 12SEP2 ebenthall on PROD1PC60 with PROPOSALS2 53088 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules problems, for example, stale data. When communications problems arise, a SCADA system may present the most recent (though stale) data until data communications are restored. SCADA systems must display this stale data in a manner that is easily recognized by the controller, particularly when the data have not been updated for a significant amount of time. Not all SCADA systems are configured to provide warnings (flags) to controllers to warn of stale data. Therefore, the proposed rule requires operators to identify methods to allow controllers to recognize stale data at all times. SCADA system integrity is usually verified when the system is initially installed by checking instrument readings and other data on each display screen. The readings and data are checked for accuracy and to ascertain that they match the readings on the corresponding field equipment or transmitters. The installation also verifies that signals issued from the SCADA panels result in the proper control of the corresponding equipment in the field. SCADA data processing is also verified during installation. While all this serves to verify the initial SCADA installation, SCADA systems, pipeline systems, and LNG facilities can change over time. Any of these changes can lead to misinformation problems for both controllers and field personnel. To verify that existing SCADA systems are accurate, this proposed rule would require operators to conduct an initial point-to-point baseline verification for each SCADA system to validate and document that field equipment configurations agree with computer displays. Operators would check from transmitter-to-display to verify that the correct values (and units) are displayed on the SCADA screens at the correct relative locations. Operators would also verify that alarm and event functions occur at specific set-points or upon certain actions by the correct corresponding equipment and that all controlled equipment appropriately responds to SCADA inputs and outputs. This requirement is intended to verify that existing SCADA systems are accurate despite changes that may have been made without verification since the initial installation. Operators of pipeline systems with more than 500 miles would be required to complete the baseline verification within three years of the effective date of the final rule. However, because SCADA systems for large pipeline systems can have tens of thousands of data points to check, it is not practical to require a complete verification at one time. To offer some relief for these more VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 complex systems, the proposed rule would allow operators to credit verifications conducted up to three years before the effective date of the final rule towards the baseline verification. Operators of pipeline systems with less than 500 miles would be required to complete validation within one year of the effective date of the final rule. This reflects the relative simplicity of performing verification for these smaller systems and PHMSA’s belief in the importance of prompt baseline verifications. PHMSA invites comments on the appropriateness of these time periods. We further invite comments on alternative approaches to achieve the intent of assuring baseline verification for each SCADA system. Another approach, for example, might be a risk-based schedule to build off the risk analyses most operators have previously completed for their integrity management programs. Once the baseline SCADA system has been verified, operators should document and verify changes as they occur. Therefore, the proposed rule requires operators to verify SCADA screens versus field configurations when modifications or repairs are made to field equipment. For SCADA system changes or new SCADA systems, however, the proposed rule requires point-to-point verifications as part of the implementation process for all portions of the pipeline system or LNG facility affected by the change. The rule would also require operators to develop and implement procedures to handle system maintenance changes and SCADA point verifications such as alarm set-points, display locations, value confirmations, and the proper operation of software algorithms. Operators must make maintenance change notifications to controllers as they occur and set a maximum time limit for changes to be made and verified to the appropriate SCADA system displays and alarm features. Individual operators would also be required to develop a plan for systematic re-verification of the accuracy of the SCADA system display. Lastly, the proposed rule would require SCADA changes brought about by mergers or buy-outs to be treated as a new SCADA system implementation and verified accordingly. G. Shift Change SCADA systems and other means of providing real-time information to controllers concerning the status of pipeline systems are important, but such systems are not the only information important to a controller in carrying out his duties. Controllers need to be aware of activities that have PO 00000 Frm 00014 Fmt 4701 Sfmt 4702 occurred, are underway, or planned that could affect pipeline operations during a shift. This includes, but is not limited to, planned modifications and maintenance activities, noted indicators of possible near-term problems including alarms, indications of any abnormal operating condition, communications concerns or malfunctions, points taken off-scan, and the unavailability of key field personnel. Field personnel must promptly inform controllers when work is done that could affect controller duties or displayed information. Under the proposal, an operator’s procedures must provide for making this necessary noncomputer-based information available to controllers. PHMSA considers verbal communications important because accurate verbal contact can provide for immediate verification of maintenance activities and equipment status, and can corroborate information received from other sources. Therefore, the proposed rule requires that operators provide for timely verbal communications between controllers and field personnel. Controllers must contact field personnel, on occasion, to investigate the reason for abnormal indications, to carry out emergency response actions, or to perform actions that cannot be done remotely from the control room. Field personnel must inform controllers when equipment is taken out of service, when values are forced or locked in place, or when events that can have a near-term impact on safety occur. Field personnel must promptly contact controllers when conditions are identified that could indicate a leak or incipient accident. Field personnel should be trained and encouraged to contact the control center as quickly as possible whenever a leak is suspected. The proposed rule also requires that operators identify in procedures those circumstances, actions, and conditions for which field personnel must notify the control room. Operators should implement individual console or system log-in features, if these are available, or record on the shift-change records the time and the name of the controller who is responsible during the shift-change procedure. While most pipelines operate 24 hours a day, seven days a week, some do not. Small pipelines, such as those dedicated to a single facility, may operate only as needed or for only certain hours of the day. Many transmission pipeline systems have implemented more sophisticated and complex control schemes and can require extensive involvement of technical personnel other than E:\FR\FM\12SEP2.SGM 12SEP2 ebenthall on PROD1PC60 with PROPOSALS2 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules controllers. More thorough procedures and processes are needed to manage these activities. In all cases, it is important that controllers have a complete understanding of the conditions and activities affecting the pipeline, including non-computer based information. The proposed rule addresses this need by requiring that critical information be recorded during each shift. Oncoming controllers can review the log to make themselves aware of recent activities and current conditions, even in those cases where a pipeline is not in continuous operation and there is no ‘‘shift change’’ between controllers. Operators would demonstrate compliance with this requirement by making documented information available during regulatory inspections. For pipelines that operate continuously, controllers are expected to interact with those who relieve them in order to communicate important information. Virtually all pipeline operators with multiple shifts expect controllers to provide such a turnover of information. Shift change is not the only time that controllers are relieved of their duties. Individual pipeline operators may relieve controllers at breaks or at times when the individual is required to perform other duties. Exchange of critical information is essential to the safe operation of pipeline facilities at these times. PHMSA’s CCERT interviews with pipeline operators and controllers identified several instances where there were no formal procedures for conducting shift turnover and no clear understanding of the information that was to be communicated when personnel relief occurs. In those instances, each individual controller determined what needed to be communicated. The proposed rule requires that operators provide for exchange of information during shift turnover, including defining the minimum set of information that must be communicated (e.g., by check sheet). Adequate information may vary across different parts of an operator’s entire pipeline system. Each operator would be expected to define this set of information, as this information would be aligned to the specific system requirements. Operators must also provide for an overlap of controller shifts sufficient to accomplish the necessary exchange of information. Controllers often have duties to communicate with personnel outside their companies as well. In many cases, pipelines share a common right-of-way with other pipelines or utilities. A problem on the pipeline can affect these other pipelines or utilities and VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 controllers need to understand when it is their responsibility to notify these other companies of potential problems. Controllers also often receive calls from the public or emergency responders reporting indication of problems. Since a control room is often staffed continuously, pipeline markers usually list the control room telephone number for the public to report problems. A controller answering a call from the public or emergency responders must obtain enough information from the caller to understand the nature of the problem. Operators should provide training for controllers to help assist them in obtaining complete and accurate information. A controller must determine whether the problem is on his pipeline or area of responsibility. If a controller determines a problem is not on the pipeline he or she controls, the controller must communicate the information to those who can address the problem, even if this is the operator of another pipeline in a shared right-ofway. Operators need to make sure that controllers know who to contact in the event of a potential problem in a shared right-of-way, regardless of which pipeline is affected. Controllers should also be required to contact other operators in a common right-of-way when aware of a leak associated within their area of responsibility. There may be conditions when repairing a pipeline that may elevate the risk associated with another pipeline in the same corridor. For this reason, when controllers discover or are made aware of leaks in a common pipeline corridor, they should contact all of the operators in that corridor and explain the situation so that all pipeline operators can work together to minimize potential damage. H. Fatigue Fatigue is a key safety issue for PHMSA. The NTSB also considers fatigue one of its ‘‘top ten’’ safety concerns for all modes of transportation. Fatigue can result in a loss of vigilance or a lack of effective attention by a pipeline controller. All pipelines and facilities normally have safety systems in place to protect against accidents. The prudent use of safety systems, however, does not reduce the importance of controllers as the first line of defense in preventing accidents. In most instances, monotony, not physical exertion, causes controller fatigue. Monitoring pipeline operations from a computer panel for many hours can be quite monotonous, especially for normal, uneventful operations during the usual overnight human rest cycle. It is important that pipeline operators take PO 00000 Frm 00015 Fmt 4701 Sfmt 4702 53089 actions to help ensure that controllers are not unduly affected by fatigue and verify that controllers remain vigilant. Key among these actions is establishing shift length and schedule rotations to protect against the onset of fatigue and providing controllers the opportunity to get sufficient rest between work shifts. Many pipeline controllers work rotating shifts; that is, a controller may work day shifts, night shifts, and possibly swing shifts within the same week or within a few weeks or a month. There has been extensive research by specialists in human behavior concerning shift work and the effect these shift changes have on sleep patterns and fatigue. Topics addressed in the research include the direction of shift rotation (i.e., forward or back), the amount of time between shifts to help provide for adequate rest, and the effects of off-duty activities on fatigue during duty hours. Many pipelines operate on 12-hour shifts, while others operate on eighthour shifts or shifts of other lengths. PHMSA does not object to 12-hour shifts, but we do note that shift rotations have seldom been established based on research or what is best for the pipeline controllers. Instead, the CCERT team found that shift rotation and length have usually been established through management-union negotiations or because the controllers prefer a specific schedule. Moreover, we found that controllers prefer 12-hour shifts because they result in longer periods of time off. Maximizing time off, however, does not necessarily maximize the mitigation of fatigue. Operators who continue to use 12-hour shifts should have procedures that include provisions for unexpected holdovers or call-outs and they must ensure the shifts are managed in a manner that requires controllers to have adequate periods of rest between shifts to help protect against the onset of fatigue during controller shifts. Additionally, research shows that individuals need to have eight hours of sleep per day to maintain their best performance; and that work schedules can have a detrimental impact on an individual’s circadian rhythm. PHMSA recognizes that pipeline and LNG facility operators cannot control or monitor controllers’ off-duty time, but operators can educate controllers on the need for adequate periods of rest. Because off-duty time activities can influence on-duty fatigue, controllers must accept responsibility for structuring their off-duty time to allow for adequate rest and eight hours of sleep. The proposed rule requires operators to train controllers and their supervisors in fatigue management E:\FR\FM\12SEP2.SGM 12SEP2 53090 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules ebenthall on PROD1PC60 with PROPOSALS2 strategies and how non-work activities can contribute to fatigue. Supervisors and controllers must also be trained to recognize and mitigate the effects of fatigue among controllers on a shift. These training programs will require controllers and supervisors to exercise personal responsibility for having adequate rest and prudent fatigue management. In addition, these education programs must include information that can be shared with the family of controllers because they too need to understand that off-duty activities must allow time for adequate rest to avoid on-duty fatigue. In many control rooms, multiple controllers work together on a shift along with a supervisor. In these circumstances, controllers can watch for signs of co-worker fatigue and supervisors can oversee assigned staff to help identify and mitigate instances of fatigue. Some control rooms, however, operate with a single controller on shift. In those instances, there is no other person present to recognize when the controller is affected by fatigue. Accordingly, the proposed rule requires operators to establish provisions to verify that a single controller remains vigilant. While PHMSA is not establishing an overall limit on the maximum length of time a controller can work in a single shift, this proposed rule requires operators to include in their written procedures a limit on the length of time a controller can work and a requirement for adequate rest between shifts. This proposed rule will meet the requirements of the PIPES Act. The proposed rule allows operators to base the limit on the particular operating circumstances of each pipeline and to include provisions for deviations in emergency situations. PHMSA believes operators should establish an hours-of-service limit based on its normal pattern of operations and in a manner that will preclude individual controllers from working more hours than the operator expects under normal circumstances. Operators should address unusual and emergency situations using provisions for approved exceptions that should be included in written procedures. Operators should maintain documentation of these situations. I. Alarm Management A principal function of SCADA systems is to ‘‘alarm’’ or notify a controller of circumstances when pressure, flow, temperature, or other key pipeline operating parameters are outside the expected norms. Many controllers acknowledge an alarm or VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 event by silencing an audible sound or responding to a flashing indication on a control screen. Controllers must then take action to address the cause of the alarm or the effect on the pipeline or facility. In some cases immediate action is required; in other cases action can be deferred. Sometimes, the alarm may simply be related to system changes such as the expected startup of another unit and no action is required. Qualified controllers use their judgment, experience and training to manage alarm response. Management should review controllers’ response to alarms and appropriately address situations that require immediate or deferred actions to maintain pipeline safety. Alarm response and associated event information can help determine whether abnormal operating conditions are promptly recognized, that the responses to these conditions are properly handled in a timely manner, and that controller abilities are not degrading over time. Alarms and notifications can also provide information about the health and operational status of communication and SCADA systems. The proposed rule requires two levels of alarm management review. On no less than a weekly basis, operators would be required to review pipeline operations and the alarms and events that have been received. Operators would confirm that events on the pipeline that should have triggered alarms actually did. Operators would review controller response to alarms to identify if abnormal operating conditions had occurred and that the controller took proper action in a suitable amount of time. Operators must also identify any unexplained changes in the number of alarms received or in controller management of those alarms, and take actions, as needed, to arrest any potentially degrading situations either in controller performance or equipment problems. Operators must identify ‘‘nuisance alarms’’ for which action is not required and determine whether controllers actually need to receive such notifications so that the total number of alarms is not excessive. Both nuisance alarms and an excessive number of nonnuisance alarms can contribute to a sense of complacency about alarm response. Complacency can contribute to a situation in which controllers acknowledge alarms but do not take action to clear them on a timely basis. This factor must also be considered in the weekly reviews and the associated system or instrumentation maintenance activities. However, operators may choose to capture other operational and maintenance information through alarm PO 00000 Frm 00016 Fmt 4701 Sfmt 4702 systems that are channeled to others responsible to manage such information. Once each calendar year (with intervals not to exceed 15 months), the proposed rule requires that operators undertake a more detailed review of alarm configuration and management. This review must consider the number of alarms, potential systemic issues related to field equipment or the SCADA system, potential systemic issues resulting in excessive or unusual alarms, unnecessary alarms, changes in controller performance in response to alarms, and a review of alarm set-point values. Operators must also consider alarm indications of abnormal operating conditions, including identifying any that occur frequently in combination and assuring that these combinations are included in controller training. Alarm descriptors and naming conventions also need to be reviewed for clarity and consistency. Operators must consider controller workload with respect to the number and nature of alarms received. Alarms should also be reviewed for ongoing maintenance issues or communication problems that need to be solved. Incident and accident reviews should include a provision to check alarm or notification operations for any required changes. The procedure must have a mechanism to provide for controller feedback to alarm and notification modifications. J. Change Management Changes to the pipeline system are important and can affect the ability of a controller to do his job. System changes can affect the hydraulics of the pipeline and change the response to control inputs. It is important that controllers be aware of changes being made and that controllers are involved early in the change process to help identify and alleviate any undesirable effects on controllers and control room operations. Similarly, changes to the SCADA system, or to the instruments it monitors, can also affect a controller’s understanding of conditions on the pipeline and his recognition of the need for control actions. The proposed rule requires operators to establish thorough and frequent communications between controllers, management, and field personnel when planning and implementing changes to pipeline equipment and configuration. Maintenance procedures must ensure that problems with SCADA or field instrumentation critical to controllers are resolved promptly and properly documented. SCADA system modifications must also be coordinated with controllers and affected pipeline operating personnel. It is not always E:\FR\FM\12SEP2.SGM 12SEP2 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules ebenthall on PROD1PC60 with PROPOSALS2 practical to coordinate changes before they are made, particularly when a change is in response to an emergency. In those instances, operators must make affected personnel and controllers aware of the change as soon as practical and document why this occurred. When field equipment, pipeline configuration, or SCADA changes are planned in advance, coordination should also be done so that controllers who are offduty get informed of these changes prior to implementation. Controllers shall have time to study the implications of targeted changes and to become familiar with the anticipated system changes before they are initiated. Finally, controllers shall be represented by a controller, controller supervisor or by someone very familiar with control room operations when changes that can affect pipeline hydraulics, configuration or control system changes are considered so that controller perspectives and potential impacts can be considered early in the planning process and appropriate adjustments and training can be developed. Whenever possible, operators should thoroughly test changes on an off-line system. Management of change procedures shall also include how operators will inform controllers of changes before they operate the system, especially the controllers who are not on shift at the time the changes are made. K. Learning From Individual Operating Experience Events that occur on a pipeline provide one of the best opportunities to improve the operation of the pipeline. Such events include those that must be reported to PHMSA by regulation and those with little or no consequences. Reviewing the causes of an event can help identify underlying problems, which, if properly addressed, would reduce the risk of future events occurring or resulting in more significant consequences. Reviewing the response to events can help identify areas in which emergency response and abnormal operating procedures can be improved or where additional training for controllers and other personnel may be appropriate. Individual controller logs or shift notes can provide valuable insight into maintenance requirements or communication concerns, both those provided by instrumentation and those required of other employees. Reviewing these logs and working to remove problem instrumentation or communication concerns can help to maintain pipeline safety. The proposed rule requires operators to review all reportable accidents and VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 incidents on a routine basis to identify and correct deficiencies related to: • Controller fatigue • Field equipment • Procedures • SCADA system configuration • SCADA system performance including communications • Simulator or non-simulator training programs Operators must also review nonreportable events (e.g., ‘‘close-calls’’) to identify and address those that could be significant if left unaddressed or coupled with other events. Each operator would establish a definition or event threshold for which a review would be conducted. Once this definition or event threshold has been established, procedures must require that operators review information about each close-call and share information regarding the proper response with all controllers. L. Training Training is a key element in assuring the success of pipeline controllers in maintaining safe operations. Therefore, operators must provide controllers the necessary training to completely understand the pipeline and control systems they operate. The proposed rule would require each operator to include certain content in its controller training programs. The proposed rule includes a minimum set of elements that overlap and supplement existing OQ programs. These elements are as follows: 1. Response to abnormal operating conditions and emergencies. These responses are a major element of controllers’ contribution to safety. Correct actions can mitigate events without significant consequences. Incorrect actions can aggravate abnormal situations and make consequences worse. Training for controllers must include emphasis on generic and task specific abnormal conditions that are likely to occur simultaneously or sequentially. Controllers shall be trained to respond to such events and to recognize them as indicators or precursors of potentially more serious situations. 2. Simulator or tabletop exercises for training controllers to recognize abnormal operating conditions such as leaks or failures. Some abnormal events occur infrequently. Thus, experience on the job does not necessarily prepare a controller to identify and respond to all abnormal events, nor does it verify that a controller’s ability is maintained over time. Computer-based simulators or tabletop exercises afford the opportunity for controllers to practice identifying and responding to safety-significant PO 00000 Frm 00017 Fmt 4701 Sfmt 4702 53091 situations that controllers may not encounter during routine shift operations. The proposed rule also requires operators to involve controllers in the development and improvement of training simulations. Operators should conduct tabletop exercises or computerized simulations that require emergency response field personnel and personnel involved with commodity movement to be involved from terminals, compressor stations, pump stations, and on the pipeline right-ofway. 3. Training controllers to understand the operator’s public awareness program in detail. Controllers are often involved in communication with the public, particularly when the public reports unexpected events. API Recommended Practice 1162, ‘‘Public Awareness Programs for Pipeline Operations’’ (API RP–1162) recommends sharing public awareness objectives, information and material used in its public awareness program with employees. Many Public Awareness Programs include components for key employee training in public awareness and specific communication training for specific key employees. Controllers shall be considered as specific key employees if they are responsible for responding to public or emergency responder calls.8 4. Providing appropriate information to the public and emergency response personnel during emergency situations. In some cases, controllers may not ask the right questions or provide the correct response when communicating with the public or emergency responders during an emergency. Specific training will help ensure that the information controllers provide to the public and to emergency personnel will maximize public safety and that the information exchanged is complete and accurate. 5. Periodic visits by controllers to a field installation similar to that which the controllers monitor or control. These visits would help familiarize controllers with the equipment, field terminology, and equipment operation. They would see how weather might affect access to a specific location and observe the functions of station personnel. Normally pipeline equipment is displayed as an icon on a controller’s computer screen. When it is operated or something is amiss, it may change color, flash or change shape. Controllers must understand what these changes mean in 8 Implementation of public awareness programs conforming to API RP1162 is required for gas pipelines by § 192.616 and for hazardous liquid pipelines by § 195.440. E:\FR\FM\12SEP2.SGM 12SEP2 ebenthall on PROD1PC60 with PROPOSALS2 53092 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules the field. In the past, many controllers moved up from field positions and had a thorough knowledge of field operations. Today, many pipelines hire controllers who do not have field experience and who have limited knowledge of the physical and practical aspects of pipeline operations. Providing an opportunity for controllers to actually see the equipment and talk to station personnel will help expand the controllers’ awareness of site specific information. Further, discussions with field personnel in routine, non-stressful situations can help establish a familiarity that will facilitate more efficient and accurate communication during abnormal events. Ideally, controllers would visit the facilities they operate. PHMSA recognizes, however, that this is not always practical. Many pipeline systems cover extensive geographic areas, and controllers may be responsible for operating pipeline segments many hundreds of miles from the control room where they work. For this reason, the proposed rule specifies that visits should be to a representative sampling of field installations similar to those for which the controller is responsible. 6. Review of procedures for operating setups that occur infrequently. Day-today experience does little to help controllers retain knowledge related to functions not routinely performed. It is thus important that training programs emphasize and provide instruction on these unusual operating conditions. 7. Pipeline hydraulics training sufficient to obtain a thorough knowledge of the pipeline system, especially the pipeline’s response to abnormal situations. Often, controllers know what to expect when the operating set-up changes because the controllers have seen the impact of these changes many times, but sometimes controllers do not necessarily know why flows and pressures change the way they do. A basic understanding of pipeline hydraulics, as applied to the pipeline a controller monitors, will help the controller understand what typical responses are to changes in the operating status of individual pieces of equipment and what to expect in the event of a leak or failure. This understanding will enable the controller to better identify situations outside normal operations. 8. Specific training on how power failures affect sites of controller responsibility. The operator should provide site-specific training to the controllers regarding the state of equipment upon power loss and what the effect will be. This will assist the VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 controller in identifying other field resources that may be needed to properly repair or operate a location affected by natural disaster such as a flood, hurricane, tornado or earthquake. 9. Specific system tools available to determine a leak or significant failure. Controllers should receive training about what tools exist, including trends or other displays, that help to determine quickly the status of the pipeline or aid in leak and significant failure detection. M. Qualification Operators already provide for the qualification of certain individuals to evaluate their abilities and to determine that they are able to apply the necessary knowledge and skills acquired in training. The proposed rule would require additional controller qualifications to measure or verify a controller’s performance, including the prompt detection of, and appropriate response to, abnormal and emergency conditions that are likely to occur. Additions to controller qualifications would be implemented in conjunction with an operator’s OQ program pursuant to the existing regulations in 49 CFR parts 192, 193, and 195. The rule would not prescribe a single means of evaluating a controller’s abilities. Operators can use observation of onshift activities to perform part of this verification. Simulators and tabletop exercises can also be used to verify a controller’s ability to detect conditions not seen on shift and that the controller is ready and able to take appropriate actions in response. PHMSA has found that most operators’ OQ programs call for re-qualification every three years; however, this rule would require an annual qualifications review for controllers. In addition, operators would be required to provide ongoing controller performance metrics and evaluation between annual qualifications review to help detect any gradual degradation in performance. Qualified controllers must have the physical abilities to perform the job. Most pipeline control systems use different colors to represent different operating states and display system information and status using icons and text that may vary in size depending on the complexity of an individual display. While many operators do not explicitly test controllers for colorblindness or visual acuity, it is essential that controllers be tested for these visual abilities. This does not mean that controllers who are colorblind or who lack visual acuity must be relieved of duties. Special accommodations may be needed, such as using different shapes, flashing indications, or increasing the PO 00000 Frm 00018 Fmt 4701 Sfmt 4702 size of icons and text on an individual controller’s screen. The rule would not prescribe a specific test for these physical abilities, but operators would be required to ascertain through periodic testing and associated documentation that any deficiencies in these physical attributes would not negatively affect the controller’s performance of assigned duties. The proposed rule would also require operators to specify the reasons for which a controller’s qualification must be revoked. The reasons must include extended absence or time off-duty (for a duration determined by the operator), inadequate performance, impaired abilities (e.g., vision, hearing) beyond that which the operator can accommodate, influence of drugs or alcohol, and any other circumstances for which the operator considers revocation appropriate. Operators would also be required to have procedures for restoring a revoked qualification, which may include complete re-qualification, or limited testing, a period of review, shadowing, retraining, or all of these. Lastly, PHMSA recognizes that many operators use oral examinations as part of their qualification programs. Experienced operators and trainers quiz controllers on their knowledge of various aspects of their job. PHMSA believes this can be a very effective means of judging a person’s abilities. Unlike a written test, an oral examination allows the evaluator to probe apparent weaknesses in more depth. Oral examiners can inquire in more detail in areas where the candidate appears to be hesitant, weak or unsure of the answers. This can allow a more thorough evaluation of a controller’s knowledge to perform required duties. If an operator chooses to use oral examinations as part of its controller qualification program, the rule would require the operator to document the examination and include a list of the topics covered during the oral examination. This documentation will facilitate internal audits, assist with providing consistency in controller training, and allow the operator’s training personnel to vary the content of future evaluations to test knowledge in other areas. N. Validation PHMSA considers controllers to be extremely important in providing for pipeline safety. Accordingly, PHMSA believes that it is appropriate to involve senior pipeline executives in helping to determine that controllers are qualified, that internal communication is enhanced, and that controller needs are being addressed. The proposed rule E:\FR\FM\12SEP2.SGM 12SEP2 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules would require that a senior executive officer validate certain aspects of controller training, qualification, and compliance with the requirements of this rule. Operators would be required to have a senior executive officer sign a validation each calendar year that confirms that the operator has: • Conducted a review of controller qualifications and controller training and determined that both are adequate; • Permitted only qualified controllers to operate the pipeline; • Implemented the requirements of the rule; • Continued to address ergonomic and fatigue factors; and • Involved controllers in finding ways to sustain and improve safety and pipeline integrity through control room management. O. Compliance and Deviations The proposed rule would require operators to maintain records that demonstrate compliance with the regulation and to document any deviations from their control room management procedures. In addition, the operators would be required to report any deviations upon request by PHMSA or the appropriate state pipeline safety authority. These requirements are derived from the PIPES Act, which specifies that operators must document compliance with their human factors and control room management plans and report any deviations. Operators would be required to report deviations only when requested by PHMSA, or in the case of an intrastate pipeline facility, when requested by the appropriate state pipeline safety authority. Such a request is anticipated to occur during a pipeline safety inspection, but may occur at any time at the discretion of PHMSA or the state pipeline safety authority. VIII. Regulatory Analyses and Notices ebenthall on PROD1PC60 with PROPOSALS2 Privacy Act Statement Anyone may search the electronic form of comments received in response to any of our dockets by the name of the individual submitting the comment (or signing the comment if submitted for an association, business, labor union, etc.). You may review DOT’s complete Privacy Act Statement in the Federal Register published on April 11, 2000 (65 FR 19477). Executive Order 12866 and DOT Policies and Procedures This proposed rulemaking is a significant regulatory action under Executive Order 12866 (58 FR 51735; Oct. 4, 1993), and it is a significant VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 regulatory action under the U.S. Department of Transportation regulatory policies and procedures (44 FR 11034; Feb. 26, 1979). Therefore, the Office of Management and Budget (OMB) has received a copy of this proposed rulemaking to review. The proposed rule is not expected to adversely affect the economy or the environment. For those costs and benefits that can be quantified the present value of net benefits are expected to be about $65 million over a ten year period after all of the requirements are implemented. The monetary costs of the rule are expected to average about $25 million per year. Therefore, within the meaning of Executive Order 12866, the proposed rule is not expected to be an economically significant regulatory action due to cost because it will not exceed the annual $100 million threshold for economic significance. However, there is substantial congressional, industry, and public interest in control room operations and human factors management plans. The proposed rule’s immediate impact is minimal because some of its components are already included in existing regulations; moreover, in some pipeline companies, other requirements are standard practice or considered to be good business practices. Regulatory Flexibility Act Under the Regulatory Flexibility Act (5 U.S.C. 601 et seq.), PHMSA must consider whether rulemaking actions would have a significant economic impact on a substantial number of small entities. While PHMSA does not collect information on the number of employees or revenues of pipeline operators, we do continuously seek information on the number of small pipeline operators to more fully determine any impacts our proposed regulations may have on small entities. The Small Business Administration’s criterion for defining a small entity in the hazardous liquid pipeline industry is 1,500 or fewer employees. PHMSA estimates there are 10 to 20 small entities in the hazardous liquid pipeline industry. For the gas pipeline industry, the size standard for a small natural gas gathering or transmission business is $6.5 million or less in annual revenues and the size standard for a small natural gas distribution business is 500 or fewer employees. PHMSA estimates there are about 480 natural gas transmission and gathering companies that have $6.5 million or less in annual revenues and about 1,000 natural gas distribution companies that have 500 or fewer employees. Therefore, there are a total PO 00000 Frm 00019 Fmt 4701 Sfmt 4702 53093 of about 1,500 small entities that would be affected by the proposed rule. PHMSA has considered the effects of the proposed rule on small pipeline operators. The total estimated aggregate annual costs of the rule across the entire pipeline industry over 10 years ranges from about $21 million per year to $37 million per year. Therefore, the average annual cost to the approximately 2,500 companies (large and small entities) is about $8,400 to $14,800 per year. For the larger operators with more controllers, the costs will be higher than the average. For the smaller operators with fewer controllers it will be less than average. Based on these figures, PHMSA does not believe there will be a significant impact on a substantial number of small entities, but PHMSA seeks comments on this analysis. Executive Order 13175 PHMSA has analyzed this rulemaking according to Executive Order 13175, ‘‘Consultation and Coordination with Indian Tribal Governments.’’ Because the proposed rule would not significantly or uniquely affect the communities of the Indian tribal governments or impose substantial direct compliance costs, the funding and consultation requirements of Executive Order 13175 do not apply. Paperwork Reduction Act PHMSA proposes to revise the Federal pipeline safety regulations to address human factors and other components of control room management. The proposed rules would require operators of hazardous liquid pipelines, gas pipelines, and LNG facilities to amend their existing written operations and maintenance procedures, operator qualification programs, and emergency plans. This proposed rule also contains some information collection requirements. As required by the Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)), DOT will submit a copy of the Paperwork Reduction Act analysis to OMB for its review. A copy of the analysis will also be entered in the docket. PHMSA is proposing to require pipeline operators to keep records and logs related to control room operations for inspection purposes and to have a senior executive officer of each operator validate that the operator has complied with the regulatory requirements, reviewed its qualification and training, permitted only qualified controllers to operate the pipeline, addressed fatigue factors, and involved controllers in finding improvements. The record keeping requirements in the proposed rule are consistent with good business practices E:\FR\FM\12SEP2.SGM 12SEP2 ebenthall on PROD1PC60 with PROPOSALS2 53094 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules and are designed to enhance current control room management practices. To calculate the information collection burden for the record keeping related to control room management practices, PHMSA estimates there are approximately 2,500 pipeline and LNG facility operators that would need to keep records and logs and that it would take approximately one hour per week, per operator to generate and maintain the necessary records. Therefore, PHMSA calculates it would take slightly more than 130,000 hours per year for the 2,500 pipeline operators to maintain the necessary records. PHMSA expects that most operators currently maintain records and logs for inspection purposes and that they generate records on a daily basis. Therefore, we estimate the cost for the industry would be negligible since controllers generally perform this function as part of the control room operations. PHMSA acknowledges, however, that there may be some additional cost for storage and filing, depending on what the records contain and how they are packaged. Assuming that operators store between two and four cubic feet of records (at $23.00 per cubic foot) within their facility per year, PHMSA estimates that it would cost between $115,000 and $230,000 annually to store and maintain the records for inspection purposes. Additionally, PHMSA estimates there are approximately 3,420 controllers in the pipeline industry and that it would take approximately one hour per year, per employee to document performance appraisals. Therefore, PHMSA calculates it would take pipeline operators approximately 3,420 hours per year to document employees’ performance. We estimate it would take a senior official approximately one-half hour to review and sign-off on a validation document for each controller. PHMSA estimates the annual cost would be between $76,950 and $153,900 depending on the average wage rate used in the calculation. The lower bound uses the average wage rate for a General Operations Manager published by the Bureau of Labor Statistics of $45.00 per hour ($22.50 per half-hour), while the upper bound uses the industry estimates of $90.00 per hour ($45.00 per half-hour). Therefore, PHMSA concludes that this proposed rule contains only minor additional paperwork burden and procedure implementation. Pursuant to 44 U.S.C. 3506(c)(2)(B), the PHMSA solicits comments concerning: Whether these information collection requirements are necessary for PHMSA to properly perform its functions, including whether the VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 information has practical utility; the accuracy of PHMSA’s estimates of the burden of the information collection requirements; the quality, utility, and clarity of the information to be collected; and whether the burden of collecting information on those who are to respond, including through the use of automated collection techniques or other forms of information technology, may be minimized. Unfunded Mandates Reform Act of 1995 This proposed rulemaking does not impose unfunded mandates under the Unfunded Mandates Reform Act of 1995. It does not result in costs of $132 million or more to either State, local, or tribal governments, in the aggregate, or to the private sector, and is the least burdensome alternative that achieves the objective of the proposed rulemaking. National Environmental Policy Act PHMSA has analyzed the proposed rulemaking for purposes of the National Environmental Policy Act (42 U.S.C. 4321 et seq. ) and preliminarily determined the proposed rulemaking may provide beneficial impacts on the quality of the human environment. If pipeline operators comply with the technical elements of the proposed rule, this would reduce adverse impacts on the physical environment by reducing the number and severity of pipeline releases. For example, by addressing the exchange of information at shift change and the length of shifts to reduce controller fatigue, pipeline operators could reduce the number of incidents and the consequences of releases that may harm the physical environment. Similarly, the review of SCADA procedures and alarm audits will lead to the use of better technology, which will have a positive impact on operator response to abnormal operating conditions, accidents, and incidents that have the potential for adverse environmental impacts. The following elements of the proposed rule will also lead to a better functioning control room and fewer possibilities for environmental degradation: Involving controllers when planning and implementing changes in operations; maintaining strong communications between controllers and field personnel; determining how to establish, maintain, and review controller qualifications, abilities and performance metrics, with particular attention to response to abnormal operating conditions; and analyzing operating experience including accidents and incidents for possible involvement of the SCADA system, controller performance, and PO 00000 Frm 00020 Fmt 4701 Sfmt 4702 fatigue. PHMSA’s analysis suggests there are no adverse significant environmental impacts associated with the proposed rule. The draft environmental assessment is available for review and comment in the docket. PHMSA will make a final determination on environmental impact after reviewing the comments on this proposal. Executive Order 13132 PHMSA has analyzed the proposed rulemaking according to Executive Order 13132 (‘‘Federalism’’). The proposal does not have a substantial direct effect on the States, the relationship between the national government and the States, or the distribution of power and responsibilities among the various levels of government. The proposed rulemaking does not impose substantial direct compliance costs on State and local governments. This proposed regulation would not preempt state law for intrastate pipelines. Therefore, the consultation and funding requirements of Executive Order 13132 do not apply. Executive Order 13211 Transporting gas and hazardous liquids impacts the nation’s available energy supply. However, this proposed rulemaking is not a ‘‘significant energy action’’ under Executive Order 13211 and is not likely to have a significant adverse effect on the supply, distribution, or use of energy. Further, the Administrator of the Office of Information and Regulatory Affairs has not identified this proposal as a significant energy action. List of Subjects 49 CFR Part 192 Incorporation by reference, Gas, Natural gas, Pipeline safety, Reporting and recordkeeping requirements. 49 CFR Part 193 Liquefied natural gas, Incorporation by reference, Pipeline safety, and Reporting and recordkeeping requirements. 49 CFR Part 195 Ammonia, Carbon dioxide, Incorporation by reference, Petroleum, Pipeline safety, Reporting and recordkeeping requirements. For the reasons provided in the preamble, PHMSA proposes to amend 49 CFR part 192, 193, and 195 as follows: E:\FR\FM\12SEP2.SGM 12SEP2 53095 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules PART 192—TRANSPORTATION OF NATURAL GAS AND OTHER GAS BY PIPELINE: MINIMUM FEDERAL SAFETY STANDARDS 1. The authority citation for part 192 is revised to read as follows: Authority: 49 U.S.C. 5103, 60102, 60104, 60108, 60109, 60110, 60113, 60116, 60118, and 60137; and 49 CFR 1.53. 2. In § 192.3, add definitions for ‘‘alarm,’’ ‘‘control room,’’ ‘‘controller,’’ and ‘‘Supervisory Control and Data Acquisition System (SCADA)’’ as follows: § 192.3 Definitions. * * * * * Alarm means an indication provided by SCADA or similar monitoring system that a parameter is outside normal or expected operating conditions. Control room means a central location or local station at which a control panel, computerized device, or other instrument is used by a controller to monitor or control all or part of a pipeline facility or a component of a pipeline facility. Controller means an individual who uses a control panel, computerized device, or other equipment to monitor or control all or part of a pipeline facility that the individual cannot directly observe with the naked eye. An individual who operates equipment locally, but who cannot see the equipment respond without using a closed circuit television system or other external device, is a controller when performing this activity regardless of job title or whether actions are overseen by another controller or supervisor. An individual who performs these functions on a part time basis is considered a controller only when performing these functions. * * * * * Supervisory Control and Data Acquisition System (SCADA) means a computer-based system that gathers field data, provides a structured view of pipeline system or facility operations, and may provide a means to control pipeline operations. * * * * * 3. In § 192.7, amend the table in paragraph (c)(2) by adding item B.(7) to read as follows: § 192.7 What documents are incorporated by reference partly or wholly in this part? * * * (c) * * * (2) * * * * * * * * * * * B. * * * (7) API Recommended Practice 1165 ‘‘Recommended Practice for Pipeline SCADA Displays,’’ (January 2007) ......................... * * * * § 192.615 4. Amend § 192.605 by adding paragraph (b)(12) to read as follows: § 192.605 Procedural manual for operations, maintenance, and emergencies. * * * * * (b) * * * (12) Implementing the applicable control room management procedures required by § 192.631. * * * * * 5. Amend § 192.615 by adding paragraph (a)(11) to read as follows: * Emergency plans. (a) * * * (11) Actions required to be taken by a controller during an emergency in accordance with § 192.631. * * * * * 6. Add § 192.631 to subpart L to read as follows: § 192.631 Control room management. (a) General. Each operator of a pipeline facility with at least one controller and control room must have * * § 192.631(c)(1) * and follow written control room management procedures that implement the requirements of this section. The procedures must be integrated, as appropriate, into the operator’s written manual of operations and maintenance procedures required by § 192.605, written qualification program required by § 192.805, and written emergency plans required by § 192.615. The operator must develop and implement the procedures no later than the dates in the following table. Control room type Develop procedures by: (1) Remote operations (control and/or monitoring) of gas transmission pipelines. (2) Remote operations of equipment within a single site (e.g., compressor station). (3) Gas distribution pipelines .............................. [insert date 12 months after effective date of final rule]. [insert date 24 months after effective date of final rule]. [insert date 24 months after effective date of final rule]. [insert date 30 months after effective date of final rule]. 12 months after placement in service ............. [insert date 24 months after effective final rule]. [insert date 30 months after effective final rule]. [insert date 24 months after effective final rule]. [insert date 30 months after effective final rule]. 12 months after placement in service. Before placing in service ................................. Upon placing in service. (4) Gas pipelines with local control only ............ ebenthall on PROD1PC60 with PROPOSALS2 (5) Control rooms or local control stations placed in service after [insert effective date of the final rule], but before [insert date 12 months after the effective date of final rule]. (6) Control rooms or local control stations placed in service after [insert date 12 months after the effective date of final rule]. (b) Roles and responsibilities. Each operator must define the roles and responsibilities of a controller during normal, abnormal, and emergency operating conditions. To provide for a controller’s prompt and appropriate VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 response to operating conditions, each operator must define: (1) A controller’s authority and responsibility to make decisions and take actions during normal operations. PO 00000 Frm 00021 Fmt 4701 Sfmt 4702 Implement procedures by: date of date of date of date of (2) A controller’s role when an abnormal operating condition is detected, even if the controller is not the first to detect the condition, including the controller’s responsibility to take E:\FR\FM\12SEP2.SGM 12SEP2 ebenthall on PROD1PC60 with PROPOSALS2 53096 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules specific actions and to communicate with others. (3) A controller’s role during an emergency, even if the controller is not the first to detect the emergency, including the controller’s responsibility to take specific actions and to communicate with others. (4) A controller’s responsibility to provide timely notification and coordination with the operator of another pipeline in a common corridor when a leak or failure is suspected, including upon receipt of a notification from the public concerning a suspected leak on an asset owned or operated by the other company but located in the same common corridor or right-of-way. (5) A method of recording when a controller is responsible for monitoring or controlling any portion of a pipeline facility by implementing an individual console or a system log-in feature or by documenting in the shift records the time and name of each controller who assumed the responsibility during a shift-change or other hand-over of responsibility. (c) Provide adequate information. Each operator must provide each controller with the information necessary for the controller to carry out the roles and responsibilities defined by the operator and must verify that a controller knows the equipment, components and the effects of the controller’s actions on the pipeline or pipeline facilities under the controller’s control. Each operator must: (1) Provide a controller with accurate, adequate, and timely data concerning operation of the pipeline facility. Wherever a SCADA system is used, the operator must implement API RP–1165 (incorporated by reference, see § 192.7) in its entirety, unless the operator can adequately demonstrate that a provision of API RP–1165 is not applicable or is impracticable in the SCADA system used. (2) Validate that any SCADA system display accurately depicts field equipment configuration by completing all of the following: (i) Conduct and document a point-topoint baseline verification between field equipment and all SCADA system displays to verify 100 percent of the system displays. An operator must complete the baseline verification no later than [insert date three years after effective date of final rule] or by [insert date one year after effective date of final rule] for an operator of a pipeline system containing less than 500 miles of pipeline. An operator may use any documented point-to-point verification completed after [insert date three years before effective date of final rule] to VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 meet some or all of this baseline verification. A point-to-point verification must include equipment locations, ranges, alarm set-point values, alarm activation, required alarm visual or audible response, and proper equipment or software response to SCADA system values. (ii) Verify that SCADA displays accurately depict field configuration when any modification is made to field equipment or applicable software and conduct a point-to-point verification for associated changes. (iii) Perform a point-to-point verification as part of implementing a SCADA system change for all portions of the pipeline system or facility affected by the change. (iv) Develop a plan for systematic reverification of the accuracy of the SCADA system display. (3) Establish a means for timely verbal communication among a controller, management, and field personnel. (4) Identify circumstances that require field personnel to promptly notify the controller. These circumstances must include the identification by field personnel of a leak or situation that could reasonably be expected to develop into an incident if left unaddressed. (5) Define and record critical information during each shift. (6) Provide for the exchange of information when a shift changes or when another controller assumes responsibility for operations for any reason. (7) Establish sufficient overlap of controller shifts to permit the exchange of necessary information. (8) Periodically test and verify a backup communication system or provide adequate means for manual operation or shutdown of the affected portion of the pipeline safely. (d) Fatigue mitigation. Each operator must implement methods to prevent controller fatigue that could inhibit a controller’s ability to carry out the roles and responsibilities defined by the operator. To protect against the onset of fatigue, each operator must: (1) Establish shift lengths and schedule rotations that provide controllers off-duty time sufficient to achieve eight hours of continuous sleep; (2) Educate a controller and his supervisor in fatigue mitigation strategies and how off-duty activities contribute to fatigue; (3) Train a controller and his supervisor to recognize and mitigate the effects of fatigue; (4) Implement additional measures to monitor for fatigue when a single controller is on duty; and PO 00000 Frm 00022 Fmt 4701 Sfmt 4702 (5) Establish a maximum limit on controller hours-of-service, which may include an exception during an emergency with appropriate management approval. An operator must specify emergency situations for which a deviation from the hours-ofservice maximum limit is permitted. (e) Alarm management. Each operator using a SCADA system must assure appropriate controller response to alarms and notifications. An operator must: (1) Review SCADA operations at least once each week for: (i) Events that should have resulted in alarms or event indications that did not do so; (ii) Proper and timely controller response to alarms or events; (iii) Identification of unexplained changes in the number of alarms or controller management of alarms; (iv) Identification of nuisance alarms; (v) Verification that the number of alarms received is not excessive; (vi) Identification of instances in which alarms were acknowledged but associated response actions were inadequate or untimely; (vii) Identification of abnormal or emergency operating conditions and a review of controller response actions; (viii) Identification of system maintenance issues; (ix) Identification of systemic problems, server load, or communication problems; (x) Identification of points that have been taken off scan or that have had forced or manual values for extended periods; and (xi) Comparison of controller logs or shift notes to SCADA alarm records to identify maintenance requirements or training needs. (2) Review SCADA configuration and alarm management operations at least once each calendar year but at intervals not to exceed 15 months. At a minimum, reviews must include consideration of the following factors: (i) Number of alarms; (ii) Potential systemic issues; (iii) Unnecessary alarms; (iv) Individual controller’s performance changes over time regarding alarm or event response; (v) Alarm indications of abnormal operating conditions; (vi) Recurring combinations of abnormal operating conditions and the inclusion of such combinations in controller training; (vii) Alarm indications of emergency conditions; (viii) Individual controller workload; (ix) Clarity of alarm descriptors to the controllers so controllers fully E:\FR\FM\12SEP2.SGM 12SEP2 ebenthall on PROD1PC60 with PROPOSALS2 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules understand the meaning and nature of each alarm; and (x) Verification of correct alarm setpoint values. (3) Promptly address all deficiencies identified in the weekly and calendar year SCADA reviews. (f) Change management. Each operator must establish thorough and frequent communications between a controller, management, and field personnel when planning and implementing physical changes to pipeline equipment and configuration. Field personnel must be required to promptly notify a controller when emergency conditions exist or when performing maintenance and making field changes. (1) Maintenance procedures must include tracking and repair of controller-identified problems with the SCADA system or field instrumentation to provide for prompt response. (2) SCADA system modifications must be coordinated in advance to allow enough time for adequate controller training and familiarization unless such modifications are made during an emergency response or recovery operation. (3) An operator shall seek control room participation when pipeline hydraulic or configuration changes are being considered. (4) Merger, acquisition, and divestiture plans must be developed and used to establish and conduct controller training and qualification prior to the implementation of any changes to the controller’s responsibilities. (5) Changes to alarm set-point values, automated routine software, and relief valve settings must be communicated to the controller prior to implementation. (6) An operator must thoroughly document and keep records for each of these occurrences. (g) Operating experience. (1) Each operator must review control room operations following any event that must be reported as an incident pursuant to 49 CFR part 191 to determine and correct, where necessary, deficiencies related to: (i) Controller fatigue; (ii) Field equipment; (iii) The operation of any relief device; (iv) Procedures; (v) SCADA system configuration; (vi) SCADA system performance; (vii) Accuracy, timeliness, and portrayal of field information on SCADA displays; and (viii) Simulator or non-simulator training programs. (2) Each operator must establish a definition or threshold for close-call VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 events to evaluate event significance. For those events the operator determines to be significant, the operator must conduct the review required by paragraph (g)(1) of this section and the operator must share the information with all controllers. (3) Each operator must review the accuracy and timeliness of SCADA data and how it is portrayed on displays. (h) Training. Each operator must establish a training program and review the training program content to identify potential improvements at least once each calendar year, but at intervals not to exceed 15 months. An operator must train each controller to carry out the roles and responsibilities defined by the operator. In addition, the training program must include the following elements: (1) Responding to abnormal operating conditions likely to occur simultaneously or in sequence. (2) Use of a simulator or noncomputerized (tabletop) method to train controllers to recognize abnormal operating conditions, in particular leak and failure events. Simulations and tabletop exercises must include representative communications between controllers and individuals that operators would expect to be involved during actual events. Controllers will participate in improvement and development of tabletop or simulation training scenarios. (3) Providing appropriate information to the public and emergency response personnel during emergency situations, and informing controllers of the information being provided to the public or emergency responders under § 192.616 so that the controllers can understand the context in which this information will be received. (4) On-site visits by controllers to a representative sampling of field installations similar to those for which each controller is responsible to familiarize themselves with the equipment and with station personnel functions. (5) Review of procedures for pipeline operating setups that are periodically, but infrequently used. (6) Hydraulic pipeline training that is sufficient to obtain a thorough knowledge of the pipeline system, especially during the development of abnormal operating conditions. (7) Site specific training on equipment failure modes. (8) Specific training on system tools available to determine a leak or significant failure and specific training on other operator contact protocols when there is reason to suspect a leak PO 00000 Frm 00023 Fmt 4701 Sfmt 4702 53097 in a common pipeline corridor or rightof-way. (i) Qualification. An operator must have a program in accordance with subpart N of this part to determine that each controller is qualified. An operator’s procedures for the qualification of controllers must include provisions to: (1) Measure and verify a controller’s performance including the controller’s ability to detect abnormal and emergency conditions promptly and to respond appropriately. (2) Evaluate a controller’s physical abilities, including hearing, colorblindness (color perception), and visual acuity, which could affect the controller’s ability to perform the assigned duties. (3) Evaluate a controller’s qualifications at least once each calendar year, but at intervals not to exceed 15 months. (4) Implement methods to address gradual degradation in performance or physical abilities in a controller. (5) Revoke a controller’s qualification for extended time off-duty or absence (of a duration determined by the operator based on the complexity and significance of the controller’s role), inadequate performance, impaired physical ability beyond what the operator can accommodate, influence of drugs or alcohol, or any other reason determined by the operator to be necessary to support the safe operation of a pipeline facility. (6) Restore a revoked qualification by specifying the circumstances for which a complete re-qualification is required, and the circumstances for which other means of restoration may be used, such as a period of review, shadowing, retraining, or all of these. (7) Document when an oral examination is used as the means of evaluation, including the topics covered. (8) Prohibit individuals without a current controller qualification from performing the duties of a controller. (j) Validation. An operator must have a senior executive officer validate by signature not later than the date by which control room management procedures must be implemented (see paragraph (a) of this section), and annually thereafter by March 15 of each year, that the operator has: (1) Conducted a review of controller qualification and training programs and has determined both programs to be adequate; (2) Permitted only qualified controllers to operate the pipeline; (3) Implemented the requirements of this section; E:\FR\FM\12SEP2.SGM 12SEP2 53098 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules (4) Continued to address ergonomic and fatigue factors; and (5) Involved controllers in finding ways to sustain and improve safety and pipeline integrity through control room management. (k) Compliance and deviations. An operator must maintain for review during inspection: (1) Records that demonstrate compliance with the requirements of this section; and (2) Documentation of decisions and analyses to support any deviation from the procedures required by this section. An operator must report any such deviation to PHMSA upon request, or in the case of an intrastate pipeline facility regulated by a state, upon request by the state pipeline safety authority. 7. Amend § 192.805 by adding paragraph (j) to read as follows: § 192.805 Qualification program. * * * * * (j) Incorporate requirements applicable to controller qualification in accordance with § 192.631. PART 193—LIQUEFIED NATURAL GAS FACILITIES: FEDERAL SAFETY STANDARDS 8. The authority citation for part 193 is revised to read as follows: Authority: 49 U.S.C. 5103, 60102, 60103, 60104, 60108, 60109, 60110, 60113, 60116 and 60118, and 60137; and 49 CFR 1.53. 9. In § 193.2007 add definitions for ‘‘alarm,’’ ‘‘control room,’’ ‘‘controller,’’ and ‘‘Supervisory Control and Data Acquisition System (SCADA)’’ as follows: § 193.2007 Definitions. * * * * * Alarm means an indication provided by SCADA or similar monitoring system that a parameter is outside normal or expected operating conditions. * * * * * Control room means a central location or local station at which a control panel, computerized device, or other instrument is used by a controller to monitor or control all or part of an LNG plant. Controller means an individual who uses a control panel, computerized device, or other equipment to monitor or control all or part of an LNG plant that the individual cannot directly observe with the naked eye. An individual who operates equipment locally, but who cannot see the equipment respond without using a closed circuit television system or other external device, is a controller when performing this activity regardless of job title or whether actions are overseen by another controller or supervisor. An individual who performs these functions on a part time basis is considered a controller only when performing these functions. * * * * * Supervisory Control and Data Acquisition System (SCADA) means a computer-based system that gathers field data, provides a structured view of pipeline system or facility operations, and may provide a means to control facility operations. * * * * * 10. Amend § 193.2013 by adding item F. to the list in paragraph (b) and by adding item F. to the table in paragraph (c) to read as follows: § 193.2013 Incorporation by reference. * * * * * (b) * * * F. American Petroleum Institute (API), 1220 L Street, NW., Washington, DC 20005–4070. (c) * * * * * * * * * F. American Petroleum Institute (API): (1) API Recommended Practice 1165 ‘‘Recommended Practice for Pipeline SCADA Displays,’’ (January 2007). 11. Revise § 193.2441 to read as follows: ebenthall on PROD1PC60 with PROPOSALS2 § 193.2441 Control room. Each LNG plant must have a control room from which operations and warning devices are monitored as required by this part. A control room must have the following capabilities and characteristics: (a) It must be located apart or protected from other LNG facilities so that it is operational during a controllable emergency. (b) Each remotely actuated control system and each automatic shutdown control system required by this part must be operable from the control room. (c) Each control room must have personnel in continuous attendance while any of the components under its control are in operation, unless the control is being performed from another control room that has personnel in continuous attendance. (d) If more than one control room is located at an LNG Plant, each control room must have more than one means VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 of communication with each other control room. (e) Each control room must have a means of communicating a warning of hazardous conditions to other locations within the plant frequented by personnel. 12. Amend § 193.2503 by adding paragraph (h) to read as follows: § 193.2503 Operating procedures. * * * * * (h) Implementing the applicable control room management procedures required by § 193.2523. 13. Amend § 193.2509 by adding paragraph (b)(5) to read as follows: § 193.2509 Emergency procedures. * * * * * (b) * * * (5) Actions required to be taken by a controller during an emergency in accordance with § 193.2523. 14. Add § 193.2523 to subpart F to read as follows: PO 00000 Frm 00024 Fmt 4701 Sfmt 4702 § 193.2523 * § 193.2523(c)(1) Control room management. (a) General. Each operator must have and follow written control room management procedures that implement the requirements of this section. The procedures must be integrated, as appropriate, into the written operating procedures manuals required by § 193.2503, written emergency procedures required by § 193.2509, and written training plans required by § 193.2713. For LNG plants that exist on [insert effective date of final rule], operators must develop the procedures by [insert date 12 months after effective date of final rule] and implement them by [insert date 24 months after effective date of final rule]. For LNG plants placed in service after [insert effective date of final rule], but before [insert date 12 months after effective date of final rule], procedures must be developed and implemented no later than 12 months after placing the plant in service. For LNG plants placed in service after [insert date 12 months after the effective date of final rule], procedures must be developed before E:\FR\FM\12SEP2.SGM 12SEP2 ebenthall on PROD1PC60 with PROPOSALS2 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules the plant begins operation and must be implemented when operations commence. (b) Roles and responsibilities. Each operator must define the roles and responsibilities of a controller during normal, abnormal, and emergency operating conditions. To provide for a controller’s prompt and appropriate response to operating conditions, each operator must define: (1) A controller’s authority and responsibility to make decisions and take actions during normal operations. (2) A controller’s role when an abnormal operating condition is detected, even if the controller is not the first to detect the condition, including the controller’s responsibility to take specific actions and to communicate with others. (3) A controller’s role during an emergency, even if the controller is not the first to detect the emergency, including the controller’s responsibility to take specific actions and to communicate with others. (4) A method of recording when a controller is responsible for monitoring or controlling a pipeline facility or portion thereof by implementing an individual console or a system log-in feature or by documenting in the shift records the time and name of each controller who assumed the responsibility during a shift-change or other hand-over of responsibility. (c) Provide adequate information. Each operator must provide each controller with the information necessary for the controller to carry out the roles and responsibilities defined by the operator and must verify that a controller knows the equipment, components, and the effects of the controller’s actions on the facilities under the controller’s control. Each operator must: (1) Provide a controller with accurate, adequate, and timely data concerning operation of the facility. Wherever a SCADA system is used, the operator must implement API RP–1165 (incorporated by reference, see § 193.2013) in its entirety, unless the operator can adequately demonstrate that a provision of API RP–1165 is not applicable or is impracticable in the SCADA system used. (2) Validate that any SCADA system display accurately depicts field equipment configuration by completing all of the following: (i) Conduct and document a baseline point-to-point verification between field equipment and all SCADA system displays to verify 100 percent of the system displays. An operator must complete the baseline verification no VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 later than [insert date 2 years after effective date of final rule]. An operator may use any documented point-to-point verification completed after [insert date three years before effective date of final rule] to meet some or all of this baseline verification. A point-to-point verification must include equipment locations, ranges, alarm set-point values, alarm activation, required alarm visual or audible response, and proper equipment or software response to SCADA system value. (ii) Verify that SCADA displays accurately depict field configuration when any modification is made to field equipment or applicable software and conduct a point-to-point verification for associated changes. (iii) Perform a point-to-point verification as part of implementing a SCADA system change for all portions of the LNG facility affected by the change. (iv) Develop a plan for systematic reverification of the accuracy of the SCADA system display. (3) Establish a means for timely verbal communication among a controller, management, and field personnel. (4) Identify circumstances that require field personnel to promptly notify the controller. These circumstances must include the identification by field personnel of a leak or situation that could reasonably be expected to develop into an incident if left unaddressed. (5) Define and record critical information during each shift. (6) Provide for the exchange of information when a shift changes or when another controller assumes responsibility for operations for any reason. (7) Establish sufficient overlap of controller shifts to permit the exchange of necessary information. (d) Fatigue mitigation. Each operator must implement methods to prevent controller fatigue that could inhibit a controller’s ability to carry out the roles and responsibilities defined by the operator. To protect against the onset of fatigue, each operator must: (1) Establish shift lengths and schedule rotations that provide controllers off-duty time sufficient to achieve eight hours of continuous sleep; (2) Educate a controller and the controller’s supervisor in fatigue mitigation strategies and how off-duty activities contribute to fatigue; (3) Train a controller and his supervisor to recognize and mitigate the effects of fatigue; (4) Implement additional measures to monitor for fatigue when a single controller is on duty; and PO 00000 Frm 00025 Fmt 4701 Sfmt 4702 53099 (5) Establish a maximum limit on controller hours-of-service, which may include an exception during an emergency with appropriate management approval. An operator must specify emergency situations for which a deviation from the hours-ofservice maximum limit is permitted. (e) Alarm management. Each operator using a SCADA system must assure appropriate controller response to alarms and notifications. An operator must: (1) Review SCADA operations at least once each week for: (i) Events that should have resulted in alarms or event indications that did not do so; (ii) Proper and timely controller response to alarms or events; (iii) Identification of unexplained changes in the number of alarms or controller management of alarms; (iv) Identification of nuisance alarms; (v) Verification that the number of alarms received is not excessive; (vi) Identification of instances in which alarms were acknowledged but associated response actions were inadequate or untimely; (vii) Identification of abnormal or emergency operating conditions and a review of controller response actions; (viii) Identification of system maintenance issues; (ix) Identification of systemic problems, server load, or communication problems; (x) Identification of points that have been taken off scan or that have had forced or manual values for extended periods; and (xi) Comparison of controller logs or shift notes to SCADA alarm records to identify maintenance requirements or training needs. (2) Review SCADA configuration and alarm management operations at least once each calendar year but at intervals not to exceed 15 months. At a minimum, reviews must include consideration of the following factors: (i) Number of alarms; (ii) Potential systemic issues; (iii) Unnecessary alarms; (iv) Individual controller’s performance changes over time regarding alarm or event response; (v) Alarm indications of abnormal operating conditions; (vi) Recurring combinations of abnormal operating conditions and the inclusion of such combinations in controller training; (vii) Alarm indications of emergency conditions; (viii) Individual controller workload; (ix) Clarity of alarm descriptors to the controllers so controllers fully E:\FR\FM\12SEP2.SGM 12SEP2 ebenthall on PROD1PC60 with PROPOSALS2 53100 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules understand the meaning and nature of each alarm; and (x) Verification of correct alarm setpoint values. (3) Promptly address all deficiencies identified in the weekly and calendar year SCADA reviews. (f) Change management. Each operator must establish thorough and frequent communications between a controller, management, and field personnel when planning and implementing physical changes to facility equipment and configuration. Field personnel must be required to promptly notify a controller when emergency conditions exist or when performing maintenance and making field changes. (1) Maintenance procedures must include tracking and repair of controller-identified problems with the SCADA system or field instrumentation to provide for prompt response. (2) SCADA system modifications must be coordinated in advance to allow enough time for adequate controller training and familiarization unless such modifications are made during an emergency response or recovery operation. (3) An operator shall seek control room participation when LNG plant hydraulic or configuration changes are being considered. (4) Merger, acquisition, and divestiture plans must be developed and used to establish and conduct controller training and qualification prior to the implementation of any changes to the controller’s responsibilities. (5) Changes to alarm set-point values, automated routine software, and relief valve settings must be communicated to the controller prior to implementation. (6) An operator must thoroughly document and keep records for each of these occurrences. (g) Operating experience. (1) Each operator must review control room operations following any event that must be reported as an incident pursuant to 49 CFR part 191 to determine and correct, where necessary, deficiencies related to: (i) Controller fatigue; (ii) Field equipment; (iii) The operation of any relief device; (iv) Procedures; (v) SCADA system configuration; (vi) SCADA system performance; (vii) Accuracy, timeliness, and portrayal of field information on SCADA displays; and (viii) Simulator or non-simulator training programs. (2) Each operator must establish a definition or threshold for close-call VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 events to evaluate event significance. For those events the operator determines to be significant, the operator must conduct the review required by paragraph (g)(1) of this section and the operator must share the information with all controllers. (3) Each operator must review the accuracy and timeliness of SCADA data and how it is portrayed on displays. (h) Training. Each operator must establish a training program and review the training program content to identify potential improvements at least once each calendar year, but at intervals not to exceed 15 months. An operator must train each controller to carry out the roles and responsibilities defined by the operator. In addition, the training program must include the following elements: (1) Responding to abnormal operating conditions likely to occur simultaneously or in sequence. (2) Use of a simulator or noncomputerized (tabletop) method to train controllers to recognize abnormal operating conditions, in particular leak and failure events. Simulations and tabletop exercises must include representative communications between controllers and individuals that operators would expect to be involved during actual events. Controllers will participate in improvement and development of tabletop or simulation training scenarios. (3) Providing appropriate information to the public and emergency response personnel during emergency situations, and informing controllers of the information being provided to the public or emergency responders per the operator’s procedures, if any, so that the controllers can understand the context in which this information will be received. (4) Review of procedures for LNG operating configurations that are periodically, but infrequently used. (5) Hydraulic pipeline training that is sufficient to obtain a thorough knowledge of the LNG plant’s system, especially during the development of abnormal operating conditions. (6) Site specific site training on equipment failure modes. (7) Specific training on system tools available to determine a leak or significant failure. (i) Qualification. An operator must have a program in accordance with § 193.2707 to determine that each controller is qualified. An operator’s procedures for the qualification of controllers must include provisions to: (1) Measure and verify a controller’s performance including the controller’s ability to detect abnormal and PO 00000 Frm 00026 Fmt 4701 Sfmt 4702 emergency conditions promptly and to respond appropriately. (2) Evaluate a controller’s physical abilities, including hearing, colorblindness (color perception), and visual acuity, which could affect the controller’s ability to perform the assigned duties. (3) Evaluate a controller’s qualifications at least once each calendar year, but at intervals not to exceed 15 months. (4) Implement methods to address gradual degradation in performance or physical abilities in a controller. (5) Revoke a controller’s qualification for extended time off-duty or absence (of a duration determined by the operator based on the complexity and significance of the controller’s role), inadequate performance, impaired physical ability beyond what the operator can accommodate, influence of drugs or alcohol, or any other reason determined by the operator to be necessary to support the safe operation of an LNG plant. (6) Restore a revoked qualification by specifying the circumstances for which a complete re-qualification is required, and the circumstances for which other means of restoration may be used, such as a period of review, shadowing, retraining, or all of these. (7) Document when an oral examination is used as the means of evaluation, including the topics covered. (8) Prohibit individuals without a current controller qualification from performing the duties of a controller. (j) Validation. An operator must have a senior executive officer validate by signature not later than the date by which control room management procedures must be implemented (see paragraph (a) of this section), and annually thereafter by March 15 of each year, that the operator has: (1) Conducted a review of controller qualification and training programs and has determined both programs to be adequate; (2) Permitted only qualified controllers to operate the LNG plant; (3) Implemented the requirements of this section; (4) Continued to address ergonomic and fatigue factors; and (5) Involved controllers in finding ways to sustain and improve safety through control room management. (k) Compliance and deviations. An operator must maintain for review during inspection: (1) Records that demonstrate compliance with the requirements of this section; and (2) Documentation of decisions and analyses to support any deviation from E:\FR\FM\12SEP2.SGM 12SEP2 53101 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules the procedures required by this section. An operator must report any such deviation to PHMSA upon request, or in the case of an intrastate pipeline facility regulated by a state, upon request by the state pipeline safety authority. 15. Amend § 193.2713 by adding paragraph (a)(4) to read as follows: § 193.2713 Training: operations and maintenance. * * * * * (a) * * * (4) All controllers to carry out the control room management procedures under § 193.2523 that relate to their assigned functions. * * * * * PART 195—TRANSPORTATION OF HAZARDOUS LIQUIDS BY PIPELINE 16. The authority citation for part 195 is revised to read as follows: Authority: 49 U.S.C. 5103, 60102, 60104, 60108, 60109, 60116, 60118, and 60137; and 49 CFR 1.53. 17. In § 195.2, add definitions for ‘‘alarm’’ ‘‘control room,’’ ‘‘controller,’’ and ‘‘Supervisory Control and Data Acquisition System (SCADA)’’ as follows: § 195.2 Definitions. * * * * * Alarm means an indication provided by SCADA or similar monitoring system that a parameter is outside normal or expected operating conditions. * * * * * Control room means a central location or local station at which a control panel, computerized device, or other instrument is used by a controller to monitor or control all or part of a pipeline facility or a component of a pipeline facility. Controller means an individual who uses a control panel, computerized device, or other equipment to monitor or control all or part of a pipeline facility that the individual cannot directly observe with the naked eye. An individual who operates equipment locally, but who cannot see the equipment respond without using a closed circuit television system or other external device, is a controller when performing this activity regardless of job title or whether actions are overseen by another controller or supervisor. An individual who performs these functions on a part time basis is considered a controller only when performing these functions. * * * * * Supervisory Control and Data Acquisition System (SCADA) means a computer-based system that gathers field data, provides a structured view of pipeline system or facility operations, and may provide a means to control pipeline operations. * * * * * 18. In § 195.3(c), amend the table by adding item B.(18) to read as follows: § 195.3 * Incorporation by reference. * * (c) * * * * * * * * * * * B. * * * (18) API Recommended Practice 1165 ‘‘Recommended Practice for Pipeline SCADA Displays,’’ (January 2007) ....................... * * * 19. Amend § 195.402 by adding paragraphs (c)(15) and (e)(10) to read as follows: § 195.402 Procedural manual for operations, maintenance, and emergencies. * * * * * (c) * * * (15) Implementing the applicable control room management procedures required by § 195.454. * * * * * * * (e) * * * (10) Implementing actions required to be taken by a controller during an emergency, in accordance with § 195.454. * * * * * 20. Add § 195.454 to subpart F to read as follows: § 195.454 Control room management. (a) General. Each operator of a pipeline facility with at least one * * § 195.454(c)(1) * controller and control room must have and follow written control room management procedures that implement the requirements of this section. The procedures must be integrated, as appropriate, into the operator’s written manuals of procedures required by § 195.402, and written qualification program required by § 195.505. The operator must develop and implement the procedures no later than the dates in the table below. Develop procedures by: Implement procedures by: (1) Remote operations (control and/or monitoring) of pipelines. (2) Remote operations of equipment within a single site (e.g., pump station). (3) Pipelines with local control only .................... ebenthall on PROD1PC60 with PROPOSALS2 Control room type [insert date 12 months after effective date of final rule]. [insert date 24 months after effective date of final rule]. [insert date 30 months after effective date of final rule]. 12 months after placement in service ............. [insert date 24 months after effective date of final rule]. [insert date 30 months after effective date of final rule]. [insert date 30 months after effective date of final rule]. 12 months after placement in service. Before placing in service ................................. Upon placing in service. (4) Control rooms or local control stations placed in service after [insert effective date of the final rule], but before [insert date 12 months after the effective date of final rule]. (5) Control rooms or local control stations placed in service after [insert date 12 months after the effective date of final rule]. (b) Roles and responsibilities. Each operator must define the roles and responsibilities of a controller during normal, abnormal, and emergency VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 operating conditions. To provide for a controller’s prompt and appropriate response to operating conditions, each operator must define: PO 00000 Frm 00027 Fmt 4701 Sfmt 4702 (1) A controller’s authority and responsibility to make decisions and take actions during normal operations. E:\FR\FM\12SEP2.SGM 12SEP2 ebenthall on PROD1PC60 with PROPOSALS2 53102 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules (2) A controller’s role when an abnormal operating condition is detected, even if the controller is not the first to detect the condition, including the controller’s responsibility to take specific actions and to communicate with others. (3) A controller’s role during an emergency, even if the controller is not the first to detect the emergency, including the controller’s responsibility to take specific actions and to communicate with others. (4) A controller’s responsibility to provide timely notification and coordination with the operator of another pipeline in a common corridor when a leak or failure is suspected, including upon receipt of a notification from the public concerning a suspected leak on an asset owned or operated by the other company but located in the same common corridor or right-of-way. (5) A method of recording when a controller is responsible for monitoring or controlling any portion of a pipeline facility by implementing an individual console or a system log-in feature or by documenting in the shift records the time and name of each controller who assumed the responsibility during a shift-change or other hand-over of responsibility. (c) Provide adequate information. Each operator must provide each controller with the information necessary for the controller to carry out the roles and responsibilities defined by the operator and must verify that a controller knows the equipment, components and the effects of the controller’s actions on the pipeline or pipeline facilities under the controller’s control. Each operator must: (1) Provide a controller with accurate, adequate, and timely data concerning operation of the pipeline facility. Wherever a SCADA system is used, the operator must implement API RP–1165 (incorporated by reference, see § 195.3) in its entirety, unless the operator can adequately demonstrate that a provision of API RP–1165 is not applicable or is impracticable in the SCADA system used. (2) Validate that any SCADA system display accurately depicts field equipment configuration by completing all of the following: (i) Conduct and document a point-topoint baseline verification between field equipment and all SCADA system displays to verify 100 percent of the system displays. An operator must complete the baseline verification no later than [insert date three years after effective date of final rule] or by [insert date one year after effective date of final rule] for an operator of a pipeline VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 system containing less than 500 miles of pipeline. An operator may use any documented point-to-point verification completed after [insert date three years before effective date of final rule] to meet some or all of this baseline verification. A point-to-point verification must include equipment locations, ranges, alarm set-point values, alarm activation, required alarm visual or audible response, and proper equipment or software response to SCADA system values. (ii) Verify that SCADA displays accurately depict field configuration when any modification is made to field equipment or applicable software and conduct a point-to-point verification for associated changes. (iii) Perform a point-to-point verification as part of implementing a SCADA system change for all portions of the pipeline system or facility affected by the change. (iv) Develop a plan for systematic reverification of the accuracy of the SCADA system display. (3) Establish a means for timely verbal communication among a controller, management, and field personnel. (4) Identify circumstances that require field personnel to promptly notify the controller. These circumstances must include the identification by field personnel of a leak or situation that could reasonably be expected to develop into an accident if left unaddressed. (5) Define and record critical information during each shift. (6) Provide for the exchange of information when a shift changes or when another controller assumes responsibility for operations for any reason. (7) Establish sufficient overlap of controller shifts to permit the exchange of necessary information. (8) Periodically test and verify a backup communication system or provide adequate means for manual operation or shutdown of the affected portion of the pipeline safely. (d) Fatigue mitigation. Each operator must implement methods to prevent controller fatigue that could inhibit a controller’s ability to carry out the roles and responsibilities defined by the operator. To protect against the onset of fatigue, each operator must: (1) Establish shift lengths and schedule rotations that provide controllers off-duty time sufficient to achieve eight hours of continuous sleep; (2) Educate a controller and his supervisor in fatigue mitigation strategies and how off-duty activities contribute to fatigue; PO 00000 Frm 00028 Fmt 4701 Sfmt 4702 (3) Train a controller and his supervisor to recognize and mitigate the effects of fatigue; (4) Implement additional measures to monitor for fatigue when a single controller is on duty; and (5) Establish a maximum limit on controller hours-of-service, which may include an exception during an emergency with appropriate management approval. An operator must specify emergency situations for which a deviation from the hours-ofservice maximum limit is permitted. (e) Alarm management. Each operator using a SCADA system must assure appropriate controller response to alarms and notifications. An operator must: (1) Review SCADA operations at least once each week for: (i) Events that should have resulted in alarms or event indications that did not do so; (ii) Proper and timely controller response to alarms or events; (iii) Identification of unexplained changes in the number of alarms or controller management of alarms; (iv) Identification of nuisance alarms; (v) Verification that the number of alarms received is not excessive; (vi) Identification of instances in which alarms were acknowledged but associated response actions were inadequate or untimely; (vii) Identification of abnormal or emergency operating conditions and a review of controller response actions; (viii) Identification of system maintenance issues; (ix) Identification of systemic problems, server load, or communication problems; (x) Identification of points that have been taken off scan or that have had forced or manual values for extended periods; and (xi) Comparison of controller logs or shift notes to SCADA alarm records to identify maintenance requirements or training needs. (2) Review SCADA configuration and alarm management operations at least once each calendar year but at intervals not to exceed 15 months. At a minimum, reviews must include consideration of the following factors: (i) Number of alarms; (ii) Potential systemic issues; (iii) Unnecessary alarms; (iv) Individual controller’s performance changes over time regarding alarm or event response; (v) Alarm indications of abnormal operating conditions; (vi) Recurring combinations of abnormal operating conditions and the inclusion of such combinations in controller training; E:\FR\FM\12SEP2.SGM 12SEP2 ebenthall on PROD1PC60 with PROPOSALS2 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules (vii) Alarm indications of emergency conditions; (viii) Individual controller workload; (ix) Clarity of alarm descriptors to the controllers so controllers fully understand the meaning and nature of each alarm; and (x) Verification of correct alarm setpoint values. (3) Promptly address all deficiencies identified in the weekly and calendar year SCADA reviews. (f) Change management. Each operator must establish thorough and frequent communications between a controller, management, and field personnel when planning and implementing physical changes to pipeline equipment and configuration. Field personnel must be required to promptly notify a controller when emergency conditions exist or when performing maintenance and making field changes. (1) Maintenance procedures must include tracking and repair of controller-identified problems with the SCADA system or field instrumentation to provide for prompt response. (2) SCADA system modifications must be coordinated in advance to allow enough time for adequate controller training and familiarization unless such modifications are made during an emergency response or recovery operation. (3) An operator shall seek control room participation when pipeline hydraulic or configuration changes are being considered. (4) Merger, acquisition, and divestiture plans must be developed and used to establish and conduct controller training and qualification prior to the implementation of any changes to the controller’s responsibilities. (5) Changes to alarm set-point values, automated routine software, and relief valve settings must be communicated to the controller prior to implementation. (6) An operator must thoroughly document and keep records for each of these occurrences. (g) Operating experience. (1) Each operator must review control room operations following any event that must be reported as an accident pursuant to § 195.50 determine and correct, where necessary, deficiencies related to: (i) Controller fatigue; (ii) Field equipment; (iii) The operation of any relief device; (iv) Procedures; (v) SCADA system configuration; (vi) SCADA system performance; (vii) Accuracy, timeliness, and portrayal of field information on SCADA displays; and VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 (viii) Simulator or non-simulator training programs. (2) Each operator must establish a definition or threshold for close-call events to evaluate event significance. For those events the operator determines to be significant, the operator must conduct the review required by paragraph (g)(1) of this section and the operator must share the information with all controllers. (3) Each operator must review the accuracy and timeliness of SCADA data and how it is portrayed on displays. (h) Training. Each operator must establish a training program and review the training program content to identify potential improvements at least once each calendar year, but at intervals not to exceed 15 months. An operator must train each controller to carry out the roles and responsibilities defined by the operator. In addition, the training program must include the following elements: (1) Responding to abnormal operating conditions likely to occur simultaneously or in sequence. (2) Use of a simulator or noncomputerized (tabletop) method to train controllers to recognize abnormal operating conditions, in particular leak and failure events. Simulations and tabletop exercises must include representative communications between controllers and individuals that operators would expect to be involved during actual events. Controllers will participate in improvement and development of tabletop or simulation training scenarios. (3) Providing appropriate information to the public and emergency response personnel during emergency situations, and informing controllers of the information being provided to the public or emergency responders under § 195.440 so that the controllers can understand the context in which this information will be received. (4) On-site visits by controllers to a representative sampling of field installations similar to those for which each controller is responsible to familiarize themselves with the equipment and with station personnel functions. (5) Review of procedures for pipeline operating setups that are periodically, but infrequently used. (6) Hydraulic pipeline training that is sufficient to obtain a thorough knowledge of the pipeline system, especially during the development of abnormal operating conditions. (7) Site specific training on equipment failure modes. (8) Specific training on system tools available to determine a leak or PO 00000 Frm 00029 Fmt 4701 Sfmt 4702 53103 significant failure and specific training on other operator contact protocols when there is reason to suspect a leak in a common pipeline corridor or rightof-way. (i) Qualification. An operator must have a program in accordance with subpart G of this part to determine that each controller is qualified. An operator’s procedures for the qualification of controllers must include provisions to: (1) Measure and verify a controller’s performance including the controller’s ability to detect abnormal and emergency conditions promptly, and to respond appropriately. (2) Evaluate a controller’s physical abilities, including hearing, colorblindness (color perception), and visual acuity, which could affect the controller’s ability to perform the assigned duties. (3) Evaluate a controller’s qualifications at least once each calendar year, but at intervals not to exceed 15 months. (4) Implement methods to address gradual degradation in performance or physical abilities in a controller. (5) Revoke a controller’s qualification for extended time off-duty or absence (of a duration determined by the operator based on the complexity and significance of the controller’s role), inadequate performance, impaired physical ability beyond what the operator can accommodate, influence of drugs or alcohol, or any other reason determined by the operator to be necessary to support the safe operation of a pipeline facility. (6) Restore a revoked qualification by specifying the circumstances for which a complete re-qualification is required, and the circumstances for which other means of restoration may be used, such as a period of review, shadowing, retraining, or all of these. (7) Document when an oral examination is used as the means of evaluation, including the topics covered. (8) Prohibit individuals without a current controller qualification from performing the duties of a controller. (j) Validation. An operator must have a senior executive officer validate by signature not later than the date by which control room management procedures must be implemented (see paragraph (a) of this section), and annually thereafter by June 15 of each year, that the operator has: (1) Conducted a review of controller qualification and training programs and has determined both programs to be adequate; E:\FR\FM\12SEP2.SGM 12SEP2 53104 Federal Register / Vol. 73, No. 178 / Friday, September 12, 2008 / Proposed Rules ebenthall on PROD1PC60 with PROPOSALS2 (2) Permitted only qualified controllers to operate the pipeline; (3) Implemented the requirements of this section; (4) Continued to address ergonomic and fatigue factors; and (5) Involved controllers in finding ways to sustain and improve safety and pipeline integrity through control room management. (k) Compliance and deviations. An operator must maintain for review during inspection: VerDate Aug<31>2005 15:20 Sep 11, 2008 Jkt 214001 (1) Records that demonstrate compliance with the requirements of this section; and (2) Documentation of decisions and analyses to support any deviation from the procedures required by this section. An operator must report any such deviation to PHMSA upon request, or in the case of an intrastate pipeline facility regulated by a state, upon request by the state pipeline safety authority. 21. Amend § 195.505 by adding paragraph (j) to read as follows: PO 00000 Frm 00030 Fmt 4701 Sfmt 4702 § 195.505 Qualification program. * * * * * (j) Incorporate requirements applicable to controller qualification in accordance with § 195.454. Issued in Washington, DC, on September 2, 2008. Jeffrey D. Wiese, Associate Administrator for Pipeline Safety. [FR Doc. E8–20701 Filed 9–11–08; 8:45 am] BILLING CODE 4910–60–P E:\FR\FM\12SEP2.SGM 12SEP2

Agencies

[Federal Register Volume 73, Number 178 (Friday, September 12, 2008)]
[Proposed Rules]
[Pages 53076-53104]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-20701]



[[Page 53075]]

-----------------------------------------------------------------------

Part II





Department of Transportation





-----------------------------------------------------------------------



Pipeline and Hazardous Materials Safety Administration



-----------------------------------------------------------------------



49 CFR Parts 192, 193, and 195



Pipeline Safety: Control Room Management/Human Factors; Proposed Rule

Federal Register / Vol. 73 , No. 178 / Friday, September 12, 2008 / 
Proposed Rules

[[Page 53076]]


-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

Pipeline and Hazardous Materials Safety Administration

49 CFR Parts 192, 193, and 195

[Docket ID PHMSA-2007-27954]
RIN 2137-AE28


Pipeline Safety: Control Room Management/Human Factors

AGENCY: Pipeline and Hazardous Materials Safety Administration (PHMSA), 
DOT.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: PHMSA proposes to revise the Federal pipeline safety 
regulations to address human factors and other components of control 
room management. The proposed rules would require operators of 
hazardous liquid pipelines, gas pipelines, and liquefied natural gas 
(LNG) facilities to amend their existing written operations and 
maintenance procedures, operator qualification (OQ) programs, and 
emergency plans to assure controllers and control room management 
practices and procedures used maintain pipeline safety and integrity. 
This proposed rule results from a PHMSA study of controllers and 
controller performance issues known as the Controller Certification 
Project (CCERT), a National Transportation Safety Board study, safety-
related condition reports, operator visits and inspections, and 
inquiries. This rule would improve opportunities to reduce risk through 
more effective control of pipelines and require the human factors 
management plan mandated by the Pipeline Inspection, Protection, 
Enforcement, and Safety Act of 2006 (PIPES Act). These regulations 
would enhance pipeline safety by coupling strengthened control room 
management, including automated control systems, with improved 
controller training and qualifications and fatigue management. PHMSA 
expects these regulations will complement efforts already underway in 
the pipeline industry to address human factors and control room 
management, such as the development of new national consensus 
standards, including an American Petroleum Institute (API) recommended 
practices on roles and responsibilities, shift operations, management 
of change, fatigue management, alarm management and SCADA display 
standard, as well as comparable business practices at some pipeline 
companies.

DATES: Anyone interested in filing written comments on this proposal 
must do so by November 12, 2008. PHMSA will consider late comments 
filed so far as practical.

ADDRESSES: Comments should reference Docket No. PHMSA-2007-27954 and 
may be submitted the following ways:
     E-Gov Web site: https://www.regulations.gov. This Web site 
allows the public to enter comments on any Federal Register notice 
issued by any agency. Follow the instructions for submitting comments.
     Fax: 1-202-493-2251.
     Mail: DOT Docket Management System: U.S. Department of 
Transportation, Docket Operations, M-30, West Building Ground Floor, 
Room W12-140, 1200 New Jersey Avenue, SE., Washington, DC 20590-0001.
     Hand Delivery: DOT Docket Management System; West Building 
Ground Floor, Room W12-140, 1200 New Jersey Avenue, SE., Washington, DC 
20590-0001 between 9 a.m. and 5 p.m., Monday through Friday, except 
Federal holidays.
    Instructions: You should identify the docket ID, PHMSA-2007-27954, 
at the beginning of your comments. If you submit your comments by mail, 
submit two copies. To receive confirmation that PHMSA received your 
comments, include a self-addressed stamped postcard. Internet users may 
submit comments at https://www.regulations.gov.

    Note: Comments are posted without changes or edits to https://
www.regulations.gov, including any personal information provided. 
There is a privacy statement published on https://
www.regulations.gov.


FOR FURTHER INFORMATION CONTACT: Byron Coy at (609) 989-2180 or by e-
mail at Byron.Coy@dot.gov.

SUPPLEMENTARY INFORMATION: 

I. Prevention Through People

    Over the past several years, PHMSA's integrity management (IM) 
programs have been successfully driving down the two leading causes of 
pipeline failure--excavation damage and corrosion. IM programs help 
operators understand the threats affecting the integrity of their 
systems and implement appropriate actions to mitigate risks associated 
with these threats.
    Excavation damage and corrosion are, however, only part of the 
safety picture. The next logical area of program development is to 
examine the role people play in operating and maintaining pipelines. 
With this proposed rule, PHMSA is beginning implementation of a program 
that recognizes the importance of human interactions and opportunities 
for preventing risk, both errors and mitigating actions, to pipeline 
systems through a Prevention Through People (PTP) program. PTP 
addresses human impacts on pipeline system integrity. Human impacts 
include errors contributing to events, intervention to prevent or 
mitigate events, and the recognition of events that may begin the need 
for increased vigilance. The role of people, including controllers and 
those interacting with control center operations, is a vital component 
in preventing and reducing risk associated with pipeline systems. The 
proposed rule addresses requirements applicable to controllers and 
control room management.
    PHMSA has long recognized that controllers can play a key role in 
pipeline safety. Congress recognized the importance of this role in the 
Pipeline Safety Improvement Act of 2002 (PSIA) (Pub. L. 107-355) and 
the PIPES Act. A controller's actions can mitigate risk, but they can 
also introduce the potential for upset conditions. Human error 
(including those caused by mistake or fatigue) can cause or exacerbate 
events involving releases leading to safety hazards and environmental 
impacts. Controllers also respond to indications of abnormal conditions 
on the pipeline. Appropriate human response to abnormal situations can 
mitigate events, helping to prevent accidents leading to adverse 
consequences. As part of the PTP program, this proposed rule addresses 
requirements applicable to controllers, key players among the people 
who can affect pipeline safety.
    Several existing regulations strengthen the effectiveness of the 
role of people in managing safety. These include regulations on damage 
prevention programs (49 CFR 192.614 and 195.442), public awareness 
(Sec. Sec.  192.616 and 195.440), qualification of pipeline personnel 
(part 192, subpart N, part 193, subpart H, and part 195, subpart G), 
and drug and alcohol testing regulations and procedures (parts 40 and 
199). Explicitly incorporating a PTP element in IM plans would 
emphasize the role of people both in contributing to, and in reducing, 
risks. PHMSA believes this may be the best means of fostering a 
holistic approach to managing the safety impact of people on the 
integrity of pipelines. This proposed rule adds requirements applicable 
to control room management. In the future, PHMSA plans to address 
additional risks associated with human factors as well as the 
opportunities for people to mitigate risks. In addition to regulations, 
PHMSA plans to identify and promote noteworthy best practices in PTP.

[[Page 53077]]

    PHMSA recently reported to Congress on its work examining control 
room management issues as mandated in the PSIA. The report, titled 
``Qualification of Pipeline Personnel,'' includes a summary of the 
CCERT Project, a four-year effort examining control room issues in PTP. 
Although the project began with examination of qualification issues, 
during the course of the project, we identified other control room 
issues impacting the safety performance of controllers. PHMSA concluded 
that validating the adequacy of controller-related processes, 
procedures, training, and the controllers' credentials would improve 
management of control rooms, thereby enhancing safety for the public, 
the environment and pipeline employees. PHMSA also identified areas in 
which additional measures could enhance control room safety and 
minimize the risk associated with fatigue and interaction with computer 
equipment. These areas include annual validation of controller 
qualifications by senior level executives of pipeline companies, 
clearly defined responsibilities for controllers in responding to 
abnormal operating conditions, the use of formalized procedures for 
information exchange during shift turnover, and clearly established 
shift lengths combined with education on strategies to reduce the 
contribution of non-work activities to fatigue. These areas are 
addressed by requirements included in this proposed rule.

II. Background

A. Pipelines and LNG Plants

    Approximately two-thirds of our domestic energy supplies are 
transported by pipeline. There are roughly 170,000 miles of hazardous 
liquid pipelines, 295,000 miles of gas transmission pipelines, and 1.9 
million miles of gas distribution pipelines in the United States. 
Hazardous liquid pipelines carry crude oil to refineries and refined 
products to locations where these products are consumed. Hazardous 
liquid pipelines also transport highly volatile liquids (HVLs), other 
hazardous liquids such as anhydrous ammonia, and carbon dioxide. The 
regulations in 49 CFR part 195 apply to owners and operators of 
pipelines used in the transportation of hazardous liquids and carbon 
dioxide. Throughout this document, the term ``operator'' refers to both 
owners and operators of pipeline facilities.
    Gas transmission pipelines typically carry natural gas over long 
distances from gas gathering, supply, or import facilities to 
localities where it is used to heat homes, generate electricity, and 
fuel industry. Gas distribution pipelines take natural gas from 
transmission pipelines and distribute it to residential, commercial, 
and industrial customers. The regulations in 49 CFR part 192 apply to 
operators of pipelines that transport natural gas, flammable gas, or 
gas which is toxic and corrosive. Throughout this document, the term 
``gas'' refers to all gases in pipelines regulated under part 192.
    Additionally, there are currently 109 LNG import and peak shaving 
plants connected to our natural gas transmission and distribution 
pipeline systems. The volume of natural gas is reduced about 600 times 
when the gas is cooled to a liquid form. This allows large quantities 
of natural gas to be transported by ship and to be stored in insulated 
tanks. LNG import plants allow the U.S. to use natural gas produced in 
other countries and transported by ship. According to the Department of 
Energy, imported LNG provided 2% of U.S. natural gas supplies in 2003 
but that proportion is expected to grow to 21% by 2025.\1\ LNG peak 
shaving plants allow gas pipeline operators to liquefy and store 
natural gas during off-peak periods. The stored LNG is then converted 
back to natural gas when needed for periods of peak consumption. The 
risks inherent in control of these facilities can be reduced by 
application of this proposed rule.
---------------------------------------------------------------------------

    \1\ U.S. Department of Energy, Office of Fossil Energy Web site 
(https://www.fossil.energy.gov/programs/oilgas/storage/lng/feature/
whyimportant.html).
---------------------------------------------------------------------------

B. Control Rooms and Controllers

    Most pipelines are underground and operate without disturbing the 
environment or negatively impacting public safety. However, accidents 
\2\ do occasionally occur. Effective control is one key component of 
accident prevention. Controllers can help identify risks, prevent 
accidents, and minimize commodity losses if provided with the necessary 
tools and working environment. Therefore, this proposed rule is 
intended to increase the likelihood that pipeline and LNG controllers 
have the necessary knowledge, skills, abilities, and qualifications to 
help prevent accidents and that operators provide controllers with the 
training, tools, procedures, management support, and environment where 
a controller's actions can help prevent accidents and minimize 
commodity losses.
---------------------------------------------------------------------------

    \2\ The pipeline safety regulations in 49 CFR parts 191, 192, 
and 193 refer to certain harmful events on a gas pipeline system or 
LNG facility as ``incidents'' while part 195 refers to certain 
failures on a hazardous liquid pipeline system as ``accidents.'' 
Throughout this document the terms ``accident'' and ``incident'' may 
be used interchangeably to mean an event or failure on a gas or 
hazardous liquid pipeline system or LNG facility.
---------------------------------------------------------------------------

i. Background
    Pipeline systems vary from small, simple systems, to complex 
systems covering thousands of miles. Combined, these systems make up a 
vast network of pipelines reaching across the United States. Pipeline 
systems include pumps, compressors, storage tanks, valves, and other 
components. A pump station, compressor station, or terminal is usually 
a major installation consisting of large pumps, compressors, storage 
tanks, and other service equipment. Pipeline systems also include 
valves used to control pressure and to direct flow during normal 
operations, to isolate sections of pipeline for maintenance or 
emergency activities, or to maintain operating pressures within 
allowable limits.
    Most operators monitor pumps, compressors, valves, and other 
equipment from single or multiple locations, often hundreds of miles 
away. Such locations are commonly known as ``control rooms.'' The 
individuals who work in control rooms are ``controllers.'' \3\ A 
control room may have one or more controllers, who could be union or 
non-union employees. Both union and non-union controllers may work for 
the same operating company and a control room is likely to be 
operational 24 hours a day, 365 days a year, or less, depending on the 
complexity and nature of the pipeline system or LNG facilities served.
---------------------------------------------------------------------------

    \3\ Different titles exist in the industry for personnel who 
operate computer-based systems for controlling and monitoring the 
operations of pipeline facilities, some of which are controllers, 
dispatchers, operators, and board operators, but all are considered 
``controllers'' in this document.
---------------------------------------------------------------------------

    Most operators use computer-based supervisory control and data 
acquisition (SCADA) systems, distributed control systems (DCS), or 
other less sophisticated systems to gather key information 
electronically from field locations.\4\ These systems are configured to 
present field data to the controllers, and may include additional 
historical, trending, and alarm management information. Controllers 
track routine operations continuously and watch for possible developing 
abnormal operating or emergency conditions. A controller may take 
direct action through the SCADA system to correct the conditions

[[Page 53078]]

or the controller may alert and defer action to others.
---------------------------------------------------------------------------

    \4\ SCADA and DCS systems perform similar functions. Throughout 
this document, where the term SCADA is used, it should be 
interpreted to mean SCADA or DCS.
---------------------------------------------------------------------------

ii. Importance of Control Rooms and Controllers
    Control rooms and controllers are critical to the safe operation of 
pipeline systems and LNG facilities. Control rooms often serve as the 
hub or command center for decisions such as adjusting commodity flow or 
facilitating an operator's initial response to an emergency. The 
control room is the central location where humans or computers receive 
data from field sensors. Commands from the control room may be 
transmitted back to remotely controlled equipment. Field personnel also 
receive significant information from the control room. In essence, the 
control room is the ``brain'' of the pipeline system or LNG plant. 
Errors made in control rooms can have significant effects on the 
controlled systems. A controller's errors can initiate or exacerbate an 
accident. A controller's improper action or lack of action can place 
undue stresses on a pipeline segment or an LNG facility, which could 
result in a subsequent failure, the loss of service, or an increase in 
lost commodity, leading to risk to people, the environment, and the 
fuel supply. Controller responses to developing abnormal operating 
conditions or accidents can alleviate or exacerbate the consequences of 
some events regardless of the initial cause.
    A brief description of a few accidents can help illustrate the 
importance of control rooms and controllers to safe pipeline operation. 
More often than not, however, control rooms and controllers are a 
significant part of an operator's response to abnormal and emergency 
events rather than the cause.
     A batch of hazardous liquid expected to fill several tanks 
was being received at a tank terminal. A tank switchover was scheduled 
to occur late in a controller's shift. The switchover did not occur at 
the scheduled time due to a reduction in flow rate in the pipeline, but 
the controller failed to inform the relief controller at shift change. 
The oncoming controller assumed the switchover had happened as 
scheduled, and therefore did not monitor the levels in the tank being 
filled. The liquid overflowed the tank and was ignited. The resulting 
fire caused considerable damage including the destruction of two large 
storage tanks.
     A seldom-used manual valve in a hazardous liquid pipeline 
system had been closed to facilitate maintenance. The controller was 
aware that the valve was closed. The controller was not aware, however, 
that the indication on his computer display of pressure near the valve 
came from a transducer downstream of the valve. The display indicated 
it was from the upstream side of the valve. While filling the isolated 
portion of the pipeline to return it to service, the controller over-
pressurized the line, resulting in a rupture.
     While diverting hazardous liquid pipeline flow from one 
facility to another, an elevated pressure caused the rupture of a 
pipeline at a location weakened by previous third party damage. Pumps 
had automatically shut off due to the high pressures. Despite a sharp 
drop in line pressure, the controller did not recognize that the 
pipeline had failed, and re-started the pumps. As a result, a 
significant amount of product was released through the ruptured line, 
ignited, and resulted in several fatalities. Maintenance activities 
being performed on the computers of the SCADA system at the time of the 
vent hampered the controller from recognizing and reacting to the 
failure.
     A slug of contaminants was introduced into a gas 
transmission pipeline when gas was drawn from storage. The contaminants 
affected instruments and regulators as the slug moved down the 
pipeline, resulting in many control room alarms. The controller 
operating the pipeline did not recognize what was happening and failed 
to initiate corrective action in time to avoid loss of gas supply to 
several towns.
     A citizen called a gas pipeline control room to report a 
sheen on a creek in a right-of-way shared with hazardous liquid 
pipelines. The citizen called the gas control room because its 
telephone number was on the pipeline marker the citizen located in the 
corridor. The controller of the gas pipeline failed to contact the 
controllers of the liquid pipelines in the shared corridor, and 
referred the information from the call to a field office that was 
unattended at the time. The result was a delay of several days in 
responding to a potential failure of one of the liquid pipelines.
     In a similar situation, a citizen telephoned a gas control 
room and reported a leak. The controller concluded the company had no 
facilities in the area, that any problem was thus not theirs, and did 
not follow up. The leak persisted and subsequent calls to regulatory 
agencies resulted in locating a number of leaks in the area affecting 
facilities operated by the control room that took the original call.
iii. Local Control and LNG
    Many pipeline systems and LNG plants have equipment that is locally 
controlled via a control panel located on or near the field equipment. 
The individuals who operate this equipment using the control panel 
could be considered controllers depending on their shared and 
associated responsibilities with controllers at other locations. This 
may also depend on the specific equipment being controlled and whether 
or not the controlled equipment is within direct observation of the 
individual at the local control panel.
    Gas pipeline operations are sometimes associated with LNG plants. 
LNG facilities are operated from control rooms and can have locally-
controlled equipment in the same manner as pipeline facilities. In 
addition, some LNG control rooms also control pipeline systems 
connected to the LNG plant. Working from control rooms, controllers 
operate LNG facilities, pipelines associated with the facilities, and 
locally controlled equipment within LNG plants.
    Most pipeline systems today have control rooms. These facilities 
can be located at some distance from the pipeline, or they may be in 
close proximity to the pipeline. Many pipelines also have locally 
controlled equipment operated by controllers. This proposed rule 
addresses all of these situations. Pipeline and LNG facilities include 
compressor stations, hazardous liquid terminals, pump stations, LNG 
plants, and any other locations where controllers are located. In 
addition, control room also means a control center, control station, or 
any other such terminology.
iv. Providing Tools for Effective Controller Performance
    Pipeline and LNG controllers impact the safety and integrity of the 
pipeline and LNG facilities they operate by being vigilant during 
normal operations and by properly responding to abnormal operating 
conditions and potential emergency situations. Public safety can be 
enhanced when a pipeline or LNG operator provides a controller the 
necessary tools and management support, while implementing and tracking 
thoroughly developed processes used by controllers.
    SCADA systems, which are widely used throughout the pipeline 
industry, can be as simple as computerized field equipment that allows 
an individual to monitor alarms or control equipment within a pipeline 
facility; or they can be more complex and diverse to allow a

[[Page 53079]]

controller to monitor, or monitor and control, many facilities as part 
of a complex pipeline network involving various communications mediums, 
often from a control room that is hundreds of miles away. For some 
pipeline operators, the application of SCADA systems has resulted in a 
reduction of pipeline field personnel, making the role of the 
controller even more critical to the safety and integrity of pipeline 
facilities.
    Pipeline and LNG controllers also must have adequate and up-to-date 
information about the conditions and operating status of the equipment 
they monitor, or monitor and control, if they are to succeed in 
maintaining pipeline safety. Incorrect, delayed, missing, or poorly 
displayed data may confuse a controller and can lead to problems 
despite the extensive training, qualification, and abilities of the 
controller.
v. Controller Knowledge and Abilities
    Operators should assure that controllers perform their duties 
promptly and accurately, including routine operations and response to 
developing abnormal operating conditions or emergency circumstances, to 
help maintain pipeline and LNG facility safety. Existing operator 
qualification (OQ) regulations for pipeline personnel currently address 
a portion of the processes affecting a controller's ability to succeed 
in maintaining pipeline safety and integrity.
    A controller should possess certain abilities, and attain the 
knowledge and skills necessary to complete the various tasks required 
for a specific pipeline system or LNG facility. To attain the necessary 
knowledge and skills, the controller is typically required to complete 
extensive on-the-job training and is often closely observed by an 
experienced controller for a period of time. The controller must also 
review and understand appropriate procedures, including those 
associated with emergency response, and repeatedly practice the correct 
responses to a variety of abnormal operating conditions. A controller's 
skills and knowledge are then evaluated through the pipeline operator's 
OQ process. Many pipeline operators require additional company-specific 
performance requirements that are outside of the operator's OQ program.
    Many controllers routinely monitor and send commands to change flow 
rates and pressures, open and close valves, start and stop compressors 
or pumps, monitor tank levels, identify abnormal operating and 
emergency conditions, and perform a key role when a safety response is 
needed. In some pipeline systems, controllers also monitor corrosion 
control rectifiers, odorant systems, purge operations, leak detection 
equipment, and security systems. Prompted by an assortment of factors, 
controllers re-direct flow, start and stop pipeline segments, or 
further adjust flow rates to accommodate market conditions, maintenance 
activities, and weather conditions on a regional or national basis. For 
these pipelines, dynamic operating conditions require controllers to 
have a high level of knowledge, skills, and abilities to safely 
maintain systems and to promptly recognize abnormal operating 
conditions or other anomalies as situations develop. In other pipelines 
and distribution systems, controllers use computers to closely monitor 
operating conditions, and then alert field personnel to take action 
when upset, abnormal or emergency conditions arise.
    A controller needs adequate, thorough training and qualifications 
as well as appropriate timely data, a control system designed to aid in 
the prompt identification of abnormal conditions, and an understanding 
of the controller's authority to take appropriate actions.
vi. Control Room Management
    All of this must occur within an environment that facilitates 
appropriate and correct actions. Operators must appropriately manage 
the factors affecting the controller, including relevant human factors 
and operator processes and procedures. PHMSA refers to the combination 
of all these factors as control room management.
    Centralized pipeline and facility control operations generally fall 
into one of three control function categories or into a hybrid 
combination:
    1. Monitor, detect, and perform full remote control.
    2. Monitor, detect, and direct field operating personnel to perform 
specific actions.
    3. Monitor, detect, and alert field operating personnel, and defer 
action to field personnel.
    Controllers use SCADA systems to detect and monitor operational 
conditions. A controller then performs the required control function or 
directs or defers to field operations for needed attention based on the 
controller's responsibility, authority, and assessment of the 
situation.
    Individual station computer control may be implemented through:
    1. A unified control system within the station or plant, or
    2. Individual unit-mounted control panels for each piece of 
equipment or groupings of equipment.
    Pipeline operations can vary significantly based on the physical 
properties of the commodities transported. For example, compressibility 
is a fundamental difference between natural gas and some hazardous 
liquids. SCADA system configuration, communication schemes, control 
modes and applied instrumentation, pipeline system configuration and 
complexities, size, procedures, and practices can further differentiate 
pipeline operations. These differences can have dramatic effects on the 
required content and scope of a controller's training and 
qualifications, and on operational procedures and configuration of 
applied SCADA control systems. Differences in pipeline operations can 
also exist because some controllers are union employees governed by 
contract conditions and some are not. This can impact the number of 
hours worked, activities performed, number of controllers on shift, and 
other factors such as shift schedules.
    All controllers have some opportunity to mitigate risks. The degree 
to which they can affect pipeline safety may vary. For example, all 
controllers, including those that monitor only, can affect minor events 
(i.e. those not meeting reporting thresholds) and can influence the 
impact of future incidents in a positive manner. Pipeline controllers 
require similar cognitive and analytical skills. Additionally, control 
room procedures, pipeline controller tools, training, skills, and 
qualifications can impact controller performance.
    The nature of a particular control arrangement and the commodity 
transported will affect the actions an operator must take to manage the 
control environment and permit controllers to be successful in 
maintaining pipeline safety. None of these differences, though, obviate 
the need for control room management.

C. The Safety Pyramid

    Operators of gas pipeline systems must submit to PHMSA written 
reports of events meeting certain criteria as incidents. Over the past 
10 years, gas pipeline operators have submitted written reports for 
approximately 100 incidents per year on approximately 300,000 miles of 
gas transmission pipelines and approximately 130 incidents per year on 
approximately 2 million miles of distribution pipelines. Similarly, 
operators of hazardous liquid pipeline systems must submit to PHMSA 
written reports of

[[Page 53080]]

pipeline system failures meeting certain criteria as accidents. Over 
the same 10 years, hazardous liquid pipeline operators have reported an 
average of approximately 140 accidents per year on approximately 
160,000 miles of pipeline. The total number of accidents reported to 
PHMSA is about 370 per year.
    There are far more events, failures and near misses that occur on 
pipelines than those that require written reports. Some involve off-
normal conditions for which controllers or automated safety systems 
intercede to prevent serious consequences. Others do not progress to 
the point of needing controller or safety system involvement. Pipeline 
operators document some near misses, but not all. PHMSA believes there 
are other low-order events, failures and near misses that occur 
unobserved.
    The term ``safety pyramid'' was used by Dr. D.W. Heinrich (1881-
1962), an insurance company analyst who analyzed industrial accident 
prevention in the 1930s. In particular, he studied the relationship of 
events of varying significance and concluded that serious events (e.g., 
those resulting in fatalities) in any system occur in much smaller 
numbers than events of lesser significance. His work generally divided 
events into a 300-29-1 ratio, where there is 1 significant failure and 
29 notable events in every 300. Heinrich called this relationship the 
``safety pyramid.'' In turn, the number of errors and situations not 
recognized as ``events'' is even larger. Reportable pipeline accidents 
and incidents are only the tip of the safety pyramid. More events and 
failures occur at lower levels of the pyramid, including many near-miss 
events. Information about these near-miss events, whether affecting a 
gas pipeline, hazardous liquid pipeline, or LNG facility, can lead to 
identifying key elements that can prevent events and failures from 
reaching the tip of the safety pyramid. Controller vigilance and 
appropriate response to lower-level events thus serves to prevent 
reportable pipeline incidents from occurring.

D. Learning From Industry-Wide Operating Experience

    The proposed rule would require operators to establish a program to 
evaluate events that occur on their pipeline systems to identify 
lessons that can be used to improve control room performance. PHMSA 
believes it would be useful for the pipeline industry to establish a 
program to perform the same function for events occurring across the 
pipeline industry and to disseminate to all pipeline operators the 
lessons learned.
    It is self-evident that more events occur within the pipeline 
industry than on any individual pipeline system. The industry's safety 
pyramid is larger than that for any individual operator. This larger 
database of experience would provide more opportunity to learn lessons 
that can be used to improve the ability of controllers to maintain 
pipeline safety. For example, the airline industry and nuclear power 
plants have processes to collect and analyze operating experience and 
to share important lessons across their sectors. No such process exists 
within the pipeline or LNG industries. Some information about failures 
can be gleaned from news reports and discussions in trade association 
meetings, but pipeline and LNG operators do not usually share the 
details of failures. Operators are even less likely to share 
information about the bulk of close-calls and other minor events in the 
lower sector of the safety pyramid. Events with significant 
consequences (e.g., the 1999 hazardous liquid pipeline leak and 
explosion in Bellingham, Washington, or the 2001 gas transmission 
pipeline explosion near Carlsbad, New Mexico) get considerable press 
attention and become well known. The NTSB investigates significant 
pipeline events and issues reports and recommendations. Some events of 
lesser significance may be reported in trade press or by informal 
communications among pipeline operators, but there is no formalized 
process to collect and analyze information regarding close-call events 
or problems with more limited consequences in the pipeline industry.
    For larger pipeline operators, the sheer number of pipeline 
segments and stations may allow for the creation of a sufficiently 
large database of events to yield analytical value, but for most 
operators, their own experiences are not adequate to do so. Industry 
trade associations or other cooperative organizations could sponsor an 
industry-wide process to collect and analyze such information. Issues 
of proprietary information and perceived industry collusion are real 
constraints, but these have been dealt with in other industries.
    While the proposed rule would require each operator to establish a 
program to evaluate events that occur on its pipeline system, the rule 
would not require an intra-industry operating experience review 
process. PHMSA believes such intra-industry review could be useful, but 
does not consider it appropriate at this time to avoid the issues of 
unnecessary disclosure of proprietary information and perceived 
industry collusion. PHMSA encourages these industries to consider 
establishing such processes and invites the public and industry to 
comment on the value of such an inter-company review process.

III. Human Factors Studies

A. PHMSA Controller Study

    PHMSA had been studying and evaluating control room operations for 
many years and began developing control room inspection guidance in 
1999. Subsequently, Congress enacted the PSIA, which the President 
signed into law on December 17, 2002. Section 13 of the PSIA required 
the DOT to conduct a pilot program to evaluate whether pipeline 
controllers should be certified based on tests and other requirements. 
In response to the PSIA, PHMSA conducted the CCERT study and reported 
findings to Congress in a report dated December 17, 2006, entitled 
``Qualification of Pipeline Personnel.'' This project included a 
comprehensive review of existing controller training, qualification 
processes, procedures, and practices. This review also included 
identifying potential enhancements such as validation and certification 
processes currently used in other industries to enhance public safety.
    Understanding the attributes traditionally contained in existing 
operators' training and qualification programs was an essential element 
of CCERT. Process techniques, practices, and procedures are significant 
and valuable tools to train and qualify controllers. PHMSA identified 
techniques, practices, and procedures through interviews with numerous 
pipeline operators and controllers in a variety of situations. This 
included pipelines of a wide array of types and sizes and both union 
and non-union controllers.
    PHMSA determined what actions would lead to an additional assurance 
that pipeline controllers are adequately qualified to perform safety-
sensitive tasks. The project team also identified key processes and 
procedures critical to control room safety and reviewed certification 
programs. To consider validation or certification of pipeline 
operators' qualification processes, the training and qualification 
programs should be thorough and adequately administered. PHMSA's 
primary project objectives were to review and evaluate the structure 
and content of operators' training and qualification programs and to 
identify controller procedures that can have an impact on pipeline 
safety and integrity.

[[Page 53081]]

    The project focused on the content of the pipeline operators' 
administrative, training, and evaluation techniques that make up the 
controller training and qualification processes, and included a review 
of related safety and integrity procedures. Ultimately this information 
helped to:
     Identify content that should be included in an operator's 
training program for controllers.
     Identify content that should be included in the 
qualification programs to provide a higher assurance that controllers 
possess adequate knowledge, skills, and abilities to maintain the 
safety and integrity of the pipeline.
     Determine what form of validation should be used to 
ascertain that pipeline controllers are adequately qualified and 
sustain those qualifications.
     Identify aspects of safety and integrity practices and 
procedures that are critical to controllers.
    PHMSA established and implemented a strategy for receiving and 
encouraging ongoing stakeholder interaction early in the project. This 
approach involved the participation of numerous stakeholders that 
provided information including a focus group with representatives of 
the public, industry trade associations, pipeline operators, state and 
Federal pipeline safety agencies, and academia. PHMSA shared insights 
regarding key operational and logistical considerations for the project 
and collected comments from the group at key phases of the project. 
Information came directly from the focus group participants and 
indirectly from members of their respective constituencies. In 
addition, PHMSA presented project updates at numerous trade association 
meetings and other stakeholder forums to solicit additional feedback.
    PHMSA gathered supplemental information regarding controller 
qualifications from pipeline operators transporting various commodities 
with diverse control room characteristics, complex control operations 
and minimal monitoring operations, union and nonunion work 
environments, and varying pipeline mileage. Additional information was 
also obtained from the following sources:
     National Transportation Safety Board (NTSB);
     PHMSA Pipeline Technical Advisory Committees;
     National Association of Pipeline Safety Representatives 
(NAPSR);
     Pipeline trade organizations such as the
    [ctrcir] American Petroleum Institute (API),
    [ctrcir] Association of Oil Pipelines (AOPL),
    [ctrcir] American Gas Association (AGA),
    [ctrcir] American Public Gas Association (APGA), and
    [ctrcir] Interstate Natural Gas Association of America (INGAA);
     Research by
    [ctrcir] Najmedin (Najm) Meshkati, Professor of Civil/Environmental 
Engineering and Professor of Industrial and Systems Engineering at the 
University of Southern California,
    [ctrcir] Craig Harvey, Industrial and Manufacturing Systems 
Engineering, Louisiana State University, and
    [ctrcir] Marvin McCallum, Christian Richard, Battelle Seattle 
Research Centers;
     Related product and system vendors;
     Public advocate discussion lists (such as https://
tech.groups.yahoo.com/group/safepipelines)
     Other industries utilizing validation and certification 
programs, including:
    [ctrcir] Aviation,
    [ctrcir] Railroad,
    [ctrcir] Nuclear power, and
    [ctrcir] Electric power transmission.
    PHMSA gathered additional information from the Environmental 
Protection Agency, the Occupational Safety and Health Administration, 
and the Chemical Safety Board. Because training, qualification, and 
certification programs are implemented in various forms, discussions 
about lessons learned in the development, implementation, and 
maintenance of programs in other industries were especially valuable.
    PHMSA sponsored two public workshops (June 27, 2006, and May 23, 
2007) that provided various stakeholders an opportunity to discuss 
options to enhance the adequacy of control room management, provide 
substantiation of existing pipeline control management processes, 
discuss human fatigue issues, present existing qualification processes, 
and provide insights on other programs or methods used to provide for 
effective monitoring and control of pipelines.
    The workshops provided additional information and promoted 
discussion on the most critical factors emerging from the CCERT and the 
NTSB recommendations (discussed below) affecting the control and 
monitoring of gas and hazardous liquid pipelines. PHMSA provided an 
opportunity to discuss findings as a basis for providing further 
assurance about the effectiveness of pipeline control and the skills 
and qualifications of controllers. To foster discussion, PHMSA posed a 
number of specific questions in the Federal Register notices announcing 
the workshops, which were then discussed during the workshops, yielding 
valuable information, ideas, and opinions from a broad assortment of 
stakeholders.
    The first workshop was divided into several sessions, each 
highlighted by panel discussions and an open question and answer 
period. The panels were made up of subject matter experts from the 
public, industry, and government. The panelists discussed formalized 
procedures to control shift rotation schedules, shift changeover 
practices and possible ways to improve training on fatigue. Discussions 
included the CCERT recommendations providing clear direction regarding 
the controller's authority and responsibility to promote prompt 
detection and appropriate response to abnormal operating and emergency 
conditions and ways to address major changes in the controller's 
operating environment.
    The panelists discussed the importance of operators routinely 
reviewing alarm and event displays to identify when changes are 
necessary as well as additional measures to further protect against 
unauthorized access to the SCADA area. Different types of training 
associated with the recognition of abnormal operating conditions, 
emergencies, and maintaining personnel qualifications were also 
reviewed. A more detailed summary of the workshop is available in the 
CCERT docket, PHMSA-RSPA-2004-18584.
    The significant outcome of CCERT was the identification of elements 
that can provide value in controller training and qualification 
processes and the recognition of the importance of thoroughness and 
clarity of controller-related procedures that affect pipeline safety 
and integrity. Also of value was the identification of a validation 
process for the implementation and review of these same processes and 
procedures. Enhancements to operator programs affecting controllers can 
be realized with thorough and formalized procedures and practices, 
additions to training and qualification programs, stimulated 
discussions in industry fostering a continued sharing of best 
practices, and the development of industry-wide recommended practices 
and standards. Other factors can also influence a controller's ability 
to succeed. Pipeline operators should identify a controller's physical 
work environment, visual and aural distractions, ancillary work 
assignments that dilute a controller's attentiveness, workload, and 
SCADA system performance.
    The CCERT team concluded that a single controller certification 
process for the entire pipeline industry would not be appropriate for a 
number of reasons. First, because of the wide variability

[[Page 53082]]

among pipeline systems, a uniform controller qualification 
(certification) examination would have to be very general. Second, a 
general exam would need to be supplemented by significant and specific 
material for each system by each operator before a controller could 
adequately perform his duties. Third, a uniform controller 
qualification or certification test for the entire industry would not 
address many operator-specific and sometimes unique tasks critical to 
individual pipeline safety and integrity.
    The CCERT team concluded, however, that requiring operators to 
validate, review, and continuously improve the adequacy of controller-
related training, qualification, and procedures specific to each 
operator's pipeline would lead to improved public safety and better 
safety management in control rooms.
    The CCERT team also concluded:
     As a cause or contributor to pipeline events or failures, 
control rooms rank very low compared to corrosion, material defects, 
and third party damage, but controllers must respond appropriately to 
each of these identified contributing factors.
     Controllers are in a position of great importance to 
detect and react to abnormal operating and emergency conditions, 
thereby helping to avert failures and mitigate damage after a failure 
occurs.
     Controllers are key players in a company's response to 
abnormal operating and emergency conditions.
     The low probability of controller error is offset by the 
potentially high consequence of damages and injuries as a result of 
their improper actions.
     Remote monitoring or control through the use of a computer 
system may be performed in a formal control room, or numerous less 
formal settings such as an individual's office, service vehicle, or 
residence.
     The location of monitor or control functions does not 
define the nature or complexity of operations.
     Established definitions used in other regulations such as 
large or small operators based on pipeline mileage, location of the 
facility, or less than 20% of the specified minimum yield strength 
(SMYS) of the pipeline, are not good qualifiers in defining control 
room risks.
     More complex and diverse operations call for more thorough 
control room systems and processes.
     Involvement of field personnel in control activities has 
the potential to positively or negatively influence risk control.
     Although some operators still use 8-hour shifts, most 
operators have moved to 12-hour shifts.
     Choice of shift plan and rotation schedule is usually not 
supported by analytical review for fatigue.
     Most operators are performing at least a subset of the 
actions included in this proposed rule, but frequently without 
documentation of the basis for their process design choices or 
implementation methods, and sometimes without formalized procedures to 
maintain consistency or to provide for continuous improvement through 
review.
    Because controllers can have a great influence on the outcome of 
abnormal operating and emergency conditions, it is important that we 
provide for adequacy of controller knowledge, skills, abilities, and 
performance and their maintenance over time. PHMSA has identified 
fundamental operating procedures and practices, which should be used by 
pipeline controllers to enhance public safety. Most operators are 
currently using a subset of these procedures and practices, but use of 
these procedures and practices is not universal throughout the 
industry. The project team concluded that operators should be required 
to have more thorough, formalized procedures and processes for 
controller training and qualification which would be evaluated by the 
appropriate Federal or state regulatory authority.
    PHMSA collected and reviewed information from recent accident data 
analysis, complaints, inquiries, safety related condition reports, 
operator visits, PHMSA CCERT team operating experience, and the CCERT 
pilot program to be certain the activities of the pilot project 
operators and subsequent recommendations included recognition of 
lessons learned from those events that have been attributed to, or 
aggravated by, controller action or lack of action. While information 
reviewed indicates there is low probability for controller error to be 
the primary cause of an accident when compared to corrosion and other 
causal factors, this can be offset by the potentially high consequence 
of controller actions or inaction. Other industries, which employ 
validation and certification programs for control room personnel, also 
provided lessons learned in the development, implementation, and 
maintenance of validation and certification programs.
    Through the CCERT study, PHMSA identified a number of areas 
associated with the performance of control rooms that require 
enhancement. These areas were identified through numerous control room 
observations, PHMSA CCERT team operating experience, the collection of 
related research and project activities, controller cognitive skills 
review, the pilot program, and the comparisons with control room 
management issues in parallel industries. The enhancement areas 
incorporated into this proposed rule are as follows:
     Clearly define the roles and responsibilities of 
controllers to promote their prompt and appropriate response to 
abnormal operating conditions.
     Formalize procedures for recording critical information 
and for exchanging information during shift turnover or other times 
when a controller needs to be away from the desk and duties.
     Establish shift lengths, maximum hours of service 
limitations, and schedule rotations that provide sufficient time off 
work for rest in order to protect against the onset of fatigue that 
could affect the performance of pipeline controllers.
     Educate controllers and controller supervisors in fatigue 
mitigation strategies and how non-work activities contribute to fatigue 
that could affect pipeline control and control room management.
     Periodically review SCADA displays to ensure controllers 
are getting clear and reliable information from field stations and 
devices.
     Periodically audit alarm configurations and handling 
procedures to provide confidence in alarm signals and to foster 
controller effectiveness.
     Involve controllers when planning and implementing changes 
in operations.
     Maintain strong communications between controllers and 
field personnel.
     Determine how to establish, maintain, and review 
controller knowledge, skills, abilities, and qualifications.
     Develop performance metrics with particular attention to 
response to abnormal operating conditions.
     Analyze operating experience, including accidents, for 
possible involvement of the SCADA system, controller performance, and 
fatigue.
     Validate the adequacy of controller-related procedures and 
training, and the qualifications of controllers annually through 
involvement by senior-level executives of pipeline companies.
    PHMSA considers annual senior executive validation a key element. 
This would require a pipeline operator's senior executive responsible 
for pipeline operations to attest to the content and thoroughness of 
controller training and qualification programs and

[[Page 53083]]

related procedures that impact safety, and to verify that the 
individuals who operated the pipeline or LNG facility during the year 
have completed these training and qualification programs. The executive 
validations would be subject to regulatory review and inspection, and 
create a stronger ownership and responsibility of senior management in 
regard to potential fines and court proceedings. A secondary benefit of 
this validation process would be improved communication between 
executive level management, control room supervision, and controllers 
regarding concerns, duties, procedures, and processes resulting in an 
elevated awareness within each pipeline operator regarding the critical 
nature of a controller's job as well as the impact of controller duties 
on the safety and integrity of pipeline operations.
    Discussions in the first public workshop held June 27, 2006 
reflected general acknowledgement by the pipeline industry that the 
process outlined above was appropriate to reduce control room risk. 
There was also general agreement that much of the process is in place 
in many pipeline control operations. A summary of this workshop is 
available in the docket PHMSA-RSPA-2004-18584.
    PHMSA's second public workshop was held on May 23, 2007. 
Representatives of the pipeline industry, trade associations, the NTSB, 
other modes of transportation, and public interest groups presented 
their views on issues ranging from operator fatigue to the need to 
periodically review control room procedures. There was general 
agreement among workshop participants that controllers play an 
important role and that a human factors plan could have value. At the 
same time, most agreed that there was no need for major changes to 
current control room practices and staffing. A summary of this workshop 
is available in the docket PHMSA-2007-27954.

B. NTSB SCADA Study

    The NTSB conducted a safety study on hazardous liquid pipeline 
SCADA systems during the same time period as PHMSA conducted the CCERT 
study. The PHMSA project addressed a wider perspective of interest, but 
includes findings similar to those in the NTSB Report.\5\ The NTSB 
study identified areas for potential improvement, which resulted in 
five recommendations; three are incorporated in this proposed rule. 
PHMSA is addressing the other two recommendations independent of this 
proposed rulemaking.
---------------------------------------------------------------------------

    \5\ NTSB, ``Supervisory Control and Data Acquisition (SCADA) 
Systems in Liquid Pipelines,'' Safety Study NTSB/SS-05-02, adopted 
November 29, 2005.
---------------------------------------------------------------------------

    The impetus of the NTSB study was a number of hazardous liquid 
accidents investigated by the NTSB in which leaks went undetected after 
the initial indications of a leak were apparently evident on the SCADA 
system. The NTSB designed its SCADA study to examine how hazardous 
liquid pipeline companies use SCADA systems to monitor and record 
operating data and to evaluate the role of SCADA systems in leak 
detection. The study identified five areas for potential improvement:
     Display graphics.
     Alarm management.
     Controller training.
     Controller fatigue data collection.
     Leak detection systems.
    While this NTSB SCADA study specifically addressed hazardous liquid 
pipelines, NTSB included in the report an appendix listing all of its 
SCADA-related recommendations, which resulted from investigations of 
both hazardous liquid and gas pipeline accidents. Since 1976, the NTSB 
has issued approximately 30 recommendations either directly or 
indirectly related to SCADA systems involving both hazardous liquid and 
gas pipeline systems. PHMSA considers that the NTSB recommendations 
apply equally to gas and hazardous liquid pipelines and to LNG 
facilities. The recommendations are as follows:
NTSB Recommendation P-05-1
    Operators of hazardous liquid pipelines should be required to 
follow the API Recommended Practice 1165 (API RP 1165) for the use of 
graphics on the SCADA screens.
NTSB Recommendation P-05-2
    PHMSA should require pipeline companies to have a policy for the 
review and audit of SCADA-based alarms.
NTSB Recommendation P-05-3
    Operators should be required to include simulator or non-
computerized simulations for training controllers in recognition of 
abnormal operating conditions, in particular leak events.
NTSB Recommendation P-05-4
    PHMSA should change the hazardous liquid accident reporting form 
(PHMSA F 7000-1) and require operators to provide data related to 
controller fatigue. PHMSA is addressing this recommendation in a 
separate action.
NTSB Recommendation P-05-5
    PHMSA should require operators to install computer-based leak 
detection systems on all lines unless engineering analysis determines 
that such a system is not necessary. PHMSA is publishing a report on 
leak detection systems and technology in 2008.
    PHMSA is addressing the first three recommendations in this 
proposed rule. Based on PHMSA's review of accident and incident data, 
the project team found that errant SCADA displays have the potential to 
confuse or mislead controllers or field personnel. They also found very 
few operators who consider the impact of color perception impairments 
and screen clutter or who perform periodic point-to-point verifications 
of screen display data with field instrumentation. Furthermore, the 
team found that training of the controllers usually did not include 
reference material to guide controllers to particular types of displays 
to help resolve certain types of abnormal operating conditions quickly 
or to address emergency response.
    The CCERT team found through discussions with operators that 
policies were seldom in place for systematically reviewing alarms on a 
regular basis. Many operators were not analyzing the number of alarms, 
seeking to eliminate unnecessary alarms, routinely determining if new 
alarms were needed, studying alarms to consider if grouping could 
consolidate information for more effective use, looking for systemic 
alarms, or reviewing alarms to verify alarm descriptions were clear to 
the controller. In addition, operators were not reviewing alarms to 
determine if abnormal operating conditions were frequently occurring 
together or consecutively. Rate-of-change alarms often were not being 
used as operational tools for controllers. Most operators were not 
looking for potential gradual degradation of controller response or 
changes in controller performance. Operators may have to reduce 
pressure because of concerns about the integrity of the pipeline, such 
as anomalies discovered during integrity management assessments. 
However, in many cases, the operators were not changing associated 
alarm set-point values, or field relief values, correspondingly when 
implementing these pressure reductions.
    The CCERT team's discussions with controllers identified that 
generic simulators and high-fidelity (frequently referred to as 
``full'') simulators were preferred training tools. The controllers 
interviewed generally found full simulators to have significant value. 
Tabletop discussions and exercises, and computerized simulators, were 
both found to be valuable resources for controllers in training for 
response to

[[Page 53084]]

abnormal operating conditions. Direct controller involvement in 
scenario development of tabletop exercises and computer-based 
simulations can add safety value to these tools. Controllers can also 
provide significant feedback on exercise performance. However, 
controllers were frequently not represented in the development of 
exercises and frequently did not participate in exercises other than to 
call out appropriate responders. Controllers were seldom asked what 
could be done to make an exercise more realistic, provide greater value 
or improve team response performance.

C. DOT's Human Factors Coordinating Committee (HFCC)

    The Secretary of Transportation established the HFCC in 1991 to 
become the focal point for human factors issues within DOT. Since its 
inception, the HFCC, a multi-modal team with government-wide liaisons, 
has successfully addressed crosscutting human factors issues in 
transportation. The HFCC has influenced the implementation of human 
factors projects within and among DOT's operating administrations, 
provided a mechanism for exchange of human factors and related 
technical information, and provided synergy and continuity in 
implementing transportation human factors research. DOT recognizes that 
many human performance issues are crosscutting and will benefit from a 
multi-modal approach. DOT needs coordinated human factors research to 
permit large research efforts that modes cannot support individually, 
to address multi-modal transportation issues, as well as to advocate 
for timely human factors research in transportation system solutions.
    PHMSA continues to actively participate on the HFCC, and has drawn 
from the work of the HFCC to help identify fatigue management 
strategies for control room management.

IV. PIPES Act of 2006

    The PIPES Act of 2006 (Pub. L. 109-468) imposed additional 
requirements on PHMSA with respect to control room management and human 
factors. The PIPES Act requires PHMSA to issue regulations requiring 
each operator of a gas or hazardous liquid pipeline to develop, 
implement, and submit a human factors management plan designed to 
reduce risks associated with human factors, including fatigue, in each 
control room for the pipeline. Operator plans must include a maximum 
limit on the hours a controller may work in a single shift between 
periods of adequate rest. PHMSA, or a state authorized to exercise 
safety oversight, is required to review and approve operators' human 
factors plans, and operators are required to notify PHMSA (or the 
appropriate state) of deviations from the plan.
    The PIPES Act also requires PHMSA to issue standards to implement 
the first three recommendations of the NTSB SCADA safety study as 
described above. Controllers using computer equipment to monitor or 
operate pipeline facilities can be impacted by display information, 
alarms, and abnormal operating conditions regardless of what type of 
system they operate. PHMSA considers the recommendations to be equally 
applicable to hazardous liquid and gas pipelines (transmission and 
distribution) as well as LNG facilities. This proposed rule will 
respond to the mandates in the PIPES Act relative to control room 
management, human factors, and SCADA.

V. Standards, Recommended Practices, and Guidelines

    One of the actions identified by CCERT was the development of 
consensus-based best practices to promote controller success. PHMSA is 
encouraged by recent industry efforts, including industry review of 
existing standards (such as the Instrument Society of America SP-18 and 
the Engineering Equipment and Materials Users Association 191A), 
guidance material in development by the Transportation Security 
Administration (TSA) focusing on SCADA CyperSecurity, and the 
development of other guidance, recommended practices, and standard 
documents. The structured development process used to establish this 
type of material has historically yielded great safety value. Such 
efforts focused on Control Room Management have the potential