Pipeline Safety: Control Room Management/Human Factors, 53076-53104 [E8-20701]

Agencies

• Pipeline and Hazardous Materials Safety Administration
• DEPARTMENT OF TRANSPORTATION

[Federal Register Volume 73, Number 178 (Friday, September 12, 2008)]
[Proposed Rules]
[Pages 53076-53104]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-20701]



[[Page 53075]]

-----------------------------------------------------------------------

Part II





Department of Transportation





-----------------------------------------------------------------------



Pipeline and Hazardous Materials Safety Administration



-----------------------------------------------------------------------



49 CFR Parts 192, 193, and 195



Pipeline Safety: Control Room Management/Human Factors; Proposed Rule

Federal Register / Vol. 73 , No. 178 / Friday, September 12, 2008 / 
Proposed Rules

[[Page 53076]]


-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

Pipeline and Hazardous Materials Safety Administration

49 CFR Parts 192, 193, and 195

[Docket ID PHMSA-2007-27954]
RIN 2137-AE28


Pipeline Safety: Control Room Management/Human Factors

AGENCY: Pipeline and Hazardous Materials Safety Administration (PHMSA), 
DOT.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: PHMSA proposes to revise the Federal pipeline safety 
regulations to address human factors and other components of control 
room management. The proposed rules would require operators of 
hazardous liquid pipelines, gas pipelines, and liquefied natural gas 
(LNG) facilities to amend their existing written operations and 
maintenance procedures, operator qualification (OQ) programs, and 
emergency plans to assure controllers and control room management 
practices and procedures used maintain pipeline safety and integrity. 
This proposed rule results from a PHMSA study of controllers and 
controller performance issues known as the Controller Certification 
Project (CCERT), a National Transportation Safety Board study, safety-
related condition reports, operator visits and inspections, and 
inquiries. This rule would improve opportunities to reduce risk through 
more effective control of pipelines and require the human factors 
management plan mandated by the Pipeline Inspection, Protection, 
Enforcement, and Safety Act of 2006 (PIPES Act). These regulations 
would enhance pipeline safety by coupling strengthened control room 
management, including automated control systems, with improved 
controller training and qualifications and fatigue management. PHMSA 
expects these regulations will complement efforts already underway in 
the pipeline industry to address human factors and control room 
management, such as the development of new national consensus 
standards, including an American Petroleum Institute (API) recommended 
practices on roles and responsibilities, shift operations, management 
of change, fatigue management, alarm management and SCADA display 
standard, as well as comparable business practices at some pipeline 
companies.

DATES: Anyone interested in filing written comments on this proposal 
must do so by November 12, 2008. PHMSA will consider late comments 
filed so far as practical.

ADDRESSES: Comments should reference Docket No. PHMSA-2007-27954 and 
may be submitted the following ways:
     E-Gov Web site: https://www.regulations.gov. This Web site 
allows the public to enter comments on any Federal Register notice 
issued by any agency. Follow the instructions for submitting comments.
     Fax: 1-202-493-2251.
     Mail: DOT Docket Management System: U.S. Department of 
Transportation, Docket Operations, M-30, West Building Ground Floor, 
Room W12-140, 1200 New Jersey Avenue, SE., Washington, DC 20590-0001.
     Hand Delivery: DOT Docket Management System; West Building 
Ground Floor, Room W12-140, 1200 New Jersey Avenue, SE., Washington, DC 
20590-0001 between 9 a.m. and 5 p.m., Monday through Friday, except 
Federal holidays.
    Instructions: You should identify the docket ID, PHMSA-2007-27954, 
at the beginning of your comments. If you submit your comments by mail, 
submit two copies. To receive confirmation that PHMSA received your 
comments, include a self-addressed stamped postcard. Internet users may 
submit comments at https://www.regulations.gov.

    Note: Comments are posted without changes or edits to https://
www.regulations.gov, including any personal information provided. 
There is a privacy statement published on https://
www.regulations.gov.


FOR FURTHER INFORMATION CONTACT: Byron Coy at (609) 989-2180 or by e-
mail at Byron.Coy@dot.gov.

SUPPLEMENTARY INFORMATION: 

I. Prevention Through People

    Over the past several years, PHMSA's integrity management (IM) 
programs have been successfully driving down the two leading causes of 
pipeline failure--excavation damage and corrosion. IM programs help 
operators understand the threats affecting the integrity of their 
systems and implement appropriate actions to mitigate risks associated 
with these threats.
    Excavation damage and corrosion are, however, only part of the 
safety picture. The next logical area of program development is to 
examine the role people play in operating and maintaining pipelines. 
With this proposed rule, PHMSA is beginning implementation of a program 
that recognizes the importance of human interactions and opportunities 
for preventing risk, both errors and mitigating actions, to pipeline 
systems through a Prevention Through People (PTP) program. PTP 
addresses human impacts on pipeline system integrity. Human impacts 
include errors contributing to events, intervention to prevent or 
mitigate events, and the recognition of events that may begin the need 
for increased vigilance. The role of people, including controllers and 
those interacting with control center operations, is a vital component 
in preventing and reducing risk associated with pipeline systems. The 
proposed rule addresses requirements applicable to controllers and 
control room management.
    PHMSA has long recognized that controllers can play a key role in 
pipeline safety. Congress recognized the importance of this role in the 
Pipeline Safety Improvement Act of 2002 (PSIA) (Pub. L. 107-355) and 
the PIPES Act. A controller's actions can mitigate risk, but they can 
also introduce the potential for upset conditions. Human error 
(including those caused by mistake or fatigue) can cause or exacerbate 
events involving releases leading to safety hazards and environmental 
impacts. Controllers also respond to indications of abnormal conditions 
on the pipeline. Appropriate human response to abnormal situations can 
mitigate events, helping to prevent accidents leading to adverse 
consequences. As part of the PTP program, this proposed rule addresses 
requirements applicable to controllers, key players among the people 
who can affect pipeline safety.
    Several existing regulations strengthen the effectiveness of the 
role of people in managing safety. These include regulations on damage 
prevention programs (49 CFR 192.614 and 195.442), public awareness 
(Sec. Sec.  192.616 and 195.440), qualification of pipeline personnel 
(part 192, subpart N, part 193, subpart H, and part 195, subpart G), 
and drug and alcohol testing regulations and procedures (parts 40 and 
199). Explicitly incorporating a PTP element in IM plans would 
emphasize the role of people both in contributing to, and in reducing, 
risks. PHMSA believes this may be the best means of fostering a 
holistic approach to managing the safety impact of people on the 
integrity of pipelines. This proposed rule adds requirements applicable 
to control room management. In the future, PHMSA plans to address 
additional risks associated with human factors as well as the 
opportunities for people to mitigate risks. In addition to regulations, 
PHMSA plans to identify and promote noteworthy best practices in PTP.

[[Page 53077]]

    PHMSA recently reported to Congress on its work examining control 
room management issues as mandated in the PSIA. The report, titled 
``Qualification of Pipeline Personnel,'' includes a summary of the 
CCERT Project, a four-year effort examining control room issues in PTP. 
Although the project began with examination of qualification issues, 
during the course of the project, we identified other control room 
issues impacting the safety performance of controllers. PHMSA concluded 
that validating the adequacy of controller-related processes, 
procedures, training, and the controllers' credentials would improve 
management of control rooms, thereby enhancing safety for the public, 
the environment and pipeline employees. PHMSA also identified areas in 
which additional measures could enhance control room safety and 
minimize the risk associated with fatigue and interaction with computer 
equipment. These areas include annual validation of controller 
qualifications by senior level executives of pipeline companies, 
clearly defined responsibilities for controllers in responding to 
abnormal operating conditions, the use of formalized procedures for 
information exchange during shift turnover, and clearly established 
shift lengths combined with education on strategies to reduce the 
contribution of non-work activities to fatigue. These areas are 
addressed by requirements included in this proposed rule.

II. Background

A. Pipelines and LNG Plants

    Approximately two-thirds of our domestic energy supplies are 
transported by pipeline. There are roughly 170,000 miles of hazardous 
liquid pipelines, 295,000 miles of gas transmission pipelines, and 1.9 
million miles of gas distribution pipelines in the United States. 
Hazardous liquid pipelines carry crude oil to refineries and refined 
products to locations where these products are consumed. Hazardous 
liquid pipelines also transport highly volatile liquids (HVLs), other 
hazardous liquids such as anhydrous ammonia, and carbon dioxide. The 
regulations in 49 CFR part 195 apply to owners and operators of 
pipelines used in the transportation of hazardous liquids and carbon 
dioxide. Throughout this document, the term ``operator'' refers to both 
owners and operators of pipeline facilities.
    Gas transmission pipelines typically carry natural gas over long 
distances from gas gathering, supply, or import facilities to 
localities where it is used to heat homes, generate electricity, and 
fuel industry. Gas distribution pipelines take natural gas from 
transmission pipelines and distribute it to residential, commercial, 
and industrial customers. The regulations in 49 CFR part 192 apply to 
operators of pipelines that transport natural gas, flammable gas, or 
gas which is toxic and corrosive. Throughout this document, the term 
``gas'' refers to all gases in pipelines regulated under part 192.
    Additionally, there are currently 109 LNG import and peak shaving 
plants connected to our natural gas transmission and distribution 
pipeline systems. The volume of natural gas is reduced about 600 times 
when the gas is cooled to a liquid form. This allows large quantities 
of natural gas to be transported by ship and to be stored in insulated 
tanks. LNG import plants allow the U.S. to use natural gas produced in 
other countries and transported by ship. According to the Department of 
Energy, imported LNG provided 2% of U.S. natural gas supplies in 2003 
but that proportion is expected to grow to 21% by 2025.\1\ LNG peak 
shaving plants allow gas pipeline operators to liquefy and store 
natural gas during off-peak periods. The stored LNG is then converted 
back to natural gas when needed for periods of peak consumption. The 
risks inherent in control of these facilities can be reduced by 
application of this proposed rule.
---------------------------------------------------------------------------

    \1\ U.S. Department of Energy, Office of Fossil Energy Web site 
(https://www.fossil.energy.gov/programs/oilgas/storage/lng/feature/
whyimportant.html).
---------------------------------------------------------------------------

B. Control Rooms and Controllers

    Most pipelines are underground and operate without disturbing the 
environment or negatively impacting public safety. However, accidents 
\2\ do occasionally occur. Effective control is one key component of 
accident prevention. Controllers can help identify risks, prevent 
accidents, and minimize commodity losses if provided with the necessary 
tools and working environment. Therefore, this proposed rule is 
intended to increase the likelihood that pipeline and LNG controllers 
have the necessary knowledge, skills, abilities, and qualifications to 
help prevent accidents and that operators provide controllers with the 
training, tools, procedures, management support, and environment where 
a controller's actions can help prevent accidents and minimize 
commodity losses.
---------------------------------------------------------------------------

    \2\ The pipeline safety regulations in 49 CFR parts 191, 192, 
and 193 refer to certain harmful events on a gas pipeline system or 
LNG facility as ``incidents'' while part 195 refers to certain 
failures on a hazardous liquid pipeline system as ``accidents.'' 
Throughout this document the terms ``accident'' and ``incident'' may 
be used interchangeably to mean an event or failure on a gas or 
hazardous liquid pipeline system or LNG facility.
---------------------------------------------------------------------------

i. Background
    Pipeline systems vary from small, simple systems, to complex 
systems covering thousands of miles. Combined, these systems make up a 
vast network of pipelines reaching across the United States. Pipeline 
systems include pumps, compressors, storage tanks, valves, and other 
components. A pump station, compressor station, or terminal is usually 
a major installation consisting of large pumps, compressors, storage 
tanks, and other service equipment. Pipeline systems also include 
valves used to control pressure and to direct flow during normal 
operations, to isolate sections of pipeline for maintenance or 
emergency activities, or to maintain operating pressures within 
allowable limits.
    Most operators monitor pumps, compressors, valves, and other 
equipment from single or multiple locations, often hundreds of miles 
away. Such locations are commonly known as ``control rooms.'' The 
individuals who work in control rooms are ``controllers.'' \3\ A 
control room may have one or more controllers, who could be union or 
non-union employees. Both union and non-union controllers may work for 
the same operating company and a control room is likely to be 
operational 24 hours a day, 365 days a year, or less, depending on the 
complexity and nature of the pipeline system or LNG facilities served.
---------------------------------------------------------------------------

    \3\ Different titles exist in the industry for personnel who 
operate computer-based systems for controlling and monitoring the 
operations of pipeline facilities, some of which are controllers, 
dispatchers, operators, and board operators, but all are considered 
``controllers'' in this document.
---------------------------------------------------------------------------

    Most operators use computer-based supervisory control and data 
acquisition (SCADA) systems, distributed control systems (DCS), or 
other less sophisticated systems to gather key information 
electronically from field locations.\4\ These systems are configured to 
present field data to the controllers, and may include additional 
historical, trending, and alarm management information. Controllers 
track routine operations continuously and watch for possible developing 
abnormal operating or emergency conditions. A controller may take 
direct action through the SCADA system to correct the conditions

[[Page 53078]]

or the controller may alert and defer action to others.
---------------------------------------------------------------------------

    \4\ SCADA and DCS systems perform similar functions. Throughout 
this document, where the term SCADA is used, it should be 
interpreted to mean SCADA or DCS.
---------------------------------------------------------------------------

ii. Importance of Control Rooms and Controllers
    Control rooms and controllers are critical to the safe operation of 
pipeline systems and LNG facilities. Control rooms often serve as the 
hub or command center for decisions such as adjusting commodity flow or 
facilitating an operator's initial response to an emergency. The 
control room is the central location where humans or computers receive 
data from field sensors. Commands from the control room may be 
transmitted back to remotely controlled equipment. Field personnel also 
receive significant information from the control room. In essence, the 
control room is the ``brain'' of the pipeline system or LNG plant. 
Errors made in control rooms can have significant effects on the 
controlled systems. A controller's errors can initiate or exacerbate an 
accident. A controller's improper action or lack of action can place 
undue stresses on a pipeline segment or an LNG facility, which could 
result in a subsequent failure, the loss of service, or an increase in 
lost commodity, leading to risk to people, the environment, and the 
fuel supply. Controller responses to developing abnormal operating 
conditions or accidents can alleviate or exacerbate the consequences of 
some events regardless of the initial cause.
    A brief description of a few accidents can help illustrate the 
importance of control rooms and controllers to safe pipeline operation. 
More often than not, however, control rooms and controllers are a 
significant part of an operator's response to abnormal and emergency 
events rather than the cause.
     A batch of hazardous liquid expected to fill several tanks 
was being received at a tank terminal. A tank switchover was scheduled 
to occur late in a controller's shift. The switchover did not occur at 
the scheduled time due to a reduction in flow rate in the pipeline, but 
the controller failed to inform the relief controller at shift change. 
The oncoming controller assumed the switchover had happened as 
scheduled, and therefore did not monitor the levels in the tank being 
filled. The liquid overflowed the tank and was ignited. The resulting 
fire caused considerable damage including the destruction of two large 
storage tanks.
     A seldom-used manual valve in a hazardous liquid pipeline 
system had been closed to facilitate maintenance. The controller was 
aware that the valve was closed. The controller was not aware, however, 
that the indication on his computer display of pressure near the valve 
came from a transducer downstream of the valve. The display indicated 
it was from the upstream side of the valve. While filling the isolated 
portion of the pipeline to return it to service, the controller over-
pressurized the line, resulting in a rupture.
     While diverting hazardous liquid pipeline flow from one 
facility to another, an elevated pressure caused the rupture of a 
pipeline at a location weakened by previous third party damage. Pumps 
had automatically shut off due to the high pressures. Despite a sharp 
drop in line pressure, the controller did not recognize that the 
pipeline had failed, and re-started the pumps. As a result, a 
significant amount of product was released through the ruptured line, 
ignited, and resulted in several fatalities. Maintenance activities 
being performed on the computers of the SCADA system at the time of the 
vent hampered the controller from recognizing and reacting to the 
failure.
     A slug of contaminants was introduced into a gas 
transmission pipeline when gas was drawn from storage. The contaminants 
affected instruments and regulators as the slug moved down the 
pipeline, resulting in many control room alarms. The controller 
operating the pipeline did not recognize what was happening and failed 
to initiate corrective action in time to avoid loss of gas supply to 
several towns.
     A citizen called a gas pipeline control room to report a 
sheen on a creek in a right-of-way shared with hazardous liquid 
pipelines. The citizen called the gas control room because its 
telephone number was on the pipeline marker the citizen located in the 
corridor. The controller of the gas pipeline failed to contact the 
controllers of the liquid pipelines in the shared corridor, and 
referred the information from the call to a field office that was 
unattended at the time. The result was a delay of several days in 
responding to a potential failure of one of the liquid pipelines.
     In a similar situation, a citizen telephoned a gas control 
room and reported a leak. The controller concluded the company had no 
facilities in the area, that any problem was thus not theirs, and did 
not follow up. The leak persisted and subsequent calls to regulatory 
agencies resulted in locating a number of leaks in the area affecting 
facilities operated by the control room that took the original call.
iii. Local Control and LNG
    Many pipeline systems and LNG plants have equipment that is locally 
controlled via a control panel located on or near the field equipment. 
The individuals who operate this equipment using the control panel 
could be considered controllers depending on their shared and 
associated responsibilities with controllers at other locations. This 
may also depend on the specific equipment being controlled and whether 
or not the controlled equipment is within direct observation of the 
individual at the local control panel.
    Gas pipeline operations are sometimes associated with LNG plants. 
LNG facilities are operated from control rooms and can have locally-
controlled equipment in the same manner as pipeline facilities. In 
addition, some LNG control rooms also control pipeline systems 
connected to the LNG plant. Working from control rooms, controllers 
operate LNG facilities, pipelines associated with the facilities, and 
locally controlled equipment within LNG plants.
    Most pipeline systems today have control rooms. These facilities 
can be located at some distance from the pipeline, or they may be in 
close proximity to the pipeline. Many pipelines also have locally 
controlled equipment operated by controllers. This proposed rule 
addresses all of these situations. Pipeline and LNG facilities include 
compressor stations, hazardous liquid terminals, pump stations, LNG 
plants, and any other locations where controllers are located. In 
addition, control room also means a control center, control station, or 
any other such terminology.
iv. Providing Tools for Effective Controller Performance
    Pipeline and LNG controllers impact the safety and integrity of the 
pipeline and LNG facilities they operate by being vigilant during 
normal operations and by properly responding to abnormal operating 
conditions and potential emergency situations. Public safety can be 
enhanced when a pipeline or LNG operator provides a controller the 
necessary tools and management support, while implementing and tracking 
thoroughly developed processes used by controllers.
    SCADA systems, which are widely used throughout the pipeline 
industry, can be as simple as computerized field equipment that allows 
an individual to monitor alarms or control equipment within a pipeline 
facility; or they can be more complex and diverse to allow a

[[Page 53079]]

controller to monitor, or monitor and control, many facilities as part 
of a complex pipeline network involving various communications mediums, 
often from a control room that is hundreds of miles away. For some 
pipeline operators, the application of SCADA systems has resulted in a 
reduction of pipeline field personnel, making the role of the 
controller even more critical to the safety and integrity of pipeline 
facilities.
    Pipeline and LNG controllers also must have adequate and up-to-date 
information about the conditions and operating status of the equipment 
they monitor, or monitor and control, if they are to succeed in 
maintaining pipeline safety. Incorrect, delayed, missing, or poorly 
displayed data may confuse a controller and can lead to problems 
despite the extensive training, qualification, and abilities of the 
controller.
v. Controller Knowledge and Abilities
    Operators should assure that controllers perform their duties 
promptly and accurately, including routine operations and response to 
developing abnormal operating conditions or emergency circumstances, to 
help maintain pipeline and LNG facility safety. Existing operator 
qualification (OQ) regulations for pipeline personnel currently address 
a portion of the processes affecting a controller's ability to succeed 
in maintaining pipeline safety and integrity.
    A controller should possess certain abilities, and attain the 
knowledge and skills necessary to complete the various tasks required 
for a specific pipeline system or LNG facility. To attain the necessary 
knowledge and skills, the controller is typically required to complete 
extensive on-the-job training and is often closely observed by an 
experienced controller for a period of time. The controller must also 
review and understand appropriate procedures, including those 
associated with emergency response, and repeatedly practice the correct 
responses to a variety of abnormal operating conditions. A controller's 
skills and knowledge are then evaluated through the pipeline operator's 
OQ process. Many pipeline operators require additional company-specific 
performance requirements that are outside of the operator's OQ program.
    Many controllers routinely monitor and send commands to change flow 
rates and pressures, open and close valves, start and stop compressors 
or pumps, monitor tank levels, identify abnormal operating and 
emergency conditions, and perform a key role when a safety response is 
needed. In some pipeline systems, controllers also monitor corrosion 
control rectifiers, odorant systems, purge operations, leak detection 
equipment, and security systems. Prompted by an assortment of factors, 
controllers re-direct flow, start and stop pipeline segments, or 
further adjust flow rates to accommodate market conditions, maintenance 
activities, and weather conditions on a regional or national basis. For 
these pipelines, dynamic operating conditions require controllers to 
have a high level of knowledge, skills, and abilities to safely 
maintain systems and to promptly recognize abnormal operating 
conditions or other anomalies as situations develop. In other pipelines 
and distribution systems, controllers use computers to closely monitor 
operating conditions, and then alert field personnel to take action 
when upset, abnormal or emergency conditions arise.
    A controller needs adequate, thorough training and qualifications 
as well as appropriate timely data, a control system designed to aid in 
the prompt identification of abnormal conditions, and an understanding 
of the controller's authority to take appropriate actions.
vi. Control Room Management
    All of this must occur within an environment that facilitates 
appropriate and correct actions. Operators must appropriately manage 
the factors affecting the controller, including relevant human factors 
and operator processes and procedures. PHMSA refers to the combination 
of all these factors as control room management.
    Centralized pipeline and facility control operations generally fall 
into one of three control function categories or into a hybrid 
combination:
    1. Monitor, detect, and perform full remote control.
    2. Monitor, detect, and direct field operating personnel to perform 
specific actions.
    3. Monitor, detect, and alert field operating personnel, and defer 
action to field personnel.
    Controllers use SCADA systems to detect and monitor operational 
conditions. A controller then performs the required control function or 
directs or defers to field operations for needed attention based on the 
controller's responsibility, authority, and assessment of the 
situation.
    Individual station computer control may be implemented through:
    1. A unified control system within the station or plant, or
    2. Individual unit-mounted control panels for each piece of 
equipment or groupings of equipment.
    Pipeline operations can vary significantly based on the physical 
properties of the commodities transported. For example, compressibility 
is a fundamental difference between natural gas and some hazardous 
liquids. SCADA system configuration, communication schemes, control 
modes and applied instrumentation, pipeline system configuration and 
complexities, size, procedures, and practices can further differentiate 
pipeline operations. These differences can have dramatic effects on the 
required content and scope of a controller's training and 
qualifications, and on operational procedures and configuration of 
applied SCADA control systems. Differences in pipeline operations can 
also exist because some controllers are union employees governed by 
contract conditions and some are not. This can impact the number of 
hours worked, activities performed, number of controllers on shift, and 
other factors such as shift schedules.
    All controllers have some opportunity to mitigate risks. The degree 
to which they can affect pipeline safety may vary. For example, all 
controllers, including those that monitor only, can affect minor events 
(i.e. those not meeting reporting thresholds) and can influence the 
impact of future incidents in a positive manner. Pipeline controllers 
require similar cognitive and analytical skills. Additionally, control 
room procedures, pipeline controller tools, training, skills, and 
qualifications can impact controller performance.
    The nature of a particular control arrangement and the commodity 
transported will affect the actions an operator must take to manage the 
control environment and permit controllers to be successful in 
maintaining pipeline safety. None of these differences, though, obviate 
the need for control room management.

C. The Safety Pyramid

    Operators of gas pipeline systems must submit to PHMSA written 
reports of events meeting certain criteria as incidents. Over the past 
10 years, gas pipeline operators have submitted written reports for 
approximately 100 incidents per year on approximately 300,000 miles of 
gas transmission pipelines and approximately 130 incidents per year on 
approximately 2 million miles of distribution pipelines. Similarly, 
operators of hazardous liquid pipeline systems must submit to PHMSA 
written reports of

[[Page 53080]]

pipeline system failures meeting certain criteria as accidents. Over 
the same 10 years, hazardous liquid pipeline operators have reported an 
average of approximately 140 accidents per year on approximately 
160,000 miles of pipeline. The total number of accidents reported to 
PHMSA is about 370 per year.
    There are far more events, failures and near misses that occur on 
pipelines than those that require written reports. Some involve off-
normal conditions for which controllers or automated safety systems 
intercede to prevent serious consequences. Others do not progress to 
the point of needing controller or safety system involvement. Pipeline 
operators document some near misses, but not all. PHMSA believes there 
are other low-order events, failures and near misses that occur 
unobserved.
    The term ``safety pyramid'' was used by Dr. D.W. Heinrich (1881-
1962), an insurance company analyst who analyzed industrial accident 
prevention in the 1930s. In particular, he studied the relationship of 
events of varying significance and concluded that serious events (e.g., 
those resulting in fatalities) in any system occur in much smaller 
numbers than events of lesser significance. His work generally divided 
events into a 300-29-1 ratio, where there is 1 significant failure and 
29 notable events in every 300. Heinrich called this relationship the 
``safety pyramid.'' In turn, the number of errors and situations not 
recognized as ``events'' is even larger. Reportable pipeline accidents 
and incidents are only the tip of the safety pyramid. More events and 
failures occur at lower levels of the pyramid, including many near-miss 
events. Information about these near-miss events, whether affecting a 
gas pipeline, hazardous liquid pipeline, or LNG facility, can lead to 
identifying key elements that can prevent events and failures from 
reaching the tip of the safety pyramid. Controller vigilance and 
appropriate response to lower-level events thus serves to prevent 
reportable pipeline incidents from occurring.

D. Learning From Industry-Wide Operating Experience

    The proposed rule would require operators to establish a program to 
evaluate events that occur on their pipeline systems to identify 
lessons that can be used to improve control room performance. PHMSA 
believes it would be useful for the pipeline industry to establish a 
program to perform the same function for events occurring across the 
pipeline industry and to disseminate to all pipeline operators the 
lessons learned.
    It is self-evident that more events occur within the pipeline 
industry than on any individual pipeline system. The industry's safety 
pyramid is larger than that for any individual operator. This larger 
database of experience would provide more opportunity to learn lessons 
that can be used to improve the ability of controllers to maintain 
pipeline safety. For example, the airline industry and nuclear power 
plants have processes to collect and analyze operating experience and 
to share important lessons across their sectors. No such process exists 
within the pipeline or LNG industries. Some information about failures 
can be gleaned from news reports and discussions in trade association 
meetings, but pipeline and LNG operators do not usually share the 
details of failures. Operators are even less likely to share 
information about the bulk of close-calls and other minor events in the 
lower sector of the safety pyramid. Events with significant 
consequences (e.g., the 1999 hazardous liquid pipeline leak and 
explosion in Bellingham, Washington, or the 2001 gas transmission 
pipeline explosion near Carlsbad, New Mexico) get considerable press 
attention and become well known. The NTSB investigates significant 
pipeline events and issues reports and recommendations. Some events of 
lesser significance may be reported in trade press or by informal 
communications among pipeline operators, but there is no formalized 
process to collect and analyze information regarding close-call events 
or problems with more limited consequences in the pipeline industry.
    For larger pipeline operators, the sheer number of pipeline 
segments and stations may allow for the creation of a sufficiently 
large database of events to yield analytical value, but for most 
operators, their own experiences are not adequate to do so. Industry 
trade associations or other cooperative organizations could sponsor an 
industry-wide process to collect and analyze such information. Issues 
of proprietary information and perceived industry collusion are real 
constraints, but these have been dealt with in other industries.
    While the proposed rule would require each operator to establish a 
program to evaluate events that occur on its pipeline system, the rule 
would not require an intra-industry operating experience review 
process. PHMSA believes such intra-industry review could be useful, but 
does not consider it appropriate at this time to avoid the issues of 
unnecessary disclosure of proprietary information and perceived 
industry collusion. PHMSA encourages these industries to consider 
establishing such processes and invites the public and industry to 
comment on the value of such an inter-company review process.

III. Human Factors Studies

A. PHMSA Controller Study

    PHMSA had been studying and evaluating control room operations for 
many years and began developing control room inspection guidance in 
1999. Subsequently, Congress enacted the PSIA, which the President 
signed into law on December 17, 2002. Section 13 of the PSIA required 
the DOT to conduct a pilot program to evaluate whether pipeline 
controllers should be certified based on tests and other requirements. 
In response to the PSIA, PHMSA conducted the CCERT study and reported 
findings to Congress in a report dated December 17, 2006, entitled 
``Qualification of Pipeline Personnel.'' This project included a 
comprehensive review of existing controller training, qualification 
processes, procedures, and practices. This review also included 
identifying potential enhancements such as validation and certification 
processes currently used in other industries to enhance public safety.
    Understanding the attributes traditionally contained in existing 
operators' training and qualification programs was an essential element 
of CCERT. Process techniques, practices, and procedures are significant 
and valuable tools to train and qualify controllers. PHMSA identified 
techniques, practices, and procedures through interviews with numerous 
pipeline operators and controllers in a variety of situations. This 
included pipelines of a wide array of types and sizes and both union 
and non-union controllers.
    PHMSA determined what actions would lead to an additional assurance 
that pipeline controllers are adequately qualified to perform safety-
sensitive tasks. The project team also identified key processes and 
procedures critical to control room safety and reviewed certification 
programs. To consider validation or certification of pipeline 
operators' qualification processes, the training and qualification 
programs should be thorough and adequately administered. PHMSA's 
primary project objectives were to review and evaluate the structure 
and content of operators' training and qualification programs and to 
identify controller procedures that can have an impact on pipeline 
safety and integrity.

[[Page 53081]]

    The project focused on the content of the pipeline operators' 
administrative, training, and evaluation techniques that make up the 
controller training and qualification processes, and included a review 
of related safety and integrity procedures. Ultimately this information 
helped to:
     Identify content that should be included in an operator's 
training program for controllers.
     Identify content that should be included in the 
qualification programs to provide a higher assurance that controllers 
possess adequate knowledge, skills, and abilities to maintain the 
safety and integrity of the pipeline.
     Determine what form of validation should be used to 
ascertain that pipeline controllers are adequately qualified and 
sustain those qualifications.
     Identify aspects of safety and integrity practices and 
procedures that are critical to controllers.
    PHMSA established and implemented a strategy for receiving and 
encouraging ongoing stakeholder interaction early in the project. This 
approach involved the participation of numerous stakeholders that 
provided information including a focus group with representatives of 
the public, industry trade associations, pipeline operators, state and 
Federal pipeline safety agencies, and academia. PHMSA shared insights 
regarding key operational and logistical considerations for the project 
and collected comments from the group at key phases of the project. 
Information came directly from the focus group participants and 
indirectly from members of their respective constituencies. In 
addition, PHMSA presented project updates at numerous trade association 
meetings and other stakeholder forums to solicit additional feedback.
    PHMSA gathered supplemental information regarding controller 
qualifications from pipeline operators transporting various commodities 
with diverse control room characteristics, complex control operations 
and minimal monitoring operations, union and nonunion work 
environments, and varying pipeline mileage. Additional information was 
also obtained from the following sources:
     National Transportation Safety Board (NTSB);
     PHMSA Pipeline Technical Advisory Committees;
     National Association of Pipeline Safety Representatives 
(NAPSR);
     Pipeline trade organizations such as the
    [ctrcir] American Petroleum Institute (API),
    [ctrcir] Association of Oil Pipelines (AOPL),
    [ctrcir] American Gas Association (AGA),
    [ctrcir] American Public Gas Association (APGA), and
    [ctrcir] Interstate Natural Gas Association of America (INGAA);
     Research by
    [ctrcir] Najmedin (Najm) Meshkati, Professor of Civil/Environmental 
Engineering and Professor of Industrial and Systems Engineering at the 
University of Southern California,
    [ctrcir] Craig Harvey, Industrial and Manufacturing Systems 
Engineering, Louisiana State University, and
    [ctrcir] Marvin McCallum, Christian Richard, Battelle Seattle 
Research Centers;
     Related product and system vendors;
     Public advocate discussion lists (such as https://
tech.groups.yahoo.com/group/safepipelines)
     Other industries utilizing validation and certification 
programs, including:
    [ctrcir] Aviation,
    [ctrcir] Railroad,
    [ctrcir] Nuclear power, and
    [ctrcir] Electric power transmission.
    PHMSA gathered additional information from the Environmental 
Protection Agency, the Occupational Safety and Health Administration, 
and the Chemical Safety Board. Because training, qualification, and 
certification programs are implemented in various forms, discussions 
about lessons learned in the development, implementation, and 
maintenance of programs in other industries were especially valuable.
    PHMSA sponsored two public workshops (June 27, 2006, and May 23, 
2007) that provided various stakeholders an opportunity to discuss 
options to enhance the adequacy of control room management, provide 
substantiation of existing pipeline control management processes, 
discuss human fatigue issues, present existing qualification processes, 
and provide insights on other programs or methods used to provide for 
effective monitoring and control of pipelines.
    The workshops provided additional information and promoted 
discussion on the most critical factors emerging from the CCERT and the 
NTSB recommendations (discussed below) affecting the control and 
monitoring of gas and hazardous liquid pipelines. PHMSA provided an 
opportunity to discuss findings as a basis for providing further 
assurance about the effectiveness of pipeline control and the skills 
and qualifications of controllers. To foster discussion, PHMSA posed a 
number of specific questions in the Federal Register notices announcing 
the workshops, which were then discussed during the workshops, yielding 
valuable information, ideas, and opinions from a broad assortment of 
stakeholders.
    The first workshop was divided into several sessions, each 
highlighted by panel discussions and an open question and answer 
period. The panels were made up of subject matter experts from the 
public, industry, and government. The panelists discussed formalized 
procedures to control shift rotation schedules, shift changeover 
practices and possible ways to improve training on fatigue. Discussions 
included the CCERT recommendations providing clear direction regarding 
the controller's authority and responsibility to promote prompt 
detection and appropriate response to abnormal operating and emergency 
conditions and ways to address major changes in the controller's 
operating environment.
    The panelists discussed the importance of operators routinely 
reviewing alarm and event displays to identify when changes are 
necessary as well as additional measures to further protect against 
unauthorized access to the SCADA area. Different types of training 
associated with the recognition of abnormal operating conditions, 
emergencies, and maintaining personnel qualifications were also 
reviewed. A more detailed summary of the workshop is available in the 
CCERT docket, PHMSA-RSPA-2004-18584.
    The significant outcome of CCERT was the identification of elements 
that can provide value in controller training and qualification 
processes and the recognition of the importance of thoroughness and 
clarity of controller-related procedures that affect pipeline safety 
and integrity. Also of value was the identification of a validation 
process for the implementation and review of these same processes and 
procedures. Enhancements to operator programs affecting controllers can 
be realized with thorough and formalized procedures and practices, 
additions to training and qualification programs, stimulated 
discussions in industry fostering a continued sharing of best 
practices, and the development of industry-wide recommended practices 
and standards. Other factors can also influence a controller's ability 
to succeed. Pipeline operators should identify a controller's physical 
work environment, visual and aural distractions, ancillary work 
assignments that dilute a controller's attentiveness, workload, and 
SCADA system performance.
    The CCERT team concluded that a single controller certification 
process for the entire pipeline industry would not be appropriate for a 
number of reasons. First, because of the wide variability

[[Page 53082]]

among pipeline systems, a uniform controller qualification 
(certification) examination would have to be very general. Second, a 
general exam would need to be supplemented by significant and specific 
material for each system by each operator before a controller could 
adequately perform his duties. Third, a uniform controller 
qualification or certification test for the entire industry would not 
address many operator-specific and sometimes unique tasks critical to 
individual pipeline safety and integrity.
    The CCERT team concluded, however, that requiring operators to 
validate, review, and continuously improve the adequacy of controller-
related training, qualification, and procedures specific to each 
operator's pipeline would lead to improved public safety and better 
safety management in control rooms.
    The CCERT team also concluded:
     As a cause or contributor to pipeline events or failures, 
control rooms rank very low compared to corrosion, material defects, 
and third party damage, but controllers must respond appropriately to 
each of these identified contributing factors.
     Controllers are in a position of great importance to 
detect and react to abnormal operating and emergency conditions, 
thereby helping to avert failures and mitigate damage after a failure 
occurs.
     Controllers are key players in a company's response to 
abnormal operating and emergency conditions.
     The low probability of controller error is offset by the 
potentially high consequence of damages and injuries as a result of 
their improper actions.
     Remote monitoring or control through the use of a computer 
system may be performed in a formal control room, or numerous less 
formal settings such as an individual's office, service vehicle, or 
residence.
     The location of monitor or control functions does not 
define the nature or complexity of operations.
     Established definitions used in other regulations such as 
large or small operators based on pipeline mileage, location of the 
facility, or less than 20% of the specified minimum yield strength 
(SMYS) of the pipeline, are not good qualifiers in defining control 
room risks.
     More complex and diverse operations call for more thorough 
control room systems and processes.
     Involvement of field personnel in control activities has 
the potential to positively or negatively influence risk control.
     Although some operators still use 8-hour shifts, most 
operators have moved to 12-hour shifts.
     Choice of shift plan and rotation schedule is usually not 
supported by analytical review for fatigue.
     Most operators are performing at least a subset of the 
actions included in this proposed rule, but frequently without 
documentation of the basis for their process design choices or 
implementation methods, and sometimes without formalized procedures to 
maintain consistency or to provide for continuous improvement through 
review.
    Because controllers can have a great influence on the outcome of 
abnormal operating and emergency conditions, it is important that we 
provide for adequacy of controller knowledge, skills, abilities, and 
performance and their maintenance over time. PHMSA has identified 
fundamental operating procedures and practices, which should be used by 
pipeline controllers to enhance public safety. Most operators are 
currently using a subset of these procedures and practices, but use of 
these procedures and practices is not universal throughout the 
industry. The project team concluded that operators should be required 
to have more thorough, formalized procedures and processes for 
controller training and qualification which would be evaluated by the 
appropriate Federal or state regulatory authority.
    PHMSA collected and reviewed information from recent accident data 
analysis, complaints, inquiries, safety related condition reports, 
operator visits, PHMSA CCERT team operating experience, and the CCERT 
pilot program to be certain the activities of the pilot project 
operators and subsequent recommendations included recognition of 
lessons learned from those events that have been attributed to, or 
aggravated by, controller action or lack of action. While information 
reviewed indicates there is low probability for controller error to be 
the primary cause of an accident when compared to corrosion and other 
causal factors, this can be offset by the potentially high consequence 
of controller actions or inaction. Other industries, which employ 
validation and certification programs for control room personnel, also 
provided lessons learned in the development, implementation, and 
maintenance of validation and certification programs.
    Through the CCERT study, PHMSA identified a number of areas 
associated with the performance of control rooms that require 
enhancement. These areas were identified through numerous control room 
observations, PHMSA CCERT team operating experience, the collection of 
related research and project activities, controller cognitive skills 
review, the pilot program, and the comparisons with control room 
management issues in parallel industries. The enhancement areas 
incorporated into this proposed rule are as follows:
     Clearly define the roles and responsibilities of 
controllers to promote their prompt and appropriate response to 
abnormal operating conditions.
     Formalize procedures for recording critical information 
and for exchanging information during shift turnover or other times 
when a controller needs to be away from the desk and duties.
     Establish shift lengths, maximum hours of service 
limitations, and schedule rotations that provide sufficient time off 
work for rest in order to protect against the onset of fatigue that 
could affect the performance of pipeline controllers.
     Educate controllers and controller supervisors in fatigue 
mitigation strategies and how non-work activities contribute to fatigue 
that could affect pipeline control and control room management.
     Periodically review SCADA displays to ensure controllers 
are getting clear and reliable information from field stations and 
devices.
     Periodically audit alarm configurations and handling 
procedures to provide confidence in alarm signals and to foster 
controller effectiveness.
     Involve controllers when planning and implementing changes 
in operations.
     Maintain strong communications between controllers and 
field personnel.
     Determine how to establish, maintain, and review 
controller knowledge, skills, abilities, and qualifications.
     Develop performance metrics with particular attention to 
response to abnormal operating conditions.
     Analyze operating experience, including accidents, for 
possible involvement of the SCADA system, controller performance, and 
fatigue.
     Validate the adequacy of controller-related procedures and 
training, and the qualifications of controllers annually through 
involvement by senior-level executives of pipeline companies.
    PHMSA considers annual senior executive validation a key element. 
This would require a pipeline operator's senior executive responsible 
for pipeline operations to attest to the content and thoroughness of 
controller training and qualification programs and

[[Page 53083]]

related procedures that impact safety, and to verify that the 
individuals who operated the pipeline or LNG facility during the year 
have completed these training and qualification programs. The executive 
validations would be subject to regulatory review and inspection, and 
create a stronger ownership and responsibility of senior management in 
regard to potential fines and court proceedings. A secondary benefit of 
this validation process would be improved communication between 
executive level management, control room supervision, and controllers 
regarding concerns, duties, procedures, and processes resulting in an 
elevated awareness within each pipeline operator regarding the critical 
nature of a controller's job as well as the impact of controller duties 
on the safety and integrity of pipeline operations.
    Discussions in the first public workshop held June 27, 2006 
reflected general acknowledgement by the pipeline industry that the 
process outlined above was appropriate to reduce control room risk. 
There was also general agreement that much of the process is in place 
in many pipeline control operations. A summary of this workshop is 
available in the docket PHMSA-RSPA-2004-18584.
    PHMSA's second public workshop was held on May 23, 2007. 
Representatives of the pipeline industry, trade associations, the NTSB, 
other modes of transportation, and public interest groups presented 
their views on issues ranging from operator fatigue to the need to 
periodically review control room procedures. There was general 
agreement among workshop participants that controllers play an 
important role and that a human factors plan could have value. At the 
same time, most agreed that there was no need for major changes to 
current control room practices and staffing. A summary of this workshop 
is available in the docket PHMSA-2007-27954.

B. NTSB SCADA Study

    The NTSB conducted a safety study on hazardous liquid pipeline 
SCADA systems during the same time period as PHMSA conducted the CCERT 
study. The PHMSA project addressed a wider perspective of interest, but 
includes findings similar to those in the NTSB Report.\5\ The NTSB 
study identified areas for potential improvement, which resulted in 
five recommendations; three are incorporated in this proposed rule. 
PHMSA is addressing the other two recommendations independent of this 
proposed rulemaking.
---------------------------------------------------------------------------

    \5\ NTSB, ``Supervisory Control and Data Acquisition (SCADA) 
Systems in Liquid Pipelines,'' Safety Study NTSB/SS-05-02, adopted 
November 29, 2005.
---------------------------------------------------------------------------

    The impetus of the NTSB study was a number of hazardous liquid 
accidents investigated by the NTSB in which leaks went undetected after 
the initial indications of a leak were apparently evident on the SCADA 
system. The NTSB designed its SCADA study to examine how hazardous 
liquid pipeline companies use SCADA systems to monitor and record 
operating data and to evaluate the role of SCADA systems in leak 
detection. The study identified five areas for potential improvement:
     Display graphics.
     Alarm management.
     Controller training.
     Controller fatigue data collection.
     Leak detection systems.
    While this NTSB SCADA study specifically addressed hazardous liquid 
pipelines, NTSB included in the report an appendix listing all of its 
SCADA-related recommendations, which resulted from investigations of 
both hazardous liquid and gas pipeline accidents. Since 1976, the NTSB 
has issued approximately 30 recommendations either directly or 
indirectly related to SCADA systems involving both hazardous liquid and 
gas pipeline systems. PHMSA considers that the NTSB recommendations 
apply equally to gas and hazardous liquid pipelines and to LNG 
facilities. The recommendations are as follows:
NTSB Recommendation P-05-1
    Operators of hazardous liquid pipelines should be required to 
follow the API Recommended Practice 1165 (API RP 1165) for the use of 
graphics on the SCADA screens.
NTSB Recommendation P-05-2
    PHMSA should require pipeline companies to have a policy for the 
review and audit of SCADA-based alarms.
NTSB Recommendation P-05-3
    Operators should be required to include simulator or non-
computerized simulations for training controllers in recognition of 
abnormal operating conditions, in particular leak events.
NTSB Recommendation P-05-4
    PHMSA should change the hazardous liquid accident reporting form 
(PHMSA F 7000-1) and require operators to provide data related to 
controller fatigue. PHMSA is addressing this recommendation in a 
separate action.
NTSB Recommendation P-05-5
    PHMSA should require operators to install computer-based leak 
detection systems on all lines unless engineering analysis determines 
that such a system is not necessary. PHMSA is publishing a report on 
leak detection systems and technology in 2008.
    PHMSA is addressing the first three recommendations in this 
proposed rule. Based on PHMSA's review of accident and incident data, 
the project team found that errant SCADA displays have the potential to 
confuse or mislead controllers or field personnel. They also found very 
few operators who consider the impact of color perception impairments 
and screen clutter or who perform periodic point-to-point verifications 
of screen display data with field instrumentation. Furthermore, the 
team found that training of the controllers usually did not include 
reference material to guide controllers to particular types of displays 
to help resolve certain types of abnormal operating conditions quickly 
or to address emergency response.
    The CCERT team found through discussions with operators that 
policies were seldom in place for systematically reviewing alarms on a 
regular basis. Many operators were not analyzing the number of alarms, 
seeking to eliminate unnecessary alarms, routinely determining if new 
alarms were needed, studying alarms to consider if grouping could 
consolidate information for more effective use, looking for systemic 
alarms, or reviewing alarms to verify alarm descriptions were clear to 
the controller. In addition, operators were not reviewing alarms to 
determine if abnormal operating conditions were frequently occurring 
together or consecutively. Rate-of-change alarms often were not being 
used as operational tools for controllers. Most operators were not 
looking for potential gradual degradation of controller response or 
changes in controller performance. Operators may have to reduce 
pressure because of concerns about the integrity of the pipeline, such 
as anomalies discovered during integrity management assessments. 
However, in many cases, the operators were not changing associated 
alarm set-point values, or field relief values, correspondingly when 
implementing these pressure reductions.
    The CCERT team's discussions with controllers identified that 
generic simulators and high-fidelity (frequently referred to as 
``full'') simulators were preferred training tools. The controllers 
interviewed generally found full simulators to have significant value. 
Tabletop discussions and exercises, and computerized simulators, were 
both found to be valuable resources for controllers in training for 
response to

[[Page 53084]]

abnormal operating conditions. Direct controller involvement in 
scenario development of tabletop exercises and computer-based 
simulations can add safety value to these tools. Controllers can also 
provide significant feedback on exercise performance. However, 
controllers were frequently not represented in the development of 
exercises and frequently did not participate in exercises other than to 
call out appropriate responders. Controllers were seldom asked what 
could be done to make an exercise more realistic, provide greater value 
or improve team response performance.

C. DOT's Human Factors Coordinating Committee (HFCC)

    The Secretary of Transportation established the HFCC in 1991 to 
become the focal point for human factors issues within DOT. Since its 
inception, the HFCC, a multi-modal team with government-wide liaisons, 
has successfully addressed crosscutting human factors issues in 
transportation. The HFCC has influenced the implementation of human 
factors projects within and among DOT's operating administrations, 
provided a mechanism for exchange of human factors and related 
technical information, and provided synergy and continuity in 
implementing transportation human factors research. DOT recognizes that 
many human performance issues are crosscutting and will benefit from a 
multi-modal approach. DOT needs coordinated human factors research to 
permit large research efforts that modes cannot support individually, 
to address multi-modal transportation issues, as well as to advocate 
for timely human factors research in transportation system solutions.
    PHMSA continues to actively participate on the HFCC, and has drawn 
from the work of the HFCC to help identify fatigue management 
strategies for control room management.

IV. PIPES Act of 2006

    The PIPES Act of 2006 (Pub. L. 109-468) imposed additional 
requirements on PHMSA with respect to control room management and human 
factors. The PIPES Act requires PHMSA to issue regulations requiring 
each operator of a gas or hazardous liquid pipeline to develop, 
implement, and submit a human factors management plan designed to 
reduce risks associated with human factors, including fatigue, in each 
control room for the pipeline. Operator plans must include a maximum 
limit on the hours a controller may work in a single shift between 
periods of adequate rest. PHMSA, or a state authorized to exercise 
safety oversight, is required to review and approve operators' human 
factors plans, and operators are required to notify PHMSA (or the 
appropriate state) of deviations from the plan.
    The PIPES Act also requires PHMSA to issue standards to implement 
the first three recommendations of the NTSB SCADA safety study as 
described above. Controllers using computer equipment to monitor or 
operate pipeline facilities can be impacted by display information, 
alarms, and abnormal operating conditions regardless of what type of 
system they operate. PHMSA considers the recommendations to be equally 
applicable to hazardous liquid and gas pipelines (transmission and 
distribution) as well as LNG facilities. This proposed rule will 
respond to the mandates in the PIPES Act relative to control room 
management, human factors, and SCADA.

V. Standards, Recommended Practices, and Guidelines

    One of the actions identified by CCERT was the development of 
consensus-based best practices to promote controller success. PHMSA is 
encouraged by recent industry efforts, including industry review of 
existing standards (such as the Instrument Society of America SP-18 and 
the Engineering Equipment and Materials Users Association 191A), 
guidance material in development by the Transportation Security 
Administration (TSA) focusing on SCADA CyperSecurity, and the 
development of other guidance, recommended practices, and standard 
documents. The structured development process used to establish this 
type of material has historically yielded great safety value. Such 
efforts focused on Control Room Management have the potential