255.631 - Control room management

 

(a) General.

(1) This section applies to each operator of a pipeline facility with a controller working in a control room who monitors and controls all or part of a pipeline facility through a SCADA system. Each operator must have and follow written control room management procedures that implement the requirements of this section, except that for each control room where an operator's activities are limited to either or both of:

(i) Distribution with less than 250,000 services; or

(ii) Transmission without a compressor station, the operator must have and follow written procedures that implement only subdivisions (d) (regarding fatigue) and (i) (regarding compliance and deviations) of this section.

(2) The procedures required by this section must be integrated, as appropriate, with operating and emergency procedures required by sections 255.605 and 255.615 of this Part. An operator must develop the procedures no later than August 1, 2011 and must implement the procedures according to the following schedule. The procedures required by subdivision (b), paragraphs (c)(5), (d)(2) and (d)(3), and subdivisions (f) and (g) of this section must be implemented no later than October 1, 2011. The procedures required by paragraphs (c)(1) through (4), (d)(1), (4), and subdivision (e) of this section must be implemented no later than August 1, 2012. The training procedures required by subdivision (h) of this section must be implemented no later than August 1, 2012, except that any training required by another subdivision of this section must be implemented no later than the deadline for that subdivision.

(b) Roles and responsibilities. Each operator must define the roles and responsibilities of a controller during normal, abnormal, and emergency operating conditions. To provide for a controller's prompt and appropriate response to operating conditions, an operator must define each of the following:

(1) A controller's authority and responsibility to make decisions and take actions during normal operations;

(2) A controller's role when an abnormal operating condition is detected, even if the controller is not the first to detect the condition, including the controller's responsibility to take specific actions and to communicate with others;

(3) A controller's role during an emergency, even if the controller is not the first to detect the emergency, including the controller's responsibility to take specific actions and to communicate with others;

(4) A method of recording controller shift-changes and any hand- over of responsibility between controllers; and

(5) The roles, responsibilities and qualifications of others with the authority to direct or supersede the specific technical actions of a controller.

(c) Provide adequate information. Each operator must provide its controllers with the information, tools, processes and procedures necessary for the controllers to carry out the roles and responsibilities the operator has defined by performing each of the following:

(1) Implement sections 1, 4, 8, 9, 11.1, and 11.3 of API RP 1165 (as described in Section 10.3 of this Title), whenever a SCADA system is added, expanded or replaced, unless the operator demonstrates that certain provisions of sections 1, 4, 8, 9, 11.1, and 11.3 of API RP 1165 are not practical for the SCADA system used;

(2) Conduct a point-to-point verification between SCADA displays and related field equipment when field equipment is added or moved and when other changes that affect pipeline safety are made to field equipment or SCADA displays;

(3) Test and verify an internal communication plan to provide adequate means for manual operation of the pipeline safely, at least once each calendar year, but at intervals not to exceed 15 months;

(4) Test any backup SCADA systems at least once each calendar year, but at intervals not to exceed 15 months; and

(5) Establish and implement procedures for when a different controller assumes responsibility, including the content of information to be exchanged.

(d) Fatigue mitigation. Each operator must implement the following methods to reduce the risk associated with controller fatigue that could inhibit a controller's ability to carry out the roles and responsibilities the operator has defined:

(1) Establish shift lengths and schedule rotations that provide controllers off-duty time sufficient to achieve eight hours of continuous sleep;

(2) Educate controllers and supervisors in fatigue mitigation strategies and how off-duty activities contribute to fatigue;

(3) Train controllers and supervisors to recognize the effects of fatigue; and

(4) Establish a maximum limit on controller hours-of-service, which may provide for an emergency deviation from the maximum limit if necessary for the safe operation of a pipeline facility.

(e) Alarm management. Each operator using a SCADA system must have a written alarm management plan to provide for effective controller response to alarms. An operator's plan must include provisions to:

(1) Review SCADA safety-related alarm operations using a process that ensures alarms are accurate and support safe pipeline operations;

(2) Identify at least once each calendar month points affecting safety that have been taken off scan in the SCADA host, have had alarms inhibited, generated false alarms, or that have had forced or manual values for periods of time exceeding that required for associated maintenance or operating activities;

(3) Verify the correct safety-related alarm set-point values and alarm descriptions at least once each calendar year, but at intervals not to exceed 15 months;

(4) Review the alarm management plan required by this paragraph at least once each calendar year, but at intervals not exceeding 15 months, to determine the effectiveness of the plan;

(5) Monitor the content and volume of general activity being directed to and required of each controller at least once each calendar year, but at intervals not to exceed 15 months, that will assure controllers have sufficient time to analyze and react to incoming alarms; and

(6) Address deficiencies identified through the implementation of paragraphs (1) through (5) of this subdivision.

(f) Change management. Each operator must assure that changes that could affect control room operations are coordinated with the control room personnel by performing each of the following:

(1) Establish communications between control room representatives, operator's management, and associated field personnel when planning and implementing physical changes to pipeline equipment or configuration;

(2) Require its field personnel to contact the control room when emergency conditions exist and when making field changes that affect control room operations; and

(3) Seek control room or control room management participation in planning prior to implementation of significant pipeline hydraulic or configuration changes.

(g) Operating experience. Each operator must assure that lessons learned from its operating experience are incorporated, as appropriate, into its control room management procedures by performing each of the following:

(1) Review incidents that must be reported pursuant to 49 CFR part 191 to determine if control room actions contributed to the event and, if so, correct, where necessary, deficiencies related to:

(i) Controller fatigue;

(ii) Field equipment;

(iii) The operation of any relief device;

(iv) Procedures;

(v) SCADA system configuration; and

(vi) SCADA system performance.

(2) Include lessons learned from the operator's experience in the training program required by this section.

(h) Training. Each operator must establish a controller training program and review the training program content to identify potential improvements at least once each calendar year, but at intervals not to exceed 15 months. An operator's program must provide for training each controller to carry out the roles and responsibilities defined by the operator. In addition, the training program must include the following elements:

(1) Responding to abnormal operating conditions likely to occur simultaneously or in sequence;

(2) Use of a computerized simulator or non-computerized (tabletop) method for training controllers to recognize abnormal operating conditions;

(3) Training controllers on their responsibilities for communication under the operator's emergency response procedures;

(4) Training that will provide a controller a working knowledge of the pipeline system, especially during the development of abnormal operating conditions;

(5) For pipeline operating setups that are periodically, but infrequently used, providing an opportunity for controllers to review relevant procedures in advance of their application; and

(6) Control room team training and exercises that include both controllers and other individuals, defined by the operator, who would reasonably be expected to operationally collaborate with controllers (control room personnel) during normal, abnormal or emergency situations. Operators must comply with the team training requirements under this subdivision by no later than January 23, 2018.

(i) Compliance and deviations. An operator must maintain for review during inspection:

(1) Records that demonstrate compliance with the requirements of this section; and

(2) Documentation to demonstrate that any deviation from the procedures required by this section was necessary for the safe operation of a pipeline facility.