[Federal Register Volume 73, Number 178 (Friday, September 12, 2008)]
[Proposed Rules]
[Pages 53076-53104]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-20701]



[[Page 53075]]

-----------------------------------------------------------------------

Part II





Department of Transportation





-----------------------------------------------------------------------



Pipeline and Hazardous Materials Safety Administration



-----------------------------------------------------------------------



49 CFR Parts 192, 193, and 195



Pipeline Safety: Control Room Management/Human Factors; Proposed Rule

  Federal Register / Vol. 73 , No. 178 / Friday, September 12, 2008 / 
Proposed Rules  

[[Page 53076]]


-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

Pipeline and Hazardous Materials Safety Administration

49 CFR Parts 192, 193, and 195

[Docket ID PHMSA-2007-27954]
RIN 2137-AE28


Pipeline Safety: Control Room Management/Human Factors

AGENCY: Pipeline and Hazardous Materials Safety Administration (PHMSA), 
DOT.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: PHMSA proposes to revise the Federal pipeline safety 
regulations to address human factors and other components of control 
room management. The proposed rules would require operators of 
hazardous liquid pipelines, gas pipelines, and liquefied natural gas 
(LNG) facilities to amend their existing written operations and 
maintenance procedures, operator qualification (OQ) programs, and 
emergency plans to assure controllers and control room management 
practices and procedures used maintain pipeline safety and integrity. 
This proposed rule results from a PHMSA study of controllers and 
controller performance issues known as the Controller Certification 
Project (CCERT), a National Transportation Safety Board study, safety-
related condition reports, operator visits and inspections, and 
inquiries. This rule would improve opportunities to reduce risk through 
more effective control of pipelines and require the human factors 
management plan mandated by the Pipeline Inspection, Protection, 
Enforcement, and Safety Act of 2006 (PIPES Act). These regulations 
would enhance pipeline safety by coupling strengthened control room 
management, including automated control systems, with improved 
controller training and qualifications and fatigue management. PHMSA 
expects these regulations will complement efforts already underway in 
the pipeline industry to address human factors and control room 
management, such as the development of new national consensus 
standards, including an American Petroleum Institute (API) recommended 
practices on roles and responsibilities, shift operations, management 
of change, fatigue management, alarm management and SCADA display 
standard, as well as comparable business practices at some pipeline 
companies.

DATES: Anyone interested in filing written comments on this proposal 
must do so by November 12, 2008. PHMSA will consider late comments 
filed so far as practical.

ADDRESSES: Comments should reference Docket No. PHMSA-2007-27954 and 
may be submitted the following ways:
     E-Gov Web site: http://www.regulations.gov. This Web site 
allows the public to enter comments on any Federal Register notice 
issued by any agency. Follow the instructions for submitting comments.
     Fax: 1-202-493-2251.
     Mail: DOT Docket Management System: U.S. Department of 
Transportation, Docket Operations, M-30, West Building Ground Floor, 
Room W12-140, 1200 New Jersey Avenue, SE., Washington, DC 20590-0001.
     Hand Delivery: DOT Docket Management System; West Building 
Ground Floor, Room W12-140, 1200 New Jersey Avenue, SE., Washington, DC 
20590-0001 between 9 a.m. and 5 p.m., Monday through Friday, except 
Federal holidays.
    Instructions: You should identify the docket ID, PHMSA-2007-27954, 
at the beginning of your comments. If you submit your comments by mail, 
submit two copies. To receive confirmation that PHMSA received your 
comments, include a self-addressed stamped postcard. Internet users may 
submit comments at http://www.regulations.gov.

    Note: Comments are posted without changes or edits to http://www.regulations.gov, including any personal information provided. 
There is a privacy statement published on http://www.regulations.gov.


FOR FURTHER INFORMATION CONTACT: Byron Coy at (609) 989-2180 or by e-
mail at [email protected].

SUPPLEMENTARY INFORMATION: 

I. Prevention Through People

    Over the past several years, PHMSA's integrity management (IM) 
programs have been successfully driving down the two leading causes of 
pipeline failure--excavation damage and corrosion. IM programs help 
operators understand the threats affecting the integrity of their 
systems and implement appropriate actions to mitigate risks associated 
with these threats.
    Excavation damage and corrosion are, however, only part of the 
safety picture. The next logical area of program development is to 
examine the role people play in operating and maintaining pipelines. 
With this proposed rule, PHMSA is beginning implementation of a program 
that recognizes the importance of human interactions and opportunities 
for preventing risk, both errors and mitigating actions, to pipeline 
systems through a Prevention Through People (PTP) program. PTP 
addresses human impacts on pipeline system integrity. Human impacts 
include errors contributing to events, intervention to prevent or 
mitigate events, and the recognition of events that may begin the need 
for increased vigilance. The role of people, including controllers and 
those interacting with control center operations, is a vital component 
in preventing and reducing risk associated with pipeline systems. The 
proposed rule addresses requirements applicable to controllers and 
control room management.
    PHMSA has long recognized that controllers can play a key role in 
pipeline safety. Congress recognized the importance of this role in the 
Pipeline Safety Improvement Act of 2002 (PSIA) (Pub. L. 107-355) and 
the PIPES Act. A controller's actions can mitigate risk, but they can 
also introduce the potential for upset conditions. Human error 
(including those caused by mistake or fatigue) can cause or exacerbate 
events involving releases leading to safety hazards and environmental 
impacts. Controllers also respond to indications of abnormal conditions 
on the pipeline. Appropriate human response to abnormal situations can 
mitigate events, helping to prevent accidents leading to adverse 
consequences. As part of the PTP program, this proposed rule addresses 
requirements applicable to controllers, key players among the people 
who can affect pipeline safety.
    Several existing regulations strengthen the effectiveness of the 
role of people in managing safety. These include regulations on damage 
prevention programs (49 CFR 192.614 and 195.442), public awareness 
(Sec. Sec.  192.616 and 195.440), qualification of pipeline personnel 
(part 192, subpart N, part 193, subpart H, and part 195, subpart G), 
and drug and alcohol testing regulations and procedures (parts 40 and 
199). Explicitly incorporating a PTP element in IM plans would 
emphasize the role of people both in contributing to, and in reducing, 
risks. PHMSA believes this may be the best means of fostering a 
holistic approach to managing the safety impact of people on the 
integrity of pipelines. This proposed rule adds requirements applicable 
to control room management. In the future, PHMSA plans to address 
additional risks associated with human factors as well as the 
opportunities for people to mitigate risks. In addition to regulations, 
PHMSA plans to identify and promote noteworthy best practices in PTP.

[[Page 53077]]

    PHMSA recently reported to Congress on its work examining control 
room management issues as mandated in the PSIA. The report, titled 
``Qualification of Pipeline Personnel,'' includes a summary of the 
CCERT Project, a four-year effort examining control room issues in PTP. 
Although the project began with examination of qualification issues, 
during the course of the project, we identified other control room 
issues impacting the safety performance of controllers. PHMSA concluded 
that validating the adequacy of controller-related processes, 
procedures, training, and the controllers' credentials would improve 
management of control rooms, thereby enhancing safety for the public, 
the environment and pipeline employees. PHMSA also identified areas in 
which additional measures could enhance control room safety and 
minimize the risk associated with fatigue and interaction with computer 
equipment. These areas include annual validation of controller 
qualifications by senior level executives of pipeline companies, 
clearly defined responsibilities for controllers in responding to 
abnormal operating conditions, the use of formalized procedures for 
information exchange during shift turnover, and clearly established 
shift lengths combined with education on strategies to reduce the 
contribution of non-work activities to fatigue. These areas are 
addressed by requirements included in this proposed rule.

II. Background

A. Pipelines and LNG Plants

    Approximately two-thirds of our domestic energy supplies are 
transported by pipeline. There are roughly 170,000 miles of hazardous 
liquid pipelines, 295,000 miles of gas transmission pipelines, and 1.9 
million miles of gas distribution pipelines in the United States. 
Hazardous liquid pipelines carry crude oil to refineries and refined 
products to locations where these products are consumed. Hazardous 
liquid pipelines also transport highly volatile liquids (HVLs), other 
hazardous liquids such as anhydrous ammonia, and carbon dioxide. The 
regulations in 49 CFR part 195 apply to owners and operators of 
pipelines used in the transportation of hazardous liquids and carbon 
dioxide. Throughout this document, the term ``operator'' refers to both 
owners and operators of pipeline facilities.
    Gas transmission pipelines typically carry natural gas over long 
distances from gas gathering, supply, or import facilities to 
localities where it is used to heat homes, generate electricity, and 
fuel industry. Gas distribution pipelines take natural gas from 
transmission pipelines and distribute it to residential, commercial, 
and industrial customers. The regulations in 49 CFR part 192 apply to 
operators of pipelines that transport natural gas, flammable gas, or 
gas which is toxic and corrosive. Throughout this document, the term 
``gas'' refers to all gases in pipelines regulated under part 192.
    Additionally, there are currently 109 LNG import and peak shaving 
plants connected to our natural gas transmission and distribution 
pipeline systems. The volume of natural gas is reduced about 600 times 
when the gas is cooled to a liquid form. This allows large quantities 
of natural gas to be transported by ship and to be stored in insulated 
tanks. LNG import plants allow the U.S. to use natural gas produced in 
other countries and transported by ship. According to the Department of 
Energy, imported LNG provided 2% of U.S. natural gas supplies in 2003 
but that proportion is expected to grow to 21% by 2025.\1\ LNG peak 
shaving plants allow gas pipeline operators to liquefy and store 
natural gas during off-peak periods. The stored LNG is then converted 
back to natural gas when needed for periods of peak consumption. The 
risks inherent in control of these facilities can be reduced by 
application of this proposed rule.
---------------------------------------------------------------------------

    \1\ U.S. Department of Energy, Office of Fossil Energy Web site 
(http://www.fossil.energy.gov/programs/oilgas/storage/lng/feature/whyimportant.html).
---------------------------------------------------------------------------

B. Control Rooms and Controllers

    Most pipelines are underground and operate without disturbing the 
environment or negatively impacting public safety. However, accidents 
\2\ do occasionally occur. Effective control is one key component of 
accident prevention. Controllers can help identify risks, prevent 
accidents, and minimize commodity losses if provided with the necessary 
tools and working environment. Therefore, this proposed rule is 
intended to increase the likelihood that pipeline and LNG controllers 
have the necessary knowledge, skills, abilities, and qualifications to 
help prevent accidents and that operators provide controllers with the 
training, tools, procedures, management support, and environment where 
a controller's actions can help prevent accidents and minimize 
commodity losses.
---------------------------------------------------------------------------

    \2\ The pipeline safety regulations in 49 CFR parts 191, 192, 
and 193 refer to certain harmful events on a gas pipeline system or 
LNG facility as ``incidents'' while part 195 refers to certain 
failures on a hazardous liquid pipeline system as ``accidents.'' 
Throughout this document the terms ``accident'' and ``incident'' may 
be used interchangeably to mean an event or failure on a gas or 
hazardous liquid pipeline system or LNG facility.
---------------------------------------------------------------------------

i. Background
    Pipeline systems vary from small, simple systems, to complex 
systems covering thousands of miles. Combined, these systems make up a 
vast network of pipelines reaching across the United States. Pipeline 
systems include pumps, compressors, storage tanks, valves, and other 
components. A pump station, compressor station, or terminal is usually 
a major installation consisting of large pumps, compressors, storage 
tanks, and other service equipment. Pipeline systems also include 
valves used to control pressure and to direct flow during normal 
operations, to isolate sections of pipeline for maintenance or 
emergency activities, or to maintain operating pressures within 
allowable limits.
    Most operators monitor pumps, compressors, valves, and other 
equipment from single or multiple locations, often hundreds of miles 
away. Such locations are commonly known as ``control rooms.'' The 
individuals who work in control rooms are ``controllers.'' \3\ A 
control room may have one or more controllers, who could be union or 
non-union employees. Both union and non-union controllers may work for 
the same operating company and a control room is likely to be 
operational 24 hours a day, 365 days a year, or less, depending on the 
complexity and nature of the pipeline system or LNG facilities served.
---------------------------------------------------------------------------

    \3\ Different titles exist in the industry for personnel who 
operate computer-based systems for controlling and monitoring the 
operations of pipeline facilities, some of which are controllers, 
dispatchers, operators, and board operators, but all are considered 
``controllers'' in this document.
---------------------------------------------------------------------------

    Most operators use computer-based supervisory control and data 
acquisition (SCADA) systems, distributed control systems (DCS), or 
other less sophisticated systems to gather key information 
electronically from field locations.\4\ These systems are configured to 
present field data to the controllers, and may include additional 
historical, trending, and alarm management information. Controllers 
track routine operations continuously and watch for possible developing 
abnormal operating or emergency conditions. A controller may take 
direct action through the SCADA system to correct the conditions

[[Page 53078]]

or the controller may alert and defer action to others.
---------------------------------------------------------------------------

    \4\ SCADA and DCS systems perform similar functions. Throughout 
this document, where the term SCADA is used, it should be 
interpreted to mean SCADA or DCS.
---------------------------------------------------------------------------

ii. Importance of Control Rooms and Controllers
    Control rooms and controllers are critical to the safe operation of 
pipeline systems and LNG facilities. Control rooms often serve as the 
hub or command center for decisions such as adjusting commodity flow or 
facilitating an operator's initial response to an emergency. The 
control room is the central location where humans or computers receive 
data from field sensors. Commands from the control room may be 
transmitted back to remotely controlled equipment. Field personnel also 
receive significant information from the control room. In essence, the 
control room is the ``brain'' of the pipeline system or LNG plant. 
Errors made in control rooms can have significant effects on the 
controlled systems. A controller's errors can initiate or exacerbate an 
accident. A controller's improper action or lack of action can place 
undue stresses on a pipeline segment or an LNG facility, which could 
result in a subsequent failure, the loss of service, or an increase in 
lost commodity, leading to risk to people, the environment, and the 
fuel supply. Controller responses to developing abnormal operating 
conditions or accidents can alleviate or exacerbate the consequences of 
some events regardless of the initial cause.
    A brief description of a few accidents can help illustrate the 
importance of control rooms and controllers to safe pipeline operation. 
More often than not, however, control rooms and controllers are a 
significant part of an operator's response to abnormal and emergency 
events rather than the cause.
     A batch of hazardous liquid expected to fill several tanks 
was being received at a tank terminal. A tank switchover was scheduled 
to occur late in a controller's shift. The switchover did not occur at 
the scheduled time due to a reduction in flow rate in the pipeline, but 
the controller failed to inform the relief controller at shift change. 
The oncoming controller assumed the switchover had happened as 
scheduled, and therefore did not monitor the levels in the tank being 
filled. The liquid overflowed the tank and was ignited. The resulting 
fire caused considerable damage including the destruction of two large 
storage tanks.
     A seldom-used manual valve in a hazardous liquid pipeline 
system had been closed to facilitate maintenance. The controller was 
aware that the valve was closed. The controller was not aware, however, 
that the indication on his computer display of pressure near the valve 
came from a transducer downstream of the valve. The display indicated 
it was from the upstream side of the valve. While filling the isolated 
portion of the pipeline to return it to service, the controller over-
pressurized the line, resulting in a rupture.
     While diverting hazardous liquid pipeline flow from one 
facility to another, an elevated pressure caused the rupture of a 
pipeline at a location weakened by previous third party damage. Pumps 
had automatically shut off due to the high pressures. Despite a sharp 
drop in line pressure, the controller did not recognize that the 
pipeline had failed, and re-started the pumps. As a result, a 
significant amount of product was released through the ruptured line, 
ignited, and resulted in several fatalities. Maintenance activities 
being performed on the computers of the SCADA system at the time of the 
vent hampered the controller from recognizing and reacting to the 
failure.
     A slug of contaminants was introduced into a gas 
transmission pipeline when gas was drawn from storage. The contaminants 
affected instruments and regulators as the slug moved down the 
pipeline, resulting in many control room alarms. The controller 
operating the pipeline did not recognize what was happening and failed 
to initiate corrective action in time to avoid loss of gas supply to 
several towns.
     A citizen called a gas pipeline control room to report a 
sheen on a creek in a right-of-way shared with hazardous liquid 
pipelines. The citizen called the gas control room because its 
telephone number was on the pipeline marker the citizen located in the 
corridor. The controller of the gas pipeline failed to contact the 
controllers of the liquid pipelines in the shared corridor, and 
referred the information from the call to a field office that was 
unattended at the time. The result was a delay of several days in 
responding to a potential failure of one of the liquid pipelines.
     In a similar situation, a citizen telephoned a gas control 
room and reported a leak. The controller concluded the company had no 
facilities in the area, that any problem was thus not theirs, and did 
not follow up. The leak persisted and subsequent calls to regulatory 
agencies resulted in locating a number of leaks in the area affecting 
facilities operated by the control room that took the original call.
iii. Local Control and LNG
    Many pipeline systems and LNG plants have equipment that is locally 
controlled via a control panel located on or near the field equipment. 
The individuals who operate this equipment using the control panel 
could be considered controllers depending on their shared and 
associated responsibilities with controllers at other locations. This 
may also depend on the specific equipment being controlled and whether 
or not the controlled equipment is within direct observation of the 
individual at the local control panel.
    Gas pipeline operations are sometimes associated with LNG plants. 
LNG facilities are operated from control rooms and can have locally-
controlled equipment in the same manner as pipeline facilities. In 
addition, some LNG control rooms also control pipeline systems 
connected to the LNG plant. Working from control rooms, controllers 
operate LNG facilities, pipelines associated with the facilities, and 
locally controlled equipment within LNG plants.
    Most pipeline systems today have control rooms. These facilities 
can be located at some distance from the pipeline, or they may be in 
close proximity to the pipeline. Many pipelines also have locally 
controlled equipment operated by controllers. This proposed rule 
addresses all of these situations. Pipeline and LNG facilities include 
compressor stations, hazardous liquid terminals, pump stations, LNG 
plants, and any other locations where controllers are located. In 
addition, control room also means a control center, control station, or 
any other such terminology.
iv. Providing Tools for Effective Controller Performance
    Pipeline and LNG controllers impact the safety and integrity of the 
pipeline and LNG facilities they operate by being vigilant during 
normal operations and by properly responding to abnormal operating 
conditions and potential emergency situations. Public safety can be 
enhanced when a pipeline or LNG operator provides a controller the 
necessary tools and management support, while implementing and tracking 
thoroughly developed processes used by controllers.
    SCADA systems, which are widely used throughout the pipeline 
industry, can be as simple as computerized field equipment that allows 
an individual to monitor alarms or control equipment within a pipeline 
facility; or they can be more complex and diverse to allow a

[[Page 53079]]

controller to monitor, or monitor and control, many facilities as part 
of a complex pipeline network involving various communications mediums, 
often from a control room that is hundreds of miles away. For some 
pipeline operators, the application of SCADA systems has resulted in a 
reduction of pipeline field personnel, making the role of the 
controller even more critical to the safety and integrity of pipeline 
facilities.
    Pipeline and LNG controllers also must have adequate and up-to-date 
information about the conditions and operating status of the equipment 
they monitor, or monitor and control, if they are to succeed in 
maintaining pipeline safety. Incorrect, delayed, missing, or poorly 
displayed data may confuse a controller and can lead to problems 
despite the extensive training, qualification, and abilities of the 
controller.
v. Controller Knowledge and Abilities
    Operators should assure that controllers perform their duties 
promptly and accurately, including routine operations and response to 
developing abnormal operating conditions or emergency circumstances, to 
help maintain pipeline and LNG facility safety. Existing operator 
qualification (OQ) regulations for pipeline personnel currently address 
a portion of the processes affecting a controller's ability to succeed 
in maintaining pipeline safety and integrity.
    A controller should possess certain abilities, and attain the 
knowledge and skills necessary to complete the various tasks required 
for a specific pipeline system or LNG facility. To attain the necessary 
knowledge and skills, the controller is typically required to complete 
extensive on-the-job training and is often closely observed by an 
experienced controller for a period of time. The controller must also 
review and understand appropriate procedures, including those 
associated with emergency response, and repeatedly practice the correct 
responses to a variety of abnormal operating conditions. A controller's 
skills and knowledge are then evaluated through the pipeline operator's 
OQ process. Many pipeline operators require additional company-specific 
performance requirements that are outside of the operator's OQ program.
    Many controllers routinely monitor and send commands to change flow 
rates and pressures, open and close valves, start and stop compressors 
or pumps, monitor tank levels, identify abnormal operating and 
emergency conditions, and perform a key role when a safety response is 
needed. In some pipeline systems, controllers also monitor corrosion 
control rectifiers, odorant systems, purge operations, leak detection 
equipment, and security systems. Prompted by an assortment of factors, 
controllers re-direct flow, start and stop pipeline segments, or 
further adjust flow rates to accommodate market conditions, maintenance 
activities, and weather conditions on a regional or national basis. For 
these pipelines, dynamic operating conditions require controllers to 
have a high level of knowledge, skills, and abilities to safely 
maintain systems and to promptly recognize abnormal operating 
conditions or other anomalies as situations develop. In other pipelines 
and distribution systems, controllers use computers to closely monitor 
operating conditions, and then alert field personnel to take action 
when upset, abnormal or emergency conditions arise.
    A controller needs adequate, thorough training and qualifications 
as well as appropriate timely data, a control system designed to aid in 
the prompt identification of abnormal conditions, and an understanding 
of the controller's authority to take appropriate actions.
vi. Control Room Management
    All of this must occur within an environment that facilitates 
appropriate and correct actions. Operators must appropriately manage 
the factors affecting the controller, including relevant human factors 
and operator processes and procedures. PHMSA refers to the combination 
of all these factors as control room management.
    Centralized pipeline and facility control operations generally fall 
into one of three control function categories or into a hybrid 
combination:
    1. Monitor, detect, and perform full remote control.
    2. Monitor, detect, and direct field operating personnel to perform 
specific actions.
    3. Monitor, detect, and alert field operating personnel, and defer 
action to field personnel.
    Controllers use SCADA systems to detect and monitor operational 
conditions. A controller then performs the required control function or 
directs or defers to field operations for needed attention based on the 
controller's responsibility, authority, and assessment of the 
situation.
    Individual station computer control may be implemented through:
    1. A unified control system within the station or plant, or
    2. Individual unit-mounted control panels for each piece of 
equipment or groupings of equipment.
    Pipeline operations can vary significantly based on the physical 
properties of the commodities transported. For example, compressibility 
is a fundamental difference between natural gas and some hazardous 
liquids. SCADA system configuration, communication schemes, control 
modes and applied instrumentation, pipeline system configuration and 
complexities, size, procedures, and practices can further differentiate 
pipeline operations. These differences can have dramatic effects on the 
required content and scope of a controller's training and 
qualifications, and on operational procedures and configuration of 
applied SCADA control systems. Differences in pipeline operations can 
also exist because some controllers are union employees governed by 
contract conditions and some are not. This can impact the number of 
hours worked, activities performed, number of controllers on shift, and 
other factors such as shift schedules.
    All controllers have some opportunity to mitigate risks. The degree 
to which they can affect pipeline safety may vary. For example, all 
controllers, including those that monitor only, can affect minor events 
(i.e. those not meeting reporting thresholds) and can influence the 
impact of future incidents in a positive manner. Pipeline controllers 
require similar cognitive and analytical skills. Additionally, control 
room procedures, pipeline controller tools, training, skills, and 
qualifications can impact controller performance.
    The nature of a particular control arrangement and the commodity 
transported will affect the actions an operator must take to manage the 
control environment and permit controllers to be successful in 
maintaining pipeline safety. None of these differences, though, obviate 
the need for control room management.

C. The Safety Pyramid

    Operators of gas pipeline systems must submit to PHMSA written 
reports of events meeting certain criteria as incidents. Over the past 
10 years, gas pipeline operators have submitted written reports for 
approximately 100 incidents per year on approximately 300,000 miles of 
gas transmission pipelines and approximately 130 incidents per year on 
approximately 2 million miles of distribution pipelines. Similarly, 
operators of hazardous liquid pipeline systems must submit to PHMSA 
written reports of

[[Page 53080]]

pipeline system failures meeting certain criteria as accidents. Over 
the same 10 years, hazardous liquid pipeline operators have reported an 
average of approximately 140 accidents per year on approximately 
160,000 miles of pipeline. The total number of accidents reported to 
PHMSA is about 370 per year.
    There are far more events, failures and near misses that occur on 
pipelines than those that require written reports. Some involve off-
normal conditions for which controllers or automated safety systems 
intercede to prevent serious consequences. Others do not progress to 
the point of needing controller or safety system involvement. Pipeline 
operators document some near misses, but not all. PHMSA believes there 
are other low-order events, failures and near misses that occur 
unobserved.
    The term ``safety pyramid'' was used by Dr. D.W. Heinrich (1881-
1962), an insurance company analyst who analyzed industrial accident 
prevention in the 1930s. In particular, he studied the relationship of 
events of varying significance and concluded that serious events (e.g., 
those resulting in fatalities) in any system occur in much smaller 
numbers than events of lesser significance. His work generally divided 
events into a 300-29-1 ratio, where there is 1 significant failure and 
29 notable events in every 300. Heinrich called this relationship the 
``safety pyramid.'' In turn, the number of errors and situations not 
recognized as ``events'' is even larger. Reportable pipeline accidents 
and incidents are only the tip of the safety pyramid. More events and 
failures occur at lower levels of the pyramid, including many near-miss 
events. Information about these near-miss events, whether affecting a 
gas pipeline, hazardous liquid pipeline, or LNG facility, can lead to 
identifying key elements that can prevent events and failures from 
reaching the tip of the safety pyramid. Controller vigilance and 
appropriate response to lower-level events thus serves to prevent 
reportable pipeline incidents from occurring.

D. Learning From Industry-Wide Operating Experience

    The proposed rule would require operators to establish a program to 
evaluate events that occur on their pipeline systems to identify 
lessons that can be used to improve control room performance. PHMSA 
believes it would be useful for the pipeline industry to establish a 
program to perform the same function for events occurring across the 
pipeline industry and to disseminate to all pipeline operators the 
lessons learned.
    It is self-evident that more events occur within the pipeline 
industry than on any individual pipeline system. The industry's safety 
pyramid is larger than that for any individual operator. This larger 
database of experience would provide more opportunity to learn lessons 
that can be used to improve the ability of controllers to maintain 
pipeline safety. For example, the airline industry and nuclear power 
plants have processes to collect and analyze operating experience and 
to share important lessons across their sectors. No such process exists 
within the pipeline or LNG industries. Some information about failures 
can be gleaned from news reports and discussions in trade association 
meetings, but pipeline and LNG operators do not usually share the 
details of failures. Operators are even less likely to share 
information about the bulk of close-calls and other minor events in the 
lower sector of the safety pyramid. Events with significant 
consequences (e.g., the 1999 hazardous liquid pipeline leak and 
explosion in Bellingham, Washington, or the 2001 gas transmission 
pipeline explosion near Carlsbad, New Mexico) get considerable press 
attention and become well known. The NTSB investigates significant 
pipeline events and issues reports and recommendations. Some events of 
lesser significance may be reported in trade press or by informal 
communications among pipeline operators, but there is no formalized 
process to collect and analyze information regarding close-call events 
or problems with more limited consequences in the pipeline industry.
    For larger pipeline operators, the sheer number of pipeline 
segments and stations may allow for the creation of a sufficiently 
large database of events to yield analytical value, but for most 
operators, their own experiences are not adequate to do so. Industry 
trade associations or other cooperative organizations could sponsor an 
industry-wide process to collect and analyze such information. Issues 
of proprietary information and perceived industry collusion are real 
constraints, but these have been dealt with in other industries.
    While the proposed rule would require each operator to establish a 
program to evaluate events that occur on its pipeline system, the rule 
would not require an intra-industry operating experience review 
process. PHMSA believes such intra-industry review could be useful, but 
does not consider it appropriate at this time to avoid the issues of 
unnecessary disclosure of proprietary information and perceived 
industry collusion. PHMSA encourages these industries to consider 
establishing such processes and invites the public and industry to 
comment on the value of such an inter-company review process.

III. Human Factors Studies

A. PHMSA Controller Study

    PHMSA had been studying and evaluating control room operations for 
many years and began developing control room inspection guidance in 
1999. Subsequently, Congress enacted the PSIA, which the President 
signed into law on December 17, 2002. Section 13 of the PSIA required 
the DOT to conduct a pilot program to evaluate whether pipeline 
controllers should be certified based on tests and other requirements. 
In response to the PSIA, PHMSA conducted the CCERT study and reported 
findings to Congress in a report dated December 17, 2006, entitled 
``Qualification of Pipeline Personnel.'' This project included a 
comprehensive review of existing controller training, qualification 
processes, procedures, and practices. This review also included 
identifying potential enhancements such as validation and certification 
processes currently used in other industries to enhance public safety.
    Understanding the attributes traditionally contained in existing 
operators' training and qualification programs was an essential element 
of CCERT. Process techniques, practices, and procedures are significant 
and valuable tools to train and qualify controllers. PHMSA identified 
techniques, practices, and procedures through interviews with numerous 
pipeline operators and controllers in a variety of situations. This 
included pipelines of a wide array of types and sizes and both union 
and non-union controllers.
    PHMSA determined what actions would lead to an additional assurance 
that pipeline controllers are adequately qualified to perform safety-
sensitive tasks. The project team also identified key processes and 
procedures critical to control room safety and reviewed certification 
programs. To consider validation or certification of pipeline 
operators' qualification processes, the training and qualification 
programs should be thorough and adequately administered. PHMSA's 
primary project objectives were to review and evaluate the structure 
and content of operators' training and qualification programs and to 
identify controller procedures that can have an impact on pipeline 
safety and integrity.

[[Page 53081]]

    The project focused on the content of the pipeline operators' 
administrative, training, and evaluation techniques that make up the 
controller training and qualification processes, and included a review 
of related safety and integrity procedures. Ultimately this information 
helped to:
     Identify content that should be included in an operator's 
training program for controllers.
     Identify content that should be included in the 
qualification programs to provide a higher assurance that controllers 
possess adequate knowledge, skills, and abilities to maintain the 
safety and integrity of the pipeline.
     Determine what form of validation should be used to 
ascertain that pipeline controllers are adequately qualified and 
sustain those qualifications.
     Identify aspects of safety and integrity practices and 
procedures that are critical to controllers.
    PHMSA established and implemented a strategy for receiving and 
encouraging ongoing stakeholder interaction early in the project. This 
approach involved the participation of numerous stakeholders that 
provided information including a focus group with representatives of 
the public, industry trade associations, pipeline operators, state and 
Federal pipeline safety agencies, and academia. PHMSA shared insights 
regarding key operational and logistical considerations for the project 
and collected comments from the group at key phases of the project. 
Information came directly from the focus group participants and 
indirectly from members of their respective constituencies. In 
addition, PHMSA presented project updates at numerous trade association 
meetings and other stakeholder forums to solicit additional feedback.
    PHMSA gathered supplemental information regarding controller 
qualifications from pipeline operators transporting various commodities 
with diverse control room characteristics, complex control operations 
and minimal monitoring operations, union and nonunion work 
environments, and varying pipeline mileage. Additional information was 
also obtained from the following sources:
     National Transportation Safety Board (NTSB);
     PHMSA Pipeline Technical Advisory Committees;
     National Association of Pipeline Safety Representatives 
(NAPSR);
     Pipeline trade organizations such as the
    [ctrcir] American Petroleum Institute (API),
    [ctrcir] Association of Oil Pipelines (AOPL),
    [ctrcir] American Gas Association (AGA),
    [ctrcir] American Public Gas Association (APGA), and
    [ctrcir] Interstate Natural Gas Association of America (INGAA);
     Research by
    [ctrcir] Najmedin (Najm) Meshkati, Professor of Civil/Environmental 
Engineering and Professor of Industrial and Systems Engineering at the 
University of Southern California,
    [ctrcir] Craig Harvey, Industrial and Manufacturing Systems 
Engineering, Louisiana State University, and
    [ctrcir] Marvin McCallum, Christian Richard, Battelle Seattle 
Research Centers;
     Related product and system vendors;
     Public advocate discussion lists (such as http://tech.groups.yahoo.com/group/safepipelines)
     Other industries utilizing validation and certification 
programs, including:
    [ctrcir] Aviation,
    [ctrcir] Railroad,
    [ctrcir] Nuclear power, and
    [ctrcir] Electric power transmission.
    PHMSA gathered additional information from the Environmental 
Protection Agency, the Occupational Safety and Health Administration, 
and the Chemical Safety Board. Because training, qualification, and 
certification programs are implemented in various forms, discussions 
about lessons learned in the development, implementation, and 
maintenance of programs in other industries were especially valuable.
    PHMSA sponsored two public workshops (June 27, 2006, and May 23, 
2007) that provided various stakeholders an opportunity to discuss 
options to enhance the adequacy of control room management, provide 
substantiation of existing pipeline control management processes, 
discuss human fatigue issues, present existing qualification processes, 
and provide insights on other programs or methods used to provide for 
effective monitoring and control of pipelines.
    The workshops provided additional information and promoted 
discussion on the most critical factors emerging from the CCERT and the 
NTSB recommendations (discussed below) affecting the control and 
monitoring of gas and hazardous liquid pipelines. PHMSA provided an 
opportunity to discuss findings as a basis for providing further 
assurance about the effectiveness of pipeline control and the skills 
and qualifications of controllers. To foster discussion, PHMSA posed a 
number of specific questions in the Federal Register notices announcing 
the workshops, which were then discussed during the workshops, yielding 
valuable information, ideas, and opinions from a broad assortment of 
stakeholders.
    The first workshop was divided into several sessions, each 
highlighted by panel discussions and an open question and answer 
period. The panels were made up of subject matter experts from the 
public, industry, and government. The panelists discussed formalized 
procedures to control shift rotation schedules, shift changeover 
practices and possible ways to improve training on fatigue. Discussions 
included the CCERT recommendations providing clear direction regarding 
the controller's authority and responsibility to promote prompt 
detection and appropriate response to abnormal operating and emergency 
conditions and ways to address major changes in the controller's 
operating environment.
    The panelists discussed the importance of operators routinely 
reviewing alarm and event displays to identify when changes are 
necessary as well as additional measures to further protect against 
unauthorized access to the SCADA area. Different types of training 
associated with the recognition of abnormal operating conditions, 
emergencies, and maintaining personnel qualifications were also 
reviewed. A more detailed summary of the workshop is available in the 
CCERT docket, PHMSA-RSPA-2004-18584.
    The significant outcome of CCERT was the identification of elements 
that can provide value in controller training and qualification 
processes and the recognition of the importance of thoroughness and 
clarity of controller-related procedures that affect pipeline safety 
and integrity. Also of value was the identification of a validation 
process for the implementation and review of these same processes and 
procedures. Enhancements to operator programs affecting controllers can 
be realized with thorough and formalized procedures and practices, 
additions to training and qualification programs, stimulated 
discussions in industry fostering a continued sharing of best 
practices, and the development of industry-wide recommended practices 
and standards. Other factors can also influence a controller's ability 
to succeed. Pipeline operators should identify a controller's physical 
work environment, visual and aural distractions, ancillary work 
assignments that dilute a controller's attentiveness, workload, and 
SCADA system performance.
    The CCERT team concluded that a single controller certification 
process for the entire pipeline industry would not be appropriate for a 
number of reasons. First, because of the wide variability

[[Page 53082]]

among pipeline systems, a uniform controller qualification 
(certification) examination would have to be very general. Second, a 
general exam would need to be supplemented by significant and specific 
material for each system by each operator before a controller could 
adequately perform his duties. Third, a uniform controller 
qualification or certification test for the entire industry would not 
address many operator-specific and sometimes unique tasks critical to 
individual pipeline safety and integrity.
    The CCERT team concluded, however, that requiring operators to 
validate, review, and continuously improve the adequacy of controller-
related training, qualification, and procedures specific to each 
operator's pipeline would lead to improved public safety and better 
safety management in control rooms.
    The CCERT team also concluded:
     As a cause or contributor to pipeline events or failures, 
control rooms rank very low compared to corrosion, material defects, 
and third party damage, but controllers must respond appropriately to 
each of these identified contributing factors.
     Controllers are in a position of great importance to 
detect and react to abnormal operating and emergency conditions, 
thereby helping to avert failures and mitigate damage after a failure 
occurs.
     Controllers are key players in a company's response to 
abnormal operating and emergency conditions.
     The low probability of controller error is offset by the 
potentially high consequence of damages and injuries as a result of 
their improper actions.
     Remote monitoring or control through the use of a computer 
system may be performed in a formal control room, or numerous less 
formal settings such as an individual's office, service vehicle, or 
residence.
     The location of monitor or control functions does not 
define the nature or complexity of operations.
     Established definitions used in other regulations such as 
large or small operators based on pipeline mileage, location of the 
facility, or less than 20% of the specified minimum yield strength 
(SMYS) of the pipeline, are not good qualifiers in defining control 
room risks.
     More complex and diverse operations call for more thorough 
control room systems and processes.
     Involvement of field personnel in control activities has 
the potential to positively or negatively influence risk control.
     Although some operators still use 8-hour shifts, most 
operators have moved to 12-hour shifts.
     Choice of shift plan and rotation schedule is usually not 
supported by analytical review for fatigue.
     Most operators are performing at least a subset of the 
actions included in this proposed rule, but frequently without 
documentation of the basis for their process design choices or 
implementation methods, and sometimes without formalized procedures to 
maintain consistency or to provide for continuous improvement through 
review.
    Because controllers can have a great influence on the outcome of 
abnormal operating and emergency conditions, it is important that we 
provide for adequacy of controller knowledge, skills, abilities, and 
performance and their maintenance over time. PHMSA has identified 
fundamental operating procedures and practices, which should be used by 
pipeline controllers to enhance public safety. Most operators are 
currently using a subset of these procedures and practices, but use of 
these procedures and practices is not universal throughout the 
industry. The project team concluded that operators should be required 
to have more thorough, formalized procedures and processes for 
controller training and qualification which would be evaluated by the 
appropriate Federal or state regulatory authority.
    PHMSA collected and reviewed information from recent accident data 
analysis, complaints, inquiries, safety related condition reports, 
operator visits, PHMSA CCERT team operating experience, and the CCERT 
pilot program to be certain the activities of the pilot project 
operators and subsequent recommendations included recognition of 
lessons learned from those events that have been attributed to, or 
aggravated by, controller action or lack of action. While information 
reviewed indicates there is low probability for controller error to be 
the primary cause of an accident when compared to corrosion and other 
causal factors, this can be offset by the potentially high consequence 
of controller actions or inaction. Other industries, which employ 
validation and certification programs for control room personnel, also 
provided lessons learned in the development, implementation, and 
maintenance of validation and certification programs.
    Through the CCERT study, PHMSA identified a number of areas 
associated with the performance of control rooms that require 
enhancement. These areas were identified through numerous control room 
observations, PHMSA CCERT team operating experience, the collection of 
related research and project activities, controller cognitive skills 
review, the pilot program, and the comparisons with control room 
management issues in parallel industries. The enhancement areas 
incorporated into this proposed rule are as follows:
     Clearly define the roles and responsibilities of 
controllers to promote their prompt and appropriate response to 
abnormal operating conditions.
     Formalize procedures for recording critical information 
and for exchanging information during shift turnover or other times 
when a controller needs to be away from the desk and duties.
     Establish shift lengths, maximum hours of service 
limitations, and schedule rotations that provide sufficient time off 
work for rest in order to protect against the onset of fatigue that 
could affect the performance of pipeline controllers.
     Educate controllers and controller supervisors in fatigue 
mitigation strategies and how non-work activities contribute to fatigue 
that could affect pipeline control and control room management.
     Periodically review SCADA displays to ensure controllers 
are getting clear and reliable information from field stations and 
devices.
     Periodically audit alarm configurations and handling 
procedures to provide confidence in alarm signals and to foster 
controller effectiveness.
     Involve controllers when planning and implementing changes 
in operations.
     Maintain strong communications between controllers and 
field personnel.
     Determine how to establish, maintain, and review 
controller knowledge, skills, abilities, and qualifications.
     Develop performance metrics with particular attention to 
response to abnormal operating conditions.
     Analyze operating experience, including accidents, for 
possible involvement of the SCADA system, controller performance, and 
fatigue.
     Validate the adequacy of controller-related procedures and 
training, and the qualifications of controllers annually through 
involvement by senior-level executives of pipeline companies.
    PHMSA considers annual senior executive validation a key element. 
This would require a pipeline operator's senior executive responsible 
for pipeline operations to attest to the content and thoroughness of 
controller training and qualification programs and

[[Page 53083]]

related procedures that impact safety, and to verify that the 
individuals who operated the pipeline or LNG facility during the year 
have completed these training and qualification programs. The executive 
validations would be subject to regulatory review and inspection, and 
create a stronger ownership and responsibility of senior management in 
regard to potential fines and court proceedings. A secondary benefit of 
this validation process would be improved communication between 
executive level management, control room supervision, and controllers 
regarding concerns, duties, procedures, and processes resulting in an 
elevated awareness within each pipeline operator regarding the critical 
nature of a controller's job as well as the impact of controller duties 
on the safety and integrity of pipeline operations.
    Discussions in the first public workshop held June 27, 2006 
reflected general acknowledgement by the pipeline industry that the 
process outlined above was appropriate to reduce control room risk. 
There was also general agreement that much of the process is in place 
in many pipeline control operations. A summary of this workshop is 
available in the docket PHMSA-RSPA-2004-18584.
    PHMSA's second public workshop was held on May 23, 2007. 
Representatives of the pipeline industry, trade associations, the NTSB, 
other modes of transportation, and public interest groups presented 
their views on issues ranging from operator fatigue to the need to 
periodically review control room procedures. There was general 
agreement among workshop participants that controllers play an 
important role and that a human factors plan could have value. At the 
same time, most agreed that there was no need for major changes to 
current control room practices and staffing. A summary of this workshop 
is available in the docket PHMSA-2007-27954.

B. NTSB SCADA Study

    The NTSB conducted a safety study on hazardous liquid pipeline 
SCADA systems during the same time period as PHMSA conducted the CCERT 
study. The PHMSA project addressed a wider perspective of interest, but 
includes findings similar to those in the NTSB Report.\5\ The NTSB 
study identified areas for potential improvement, which resulted in 
five recommendations; three are incorporated in this proposed rule. 
PHMSA is addressing the other two recommendations independent of this 
proposed rulemaking.
---------------------------------------------------------------------------

    \5\ NTSB, ``Supervisory Control and Data Acquisition (SCADA) 
Systems in Liquid Pipelines,'' Safety Study NTSB/SS-05-02, adopted 
November 29, 2005.
---------------------------------------------------------------------------

    The impetus of the NTSB study was a number of hazardous liquid 
accidents investigated by the NTSB in which leaks went undetected after 
the initial indications of a leak were apparently evident on the SCADA 
system. The NTSB designed its SCADA study to examine how hazardous 
liquid pipeline companies use SCADA systems to monitor and record 
operating data and to evaluate the role of SCADA systems in leak 
detection. The study identified five areas for potential improvement:
     Display graphics.
     Alarm management.
     Controller training.
     Controller fatigue data collection.
     Leak detection systems.
    While this NTSB SCADA study specifically addressed hazardous liquid 
pipelines, NTSB included in the report an appendix listing all of its 
SCADA-related recommendations, which resulted from investigations of 
both hazardous liquid and gas pipeline accidents. Since 1976, the NTSB 
has issued approximately 30 recommendations either directly or 
indirectly related to SCADA systems involving both hazardous liquid and 
gas pipeline systems. PHMSA considers that the NTSB recommendations 
apply equally to gas and hazardous liquid pipelines and to LNG 
facilities. The recommendations are as follows:
NTSB Recommendation P-05-1
    Operators of hazardous liquid pipelines should be required to 
follow the API Recommended Practice 1165 (API RP 1165) for the use of 
graphics on the SCADA screens.
NTSB Recommendation P-05-2
    PHMSA should require pipeline companies to have a policy for the 
review and audit of SCADA-based alarms.
NTSB Recommendation P-05-3
    Operators should be required to include simulator or non-
computerized simulations for training controllers in recognition of 
abnormal operating conditions, in particular leak events.
NTSB Recommendation P-05-4
    PHMSA should change the hazardous liquid accident reporting form 
(PHMSA F 7000-1) and require operators to provide data related to 
controller fatigue. PHMSA is addressing this recommendation in a 
separate action.
NTSB Recommendation P-05-5
    PHMSA should require operators to install computer-based leak 
detection systems on all lines unless engineering analysis determines 
that such a system is not necessary. PHMSA is publishing a report on 
leak detection systems and technology in 2008.
    PHMSA is addressing the first three recommendations in this 
proposed rule. Based on PHMSA's review of accident and incident data, 
the project team found that errant SCADA displays have the potential to 
confuse or mislead controllers or field personnel. They also found very 
few operators who consider the impact of color perception impairments 
and screen clutter or who perform periodic point-to-point verifications 
of screen display data with field instrumentation. Furthermore, the 
team found that training of the controllers usually did not include 
reference material to guide controllers to particular types of displays 
to help resolve certain types of abnormal operating conditions quickly 
or to address emergency response.
    The CCERT team found through discussions with operators that 
policies were seldom in place for systematically reviewing alarms on a 
regular basis. Many operators were not analyzing the number of alarms, 
seeking to eliminate unnecessary alarms, routinely determining if new 
alarms were needed, studying alarms to consider if grouping could 
consolidate information for more effective use, looking for systemic 
alarms, or reviewing alarms to verify alarm descriptions were clear to 
the controller. In addition, operators were not reviewing alarms to 
determine if abnormal operating conditions were frequently occurring 
together or consecutively. Rate-of-change alarms often were not being 
used as operational tools for controllers. Most operators were not 
looking for potential gradual degradation of controller response or 
changes in controller performance. Operators may have to reduce 
pressure because of concerns about the integrity of the pipeline, such 
as anomalies discovered during integrity management assessments. 
However, in many cases, the operators were not changing associated 
alarm set-point values, or field relief values, correspondingly when 
implementing these pressure reductions.
    The CCERT team's discussions with controllers identified that 
generic simulators and high-fidelity (frequently referred to as 
``full'') simulators were preferred training tools. The controllers 
interviewed generally found full simulators to have significant value. 
Tabletop discussions and exercises, and computerized simulators, were 
both found to be valuable resources for controllers in training for 
response to

[[Page 53084]]

abnormal operating conditions. Direct controller involvement in 
scenario development of tabletop exercises and computer-based 
simulations can add safety value to these tools. Controllers can also 
provide significant feedback on exercise performance. However, 
controllers were frequently not represented in the development of 
exercises and frequently did not participate in exercises other than to 
call out appropriate responders. Controllers were seldom asked what 
could be done to make an exercise more realistic, provide greater value 
or improve team response performance.

C. DOT's Human Factors Coordinating Committee (HFCC)

    The Secretary of Transportation established the HFCC in 1991 to 
become the focal point for human factors issues within DOT. Since its 
inception, the HFCC, a multi-modal team with government-wide liaisons, 
has successfully addressed crosscutting human factors issues in 
transportation. The HFCC has influenced the implementation of human 
factors projects within and among DOT's operating administrations, 
provided a mechanism for exchange of human factors and related 
technical information, and provided synergy and continuity in 
implementing transportation human factors research. DOT recognizes that 
many human performance issues are crosscutting and will benefit from a 
multi-modal approach. DOT needs coordinated human factors research to 
permit large research efforts that modes cannot support individually, 
to address multi-modal transportation issues, as well as to advocate 
for timely human factors research in transportation system solutions.
    PHMSA continues to actively participate on the HFCC, and has drawn 
from the work of the HFCC to help identify fatigue management 
strategies for control room management.

IV. PIPES Act of 2006

    The PIPES Act of 2006 (Pub. L. 109-468) imposed additional 
requirements on PHMSA with respect to control room management and human 
factors. The PIPES Act requires PHMSA to issue regulations requiring 
each operator of a gas or hazardous liquid pipeline to develop, 
implement, and submit a human factors management plan designed to 
reduce risks associated with human factors, including fatigue, in each 
control room for the pipeline. Operator plans must include a maximum 
limit on the hours a controller may work in a single shift between 
periods of adequate rest. PHMSA, or a state authorized to exercise 
safety oversight, is required to review and approve operators' human 
factors plans, and operators are required to notify PHMSA (or the 
appropriate state) of deviations from the plan.
    The PIPES Act also requires PHMSA to issue standards to implement 
the first three recommendations of the NTSB SCADA safety study as 
described above. Controllers using computer equipment to monitor or 
operate pipeline facilities can be impacted by display information, 
alarms, and abnormal operating conditions regardless of what type of 
system they operate. PHMSA considers the recommendations to be equally 
applicable to hazardous liquid and gas pipelines (transmission and 
distribution) as well as LNG facilities. This proposed rule will 
respond to the mandates in the PIPES Act relative to control room 
management, human factors, and SCADA.

V. Standards, Recommended Practices, and Guidelines

    One of the actions identified by CCERT was the development of 
consensus-based best practices to promote controller success. PHMSA is 
encouraged by recent industry efforts, including industry review of 
existing standards (such as the Instrument Society of America SP-18 and 
the Engineering Equipment and Materials Users Association 191A), 
guidance material in development by the Transportation Security 
Administration (TSA) focusing on SCADA CyperSecurity, and the 
development of other guidance, recommended practices, and standard 
documents. The structured development process used to establish this 
type of material has historically yielded great safety value. Such 
efforts focused on Control Room Management have the potential of 
enhancing safety, especially when all key stakeholders are included and 
contribute to the process.
    The following is a list of identified applicable standards, 
recommended practices, white papers, and guidance material that have 
been established, revised, or that are currently under development:
     API RP-1165, SCADA Display Standard.
     American Society of Mechanical Engineers (ASME) B31Q, 
Operator Qualifications.
     API 1164, SCADA Security.
     API RP1167, Alarm Management.
     AGA, Alarm Management.
     API RP 1161, Qualification of Liquid Pipeline Personnel.
     TSA, SCADA CyperSecurity Guidance Material.
     API RP 1168, Control Room Management.
     ISA SP-18, Instrument Signals and Alarms.
     EEMUA 191A, Alarm Systems--A Guide to Design, Management 
and Procurement.
    API recommended practice on control room management was initiated 
in February, 2008 and is anticipated to be completed in February, 2009. 
It is anticipated this document will address four of the nine 
enhancement areas addressed in PHMSA research and required in the PIPES 
Act. Specific guidance anticipated in this recommended practice will 
address: (1) Roles and Responsibilities, (2) Shift Operations, (3) 
Management of Change, and (4) Fatigue. PHMSA anticipates guidance on 
such aspects as clarifying operator's expectations for controllers to 
take action, information flow needed on field activities that could 
affect pipeline operations, direction of shift rotation and time 
between shifts, extent of off-duty activity and fatigue management 
strategy, personal responsibility for rest, how to recognize and 
mitigate fatigue, and the content of education programs to share with 
families of the controllers.
    PHMSA and NAPSR have been participating in the development of this 
recommended practice and other national consensus document efforts and 
will continue to support, participate in, and encourage the development 
of national consensus standards and recommended practices. Once these 
materials are completed, PHMSA will review them and consider a 
regulatory amendment to incorporate by reference all or parts of such 
applicable documents in amended regulations.

VI. PHMSA's Proposed Approach

    PHMSA is proposing to require that appropriate control room 
management elements be incorporated into operator plans and procedures 
already required by existing regulations. PHMSA believes this approach 
will minimize the burden on operators and will prove more effective in 
the long term, because it will integrate these elements directly into 
the existing operator programs associated with these actions. This will 
also avoid operators having another plan that may create or exacerbate 
internal communication complexities. As is the case with other 
regulations, an operator would not be expected to establish processes 
and procedures for those tasks not applicable to their operations.
    These requirements would apply to operators of hazardous liquid, 
gas transmission, and gas distribution pipeline facilities, as well as 
to

[[Page 53085]]

operators of LNG facilities. The requirements would not apply to 
operators of master meters or petroleum gas systems unless the operator 
transports gas as a primary activity. Master meter and petroleum gas 
pipeline systems are generally very simple and typically consist of 
only pipe, service regulators, meters, and manual valves. These systems 
do not typically include a control room, equipment requiring local 
control or computer systems for operations, or provisions for 
continuous remote monitoring. Operators of these systems are excluded 
from the scope of this proposed regulation. This proposed exclusion is 
consistent with other PHMSA initiatives and regulations.
    The control room management elements describe ``what'' an operator 
must include but not ``how'' an operator must carry out such elements. 
This is typical of performance-based regulations and it recognizes the 
significant diversity present among pipeline systems and control rooms.
    One of the elements proposed is a plan that each operator would 
develop and implement to limit the maximum length of time that a 
controller could work in a single shift between periods of adequate 
rest. The PIPES Act specifies that PHMSA (or a state authority) may not 
approve a control room management plan that does not include such a 
limit. This rule does not propose a maximum hours of service limit, 
since PHMSA recognizes operator-specific factors may affect this limit 
for each operator. Many controllers work 12-hour shifts, as do 
individuals with similar jobs in other industries. PHMSA has no 
technical objection to 12-hour shifts. For control rooms staffed on a 
24-hour basis, we also recognize that additional time is required at 
the beginning and end of each shift to accomplish a thorough shift 
turnover between incoming and outgoing controllers. Thorough shift 
turnover procedures are important and are one of the elements included 
in this proposed rule.
    Research performed by others has repeatedly identified a need for 
individuals to have eight hours sleep each day to maintain their best 
performance.\6\ PHMSA understands that operators have limited control 
over what a controller does during off-shift hours, but the agency 
expects that shift schedules will be established to provide a 
reasonable opportunity for a controller to achieve eight hours of sleep 
and for operators to educate controllers on the importance and need for 
adequate rest. PHMSA expects operators to take these factors into 
consideration when establishing a limit on the maximum hours an 
individual controller would work in a single shift, between periods of 
adequate rest. Operators should also consider other factors that may be 
unique to their operations and should provide an adequate amount of 
time between shifts so that controllers can rest and be expected to be 
free from fatigue.
---------------------------------------------------------------------------

    \6\ For a discussion of research concerning fatigue and need for 
sleep, see Federal Motor Carrier Safety Administration proposed 
rule, May 2, 2000 (65 FR 25540). PHMSA is not relying on any 
particular study cited by FMCSA for its action here, but rather on 
the totality of research indicating that an 8-hour sleep period is 
necessary to provide for optimum human performance.
---------------------------------------------------------------------------

    Shift change may not be the only time that controllers relieve each 
other and need to communicate critical information. Operators need to 
consider what other factors may determine when a thorough and complete 
set of information is necessary to be communicated to controllers and 
their supervisors. PHMSA will take all the above factors into 
consideration when reviewing operators' shift plans, rotations and 
schedules and educational programs about the importance of adequate 
rest.
    PHMSA will fulfill the PIPES Act requirement to review operator 
plans by evaluating related programs, procedures, records, and related 
documentation during inspections. PHMSA will also develop guidance to 
assist inspectors in conducting comprehensive inspections and 
evaluations addressing all required control room management elements. 
This guidance will help Federal and State agencies achieve maximum 
impact from the evaluation of operators' plans, maintain consistency 
and uniformity among inspections, and reduce the amount of subjectivity 
during inspections.

VII. The Proposed Rule

    This proposed rule would affect operators of hazardous liquid, gas 
transmission, and gas distribution pipelines and operators of LNG 
facilities that use controllers. The nature of these facilities and 
their related control rooms vary, as do the complexity of pipeline 
systems and facilities. The proposed rule would not affect master meter 
operators or operators of petroleum gas systems unless the operator 
transports gas as a primary activity. This performance-based rule 
describes the necessary elements and outcomes operators must accomplish 
but does not prescribe exactly how operators must incorporate each 
element. Each operator must have documented procedures, guidelines or 
practices, tailored to the operator's specific systems, control regime, 
and circumstances.
    Controllers play a critical role in any system that uses human-
machine interface to monitor or control pipeline systems, LNG 
facilities, or other equipment. The nature of that role varies with the 
type of commodity and the relative complexity of the pipeline system 
and facilities, but the analytical and cognitive skills needed are 
similar in all cases. Gas industry trade groups have expressed their 
view that controllers have limited opportunity to affect pipeline 
safety; PHMSA disagrees. Furthermore, gas pipeline controllers 
interviewed by PHMSA and those serving as subject matter experts on the 
ASME B31Q \7\ national consensus standards team for operator 
qualifications have also indicated that their actions could impact 
safety. While the compressibility of gas and the rapid progression of 
gas transmission pipeline failures generally make it unlikely that 
controller actions can cause an incident or mitigate the immediate 
effects of an incident, PHMSA believes that controller actions in gas 
pipeline systems can make incidents more likely.
---------------------------------------------------------------------------

    \7\ ASME B31Q is a national consensus standard governing 
qualification of pipeline operating personnel. A team of experts 
representing various technical disciplines within pipeline operating 
companies, including controllers, developed the standard.
---------------------------------------------------------------------------

    PHMSA also believes that controllers can hinder mitigative actions 
after the initial consequences of a rupture; can recognize abnormal 
operating conditions and intercede to prevent incidents; and can 
routinely perform significant functions to operate the pipeline and 
facilities in a safe manner. PHMSA also notes that all controllers 
serve important functions in the response to incidents and accidents. 
In many cases, controllers serve as the first line of defense to 
prevent incidents and accidents, and thus serve an important safety 
function requiring special training and qualification. PHMSA concludes 
that the minimum actions required by this proposed rule, expressed in 
simple performance terms, are necessary and reasonable. PHMSA also 
concludes that many are these actions already being used or exceeded by 
pipeline operators and that imposition of these requirements will 
improve safety without unreasonable burden.
    This proposed rule would add provisions to 49 CFR parts 192, 193, 
and 195. Rather than describe these changes on a section-by-section 
basis, this document describes them by topic

[[Page 53086]]

because the general content of the changes in each part is the same.

A. Changes to Operations and Maintenance (O&M) Manuals

    PHMSA is proposing the human factors management plan required by 
the PIPES Act be comprised of several enhancements in each operator's 
written O&M procedures manual(s), OQ program, and emergency procedures 
plan. PHMSA believes this makes it more likely that the actions 
required in this proposed rule will be integrated effectively into 
pipeline operations, thus limiting the potential for miscommunications 
to occur.
    PHMSA is proposing to include these requirements in a separate 
section within each part because we believe the verification and 
deviation reporting provisions of this proposed rule will be easier to 
understand if included in a separate code section for control room 
management.

B. Definitions

    This proposed rule adds the definitions of four key terms to 
improve the clarity of the proposed new requirements: Alarm, 
controller, control room, and SCADA.
    An alarm is defined as an indication provided by SCADA or a similar 
monitoring system that a monitored parameter is outside normal or 
expected operating conditions. Controllers need to be aware of these 
conditions, and a number of these conditions need to be controlled in 
order not to overwhelm the controllers. The proposed rule provides for 
periodic actions to review alarm management. The new definition is 
intended to make certain that treatment of these abnormal indications 
is addressed as part of this management, whether or not individual 
operators call them alarms.
    Fundamentally, a controller is an individual who uses computer-
based equipment to monitor, or monitor and control, all or part of a 
pipeline system or LNG facility. Individuals who monitor or control a 
pipeline or LNG facility using computerized systems are controllers. 
For the purposes of this rule, individuals who operate equipment 
locally but who cannot actually see the equipment respond without using 
a closed circuit television system or other external devices are 
controllers when performing these activities, regardless of their job 
title or whether their actions are overseen by other controllers or 
supervisors. Conversely, individuals who operate equipment locally and 
can see the equipment respond without using a closed circuit television 
system or other external devices are not controllers. Maintenance and 
other personnel accessing data from the control system are not 
controllers.
    While controller oversight of individuals operating equipment 
locally can facilitate the recognition of inappropriate control actions 
and possibly mitigate their consequences, the oversight does not 
generally allow prevention of inappropriate actions before they create 
adverse conditions. PHMSA believes that preventing actions that could 
result in unfavorable consequences is more important than identifying 
and possibly mitigating these actions after they occur. Therefore, we 
conclude that treating individuals operating equipment locally as 
controllers, even if they are subject to oversight or supervision by 
other trained individuals, is necessary to maintain public safety.
    A control room is traditionally a central location where a pipeline 
system or LNG facility is monitored or controlled, regardless of 
whether all, or only part, of a pipeline system or LNG facility is 
monitored or controlled. Control rooms may include multiple stations 
for individual controllers who monitor or control portions of the 
pipeline system or facility, or instead may house a single controller. 
Central locations within a field station (e.g., pump or compressor 
station, terminals) that include controls for multiple pieces of 
equipment are considered control rooms for purposes of this proposed 
rule, though the equipment at such field locations may not include the 
capability to monitor or control portions of the pipeline outside of 
the field station. A control room is sometimes referred to as a control 
center, control station or by other similar terminology. However, a 
controller may perform his duties by non-traditional means such as 
using a laptop in a vehicle.
    This proposed rule adds a definition for SCADA. These are the 
computer-based systems that collect and display information about the 
status of the pipeline or facility and display that information to 
controllers for their use in monitoring or controlling the pipeline or 
facility. Many SCADA systems provide the capability to control pipeline 
equipment from remote control panels but systems that only provide 
monitoring information are also considered SCADA systems.

C. Implementation Schedules

    PHMSA recognizes that different pipeline systems possess different 
levels of risk from potential controller errors. We also recognize that 
developing and implementing procedures for more complex systems that 
pose the greatest risks needs to be thoroughly analyzed. Operators must 
take the time necessary to be thorough in developing their procedures. 
Complex systems often require additional time to train all personnel 
and fully implement these procedures. For some pipelines, negotiations 
with unions may be required to implement these requirements; such 
negotiations take time. PHMSA has tried to balance these needs in the 
implementation schedules included in this proposed rule.
    Operators of hazardous liquid pipelines and gas transmission 
pipelines controlled or monitored remotely and operators of LNG plants 
with controllers would be required to develop procedures within one 
year after the effective date of the final rule. These operators would 
have one additional year to implement these procedures completely, 
including all necessary training.
    The proposed rule would require operators of hazardous liquid 
pipelines and gas transmission pipelines to develop procedures for 
control rooms that control only equipment within a single site (e.g., 
pump or compressor station) within two years after the effective date 
of the final rule and to implement those procedures within an 
additional six months. This reflects the relatively lower risk 
associated with control rooms for these single facilities and allows 
the operators of the more complex pipelines to focus their initial 
efforts on remote-operation control rooms where potential risk is 
greater.
    Operators of gas distribution systems would have two years after 
the effective date of the final rule to both develop and implement 
procedures. These systems operate at lower pressures, usually have 
field response crews in close proximity to instrumentation, and pose 
lower consequence risks from controllers. Many gas distribution 
operators are small companies or municipal departments that will 
require additional time to manage limited technical resources available 
to write procedures. At the same time, the relative simplicity of these 
small systems makes it easier to train controllers and implement new 
procedures.
    Pipeline systems that rely solely on local control pose less 
consequence risk than more automated and remote control actions. These 
small pipeline systems generally rely on the most limited resources. 
This proposed rule allows 30 months after the effective date of the 
final rule for operators of these pipeline systems to both develop and 
implement the necessary procedures.

[[Page 53087]]

    Implementing changes for existing systems and facilities takes 
time. The situation is different for new installations and existing 
facilities that are significantly changed (e.g., implementation of a 
new SCADA system). The proposal would require operators of systems with 
control rooms that are placed in service or significantly modified more 
than 12 months after the effective date of the final rule to develop 
procedures as part of the design and installation of the new systems 
and to implement those procedures when the control room is placed in 
service. Control rooms that will be implemented within 12 months of the 
effective date of the final rule are well along in design and planning 
and PHMSA concludes it is best to treat these facilities as existing 
control rooms.
    Mergers and acquisitions can present a unique challenge for 
controllers and control rooms. Controllers must develop an 
understanding of the hydraulics of a new system; become familiar with 
new display graphics; handle an increased workload on existing 
consoles; learn new hardware and software systems using different 
instrumentation or control methods and changed alarm designations and 
priorities; and participate in a shadow control scheme until training 
is complete. Detailed plans on how to introduce each element into the 
remaining control room and how to train and qualify controllers on 
newly introduced systems must be developed. For example, each operator 
must develop and implement a plan that includes how controllers will 
provide input on alarm descriptors, how this input will be implemented, 
and how controllers will receive training on alarm descriptors before a 
system is under their authority or responsibility for monitor or 
control.

D. Roles and Responsibilities

    The proposed rules require each operator to clearly define and 
document the roles and responsibilities of controllers for prompt and 
appropriate response to abnormal operating conditions and emergencies. 
Such documentation will also define the controller's authority and the 
pipeline operator's expectation for the controller to take action. 
Controllers are often the first to become aware of developing abnormal 
operating conditions or emergencies and can often play a critical role 
in response to these events. Timely and appropriate controller actions 
can arrest developing problems and return a pipeline system or LNG 
facility to normal operations. Conversely, untimely or improper 
controller actions can exacerbate abnormal operating conditions, which 
could potentially lead to incidents and accidents.
    Sometimes controllers are not the first to notice a problem. 
Problems may be identified by field personnel or reported by the 
public. Controllers must know their roles in responding to these 
situations and in communicating with management, field staff, the 
public, government agencies, emergency response personnel, and other 
operators of pipelines or utilities that may share a common right-of-
way.
    For situations that pose the most significant risks to public 
safety and the environment, prompt action by controllers is often 
needed. In other situations, management may expect controllers to 
consult with them before taking actions. Therefore, controllers must 
know the limits of their responsibility and authority for making 
safety-related decisions and for taking safety-related actions in all 
situations. The proposed rule requires operators to develop processes 
so that management and controllers have uniform expectations and 
understandings about response requirements before an abnormal operating 
condition or emergency arises. The proposed rule would also require 
operators to establish processes to allow controllers to seek and 
receive management input in a timely manner when required.

E. Assuring Adequate Information

    Controllers must have accurate and up-to-date information about the 
status of the pipeline system, equipment, or facilities they monitor or 
control. For example, they need to know pressures, flow rates, and 
temperatures, as well as the operating status of compressor and pump 
stations, the position of valves, and the availability of standby 
equipment that might be substituted in the event of a failure. They 
also need to know what effects power loss would have on equipment 
status. Without timely and correct information, controllers cannot take 
appropriate actions to control normal pipeline operations nor can they 
promptly identify abnormal situations and take actions to arrest event 
progression and prevent larger problems. This proposed rule requires 
each operator to develop processes to provide that controllers receive 
the timely and necessary information they need to fulfill their 
responsibilities at all times.

F. SCADA

    Many pipeline operators use SCADA, DCS, or internet-based systems 
to allow controllers to monitor or control pipeline systems or LNG 
facilities remotely. SCADA is used in this document to mean SCADA, DCS 
or other methods of communicating data for monitoring or controlling 
pipeline systems and LNG facilities.
    SCADA systems must be configured and programmed to provide accurate 
information to the controller and to transmit any command actions 
accurately. It is also important for controllers to recognize and react 
to information changes about the state of the pipeline. Cluttered or 
poorly organized SCADA screens may not be logical to a controller. 
Unless a controller quickly recognizes SCADA information, he or she may 
not be able to process the information into knowledge upon which to 
base control actions.
    The API recognized the need for clear and logical SCADA displays 
and published a recommended practice, API RP-1165. This recommended 
practice provides guidance to operators to help them develop SCADA 
screens that display information clearly, logically, and without 
clutter to maximize the ability of controllers to use the information 
effectively. This proposed rule requires pipeline operators with SCADA 
systems to follow API RP-1165 or be able to demonstrate that the 
recommended practice is inapplicable or impracticable.
    SCADA information is only useful when accurate, timely, and 
properly displayed. Complex SCADA systems receive information from 
sensors, transmitters, and other equipment located throughout an LNG 
plant or pipeline system and use algorithms to convert the information 
into a more useful form for the controller. SCADA systems must also 
provide for unexpected communication interruptions from one or more 
instruments or transmitters. The loss of a few data points must not 
result in a complete loss of system information or system malfunction 
to the controller.
    SCADA systems must have a backup communication system, which is 
tested periodically to verify its performance. Alternatively, a 
pipeline operator must have an adequate means to operate manually or 
provisions to shut down the affected portion of the pipeline safely. 
Server load should also be reviewed on a regular basis and monitored 
for increased activity affecting controller-required tools. Operators 
should be aware of software-specific concerns (e.g., through user-group 
meetings) and should develop methods to prevent these issues from 
affecting controller performance.
    SCADA systems must have provisions to accommodate different kinds 
of

[[Page 53088]]

problems, for example, stale data. When communications problems arise, 
a SCADA system may present the most recent (though stale) data until 
data communications are restored. SCADA systems must display this stale 
data in a manner that is easily recognized by the controller, 
particularly when the data have not been updated for a significant 
amount of time. Not all SCADA systems are configured to provide 
warnings (flags) to controllers to warn of stale data. Therefore, the 
proposed rule requires operators to identify methods to allow 
controllers to recognize stale data at all times.
    SCADA system integrity is usually verified when the system is 
initially installed by checking instrument readings and other data on 
each display screen. The readings and data are checked for accuracy and 
to ascertain that they match the readings on the corresponding field 
equipment or transmitters. The installation also verifies that signals 
issued from the SCADA panels result in the proper control of the 
corresponding equipment in the field. SCADA data processing is also 
verified during installation. While all this serves to verify the 
initial SCADA installation, SCADA systems, pipeline systems, and LNG 
facilities can change over time. Any of these changes can lead to 
misinformation problems for both controllers and field personnel.
    To verify that existing SCADA systems are accurate, this proposed 
rule would require operators to conduct an initial point-to-point 
baseline verification for each SCADA system to validate and document 
that field equipment configurations agree with computer displays. 
Operators would check from transmitter-to-display to verify that the 
correct values (and units) are displayed on the SCADA screens at the 
correct relative locations. Operators would also verify that alarm and 
event functions occur at specific set-points or upon certain actions by 
the correct corresponding equipment and that all controlled equipment 
appropriately responds to SCADA inputs and outputs. This requirement is 
intended to verify that existing SCADA systems are accurate despite 
changes that may have been made without verification since the initial 
installation.
    Operators of pipeline systems with more than 500 miles would be 
required to complete the baseline verification within three years of 
the effective date of the final rule. However, because SCADA systems 
for large pipeline systems can have tens of thousands of data points to 
check, it is not practical to require a complete verification at one 
time. To offer some relief for these more complex systems, the proposed 
rule would allow operators to credit verifications conducted up to 
three years before the effective date of the final rule towards the 
baseline verification. Operators of pipeline systems with less than 500 
miles would be required to complete validation within one year of the 
effective date of the final rule. This reflects the relative simplicity 
of performing verification for these smaller systems and PHMSA's belief 
in the importance of prompt baseline verifications. PHMSA invites 
comments on the appropriateness of these time periods. We further 
invite comments on alternative approaches to achieve the intent of 
assuring baseline verification for each SCADA system. Another approach, 
for example, might be a risk-based schedule to build off the risk 
analyses most operators have previously completed for their integrity 
management programs.
    Once the baseline SCADA system has been verified, operators should 
document and verify changes as they occur. Therefore, the proposed rule 
requires operators to verify SCADA screens versus field configurations 
when modifications or repairs are made to field equipment. For SCADA 
system changes or new SCADA systems, however, the proposed rule 
requires point-to-point verifications as part of the implementation 
process for all portions of the pipeline system or LNG facility 
affected by the change. The rule would also require operators to 
develop and implement procedures to handle system maintenance changes 
and SCADA point verifications such as alarm set-points, display 
locations, value confirmations, and the proper operation of software 
algorithms. Operators must make maintenance change notifications to 
controllers as they occur and set a maximum time limit for changes to 
be made and verified to the appropriate SCADA system displays and alarm 
features. Individual operators would also be required to develop a plan 
for systematic re-verification of the accuracy of the SCADA system 
display.
    Lastly, the proposed rule would require SCADA changes brought about 
by mergers or buy-outs to be treated as a new SCADA system 
implementation and verified accordingly.

G. Shift Change

    SCADA systems and other means of providing real-time information to 
controllers concerning the status of pipeline systems are important, 
but such systems are not the only information important to a controller 
in carrying out his duties. Controllers need to be aware of activities 
that have occurred, are underway, or planned that could affect pipeline 
operations during a shift. This includes, but is not limited to, 
planned modifications and maintenance activities, noted indicators of 
possible near-term problems including alarms, indications of any 
abnormal operating condition, communications concerns or malfunctions, 
points taken off-scan, and the unavailability of key field personnel. 
Field personnel must promptly inform controllers when work is done that 
could affect controller duties or displayed information. Under the 
proposal, an operator's procedures must provide for making this 
necessary non-computer-based information available to controllers.
    PHMSA considers verbal communications important because accurate 
verbal contact can provide for immediate verification of maintenance 
activities and equipment status, and can corroborate information 
received from other sources. Therefore, the proposed rule requires that 
operators provide for timely verbal communications between controllers 
and field personnel. Controllers must contact field personnel, on 
occasion, to investigate the reason for abnormal indications, to carry 
out emergency response actions, or to perform actions that cannot be 
done remotely from the control room. Field personnel must inform 
controllers when equipment is taken out of service, when values are 
forced or locked in place, or when events that can have a near-term 
impact on safety occur. Field personnel must promptly contact 
controllers when conditions are identified that could indicate a leak 
or incipient accident. Field personnel should be trained and encouraged 
to contact the control center as quickly as possible whenever a leak is 
suspected. The proposed rule also requires that operators identify in 
procedures those circumstances, actions, and conditions for which field 
personnel must notify the control room.
    Operators should implement individual console or system log-in 
features, if these are available, or record on the shift-change records 
the time and the name of the controller who is responsible during the 
shift-change procedure. While most pipelines operate 24 hours a day, 
seven days a week, some do not. Small pipelines, such as those 
dedicated to a single facility, may operate only as needed or for only 
certain hours of the day. Many transmission pipeline systems have 
implemented more sophisticated and complex control schemes and can 
require extensive involvement of technical personnel other than

[[Page 53089]]

controllers. More thorough procedures and processes are needed to 
manage these activities. In all cases, it is important that controllers 
have a complete understanding of the conditions and activities 
affecting the pipeline, including non-computer based information.
    The proposed rule addresses this need by requiring that critical 
information be recorded during each shift. Oncoming controllers can 
review the log to make themselves aware of recent activities and 
current conditions, even in those cases where a pipeline is not in 
continuous operation and there is no ``shift change'' between 
controllers. Operators would demonstrate compliance with this 
requirement by making documented information available during 
regulatory inspections.
    For pipelines that operate continuously, controllers are expected 
to interact with those who relieve them in order to communicate 
important information. Virtually all pipeline operators with multiple 
shifts expect controllers to provide such a turnover of information. 
Shift change is not the only time that controllers are relieved of 
their duties. Individual pipeline operators may relieve controllers at 
breaks or at times when the individual is required to perform other 
duties. Exchange of critical information is essential to the safe 
operation of pipeline facilities at these times. PHMSA's CCERT 
interviews with pipeline operators and controllers identified several 
instances where there were no formal procedures for conducting shift 
turnover and no clear understanding of the information that was to be 
communicated when personnel relief occurs. In those instances, each 
individual controller determined what needed to be communicated. The 
proposed rule requires that operators provide for exchange of 
information during shift turnover, including defining the minimum set 
of information that must be communicated (e.g., by check sheet). 
Adequate information may vary across different parts of an operator's 
entire pipeline system. Each operator would be expected to define this 
set of information, as this information would be aligned to the 
specific system requirements. Operators must also provide for an 
overlap of controller shifts sufficient to accomplish the necessary 
exchange of information.
    Controllers often have duties to communicate with personnel outside 
their companies as well. In many cases, pipelines share a common right-
of-way with other pipelines or utilities. A problem on the pipeline can 
affect these other pipelines or utilities and controllers need to 
understand when it is their responsibility to notify these other 
companies of potential problems. Controllers also often receive calls 
from the public or emergency responders reporting indication of 
problems. Since a control room is often staffed continuously, pipeline 
markers usually list the control room telephone number for the public 
to report problems.
    A controller answering a call from the public or emergency 
responders must obtain enough information from the caller to understand 
the nature of the problem. Operators should provide training for 
controllers to help assist them in obtaining complete and accurate 
information. A controller must determine whether the problem is on his 
pipeline or area of responsibility. If a controller determines a 
problem is not on the pipeline he or she controls, the controller must 
communicate the information to those who can address the problem, even 
if this is the operator of another pipeline in a shared right-of-way. 
Operators need to make sure that controllers know who to contact in the 
event of a potential problem in a shared right-of-way, regardless of 
which pipeline is affected.
    Controllers should also be required to contact other operators in a 
common right-of-way when aware of a leak associated within their area 
of responsibility. There may be conditions when repairing a pipeline 
that may elevate the risk associated with another pipeline in the same 
corridor. For this reason, when controllers discover or are made aware 
of leaks in a common pipeline corridor, they should contact all of the 
operators in that corridor and explain the situation so that all 
pipeline operators can work together to minimize potential damage.

H. Fatigue

    Fatigue is a key safety issue for PHMSA. The NTSB also considers 
fatigue one of its ``top ten'' safety concerns for all modes of 
transportation. Fatigue can result in a loss of vigilance or a lack of 
effective attention by a pipeline controller. All pipelines and 
facilities normally have safety systems in place to protect against 
accidents. The prudent use of safety systems, however, does not reduce 
the importance of controllers as the first line of defense in 
preventing accidents.
    In most instances, monotony, not physical exertion, causes 
controller fatigue. Monitoring pipeline operations from a computer 
panel for many hours can be quite monotonous, especially for normal, 
uneventful operations during the usual overnight human rest cycle. It 
is important that pipeline operators take actions to help ensure that 
controllers are not unduly affected by fatigue and verify that 
controllers remain vigilant.
    Key among these actions is establishing shift length and schedule 
rotations to protect against the onset of fatigue and providing 
controllers the opportunity to get sufficient rest between work shifts. 
Many pipeline controllers work rotating shifts; that is, a controller 
may work day shifts, night shifts, and possibly swing shifts within the 
same week or within a few weeks or a month. There has been extensive 
research by specialists in human behavior concerning shift work and the 
effect these shift changes have on sleep patterns and fatigue. Topics 
addressed in the research include the direction of shift rotation 
(i.e., forward or back), the amount of time between shifts to help 
provide for adequate rest, and the effects of off-duty activities on 
fatigue during duty hours.
    Many pipelines operate on 12-hour shifts, while others operate on 
eight-hour shifts or shifts of other lengths. PHMSA does not object to 
12-hour shifts, but we do note that shift rotations have seldom been 
established based on research or what is best for the pipeline 
controllers. Instead, the CCERT team found that shift rotation and 
length have usually been established through management-union 
negotiations or because the controllers prefer a specific schedule. 
Moreover, we found that controllers prefer 12-hour shifts because they 
result in longer periods of time off. Maximizing time off, however, 
does not necessarily maximize the mitigation of fatigue. Operators who 
continue to use 12-hour shifts should have procedures that include 
provisions for unexpected holdovers or call-outs and they must ensure 
the shifts are managed in a manner that requires controllers to have 
adequate periods of rest between shifts to help protect against the 
onset of fatigue during controller shifts.
    Additionally, research shows that individuals need to have eight 
hours of sleep per day to maintain their best performance; and that 
work schedules can have a detrimental impact on an individual's 
circadian rhythm. PHMSA recognizes that pipeline and LNG facility 
operators cannot control or monitor controllers' off-duty time, but 
operators can educate controllers on the need for adequate periods of 
rest. Because off-duty time activities can influence on-duty fatigue, 
controllers must accept responsibility for structuring their off-duty 
time to allow for adequate rest and eight hours of sleep. The proposed 
rule requires operators to train controllers and their supervisors in 
fatigue management

[[Page 53090]]

strategies and how non-work activities can contribute to fatigue. 
Supervisors and controllers must also be trained to recognize and 
mitigate the effects of fatigue among controllers on a shift. These 
training programs will require controllers and supervisors to exercise 
personal responsibility for having adequate rest and prudent fatigue 
management. In addition, these education programs must include 
information that can be shared with the family of controllers because 
they too need to understand that off-duty activities must allow time 
for adequate rest to avoid on-duty fatigue.
    In many control rooms, multiple controllers work together on a 
shift along with a supervisor. In these circumstances, controllers can 
watch for signs of co-worker fatigue and supervisors can oversee 
assigned staff to help identify and mitigate instances of fatigue. Some 
control rooms, however, operate with a single controller on shift. In 
those instances, there is no other person present to recognize when the 
controller is affected by fatigue. Accordingly, the proposed rule 
requires operators to establish provisions to verify that a single 
controller remains vigilant.
    While PHMSA is not establishing an overall limit on the maximum 
length of time a controller can work in a single shift, this proposed 
rule requires operators to include in their written procedures a limit 
on the length of time a controller can work and a requirement for 
adequate rest between shifts. This proposed rule will meet the 
requirements of the PIPES Act. The proposed rule allows operators to 
base the limit on the particular operating circumstances of each 
pipeline and to include provisions for deviations in emergency 
situations.
    PHMSA believes operators should establish an hours-of-service limit 
based on its normal pattern of operations and in a manner that will 
preclude individual controllers from working more hours than the 
operator expects under normal circumstances. Operators should address 
unusual and emergency situations using provisions for approved 
exceptions that should be included in written procedures. Operators 
should maintain documentation of these situations.

I. Alarm Management

    A principal function of SCADA systems is to ``alarm'' or notify a 
controller of circumstances when pressure, flow, temperature, or other 
key pipeline operating parameters are outside the expected norms. Many 
controllers acknowledge an alarm or event by silencing an audible sound 
or responding to a flashing indication on a control screen. Controllers 
must then take action to address the cause of the alarm or the effect 
on the pipeline or facility. In some cases immediate action is 
required; in other cases action can be deferred. Sometimes, the alarm 
may simply be related to system changes such as the expected startup of 
another unit and no action is required. Qualified controllers use their 
judgment, experience and training to manage alarm response. Management 
should review controllers' response to alarms and appropriately address 
situations that require immediate or deferred actions to maintain 
pipeline safety.
    Alarm response and associated event information can help determine 
whether abnormal operating conditions are promptly recognized, that the 
responses to these conditions are properly handled in a timely manner, 
and that controller abilities are not degrading over time. Alarms and 
notifications can also provide information about the health and 
operational status of communication and SCADA systems.
    The proposed rule requires two levels of alarm management review. 
On no less than a weekly basis, operators would be required to review 
pipeline operations and the alarms and events that have been received. 
Operators would confirm that events on the pipeline that should have 
triggered alarms actually did. Operators would review controller 
response to alarms to identify if abnormal operating conditions had 
occurred and that the controller took proper action in a suitable 
amount of time. Operators must also identify any unexplained changes in 
the number of alarms received or in controller management of those 
alarms, and take actions, as needed, to arrest any potentially 
degrading situations either in controller performance or equipment 
problems. Operators must identify ``nuisance alarms'' for which action 
is not required and determine whether controllers actually need to 
receive such notifications so that the total number of alarms is not 
excessive. Both nuisance alarms and an excessive number of non-nuisance 
alarms can contribute to a sense of complacency about alarm response. 
Complacency can contribute to a situation in which controllers 
acknowledge alarms but do not take action to clear them on a timely 
basis. This factor must also be considered in the weekly reviews and 
the associated system or instrumentation maintenance activities. 
However, operators may choose to capture other operational and 
maintenance information through alarm systems that are channeled to 
others responsible to manage such information.
    Once each calendar year (with intervals not to exceed 15 months), 
the proposed rule requires that operators undertake a more detailed 
review of alarm configuration and management. This review must consider 
the number of alarms, potential systemic issues related to field 
equipment or the SCADA system, potential systemic issues resulting in 
excessive or unusual alarms, unnecessary alarms, changes in controller 
performance in response to alarms, and a review of alarm set-point 
values. Operators must also consider alarm indications of abnormal 
operating conditions, including identifying any that occur frequently 
in combination and assuring that these combinations are included in 
controller training. Alarm descriptors and naming conventions also need 
to be reviewed for clarity and consistency. Operators must consider 
controller workload with respect to the number and nature of alarms 
received. Alarms should also be reviewed for ongoing maintenance issues 
or communication problems that need to be solved. Incident and accident 
reviews should include a provision to check alarm or notification 
operations for any required changes. The procedure must have a 
mechanism to provide for controller feedback to alarm and notification 
modifications.

J. Change Management

    Changes to the pipeline system are important and can affect the 
ability of a controller to do his job. System changes can affect the 
hydraulics of the pipeline and change the response to control inputs. 
It is important that controllers be aware of changes being made and 
that controllers are involved early in the change process to help 
identify and alleviate any undesirable effects on controllers and 
control room operations. Similarly, changes to the SCADA system, or to 
the instruments it monitors, can also affect a controller's 
understanding of conditions on the pipeline and his recognition of the 
need for control actions.
    The proposed rule requires operators to establish thorough and 
frequent communications between controllers, management, and field 
personnel when planning and implementing changes to pipeline equipment 
and configuration. Maintenance procedures must ensure that problems 
with SCADA or field instrumentation critical to controllers are 
resolved promptly and properly documented. SCADA system modifications 
must also be coordinated with controllers and affected pipeline 
operating personnel. It is not always

[[Page 53091]]

practical to coordinate changes before they are made, particularly when 
a change is in response to an emergency. In those instances, operators 
must make affected personnel and controllers aware of the change as 
soon as practical and document why this occurred. When field equipment, 
pipeline configuration, or SCADA changes are planned in advance, 
coordination should also be done so that controllers who are off-duty 
get informed of these changes prior to implementation. Controllers 
shall have time to study the implications of targeted changes and to 
become familiar with the anticipated system changes before they are 
initiated. Finally, controllers shall be represented by a controller, 
controller supervisor or by someone very familiar with control room 
operations when changes that can affect pipeline hydraulics, 
configuration or control system changes are considered so that 
controller perspectives and potential impacts can be considered early 
in the planning process and appropriate adjustments and training can be 
developed.
    Whenever possible, operators should thoroughly test changes on an 
off-line system. Management of change procedures shall also include how 
operators will inform controllers of changes before they operate the 
system, especially the controllers who are not on shift at the time the 
changes are made.

K. Learning From Individual Operating Experience

    Events that occur on a pipeline provide one of the best 
opportunities to improve the operation of the pipeline. Such events 
include those that must be reported to PHMSA by regulation and those 
with little or no consequences. Reviewing the causes of an event can 
help identify underlying problems, which, if properly addressed, would 
reduce the risk of future events occurring or resulting in more 
significant consequences. Reviewing the response to events can help 
identify areas in which emergency response and abnormal operating 
procedures can be improved or where additional training for controllers 
and other personnel may be appropriate. Individual controller logs or 
shift notes can provide valuable insight into maintenance requirements 
or communication concerns, both those provided by instrumentation and 
those required of other employees. Reviewing these logs and working to 
remove problem instrumentation or communication concerns can help to 
maintain pipeline safety.
    The proposed rule requires operators to review all reportable 
accidents and incidents on a routine basis to identify and correct 
deficiencies related to:
     Controller fatigue
     Field equipment
     Procedures
     SCADA system configuration
     SCADA system performance including communications
     Simulator or non-simulator training programs
    Operators must also review non-reportable events (e.g., ``close-
calls'') to identify and address those that could be significant if 
left unaddressed or coupled with other events. Each operator would 
establish a definition or event threshold for which a review would be 
conducted. Once this definition or event threshold has been 
established, procedures must require that operators review information 
about each close-call and share information regarding the proper 
response with all controllers.

L. Training

    Training is a key element in assuring the success of pipeline 
controllers in maintaining safe operations. Therefore, operators must 
provide controllers the necessary training to completely understand the 
pipeline and control systems they operate. The proposed rule would 
require each operator to include certain content in its controller 
training programs. The proposed rule includes a minimum set of elements 
that overlap and supplement existing OQ programs. These elements are as 
follows:
    1. Response to abnormal operating conditions and emergencies. These 
responses are a major element of controllers' contribution to safety. 
Correct actions can mitigate events without significant consequences. 
Incorrect actions can aggravate abnormal situations and make 
consequences worse. Training for controllers must include emphasis on 
generic and task specific abnormal conditions that are likely to occur 
simultaneously or sequentially. Controllers shall be trained to respond 
to such events and to recognize them as indicators or precursors of 
potentially more serious situations.
    2. Simulator or tabletop exercises for training controllers to 
recognize abnormal operating conditions such as leaks or failures. Some 
abnormal events occur infrequently. Thus, experience on the job does 
not necessarily prepare a controller to identify and respond to all 
abnormal events, nor does it verify that a controller's ability is 
maintained over time. Computer-based simulators or tabletop exercises 
afford the opportunity for controllers to practice identifying and 
responding to safety-significant situations that controllers may not 
encounter during routine shift operations. The proposed rule also 
requires operators to involve controllers in the development and 
improvement of training simulations. Operators should conduct tabletop 
exercises or computerized simulations that require emergency response 
field personnel and personnel involved with commodity movement to be 
involved from terminals, compressor stations, pump stations, and on the 
pipeline right-of-way.
    3. Training controllers to understand the operator's public 
awareness program in detail. Controllers are often involved in 
communication with the public, particularly when the public reports 
unexpected events. API Recommended Practice 1162, ``Public Awareness 
Programs for Pipeline Operations'' (API RP-1162) recommends sharing 
public awareness objectives, information and material used in its 
public awareness program with employees. Many Public Awareness Programs 
include components for key employee training in public awareness and 
specific communication training for specific key employees. Controllers 
shall be considered as specific key employees if they are responsible 
for responding to public or emergency responder calls.\8\
---------------------------------------------------------------------------

    \8\ Implementation of public awareness programs conforming to 
API RP1162 is required for gas pipelines by Sec.  192.616 and for 
hazardous liquid pipelines by Sec.  195.440.
---------------------------------------------------------------------------

    4. Providing appropriate information to the public and emergency 
response personnel during emergency situations. In some cases, 
controllers may not ask the right questions or provide the correct 
response when communicating with the public or emergency responders 
during an emergency. Specific training will help ensure that the 
information controllers provide to the public and to emergency 
personnel will maximize public safety and that the information 
exchanged is complete and accurate.
    5. Periodic visits by controllers to a field installation similar 
to that which the controllers monitor or control. These visits would 
help familiarize controllers with the equipment, field terminology, and 
equipment operation. They would see how weather might affect access to 
a specific location and observe the functions of station personnel. 
Normally pipeline equipment is displayed as an icon on a controller's 
computer screen. When it is operated or something is amiss, it may 
change color, flash or change shape. Controllers must understand what 
these changes mean in

[[Page 53092]]

the field. In the past, many controllers moved up from field positions 
and had a thorough knowledge of field operations. Today, many pipelines 
hire controllers who do not have field experience and who have limited 
knowledge of the physical and practical aspects of pipeline operations. 
Providing an opportunity for controllers to actually see the equipment 
and talk to station personnel will help expand the controllers' 
awareness of site specific information. Further, discussions with field 
personnel in routine, non-stressful situations can help establish a 
familiarity that will facilitate more efficient and accurate 
communication during abnormal events. Ideally, controllers would visit 
the facilities they operate. PHMSA recognizes, however, that this is 
not always practical. Many pipeline systems cover extensive geographic 
areas, and controllers may be responsible for operating pipeline 
segments many hundreds of miles from the control room where they work. 
For this reason, the proposed rule specifies that visits should be to a 
representative sampling of field installations similar to those for 
which the controller is responsible.
    6. Review of procedures for operating setups that occur 
infrequently. Day-to-day experience does little to help controllers 
retain knowledge related to functions not routinely performed. It is 
thus important that training programs emphasize and provide instruction 
on these unusual operating conditions.
    7. Pipeline hydraulics training sufficient to obtain a thorough 
knowledge of the pipeline system, especially the pipeline's response to 
abnormal situations. Often, controllers know what to expect when the 
operating set-up changes because the controllers have seen the impact 
of these changes many times, but sometimes controllers do not 
necessarily know why flows and pressures change the way they do. A 
basic understanding of pipeline hydraulics, as applied to the pipeline 
a controller monitors, will help the controller understand what typical 
responses are to changes in the operating status of individual pieces 
of equipment and what to expect in the event of a leak or failure. This 
understanding will enable the controller to better identify situations 
outside normal operations.
    8. Specific training on how power failures affect sites of 
controller responsibility. The operator should provide site-specific 
training to the controllers regarding the state of equipment upon power 
loss and what the effect will be. This will assist the controller in 
identifying other field resources that may be needed to properly repair 
or operate a location affected by natural disaster such as a flood, 
hurricane, tornado or earthquake.
    9. Specific system tools available to determine a leak or 
significant failure. Controllers should receive training about what 
tools exist, including trends or other displays, that help to determine 
quickly the status of the pipeline or aid in leak and significant 
failure detection.

M. Qualification

    Operators already provide for the qualification of certain 
individuals to evaluate their abilities and to determine that they are 
able to apply the necessary knowledge and skills acquired in training. 
The proposed rule would require additional controller qualifications to 
measure or verify a controller's performance, including the prompt 
detection of, and appropriate response to, abnormal and emergency 
conditions that are likely to occur. Additions to controller 
qualifications would be implemented in conjunction with an operator's 
OQ program pursuant to the existing regulations in 49 CFR parts 192, 
193, and 195. The rule would not prescribe a single means of evaluating 
a controller's abilities. Operators can use observation of on-shift 
activities to perform part of this verification. Simulators and 
tabletop exercises can also be used to verify a controller's ability to 
detect conditions not seen on shift and that the controller is ready 
and able to take appropriate actions in response. PHMSA has found that 
most operators' OQ programs call for re-qualification every three 
years; however, this rule would require an annual qualifications review 
for controllers. In addition, operators would be required to provide 
ongoing controller performance metrics and evaluation between annual 
qualifications review to help detect any gradual degradation in 
performance.
    Qualified controllers must have the physical abilities to perform 
the job. Most pipeline control systems use different colors to 
represent different operating states and display system information and 
status using icons and text that may vary in size depending on the 
complexity of an individual display. While many operators do not 
explicitly test controllers for colorblindness or visual acuity, it is 
essential that controllers be tested for these visual abilities. This 
does not mean that controllers who are colorblind or who lack visual 
acuity must be relieved of duties. Special accommodations may be 
needed, such as using different shapes, flashing indications, or 
increasing the size of icons and text on an individual controller's 
screen. The rule would not prescribe a specific test for these physical 
abilities, but operators would be required to ascertain through 
periodic testing and associated documentation that any deficiencies in 
these physical attributes would not negatively affect the controller's 
performance of assigned duties.
    The proposed rule would also require operators to specify the 
reasons for which a controller's qualification must be revoked. The 
reasons must include extended absence or time off-duty (for a duration 
determined by the operator), inadequate performance, impaired abilities 
(e.g., vision, hearing) beyond that which the operator can accommodate, 
influence of drugs or alcohol, and any other circumstances for which 
the operator considers revocation appropriate. Operators would also be 
required to have procedures for restoring a revoked qualification, 
which may include complete re-qualification, or limited testing, a 
period of review, shadowing, retraining, or all of these.
    Lastly, PHMSA recognizes that many operators use oral examinations 
as part of their qualification programs. Experienced operators and 
trainers quiz controllers on their knowledge of various aspects of 
their job. PHMSA believes this can be a very effective means of judging 
a person's abilities. Unlike a written test, an oral examination allows 
the evaluator to probe apparent weaknesses in more depth. Oral 
examiners can inquire in more detail in areas where the candidate 
appears to be hesitant, weak or unsure of the answers. This can allow a 
more thorough evaluation of a controller's knowledge to perform 
required duties.
    If an operator chooses to use oral examinations as part of its 
controller qualification program, the rule would require the operator 
to document the examination and include a list of the topics covered 
during the oral examination. This documentation will facilitate 
internal audits, assist with providing consistency in controller 
training, and allow the operator's training personnel to vary the 
content of future evaluations to test knowledge in other areas.

N. Validation

    PHMSA considers controllers to be extremely important in providing 
for pipeline safety. Accordingly, PHMSA believes that it is appropriate 
to involve senior pipeline executives in helping to determine that 
controllers are qualified, that internal communication is enhanced, and 
that controller needs are being addressed. The proposed rule

[[Page 53093]]

would require that a senior executive officer validate certain aspects 
of controller training, qualification, and compliance with the 
requirements of this rule. Operators would be required to have a senior 
executive officer sign a validation each calendar year that confirms 
that the operator has:
     Conducted a review of controller qualifications and 
controller training and determined that both are adequate;
     Permitted only qualified controllers to operate the 
pipeline;
     Implemented the requirements of the rule;
     Continued to address ergonomic and fatigue factors; and
     Involved controllers in finding ways to sustain and 
improve safety and pipeline integrity through control room management.

O. Compliance and Deviations

    The proposed rule would require operators to maintain records that 
demonstrate compliance with the regulation and to document any 
deviations from their control room management procedures. In addition, 
the operators would be required to report any deviations upon request 
by PHMSA or the appropriate state pipeline safety authority. These 
requirements are derived from the PIPES Act, which specifies that 
operators must document compliance with their human factors and control 
room management plans and report any deviations. Operators would be 
required to report deviations only when requested by PHMSA, or in the 
case of an intrastate pipeline facility, when requested by the 
appropriate state pipeline safety authority. Such a request is 
anticipated to occur during a pipeline safety inspection, but may occur 
at any time at the discretion of PHMSA or the state pipeline safety 
authority.

VIII. Regulatory Analyses and Notices

Privacy Act Statement

    Anyone may search the electronic form of comments received in 
response to any of our dockets by the name of the individual submitting 
the comment (or signing the comment if submitted for an association, 
business, labor union, etc.). You may review DOT's complete Privacy Act 
Statement in the Federal Register published on April 11, 2000 (65 FR 
19477).

Executive Order 12866 and DOT Policies and Procedures

    This proposed rulemaking is a significant regulatory action under 
Executive Order 12866 (58 FR 51735; Oct. 4, 1993), and it is a 
significant regulatory action under the U.S. Department of 
Transportation regulatory policies and procedures (44 FR 11034; Feb. 
26, 1979). Therefore, the Office of Management and Budget (OMB) has 
received a copy of this proposed rulemaking to review.
    The proposed rule is not expected to adversely affect the economy 
or the environment. For those costs and benefits that can be quantified 
the present value of net benefits are expected to be about $65 million 
over a ten year period after all of the requirements are implemented. 
The monetary costs of the rule are expected to average about $25 
million per year. Therefore, within the meaning of Executive Order 
12866, the proposed rule is not expected to be an economically 
significant regulatory action due to cost because it will not exceed 
the annual $100 million threshold for economic significance.
    However, there is substantial congressional, industry, and public 
interest in control room operations and human factors management plans. 
The proposed rule's immediate impact is minimal because some of its 
components are already included in existing regulations; moreover, in 
some pipeline companies, other requirements are standard practice or 
considered to be good business practices.

Regulatory Flexibility Act

    Under the Regulatory Flexibility Act (5 U.S.C. 601 et seq.), PHMSA 
must consider whether rulemaking actions would have a significant 
economic impact on a substantial number of small entities. While PHMSA 
does not collect information on the number of employees or revenues of 
pipeline operators, we do continuously seek information on the number 
of small pipeline operators to more fully determine any impacts our 
proposed regulations may have on small entities.
    The Small Business Administration's criterion for defining a small 
entity in the hazardous liquid pipeline industry is 1,500 or fewer 
employees. PHMSA estimates there are 10 to 20 small entities in the 
hazardous liquid pipeline industry. For the gas pipeline industry, the 
size standard for a small natural gas gathering or transmission 
business is $6.5 million or less in annual revenues and the size 
standard for a small natural gas distribution business is 500 or fewer 
employees. PHMSA estimates there are about 480 natural gas transmission 
and gathering companies that have $6.5 million or less in annual 
revenues and about 1,000 natural gas distribution companies that have 
500 or fewer employees. Therefore, there are a total of about 1,500 
small entities that would be affected by the proposed rule.
    PHMSA has considered the effects of the proposed rule on small 
pipeline operators. The total estimated aggregate annual costs of the 
rule across the entire pipeline industry over 10 years ranges from 
about $21 million per year to $37 million per year. Therefore, the 
average annual cost to the approximately 2,500 companies (large and 
small entities) is about $8,400 to $14,800 per year. For the larger 
operators with more controllers, the costs will be higher than the 
average. For the smaller operators with fewer controllers it will be 
less than average. Based on these figures, PHMSA does not believe there 
will be a significant impact on a substantial number of small entities, 
but PHMSA seeks comments on this analysis.

Executive Order 13175

    PHMSA has analyzed this rulemaking according to Executive Order 
13175, ``Consultation and Coordination with Indian Tribal 
Governments.'' Because the proposed rule would not significantly or 
uniquely affect the communities of the Indian tribal governments or 
impose substantial direct compliance costs, the funding and 
consultation requirements of Executive Order 13175 do not apply.

Paperwork Reduction Act

    PHMSA proposes to revise the Federal pipeline safety regulations to 
address human factors and other components of control room management. 
The proposed rules would require operators of hazardous liquid 
pipelines, gas pipelines, and LNG facilities to amend their existing 
written operations and maintenance procedures, operator qualification 
programs, and emergency plans.
    This proposed rule also contains some information collection 
requirements. As required by the Paperwork Reduction Act of 1995 (44 
U.S.C. 3507(d)), DOT will submit a copy of the Paperwork Reduction Act 
analysis to OMB for its review. A copy of the analysis will also be 
entered in the docket. PHMSA is proposing to require pipeline operators 
to keep records and logs related to control room operations for 
inspection purposes and to have a senior executive officer of each 
operator validate that the operator has complied with the regulatory 
requirements, reviewed its qualification and training, permitted only 
qualified controllers to operate the pipeline, addressed fatigue 
factors, and involved controllers in finding improvements. The record 
keeping requirements in the proposed rule are consistent with good 
business practices

[[Page 53094]]

and are designed to enhance current control room management practices.
    To calculate the information collection burden for the record 
keeping related to control room management practices, PHMSA estimates 
there are approximately 2,500 pipeline and LNG facility operators that 
would need to keep records and logs and that it would take 
approximately one hour per week, per operator to generate and maintain 
the necessary records. Therefore, PHMSA calculates it would take 
slightly more than 130,000 hours per year for the 2,500 pipeline 
operators to maintain the necessary records. PHMSA expects that most 
operators currently maintain records and logs for inspection purposes 
and that they generate records on a daily basis. Therefore, we estimate 
the cost for the industry would be negligible since controllers 
generally perform this function as part of the control room operations. 
PHMSA acknowledges, however, that there may be some additional cost for 
storage and filing, depending on what the records contain and how they 
are packaged. Assuming that operators store between two and four cubic 
feet of records (at $23.00 per cubic foot) within their facility per 
year, PHMSA estimates that it would cost between $115,000 and $230,000 
annually to store and maintain the records for inspection purposes.
    Additionally, PHMSA estimates there are approximately 3,420 
controllers in the pipeline industry and that it would take 
approximately one hour per year, per employee to document performance 
appraisals. Therefore, PHMSA calculates it would take pipeline 
operators approximately 3,420 hours per year to document employees' 
performance. We estimate it would take a senior official approximately 
one-half hour to review and sign-off on a validation document for each 
controller. PHMSA estimates the annual cost would be between $76,950 
and $153,900 depending on the average wage rate used in the 
calculation. The lower bound uses the average wage rate for a General 
Operations Manager published by the Bureau of Labor Statistics of 
$45.00 per hour ($22.50 per half-hour), while the upper bound uses the 
industry estimates of $90.00 per hour ($45.00 per half-hour). 
Therefore, PHMSA concludes that this proposed rule contains only minor 
additional paperwork burden and procedure implementation.
    Pursuant to 44 U.S.C. 3506(c)(2)(B), the PHMSA solicits comments 
concerning: Whether these information collection requirements are 
necessary for PHMSA to properly perform its functions, including 
whether the information has practical utility; the accuracy of PHMSA's 
estimates of the burden of the information collection requirements; the 
quality, utility, and clarity of the information to be collected; and 
whether the burden of collecting information on those who are to 
respond, including through the use of automated collection techniques 
or other forms of information technology, may be minimized.

Unfunded Mandates Reform Act of 1995

    This proposed rulemaking does not impose unfunded mandates under 
the Unfunded Mandates Reform Act of 1995. It does not result in costs 
of $132 million or more to either State, local, or tribal governments, 
in the aggregate, or to the private sector, and is the least burdensome 
alternative that achieves the objective of the proposed rulemaking.

National Environmental Policy Act

    PHMSA has analyzed the proposed rulemaking for purposes of the 
National Environmental Policy Act (42 U.S.C. 4321 et seq. ) and 
preliminarily determined the proposed rulemaking may provide beneficial 
impacts on the quality of the human environment. If pipeline operators 
comply with the technical elements of the proposed rule, this would 
reduce adverse impacts on the physical environment by reducing the 
number and severity of pipeline releases. For example, by addressing 
the exchange of information at shift change and the length of shifts to 
reduce controller fatigue, pipeline operators could reduce the number 
of incidents and the consequences of releases that may harm the 
physical environment. Similarly, the review of SCADA procedures and 
alarm audits will lead to the use of better technology, which will have 
a positive impact on operator response to abnormal operating 
conditions, accidents, and incidents that have the potential for 
adverse environmental impacts. The following elements of the proposed 
rule will also lead to a better functioning control room and fewer 
possibilities for environmental degradation: Involving controllers when 
planning and implementing changes in operations; maintaining strong 
communications between controllers and field personnel; determining how 
to establish, maintain, and review controller qualifications, abilities 
and performance metrics, with particular attention to response to 
abnormal operating conditions; and analyzing operating experience 
including accidents and incidents for possible involvement of the SCADA 
system, controller performance, and fatigue. PHMSA's analysis suggests 
there are no adverse significant environmental impacts associated with 
the proposed rule. The draft environmental assessment is available for 
review and comment in the docket. PHMSA will make a final determination 
on environmental impact after reviewing the comments on this proposal.

Executive Order 13132

    PHMSA has analyzed the proposed rulemaking according to Executive 
Order 13132 (``Federalism''). The proposal does not have a substantial 
direct effect on the States, the relationship between the national 
government and the States, or the distribution of power and 
responsibilities among the various levels of government. The proposed 
rulemaking does not impose substantial direct compliance costs on State 
and local governments. This proposed regulation would not preempt state 
law for intrastate pipelines. Therefore, the consultation and funding 
requirements of Executive Order 13132 do not apply.

Executive Order 13211

    Transporting gas and hazardous liquids impacts the nation's 
available energy supply. However, this proposed rulemaking is not a 
``significant energy action'' under Executive Order 13211 and is not 
likely to have a significant adverse effect on the supply, 
distribution, or use of energy. Further, the Administrator of the 
Office of Information and Regulatory Affairs has not identified this 
proposal as a significant energy action.

List of Subjects

49 CFR Part 192

    Incorporation by reference, Gas, Natural gas, Pipeline safety, 
Reporting and recordkeeping requirements.

49 CFR Part 193

    Liquefied natural gas, Incorporation by reference, Pipeline safety, 
and Reporting and recordkeeping requirements.

49 CFR Part 195

    Ammonia, Carbon dioxide, Incorporation by reference, Petroleum, 
Pipeline safety, Reporting and recordkeeping requirements.
    For the reasons provided in the preamble, PHMSA proposes to amend 
49 CFR part 192, 193, and 195 as follows:

[[Page 53095]]

PART 192--TRANSPORTATION OF NATURAL GAS AND OTHER GAS BY PIPELINE: 
MINIMUM FEDERAL SAFETY STANDARDS

    1. The authority citation for part 192 is revised to read as 
follows:

    Authority: 49 U.S.C. 5103, 60102, 60104, 60108, 60109, 60110, 
60113, 60116, 60118, and 60137; and 49 CFR 1.53.

    2. In Sec.  192.3, add definitions for ``alarm,'' ``control room,'' 
``controller,'' and ``Supervisory Control and Data Acquisition System 
(SCADA)'' as follows:


Sec.  192.3  Definitions.

* * * * *
    Alarm means an indication provided by SCADA or similar monitoring 
system that a parameter is outside normal or expected operating 
conditions.
    Control room means a central location or local station at which a 
control panel, computerized device, or other instrument is used by a 
controller to monitor or control all or part of a pipeline facility or 
a component of a pipeline facility.
    Controller means an individual who uses a control panel, 
computerized device, or other equipment to monitor or control all or 
part of a pipeline facility that the individual cannot directly observe 
with the naked eye. An individual who operates equipment locally, but 
who cannot see the equipment respond without using a closed circuit 
television system or other external device, is a controller when 
performing this activity regardless of job title or whether actions are 
overseen by another controller or supervisor. An individual who 
performs these functions on a part time basis is considered a 
controller only when performing these functions.
* * * * *
    Supervisory Control and Data Acquisition System (SCADA) means a 
computer-based system that gathers field data, provides a structured 
view of pipeline system or facility operations, and may provide a means 
to control pipeline operations.
* * * * *
    3. In Sec.  192.7, amend the table in paragraph (c)(2) by adding 
item B.(7) to read as follows:


Sec.  192.7  What documents are incorporated by reference partly or 
wholly in this part?

* * * * *
    (c) * * *
    (2) * * *

------------------------------------------------------------------------
 
------------------------------------------------------------------------
 
                              * * * * * * *
B. * * *
(7) API Recommended Practice 1165               Sec.   192.631(c)(1)
 ``Recommended Practice for Pipeline SCADA
 Displays,'' (January 2007).
 
                              * * * * * * *
------------------------------------------------------------------------

    4. Amend Sec.  192.605 by adding paragraph (b)(12) to read as 
follows:


Sec.  192.605  Procedural manual for operations, maintenance, and 
emergencies.

* * * * *
    (b) * * *
    (12) Implementing the applicable control room management procedures 
required by Sec.  192.631.
* * * * *
    5. Amend Sec.  192.615 by adding paragraph (a)(11) to read as 
follows:


Sec.  192.615  Emergency plans.

    (a) * * *
    (11) Actions required to be taken by a controller during an 
emergency in accordance with Sec.  192.631.
* * * * *
    6. Add Sec.  192.631 to subpart L to read as follows:


Sec.  192.631  Control room management.

    (a) General. Each operator of a pipeline facility with at least one 
controller and control room must have and follow written control room 
management procedures that implement the requirements of this section. 
The procedures must be integrated, as appropriate, into the operator's 
written manual of operations and maintenance procedures required by 
Sec.  192.605, written qualification program required by Sec.  192.805, 
and written emergency plans required by Sec.  192.615. The operator 
must develop and implement the procedures no later than the dates in 
the following table.

------------------------------------------------------------------------
                               Develop procedures   Implement procedures
      Control room type                by:                   by:
------------------------------------------------------------------------
(1) Remote operations         [insert date 12       [insert date 24
 (control and/or monitoring)   months after          months after
 of gas transmission           effective date of     effective date of
 pipelines.                    final rule].          final rule].
(2) Remote operations of      [insert date 24       [insert date 30
 equipment within a single     months after          months after
 site (e.g., compressor        effective date of     effective date of
 station).                     final rule].          final rule].
(3) Gas distribution          [insert date 24       [insert date 24
 pipelines.                    months after          months after
                               effective date of     effective date of
                               final rule].          final rule].
(4) Gas pipelines with local  [insert date 30       [insert date 30
 control only.                 months after          months after
                               effective date of     effective date of
                               final rule].          final rule].
(5) Control rooms or local    12 months after       12 months after
 control stations placed in    placement in          placement in
 service after [insert         service.              service.
 effective date of the final
 rule], but before [insert
 date 12 months after the
 effective date of final
 rule].
(6) Control rooms or local    Before placing in     Upon placing in
 control stations placed in    service.              service.
 service after [insert date
 12 months after the
 effective date of final
 rule].
------------------------------------------------------------------------

    (b) Roles and responsibilities. Each operator must define the roles 
and responsibilities of a controller during normal, abnormal, and 
emergency operating conditions. To provide for a controller's prompt 
and appropriate response to operating conditions, each operator must 
define:
    (1) A controller's authority and responsibility to make decisions 
and take actions during normal operations.
    (2) A controller's role when an abnormal operating condition is 
detected, even if the controller is not the first to detect the 
condition, including the controller's responsibility to take

[[Page 53096]]

specific actions and to communicate with others.
    (3) A controller's role during an emergency, even if the controller 
is not the first to detect the emergency, including the controller's 
responsibility to take specific actions and to communicate with others.
    (4) A controller's responsibility to provide timely notification 
and coordination with the operator of another pipeline in a common 
corridor when a leak or failure is suspected, including upon receipt of 
a notification from the public concerning a suspected leak on an asset 
owned or operated by the other company but located in the same common 
corridor or right-of-way.
    (5) A method of recording when a controller is responsible for 
monitoring or controlling any portion of a pipeline facility by 
implementing an individual console or a system log-in feature or by 
documenting in the shift records the time and name of each controller 
who assumed the responsibility during a shift-change or other hand-over 
of responsibility.
    (c) Provide adequate information. Each operator must provide each 
controller with the information necessary for the controller to carry 
out the roles and responsibilities defined by the operator and must 
verify that a controller knows the equipment, components and the 
effects of the controller's actions on the pipeline or pipeline 
facilities under the controller's control. Each operator must:
    (1) Provide a controller with accurate, adequate, and timely data 
concerning operation of the pipeline facility. Wherever a SCADA system 
is used, the operator must implement API RP-1165 (incorporated by 
reference, see Sec.  192.7) in its entirety, unless the operator can 
adequately demonstrate that a provision of API RP-1165 is not 
applicable or is impracticable in the SCADA system used.
    (2) Validate that any SCADA system display accurately depicts field 
equipment configuration by completing all of the following:
    (i) Conduct and document a point-to-point baseline verification 
between field equipment and all SCADA system displays to verify 100 
percent of the system displays. An operator must complete the baseline 
verification no later than [insert date three years after effective 
date of final rule] or by [insert date one year after effective date of 
final rule] for an operator of a pipeline system containing less than 
500 miles of pipeline. An operator may use any documented point-to-
point verification completed after [insert date three years before 
effective date of final rule] to meet some or all of this baseline 
verification. A point-to-point verification must include equipment 
locations, ranges, alarm set-point values, alarm activation, required 
alarm visual or audible response, and proper equipment or software 
response to SCADA system values.
    (ii) Verify that SCADA displays accurately depict field 
configuration when any modification is made to field equipment or 
applicable software and conduct a point-to-point verification for 
associated changes.
    (iii) Perform a point-to-point verification as part of implementing 
a SCADA system change for all portions of the pipeline system or 
facility affected by the change.
    (iv) Develop a plan for systematic re-verification of the accuracy 
of the SCADA system display.
    (3) Establish a means for timely verbal communication among a 
controller, management, and field personnel.
    (4) Identify circumstances that require field personnel to promptly 
notify the controller. These circumstances must include the 
identification by field personnel of a leak or situation that could 
reasonably be expected to develop into an incident if left unaddressed.
    (5) Define and record critical information during each shift.
    (6) Provide for the exchange of information when a shift changes or 
when another controller assumes responsibility for operations for any 
reason.
    (7) Establish sufficient overlap of controller shifts to permit the 
exchange of necessary information.
    (8) Periodically test and verify a backup communication system or 
provide adequate means for manual operation or shutdown of the affected 
portion of the pipeline safely.
    (d) Fatigue mitigation. Each operator must implement methods to 
prevent controller fatigue that could inhibit a controller's ability to 
carry out the roles and responsibilities defined by the operator. To 
protect against the onset of fatigue, each operator must:
    (1) Establish shift lengths and schedule rotations that provide 
controllers off-duty time sufficient to achieve eight hours of 
continuous sleep;
    (2) Educate a controller and his supervisor in fatigue mitigation 
strategies and how off-duty activities contribute to fatigue;
    (3) Train a controller and his supervisor to recognize and mitigate 
the effects of fatigue;
    (4) Implement additional measures to monitor for fatigue when a 
single controller is on duty; and
    (5) Establish a maximum limit on controller hours-of-service, which 
may include an exception during an emergency with appropriate 
management approval. An operator must specify emergency situations for 
which a deviation from the hours-of-service maximum limit is permitted.
    (e) Alarm management. Each operator using a SCADA system must 
assure appropriate controller response to alarms and notifications. An 
operator must:
    (1) Review SCADA operations at least once each week for:
    (i) Events that should have resulted in alarms or event indications 
that did not do so;
    (ii) Proper and timely controller response to alarms or events;
    (iii) Identification of unexplained changes in the number of alarms 
or controller management of alarms;
    (iv) Identification of nuisance alarms;
    (v) Verification that the number of alarms received is not 
excessive;
    (vi) Identification of instances in which alarms were acknowledged 
but associated response actions were inadequate or untimely;
    (vii) Identification of abnormal or emergency operating conditions 
and a review of controller response actions;
    (viii) Identification of system maintenance issues;
    (ix) Identification of systemic problems, server load, or 
communication problems;
    (x) Identification of points that have been taken off scan or that 
have had forced or manual values for extended periods; and
    (xi) Comparison of controller logs or shift notes to SCADA alarm 
records to identify maintenance requirements or training needs.
    (2) Review SCADA configuration and alarm management operations at 
least once each calendar year but at intervals not to exceed 15 months. 
At a minimum, reviews must include consideration of the following 
factors:
    (i) Number of alarms;
    (ii) Potential systemic issues;
    (iii) Unnecessary alarms;
    (iv) Individual controller's performance changes over time 
regarding alarm or event response;
    (v) Alarm indications of abnormal operating conditions;
    (vi) Recurring combinations of abnormal operating conditions and 
the inclusion of such combinations in controller training;
    (vii) Alarm indications of emergency conditions;
    (viii) Individual controller workload;
    (ix) Clarity of alarm descriptors to the controllers so controllers 
fully

[[Page 53097]]

understand the meaning and nature of each alarm; and
    (x) Verification of correct alarm set-point values.
    (3) Promptly address all deficiencies identified in the weekly and 
calendar year SCADA reviews.
    (f) Change management. Each operator must establish thorough and 
frequent communications between a controller, management, and field 
personnel when planning and implementing physical changes to pipeline 
equipment and configuration. Field personnel must be required to 
promptly notify a controller when emergency conditions exist or when 
performing maintenance and making field changes.
    (1) Maintenance procedures must include tracking and repair of 
controller-identified problems with the SCADA system or field 
instrumentation to provide for prompt response.
    (2) SCADA system modifications must be coordinated in advance to 
allow enough time for adequate controller training and familiarization 
unless such modifications are made during an emergency response or 
recovery operation.
    (3) An operator shall seek control room participation when pipeline 
hydraulic or configuration changes are being considered.
    (4) Merger, acquisition, and divestiture plans must be developed 
and used to establish and conduct controller training and qualification 
prior to the implementation of any changes to the controller's 
responsibilities.
    (5) Changes to alarm set-point values, automated routine software, 
and relief valve settings must be communicated to the controller prior 
to implementation.
    (6) An operator must thoroughly document and keep records for each 
of these occurrences.
    (g) Operating experience.
    (1) Each operator must review control room operations following any 
event that must be reported as an incident pursuant to 49 CFR part 191 
to determine and correct, where necessary, deficiencies related to:
    (i) Controller fatigue;
    (ii) Field equipment;
    (iii) The operation of any relief device;
    (iv) Procedures;
    (v) SCADA system configuration;
    (vi) SCADA system performance;
    (vii) Accuracy, timeliness, and portrayal of field information on 
SCADA displays; and
    (viii) Simulator or non-simulator training programs.
    (2) Each operator must establish a definition or threshold for 
close-call events to evaluate event significance. For those events the 
operator determines to be significant, the operator must conduct the 
review required by paragraph (g)(1) of this section and the operator 
must share the information with all controllers.
    (3) Each operator must review the accuracy and timeliness of SCADA 
data and how it is portrayed on displays.
    (h) Training. Each operator must establish a training program and 
review the training program content to identify potential improvements 
at least once each calendar year, but at intervals not to exceed 15 
months. An operator must train each controller to carry out the roles 
and responsibilities defined by the operator. In addition, the training 
program must include the following elements:
    (1) Responding to abnormal operating conditions likely to occur 
simultaneously or in sequence.
    (2) Use of a simulator or non-computerized (tabletop) method to 
train controllers to recognize abnormal operating conditions, in 
particular leak and failure events. Simulations and tabletop exercises 
must include representative communications between controllers and 
individuals that operators would expect to be involved during actual 
events. Controllers will participate in improvement and development of 
tabletop or simulation training scenarios.
    (3) Providing appropriate information to the public and emergency 
response personnel during emergency situations, and informing 
controllers of the information being provided to the public or 
emergency responders under Sec.  192.616 so that the controllers can 
understand the context in which this information will be received.
    (4) On-site visits by controllers to a representative sampling of 
field installations similar to those for which each controller is 
responsible to familiarize themselves with the equipment and with 
station personnel functions.
    (5) Review of procedures for pipeline operating setups that are 
periodically, but infrequently used.
    (6) Hydraulic pipeline training that is sufficient to obtain a 
thorough knowledge of the pipeline system, especially during the 
development of abnormal operating conditions.
    (7) Site specific training on equipment failure modes.
    (8) Specific training on system tools available to determine a leak 
or significant failure and specific training on other operator contact 
protocols when there is reason to suspect a leak in a common pipeline 
corridor or right-of-way.
    (i) Qualification. An operator must have a program in accordance 
with subpart N of this part to determine that each controller is 
qualified. An operator's procedures for the qualification of 
controllers must include provisions to:
    (1) Measure and verify a controller's performance including the 
controller's ability to detect abnormal and emergency conditions 
promptly and to respond appropriately.
    (2) Evaluate a controller's physical abilities, including hearing, 
colorblindness (color perception), and visual acuity, which could 
affect the controller's ability to perform the assigned duties.
    (3) Evaluate a controller's qualifications at least once each 
calendar year, but at intervals not to exceed 15 months.
    (4) Implement methods to address gradual degradation in performance 
or physical abilities in a controller.
    (5) Revoke a controller's qualification for extended time off-duty 
or absence (of a duration determined by the operator based on the 
complexity and significance of the controller's role), inadequate 
performance, impaired physical ability beyond what the operator can 
accommodate, influence of drugs or alcohol, or any other reason 
determined by the operator to be necessary to support the safe 
operation of a pipeline facility.
    (6) Restore a revoked qualification by specifying the circumstances 
for which a complete re-qualification is required, and the 
circumstances for which other means of restoration may be used, such as 
a period of review, shadowing, retraining, or all of these.
    (7) Document when an oral examination is used as the means of 
evaluation, including the topics covered.
    (8) Prohibit individuals without a current controller qualification 
from performing the duties of a controller.
    (j) Validation. An operator must have a senior executive officer 
validate by signature not later than the date by which control room 
management procedures must be implemented (see paragraph (a) of this 
section), and annually thereafter by March 15 of each year, that the 
operator has:
    (1) Conducted a review of controller qualification and training 
programs and has determined both programs to be adequate;
    (2) Permitted only qualified controllers to operate the pipeline;
    (3) Implemented the requirements of this section;

[[Page 53098]]

    (4) Continued to address ergonomic and fatigue factors; and
    (5) Involved controllers in finding ways to sustain and improve 
safety and pipeline integrity through control room management.
    (k) Compliance and deviations. An operator must maintain for review 
during inspection:
    (1) Records that demonstrate compliance with the requirements of 
this section; and
    (2) Documentation of decisions and analyses to support any 
deviation from the procedures required by this section. An operator 
must report any such deviation to PHMSA upon request, or in the case of 
an intrastate pipeline facility regulated by a state, upon request by 
the state pipeline safety authority.
    7. Amend Sec.  192.805 by adding paragraph (j) to read as follows:


Sec.  192.805  Qualification program.

* * * * *
    (j) Incorporate requirements applicable to controller qualification 
in accordance with Sec.  192.631.

PART 193--LIQUEFIED NATURAL GAS FACILITIES: FEDERAL SAFETY 
STANDARDS

    8. The authority citation for part 193 is revised to read as 
follows:

    Authority: 49 U.S.C. 5103, 60102, 60103, 60104, 60108, 60109, 
60110, 60113, 60116 and 60118, and 60137; and 49 CFR 1.53.

    9. In Sec.  193.2007 add definitions for ``alarm,'' ``control 
room,'' ``controller,'' and ``Supervisory Control and Data Acquisition 
System (SCADA)'' as follows:


Sec.  193.2007   Definitions.

* * * * *
    Alarm means an indication provided by SCADA or similar monitoring 
system that a parameter is outside normal or expected operating 
conditions.
* * * * *
    Control room means a central location or local station at which a 
control panel, computerized device, or other instrument is used by a 
controller to monitor or control all or part of an LNG plant.
    Controller means an individual who uses a control panel, 
computerized device, or other equipment to monitor or control all or 
part of an LNG plant that the individual cannot directly observe with 
the naked eye. An individual who operates equipment locally, but who 
cannot see the equipment respond without using a closed circuit 
television system or other external device, is a controller when 
performing this activity regardless of job title or whether actions are 
overseen by another controller or supervisor. An individual who 
performs these functions on a part time basis is considered a 
controller only when performing these functions.
* * * * *
    Supervisory Control and Data Acquisition System (SCADA) means a 
computer-based system that gathers field data, provides a structured 
view of pipeline system or facility operations, and may provide a means 
to control facility operations.
* * * * *
    10. Amend Sec.  193.2013 by adding item F. to the list in paragraph 
(b) and by adding item F. to the table in paragraph (c) to read as 
follows:


Sec.  193.2013   Incorporation by reference.

* * * * *
    (b) * * *
    F. American Petroleum Institute (API), 1220 L Street, NW., 
Washington, DC 20005-4070.
    (c) * * *

------------------------------------------------------------------------
 
------------------------------------------------------------------------
 
                              * * * * * * *
F. American Petroleum Institute (API): (1)     Sec.   193.2523(c)(1)
 API Recommended Practice 1165 ``Recommended
 Practice for Pipeline SCADA Displays,''
 (January 2007).
------------------------------------------------------------------------

    11. Revise Sec.  193.2441 to read as follows:


Sec.  193.2441  Control room.

    Each LNG plant must have a control room from which operations and 
warning devices are monitored as required by this part. A control room 
must have the following capabilities and characteristics:
    (a) It must be located apart or protected from other LNG facilities 
so that it is operational during a controllable emergency.
    (b) Each remotely actuated control system and each automatic 
shutdown control system required by this part must be operable from the 
control room.
    (c) Each control room must have personnel in continuous attendance 
while any of the components under its control are in operation, unless 
the control is being performed from another control room that has 
personnel in continuous attendance.
    (d) If more than one control room is located at an LNG Plant, each 
control room must have more than one means of communication with each 
other control room.
    (e) Each control room must have a means of communicating a warning 
of hazardous conditions to other locations within the plant frequented 
by personnel.
    12. Amend Sec.  193.2503 by adding paragraph (h) to read as 
follows:


Sec.  193.2503   Operating procedures.

* * * * *
    (h) Implementing the applicable control room management procedures 
required by Sec.  193.2523.
    13. Amend Sec.  193.2509 by adding paragraph (b)(5) to read as 
follows:


Sec.  193.2509   Emergency procedures.

* * * * *
    (b) * * *
    (5) Actions required to be taken by a controller during an 
emergency in accordance with Sec.  193.2523.
    14. Add Sec.  193.2523 to subpart F to read as follows:


Sec.  193.2523   Control room management.

    (a) General. Each operator must have and follow written control 
room management procedures that implement the requirements of this 
section. The procedures must be integrated, as appropriate, into the 
written operating procedures manuals required by Sec.  193.2503, 
written emergency procedures required by Sec.  193.2509, and written 
training plans required by Sec.  193.2713. For LNG plants that exist on 
[insert effective date of final rule], operators must develop the 
procedures by [insert date 12 months after effective date of final 
rule] and implement them by [insert date 24 months after effective date 
of final rule]. For LNG plants placed in service after [insert 
effective date of final rule], but before [insert date 12 months after 
effective date of final rule], procedures must be developed and 
implemented no later than 12 months after placing the plant in service. 
For LNG plants placed in service after [insert date 12 months after the 
effective date of final rule], procedures must be developed before

[[Page 53099]]

the plant begins operation and must be implemented when operations 
commence.
    (b) Roles and responsibilities. Each operator must define the roles 
and responsibilities of a controller during normal, abnormal, and 
emergency operating conditions. To provide for a controller's prompt 
and appropriate response to operating conditions, each operator must 
define:
    (1) A controller's authority and responsibility to make decisions 
and take actions during normal operations.
    (2) A controller's role when an abnormal operating condition is 
detected, even if the controller is not the first to detect the 
condition, including the controller's responsibility to take specific 
actions and to communicate with others.
    (3) A controller's role during an emergency, even if the controller 
is not the first to detect the emergency, including the controller's 
responsibility to take specific actions and to communicate with others.
    (4) A method of recording when a controller is responsible for 
monitoring or controlling a pipeline facility or portion thereof by 
implementing an individual console or a system log-in feature or by 
documenting in the shift records the time and name of each controller 
who assumed the responsibility during a shift-change or other hand-over 
of responsibility.
    (c) Provide adequate information. Each operator must provide each 
controller with the information necessary for the controller to carry 
out the roles and responsibilities defined by the operator and must 
verify that a controller knows the equipment, components, and the 
effects of the controller's actions on the facilities under the 
controller's control. Each operator must:
    (1) Provide a controller with accurate, adequate, and timely data 
concerning operation of the facility. Wherever a SCADA system is used, 
the operator must implement API RP-1165 (incorporated by reference, see 
Sec.  193.2013) in its entirety, unless the operator can adequately 
demonstrate that a provision of API RP-1165 is not applicable or is 
impracticable in the SCADA system used.
    (2) Validate that any SCADA system display accurately depicts field 
equipment configuration by completing all of the following:
    (i) Conduct and document a baseline point-to-point verification 
between field equipment and all SCADA system displays to verify 100 
percent of the system displays. An operator must complete the baseline 
verification no later than [insert date 2 years after effective date of 
final rule]. An operator may use any documented point-to-point 
verification completed after [insert date three years before effective 
date of final rule] to meet some or all of this baseline verification. 
A point-to-point verification must include equipment locations, ranges, 
alarm set-point values, alarm activation, required alarm visual or 
audible response, and proper equipment or software response to SCADA 
system value.
    (ii) Verify that SCADA displays accurately depict field 
configuration when any modification is made to field equipment or 
applicable software and conduct a point-to-point verification for 
associated changes.
    (iii) Perform a point-to-point verification as part of implementing 
a SCADA system change for all portions of the LNG facility affected by 
the change.
    (iv) Develop a plan for systematic re-verification of the accuracy 
of the SCADA system display.
    (3) Establish a means for timely verbal communication among a 
controller, management, and field personnel.
    (4) Identify circumstances that require field personnel to promptly 
notify the controller. These circumstances must include the 
identification by field personnel of a leak or situation that could 
reasonably be expected to develop into an incident if left unaddressed.
    (5) Define and record critical information during each shift.
    (6) Provide for the exchange of information when a shift changes or 
when another controller assumes responsibility for operations for any 
reason.
    (7) Establish sufficient overlap of controller shifts to permit the 
exchange of necessary information.
    (d) Fatigue mitigation. Each operator must implement methods to 
prevent controller fatigue that could inhibit a controller's ability to 
carry out the roles and responsibilities defined by the operator. To 
protect against the onset of fatigue, each operator must:
    (1) Establish shift lengths and schedule rotations that provide 
controllers off-duty time sufficient to achieve eight hours of 
continuous sleep;
    (2) Educate a controller and the controller's supervisor in fatigue 
mitigation strategies and how off-duty activities contribute to 
fatigue;
    (3) Train a controller and his supervisor to recognize and mitigate 
the effects of fatigue;
    (4) Implement additional measures to monitor for fatigue when a 
single controller is on duty; and
    (5) Establish a maximum limit on controller hours-of-service, which 
may include an exception during an emergency with appropriate 
management approval. An operator must specify emergency situations for 
which a deviation from the hours-of-service maximum limit is permitted.
    (e) Alarm management. Each operator using a SCADA system must 
assure appropriate controller response to alarms and notifications. An 
operator must:
    (1) Review SCADA operations at least once each week for:
    (i) Events that should have resulted in alarms or event indications 
that did not do so;
    (ii) Proper and timely controller response to alarms or events;
    (iii) Identification of unexplained changes in the number of alarms 
or controller management of alarms;
    (iv) Identification of nuisance alarms;
    (v) Verification that the number of alarms received is not 
excessive;
    (vi) Identification of instances in which alarms were acknowledged 
but associated response actions were inadequate or untimely;
    (vii) Identification of abnormal or emergency operating conditions 
and a review of controller response actions;
    (viii) Identification of system maintenance issues;
    (ix) Identification of systemic problems, server load, or 
communication problems;
    (x) Identification of points that have been taken off scan or that 
have had forced or manual values for extended periods; and
    (xi) Comparison of controller logs or shift notes to SCADA alarm 
records to identify maintenance requirements or training needs.
    (2) Review SCADA configuration and alarm management operations at 
least once each calendar year but at intervals not to exceed 15 months. 
At a minimum, reviews must include consideration of the following 
factors:
    (i) Number of alarms;
    (ii) Potential systemic issues;
    (iii) Unnecessary alarms;
    (iv) Individual controller's performance changes over time 
regarding alarm or event response;
    (v) Alarm indications of abnormal operating conditions;
    (vi) Recurring combinations of abnormal operating conditions and 
the inclusion of such combinations in controller training;
    (vii) Alarm indications of emergency conditions;
    (viii) Individual controller workload;
    (ix) Clarity of alarm descriptors to the controllers so controllers 
fully

[[Page 53100]]

understand the meaning and nature of each alarm; and
    (x) Verification of correct alarm set-point values.
    (3) Promptly address all deficiencies identified in the weekly and 
calendar year SCADA reviews.
    (f) Change management. Each operator must establish thorough and 
frequent communications between a controller, management, and field 
personnel when planning and implementing physical changes to facility 
equipment and configuration. Field personnel must be required to 
promptly notify a controller when emergency conditions exist or when 
performing maintenance and making field changes.
    (1) Maintenance procedures must include tracking and repair of 
controller-identified problems with the SCADA system or field 
instrumentation to provide for prompt response.
    (2) SCADA system modifications must be coordinated in advance to 
allow enough time for adequate controller training and familiarization 
unless such modifications are made during an emergency response or 
recovery operation.
    (3) An operator shall seek control room participation when LNG 
plant hydraulic or configuration changes are being considered.
    (4) Merger, acquisition, and divestiture plans must be developed 
and used to establish and conduct controller training and qualification 
prior to the implementation of any changes to the controller's 
responsibilities.
    (5) Changes to alarm set-point values, automated routine software, 
and relief valve settings must be communicated to the controller prior 
to implementation.
    (6) An operator must thoroughly document and keep records for each 
of these occurrences.
    (g) Operating experience.
    (1) Each operator must review control room operations following any 
event that must be reported as an incident pursuant to 49 CFR part 191 
to determine and correct, where necessary, deficiencies related to:
    (i) Controller fatigue;
    (ii) Field equipment;
    (iii) The operation of any relief device;
    (iv) Procedures;
    (v) SCADA system configuration;
    (vi) SCADA system performance;
    (vii) Accuracy, timeliness, and portrayal of field information on 
SCADA displays; and
    (viii) Simulator or non-simulator training programs.
    (2) Each operator must establish a definition or threshold for 
close-call events to evaluate event significance. For those events the 
operator determines to be significant, the operator must conduct the 
review required by paragraph (g)(1) of this section and the operator 
must share the information with all controllers.
    (3) Each operator must review the accuracy and timeliness of SCADA 
data and how it is portrayed on displays.
    (h) Training. Each operator must establish a training program and 
review the training program content to identify potential improvements 
at least once each calendar year, but at intervals not to exceed 15 
months. An operator must train each controller to carry out the roles 
and responsibilities defined by the operator. In addition, the training 
program must include the following elements:
    (1) Responding to abnormal operating conditions likely to occur 
simultaneously or in sequence.
    (2) Use of a simulator or non-computerized (tabletop) method to 
train controllers to recognize abnormal operating conditions, in 
particular leak and failure events. Simulations and tabletop exercises 
must include representative communications between controllers and 
individuals that operators would expect to be involved during actual 
events. Controllers will participate in improvement and development of 
tabletop or simulation training scenarios.
    (3) Providing appropriate information to the public and emergency 
response personnel during emergency situations, and informing 
controllers of the information being provided to the public or 
emergency responders per the operator's procedures, if any, so that the 
controllers can understand the context in which this information will 
be received.
    (4) Review of procedures for LNG operating configurations that are 
periodically, but infrequently used.
    (5) Hydraulic pipeline training that is sufficient to obtain a 
thorough knowledge of the LNG plant's system, especially during the 
development of abnormal operating conditions.
    (6) Site specific site training on equipment failure modes.
    (7) Specific training on system tools available to determine a leak 
or significant failure.
    (i) Qualification. An operator must have a program in accordance 
with Sec.  193.2707 to determine that each controller is qualified. An 
operator's procedures for the qualification of controllers must include 
provisions to:
    (1) Measure and verify a controller's performance including the 
controller's ability to detect abnormal and emergency conditions 
promptly and to respond appropriately.
    (2) Evaluate a controller's physical abilities, including hearing, 
colorblindness (color perception), and visual acuity, which could 
affect the controller's ability to perform the assigned duties.
    (3) Evaluate a controller's qualifications at least once each 
calendar year, but at intervals not to exceed 15 months.
    (4) Implement methods to address gradual degradation in performance 
or physical abilities in a controller.
    (5) Revoke a controller's qualification for extended time off-duty 
or absence (of a duration determined by the operator based on the 
complexity and significance of the controller's role), inadequate 
performance, impaired physical ability beyond what the operator can 
accommodate, influence of drugs or alcohol, or any other reason 
determined by the operator to be necessary to support the safe 
operation of an LNG plant.
    (6) Restore a revoked qualification by specifying the circumstances 
for which a complete re-qualification is required, and the 
circumstances for which other means of restoration may be used, such as 
a period of review, shadowing, retraining, or all of these.
    (7) Document when an oral examination is used as the means of 
evaluation, including the topics covered.
    (8) Prohibit individuals without a current controller qualification 
from performing the duties of a controller.
    (j) Validation. An operator must have a senior executive officer 
validate by signature not later than the date by which control room 
management procedures must be implemented (see paragraph (a) of this 
section), and annually thereafter by March 15 of each year, that the 
operator has:
    (1) Conducted a review of controller qualification and training 
programs and has determined both programs to be adequate;
    (2) Permitted only qualified controllers to operate the LNG plant;
    (3) Implemented the requirements of this section;
    (4) Continued to address ergonomic and fatigue factors; and
    (5) Involved controllers in finding ways to sustain and improve 
safety through control room management.
    (k) Compliance and deviations. An operator must maintain for review 
during inspection:
    (1) Records that demonstrate compliance with the requirements of 
this section; and
    (2) Documentation of decisions and analyses to support any 
deviation from

[[Page 53101]]

the procedures required by this section. An operator must report any 
such deviation to PHMSA upon request, or in the case of an intrastate 
pipeline facility regulated by a state, upon request by the state 
pipeline safety authority.
    15. Amend Sec.  193.2713 by adding paragraph (a)(4) to read as 
follows:


Sec.  193.2713  Training: operations and maintenance.

* * * * *
    (a) * * *
    (4) All controllers to carry out the control room management 
procedures under Sec.  193.2523 that relate to their assigned 
functions.
* * * * *

PART 195--TRANSPORTATION OF HAZARDOUS LIQUIDS BY PIPELINE

    16. The authority citation for part 195 is revised to read as 
follows:

    Authority: 49 U.S.C. 5103, 60102, 60104, 60108, 60109, 60116, 
60118, and 60137; and 49 CFR 1.53.

    17. In Sec.  195.2, add definitions for ``alarm'' ``control room,'' 
``controller,'' and ``Supervisory Control and Data Acquisition System 
(SCADA)'' as follows:


Sec.  195.2  Definitions.

* * * * *
    Alarm means an indication provided by SCADA or similar monitoring 
system that a parameter is outside normal or expected operating 
conditions.
* * * * *
    Control room means a central location or local station at which a 
control panel, computerized device, or other instrument is used by a 
controller to monitor or control all or part of a pipeline facility or 
a component of a pipeline facility.
    Controller means an individual who uses a control panel, 
computerized device, or other equipment to monitor or control all or 
part of a pipeline facility that the individual cannot directly observe 
with the naked eye. An individual who operates equipment locally, but 
who cannot see the equipment respond without using a closed circuit 
television system or other external device, is a controller when 
performing this activity regardless of job title or whether actions are 
overseen by another controller or supervisor. An individual who 
performs these functions on a part time basis is considered a 
controller only when performing these functions.
* * * * *
    Supervisory Control and Data Acquisition System (SCADA) means a 
computer-based system that gathers field data, provides a structured 
view of pipeline system or facility operations, and may provide a means 
to control pipeline operations.
* * * * *
    18. In Sec.  195.3(c), amend the table by adding item B.(18) to 
read as follows:


Sec.  195.3  Incorporation by reference.

* * * * *
    (c) * * *

------------------------------------------------------------------------
 
------------------------------------------------------------------------
 
                              * * * * * * *
B. * * *
(18) API Recommended Practice 1165              Sec.   195.454(c)(1)
 ``Recommended Practice for Pipeline SCADA
 Displays,'' (January 2007).
 
                              * * * * * * *
------------------------------------------------------------------------

    19. Amend Sec.  195.402 by adding paragraphs (c)(15) and (e)(10) to 
read as follows:


Sec.  195.402  Procedural manual for operations, maintenance, and 
emergencies.

* * * * *
    (c) * * *
    (15) Implementing the applicable control room management procedures 
required by Sec.  195.454.
* * * * *
    (e) * * *
    (10) Implementing actions required to be taken by a controller 
during an emergency, in accordance with Sec.  195.454.
* * * * *
    20. Add Sec.  195.454 to subpart F to read as follows:


Sec.  195.454  Control room management.

    (a) General. Each operator of a pipeline facility with at least one 
controller and control room must have and follow written control room 
management procedures that implement the requirements of this section. 
The procedures must be integrated, as appropriate, into the operator's 
written manuals of procedures required by Sec.  195.402, and written 
qualification program required by Sec.  195.505. The operator must 
develop and implement the procedures no later than the dates in the 
table below.

------------------------------------------------------------------------
                               Develop procedures   Implement procedures
      Control room type                by:                   by:
------------------------------------------------------------------------
(1) Remote operations         [insert date 12       [insert date 24
 (control and/or monitoring)   months after          months after
 of pipelines.                 effective date of     effective date of
                               final rule].          final rule].
(2) Remote operations of      [insert date 24       [insert date 30
 equipment within a single     months after          months after
 site (e.g., pump station).    effective date of     effective date of
                               final rule].          final rule].
(3) Pipelines with local      [insert date 30       [insert date 30
 control only.                 months after          months after
                               effective date of     effective date of
                               final rule].          final rule].
(4) Control rooms or local    12 months after       12 months after
 control stations placed in    placement in          placement in
 service after [insert         service.              service.
 effective date of the final
 rule], but before [insert
 date 12 months after the
 effective date of final
 rule].
(5) Control rooms or local    Before placing in     Upon placing in
 control stations placed in    service.              service.
 service after [insert date
 12 months after the
 effective date of final
 rule].
------------------------------------------------------------------------

    (b) Roles and responsibilities. Each operator must define the roles 
and responsibilities of a controller during normal, abnormal, and 
emergency operating conditions. To provide for a controller's prompt 
and appropriate response to operating conditions, each operator must 
define:
    (1) A controller's authority and responsibility to make decisions 
and take actions during normal operations.

[[Page 53102]]

    (2) A controller's role when an abnormal operating condition is 
detected, even if the controller is not the first to detect the 
condition, including the controller's responsibility to take specific 
actions and to communicate with others.
    (3) A controller's role during an emergency, even if the controller 
is not the first to detect the emergency, including the controller's 
responsibility to take specific actions and to communicate with others.
    (4) A controller's responsibility to provide timely notification 
and coordination with the operator of another pipeline in a common 
corridor when a leak or failure is suspected, including upon receipt of 
a notification from the public concerning a suspected leak on an asset 
owned or operated by the other company but located in the same common 
corridor or right-of-way.
    (5) A method of recording when a controller is responsible for 
monitoring or controlling any portion of a pipeline facility by 
implementing an individual console or a system log-in feature or by 
documenting in the shift records the time and name of each controller 
who assumed the responsibility during a shift-change or other hand-over 
of responsibility.
    (c) Provide adequate information. Each operator must provide each 
controller with the information necessary for the controller to carry 
out the roles and responsibilities defined by the operator and must 
verify that a controller knows the equipment, components and the 
effects of the controller's actions on the pipeline or pipeline 
facilities under the controller's control. Each operator must:
    (1) Provide a controller with accurate, adequate, and timely data 
concerning operation of the pipeline facility. Wherever a SCADA system 
is used, the operator must implement API RP-1165 (incorporated by 
reference, see Sec.  195.3) in its entirety, unless the operator can 
adequately demonstrate that a provision of API RP-1165 is not 
applicable or is impracticable in the SCADA system used.
    (2) Validate that any SCADA system display accurately depicts field 
equipment configuration by completing all of the following:
    (i) Conduct and document a point-to-point baseline verification 
between field equipment and all SCADA system displays to verify 100 
percent of the system displays. An operator must complete the baseline 
verification no later than [insert date three years after effective 
date of final rule] or by [insert date one year after effective date of 
final rule] for an operator of a pipeline system containing less than 
500 miles of pipeline. An operator may use any documented point-to-
point verification completed after [insert date three years before 
effective date of final rule] to meet some or all of this baseline 
verification. A point-to-point verification must include equipment 
locations, ranges, alarm set-point values, alarm activation, required 
alarm visual or audible response, and proper equipment or software 
response to SCADA system values.
    (ii) Verify that SCADA displays accurately depict field 
configuration when any modification is made to field equipment or 
applicable software and conduct a point-to-point verification for 
associated changes.
    (iii) Perform a point-to-point verification as part of implementing 
a SCADA system change for all portions of the pipeline system or 
facility affected by the change.
    (iv) Develop a plan for systematic re-verification of the accuracy 
of the SCADA system display.
    (3) Establish a means for timely verbal communication among a 
controller, management, and field personnel.
    (4) Identify circumstances that require field personnel to promptly 
notify the controller. These circumstances must include the 
identification by field personnel of a leak or situation that could 
reasonably be expected to develop into an accident if left unaddressed.
    (5) Define and record critical information during each shift.
    (6) Provide for the exchange of information when a shift changes or 
when another controller assumes responsibility for operations for any 
reason.
    (7) Establish sufficient overlap of controller shifts to permit the 
exchange of necessary information.
    (8) Periodically test and verify a backup communication system or 
provide adequate means for manual operation or shutdown of the affected 
portion of the pipeline safely.
    (d) Fatigue mitigation. Each operator must implement methods to 
prevent controller fatigue that could inhibit a controller's ability to 
carry out the roles and responsibilities defined by the operator. To 
protect against the onset of fatigue, each operator must:
    (1) Establish shift lengths and schedule rotations that provide 
controllers off-duty time sufficient to achieve eight hours of 
continuous sleep;
    (2) Educate a controller and his supervisor in fatigue mitigation 
strategies and how off-duty activities contribute to fatigue;
    (3) Train a controller and his supervisor to recognize and mitigate 
the effects of fatigue;
    (4) Implement additional measures to monitor for fatigue when a 
single controller is on duty; and
    (5) Establish a maximum limit on controller hours-of-service, which 
may include an exception during an emergency with appropriate 
management approval. An operator must specify emergency situations for 
which a deviation from the hours-of-service maximum limit is permitted.
    (e) Alarm management. Each operator using a SCADA system must 
assure appropriate controller response to alarms and notifications. An 
operator must:
    (1) Review SCADA operations at least once each week for:
    (i) Events that should have resulted in alarms or event indications 
that did not do so;
    (ii) Proper and timely controller response to alarms or events;
    (iii) Identification of unexplained changes in the number of alarms 
or controller management of alarms;
    (iv) Identification of nuisance alarms;
    (v) Verification that the number of alarms received is not 
excessive;
    (vi) Identification of instances in which alarms were acknowledged 
but associated response actions were inadequate or untimely;
    (vii) Identification of abnormal or emergency operating conditions 
and a review of controller response actions;
    (viii) Identification of system maintenance issues;
    (ix) Identification of systemic problems, server load, or 
communication problems;
    (x) Identification of points that have been taken off scan or that 
have had forced or manual values for extended periods; and
    (xi) Comparison of controller logs or shift notes to SCADA alarm 
records to identify maintenance requirements or training needs.
    (2) Review SCADA configuration and alarm management operations at 
least once each calendar year but at intervals not to exceed 15 months. 
At a minimum, reviews must include consideration of the following 
factors:
    (i) Number of alarms;
    (ii) Potential systemic issues;
    (iii) Unnecessary alarms;
    (iv) Individual controller's performance changes over time 
regarding alarm or event response;
    (v) Alarm indications of abnormal operating conditions;
    (vi) Recurring combinations of abnormal operating conditions and 
the inclusion of such combinations in controller training;

[[Page 53103]]

    (vii) Alarm indications of emergency conditions;
    (viii) Individual controller workload;
    (ix) Clarity of alarm descriptors to the controllers so controllers 
fully understand the meaning and nature of each alarm; and
    (x) Verification of correct alarm set-point values.
    (3) Promptly address all deficiencies identified in the weekly and 
calendar year SCADA reviews.
    (f) Change management. Each operator must establish thorough and 
frequent communications between a controller, management, and field 
personnel when planning and implementing physical changes to pipeline 
equipment and configuration. Field personnel must be required to 
promptly notify a controller when emergency conditions exist or when 
performing maintenance and making field changes.
    (1) Maintenance procedures must include tracking and repair of 
controller-identified problems with the SCADA system or field 
instrumentation to provide for prompt response.
    (2) SCADA system modifications must be coordinated in advance to 
allow enough time for adequate controller training and familiarization 
unless such modifications are made during an emergency response or 
recovery operation.
    (3) An operator shall seek control room participation when pipeline 
hydraulic or configuration changes are being considered.
    (4) Merger, acquisition, and divestiture plans must be developed 
and used to establish and conduct controller training and qualification 
prior to the implementation of any changes to the controller's 
responsibilities.
    (5) Changes to alarm set-point values, automated routine software, 
and relief valve settings must be communicated to the controller prior 
to implementation.
    (6) An operator must thoroughly document and keep records for each 
of these occurrences.
    (g) Operating experience.
    (1) Each operator must review control room operations following any 
event that must be reported as an accident pursuant to Sec.  195.50 
determine and correct, where necessary, deficiencies related to:
    (i) Controller fatigue;
    (ii) Field equipment;
    (iii) The operation of any relief device;
    (iv) Procedures;
    (v) SCADA system configuration;
    (vi) SCADA system performance;
    (vii) Accuracy, timeliness, and portrayal of field information on 
SCADA displays; and
    (viii) Simulator or non-simulator training programs.
    (2) Each operator must establish a definition or threshold for 
close-call events to evaluate event significance. For those events the 
operator determines to be significant, the operator must conduct the 
review required by paragraph (g)(1) of this section and the operator 
must share the information with all controllers.
    (3) Each operator must review the accuracy and timeliness of SCADA 
data and how it is portrayed on displays.
    (h) Training. Each operator must establish a training program and 
review the training program content to identify potential improvements 
at least once each calendar year, but at intervals not to exceed 15 
months. An operator must train each controller to carry out the roles 
and responsibilities defined by the operator. In addition, the training 
program must include the following elements:
    (1) Responding to abnormal operating conditions likely to occur 
simultaneously or in sequence.
    (2) Use of a simulator or non-computerized (tabletop) method to 
train controllers to recognize abnormal operating conditions, in 
particular leak and failure events. Simulations and tabletop exercises 
must include representative communications between controllers and 
individuals that operators would expect to be involved during actual 
events. Controllers will participate in improvement and development of 
tabletop or simulation training scenarios.
    (3) Providing appropriate information to the public and emergency 
response personnel during emergency situations, and informing 
controllers of the information being provided to the public or 
emergency responders under Sec.  195.440 so that the controllers can 
understand the context in which this information will be received.
    (4) On-site visits by controllers to a representative sampling of 
field installations similar to those for which each controller is 
responsible to familiarize themselves with the equipment and with 
station personnel functions.
    (5) Review of procedures for pipeline operating setups that are 
periodically, but infrequently used.
    (6) Hydraulic pipeline training that is sufficient to obtain a 
thorough knowledge of the pipeline system, especially during the 
development of abnormal operating conditions.
    (7) Site specific training on equipment failure modes.
    (8) Specific training on system tools available to determine a leak 
or significant failure and specific training on other operator contact 
protocols when there is reason to suspect a leak in a common pipeline 
corridor or right-of-way.
    (i) Qualification. An operator must have a program in accordance 
with subpart G of this part to determine that each controller is 
qualified. An operator's procedures for the qualification of 
controllers must include provisions to:
    (1) Measure and verify a controller's performance including the 
controller's ability to detect abnormal and emergency conditions 
promptly, and to respond appropriately.
    (2) Evaluate a controller's physical abilities, including hearing, 
colorblindness (color perception), and visual acuity, which could 
affect the controller's ability to perform the assigned duties.
    (3) Evaluate a controller's qualifications at least once each 
calendar year, but at intervals not to exceed 15 months.
    (4) Implement methods to address gradual degradation in performance 
or physical abilities in a controller.
    (5) Revoke a controller's qualification for extended time off-duty 
or absence (of a duration determined by the operator based on the 
complexity and significance of the controller's role), inadequate 
performance, impaired physical ability beyond what the operator can 
accommodate, influence of drugs or alcohol, or any other reason 
determined by the operator to be necessary to support the safe 
operation of a pipeline facility.
    (6) Restore a revoked qualification by specifying the circumstances 
for which a complete re-qualification is required, and the 
circumstances for which other means of restoration may be used, such as 
a period of review, shadowing, retraining, or all of these.
    (7) Document when an oral examination is used as the means of 
evaluation, including the topics covered.
    (8) Prohibit individuals without a current controller qualification 
from performing the duties of a controller.
    (j) Validation. An operator must have a senior executive officer 
validate by signature not later than the date by which control room 
management procedures must be implemented (see paragraph (a) of this 
section), and annually thereafter by June 15 of each year, that the 
operator has:
    (1) Conducted a review of controller qualification and training 
programs and has determined both programs to be adequate;

[[Page 53104]]

    (2) Permitted only qualified controllers to operate the pipeline;
    (3) Implemented the requirements of this section;
    (4) Continued to address ergonomic and fatigue factors; and
    (5) Involved controllers in finding ways to sustain and improve 
safety and pipeline integrity through control room management.
    (k) Compliance and deviations. An operator must maintain for review 
during inspection:
    (1) Records that demonstrate compliance with the requirements of 
this section; and
    (2) Documentation of decisions and analyses to support any 
deviation from the procedures required by this section. An operator 
must report any such deviation to PHMSA upon request, or in the case of 
an intrastate pipeline facility regulated by a state, upon request by 
the state pipeline safety authority.
    21. Amend Sec.  195.505 by adding paragraph (j) to read as follows:


Sec.  195.505   Qualification program.

* * * * *
    (j) Incorporate requirements applicable to controller qualification 
in accordance with Sec.  195.454.

    Issued in Washington, DC, on September 2, 2008.
Jeffrey D. Wiese,
Associate Administrator for Pipeline Safety.
 [FR Doc. E8-20701 Filed 9-11-08; 8:45 am]
BILLING CODE 4910-60-P