This part of the risk analysis is concerned with specifying which asset the study will apply to. The system can be a pipeline or the process piping system within an industrial plant. The type of system is also related to the type of information to be collected.

Relevant information is collected to identify hazards, threats and critical locations, for example, high consequence areas (HCA). The information is collected by means of field trips with specialized personnel and equipment and adequate planning. The minimum information required includes:

- Pipeline characteristics.

- Design and construction data.

- Process flow diagrams.

- Environment characteristics.

- Operating data.

- Inspection, monitoring, repair, and maintenance records.

- Change management histories.

- Specific studies such as HAZOP (Hazard and Operability Analysis), RCM (Reliability Centred Maintenance), geotechnical diagnostics.

- Other.

The precision and accuracy of the input data for the risk assessment has a direct influence on its results, especially in relation to the accuracy of the results obtained. It is recommended that the information be uploaded and stored in a geo-referenced digital database and/or a geographic information system, which allows the results of the risk analysis to be easily visualized.

Segmentation refers to the identification of similar characteristics that allow a system to be divided into parts or components with the same expectation of deterioration. It can be segmented by parameters associated with the asset or with the environment, as shown in Table 1.

Once the information has been collected, reviewed, and integrated, the hazards that can evolve and become threats to the integrity of the pipeline are identified. The threats that can affect pipeline integrity are grouped into twelve (12) categories, classified according to NTC 5901 [4], API 1160 [5], and ASME B31.8S [6]. A general classification according to their time-dependence of threats to pipeline integrity is shown in Table 2.

Among the methods used to perform the identification are:

- Structured methods, such as operational hazard studies (HAZOP) and failure mode and effects analysis (FMEA).

- Comparative methods, such as checklists, hazard indices, and reviews of in-house or industry failure histories.

- Methods that provide a logical path, such as fault tree analysis.

Overview. The PoF model discussed in this paper corresponds to a new way that establishes relationships among failures inducing factors, their corresponding failures times and failure phenomena by understanding the physical process leading to the failure mechanism. This was introduced by Kent Muhlbauer on pipelines, called the risk triad or Quantitative Risk Reference Model algorithm, as shown on the left side of Figure 2, in which the variables that affect the PoF are classified in three factors: exposure factor, mitigation factor and resistance factor measured or estimated in verifiable and commonly used units of measurement [7], [8], [9], [10].

- Exposure (attack) factor: refers to the type and unmitigated aggressiveness of each process that can precipitate failure (the component is taken to be completely unprotected and highly vulnerable to failure). It is expressed in units of "events per time and distance", i.e., events/km-year or events/mile-year. In other words, an exposure event is an event that, in the absence of mitigation and resistance, will result in a failure. To estimate exposure, the component is taken to be completely unprotected and highly vulnerable to a failure.

- Mitigation factor (defense): refers to the type and effectiveness of each mitigation measure designed to block or reduce an exposure. It is measured in units of percentage (%).

- Resistance factor: refers to the measure or estimate of the system's ability to absorb damage without failure. In other words, it is the ability of the system to resist failure in the presence of the failure mechanism. It is measured in units of percent (%).

Mitigation and resistance are measured in units of %, which represents "fraction of damage or failure scenarios avoided". For example, a mitigation effectiveness of 90% means that 9 of the next 10 exposures will not result in damage. A resistance of 60% means that 40% of the following damage scenarios will result in failure, 60% will not.

This model uses the same data as the qualitative and semi-quantitative approaches to help with continuity and keep conversion costs down but uses them in a different way. The modifications to the main algorithm consist of simple, straightforward changes to the categorization of variables and the mathematics used to combine them to calculate risk scores. The new algorithms are easily set up and run-in spreadsheets or a desktop database, i.e., no specialized software is needed.

Among the advantages of this algorithm are it allows differentiation between absolute exposure to a hazard, mitigation effectiveness and system resistance, which leads directly to better risk management decisions; it eliminates the need to reweight variables; and it allows greater flexibility to present results in absolute (probabilistic) or relative terms, depending on the user's needs. However, the new assessments are more verifiable and defensible, as they are based on absolute rather than relative terms, although it requires investing some time and energy in establishing the new assessment model with legitimate values for the systems being assessed [7], [8], [9], [10].

Table 3 summarizes the units used in the model for time-independent hazards such as third-party damage and those associated with weather and external forces.

Table 4 summarizes the units used in the model for time-dependent hazards such as internal corrosion and external corrosion, specifically mils per year (mpy), where mils is one thousandth of an inch. The mpy values lead to an estimate of Time To Failure (TTF), define as the time period before failure would occur, under the wall loss and available strength assumptions. In other words, TTF is the time before the pipeline fails given the pipe wall thickness and the rate of wall loss from corrosion mechanisms.

Logic gates. The algorithm uses the tree structure for estimating the PoF from the probabilities of the underlying basic event, through OR and AND Gates to connect an output event with the associated input events, where the collective effect of the components failures could lead to a system failure. OR and AND Gates are logical symbols that represent events that can be defined by one or more lower level events. The use of these logic gates in risk models represents a distinct improvement over older methods, as it allows for a better representation of how the parameters that materialize a hazard behave.

OR gates. OR gates imply independent events which are additive (note: two events are independent if the knowledge that one occurred does not affect the chance the other occurs). The OR gate function calculates the probability of any of one (or more) of the inputs events could case the output event occur.

According to statistical theory [11], [12], [13], if E₁, E₂ and E_n be independent events, the probabilities of those events are P₁, P₂ and P_n. Since the probability that event E₁ happens is P₁, then the probability that it does not happen is 1 - P₁. Similarly, the probability of non-happening of event E₂ is 1 − P₂, and the probability of non-happening of event E_n is 1 − P_n.

Now, the probability of non-happening of any of the events is: (1 − P₁)(1 − P₂) ... (1 − P_n).

Thus, if there are i input events, each assigned with a probability of occurrence P_i, then the probability P_OR that any i events’ occurring is given by [9], [11]:

The OR gate is used for calculating the overall mitigation effectiveness from several mitigation measures. This function captures the idea that probability rises due to the effect of either a single factor with a high influence or the accumulation of factors with lesser influences (or any combination), as follows:

The OR gate is also used for calculating the overall resistance from several resistance factors, as follows.

M_i and R_ibeing each of the mitigation and resistance factors contemplated in the model that implies dependent events. Each M_i is effective in a certain percentage to prevent failures in the studied pipe segment, reflecting its potential impact on risk reduction.

AND Gates. The use of the AND gate implies dependent events that must be combined by multiplication, where any sub variable can have a huge influence. For instance, when all events in a series happen and there is dependence among the events, then the result is the product of all probabilities. The probability of failure in this case is calculated as follows [9], [10]:

Reducing the probability of failure occurs by reducing the exposure to the hazard through mitigation or reducing the probability of failure through resistance. To evaluate PoF from time-independent failure a mechanism, those that appear random and do not worsen with time, then it is considers that PoF is modulated by the mitigation effectiveness and resistance factors, as follows:

In other way, having good mitigation effectiveness and adequate resistance reduces asset exposure, which implies that PoF is reduced.

Example 1. For third party threat, an exposure factor of 0,2 events/km-year was found, i.e., one event every five years, on a given pipeline segment. Applying several mitigation actions, a total mitigation of 95% was obtained.

The mitigation factors can be the one call system (M₁ = 20%), the Right-of-Way surveillance (M₂ = 20%), the protective measures (M₃ = 60%), and the depth of cover (M₄ = 80%). Then, the total

Similarly, a total resistance of 75% was obtained. The resistance factor can be due to API Grade Pipe Specification (R₁) and diameter/thickness ratio (R₂) of the pipe, among others selected by each company. What is the PoF?

Situation data are:

- Exposure = 0,2 events/km-year,

- %Mitigation = 0,95,

- %Resistance = 0,75.

Applying equation (5) we obtain:

Thus, the PoF is 0,0025 failures (event) per km-year or 2,5 x 10^-3 failures per km-year.

To describe the PoF behavior for time-dependent hazards, such as internal and external corrosion, the PoF model with the shortest time to failure (TTF) is used to consider the time degradation. Failures behaviors refer to the observations changes of states which occur during the failure process and are characterized by recording Time To Failure of the component. TTF defines the time when the system no longer meets its design specifications (the time a component is expected to fail).

The TTF is proportional to the resistance (the greater the resistance, the longer the life of the asset) and is inversely proportional to the exposure level modulated by the resulting mitigation (the lower mitigated exposure, the longer life of the asset), as shown below:

In a conservative approximation, and considering constant failure rate, TTF can be taken as the inverse of the PoF [13],thus

Example 2. Assume a pipeline of 0,25 in nominal thickness. It has been determined that soil corrosivity creates an external corrosion exposure of 4,0 mpy. Two mitigation systems are considered: one the coating with a mitigation effectiveness of 70% and second the cathodic protection system with a mitigation effectiveness of 80%.

For external corrosion, the resistance factor considered is the remaining wall thickness. Wall thickness measurements were made and, considering the inherent uncertainty of the measurement, an effective wall thickness (t) of 0,220 in, (i.e. t = 220 mils) was obtained. Determine the PoF for external corrosion threat.

Situation data are:

- Exposure = 4,0 mpy

- Coating mitigation (M1) = 0,70

- Cathodic protection mitigation (M2) = 0,80

- Resistance = 0,220 in = 220 mils

Calculations: the total percent mitigation (%M) is:

Now, applying the equation (6) and (7):

To determine the CoF, the guidelines of API RP 581 are followed (as shown on the right side of Figure 2), expressing the consequence results in USD$/event. Based on this, the risk is expressed in USD$/km - year.

To qualify the risks results obtained (R = PoF x CoF), the methodology of numerical values associated with the probability and consequence of failure considered in the recommended practice API RP 581, shown in Table 5, is followed, specifically in its “Table 2: Numerical Values Associated with PoF and Financial-based CoF Categories”. The results of the Examples 1 and 2 indicates that PoF in the Very High and High category respectively.

Note: Each Company may select the corresponding ranges.

To implement the Quantitative Risk Reference Model algorithm to calculate the PoF for a real case, a natural gas pipeline transportation operator was taken. The algorithm was applied to determine the PoF for the external corrosion threat. The effective wall thickness (t) was taken from the Example 2 (t = 220 mils).

Several risks workshops were held with the participation of personnel from operations, maintenance and mainly from mechanical integrity management of the asset. In the workshops, the generalities of the risk triad model were shown and then they began to discuss which variables formed the exposure factor, which the mitigation factor and which the resistance factor, based on a previous experience in semi-quantitative PoF algorithm. The mitigation percentages were established by consensus among the participants.

Exposure factor. Since external corrosion is a time-dependent threat, the exposure factor is expressed in mpy. If corrosion rate data by ILI inspection or other technique are available, these values will be used as the exposure factor. Other exposure factors, such as type of soil and electrical interference, will also be considered.

The ranges and criteria for exposure and mitigation factors are based on those provided by the National Association of Corrosion Engineers (NACE) in their standards, handbooks, and articles. As a second option, we used articles or academic texts recognized in the industry.

Each operator is able to select the weight for corrosiveness; i.e., it can be 1 to 5 mpy or 1 to 10 mpy. Normally, this is done based on the corrosion trend behavior. Corrosiveness degree should be selected based on the industry's best practices, such as AMPP - NACE (Association for Materials Protection and Performance - National Association Corrosion Engineer) or API (American Petroleum Institute) standards.

When there are four options to the exposure factor category, the one with the least impact is assigned 1 mpy, the next 3 mpy, the next 4 mpy, and the one with the greatest impact 5 mpy. For example, in the case of soil aggressiveness based on chloride concentration, there are four ranges, as shown in Table 6.

If there were only three choices, then the smallest is assigned 1 mpy, the next 3 mpy and the largest 5 mpy, as used here.

Three exposure factors were taken in this document, analyzed through nine parameters, as evidenced in Table 7. The first exposure factor is the pitting corrosion rate, the second is the soil corrosivity, and the third is the electrical interference.

The pitting corrosion is obtained from inspection tool, as In Line Inspections (ILI) and using the NACE SP0775-13 (Table 2: Qualitative Categorization of Carbon Steel Corrosion Rates for Oil Production Systems) to classify the corrosion growth rate. The soil corrosivity is described by the type of soil [17]; the presence of pollutants, chlorides and sulfates [16]; the soil resistivity [16]; the REDOX potential [18], and the presence of sulfate-reducing bacteria (BSR) [19].

The third exposure factor refers to alternating current (AC interference) electric interference and is obtained from electric interference studies under NACE SP0177-2019 standard (Mitigation of Alternating Current and Lightning Effects on Metallic Structures and Corrosion Control Systems).

Three segments with the following characteristics were taken for the assessment: S₁ with a high exposure, S₂ with an intermediate exposure and S₃ with a low exposure (Table 7). If all factors are weighted with a value of 1, the minimum total exposure would be 9 (as shown for the segment S₃) and if all are weighted with a value of 5, the maximum total would be 45 (as shown for the segment S₁), according to the results of the risk analysis workshops.

Then, the minimum value obtained is 9 mpy and the maximum value is 45 mpy. These values must be adjusted to the initially selected scale (1- 5 mpy), according to Table 8.

Mitigation factor. The mitigation factors are related to the coating, the cathodic protection system, the inspections performed on the coating (type and frequency) and the remaining indications (coating and pipe) after repairs (Table 9).

The mitigation percentage was determined according to expert judgment and the operator´s experience, as follow:

- A high percentage of mitigation was taken for S₁.

- the worst percentage of mitigation was taken for S₂ and,

- An intermediate percentage of mitigation was taken for S3 giving credit to the coating system and compliance with NACE Cathodic Protection criteria.

The mitigation factors taken into account are coating type (FBE or coal tar); coating age; NACE Cathodic Protection compliance; DCVG inspections and repair program.

The %M per segment was performed according to equation (3), based on the mitigation factors that, in the expert's opinion, apply to each exposure factor category (Table 10).

For example, to mitigate the pitting corrosion (the first exposure factor), all mitigation measures apply. Then, for segment S₁, the total mitigation percentage obtained is:

For soil corrosivity applied M₁ and M₂ mitigations, then:

For S3 segment, we obtain:

When the mitigation percentage is less than zero, or takes negative values, as for S₂ segment, indicates that there is no active mitigation, therefore a value of zero is taken.

To obtain the total mitigation for each segment, an OR logic gate is applied for the exposure factor category that applies. For example, for segment 3, we have:

Comparing S₁ and S₂ mitigation results, it can be seen then that complying with the DCVG inspection and coating repair program is very important to ensure the integrity of the pipeline, in order to obtain a high percentage of mitigation, which is in line with the experience of most companies to control the external corrosion threat.

The mitigation percentage (M₃ factor) for the cathodic protection system was taken according to compliance with NACE SP0169 criteria, as shown in Table 11.

For the mitigation factor related to the results of the DCVG technique, the criteria in Table 12 are followed [20].

Resistance factor. The resistance factor in this case corresponds to the minimum remaining wall thickness. For all segments under study, are taken 220 mils. Thus, PoF is finally calculated according to equation (7), which for each of the segments studied.

For S₁ segment, we have:

In summary, although there is a large exposure, the mitigation measures are effective and therefore the PoF is low.

For S₂ segment, we have:

For S₃ segment, we have:

According to API RP 581 categories, S₁ (which, although it has a high exposure, also has a high percentage of mitigation,) is in category 1 (PoF Low); S₂ (the worst mitigation percentage) is in category 4 (PoF High), and S₃ is in category 3 (PoF medium).

If the potential consequence of failure have a cost of USD$1’010,000/event (Consequence Category D, according to API RP 581 criteria, Table 5), then the risk (R = PoF * CoF) determined for each segment obtained is shown in Table 13.

We can show the results in a balance risk matrix as shown in Figure 3.