Information Advisory IA 2024-002 – Management System Audits

Information Advisory IA 2024-002 – Management System Audits [PDF 290 KB]

File 5061574
11 October 2024

Please find attached the Canada Energy Regulator (CER) Information Advisory (IA), CER IA 2024-002, which summarizes the findings of management system audits the CER completed in 2023-2024. These audits focused on regulated companies’ management of control rooms and damage prevention.

These findings are important to share so all companies are aware of any necessary improvements needed to their own management system. Companies are expected to proactively identify, analyze, and manage hazards and risks to prevent harm to people, property, and the environment. The CER is communicating these audit findings to all regulated companies so they can proactively review their management system to determine if any of the issues in this Information Advisory exist, and address them, as the CER will incorporate these learnings into its future compliance and oversight activities, including audits.

If you require any further information or clarification, please contact the Director of Audit, Enforcement, and Investigation through our toll-free number at 1-800-899-1265.

This and other advisories are published on the CER Safety and Environment website.

Best regards,

Signed by

Tracy Sletto
Chief Executive Officer

Attachment: 2023-2024 Canada Energy Regulator – Management System Audits: Information Advisory (CER IA 2024-002)

Information Advisory
CER IA 2023-002
11 October 2024

2023-2024 Canada Energy Regulator - Management System Audits

Basis for Issuance

The Canada Energy Regulator (CER) requires all companies to establish and implement an effective management system to proactively identify and analyse hazards and manage the associated risks to prevent harm to people and the environment. Well-designed and implemented management systems, as described in the Canadian Energy Regulator Onshore Pipeline Regulations (SOR/99-294) (OPR), enable hazard management, learning, and continual improvement throughout an organization. When coupled with a robust safety culture, management systems support strong safety and environmental protection performance and outcomes.

Background

As part of its ongoing oversight activities, the CER’s 2023-2024 compliance audit program focused on two areas of management system function: control room management and the damage prevention program. Three companies were audited for each area, for a total of six audits. Companies were chosen based on the CER’s oversight risk identification and prioritization model. Each audit was focused on one issue, or management system requirement. These focused audits help the CER to promote compliance with management system requirements across the energy industry. Both topics have been audited in previous years. The objectives of the audits are detailed in the audit reports on the CER’s website.

The CER assigns one of two potential findings to each audit protocol, either no issues identified or non-compliant. A finding of no issues identified indicates that no non-compliances were identified during the audit. This is based on the information provided by the company and reviewed by the auditor within the context of the audit scope. A non-compliant finding indicates the company has not demonstrated that it has met the legal requirements, necessitating the development of a corrective and preventive action plan to resolve the deficiency.

In July 2021, the CER published its Management System and Protection Program Audit Protocols, which are intended to help describe and explain the CER’s expectations of regulated companies regarding their management system obligations. These audit protocols are relevant to the lessons learned described in this Information Advisory and should be referred to for additional context.

Audit Learnings

Deficiencies from the audits are summarized below to promote learning and improvement across all CER-regulated companies. A general summary of the issues found from year to year, and the specific findings from the two audit streams are included in this Information Advisory. For a more detailed summary, please refer to the audit reports on the CER’s website.

General

One primary area where CER auditors continue to see issues from year to year regardless of the topic are related to having proper processes in place.

There are several components to a process CER auditors look for when conducting an audit. A partial definition of what is required for a process is listed below. The OPR identifies several areas that require a process.

"A documented series of interrelated actions that take place in an established order and are directed toward a specific result. To be a compliant process, ensure the following are addressed:

• Describe the purpose, scope, objective, and specific results that the process is intended to achieve;
• Describe the series of interacting actions or steps that take place in an established order;
• Define the roles, responsibilities, and authorities of staff to ensure the process is appropriately applied;
• Where required, references other relevant processes, procedures, and work instructions; and describe how it is integrated with each section 55 program;
• Processes must contain explicit required actions including roles, responsibilities, and authorities for staff establishing, managing, and implementing the processes; and
• Processes must incorporate or contain linkage to procedures, where required to meet the process requirements.”

Companies should review their processes and ensure that they align with this definition. More information on the CER’s expected outcomes can be found in the CER’s Updated Operations Audit Protocols and Guidance Document.

Additional findings specific to each audit topic include the following:

Control Room Management (CRM) Audits:

The CRM audits focused on compliance to the OPR and the Canadian Standards Association Z662:2019, Oil and gas pipeline systems.

Control rooms monitor various parameters across the pipelines, such as flow rates, pressure and temperature readings. Control rooms are often the first line of defense in locating and responding to abnormalities. Auditing control room management practices is a proactive method to identify what is working well and what needs improvement.

The CRM audits found issues in the following areas:

• Program documents not fully implemented and still in draft stage.
• Company operating different control rooms with different hazard inventories and different training activities for the same commodities and the same operational needs. This deficiency highlighted how the company’s management system was not fully driving its processes and activities.
• Some expected procedures were missing in operations and maintenance manuals as related to control room functions.
• Company unable to demonstrate it had completed an audit within the last three years of its pipeline control systems.

Additionally, there were issues identified with document control, including:

• ineffective tracking of revision history;
• undefined document authorizer; and
• undefined revision review period.

The most frequent non-compliant finding from all six CRM audits relates to subsections 55(1) and 55(2) of the OPR. This provision requires companies to audit their pipeline control systems at least once every three years, and to document the deficiencies and corresponding correction actions.

Damage Prevention Program (DPP) Audits:

The DPP audits focused on compliance with the OPR and the Canadian Energy Regulator Pipeline Damage Prevention Regulations – Obligations of Pipeline Companies (DPR-O). Damage prevention regulations apply to any activity that disturbs the soil near federally regulated pipelines or power lines. Preventing damage is a shared responsibility between regulated companies, landowners, stakeholders, and those who live and work near federally regulated pipelines and power lines. DPP audits look at all the activities regulated companies are conducting internally and externally to ensure pipelines are safe.

The DPP audits found issues in the following areas:

• no DPP that meets the requirements of the OPR and the DPR-O;
• failure to internally report hazards that were related to unauthorized activities;
• DPP failing to incorporate all the required processes and procedures of a program;
• documents were not updated or maintained properly;
• controls not addressing the risks;
• controls were not comprehensive;
• controls not being communicated to workers exposed to potential risks;
• changes not being managed consistently;
• tasks and roles of key DPP personnel not documented; and
• company not implementing its public relations activities.

The most frequent non-compliant finding from all six audits relates to paragraph 16(f) of the DPR-O (Damage Prevention Program) requiring a process for managing requests for the consent to construct a facility across, on, along or under a pipeline, to engage in an activity that causes a ground disturbance within the prescribed area or to operate a vehicle or mobile equipment across the pipeline.

Next Steps

CER-regulated companies are expected to review and address the deficiencies described in this Information Advisory and verify they do not exist in their management system. The CER will incorporate these learnings into its future compliance and oversight activities, which may include future audits in these areas.

Date modified:

2024-12-04