Management System and Protection Program Audit Protocol

Management System and Protection Program Audit Protocol [PDF 117 KB]

Background

Companies are responsible for meeting the requirements of the National Energy Board Act (NEB Act) and related regulations in order to manage safety and security, and protect the environment during the entire lifecycle of their facilities, from design through construction, operation and abandonment.

The National Energy Board (Board) expects that pipeline companies operate in a systematic, comprehensive and proactive manner that manages risks. The Board expects that companies have effective, fully developed and implemented management systems and protection programs that provide for continual improvement. A carefully-designed and well-implemented management system supports a strong culture of safety, and is fundamental to keeping people safe and protecting the environment.

As required by the National Energy Board Onshore Pipeline Regulations (OPR), companies must establish, implement and maintain effective management systems and protection programs in order to anticipate, prevent, mitigate and manage conditions that may adversely affect the safety and security of the company’s pipelines, employees, the general public, as well as property and the environment.

National Energy Board Management System and Protection Program Audit Protocol

The Board utilizes a number of methods for assessing compliance with its regulatory requirements which include audits of company management systems, and protection programs for safety, environment, integrity, pipeline crossings and public awareness, emergency management and security.

Companies will be audited and evaluated against the legal requirements within the NEB Act and its associated regulations, other applicable legislation and standards including the Canada Labour Code and CSA Z662, as well as any conditions contained within applicable Board certificates or orders enforced by the Board (collectively, Legal Requirements).

As part of this audit process and in accordance with the OPR, companies will be audited and evaluated against the processes, procedures and standards that each company identifies as being part of its management system and protection programs.

The Board uses its standardized audit protocol to assist in both organizing and communicating its management system and protection program requirements, and in verifying that a company’s management system and protection programs meet Legal Requirements. This protocol is made available to companies and the public to promote transparency and understanding of the Board’s audit process.

The standardized audit protocol has been organized in a table format for ease of reference. The table has been divided into five categorical elements. These elements are further divided into 17 sub-elements, which are supported with the Board’s expectations and associated legal references. The Legal Requirements referred to in the standardized audit protocol are not exhaustive, and do not reflect all of the Legal Requirements audited to.

The total complement of applicable Legal Requirements audited to ultimately varies depending on  the specific processes, activities, locations and certificate requirements of the company being audited, and are generally communicated to an audited company over the course of the audit as the Board implements its audit process.

Reporting

Following the Board’s review of the company’s management system and protection programs, the Board will issue an audit report containing its findings of compliance and non-compliance. For evaluation and reporting purposes, the terms of compliant and non-compliant are defined as follows:

Compliant:
The element meets Legal Requirements. The company has demonstrated that it has developed and implemented its management system and protection programs, processes and procedures to meet Legal Requirements.
Non-Compliant:
The element does not meet Legal Requirements. The company has not demonstrated that it has developed and implemented its management system and protection programs, process and procedures to meet the Legal Requirements. A Corrective Action Plan (CAP) is required.

Following the Board’s issuance of the audit report, an audited company will be required to develop and implement a CAP to address any non-compliance. The CAP will be submitted for the Board’s approval prior to its implementation.

A company’s CAP is required to clearly describe:

  • Compliance objectives and outcomes with documented measures for success;
  • Plans for developing and implementing any needed changes to programs, procedures and practices, including changes to training and competency requirements; and
  • Schedules of implementation, including any key interim implementation dates.

Schedules for implementation must be based on risk, with high and/or imminent risk issues being addressed as quickly as practicable.

Companies that do not effectively implement Board-approved CAPs will be subject to the Board’s compliance assurance processes and enforcement tools including administrative monetary penalties, as applicable.

A description of the Board’s audit process including pre- and post-audit administrative requirements will be provided to companies during the audit notification and planning process.

Contact

The National Energy Board’s Management System and Protection Program Audit Protocol is maintained and administered by the Board’s Operations Business Unit. For further information, please contact the Board’s Director of Planning, Coordination and Reporting (ph: 403-292-4800; toll free: 1-800-899-1265), or visit the Board’s website at www.neb-one.gc.ca.

  

NEB Management System and Protection Program
- Audit Elements

1.0 POLICY AND COMMITMENT

1.1 Leadership Accountability

The company shall have an accountable officer appointed who has the appropriate authority over the company’s human and financial resources required to establish, implement and maintain its management system and protection programs, and to ensure that the company meets its obligations for safety, security and protection of the environment. The company shall have notified the Board of the identity of the accountable officer within 30 days of the appointment and ensure that the accountable officer submits a signed statement to the Board accepting the responsibilities of their position.

References:
Environment:[1]
OPR[2] section 6.2
Safety:
OPR section 6.2
Integrity:
OPR section 6.2
Crossings and Public Awareness:
PCR Part II[3] section 4; OPR sections 6.1, 6.2, 40, 47, 48
Emergency Management:
OPR section 6.2
Security:
OPR section 6.2

1.2 Policy and Commitment Statements

Expectations: The company shall have documented policies and goals intended to ensure activities are conducted in a manner that ensures the safety and security of the public, workers, the pipeline, and protection of property and the environment. The company shall base its management system and protection programs on those policies and goals. The company shall include goals for the prevention of ruptures, liquids and gas releases, fatalities and injuries and for the response to incidents and emergency situations.

The company shall have a policy for the internal reporting of hazards, potential hazards, incidents and near-misses that includes the conditions under which a person who makes a report will be granted immunity from disciplinary action. The company’s accountable officer shall prepare a policy statement that sets out the company’s commitment to these policies and goals and shall communicate that statement to the company’s employees.

References:
Environment:
OPR section 6.3
Safety:
OPR section 6.3
Integrity:
OPR section 6.3
Crossings and Public Awareness:
PCR Part II section 4; OPR sections 6.1, 6.3, 40, 47, 48
Emergency Management:
OPR section 6.3
Security:
OPR section 6.3

 

2.0 PLANNING

2.1 Hazard Identification, Risk Assessment and Control[4]

Expectations: The company shall have an established, implemented and effective process for identifying and analyzing all hazards and potential hazards. The company shall establish and maintain an inventory of hazards and potential hazards. The company shall have an established, implemented and effective process for evaluating the risks associated with these hazards, including the risks related to normal and abnormal operating conditions.  As part of its formal risk assessment, a company shall keep records to demonstrate the implementation of the hazard identification and risk assessment processes.

The company shall have an established, implemented and effective process for the internal reporting of hazards, potential hazards, incidents and near-misses, and for taking corrective and preventive actions, including the steps to manage imminent hazards. The company shall have and maintain a data management system for monitoring and analyzing the trends in hazards, incidents, and near-misses.

The company shall have an established, implemented and effective process for developing and implementing controls to prevent, manage and mitigate the identified hazards and risks. The company shall communicate those controls to anyone exposed to the risks.

References:
Environment:
OPR section 6.5(1) (c), (d), (e), (f), (r), (s)
Safety:
OPR section 6.5(1)(c), (d), (e), (f), (r), (s)
Integrity:
OPR section 6.5(1)(c), (d), (e), (f), (r), (s)
Crossings and Public Awareness:
PCR Part II section 4, OPR sections 6.1, 6.5(1)(c), (d), (e), (f), (r), (s), 40, 47, 48
Emergency Management:
OPR section 6.5(1)(c), (d), (e), (f), (r), (s)
Security:
OPR section 6.5(1)(c), (d), (e), (f), (r), (s)

2.2 Legal Requirements

Expectations: The company shall have an established, implemented and effective process for identifying and monitoring compliance with all legal requirements that are applicable to the company in matters of safety, security and protection of the environment. The company shall have and maintain a list of those legal requirements. The company shall have a documented process to identify and resolve non-compliances as they relate to legal requirements, which includes updating the management and protection programs as required.

References:
Environment:
OPR section 6.5(1)(g), (h), (i)
Safety:
OPR section 6.5(1)(g), (h), (i)
Integrity:
OPR section 6.5(1)(g), (h), (i)
Crossings and Public Awareness:
PCR Part II section 4;  OPR sections 6.1, 6.5(1)(g), (h), (i), 40, 47, 48
Emergency Management:
OPR section 6.5(1)(g), (h), (i)
Security:
OPR section 6.5(1)(g), (h), (i)

2.3 Goals, Objectives and Targets

Expectations: The company shall have an established, implemented and effective process for developing and setting goals, objectives and specific targets relevant to the risks and hazards associated with the company’s facilities and activities (i.e., construction, operation and maintenance). The company’s process for setting objectives and specific targets shall ensure that the objectives and targets are those required to achieve its goals, and shall ensure that the objectives and targets are reviewed annually.

The company shall include goals for the prevention of ruptures, liquid and gas releases, fatalities and injuries, and for the response to incidents and emergency situations. The company’s goals shall be communicated to employees.

The company shall develop performance measures for assessing the company’s success in achieving its goals, objectives, and targets. The company shall annually review its performance in achieving its goals, objectives and targets and the performance of its management system. The company shall document the annual review of its performance, including the actions taken during the year to correct any deficiencies identified in its quality assurance program, in an annual report, signed by the accountable officer.

References:
Environment:
OPR sections 6.3, 6.5(1)(a), (b), 6.6
Safety:
OPR sections 6.3, 6.5(1)(a), (b), 6.6
Integrity:
OPR sections 6.3, 6.5(1)(a), (b), 6.6
Crossings and Public Awareness:
PCR Part II section 4, OPR sections 6.1, 6.3, 6.5(1)(a), (b), 6.6, 40, 47, 48
Emergency Management:
OPR sections 6.3, 6.5(1)(a), (b), 6.6
Security:
OPR sections 6.3, 6.5(1)(a), (b), 6.6

2.4 Organizational Structure, Roles and Responsibilities

Expectations: The company shall have a documented organizational structure that enables it to meet the requirements of its management system and its obligations to carry out activities in a manner that ensures the safety and security of the public, company employees and the pipeline, and protection of property and the environment. The documented structure shall enable the company to determine and communicate the roles, responsibilities and authority of the officers and employees at all levels. The company shall document contractors’ responsibilities in its construction and maintenance safety manuals.

The documented organizational structure shall also enable the company to demonstrate that the human resources allocated to establishing, implementing and maintaining the management system are sufficient to meet the requirements of the management system and to meet the company’s obligations to design, construct, operate or abandon its facilities to ensure the safety and security of the public and the company’s employees, and the protection of property and the environment. The company shall complete an annual documented evaluation in order to demonstrate adequate human resourcing to meet these obligations.

References:
Environment:
OPR sections 6.4, 20, 31
Safety:
OPR sections 6.4, 20, 31
Integrity:
OPR sections 6.4, 20, 31
Crossings and Public Awareness:
PCR Part II section 4; OPR sections 6.1, 6.4, 20, 31, 40, 47, 48  
Emergency Management:
OPR sections 6.4, 20, 31
Security:
OPR sections 6.4, 20, 31

 

3.0 IMPLEMENTATION

3.1 Operational Control-Normal Operations

Expectations: The company shall have an established, implemented and effective process for developing and implementing corrective, mitigative, preventive and protective controls associated with the hazards and risks identified in elements 2.0 and 3.0, and for communicating these controls to anyone who is exposed to the risks.

The company shall have an established, implemented and effective process for coordinating, controlling and managing the operational activities of employees and other people working with or on behalf of the company.

References:
Environment:
OPR section 6.5(1)(e), (f), (q)
Safety:
OPR section 6.5(1)(e), (f), (q)
Integrity:
OPR section 6.5(1)(e), (f), (q)
Crossings and Public Awareness:
PCR Part II section 4; OPR sections 6.1, 6.5(1)(e), (f), (q), 40, 47, 48
Emergency Management:
OPR section 6.5(1)(e), (f), (q)
Security:
OPR section 6.5(1)(e), (f), (q)

3.2 Operational Control-Upset or Abnormal Operating Conditions

Expectations: The company shall establish and maintain plans and procedures to identify the potential for upset or abnormal operating conditions, accidental releases, incidents and emergency situations. The company shall also define proposed responses to these events and prevent and mitigate the likely consequence and/or impacts of these events. The procedures must be periodically tested and reviewed, and revised where appropriate (for example, after upset or abnormal events). The company shall have an established, implemented and effective process for developing contingency plans for abnormal events that may occur during construction, operation, maintenance, abandonment or emergency situations.

References:
Environment:
OPR section 6.5(1)(c), (d), (e), (f), (t)
Safety:
OPR section 6.5(1)(c), (d), (e), (f), (t)
Integrity:
OPR section 6.5(1)(c), (d), (e), (f), (t)
Crossings and Public Awareness:
PCR Part II section 4; OPR sections 6.1, 6.5(1)(c), (d), (e), (f), (t), 32, 40, 47, 48
Emergency Management:
OPR section 6.5(1)(c), (d), (e), (f), (t)
Security:
OPR section 6.5(1)(c), (d), (e), (f), (t)

3.3 Management of Change

Expectations: The company shall have an established, implemented and effective process for identifying and managing any change that could affect safety, security or protection of the environment, including any new hazard or risk, any change in a design, specification, standard or procedure and any change in the company’s organizational structure or the legal requirements applicable to the company.

References:
Environment:
OPR section 6.5(1)(i)
Safety:
OPR section 6.5(1)(i)
Integrity:
OPR section 6.5(1)(i)
Crossings and Public Awareness:
PCR Part II section 4; OPR sections 6.1, 6.5(1)(i), 40, 47, 48
Emergency Management:
OPR section 6.5(1)(i)
Security:
OPR section 6.5(1)(i)

3.4 Training, Competence and Evaluation

Expectations: The company shall have an established, implemented and effective process for developing competency requirements and training programs that provide employees and other persons working with or on behalf of the company with the training that will enable them to perform their duties in a manner that is safe, ensures the security of the pipeline and protects the environment.

The company shall have an established, implemented and effective process for verifying that employees and other persons working with or on behalf of the company are trained and competent, and for supervising them to ensure that they perform their duties in a manner that is safe, ensures the security of the pipeline and protects the environment. The company shall have an established, implemented and effective process for making employees and other persons working with or on behalf of the company aware of their responsibilities in relation to the processes and procedures required by the management system or the company’s protection programs.

The company shall have an established, implemented and effective process for generating and managing training documents and records.

References:
Environment:
OPR section 6.5(1)(j), (k), (l), (p)
Safety:
OPR section 6.5(1)(j), (k), (l), (p)
Integrity:
OPR section 6.5(1)(j), (k), (l), (p)
Crossings and Public Awareness:
PCR Part II section 4; OPR sections 6.1, 6.5(1)(j), (k), (l), (p), 40, 47, 48
Emergency Management:
OPR section 6.5(1)(j), (k), (l), (p)
Security:
OPR section 6.5(1)(j), (k), (l), (p)

3.5 Communication

Expectations: The company shall have an established, implemented and effective process for the internal and external communication of information relating to safety, security and environmental protection.  The process should include procedures for communication with the public, company employees, contractors, regulatory agencies and emergency responders.
References:
Environment:
OPR section 6.5(1)(m)
Safety:
OPR section 6.5 (1)(m)
Integrity:
OPR section 6.5(1)(m)
Crossings and Public Awareness:
PCR Part II section 4; OPR sections 6.1, 6.5(1)(m), 40, 47, 48
Emergency Management:
OPR section 6.5(1)(m)
Security:
OPR section 6.5 (1)(m)

3.6 Documentation and Document Control

Expectations: The company shall have an established, implemented and effective process for identifying the documents required for the company to meet its obligations to conduct activities in a manner that ensures the safety and security of the public, company employees and the pipeline, and protection of property and the environment. The documents shall include all of the processes and procedures required as part of the company’s management system.

The company shall have an established, implemented and effective process for preparing, reviewing, revising and controlling documents, including a process for obtaining approval of the documents by the appropriate authority. The documentation should be reviewed and revised at regular and planned intervals.

Documents shall be revised where changes are required as a result of legal requirements. Documents should be revised immediately where changes may result in significant negative consequences.

References:
Environment:
OPR section 6.5(1)(i), (n), (o), 6.5(3)
Safety:
OPR sections 6.5(1)(i), (n), (o), 6.5(3)
Integrity:
OPR sections 6.5(1)(i), (n), (o), 6.5(3)
Crossings and Public Awareness:
PCR Part II section 4; OPR sections 6.1, 6.5(1)(i), (n), (o), 6.5(3), 40, 47, 48
Emergency Management:
OPR sections 6.5(1)(i), (n), (o), 6.5(3)
Security:
OPR sections 6.5(1)(i), (n), (o), 6.5(3)

 

4.0 CHECKING AND CORRECTIVE ACTION

4.1 Inspection, Measurement and Monitoring

Expectations: The company shall have an established, implemented and effective process for inspecting and monitoring the company’s activities and facilities to evaluate the adequacy and effectiveness of the protection programs and for taking corrective and preventive actions if deficiencies are identified. The evaluation shall include compliance with legal requirements.

The company shall have an established, implemented and effective process for evaluating the adequacy and effectiveness of the company’s management system, and for monitoring, measuring and documenting the company’s performance in meeting its obligations to perform its activities in a manner that ensures the safety and security of the public, company employees and the pipeline, and protection of property and the environment.

The company shall have an established, maintained and effective data management system for monitoring and analyzing the trends in hazards, incidents and near-misses. The company shall have documentation and records resulting from the inspection and monitoring activities for its programs.

The company management system shall ensure coordination between its protection programs, and the company should integrate the results of its inspection and monitoring activities with other data in its hazard identification and analysis, risk assessments, performance measures and annual management reviews, to ensure continual improvement in meeting the company’s obligations for safety, security and protection of the environment.

References:
Environment:
OPR sections 6.1(d), 6.5(1)(g), (s), (u), (v), (w), (x), 56
Safety:
OPR sections 6.1(d), 6.5(1)(g), (s), (u), (v), (w), (x), 56
Integrity:
OPR sections 6.1(d), 6.5(1)(g), (s), (u), (v), (w), (x), 56
Crossings and Public Awareness:
PCR Part II section 4; OPR sections 6.1, 6.5(1)(g), (s), (u), (v), (w), (x), 40, 47, 48
Emergency Management:
OPR sections 6.1(d), 6.5(1)(g), (s), (u), (v), (w), (x), 56
Security:
OPR sections 6.1(d), 6.5(1)(g), (s), (u), (v), (w), (x), 56

 

4.2 Investigating and Reporting Incidents and Near-misses

Expectations: The company shall have an established, implemented and effective process for reporting on hazards, potential hazards, incidents and near-misses, and for taking corrective and preventive actions. This should include conducting investigations where required or where hazards, potential hazards, incidents and near-misses have or could have resulted in the safety and security of the public, company employees and the pipeline, and protection of property and the environment, being significantly compromised.

The company shall have an established, maintained and effective data management system for monitoring and analyzing the trends in hazards, incidents and near-misses.

The company should integrate the results of its reporting on hazards, potential hazards, incidents and near-misses with other data in hazard identification and analysis, risk assessments, performance measures and annual management reviews, to ensure continual improvement in meeting the company’s obligations for safety, security and protection of the environment.

References:
Environment:
OPR sections 6.5(1)(r), (s), (u), (w), (x), 52
Safety:
OPR sections 6.5(1)(r), (s), (u), (w), (x), 52
Integrity: OPR sections 6.5(1)(r), (s), (u), (w), (x), 52 Crossings and Public Awareness:
PCR Part II section 4; OPR sections 6.1, 6.5(1)(r), (s), (u), (w), (x), 40, 47, 48, 52
Emergency Management:
OPR sections 6.5(1)(r), (s), (u), (w), (x), 52
Security:
OPR sections 6.5(1)(r), (s), (u), (w), (x), 52

4.3 Internal Audits

Expectations: The company shall have an established, implemented and effective quality assurance program for its management system and for each protection program, including a process for conducting regular inspections and audits and for taking corrective and preventive actions if deficiencies are identified. The audit process should identify and manage the training and competency requirements for staff carrying out the audits.

The company should integrate the results of its audits with other data in hazard identification and analysis, risk assessment, performance measures and annual management review, to ensure continual improvement in meeting the company’s obligations for safety, security and protection of the environment.

References:
Environment:
OPR section 6.5(1)(w), (x)
Safety:
OPR section 6.5(1)(w), (x)
Integrity:
OPR section 6.5(1)(w), (x)
Crossings and Public Awareness:
PCR Part II section 4; OPR sections 6.1, 6.5(1)(w), (x), 40, 47, 48
Emergency Management:
OPR section 6.5(1)(w), (x)
Security:
OPR section 6.5(1)(w), (x)

4.4 Records Management

Expectations: The company shall have an established, implemented and effective process for generating, retaining, and maintaining records that document the implementation of the management system and its protection programs, and for providing access to those who require them in the course of their duties.

References:
Environment:
OPR section 6.5(1)(p)
Safety:
OPR section 6.5(1)(p)
Integrity:
OPR section 6.5(1)(p)
Crossings and Public Awareness:
PCR Part II section 4; OPR sections 6.1, 6.5(1)(p), 40, 47, 48
Emergency Management:
OPR section 6.5(1)(p)
Security:
OPR section 6.5(1)(p)

 

5.0 MANAGEMENT REVIEW

Expectations: The company shall have an established, implemented and effective process for conducting an annual management review of the management system and each protection program and for ensuring continual improvement in meeting the company’s obligations to perform its activities in a manner that ensures the safety and security of the public, company employees and the pipeline, and protection of property and the environment. The management review should include a review of any decisions, actions and commitments which relate to the improvement of the management system and protection programs, and the company’s overall performance.

The company shall complete an annual report for the previous calendar year, signed by the accountable officer, that describes the performance of the company’s management system in meeting its obligations for safety, security and protection of the environment and the company’s achievement of its goals, objectives and targets during that year, as measured by the performance measures developed under the management system and any actions taken during that year to correct deficiencies identified by the quality assurance program. The company shall submit to the Board a statement, signed by the accountable officer, no later than April 30 of each year, indicating that it has completed its annual report.

References:
Environment:
OPR sections 6.5(1)(w), (x), 6.6
Safety:
OPR sections 6.5(1)(w), (x), 6.6
Integrity:
OPR sections 6.5(1)(w), (x), 6.6
Crossings and Public Awareness:
PCR Part II section 4; OPR sections 6.1, 6.5(1)(w), (x), 6.6, 40, 47, 48
Emergency Management:
OPR sections 6.5(1)(w), (x), 6.6
Security:
OPR sections 6.5(1)(w), (x), 6.6

Endnotes

[1] The “References” in this table contain specific examples of the legal requirements applicable to each element but are not exhaustive and do not represent a complete list of all applicable legal requirements audited to, which are found within the NEB Act and its associated regulations, as well as other applicable legislation, technical and other standards including the Canada Labour Code and CSA Z662, and any conditions contained within applicable certificates or orders enforced by the Board.

[2] National Energy Board Onshore Pipeline Regulations SOR/99-294 (OPR)

[3] National Energy Board Pipeline Crossing Regulations, Part II, SOR/88-529 (PCR Part II)

[4] Hazard:  Source or situation with a potential for harm in terms of injury, ill health, damage to property, damage to workplace and environment, or a combination of these. Risk:  Combination of the likelihood and consequence(s) of a specified hazardous event occurring.

Date modified: