Canada Energy Regulator (CER) – CER Management System Requirements and CER Management System Audit Guide
Table of Contents
- 1.0 Introduction
- 2.0 OPR Section 6 Management System Expectations
- 3.0 Management System Linkages
- 4.0 Initial Audit Information Request
- 5.0 Further Information and Frequently Asked Questions
- Appendix I – Definitions
1.0 Introduction
1.1 Overview
This Guidance document has been developed to assist management system practitioners in furthering their knowledge of the Canada Energy Regulator’s (CER) management system requirements. This document is divided into sections that describe how the Canadian Energy Regulator Onshore Pipeline Regulations (OPR) regulations are applied in a management system context. In addition to providing an explanation of what the OPR management system requirements are, this document provides guidance on what the CER is looking for when it conducts a management system audit. There is also some information on how the CER structures its audits and what a basic audit information request, that would be sent to a company during an audit, would look like.
These guidance notes are not a substitute for the Canadian Energy Regulator Act (CER Act) or any regulations made thereunder, including the OPR, or any other applicable legislation, standards, or conditions enforced by the CER or against which the CER audits companies. To achieve compliance with the OPR, reference should be made to the OPR itself, and reliance should not be placed on this Guide alone since the Guide is intended to supplement the users’ understanding of the OPR Management System requirements as part of the CER’s audit process. To the extent there is any inconsistency between this Guide and the CER Act or its regulations, or any other applicable standards or conditions, the legal requirements are paramount.
The CER’s purpose is to promote safety and security, environmental protection, and efficient energy infrastructure and markets in the Canadian public interest within the mandate set by Parliament in the regulation of pipelines, energy development and trade. Company development and implementation of carefully designed Management Systems are fundamental to keeping people safe and protecting the environment.
A Management System means the system set out in sections 6.1 to 6.6 of the OPR. It is an approach designed to effectively manage and reduce risk as well as being adaptable to changing conditions. It includes the necessary organizational structures, resources, accountabilities, policies, processes and procedures for an organization to fulfill all tasks related to safety, security and environmental protection. The management system and its protection programs, listed in section 55 of the OPR, must take into consideration all applicable requirements of the CER Act, its applicable regulations, standards referenced in the regulations as well as company-specific standards, and company-specific CER orders and certificates. The OPR regulates the lifecycle of a pipeline, therefore a lifecycle approach to management systems must be applied to the design, construction, operation and abandonment stages of a pipeline.
A carefully designed and well implemented management system supports a strong culture of safety, and is fundamental to keeping people safe and protecting the environment.
1.2 Purpose
The OPR requires regulated companies to establish, implement and maintain management systems and protection programs in order to anticipate, prevent, manage and mitigate conditions that may adversely affect the safety and security of the company’s pipelines, employees, the public, as well as property and the environment. The CER has developed this Guide to identify what the CER is looking for from companies during its audits; specifically what is required to achieve an OPR-compliant management system as it applies to the company’s OPR section 55 programs (s. 55 programs) for safety, pipeline integrity, environmental protection, emergency management, damage prevention, and security over the whole lifecycle of regulated pipelines as defined in the Canadian Energy Regulator Act.
The CER has developed guidance on the following three key areas of the audit process:
- OPR sections 6.1-6.6 management system process requirements
Section 2.0 of this document introduces guidance, provides clarification and sets out the CER’s expectations for sections 6.1 to 6.6 of the OPR. - OPR requirements regarding management system, process and task integration (linkages)
Section 3.0 of this document provides guidance on the OPR section 6 management system linkages. It sets out the CER’s expectations for which individual section 6 elements are to be integrated with one another in the management system. - Audit initial information request (IR)
Section 4.0 of this document provides basic information on the IR that will be sent to the auditee and gives guidance on how to address and fulfill the IR’s requirements.
1.3 Audits
Audits are one of the CER’s compliance verification activities (CVAs) available to confirm that regulated companies are managing their risks and meeting all of their legal requirements connected to their management systems. An audit is an impartial review of a set of criteria related to the management system, programs, procedures and processes as required by the OPR. An audit evaluates the adequacy of a company’s management system, programs, procedures, processes, and other items or things required by the OPR against the regulatory requirements as well as company’s own requirements. An audit typically includes document/record review, observations, interviews, sampling and testing, in any combination. The objective is to verify compliance with requirements using an audit protocol (or set of audit criteria) developed for a specific audit topic. As part of the process, the CER prepares a draft audit report (for review and comment), prepares a final report and if non-compliances have been noted, the auditee must prepare a corrective and preventive action plan (CAPA Plan) to resolve findings of non-compliance.
For additional information, review the Management System and Protection Program Audit Protocols on the CER’s website.
1.4 Definitions
The CER has prepared a series of definitions for use in understanding management system requirements. Interested parties should refer to current CER Audit Definitions in Appendix I for guidance. Appendix I may be updated during continual improvement cycles, so it is important that companies consult the Appendix regularly. For words that are not otherwise defined, the ordinary meaning applies as read in its entire context (e.g. we will apply a plain language approach to words, as they are defined in the dictionary). However, technical terms or terms of art will be assigned their appropriate meaning.
2.0 OPR Section 6 Management System Expectations
2.1 General
The OPR uses both performance and prescriptive-based requirements. For additional information on what performance based and prescriptive based requirements are, refer to section 5.2 below. Where the requirements are performance-based, companies have the flexibility and scalability to customize its management system approach based on their unique operational requirements and company needs. This flexibility should not be interpreted to mean that sections of the regulations do not need to be adhered to; all sections of the regulations are applicable to CER-regulated pipeline companies and must be complied with. The flexibility comes in “how” a company will meet the requirements.
Section 6 of the OPR states:
The purpose of these Regulations is to require and enable a company to design, construct, operate or abandon a pipeline in a manner that ensures:
- a) the safety and security of persons;
- b) the safety and security of pipelines and abandoned pipelines; and
- c) the protection of property and the environment.
Subsections 6.1-6.6 prescribe how pipeline companies must develop their management systems in furtherance of the purposes set out in section 6. These subsections of the OPR contain a series of requirements, which are legally binding, that companies must demonstrate they are in compliance with when developing, establishing and implementing their management system and associated supporting goals, targets, processes, procedures, standards, manuals and/or work instructions.
This Guide is not to be treated as a “script or cook book.” On its own, it will not provide the user with a functioning management system, but it does aim to help companies understand the CER’s expectations and what the CER is looking for when it performs management system or program audits. Each company is required to develop a management system that fits its specific operations, activities, hazards, risks and all other management system components. The company’s management system must apply to the entire lifecycle of a pipeline, from design through to abandonment.
As there will be varying approaches to how a company implements section 6, the CER has developed this guidance document to support:
- consistency of interpretation;
- clarification of meaning; and
- context.
2.2 OPR Sections 6.1 to 6.4 Management System Expectations
Sections 6.1 to 6.4 are intended to ensure a company has an integrated management system and protection programs that enable it to meet the legal requirements and appropriately address safety, security, and the protection of the environment. These sections set the ground rules for what must be included in the company’s management system, the associated processes and programs. Not every element of sections 6.1 to 6.4 will be discussed below. Companies are expected to review the OPR in detail and determine how all requirements will be met for their specific management system requirements. During this process, companies should also consider how they will demonstrate compliance with the OPR to external auditors (like the CER), and to its internal auditors while conducting internal quality assurance activities.
Section 6.1
This prescriptive section sets out the requirements for a management system. It is broader in scale and scope than the individual process and program requirements that are found in other parts of the OPR. To help the user, this section breaks down what each paragraph of subsection 6.1(1) means and requires. The terms “establish”, “implement” and “maintain” are defined in the Audit Definitions.
Subsection 6.1(1) requires that companies establish, implement and maintain a management system that
- (a) is explicit, comprehensive and proactive. This means that the management system is written down (documented) and identified as the company’s management system. The CER expects the management system to be explicit such that it doesn’t take further explanation to understand how it works and how it is applied to the company’s activities. Comprehensive means the management system addresses each of the requirements for a management system and the associated processes, programs and other supporting materials required by the OPR for the management system. It also must apply to all of a company’s regulated assets and activities and addresses the entire life cycle of the company’s pipelines and facilities. Proactive means that the management system must be able to anticipate and address emerging issues that could affect (at a minimum) the safety and security of persons, facilities and the environment. The company’s management system must also be subjected to periodic review through inspections and audits and any deficiencies or gaps are to be addressed through continual improvement.
- (b) Integrates the company’s operational activities and technical systems with its management of human and financial resources. This means there must be demonstrable linkages or interconnections between the company’s activities (over the whole life cycle of facilities) and its technical systems (such as control room systems) with the company’s management of human and financial resources. In other words, a company’s management system must be connected to how the company manages its human resources (by ensuring there are adequate numbers of human resources to safely carry out the regulated activity) as well as adequate financial resources to carry out the regulated activity. An example is pipeline integrity. The management system must ensure an interconnection between the company’s integrity management program and the human and financial resources needed to carry out the integrity management work identified by the integrity management program. Pipeline integrity is just one example -companies need to go through all of the sections of the OPR to determine where connections must be established between their operational activities, technical systems and the management of human and financial resources. Companies should be prepared to demonstrate this integration during an audit.
- (c) Applies to all the company’s activities involving the design, construction, operation or abandonment of a pipeline and to the programs referred to in section 55. The management system applies to the entire life cycle of the CER-regulated facilities and to all the section 55 programs – emergency management, integrity management, safety management, security management, damage prevention and environment protection. Companies should be prepared to demonstrate these linkages during an audit. To follow an integrated management system approach requires the integrated assessment and management of hazards and risks by requiring all six section 55 programs to be run in connection with each other.
- (d) Ensures coordination between the programs referred to in section 55. The management system and its various programs must be coordinated. Consider how the programs and the management system work together and how the processes and procedures established within the management system and the programs speak to one another. There must be processes in place to ensure activities are not undertaken in isolation which creates risk in other parts of the company’s operations. For example, a company’s integrity management program may require an integrity activity be undertaken. The integrity management program should point to processes in the other section 55 programs that would be triggered by the integrity management work – for example, safety, environment, damage prevention, security and emergency management (in the event an incident were to occur during the integrity management activity).
- (e) Corresponds to the size of the company, to the scope, nature and complexity of its activities and to the hazards and risks associated with those activities. This section provides some discretion to companies in establishing their management systems – however, just because a company has few CER-regulated facilities, that in and of itself will not justify a smaller – scale management system. Depending on the overall complexity of that company’s operations, or significantly, the hazards and risks associated with that company’s activities – that company’s management system must still address all the items identified in section 6 and the balance of the OPR.
Section 6.2
This section requires all regulated companies to appoint an accountable officer. The accountable officer needs to be in a position with sufficient authority to ensure the company’s management system and its related programs are established, implemented and maintained in accordance with sections 6.1 to 6.6 and that the company’s obligations under the OPR are met. The accountable officer must have the authority to control the financial and human resources necessary to meet the management system requirements and, by extension, all integrated programs.
Section 6.3
This section prescribes that companies shall establish documented policies and goals to ensure that the purposes referred to in paragraphs 6(a) to (c) are achieved and that its obligations under the OPR are met.
In addition to the types of policies and goals that must be established and documented above, paragraphs 6.3(1)(a) and (b) both contain specific policies and or/goal requirements. Paragraph 6.3(1)(a) requires “a policy for the internal reporting of hazards, potential hazards, incidents and near misses…under which a person who makes a report will be immune from disciplinary action.” Paragraph 6.3(1)(b) requires the establishment of goals for the prevention of ruptures, liquid and gas releases, fatalities and injuries and for the response to incidents and emergency situations.
Subsection 6.3(2) requires that companies base their management systems and their protection programs (cited in section 55 of the OPR) on the policies and goals discussed in subsection 6.3(1). Policies and goals must also be connected to the specific purposes identified in paragraph 6(a) through (c) and companies must be prepared to demonstrate how these policies and goals are effective in achieving the purposes of safety, security and protection of the environment. Goals and policies should not be so broad that they fail to provide direction to senior management and staff.
Section 6.4
This section requires companies to be able to demonstrate that their documented organizational structure has the required human resources in the right places in their organizational structure in order to carry out all that is required by the OPR. In addition to this, the company needs to determine and communicate defined roles, responsibilities, and authority of officers and employees at all levels of the company. Finally, companies must conduct a documented annual evaluation of need, to ensure they maintain adequate human resources allocated to the establishment, implementation and ongoing maintenance of their management system.
2.3 OPR Section 6.5(1) Management System Processes Expectations
The OPR requires companies to establish and implement the processes and documentation required for an explicit, comprehensive and proactive integrated management system. All processes, and other requirements identified in subsections 6.5(1) (a) to (x) are applicable to all section 55 programs as well.
When reviewing each individual element of subsection 6.5(1), companies must remember that each one always starts with:
- A company shall, as part of its management system and the programs referred to in section 55,
This reinforces the need for each process or other management system requirement to be integrated within the management system and to all section 55 programs.
As section 6.5(1) contains the majority of the OPR’s management system requirements, the CER has developed additional guidance for each individual element of this section. The following information outlines how to understand and apply these guidance documents when companies are establishing, implementing and maintaining their own individual management systems and associated processes, procedures and other supporting materials. As stated above, the OPR was developed to allow companies the flexibility and scalability to customize their management system as best fits their operational requirements and company needs. The following information provides guidance on what the CER is expecting for each element of section 6.5(1). How companies best address this is determined by each individual company.
Each OPR section 6.5(1) CER guidance document is organized in a table format that outlines the CER management system process requirements, attached as Management System and Protection Program Audit Protocols.
Table 1 – Guidance – Example
OPR subsection 6.5(1) A company shall, as part of its management system and the programs referred to in section 55,
(a) establish and implement a process for setting the objectives and specific targets that are required to achieve the goals established under subsection 6.3(1) and for ensuring their annual review.
Outcomes:
- The company has a compliant process that is established and implemented.
- The company has set objectives and targets that are required to achieve the goals established under subsection 6.3(1).
- All objectives are relevant to the company’s management system when considering the scope of the process and their application to s.55 programs.
- An annual review of the objectives and targets is performed by the company.
- The review determines if the objectives were achieved or if corrective or preventive actions are needed.
Process |
Established |
Implemented |
---|---|---|
To be compliant, ensure the process addresses the following:
In addition to the above process definition requirements, the documented process steps for OPR paragraph 6.5(1)(a) must include the following content and linkages to other management system elements:
|
To demonstrate that the process is established, ensure the following are addressed:
|
To demonstrate that the process is implemented, ensure the following are addressed:
|
To better understand the example above, the following sections, one to five, provide the kind of information that the CER will be looking for; however, refer to each specific table in the Management System and Protection Program Audit Protocols for the pertinent requirements.
- Outcomes will:
- provide direction to the company as to what is expected from its management system for this specific element; and
- provide guidance on how to have a compliant management system.
- Describe purpose, scope, objective and specific result including:
- a description of the series of interacting actions/steps that take place in an established order;
- roles, responsibilities and authorities defined to ensure the process is applied;
- references to relevant processes, procedures and work instructions; and
- descriptions of how the process is integrated with each section 55 program, where interactions would be reasonably expected to occur.
- Each management system element must:
- have its own specific criteria associated with it;
- have its own specific linkages to other management system elements that need to be explicitly demonstrated; and
- be specifically assessed based on various audit tests to confirm it is established and implemented.
- To demonstrate that the management system element is “established”, provide evidence that the element is:
- developed in the company required format;
- approved and endorsed for use by the appropriate management authority;
- communicated appropriately in the organization;
- taught to staff who require knowledge of the process; and
- an approved process documented for a minimum three (3) months.
- To demonstrate that the management system element is “implemented”, provide evidence of:
- company use of the process;
- consistent company use of required forms and records;
- action steps are performed as required; and
- the process being used for a minimum of three (3) months.
2.4 Audit Protocol Table Guidance
Part 1
The top half, or the generic portion, of the table outlines the CER’s expectations for the basic requirements of a Management System. The CER has defined the terms “Process”, “Established” and “Implemented” in the context of a CER Management System Audit (see Audit Definitions, Appendix I). During an Audit, the CER will evaluate company-provided documentation to verify the company is meeting what is required. All Management System elements in subsection 6.5(1) that have a Process requirement will need to follow the approach outlined in the table above.
There is an exception to this table structure for the following paragraphs, 6.5(1)(b), (d), (h), (s) and (w), as they do not require the development of a specific process. In these instances, the CER checks compliance by confirming that each of the deliverables required within those paragraphs are developed, established, used and maintained. For example, paragraph 6.5(1)(s) requires companies establish and maintain a data management system for monitoring and analyzing the trends in hazards, incidents and near-misses. If this management system element is being audited, the CER will confirm that the company has established and is maintaining that data management system. The CER will require evidence from the company demonstrating that the data management system is being used properly and by the relevant human resources. Regulated companies need to ensure that each management system element and required processes, systems, outputs, products or deliverables are integrated with all section 55 programs. While a CER audit may only focus or target one of these programs, the expected outcome for the process, output or deliverable is that it is applicable to all programs. Using paragraph 6.5(1)(s) as an example, the CER requires that the data management system for monitoring and analyzing trends in hazards, incidents and near-misses are integrated across section 55 programs, for example, safety, integrity, security, environment, damage prevention and emergency management.
The bottom half of Table 1, which contains the specific linkages, and starts with “In addition to the above Process definition requirements…” is specific to the management system element. To achieve compliance, companies should address these specific criteria since the CER uses these during an audit to evaluate the adequacy of the company’s processes, procedures, programs, systems, etc. in support of that specific management system requirement. The evaluation during an audit will test the process to determine if it is fit for purpose and provides a consistent desired end result.
The bottom half of the first row for each individual Table 1 contains the minimum expected linkages for that respective management system element. They are identified by the bold red lettering. The linkages in these tables are not exhaustive and do not represent all possible linkages including other applicable legislation, technical and other standards, including but not limited to the Canada Labour Code, CSA standards, and any CER conditions within certificates or orders enforced by the CER.
3.0 Management System Linkages
As previously stated, management system elements cannot function in individual silos nor can they ignore the section 55 programs, as the company’s management system will be found to be in non-compliance. As companies have the freedom to structure their management system to best suit their individual needs, a company can develop processes or procedures that reside in one part of their management system and then reference or link it to other parts of their management system. As an example, section 6 of the OPR requires companies to have a process for corrective and preventive actions for more than one management system element. A company could develop individual corrective and preventative action process/ procedures for each management system element, or it could develop the process/procedure once and then reference or link it to all management system elements that require it. The CER expects that the reference or linkage is explicit and done with an overall intent or purpose and this is easily identifiable in the company’s documentation.
The OPR section 6.1 defines the requirements for a company to establish, implement and maintain a management system that is explicit, comprehensive and proactive. The management system elements in section 6 are neither independent nor isolated, but are interconnected as inputs and outputs to one another and to other elements within the OPR. The CER expects that a compliant management system will contain a minimum amount of linkages (as shown in the audit tables) to ensure the management system is functioning systematically, comprehensively and as an integrated system.
Companies are required to develop and implement their own management system and include linkages between management system elements to adequately address their own unique operations. These linkages can extend beyond the linkages found in the CER guidance document and audit tables. However, the CER expects companies to be able to demonstrate and explain the intent and design of their management system, and to demonstrate how individual processes, programs, activities, and procedures are connected to one another, on purpose, to function as one complete functional management system.
4.0 Initial Audit Information Request
4.1 General
The following section provides general guidance and background to the CER’s regulated companies when the CER initiates an audit. The CER issues an initial audit announcement letter to the regulated company which informs the company of the CER’s intent to conduct an audit. The letter provides the auditee with basic information on the audit scope, subject matter and the general timelines for audit completion. Next, the company will receive an initial information request (IR). The IR is an important step in the audit process as it provides an opportunity for the CER to request specific information related to the:
- company management system; and
- individual or specific processes, database, inventory, list, etc.
The CER has developed a generic IR (Table 2) as a base template document specific to each subsection 6.5(1) management system element. Companies should note that the Table 1 and the initial IR are complementary. These documents are intended to provide information to companies about the type of information the CER seeks during an audit. However, based on the audit topic, the initial IR may be altered or additional questions added to address the specific audit focus.
The information provided here is generic in nature, and while it provides the basic structure of the IR, auditees should not expect the official audit version to be exactly as, or limited to, items contained in this guidance document. For example, additional questions may be added related to standards incorporated by reference, or questions specific to a company’s CER issued conditions as part of an approval.
The company is expected to make available the most up to date, relevant information and supporting management system documentation and records to answer each question. As part of the audit, the CER will review all of the relevant documentation made available by the company prior to the onsite portion of the audit. Additional supplemental IRs may be sent for greater clarification.
The generic IR template has two columns:
- column 1 has the questions from the CER which the company must respond to; and
- column 2 is for the company to provide its response, including specific direction as to where the CER can find the most pertinent information in the company’s materials (i.e. describe page numbers or sections where the company’s demonstration of compliance can be found) or state how each document satisfies the company’s overall response.
The CER’s Lead Auditor will address specific questions with respect to IR content and method of making the required data available at the start of every audit with the auditee.
Table 2 – Initial Information Request – Example
OPR subsection 6.5(1) A company shall, as part of its management system and the programs referred to in section 55,
(a): establish and implement a process for setting the objectives and specific targets that are required to achieve the goals established under subsection 6.3(1) and for ensuring their annual review.
Information Request Reference Number |
Information Request |
Company ResponseTable Note a |
---|---|---|
1 |
Make available the company’s documented Process for paragraph 6.5(1)(a). |
<insert response> |
2 |
Make available any other relevant supporting documentation or records used by the company in support of its Process for setting objectives and specific targets. Examples could be Procedures or work instructions. |
<insert response> |
3 |
Make available documentation or records of how this Process is being integrated with each OPR s. 55 program. |
<insert response> |
4 |
Make available records and documents to demonstrate how the company addresses the following:
|
<insert response> |
5 |
Demonstrate through records that the Process has been used as intended for a minimum three (3) months. |
<insert response> |
6 |
Make available documents and records to demonstrate the annual review by company management of the objectives and specific targets and any actions taken to address those areas where the company did not meet the objectives or targets. |
|
5.0 Further Information and Frequently Asked Questions
5.1 Further Information
The CER’s Audit protocols are maintained and administered by the CER’s System Operations Business Unit.
Additional information can be found on the CER’s website.
At the CER, we are committed to continual improvement. We welcome your feedback on this Guidance document or any component of the CER’s Regulatory Framework. If you have comments or suggestions, please send an email to Regulatory.Framework@cer-rec.gc.ca
5.2 Frequently Asked Questions
The following section outlines frequently asked questions regarding the CER’s approach to management systems audits and OPR section 6. Additional information can be found in the Management System and Protection Program Audit Protocols and the Audit Definitions, Appendix 1.
Regulatory Reference: General
Question:
- Explain the difference between performance-based requirements and prescribed requirements?
Answer:
- The CER uses a mix of performance-based and prescriptive regulations. Prescriptive regulations expressly state what must be done by a regulated party in order to achieve compliance. Under a purely prescriptive regulation, the regulated party must meet the exact wording of the regulation in order to be compliant. For example, in situations where the regulation states a specific kind of technology or thing must be used – if that technology or thing is not being used (irrespective of whether what is being used is equivalent, better or worse), the regulated entity will be found non-compliant.
- Performance-based regulations are outcomes-based. They often will set out what must be achieved, but how the outcomes are achieved is up to the regulated party – so long as what is being done by the regulated party actually achieves the outcomes stipulated by the regulations. The OPR contains a blend of these elements. Subsection 6.5(1) is an example. The prescriptive components set out what the company must have as part of its management system and the programs referred to in section 55. Under paragraph (a), the company must establish and implement a process for setting the objectives and specific targets that are required to achieve the goals established under subsection 6.3(1) and for ensuring their annual review. This is all prescriptive – the performance-based aspect of the section pertains to how the process is established and implemented. As well, the contents of the process (so long as it meets the outcome of setting objectives and specific targets) is also up to the company.
Regulatory Reference: General
Question:
- How does a company demonstrate linkages or integration to be compliant with the OPR?
Answer:
- Linkages generally provide the inputs and outputs between a management system’s various processes, procedures, policies, programs, standards, manuals, work instructions or other supporting materials to ensure that nothing is missed in the workflow. Companies are expected to address all linkage requirements on an on-going basis as part of their basic compliance requirements. The protocols identify the minimum required linkages based on regulatory expectations. A company may have additional linkages based on their own management system requirements.
- Companies must also demonstrate that the management system is being implemented as intended. Processes are linked within the company’s management system. In many, but not all situations, the output of one process is the input of another. Companies need to demonstrate how documents / processes/ programs etc. are aligned and, where necessary, linked to one another.
- Processes and linkages need to be kept up to date as they are a significant aspect of a company’s management system. There should be minimal lag time between changes in a company’s management system and the update to the process documents that the linkages support.
- An example of a linkage is how the Hazard Inventory (required in paragraph 6.5(1)(d) of the OPR) interacts with the process steps for evaluating risks required by paragraph 6.5(1)(e) in that the risk evaluation must utilize the inventory of hazards to be compliant with the OPR. Because those management system elements work together, the processes and/or procedures must refer to one another.
Regulatory Reference: OPR paragraph 6.5(1)(a)
Question:
- Explain the difference between objectives, targets and key performance indicators.
Answer:
- Objectives typically specify a desired outcome and are typically qualitative. An example of an objective is “We wish to minimize incidents”.
- Targets are tied to objectives. They typically include a performance measure that has a quantitative or numeric aspect and typically has a timeframe. An example of a target is “We will achieve a 20% reduction in incidents for the calendar year ending 31 December”.
- Key performance indicators, which are a best practice, are those that measure the effectiveness of something to determine if a desired result was achieved. An example of a key performance indicator is “We will measure our lost time incident rate”.
Regulatory Reference: OPR paragraph 6.5(1)(v) & (w), 6.6(1)
Question:
- Why and how does a company develop corrective actions for issues identified with established objectives and targets?
Answer:
- As part of the management system, a review or evaluation of the achievement of objectives and targets needs to be performed to determine if the company management system is achieving its desired outcome. If the objectives and targets were not achieved, companies should try to determine why they were not achieved and it may be necessary to implement corrective actions. Examples of corrective actions may include process changes, program changes, new or reviewed controls, etc.
Regulatory Reference: OPR paragraph 6.5(1)(e)
Question:
- Explain how a company determines risk acceptance.
Answer:
- The CER is not in a position to explain how each company determines its risk tolerance. For the purposes of the management system, it is incumbent upon companies to establish and implement a process for evaluating the risks associated with the hazards and potential hazards they identify as part of their regulated activities, including the risks related to normal and abnormal operating conditions. Companies must also establish and implement a process for developing and implementing controls to prevent, manage and mitigate the identified hazards, potential hazards and risks and for communicating those controls to anyone who is exposed to the risks. Companies should consider who is authorized to approve activities that have a higher risk level.
- A change management process is also required for identifying and managing any change that could affect safety, security or the protection of the environment, including any new hazard or risk, any change in a design, specification, standard or procedure and any change in the company’s organizational structure or the legal requirements applicable to the company.
- These risk processes are not to be confused with requirements for risk assessments for HVP pipelines pursuant to section 10 of the OPR.
Regulatory Reference: OPR paragraph 6.5(1)(g) and (h)
Question:
- Explain the difference between legal requirements and regulatory requirements.
Answer:
- Regulatory requirements are the same as legal requirements and must be obeyed. Legal (or regulatory) requirements include requirements specified in all applicable acts, regulations, orders (issued by the CER, CER inspectors or the courts), conditions imposed on companies in CER authorizations such as certificates or approval orders, commitments made to the CER in applications and/or corrective or preventive actions made in response to compliance verification activities like inspections or audits. A company is expected to comply with its own standards to the extent that these standards are included in their own management system and the company states that it is bound to follow them.
Regulatory Reference: OPR paragraph 6.5(1)(g) and (h)
Question:
- Explain what ‘clause level’ is.
Answer:
- The word “clause” has been used to explain the level of detail required in the list of legal requirements and ‘clause level’ is the primary content or where a specific obligation is created. The clause level can go down to the subparagraphs within applicable legislation (acts and regulations) or standards. The CER allows the company to determine the specific clause level for inclusion in its legal list; however, the identification of the appropriate “clause level” must demonstrate that the company has reviewed the key content of the regulatory requirement and determined its applicability, or non-applicability for inclusion in the legal list. In terms of CSA and other consensus standards incorporated by reference into the OPR, this would often be at the clause or sub-clause level or in the case of regulations it is often at the subsection, paragraph or even the subparagraph level. The use of the word “clause” was to provide a common understanding to those who often work with the consensus standards in the CER regulated companies, but may not work as often with the legislation.
Regulatory Reference: OPR paragraph 6.5(1)(g) and (h)
Question:
- Explain the link of the legal register to external communication.
Answer:
- The legal list is an information source to be used as an input to various other management system requirements; communication is just one of them. If a company has identified its applicable legal requirements, it will be better able to identify what external stakeholders are required to engage with and what information they are required to provide and when.
Regulatory Reference: OPR paragraph 6.5(1)(g) and (h)
Question:
- Explain why the legal list needs to include all OPR section 55 programs.
Answer:
- The legal list needs to include all legal requirements that are applicable to safety (including the Safety Management, Integrity Management, Emergency Management and Damage Prevention programs), environmental protection (the Environment program), and security (the Security Management program). To the extent that there are other OPR requirements touching upon safety, environmental protection and security that are outside the section 55 programs (for example, section 18 dealing with construction safety), the legal list needs to include such references. The legal list is not limited to the CER Act and its associated regulations – the legal list must include any legislation (down to the clause level) that is applicable to matters of safety, security and environmental protection, whether that legislation is federal, provincial/territorial or municipal.
Regulatory Reference: OPR paragraph 6.5(1)(g) and (h)
Question:
- Explain the linkages for the legal list.
Answer:
- The linkages for the legal list refer to other elements of the management system that need to use the list of applicable legal requirements. As in the example above, there are other requirements and processes that require the legal list as input. Others include quality assurance, training, inspections, etc.
Regulatory Reference: OPR paragraph 6.5(1)(j) and (k)
Question:
- Explain the expectation of the linkages between roles and responsibilities and competency and training.
Answer:
- Roles and responsibilities are key inputs for competency and training as the employees and those working on behalf of the company need to have training and clear understanding of their own roles and responsibilities. A company must have linkages between roles and responsibilities and training Programs to ensure Adequate Competencies are achieved.
Regulatory Reference: OPR paragraph 6.5(1)(j) and (k)
Question:
- Explain the scope of training and competency as it applies to the management system and programs.
Answer:
- The CER expects companies to determine the competency requirements and the necessary training programs specific to the company management system and programs to ensure staff are capable of performing their duties safely, ensure the protection of the environment and the safety and security of the pipeline. However, this does not mean that all staff are required to be experts at the intricacies of the company’s management system. Companies need to determine the scope and approach to competency requirements and how training programs are established and implemented including the level of detail in the training programs.
Regulatory Reference: OPR paragraph 6.5(1)(t)
Question:
- What is the scale of the contingency plans that are required as part of the OPR paragraph 6.5(1)(t)?
Answer:
- Contingency plans must be commensurate with the scope and scale of the abnormal events that could occur over the entire lifecycle of the regulated facilities constructed and operated by the company. This must include a review of the consequences of each event. Contingency plans must not be limited to emergency situations only, because abnormal events do not always result in an emergency. Regardless of the scale of the contingency plan, it must be documented and it should include the competencies staff require so they are able to recognize abnormal operating conditions and implement the contingency plans as needed.
Regulatory Reference: OPR paragraph 6.5(1)(t)
Question:
- What are multi-level scenarios?
Answer:
- Multi-level scenarios are situations where there can be inter-related or cascading events during an activity or incident whereby an initial situation can evolve into a different situation with varying potential and actual consequences. Additionally, multi-event scenarios can include several smaller events or incidents that cascade on each other making the overall situation more complex than the individual events or incidents. To align with a proactive management system, companies need to identify and consider multi-level scenarios to ensure adequate hazard identification, hazard analysis, evaluation of risks and determination of controls. Multi-level scenarios also play a role in contingency and emergency planning as part of the management system.
Regulatory Reference: OPR paragraph 6.5(1)(t)
Question:
- What are ‘Abnormal conditions’?
Answer:
- Abnormal conditions are conditions that are different or unusual from what is expected or normal. Abnormal events are those events or situations where the operation of facilities, processes, or activities, etc. occurs outside of what is desired or planned for normal operating conditions.
- An Abnormal event has the potential to affect the people or the environment. Examples include operating either above or below design limits, environmental incidents such as a wildfire that has the potential to affect regulated facilities, significant medical incidents or overpressure of a pipeline beyond normal operating conditions.
Regulatory Reference: OPR paragraph 6.5(1)(x)
Question:
- Explain why an annual review is required.
Answer:
- The OPR requires a management system that includes a performance review. The annual review provides a mechanism for companies to review the adequacy and effectiveness of their management system. Corrective actions provide a basis for areas of improvement to be identified, developed, implemented and monitored to closure.
Regulatory Reference: OPR paragraph 18
Question:
- How does a prime contractor model apply to third party contractors performing work on behalf of a CER-regulated company?
Answer:
- The prime contractor model does not apply to CER-regulated pipelines as there is no provision for transferring occupational health and safety responsibility or liability onto a contractor under federal law. CER-regulated companies cannot shift or transfer any of their ultimate responsibilities to contractors working on their behalf.
- Sections 18, 20 and 54 of the OPR prescribes what companies contracting for the provision of services for the construction of a pipeline must do. While the regulations allow companies to contract for the provision of services for the construction of pipelines, those companies must still exercise the control and oversight required in the OPR.
- For maintenance activities, sections 29 and 30 of the OPR establish similar responsibilities as outlined above.
- The OPR requires CER-regulated companies to be responsible for establishing, implementing and providing oversight of protective programs regarding safety, security and environmental protection throughout the lifecycle of regulated facilities. This includes the construction phase. The CER reminds companies that it is ultimately the certificate or order holder who is responsible for projects.
- Regulated companies must establish clear and explicit roles and responsibilities for both its employees and those working on behalf of the company. These clear and explicit roles and responsibilities will promote compliance and provide certainty with respect to the identification and management of hazards and ultimately better safety and environmental outcomes.
Regulatory Reference: General
Question:
- Provide some examples of the documents and records for the regulatory requirements of paragraph 6.5(1)(a-x).
Answer:
- The following table provides some examples of documents and records that a company may want to have in place for each management system element. Note this table is not exclusive, companies may have other documents and records that they believe work best for their specific management system.
Regulation |
Examples to Demonstrate Compliance |
---|---|
paragraph 6.5(1)(a) establish and implement a process for setting the objectives and specific targets that are required to achieve the goals established under subsection 6.3(1) and for ensuring their annual review. |
|
paragraph 6.5(1)(b) develop performance measures for assessing the company’s success in achieving its goals, objectives and targets. |
|
paragraph 6.5(1)(c) establish and implement a process for identifying and analyzing all hazards and potential hazards. |
|
paragraph 6.5(1)(d) establish and maintain an inventory of the identified hazards and potential hazards |
|
paragraph 6.5(1)(e) establish and implement a process for evaluating and managing the risks associated with the identified hazards, including the risks related to normal and abnormal operating conditions. |
|
paragraph 6.5(1)(f) establish and implement a process for developing and implementing controls to prevent, manage and mitigate the identified hazards and the risks and for communicating those controls to anyone who is exposed to the risks |
|
paragraph 6.5(1)(g) establish and implement a process for identifying, and monitoring compliance with all legal requirements that are applicable to the company in matters of safety, security and protection of the environment. |
|
paragraph 6.5(1)(h) establish and maintain a list of those legal requirements. |
|
paragraph 6.5(1)(i) establish and implement a process for identifying and managing any change that could affect safety, security or the protection of the environment, including any new hazard or risk, any change in a design, specification, standard or procedure and any change in the company’s organizational structure or the legal requirements applicable to the company. |
|
paragraph 6.5(1)(j) establish and implement a process for developing competency requirements and training programs that provide employees and other persons working with or on behalf of the company with the training that will enable them to perform their duties in a manner that is safe, ensures the security of the pipeline and protects the environment. |
|
paragraph 6.5(1)(k) establish and implement a process for verifying that employees and other persons working with or on behalf of the company are trained and competent and for supervising them to ensure that they perform their duties in a manner that is safe, ensures the security of the pipeline and protects the environment. |
|
paragraph 6.5(1)(l) establish and implement a process for making employees and other persons working with or on behalf of the company aware of their responsibilities in relation to the processes and procedures required by this section. |
|
paragraph 6.5(1)(m) establish and implement a process for the internal and external communication of information relating to safety, security and protection of the environment. |
|
paragraph 6.5(1)(n) establish and implement a process for identifying the documents required for the company to meet its obligations under section 6. |
|
paragraph 6.5(1)(o) establish and implement a process for preparing, reviewing, revising and controlling those documents, including a process for obtaining approval of the documents by the appropriate authority. |
|
paragraph 6.5(1)(p) establish and implement a process for generating, retaining and maintaining records that document the implementation of the management system and the programs referred to in section 55 and for providing access to those who require them in the course of their duties. |
|
paragraph 6.5(1)(q) establish and implement a process for coordinating and controlling the operational activities of employees and other people working with or on behalf of the company so that each person is aware of the activities of others and has the information that will enable them to perform their duties in a manner that is safe, ensures the security of the pipeline and protects the environment. |
|
paragraph 6.5(1)(r) establish and implement a process for the internal reporting of hazards, potential hazards, incidents and near-misses and for taking corrective and preventive actions, including the steps to manage imminent hazards. |
|
paragraph 6.5(1)(s) establish and maintain a data management system for monitoring and analyzing the trends in hazards, incidents and near-misses. |
|
paragraph 6.5(1)(t) establish and implement a process for developing contingency plans for abnormal events that may occur during construction, operation, maintenance, abandonment or emergency situations. |
|
paragraph 6.5(1)(u) establish and implement a process for inspecting and monitoring the company’s activities and facilities to evaluate the adequacy and effectiveness of the programs referred to in section 55 and for taking corrective and preventive actions if deficiencies are identified. |
|
paragraph 6.5(1)(v) establish and implement a process for evaluating the adequacy and effectiveness of the company’s management system and for monitoring, measuring and documenting the company’s performance in meeting its obligations under section 6. |
|
paragraph 6.5(1)(w) establish and implement a quality assurance program for the management system and for each program referred to in section 55, including a process for conducting audits in accordance with section 53 and for taking corrective and preventive actions if deficiencies are identified. |
|
paragraph 6.5(1)(x) establish and implement a process for conducting an annual management review of the management system and each program referred to section 55 and for ensuring continual improvement in meeting the company’s obligations under section 6. |
|
Appendix I – Definitions
All terms defined in this appendix include the present and past tense, where applicable. Definitions may be updated during continual improvement cycles, so it is important that companies consult this appendix regularly.
Abnormal: Abnormal conditions are different or unusual from what is expected under normal operating conditions. Abnormal events are those events or situations where the operation of facilities, processes, or activities occurs outside of the desired or planned normal operating conditions. An abnormal event has the potential to affect people or the environment. Examples include, operating either above or below design standards, an environmental incident such as a wildfire, significant medical incidents or overpressure or under- pressure of a pipeline beyond or below normal operating conditions.
Adequate: The subject of the assessment (management system, programs, procedures or processes) complies with the scope, documentation requirements and, where applicable, the stated goals and outcomes of the CER Act, its associated regulations and referenced standards. Within the CER’s regulatory requirements, this is demonstrated through documentation.
Audit: A systematic, documented verification process of objectively obtaining and evaluating evidence to determine whether specified activities, events, conditions, management systems or information about these matters conform to audit criteria and legal requirements, and communicating the results of the process to the company.
Competencies: The skills, knowledge and experience necessary to perform a job duty safely and appropriately.
Compliant: The CER uses this term to indicate that, based on the information made available and reviewed, no non-compliances relating to the protocol item referenced were identified during the audit. A Corrective and Preventive Corrective Action (CAPA) plan is not required to be developed.
Contingency plans: Plans established by companies to address possible abnormal events or situations that may occur. Contingency plans include roles, responsibilities and steps to ensure adequate actions are taken if the abnormal event or situation occurs. Contingency plans can be integrated with incident management procedures, emergency management programs and procedures along with other section 55 programs where applicable.
Developed: Any thingFootnote 1 prescribed by the OPR that a company is required to develop has been created in the format required by the company and meets the described regulatory requirements.
Effective: Any thing prescribed by the OPR that a company is required to develop, establish and implement meets its stated goals, objectives, targets and regulated outcomes. Continual improvement of that thing is being demonstrated by the company. Within the CER’s regulatory requirements, continual improvement is primarily demonstrated in company records evidencing processes for inspections, measurement, monitoring, investigation, quality assurance, audit and management review and corrective action as outlined in the OPR and evidence that the processes are being followed and these activities undertaken.
Established: Any thing prescribed by the OPR that a company is required to develop has been developed in the company required format, has been approved and endorsed for use by the appropriate management authority and communicated throughout the organization. All company staff and other persons working on behalf of the company or others that may require knowledge of the policy, program, process, procedure or thing are aware of it and its application. Staff and other third party contractors who use the processes, procedures, programs, standards and work instructions have been adequately trained on how to use the thing and can demonstrate they are adequately trained and following the requirements. The company has demonstrated that the policy, process, program, standard, procedure or work instruction or thing has been implemented on a permanent basis. As a measure of “permanent basis”, the CER requires the requirement to be implemented, meeting all of the prescribed requirements, for three months.
Finding: The conclusion reached based upon an evaluation of the evidence against audit criteria. Findings may fall into two categories, compliant or non-compliant. For non-complaint findings, corrective actions will be required.
Hazard: (per CSA Z662) a condition or event that might cause a failure or damage incident or anything that has the potential to cause harm to people, property, or the environment.
Implemented: A process or other thing prescribed by the OPR that has been approved and endorsed for use by the appropriate management authority. It has been communicated throughout the organization. All staff and persons working on behalf of the company or others that may require knowledge of the process or other thing required by the OPR are aware of it and its application.
Staff has been trained on how to use the process or other thing required by the OPR. Staff and others working on behalf of the company have demonstrated use of the process or other thing prescribed by the OPR. Staff and others working on behalf of the company have demonstrated use of the process or other requirement. Records and interviews have provided evidence of full implementation of the requirement, as prescribed (i.e., the process or procedures are not partially utilized).
Inspection: An observation and evaluation of the conditions against a set of criteria. Inspections can include document/record review, interviews and observations.
Inventory: A documented compilation of required items. The inventory must be demonstrable as a stand-alone product that is without the need for additional supporting material, but the content must be integrated into the company’s management system, section 55 programs and management system processes and maintained so that it is up-to-date.
List: A documented compilation of required items. The list must be demonstrable as a stand-alone product; that is, without the need for additional supporting material, but the content must be integrated into the company’s management system and management system processes and maintained so that it is up-to-date.
Maintained: A policy, program, process, procedure, standard, work instruction or other thing required by the OPR has been kept current in the format required by the company and continues to meet regulatory requirements. With documents, the company must demonstrate that it meets the document management requirements in OPR, paragraph 6.5(1)(o). With records, the company must demonstrate that it meets the records management requirements in OPR, paragraph 6.5(1)(p).
Management System: The system set out in OPR sections 6.1 to 6.6. It is a systematic approach designed to effectively manage and reduce risk and promote continual improvement. The system includes the organizational structures, resources, accountabilities, policies, processes and procedures required for the company to meet its obligations related to safety, security and environmental protection. The CER management system requirements are set out in OPR sections 6.1 to 6.6. Therefore, in evaluating a company’s management system, the CER considers more than the specific requirements of section 6.1. It considers how well the company has developed, incorporated and implemented the policies and goals on which it must base its management system as described in section 6.3; its organizational structure as described in section 6. 4; and considers the establishment, implementation, development and/or maintenance of the processes, inventory and list described in section 6.5(1). As stated in sections 6.1(c) and (d), the company’s management system and processes must apply and be applied to the programs described in section 55.
Non-Compliant: The audited company has not demonstrated that it has developed and implemented programs, process and procedures that meet the legal requirements relating to the protocol item referenced. A Corrective and Preventive Action plan must be developed and submitted to the CER for approval.
Potential Hazards: A hazard (see definition above) that the company, its employees or anyone working on behalf of the company may be exposed to based on potential activities or conditions that may occur or be reasonably expected to occur in the construction, operation or abandonment of the company’s facilities. The identification, documentation and mitigation of potential hazards applies, at a minimum, to all section 55 programs, and to all CER-regulated activities. Potential hazards must be identified over a range of conditions and not limited to normal operating conditions.
Practice: A repeated or customary action that is well understood by the persons authorized to carry it out.
Procedure: A documented series of steps followed in a regular and defined order thereby allowing individual activities to be completed in an effective and safe manner. A procedure also outlines the roles, responsibilities and authorities required for completing each step.
Process: A documented series of interrelated actions that take place in an established order and are directed toward a specific result. To be a compliant process, ensure the following are addressed:
- Describe the purpose, scope, objective and specific results that the process is intended to achieve;
- Describe the series of interacting actions or steps that take place in an established order;
- Define the roles, responsibilities and authorities of staff to ensure the process is appropriately applied;
- Where required, references other relevant processes, procedures and work instructions; and
- Describe how it is integrated with each s.55 program.
Additional information regarding processes is as follows:
OPR section 6.5(1) describes the CER’s required management system processes. In evaluating a company’s management system processes, the CER considers whether each process or thing required by the OPR has been established, implemented, developed or maintained as described within each section; whether the process is documented; and whether the process is designed to address the requirements of the process, for example a process for identifying and analyzing all hazards and potential hazards. Processes must contain explicit required actions including roles, responsibilities and authorities for staff establishing, managing and implementing the processes. The CER considers this to constitute a common 5 w’s and h approach (who, what, where, when, why and how). The CER recognizes that the OPR processes have multiple requirements; companies may therefore establish and implement multiple processes, as long as they are designed to meet the legal requirements and integrate any processes linkages contemplated by the OPR section.
Processes must incorporate or contain linkage to procedures, where required to meet the process requirements.
As the processes constitute part of the management system, the required processes must be developed in a manner that allows them to function as part of the system. The required management system is described in OPR section 6.1. The processes must be designed in a manner that enables or ensures the company is following its policies and goals established and required by section 6.3.
Further, OPR section 6.5(1) indicates that each process must be part of the management system and the programs referred to in OPR section 55. Therefore, to be compliant, the process must also be designed in a manner which considers the specific technical requirements associated with each program and is applied to and meets the process requirements within each program. The CER recognizes that single process may not meet all of the programs; in these cases it is acceptable to establish governance processes as long as they meet the process requirements (as described above) and direct the program processes to be established and implemented in a consistent manner that allows for the management system to function as described in 6.1.
Program: A documented set of processes and procedures designed to regularly accomplish a result as well as information outlining how plans, processes and procedures are linked; in other words, how each one contributes to the result. A company regularly plans and evaluates its program to check that the program is achieving the intended results.
(The CER has applied the following interpretation of the OPR for evaluating compliance of programs required by the NEB regulations.)
The program must include details on the activities to be completed including what, where, by whom, when, and how. The program must also include the resources required to complete the activities.
(Management System) Quality Assurance Program: A quality assurance program for a company’s management system is used for the systematic monitoring and evaluation of the management system, each program referred to in section 55, including a process for conducting audits according to section 53 and for taking corrective and preventative actions if deficiencies are identified.
Quality Assurance Program: The program required by section 15 of the OPR for the purpose of ensuring that the pipe and components to be used in the pipeline meet the specifications referred to in section 14 of the OPR.
Supervising: To ensure that employees, company contractors and independent third party contractors working for and on behalf of the company perform their duties in a manner that is safe, maintains the security of the pipeline and protects the environment. Formal roles and responsibilities are defined for supervising and can include a reporting function.
- Date modified: