Information Advisory IA 2023-002 – Management System Audits

Information Advisory IA 2023-002 – Management System Audits [PDF 244 KB]

File OF-Surv-Gen11 01
1 August 2023

To:
Oil and Gas Pipeline Companies under the Jurisdiction of the Canada Energy Regulator
Canadian Association of Petroleum Producers
Provincial and Territorial Regulators
  • 2022-23 Canada Energy Regulator - Management System Audits: Information Advisory

Please find attached the Canada Energy Regulator (CER) Information Advisory (IA) CER IA 2023-002.

The CER has issued the following IA that summarizes the findings of audits the CER has completed this past year related to regulated companies’ management of contaminated sites and management of damage prevention.

These findings are important to share so that all companies are aware where improvements may be necessary to their own management systems and can benefit from these learnings to proactively identify, analyze, and manage hazards and risks to prevent harm to people and the environment. CER-regulated companies are expected to review the management system learning areas noted below and apply lessons learned in their own management system. The CER will also incorporate these learnings into its future compliance and oversight activities, including audits.

If you require any further information or clarification, please contact the Director of Audit, Enforcement, and Investigation through our toll-free number at 1-800-899-1265.

This and other advisories are published on the CER Safety and Environment website.

Best regards,

Signed by

Tracy Sletto
Chief Executive Officer

Attachment: 2022-23 Canada Energy Regulator – Management System Audits: Information Advisory (CER IA 2023-002)


CER IA 2023-002
August 2023

2022-23 Canada Energy Regulator - Management System Audits: Information Advisory

Basis for Issuance

The CER requires all companies to establish and implement an effective management system to proactively identify and analyse hazards and manage the associated risks to prevent harm to people and the environment. A well-designed and implemented management system, as described in the Canadian Energy Regulator Onshore Pipeline Regulations (SOR/99-294) (OPR), enables hazard management, learning, and continual improvement throughout an organization. When coupled with a robust safety culture, it supports strong safety and environmental protection performance and outcomes.

Background

As part of its ongoing oversight activities, the CER’s 2022/23 compliance audit program focused on two areas of management system function: the management of contaminated sites and the management of damage prevention. Three companies were audited for each area. Companies were selected based on several factors, including the CER oversight risk identification and prioritization model.

This is the second consecutive year in which the CER focused on contaminated sites management as a subject for its compliance audits. The lessons learned from last year’s contaminated sites audits are summarized in the CER Information Advisory CER IA 2022-001 and detailed in the audit reports on the CER’s external website.

In July 2021 the CER published its Management System and Protection Program Audit Protocols, which are intended to help describe and explain the CER’s expectations of regulated companies regarding their management systems obligation. Those protocols are relevant to the lessons described in this Information Advisory and should be referred to for additional context.

Management System Learning Areas

Deficiencies identified during the audits are summarized in this Information Advisory to promote learning and improvement across all CER-regulated companies. The audit reports also discuss areas where no issues were identified. These details may be helpful for companies as they compare the results to their own management system.\

Management System Processes

Subsection 6.5(1) of the OPR lists several requirements for companies to meet as part of their management system and the protection programs referred to in section 55 of the OPR. This means that the requirement must be met throughout the entire management system including the governance level and the program level throughout the entire life cycle of a pipeline.

During this year’s audits, it was found that one auditee had developed processes suitable for the requirements of the larger overarching corporate level, but these same processes were not all referenced at the program level. Companies need to design their management system processes so they can work at both the corporate level and the program level or have overarching corporate level processes and more focused program level processes that link and interact with one another to meet the overall requirements.

Process Requirements

Further to the previous paragraph, in some cases, there appeared to be a misunderstanding over what constitutes a process. Where a paragraph under subsection 6.5(1) calls for a company to establish and implement a process, it is not enough for a company to state in its documentation that it commits to meeting the requirement. An established process must document the who, what, when, where, why, and how of the process. For a process to be considered implemented, the CER requires a company to demonstrate that it has established a documented process; it is being correctly followed; any training required related to the process has been provided to staff; and it has been in active use for at least 90 days.

Management System Programs

The OPR requires companies to have six protection programs, and each has specific requirements as detailed in the regulation. One is an Environmental Protection Program (EPP) which must meet the requirements of sections 6 and 48 of the OPR. While the management of contaminated sites is not a specific section or paragraph in the OPR, as part of a comprehensive EPP the CER would expect to see processes, procedures, and work instructions for managing contaminated sites included as part of the program.

Another protection program required by the OPR is a Damage Prevention Program which must meet the requirements of sections 6 and 47.2 of the OPR. Section 47.2 also requires that the program comply with section 16 of the Canadian Energy Regulator Pipeline Damage Prevention Regulations – Obligations of Pipeline Companies (SOR/2016-133) (DPR-O)

One of the companies audited for damage prevention had a program which met some of the requirements of the OPR and some of section 16 of the DPR-O, but not all. For example, the auditee allowed passenger-sized vehicles to cross the pipeline without requiring consent from the company, which is not compatible with the requirements of paragraph 16(f) of the DPR-O. All requirements of the applicable regulations must be met for the program to be compliant.

Internal Audits

The OPR requires companies to conduct compliance audits in accordance with section 53 of the OPR and program audits as per the requirements of section 55. The regulations require that these audits are to be completed at intervals not exceeding three years. The purpose of a compliance audit is for a company to verify compliance with the legislated requirements listed in subsection 53(1) of the OPR. Program audits are to be carried out on all the protection programs listed in section 55 and are intended to verify that each program is meeting or exceeding the requirements of the OPR and other applicable legislation under the CER Act and operating in accordance with the company’s own specific requirements.

In one case the company provided the auditors with evidence of a number of assurance activities that it was carrying out, including internal audits but none of the audit reports provided proof that a thorough section 55 program audit had been conducted on the Damage Prevention Program. If a proper section 55 program audit had been carried out, the company would have found some of the deficiencies noted in this information advisory, including missing processes at the program level required by subsection 6.5(1) of the OPR.

Next Steps

CER-regulated companies are expected to review and address the deficiencies noted and confirm they do not exist in their management systems. The CER will incorporate these learnings into its future compliance and oversight activities, which may include future audits in these areas.

Date modified: