Pipeline Risk Assessment: Threat Interaction—A Case of Confusing Terminology

As we continue this exploration of pipeline risk assessment, let’s tackle some terminology obstacles.  Pipeline risk assessment is a challenging topic on its own, so added confusion from terminology is most unwelcome.


In some recent regulatory initiatives, a criticism has arisen regarding some pipeline operators’ failure to properly account for ‘threat interaction’ in their formal risk assessments. To most, ‘threat interaction’ means the coincident occurrence(s) of multiple integrity threats and their combined impact on failure potential.  Seems straightforward.  However, confusion surrounding the word ‘threat’ has resulted in the observed weaknesses in some risk assessments.

This confusion can be traced to certain guidance documents.  One of the most important pipeline industry integrity management guidance documents identifies nine primary threat conditions.  In that document, the nine threats are placed into three separate categories.

Time Dependent Threats (threats which tend to grow over time)

  • Internal Corrosion
  • External Corrosion
  • Stress Corrosion Cracking[1]

Time-stable Threats (defined as threats which do not grow over time unless acted upon by another condition or failure mechanism)

  • Manufacturing
  • Fabrication/Construction
  • Equipment

Time Independent Threats (random events, not influenced by time)

  • Human Error
  • Third Party Damage
  • Earth Movement, Outside Force, or Weather


At first glance, these may all appear to represent failure mechanisms.  Actually, these nine threats contain two different ‘flavors’ of threat:  failure mechanisms and weakness locations.  Some are not failure mechanisms at all but rather potential weak points or locations of ‘increased vulnerability’.  Manufacturing defects, construction defects, and equipment are not failure mechanisms–they do not cause failure.  There has to be an underlying failure mechanism at work before a lamination, pipe seam issue, wrinkle bend, or gasket becomes a point of failure.  They are locations of possible increased susceptibility to certain failure mechanisms, but they themselves are not failure mechanisms.

So, some of these listed ‘threats’ are failure mechanisms and some of them are locations of potential weakness.  Both are ‘threats’ to integrity and both need to be in a risk assessment.  However, using the same term for both can cause a problem since failure mechanisms must be handled differently than ‘potential weak spots’ when performing the risk assessment.

The confusion is apparent in some attempts to employ a type of matrix showing which ‘threats’ may interact.  That is not a full solution.  All possible combinations and the wide range of implications of each cannot be handled in a simple matrix.  Such matrices are incomplete, confusing, and completely unnecessary.  A much simpler solution is available—read on.

The terminology confusion goes further.  In the same guidance document, Manufacturing Defects and Construction Defects, are separated for special treatment as potentially ‘stable’ threat categories.  The concept of a ‘stable threat’ is not found in risk assessment in other industries. The phrase ‘stable threat’ is defined in other documents to denote a condition in which the integrity of a pipeline is not threatened within a predictable time period.   Presumably, this means that the potential weakness may exist but be judged to be non-injurious under certain conditions.  This is essentially a determination of acceptable risk—when the incremental failure potential added by the feature is deemed insignificant, the issue is labeled as being ‘stable’.  This mixture of risk acceptability within the risk assessment adds more confusion.  The measurement of risk should be free of acceptability judgments.  Risk management should only be done after the risk assessment.

Obtaining Clarity

Fortunately, these issues are almost entirely due to terminology.  Proper measuring of PoF avoids all complications by using all information appropriately.  Threat interaction happens automatically when data is used properly.  The category of ‘stable threat’ becomes unnecessary, leaving the two categories seen in other industries’ listings of failure mechanisms—time-dependent and time-independent.

The simple solution to avoiding these complications was described in a previous column detailing the measurement of PoF.  The independent measurements of exposure, mitigation, and resistance (ie, the attack, the defense, and the survivability if defense fails) to arrive at PoF for each pipeline segment will ensure that such problems do not arise.

Features categorized as manufacturing or construction anomalies such as wrinkle bends and hook cracks in low-frequency ERW seams should be treated as locations of potentially lower resistance.  They may be more susceptible—less resistive—to unmitigated exposures of external forces or fatigue.  Locations of identified metal loss or laminations will generally have reduced resistance to further corrosion.

Similarly, features categorized as ‘equipment threats’ such as gaskets , pump seals, and pressure-control equipment should also be treated as locations of differing resistance characteristics.  Their presence does not constitute a new exposure—the attack is normally the same as on the nearby pipe.  However, they may have reduced resistance to certain failure mechanisms (unmitigated exposures) such as external forces or fatigue. These features often warrant a separate evaluation of PoF from nearby pipe, fittings, and other appurtenances.  This is consistent with a practice of proper segmentation (see previous article).

By coupling all failure mechanisms with all potential weaknesses on a segment, full recognition of any and all interactions is assured.  There is no need for special categories of threat nor special treatment of interactions.  All are already fully included in the fundamental design of the risk assessment.

Remember that direct numerical estimates of risk – a measure of some consequence over time and space, like ‘losses per km-year’ – are the most meaningful measures of risk we can create. Anything less is a compromise. Compromises lead to inaccuracies; inaccuracies lead to diminished decision-making, leading to misallocation of resources; leading to inefficiency and unnecessary risk.

Good risk estimates are extremely valuable. They are readily obtained once we understand risk and how to measure it.


Future Column Topics

The Troubles with Weightings

Damage vs Failure—An Important Distinction

Measuring Damage Potential—What is Attacking?  How Effective are Defenses?

Consequences of Failure—ID the Scenarios

“The Perfect Storm” Chain of Events

What if I don’t have much data?

How do I handle non-pipe assets?

Myth Busting—I don’t have enough data

Getting Info from SME’s—Facilitation!

Published March 2013

Read the pdf version of the article