Kondwit

49 CFR 192.917: Threat Identification for Gas Transmission Pipelines

Matthew Brown, PE·11 min read·Updated 2026-04-01

49 CFR 192.917 requires operators of gas transmission pipelines to identify and evaluate all potential threats to each covered pipeline segment using a structured, data-driven process. This section is the entry point for the entire integrity management decision chain under Subpart O — the quality of threat identification directly determines the quality of everything downstream, from assessment method selection to reassessment intervals to preventive measures. A weak threat identification process produces a weak program, regardless of how much money is spent on inspections.

What Is 49 CFR 192.917?

Section 192.917 sits within Subpart O of 49 CFR Part 192, which establishes the integrity management requirements for gas transmission pipelines that could affect high consequence areas. Specifically, 192.917 addresses how an operator identifies potential threats to each covered segment.

The regulation requires operators to consider all threat categories identified in ASME/ANSI B31.8S, the industry standard that provides the technical framework for gas transmission integrity management. These categories include external corrosion, internal corrosion, stress corrosion cracking, manufacturing defects, construction defects, equipment failures, third-party and mechanical damage, incorrect operations, and weather and outside force threats.

Beyond the threat categories themselves, 192.917 requires operators to evaluate how identified threats may interact with one another and to account for the quality and completeness of available data when drawing conclusions about threat significance. These two requirements — threat interaction analysis and data quality consideration — are where most programs fall short.

Why Threat Identification Matters

Threat identification under 192.917 is not a standalone compliance exercise. It is the foundation on which every subsequent program decision is built. When it is done well, every downstream decision has a defensible basis. When it is done poorly, the program develops structural weaknesses that compound with each reassessment cycle.

The downstream effects are direct. The threats identified for a covered segment determine which assessment methods are appropriate under 192.921, 192.923, and 192.925. They influence how risk is prioritized across segments under 192.911. They shape preventive and mitigative measure selection under 192.935. They inform reassessment interval decisions under 192.937. And they form the basis for the program evaluation required under 192.939.

If a threat is not identified, it cannot be assessed. If it cannot be assessed, it cannot be detected. If it cannot be detected, it goes unexamined through every reassessment cycle until it produces a failure. A PHMSA inspector reviewing the program will not independently discover a missed threat — they evaluate whether the operator followed its own procedure. The missed threat only surfaces in an incident investigation.

Key Requirements

Comprehensive Threat Consideration

Operators must evaluate every threat category from ASME B31.8S for each covered segment. The requirement is not to rate every threat as significant — it is to evaluate every threat and document the basis for that evaluation. Dismissing a threat without documented reasoning is a common audit finding. The burden is not on PHMSA to disprove that a threat exists; it is on the operator to demonstrate that each threat was considered and that any low or not-applicable rating is supported by data.

Segment-Specific Analysis

The threat identification must be specific to each covered segment. Two segments on the same pipeline system may face materially different threats due to differences in soil conditions, coating type, pipe vintage and manufacturer, proximity to construction activity, operating pressure, or land use context. A threat identification that applies the same ratings uniformly across the system without accounting for these differences does not satisfy the regulation and does not serve the program's actual purpose.

Data Quality Consideration

The regulation explicitly requires operators to consider the quality and completeness of data used in the threat identification process. If data is missing, uncertain, or outdated, the evaluation must account for that uncertainty. Programs that assign low threat ratings despite data gaps — and document no basis for doing so — create audit risk and create genuine safety risk. The appropriate response to a data gap is not to assume the threat is low; it is to acknowledge the gap and apply a conservative evaluation or develop a plan to obtain the missing data.

Threat Interaction Analysis

Operators must evaluate how identified threats may interact with one another. Interacting threats are two or more damage mechanisms occurring at the same location simultaneously. Common examples include a dent with co-located metal loss, external corrosion at an unsupported span near a geohazard, and accelerated corrosion under heat-treated sleeves or girth weld coating. The interaction between threats creates a materially different risk profile than either condition in isolation.

Threat interaction analysis is the component of 192.917 that is most consistently done poorly. The challenge is partly organizational — at large operators, threat categories may be managed by separate technical groups that have no natural mechanism for comparing findings across domains. At smaller operators, a single person covers all threat categories but may lack the depth or capacity to rigorously evaluate how conditions combine. The result, across operator sizes, is that interacting threats are systematically underevaluated relative to single-threat conditions.

The best practice for interacting threat management is GIS-driven spatial analysis that links co-located threat data from multiple sources — ILI runs, CP survey records, aerial survey findings, geohazard databases — into a unified view that can identify overlapping conditions. The output should be a register of identified interactions with documented dispositions: accept the risk and document the basis, investigate further with site-specific data collection, mitigate immediately for clear hazards, or establish a monitoring program with defined trigger thresholds. That register format is what makes interacting threats auditable and manageable as a population over time.
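The co-location step and the disposition register described above can be sketched as follows. This is an added example, not code from the article or from Kondwit; it assumes features are located by station range in feet along one segment, and the field names, source labels and sample records are constructed for illustration.

```python
from dataclasses import dataclass

# The four dispositions named in the text above.
DISPOSITIONS = {"accept", "investigate", "mitigate", "monitor"}

@dataclass(frozen=True)
class Feature:
    source: str      # originating data set, e.g. "ILI" or "CP survey"
    threat: str      # threat category label
    start_ft: float  # station range along the segment (assumed linear referencing)
    end_ft: float
    note: str

def find_interactions(features, tolerance_ft=0.0):
    """Pair features of different threat categories whose station ranges overlap."""
    ordered = sorted(features, key=lambda f: f.start_ft)
    register = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.start_ft > a.end_ft + tolerance_ft:
                break  # sorted by start: nothing later can reach back to a
            if a.threat == b.threat:
                continue  # same mechanism twice is not an interaction
            lo, hi = sorted((max(a.start_ft, b.start_ft), min(a.end_ft, b.end_ft)))
            register.append({"from_ft": lo, "to_ft": hi, "features": (a, b),
                             "disposition": None, "basis": None})
    return register

def set_disposition(row, disposition, basis):
    """Record a disposition; refuse one with no documented basis."""
    if disposition not in DISPOSITIONS:
        raise ValueError(f"unknown disposition: {disposition}")
    if not basis or not basis.strip():
        raise ValueError("a disposition needs a documented basis")
    row["disposition"], row["basis"] = disposition, basis

def undispositioned(register):
    """Rows an auditor would find still open."""
    return [r for r in register if r["disposition"] is None]

# Constructed sample data for one segment (not real survey results).
SAMPLE = [
    Feature("ILI", "mechanical damage", 1200, 1203, "dent"),
    Feature("ILI", "external corrosion", 1201, 1202, "metal loss"),
    Feature("geohazard DB", "weather and outside force", 5000, 5400, "slope zone"),
    Feature("CP survey", "external corrosion", 5300, 5600, "low potential"),
    Feature("ILI", "external corrosion", 9000, 9001, "isolated metal loss"),
]
```

The isolated metal loss at station 9000 produces no register row, while the dent with metal loss and the geohazard zone with the low CP reading each produce one that stays open until a disposition and basis are recorded.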

Practical Implementation

Effective threat identification reflects the reality of the pipeline system, not the structure of a template. Programs that hold up under audit consistently demonstrate the following characteristics.

Grounded in actual data. Threat evaluations reference specific data sources: ILI results, CP survey records, leak history, excavation findings, soil resistivity measurements, and operational history. Generic threat lists that do not cite supporting data are the single most common weakness in 192.917 compliance.

Connected to assessment method selection. An auditor reviewing the program should be able to trace a direct line from the threats identified for each segment to the assessment method chosen for that segment. If the connection is not apparent in the documentation, the program logic is broken at one of its most important joints.

Updated when conditions change. Threat identification is not a one-time exercise. New ILI results, system modifications (such as pressure increases, flow reversals, or pump additions), land use changes near the pipeline corridor, and incident or maintenance findings all generate information that should be integrated into the threat evaluation. Programs that have not been updated despite receiving new assessment data raise immediate questions about whether the program actually functions as a management tool.

Honest about data limitations. Every pipeline system has data gaps. The appropriate response to a gap is to acknowledge it and apply a conservative evaluation or document a plan to resolve it. An operator who rates manufacturing threats as low despite the absence of seam assessment records, with no documented basis for that conclusion, has created an analytically indefensible position.

Enforcement and Audit Focus

The following patterns appear with notable frequency in PHMSA enforcement actions and audit findings related to 192.917:

Generic threat lists applied uniformly across segments. The same table of threat ratings copied from segment to segment without differentiation. This demonstrates that the analysis was performed at the template level rather than the segment level and is one of the clearest signals to a PHMSA auditor that the program is a compliance artifact.

Ratings without data citations. Threat rankings assigned without reference to the specific records or observations that support them. Auditors expect documentation that traces each significant rating to the evidence underlying it.

Dismissals without reasoning. Threats rated low or not applicable with no documented explanation. The absence of reasoning for a low rating is as problematic as the absence of an evaluation — both suggest the process was not actually performed.

No visible update mechanism. Threat identification that has not been revised despite material changes in conditions or the arrival of new assessment data. Static programs suggest the threat identification is not connected to program operations.

Missing interaction analysis. Evaluating each threat in isolation without addressing whether identified threats could combine to create elevated risk. Programs that document individual threat categories but show no evidence of interaction analysis have an explicit gap relative to the regulatory requirement.

Frequently Asked Questions

What threat categories must be considered under 192.917?

Operators must consider all threat categories identified in ASME B31.8S: external corrosion, internal corrosion, stress corrosion cracking, manufacturing defects (including long seam and pipe body defects), construction defects, equipment failures, third-party and mechanical damage, incorrect operations, and weather and outside force threats. Each category must be evaluated for each covered segment with documented results.

Does 192.917 require every threat to be rated as significant?

No. The requirement is to evaluate every threat, not to rate every threat as significant. However, when a threat is rated as low or not applicable, the basis for that determination must be documented and supported by available data. Dismissing a threat without reasoning is a common enforcement finding.

How often should threat identification be updated?

The regulation does not prescribe a specific update frequency, but the program evaluation requirements under 192.939 expect threat identification to reflect current conditions. Best practice calls for review whenever new assessment data arrives, whenever operational changes occur — such as pressure increases, service conversions, or significant system modifications — and whenever incident or maintenance findings reveal conditions not captured in the current threat picture. Programs that remain static in the face of new information are structurally vulnerable under audit.

How does stress corrosion cracking factor into 192.917 threat identification?

SCC is a required threat category under ASME B31.8S and must be evaluated for each covered segment. High-pH SCC is most common within the first 15 to 20 miles downstream of a compressor station in high-pH soil environments. Near-neutral pH SCC is more broadly distributed and more difficult to evaluate because susceptibility depends on coating condition, soil chemistry, and cathodic protection effectiveness in combination. Where SCC is identified as a potential threat, assessment options for gas pipelines are limited: pressure testing (including spike testing), EMAT tools (with noted identification challenges), and SCCDA programs that follow a process similar to ECDA with enhanced focus on environmental conditions and SCC-specific criteria.

What makes an interacting threat evaluation technically defensible?

A defensible interacting threat evaluation begins with a GIS-based or spatially integrated review of co-located conditions across threat categories. It documents which combinations were identified, the analytical basis for the risk assessment of each combination, and the disposition decision — whether the identified interaction was accepted, flagged for further investigation, mitigated, or placed on a monitoring program with defined thresholds. Where co-located conditions require stress analysis, scour analysis, or other engineering evaluations, those analyses should be documented as part of the threat record. The goal is a register that can be audited and managed as a population over time.




Matthew Brown, PE Licensed Professional Engineer | 15+ years pipeline integrity and compliance experience

Matthew Brown is a pipeline integrity engineer specializing in integrity management program development, regulatory compliance, threat assessment, and audit preparation. He has supported operators across transmission, distribution, and hazardous liquid systems with program development, documentation review, and PHMSA audit support.

This content is for informational and educational purposes only. It does not constitute engineering services, legal advice, or a professional engineering opinion. Operators should consult qualified professionals for system-specific compliance decisions.
