Pipeline product loss without a corresponding pressure transient.
This is the story a volume-balance leak-detection system tells the operator on a quarterly reconciliation cycle: "We're short by some barrels this quarter. Within tuned tolerance, but unexplained." By the time the integrity team raises the question, the product is gone, the trail is cold, and the next reconciliation cycle is already running.
For one EI customer — a Tier-1 crude operator with ~310 miles of pipeline through remote South Texas — that pattern had been running for nine months across a single segment crossing rural county roads. The legacy CPM had no path to localize the loss. The operator had no path to the source.
Pre-detection window
Length of the unreconciled-loss pattern that the volume-balance system had been silently absorbing into its tolerance band before EI was deployed.
Per-event signature
Magnitude of each individual pressure-drop event — well below the legacy alarm floor of any threshold-based system tuned for catastrophic-failure response.
Alerts fired by legacy CPM
Across the entire nine-month pattern. The CPM did exactly what it was tuned to do — and missed every individual event because none crossed its threshold alone.
Why volume-balance CPM can't see organized theft.
Volume-balance leak detection compares product going into a pipeline segment against product coming out. The difference, integrated over a reconciliation window, becomes the alarm criterion. The mathematics has two structural blind spots that organized theft exploits with surgical precision.
Per-event volume is small enough to disappear into measurement uncertainty. Spread across a month, the integrated loss just clears statistical significance — but the volume-balance algorithm was never tuned to fire on a 0.3%-monthly anomaly. It fires on instantaneous rupture-magnitude rate-of-change. Theft is the opposite problem: persistent, periodic, and below the noise floor of every individual measurement window.
Cross-stream NPW detection inverts the problem. Each hot-tap event — even a small one — produces a sharp, asymmetric pressure-drop signature that propagates upstream and downstream at close to the speed of sound. The model isn't looking at integrated volume over an hour. It's looking at the shape of the pressure waveform on a 10-millisecond resolution. Small volume doesn't mean small signature.
The detection signature.
Inside 21 days of EI deployment, the cross-stream model began flagging a recurring pattern that the legacy system was structurally unable to see. Three signature characteristics made the pattern unmistakable once visible.
Amplitude clustering
Every event landed in the same 0.4–0.7 PSI dip window. Real leaks vary widely in magnitude as the defect grows over time. Tap signatures are bounded by the tap geometry — same hardware, same opening, same dip envelope.
Time-of-day clustering
Events concentrated between 02:00 and 04:00 local, on Tuesday and Sunday nights. A corrosion-induced leak does not care what day of the week it is. A scheduled extraction operation does.
GPS clustering
Cross-station NPW arrival-timing resolved every event to the same 180-yard segment, repeatedly, to within the model's ±25-foot localization envelope. A leak might wander as a defect grows. A tap doesn't move.
What the integrity team saw the morning EI surfaced it.
The screenshot below is an anonymized reconstruction of the EI operations dashboard's pattern-detection panel for this segment. Real coordinates have been removed; event timestamps shifted; the physical layout preserved.
Note that the pattern-analysis panel doesn't say "leak." It says "field inspect + law enforcement brief." EI's pattern detector knows that repeated, sub-PSI, scheduled, identically-located events have a much higher likelihood of being a deliberate actor than a developing corrosion defect. The recommended action changes accordingly.
From signal to interdiction in three weeks.
Three SPL100-class units (now EI Sentinel) installed at the segment's upstream, midpoint, and downstream measurement points. First MQTT publish to cloud confirmed within four minutes of power-on.
Combined v3 model trained on the operator's prior 60 days of pressure history. Detection envelope settled within ±0.45 PSI of predicted downstream pressure across all flow regimes.
Cross-stream model flags a -0.6 PSI signature, duration ~7 minutes, localized to a 200-yard segment near a farm-to-market road crossing. Operator dismisses as a possible commissioning artifact; alert logged.
Identical signature shape. Same time-of-day window. GPS within 18 feet of the first event. Integrity team flags for pattern review.
EI's pattern-analysis panel flips from informational to NON-RANDOM. Recommended action escalates to "field inspect + LE brief." Operator's integrity manager calls EI ops for review.
Operator's right-of-way team walks the 180-yard cluster zone. Notes recently disturbed soil at a culvert under the farm-to-market road; no obvious surface tap. Decision to plan for the next predicted extraction window.
Operator's security lead provides EI's event log, time-of-day pattern, GPS heatmap, and pattern-detector output. Joint operation planned for the next Tuesday night extraction window.
Officers on station 90 minutes prior. Saddle tap welded onto the live line; vacuum truck staged on the culvert access road; partial product inventory inside the truck. Three subjects detained without incident.
Operator's emergency-response team coordinated with state troopers using EI's live operations view. Segment isolated, pressure bled down on the affected span, repair crew dispatched for permanent weld remediation.
Theft from interstate shipment (18 U.S.C. § 659) and state organized-criminal-activity charges (Tex. Penal Code § 71.02). EI event logs, dashboards, and pattern-detector output entered as supporting evidence in the prosecution's filing.
What the interdiction did to the rest of the operator's program.
Closed an audit variance
The nine-month unreconciled-loss line item on the segment's integrity-management report now closes with a documented interdiction outcome. Auditor signed off without an additional CAP.
Loss-prevention credit unlocked
Operator's pipeline-pollution-liability carrier requested EI's detection log as part of the loss-prevention credit category on the next renewal. Documented sub-minute + sub-PSI detection moved the operator into a lower risk band.
Internal protocol change
Operator's integrity-management plan now lists EI's pattern-analysis panel as the primary surveillance method for third-party-damage detection across the entire 310-mile footprint. Quarterly pattern review built into the operating procedure.
The point isn't theft. The point is what theft proves about detection.
Pipeline operators don't budget for theft detection. They budget for leak detection — the corrosion failure, the third-party excavation strike, the weld defect — and they want to know whether your CPM will catch it before it becomes a reportable release.
Theft detection is harder. The magnitude is smaller. The cycle is deliberately spaced to fall below volume-balance thresholds. The signal is buried in the operational noise the operator's own pumps and valves generate every day.
A detection system fast enough and precise enough to catch a small organized hot-tap is, by construction, fast enough and precise enough to catch the small real leak from corrosion-induced wall failure or third-party excavation strike. Same physics. Same model. Same alert pipeline.
Theft is the worst-case detection problem. If we catch it, we catch everything you're actually budgeted for.