RELIABILITY ANALYSIS OF MULTIPLEX CONTROL SYSTEM OF SUBSEA BLOWOUT PREVENTER BASED ON STOCHASTIC PETRI NET

Original scientific paper

The multiplex (MUX) control system of subsea blowout preventer (BOP) plays a vital role in providing safe working conditions for the subsea drilling activities. According to the working states and critical failure modes of the MUX control system, this paper presents its stochastic Petri nets (SPN) model, taking into account the imperfect fault detection capacity. The numerical analysis method is proposed based on the isomorphic continuous-time Markov chain of the model. The reliability indexes, namely reliability, availability and MTTF of the MUX control system and pilot hydraulic control system are obtained and compared. In addition, the effects of fault coverage factor on state probabilities and availability of the MUX control system are researched and the uncertainty analysis of the firing rates related to MTTF is also performed.


Introduction
A blowout preventer (BOP) is a device that allows the well to be sealed to confine the well fluids in the wellbore [1]. Subsea BOPs are supposed to deal with extreme erratic pressures and uncontrolled flow coming from a well reservoir during subsea drilling activities, which are critical to the safety of crew, rig and ocean environment. On April 20, 2010, a well control incident resulted in explosions and a fire on the Deepwater Horizon rig. Eleven people lost their lives and many people were injured in this tragedy. Besides, massive amounts of offshore oil spilt into the Gulf of Mexico, making it the worst ecological disaster in US history. One important reason for the well blowout was that the BOPs could not function [2]. Therefore, high reliability of the BOPs is very important.
A typical subsea BOP stack is made up of four ram BOPs, two annular BOPs, a hydraulically operated wellhead connector, a hydraulically operated lower marine riser connector, and lots of choke and kill valves. BOP control systems operate equipment used to control pressure during well control operations. A single operation such as opening a kill valve or closing a ram is called a "function". Functions are controlled by hydraulic signals that operate valves. At present, there are two kinds of BOP control systems, pilot hydraulic (PH) control system and multiplex (MUX) control system [3]. The control system for a subsea BOP stack is required to be designed to deliver power fluid at sufficient volume and pressure to operate selected functions within allowable response times. For example, the control system shall have a closing response time not exceeding 45 seconds [1]. For deepwater drilling activities, PH control system cannot be used because the BOP closing times will not satisfy the closing time requirements. Since electronically coded commands travel faster through conductive cables than hydraulic signals do through hose bundles, a MUX control system is used for deepwater drilling.
In response to practical needs, researchers have done many studies in reliability analysis of the subsea BOP control system. The Markov and Bayesian models for the electrical control system of the subsea BOP system are proposed in the view of hardware structure and the performance of triple modular redundancy system and double dual modular redundancy system are compared [4,5]. Deepwater BOP reliability and well kick data in the US Gulf of Mexico Outer Continental Shelf region are collected and the fault trees of the BOP system are presented [6,7,8]. However, the fault tree method is a static analysis that cannot describe the dynamic characteristics of the system: it does not consider the system state changes over time or the impact of fault sequence on the reliability of the system. In addition, it is unable to describe the repair acts after the failures of the system [9,10].
Petri net (PN) is a powerful tool for reliability models, consisting of places, transitions and directed arcs [11]. PNs are suitable for modeling and analyzing systems with parallelization, synchronization and conflict [12]. They are convenient for qualitative and quantitative analysis of the system and easily extended. Stochastic Petri net (SPN) is defined as a timed PN whose transition firing periods are exponentially distributed random variables [13]. The variable means that an enabled transition can be fired after an exponentially distributed time delay. SPN has been widely used in the reliability analysis of the systems in various fields. Kleyner and Volovoi [14] presented an application of SPN to calculate the availability of safety critical on-demand systems and the model is illustrated with a case study of an automotive electronics airbag controller. Zhong et al. [15] established a SPN model of China Urban Emergency Response System and the performance analysis is performed based on the isomorphic Markov chain. Tuysuz and Kahraman [16] present a method for modeling and analysis of time critical, dynamic and complex systems using SPN with fuzzy sets and a numerical example is given to show the applicability of proposed approach. Lei et al. [17] studied the performance of wireless opportunistic schedulers in multiuser systems based on the presented SPN models and performance of both opportunistic and nonopportunistic schedulers are compared in terms of average queue length, mean throughput, average delay and dropping probability. Marsan et al. [18] used generalized SPNs for the performance analysis of asynchronous transfer mode local area networks that adopt the available bit rate service category. Li et al. [19] presented the generalized SPNs modular modeling method to reveal the influence on system performance by the logistic model of reconfigurable manufacturing system.
This paper presents a SPN model of the MUX control system of subsea BOP, based on the working states and failure modes. The remainder of the paper is organized as follows: Section 2 introduces the MUX control system. In Section 3, the SPN model is developed and analyzed. Section 4 covers the analytical results and discussions. Section 5 summarizes the paper.

System description
According to the failure position, a subsea BOP system is divided into eight subsystems, namely, annular preventer, connector, flexible joint, ram preventer, choke & kill valve, choke & kill lines, MUX/PH control system and dummy items [8]. As shown in Fig. 1, a subsea MUX control system is mainly made up of central control unit (CCU), driller's panel, toolpusher's panel, MUX cable reel, hydraulic power unit (HPU), accumulators and two control pods [20].
The driller's and toolpusher's panels display illuminated push buttons to control or monitor functions. The CCU connects the panels with the MUX cable reel. It contains the central processing units, application programs, and other components that control communications and functions between the surface and the pods. MUX cable reels carrying an armored cable provide power and communications paths from the CCU to each subsea pod. HPU and accumulators are used to provide hydraulic power for controlling the BOP stack. For PH control system, the CCU is replaced by the hydraulically controlled manifold valves. Hydraulic umbilical cables are used to carry pilot signals and power fluid to the pods [21].
Control pod is the core of the MUX control system, which serves as the subsea control valve manifold and contains all of the pressure regulators and control valves required to operate the subsea functions. For high reliability, two control pods are mounted on the lower riser package on the BOP stack. Each pod can operate all subsea functions, but only one pod is active at the same time and the other pod is hot standby. The system will be retrieved to the surface for repair in case of any major problem associated with one pod. When a major problem is found in the active pod, the other pod will control the subsea BOP and preparations will be made to retrieve the lower marine riser package and riser to surface. The control panels initiate the demand on the subsea control system. The demand signal is multiplexed down the umbilical to the subsea pod, where the signal is decoded and performed. For example, to close a BOP ram, the demand signal will be sent to the subsea control pod and decoded. The decoded signal will open a solenoid electrically and therefore, the proper hydraulic valve will receive a hydraulic pilot signal. This pilot signal will cause the hydraulic valve to shift and send stored and pressurized hydraulic fluid to the BOP ram to be closed.

Modelling and analysis

3.1 Stochastic Petri nets
SPN has become a graphical and mathematical modeling tool for analysis of the static and dynamic systems. Its transition firing times are exponentially distributed random variables, which means that an enabled transition can fire after an exponentially distributed time delay [13]. A SPN is a 6-tuple [11], ) ( is a finite set of transitions (drawn as rectangles). ( is a set of arcs. An arc connects a transition to a place or a place to a transition with a directed arrow.
is the set of firing rates associated with the transitions.
A transition can be enabled if the tokens in its input places are more than the requirements marked on the input arcs. When an enabled transition is fired, appropriate tokens are removed from the input places to the output places at the end of the firing time. Due to the memoryless property of exponential distribution of firing delays, each transition has a constant firing rate.

System modelling
The subsea BOP system may fail when it is located on the rig, and it may also fail while it is being run or pulled out of the water. In these phases, the BOP is not acting as a well barrier, so these failures are not safety-critical. However, most of the failures occur when the subsea BOP stack is on the wellhead, which might cause well kicks or blowout. Therefore, the failures of the subsea BOP system on the wellhead are regarded as safety critical failures in terms of well control [8]. In this paper, only the critical failures are considered to develop the model. For MUX control system, its critical failure modes include "loss of all functions both pods", "loss of all functions one pod", "loss of one function both pods", "loss of one function one pod", "loss of several functions one pod" and unknown failures. When the MUX control system fails, it will be pulled out of the water and repaired. Before the repaired system returns to normal operation on the wellhead, an install test is necessary. After the success of an install test, the drilling activities can start again. During the period of normal operation, scheduled tests including pressure tests and function tests are also needed in order to ensure the high reliability. The scheduled pressure test is performed every seven days. In addition, failures may occur during the install tests or scheduled tests. Therefore, when the subsea BOP is on the wellhead, it is in normal operation or being tested or failed and waiting for repair.
In most cases about system reliability modeling, one important assumption is that all the failures can be detected. That is to say that the fault coverage factor is 100 %. However, the practical fault diagnosis capacity is not perfect and is influenced by the diagnostic system, human factor, environmental factor, etc. [22]. Some failures may not be detected, so the practical fault coverage factor is less than 100 %. The detected failures can be repaired immediately, but the undetected failures will be found during the scheduled tests and then repaired. Based on the working states and critical failure modes, the SPN model with imperfect fault coverage of MUX control system of the subsea BOP is presented in Fig. 2. Except for "Loss of all functions both pods" failure, PH control system has the same failure modes as MUX control system. Therefore, the SPN model of PH control system can be represented by removing place P0 and transition T01 in Fig. 2. In addition, some firing rates of transitions are different and the values will be given later.
The meanings of places in the model are as follows. P0: the MUX control system is in normal operation; P1: the system is failed and the failure is detected; P2: the system is failed but the failure is undetected; P3: the system is repaired and performing an install test; P4: the system is performing a scheduled test.
The meanings of the transitions are as follows. T1: detected failure "loss of all functions both pods" occurs; T2: detected failure "loss of all functions one pod" occurs; T3: detected failure "loss of one function both pods" occurs; T4: detected failure "loss of one function one pod" occurs; T5: detected failure "loss of several functions one pod" occurs; T6: detected unknown failure occurs; T7: undetected failures occur; T8: repair the failed system with undetected failures; T9: detected failures occur during the install test; T10: repair the failed system with detected failures; T11: undetected failures occur during the install test; T12: the scheduled test is finished; T13: starts a scheduled test; T14: detected failures occur during the scheduled test; T15: undetected failures occur during the scheduled test; T16: the install test is finished.

Quantitative analysis of the model
In this section, the method to perform numerical analysis is proposed. It has been proved that a SPN model is isomorphic to a continuous time Markov chain (CTMC) due to the memoryless property of the exponentially distributed delays [23]. The CTMC can be obtained according to the reachable marking set of the SPN model. Then, performance analysis of the system is performed based on the CTMC.
In the SPN model, the initial marking is M0 = (1,0,0,0,0) and the reachable marking sets of all activation are as follows: M0 = (1,0,0,0,0), M1 = (0,1,0,0,0), M2 = (0,0,1,0,0), M3 = (0,0,0,1,0), M4 = (0,0,0,0,1). The average activation rates of T1, T2, T3, …, T16 are $\lambda_1$, $\lambda_2$, $\lambda_3$, …, $\lambda_{16}$ respectively. The CTMC is obtained as shown in Fig. 3. The transition matrix of CTMC is obtained in Eq. (1).

Technical Gazette 24, 1(2017), 7-14

where, 4 q λ λ λ = + + . $P_i$ (i = 0, 1, 2, 3, 4) is defined as the steady-state probability of state $M_i$. The state probabilities expression is as follows:

Availability is defined as the probability that the system is operating at an instant of time or over a given time interval. The equation for transient availability is where $X(t) = 1$ means that the services are available. The steady-state availability is defined as: lim ( )

Reliability refers to the probability that a system can perform its required functions under stated conditions during the period [0, t]. Mathematically, it is expressed as follows, is the failure probability density function and T is the continuous random variable of correct operation time. One point to note is that the reliability of the system is not related to repairs, so the transition arcs related to repairs after failures have to be omitted to calculate the reliability. With the steady-state and transient probabilities of each state, the reliability and availability can be computed.
Mean time to failure (MTTF) is an important reliability index for the system. The specific steps for calculation are as follows [24]: ( denotes the possible state of the system at time t. The initial condition is P(0) = 1,0,0,0,0,0 and it means that the system is in normal operation. The system will fail when it enters into state $M_1$, $M_2$ or $M_3$, which are defined as the absorbing states. Deleting the related elements of the absorbing states in matrix Q, the $Q_R$ can be obtained: (2) After the Laplace transform of P(t), Eq. (8) is derived.
(3) Finally, the equation to compute MTTF is

Based on Reference [8], probability values about failures, tests and repairs are collected. In normal operation period, the failure rates of "loss of all functions both pods", "loss of all functions one pod", "loss of one function both pods", "loss of one function one pod", "loss of several functions one pod" and unknown failures are denoted by $\lambda_1'$, $\lambda_2'$, $\lambda_3'$, $\lambda_4'$, $\lambda_5'$ and $\lambda_6'$ respectively. Their values are $\lambda_1'$ = 3,8080e−6, $\lambda_2'$ = 3,0464e−5, $\lambda_3'$ = 1,5232e−5, $\lambda_4'$ = 2,2848e−5, $\lambda_5'$ = 3,8080e−6 and $\lambda_6'$ = 3,0464e−5. The failure rates during the scheduled tests and install tests are $\lambda_{scheduled}$ = 2,4907e−5 and $\lambda_{install}$ = 1,9372e−5 respectively. Here, the fault coverage factor c is assumed to be 95 %. According to the property of exponential distribution, $1/\lambda_{ij}$ is the mean time of the system going from state $M_i$ into state $M_j$ [23]. All the firing rates of transitions for MUX control system and PH control system are listed in Tab. 1. According to Eq. (2), the steady-state probability of each state, the steady-state availability and MTTF of MUX and PH control system are listed in Tab. 2. Compared with PH control system, MUX control system has a little lower steady-state availability and MTTF. However, it is important that MUX control system is used in deeper water and the working environment is harsher and more complicated.
The transient probability of each state for the MUX control system can be calculated by solving Eq. (3). Transient availability and reliability of the MUX control system and PH control system are shown in Fig. 4 and Fig. 5 respectively. Fig. 4 shows that availability of the two kinds of control systems decreases quickly and will reach stable values in the first hundreds of hours. PH control system has a little higher stable availability than the MUX control system, which is in accordance with the steady-state analysis results in Tab. 2. Fig. 5 shows that PH control system has a little higher reliability than MUX control system. The effects of fault coverage factor on the probability of each state and availability of the system are researched and shown in Fig. 6. In Fig. 6a, the probability of state $M_0$ decreases very quickly and it approaches a stable value soon. Increasing the fault coverage factor can improve the probability of state $M_0$. Fig. 6b shows that the probability increases over time and it reaches a stable value in about 200 hours when the factor is not 0. When the fault coverage factor is 0, the system will never go into state $M_1$, because the failures cannot be detected. Figs. 6b and 6c show that the effects of fault coverage factor on state $M_1$ and $M_2$ are opposite. When the fault coverage factor is 1, the system will never enter into state $M_2$, because all the failures can be detected. Fig. 6d shows that the fault coverage factor has greater effects on the probability of state $M_3$ in the first 1000 hours. In order to make the curves more distinct in Fig. 6e, the initial value of x-axis is set as 30. As shown in the figure, the probability increases quickly and then decreases until reaching a stable value as time passes by. High coverage factor can also improve its probability. As shown in Fig. 6f, availability increases as the fault coverage factor increases. The higher the diagnostic coverage, the sooner availability reaches a stable value.

λ is the reciprocal of mean lasting time for a scheduled test. Therefore, MTTF of the MUX control system is affected by the firing rates about failures in normal operation period and scheduled tests, the test frequency and test lasting time. As the firing rates might not be accurate, uncertainty analysis is performed.
Assume that the values of $\lambda_{operation}$, $\lambda_{scheduled}$, $\lambda_{12}$ and $\lambda_{13}$ are subject to an uncertainty of ±20 %. The upper and lower bounds of MTTF of the system are plotted in Fig. 7. It is shown that the failure rates during the normal operation have the greatest effects on MTTF while the failure rate during the scheduled tests period has little effect on MTTF. With decreasing $\lambda_{12}$, MTTF increases, because the probability of failures is lower in state $M_4$ than in state $M_0$. In addition, increasing the test frequency $\lambda_{13}$ can improve MTTF of the system.
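The CTMC analysis of this section, as an added example that is not the authors' code: it builds the generator matrix over the markings M0..M4 from the transition list, then solves for the steady-state probabilities and the MTTF. The arc structure is inferred from the transition descriptions because Fig. 2 and Fig. 3 are not reproduced here; the per-hour unit, the split of each failure rate into c and 1 − c shares, and the test and repair rates (Tab. 1 is not reproduced) are assumptions, marked in the code.

```python
# Added example (not the paper's code): CTMC over markings M0..M4.
# Failure rates are the values quoted in the text; the per-hour unit is assumed.
FAIL_OP = [3.8080e-6, 3.0464e-5, 1.5232e-5, 2.2848e-5, 3.8080e-6, 3.0464e-5]
LAM_OPERATION = sum(FAIL_OP)   # all failures in normal operation (T1..T7)
LAM_SCHEDULED = 2.4907e-5      # failures during a scheduled test (T14 + T15)
LAM_INSTALL = 1.9372e-5        # failures during an install test (T9 + T11)
# Constructed values: Tab. 1 is not reproduced, so these are placeholders.
LAM_13 = 1 / 168.0   # T13, test start: assumed from the seven-day test interval
LAM_12 = 1 / 8.0     # T12, test finished: assumed 8 h mean test duration
LAM_10 = 1 / 72.0    # T10, repair after a detected failure: assumed
LAM_8 = 1 / 240.0    # T8, repair after an undetected failure: assumed
LAM_16 = 1 / 12.0    # T16, install test finished: assumed


def generator(c):
    """Generator matrix Q for fault coverage factor c (0 <= c <= 1)."""
    # Assumption: each failure rate splits into a detected share c and an
    # undetected share 1 - c; arcs are inferred from the transition list.
    rates = {
        (0, 1): c * LAM_OPERATION, (0, 2): (1 - c) * LAM_OPERATION,
        (0, 4): LAM_13,
        (1, 3): LAM_10, (2, 3): LAM_8,
        (3, 0): LAM_16,
        (3, 1): c * LAM_INSTALL, (3, 2): (1 - c) * LAM_INSTALL,
        (4, 0): LAM_12,
        (4, 1): c * LAM_SCHEDULED, (4, 2): (1 - c) * LAM_SCHEDULED,
    }
    q = [[0.0] * 5 for _ in range(5)]
    for (i, j), rate in rates.items():
        q[i][j] = rate
        q[i][i] -= rate          # each row of a generator sums to zero
    return q


def solve(a, b):
    """Solve a x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def steady_state(q):
    """Solve pi Q = 0 with sum(pi) = 1."""
    n = len(q)
    a = [[q[j][i] for j in range(n)] for i in range(n)]  # transpose of Q
    a[-1] = [1.0] * n            # replace one balance equation by normalisation
    return solve(a, [0.0] * (n - 1) + [1.0])


def mttf(q, transient=(0, 4)):
    """Mean time to reach M1, M2 or M3 from M0: solve -Q_R m = 1."""
    a = [[-q[i][j] for j in transient] for i in transient]
    return solve(a, [1.0] * len(transient))[0]


if __name__ == "__main__":
    for c in (0.0, 0.95, 1.0):
        q = generator(c)
        print(c, [round(p, 6) for p in steady_state(q)], round(mttf(q), 1))
```

Because the placeholder rates are not the paper's Tab. 1 values, the printed numbers are not expected to match Tab. 2; the structural results (MTTF independent of c, M2 unreachable at c = 1, M1 unreachable at c = 0) do carry over.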

Conclusions
In this paper, a SPN model of the MUX control system for the subsea BOP is presented, taking into account the imperfect fault coverage. Reliability, availability and MTTF are evaluated based on the isomorphic CTMC of the model.
(1) Transient reliability, availability and steady-state availability and MTTF of MUX and PH control systems have been obtained based on the derived equations.
(2) Compared with PH control system, MUX control system has a little lower reliability, availability and MTTF, but it is used in deeper water with more complicated working conditions.
(3) The fault coverage factor has different effects on the state probabilities of the MUX control system and increasing the value can improve the availability of the system.
(4) MTTF is more easily influenced by the failure rates in normal operation period and the failure rate in the scheduled tests has the lowest influence.In order to improve MTTF, great efforts should be made to reduce the critical failures of MUX control system.

Figure 1 Schematic of a MUX control system

Figure 2 SPN model of the MUX control system of subsea BOP

Figure 3 CTMC of the SPN model

$P_i(t)$ is the transient probability of state $M_i$ at time t. It can be calculated by solving Eq. (3). The initial conditions are 0 (0) 1 P

Figure 4 Transient availability of MUX and PH control system

Figure 5 Transient reliability of MUX and PH control system

Figure 6 Effects of the fault coverage factor on (a) transient probability of state M0, (b) transient probability of state M1, (c) transient probability of state M2, (d) transient probability of state M3, (e) transient probability of state M4, (f) availability of MUX control system

Based on Eqs. (7) ÷ (9), MTTF of the MUX control system depends on the firing rates $\lambda_1$, $\lambda_2$, $\lambda_3$, $\lambda_4$, $\lambda_5$, $\lambda_6$, $\lambda_7$, $\lambda_{12}$, $\lambda_{13}$, $\lambda_{14}$, $\lambda_{15}$ and is not related to the fault coverage factor. For simplicity, the failure rate of the system during the normal operation period and scheduled tests is denoted by $\lambda_{operation}$ and $\lambda_{scheduled}$ respectively. The expressions are

Figure 7 Effects of main firing rates on MTTF of MUX control system

Table 1
Values of the firing rates of transitions

Table 2
Steady-state probability values and MTTF for MUX and PH control systems