Original Article

Proc IMechE Part O:

J Risk and Reliability

Reliability and availability modeling of 1–14

© IMechE 2020
Article reuse guidelines:
Subsea Autonomous High Integrity sagepub.com/journals-permissions
DOI: 10.1177/1748006X20947851

Pressure Protection System with journals.sagepub.com/home/pio

partial stroke test by Dynamic

Bayesian

Chuan Wang1 , Yupeng Liu1, Wen Hou2, Chao Yu3, Guorong Wang1 and
Yuyan Zheng1

Abstract
Subsea Autonomous High Integrity Pressure Protection System is used in the subsea production process to lower
the pressure level of downstream equipment and pipelines and to protect low-pressure pipelines and equipment. Once
fail- ure occurs, it will cause serious environmental damage and huge economic losses. In this article, a method of
Dynamic Bayesian networks is proposed based on different failure types detected by different test methods. The
reliability and availability of HIPPS with different detection methods were analyzed quantitatively. The results show
that the perfor- mance of the system is improved significantly after inspection and maintenance. Compared with
traditional methods, the performance of HIPPS is improved after the partial stroke test is introduced. Through sensitivity
analysis, it is found that failure rates have a greater impact on the reliability of HIPPS valves. Increasing partial stroke test
coverage can improve HIPPS performance. To improve the reliability of HIPPS, it is necessary to improve the reliability of
the execution unit, especially the HIPPS valves. The analysis of the PST strategy can provide a theoretical basis for
selecting the frequency of partial stroke test and functional test interval in actual projects.

Keywords
Dynamic Bayesian networks, High Integrity Pressure Protection System, reliability, availability, partial stroke test, func-
tional test

Date received: 20 November 2019; accepted: 16 July 2020

Introduction during normal operation and a verification test is

Due to the high-pressure specifications and require- required to detect possible faults. 5 Even though self-
ments of deep-sea equipment, the development costs of diagnostic testing can detect some faults, it has the dis-
deep-sea oil and gas resources are constantly advantage of detecting a limited number of faults.
increasing, which will hinder the development of oil Faults that cannot be detected by a self-diagnostic test
wells when a new production line is needed. One are considered hidden (or undetected) hazards, and
approach is to con- nect the existing outlet pipeline to functional tests can reveal these hidden faults. The SIS
the pipeline infra- structure, but pressure fluctuations recommended safety instrument function (SIF)
between the deep
well and the existing low-pressure pipeline pose a risk.
This risk can be reduced by installing HIPPS in an 1
School of Mechatronic Engineering, Southwest Petroleum University,
underwater production system. 1–4 However, when the Chengdu, Sichuan, China
HIPPS fails, the high-pressure oil and gas will enter the 2
CNPC Baoji Oilfield Machinery Corporation Ltd., Baoji, Shaanxi, China
low-pressure submarine pipelines, causing serious envi- 3
Oil Production Service Co., CETS LTD., Tianjin, China
ronmental damage and economic losses. Therefore,
Corresponding author:
HIPPS requires high reliability. Chuan Wang, School of Mechatronic Engineering, Southwest
HIPPS is a typical safety instrument system (SIS), Petroleum University, Xindu Avenue No.8, Chengdu, Sichuan 610500,
and the last element (HIPPS valve) is usually passive China.
Email: cwang_swpu@163.com
2 Proc IMechE Part O: J Risk and Reliability 00(0)

reliability measure is the PFDavg. 6 The effectiveness of

method, the dynamic reliability of HIPPS and the
functional testing has been fully studied in the existing
improvement of equipment performance are analyzed.
reliability evaluation literature. Torres-Echeverrı
The rest of this article is organized as follows: In
´a et al.7 modeled and optimized functional testing
‘‘Description of HIPPS’’ section, the structure and
strate- gies, quantified detected and undetected failures,
function of the HIPPS will be introduced. Section
and evaluated the effects of different test frequencies
‘‘Dynamic Bayesian network modeling’’ introduces the
and strategies. Liu and Rausand 8 used Petri net model
theory of DBNs, PST, and FT, and also classifies fail-
to study the impact of three testing strategies, including
simultaneous testing, sequential testing, and staggered ure efficiency according to the detected faults to estab-
testing, on SIS subsystems at different demand rates. lish the DBNs. Section ‘‘Results and discussions’’
Frequent functional testing is impractical for off- gives the results of reliability evaluation and sensitivity
shore oil and gas exploration and production. 9,10 For anal- ysis based on DBNs. Section ‘‘Conclusion’’ gives
HIPPS valves, FT can fully verify whether the valve the conclusions of this study.
can be closed as required. However, because of the
strong stress FT may cause some damage to the valve. 11
Description of HIPPS
In addition, the need to shut down the entire system
during functional testing may cause other operational A Subsea Autonomous High Integrity Pressure
problems.9,12,13 Since PST can be carried out without Protection System module is a safety device that allows
interfering with production, PST is introduced as a sup- high-pressure production wells to be safely tied into
plement to FT.14,15 For HIPPS valves, PST is the par- existing lower pressure-rated pipelines.4
tial stroke operation of the valve, which can meet the The structure of the HIPPS19–21 is shown in
movement requirements of the valve and detect several Figure 1. Three pressure transmitters (PT1, PT2, PT3)
dangerous faults. form a voting system that transmits pressure signals
To evaluate the influence of PST on HIPPS perfor- from the pipeline to the underwater control module.
mance, several reliability evaluation methods have been The voting system is a 2/3(G) system, which automati-
developed. Summers and Zachary 14 have shown how to cally switches to 1/2(G) voting system when one of the
calculate PFDavg in a 1oo1 system, taking into account pressure sensors is damaged. The logic solver in the
the impact of some stroke tests. Jin and Rausand16 underwater control module receives signals to judge. It
developed an approximate generalized expression for a works in two ways. When line pressure is normal, the
redundant voting system for PST. Brissaud et al.17 solenoid pilot valves SV1 and SV2 connect the high-
developed the precise PFDavg formula for the KooN pressure accumulator to HIPPS valve 1 and HIPPS
system, taking into account both periodic and aperiodic valve 2, respectively. The high-pressure fluid of the
PST. In addition, Pascual et al. 18 explored the optimal high-pressure accumulator flows to HV1 and HV2. At
PST interval by considering periodic and non-periodic this time, HV1 and HV2 are open, and the fluid in the
tests. Innal et al.15 considered the effects of PST and pipeline can flow normally.
different repair times and established a new generalized When the pipeline pressure is determined to be
formula for SISs by using the multi-phase Markov higher than the set value, the pressure transmitter (PT)
model. Wu et al.5 modeled the degradation process of detects the pipeline pressure change and transmits the
the final components with Weibull distribution, pro-
signal to the underwater control module. After receiv-
posed a method for reliability assessment of the end-
ing the signal and judging, the output signal of the logic
component of SIS with time-varying failure rates, and
solver in the underwater control module controls the
studied the improvement of the system reliability by
solenoid pilot valves conversion, and SV1 and SV2
PST and FT.
Most of the above studies evaluated the impact of
PST on equipment reliability with PFDavg. These stud-
ies mainly improved the calculation formula of PFDavg
and the calculation method of PST coverage on the
basis of considering different influencing factors. There
is no specific analysis and evaluation of the improve-
ment reduction of the performance of the equipment in
the long term. In view of the above shortcomings, this
article presents a dynamic reliability analysis of HIPPS
to evaluate the reduction of reliability reduction in the
long-term production process, and to analyze the reduc-
tion of improvement of HIPPS performance after the
introduction of PST. Therefore, a dynamic Bayesian
model is established in this article, which fully
considers the influence of self-diagnosis test, partial
stroke test and functional test on reliability. By using
the Bayesian Figure 1. Schematic diagram of HIPPS structure.
 Wang et 3

Figure 2. Reliability block diagram of HIPPS.

connect the hydraulic fluid with the HIPPS Valve.

HIPPS valve 1 and HIPPS valve 2 lose the supply of
high-pressure fluid in the high-pressure accumulator,
and the hydraulic fluid in the HIPPS valve is Figure 3. k/n(G) principle block diagram.
discharged by the action of the spring. The HIPPS
valve closes and cuts off the fluid supply in the line.
Depending on the configuration, HIPPS can be redundant system. Figure 3 is the schematic diagram of
viewed as a complex series-parallel system, as shown a typical k/n(G) system.
in Figure 2. According to the reliability block diagram In a general voting system, if k = n, that is, the n/n
of HIPPS, it can be divided into three subsystems. A system is equivalent to the series system of n compo-
vot- ing system is composed of a pressure transmitter. nents; k = 1, that is, 1/n system, which is equivalent to
The execution unit is also a tandem system consisting a parallel system with n components; If 1 \ =k \
of two actuators. An execution route composed of SV1 =n, it is called majority voting system.
and HV1 in series, and an execution route composed of Assuming that each component in the voting system
SV2 and HV2 in series, respectively. fails independently and the reliability of each compo-
nent is the same, grade Ri = R (i = 1, 2., n), then
Dynamic Bayesian network modeling the reliability of the system is:
n
X n—i
, k4n ð3Þ
Dynamic Bayesian network RS n
= i= i R ð1 —
i

Dynamic Bayesian network is based on the principle of k

RÞ
probability theory, combining the Bayesian network As shown in Figure 4, the DBN modeling process of
structure with the time series principle effectively, and k/n voting system is illustrated by taking three parent
forming a probability distribution model that can nodes as examples. For 3/3 systems, for example, series
pro- cess the timeliness information. systems, the system fails when one of the components
A DBN22 is defined to be a pair ðB1 , B! Þ, fails (the node state is YES). For a 1/3 system, a paral-
where B1 is a BN which defines the prior P(Z1), and lel system, failure occurs only when all components
B! is a two-slice temporal Bayes net (2TBN) which fail. For a voting system with k = 2, as long as two
defines the transition probability P Zt Zt—1 by means compo- nents work normally (node state is NO), the
ð jgraph) as follows23:
of a DAG (directed acyclic system can work normally.
In the series system shown in Figure 4(a), the parent
YN nodes A, B, and C at time t = 0 are extended to time
PðZt jZt—1 Þ P Zit jPa t ð t = 1 by using inter-slice arc, respectively. The
i prob-
where Zi is the ith node at time t, and Pa(Zi ) is
the nodes and conditional probability, so the child node D
t t
parents of Z in the networks. The semantics of a
i does not need to use the inter-slice arc connection. The
DBN can bet defined by ‘‘unrolling’’ the 2TBN until nodes in the same time slice are connected from the
we have T time-slices. The resulting joint distribution parent nodes to the child node by an in-slice arc. The
is then given by series system shown in Figure 4 has the same structure
as the parallel system and majority voting systems.
YT YN Considering the same initial data, due to the difference
PðZ1:T Þ P Zi jPa in conditional probability, it can be seen that the
ð
i =1 i =1 t t bility of the parallel system and the majority voting sys-
tem is different from that of the series system at time
t = 1.
DBN modeling of redundant voting system After the structure of DBN is determined, the para-
Redundant voting system 24,25 (k/n voting system) refers meters of DBN need to be determined. The first is to
to the system that is not a failure system as long as determine the conditional probability of the intermedi-
there are no less than k components in the n ate and child nodes, which is described in detail in sec-
components that make up the system, which is also tions ‘‘Conditional probability table’’ and ‘‘DBN
known as k/n(G)
4 Proc IMechE Part O: J Risk and Reliability 00(0)

Figure 4. DBN of (a) 3/3(G), (b) 1/3(G), and (c) 2/3(G) systems with three components.

Table 1. CPTof D for series system.

A B C P(D = NO|A,B,C) A B C P(D = NO|

A,B,C)
NO NO NO 1 NO YES NO 0
NO NO YES 0 YES NO NO 0
NO YES YES 0 YES YES NO 0
YES NO YES 0 YES YES YES 0

modeling of HIPPS.’’ Failure rate and repair rate of An important factor to consider in the reliability
the parent nodes are denoted by l and m, respec- evaluation of equipment is incomplete coverage.29 This
tively.26 Assume the current time is t and the time inter- article considers this important problem by defining a
val between two-time slices is Dt. It is known that the coverage factor c, which can be expressed as c = P
state NO means the node is in normal working state, (sys- tem recovers|fault occurs).30 It reflects the ability
and the state YES means the node is in a failure state. of the system to automatically recover from the
Then, the transition probability of the nodes with tem- occurrence of a fault. The DBN model of the system
poral links between two-time slices is given by27: composed of three components is proposed in this
article. When the system is in series, when any
PðXi ðt + DtÞ = NOjXi ðtÞ = NOÞ = e—lDt ð4Þ
component fails, the sys- tem cannot be restored. For
PðXi ðt + DtÞ = YESjXi ðtÞ = NOÞ = 1 — e—lDt parallel system, when one or two components fail, the
system can be restored. In the case of a 2oo3 voting
ð5Þ PðXiðt + DtÞ = NOjXiðtÞ = YESÞ =1 — e—mDt system, the system can be restored only if a component
ð6Þ fails. Therefore, the imperfect coverage affects both
parallel and 2oo3 vot-
PðX ðt + DtÞ = YESjX ðtÞ = YESÞ = e—mDt
ð7Þ
i i ing systems. In a system with a given coverage factor c,
the conditional probability table (CPT) of the state of
node D is shown in Tables 1–3. For the three systems,
Conditional probability table the coverage factor c is 0.9.31
For a DBN with n parent nodes and m states for each
parent nodes, it requires mn independent parameters to
Partial stroke testing
completely specify the CPT. 28 It can be seen that when
n increases, the parameters need to be determined grow Concept. Partial stroke test (PST) as a supplement to
exponentially. Obviously, it is not feasible to determine functional test (FT), is widely used in the final elements
so many parameters to determine CPT. In order to of SISs.9 Partial stroke test refers to the partial opera-
solve this problem, noisy OR-gate and noisy AND-gate tion of the valve, which can not only meet the require-
models are used for series and parallel systems, ments of valve movement but also reveal a part of the
respectively. specific dangerous faults through small movement.
 Wang et 5

Table 2. CPTof D for parallel system.

A B C P(D = NO|A,B,C) A B C P(D = NO|

A,B,C)
NO NO NO 1 NO YES NO c
NO NO YES c YES NO NO c
NO YES YES c YES YES NO c
YES NO YES c YES YES YES 0

Table 3. CPTof D for 2/3(G) system.

A B C P(D = NO|A,B,C) A B C P(D = NO|

A,B,C)
NO NO NO 1 NO YES NO c
NO NO YES c YES NO NO c
NO YES YES 0 YES YES NO 0
YES NO YES 0 YES YES YES 0

This small movement of the valve has negligible effect

on process flow and pressure, so partial stroke testing
can be performed without any additional production
disturbances that may cause process shutdowns. 8,15 In
offshore oil and gas exploration, it is of high impor-
tance to reduce the number of planned and unplanned
stops. Reducing the number of planned and unplanned
stops is important in offshore oil and gas exploration.
Because the unnecessary shutdown test will lead to pro-
duction loss, resulting in the increase in production
costs, it can also cause wear and tear caused by strong Figure 5. Overview of the relevant failure rates.
stress on the valve. The use of PST can reduce the
num- ber of times of complete valve closure (i.e. FT)
and avoid the problem of strong stress.14 (1) Due to the addition of software and hardware,
the system is more complex.
Advantages and disadvantages. As a supplement to func- (2) Increased wear due to more frequent operation;
tional testing,10 PST is introduced in two different
ways:
PST coverage. According to different testing methods,
(1) Keeping the FT interval unchanged and add PST the failure rate of SIS can be divided into three types. Self-
within the initial FT interval to improve unknown diagnostic tests reveal only part of the fault pat- tern, the
una- vailability. This approach will improve the DD fault. Functional tests revealed DU fail- ures and
security of the system. verified that the system was still capable of performing the
(2) The introduction of PST while maintaining the required functions. Partial stroke test- ing partially
per- formance of the system extends the FT interval. replaces the need for full functional testing and covers
This approach will help reduce operational costs. fault modes not found by self-diagnostic testing. Figure 5
illustrates how to divide the failure rate into three types
Advantages of PST are as follows: according to different detection methods.
Considering the previous descriptions, the dangerous
failures rate is specified by the following relation:
(1) Since PST can detect faults with only minor move-
ment of the valve, it reduces the number of times the IEC 61508 defines diagnostic coverage as the frac-
valve enters a completely closed state, thus reducing tion of dangerous failures that are detected by diagnos-
the wear area of the valve; tic among all failures.
(2) Reduced probability of sticking seals due to more
uDC = lDD=lD ð8Þ
frequent operation of the valve;
(3)Reduced the interference of production process Since the PST reveals some of the failures not cov-
caused by FT; ered by self-diagnostics testing, the PST coverage is
defined as the fraction of dangerous undetected failures
But PST also has some disadvantages, such as:
6 Proc IMechE Part O: J Risk and Reliability 00(0)

Figure 6. DBN models for different test methods.

is 100%;
Table 4. Failure rates and MTTR of components. 3. PST shall be conducted once a month and func-
tional test shall be conducted once a year.
Component lDU lD MTTR (h)

Pressure transmitter (PT) 0.4E-6 1.5E-6 6 DBN modeling of HIPPS

Analogue input (AP) 0.04E-6 0.04E-6 7.3
Logic solver (LS) 0.03E-6 0.03E-6 7.3 Since the introduction of self-diagnosis and PST, the
Digital output (DP) 0.04E-6 0.04E-6 7.3 failure rate of basic events is divided into two parts,
Solenoid pilot valve (SV) 0.8E-6 1.37E-6 15.4
HIPPS valve (HV) 2.1E-6 2.7E-6 22
Accumulator (AC) 0.38E-6 0.38E-6 13

reviled by PST among all dangerous undetected

failures.
uPST = lDU, PST=lDU

ð9Þ

The three failure rates lDD, lDU, PST, and lDU, FT

may all be expressed in terms of lD as follows:

lD = lDD + lDU

ð10Þ
lDD = uDC 3 lD

ð11Þ
lDU, PST = ð1 — uDCÞ 3 uPST 3 lD

ð12Þ
lDU, FT = ð1 — uDCÞ 3 ð1 — uPSTÞ 3 lD

ð13Þ
Failure rates of each component are found accord-
ing to OREDA and the literature32 as shown in Table
4. Failure rates lDD can be calculated according to
Table 4. Therefore, in this article, the diagnostic cover-
age is no longer selected. Meanwhile, the following
hypothesis is given:

1. Repaired the faults detected by PST and functional

tests, and the equipment was restored as new;
2. According to the literature,10 the coverage of
PST is 60% and the coverage of functional tests
 Wang et 7
Table 5. CPT for HV1 with SD.

HV1DD HV1DU HV1

NO YES

NO NO 1 0
NO YES 0 1
YES NO 0 1
YES YES 0 1

DU failures and DD failures, which are converted into

the parent node of the original basic event when setting
up the self-diagnosis DBN. Similarly, when
establishing DBN of PST, the failure rates of basic
events are divided into two parts: PST detectable faults
and PST undetectable faults. Taking HV1 as an
example, the DBN model as shown in Figure 6 is
established. Figure 6(a) shows the DBN model that
converts the DU fault and DD fault into the parent node
of the original base event. Figure 6(b) shows the DBN
model where the original base event is the parent node.
Figure 6(c) is a DBN model for converting a fault that
self-diagnosis, and PST can detect while PST cannot
detect the origi- nal base event parent node.
In Figure 6(a), node HV1DD represents DD failures
in the failures of HV1, and node HV1DU represents
DU failures in the failures of HV1. The CPT for
HV1with SD is shown in Table 5. The transition matrix
of DD failures is calculated by substituting lDD into
equations (4)–(7). Similarly, the transition matrix of
DU failures is calculated by lDU . In Figure 6(c), node
HV1DUPST represents PST detectable faults in the
failures of HV1, and node HV1DUOUT represents
undetectable failure of PST in the failures of HV1. The
transition matrix of each parent node is determined
by lDD , lDU, PST , and lDU, OUT , respectively. The
condi- tional probability is shown in Table 6.
Figure 7 compares the results of three DBN models,
verifying the feasibility of this modeling method. Curve
a in Figure 7 corresponds to the data calculated by
model a in Figure 6, curve b corresponds to the data
obtained by model b in Figure 6, and curve c
8 Proc IMechE Part O: J Risk and Reliability 00(0)

Table 6. CPT for HV1 with PST.

corresponds to the data obtained by model c in Figure
6. It can be seen that the data obtained by these three
HV1DUPST HV1DUOUT HV1DU modeling methods are basically consistent.
NO YES Since the HIPPS is a series-parallel system, its DBN
model can be developed by integrating the DBN of
NO NO 1 0 each subsystem using the modeling methods described
NO YES 0 1 in section ‘‘Dynamic Bayesian network modeling’’ and
YES NO 0 1
YES YES 0 1 this section. As described in section ‘‘Description of
HIPPS,’’ convert the reliability block diagram of Figure
2 into a DBN model for HIPPS. Figure 8 shows the
DBNs of HIPPS without repair. There are three meth-
ods to improve the performance of HIPPS: SD, PST,
and FT. There are two inspection methods in practical
engineering. First, the traditional inspection means is
the combination of self-diagnosis and functional test-
ing. Another method is a new detection method, which
is based on the traditional method and adds partial
stroke test. Figure 9 shows the DBNs of HIPPS with
SDFT, and Figure 10 shows the DBNs of HIPPS with
SDPSFT. As shown in Figure 8, the nodes EU, SCM,
and PTs represent the execution unit (EU), the subsea
control module (SCM) and the pressure transmitter
voting system (PTs), respectively.
The failure rate and repair rate of HIPPS compo-
nents are shown in Table 4. The transition probability
of basic events is established according to equations
Figure 7. Results validation of DBN models with different test (4)–(7). For the parallel subsystem, considering
methods.

Figure 8. DBNs of HIPPS without repair.

 Wang et 9

Figure 9. DBNs of HIPPS with self-diagnosis and function test.

incomplete coverage, this article sets the coverage fac- the values should be always greater than the one
tor as 0.9. from the set of x — yðy 2 xÞ attributes;
Take the child node of L1 in Figure 8 as an example
Validation of the method and model to verify the correctness of DBN model. When the state
NO of node HV1 is set to 80 from 100, the reliability of
Model validation is one key issue of the proposed
the system is reduced from 99.87 to 97.83 in the second
DBNs because of that it can provide a reasonable
time slice. When the state of node SV1 is set from 100
amount of confidence in the results of the model. In the
to 80, the reliability of the system is reduced to 96.202
present study, a three-axiom-based validation method
in the second time slice. Similarly, change the state of
is used for partial validation of the developed DBNs.
the HV1 child nodes in Figure 9. When the state of
The three axioms33–35 are as follows:
HV1DD NO is set from 100 to 80, the reliability of the
system is reduced from 99.87 to 99.36 in the second
(1) Increasing/decreasing the prior probabilities of time slice. When the status of node HV1DU is set from
parent nodes slightly will lead to the relative 100 to 80, the reliability of the system is reduced to
increase/decrease of the posterior probabilities of 97.96 in the second time slice. The state NO of child
the corresponding child nodes; node HV1DUPST and HV1DUOUT in figure 10 is set
(2) The influence degree to the child node caused by to 80 in turn, and the reliable line in the second time
the change of probability distributions of parent
slice is reduced from 99.87 to 99.39 and 99.29, respec-
nodes should be consistent;
tively. By changing the states of multiple parent nodes,
(3) The total influence magnitudes of the combination
it can be found that the reliability of the system has
of the probability variations from x attributes on
changed, thus verifying the rationality of the model.
10 Proc IMechE Part O: J Risk and Reliability 00(0)

Figure 10. DBNs of HIPPS with self-diagnosis, partial stroke test, and function test.

Results and discussions inspection and maintenance methods. As can be seen

from Figure 12, the reliability of the EU dropped to
Reliability and availability 0.87 in the 120th month. After the SDFT or SDPSFT,
Figure 11 shows the reliability of HIPPS, and the avail- EU performance can be maintained at a very high level.
ability of HIPPS with different inspection and mainte- Of course, the effect of using SDPSFT is better than
nance methods, including SD, PST, FT, SDFT, and that of using SDFT.
SDPSFT. Figure 11(b) shows the availability of HIPPS Figure 13 shows the dynamic reliability and avail-
with FT, SDFT, and SDPSFT from the 20th to the 50th ability curves of the subsea control module with differ-
month of interception in Figure 11(a). As can be seen ent inspection and maintenance methods. Since SD and
from Figure 11, the reliability of the system gradually PST cannot detect the fault of the subsea control mod-
decreases over time. Reliability dropped to 0.776 in the ule, SD and PST cannot improve the performance of
120th month. It is found that the performance of the the subsea control module. It can be clearly seen from
system has been improved by different maintenance Figure 13 that the curve of reliability coincides with the
methods. The detection method of SD or PST is curve of SD and PST, and the curve of SDFT coincides
limited, so the performance improvement of the system with the curve of SDPSFT.
is also limited. As the FT can detect all fault types, the Figure 14 shows the reliability and availability of the
system performance improvement after using FT is PTs, respectively. It can be seen that the variation trend
extremely significant. Combined with the application in of reliability curves is consistent with that of HIPPS.
practical engineering, the system performance As time progresses, the reliability decreases. Like the
improvement after using SDPSFT is better than that subsea control module, the PST cannot detect the faults
after using SDFT. of PTs and therefore cannot improve the performance
Similarly, Figure 12 shows the dynamic reliability of PTs. However, SD can detect partial faults of PTs,
and availability curves of the EU with different
 Wang et 1

Figure 11. Reliability and availability of HIPPS.

Figure 12. Reliability and availability of EU.

Figure 13. Reliability and availability of the SCM.

so it can significantly improve the performance of PTs. inspection and maintenance methods. The most effec-
The reliability of the PTs dropped to 0.93 in the 120th tive way to improve performance is the combination of
month. self-diagnosis, partial stroke test and functional test
Through comparative analysis, it is found that the (SDPSFT).
performance of HIPPS is improved by using different
12 Proc IMechE Part O: J Risk and Reliability 00(0)

Figure 14. Reliability and availability of PTs.

Sensitivity analysis
As the parameters of the DBN are calculated according
to the failure rates, repair rates, coverage factor, and
PST coverage, sensitivity analysis is carried out for the
two commonly used methods in practical engineering.

Effect of the failure rates. Sensitivity analysis assumes

that failure rates are not accurate. The reliability of
the HIPPS at the given time of the 12th month is
com- puted, assuming that each failure rate is subject
to an uncertainty of 20%. The upper and lower
bounds of the reliability are plotted in Figure 15. It
can be seen that the failure rate of components
increases and the reliability of the system decreases in
the 12th month. If the failure rates of components are
reduced, the relia- bility of the components will be
improved. This rule applies to all testing and Figure 15. Effects of failure rates on the reliability of HIPPS.
maintenance methods men- tioned in this article. As
is shown in Figure 16, the upper and lower bounds of
the availability are plotted. It can be seen that the methods. It shows that the coverage factor has a
failure rates of components increase and the greater influence on reliability. By comparing different
availability of the system decreases in the 12th detection and maintenance methods, it is found that
month. If the failure rates of components are the influence degree of failure rates on the reliability
reduced, the availability of the components will be and availability of the system are in order: without
improved. However, for different detection and mainte- repair . with SDFT . with SDPSFT.
nance methods, the failure rates of components have
different impacts on the components. Due to the
large failure rate of HV, it is most sensitive with Effect of the PST coverage. The methods of PST are not
respect to the failure rate. Therefore, it is very unique, so the PST coverage is not unique. However,
important to reduce the failure rates of HV to improve all research and development technologies are designed
the reliability of the system. Failure rates in the order to increase PST coverage. According to previous litera-
of influence reduction to the reliability and tures, the range of PST coverage is usually 60% to
availability are HV . SV . PT . AC . AP = 70%. In this article, the sensitivity analysis of PST cov-
DP . LS. erage is carried out, and the PST coverage is assumed
to increase by 5% each time based on 60%. The impact
analysis of PST coverage on reliability is shown in
Effect of the coverage factor on system performance. The
influence of the coverage factor on system reliability is Figure 18. PST can only test valves. Therefore, this arti-
shown in Figure 17. As coverage increases, so does sys- cle analyzes the influence of the PST coverage on the
tem reliability. The results show that the coverage fac- availability of HIPPS. As shown in Figure 18, the influ-
tor has a different influence on the reliability of the ence of PST coverage on the availability of the system
system with different detection and maintenance
 Wang et 1

Figure 16. Effects of failure rates on the availability of HIPPS (a) with SDFT and (b) with SDPSFT.

Figure 17. Effects of coverage factor on reliability and

availability of HIPPS.

Figure 19. Effect of the PST strategy.

Effect of the PST strategy. Functional testing needs to be

done when the device is down. With the introduction
of PST, the performance of HIPPS is improved signifi-
cantly, and the frequency of functional testing is
reduced. Thus, equipment downtime can be reduced,
the cost can be reduced, and the production efficiency
of offshore oil and gas resources can be improved.
However, too much PST will accelerate the wear and
tear of HV and reduce the life span of HV. Therefore,
it is necessary to analyze the PST strategy. In this arti-
cle, four different PST strategies such as without PST,
monthly PST, quarterly PST, and biannually PST were
analyzed, respectively. The purpose of this analysis is
to reduce the production cost while improving the per-
Figure 18. Effects of PST coverage on the availability of HIPPS formance and service life of the equipment.
and its subsystem. As shown in Figure 19, it is found that extending the
test interval of PST reduced the performance improve-
is more obvious. The availability of HIPPS improves as ment effect of the system after 1 year. But there is still
PST coverage increases. To improve the availability of an obvious improvement effect compared with the sys-
the system, increasing PST coverage is also an tem without PST. The analysis of the PST strategy can
effective means. provide a theoretical basis for selecting the frequency
of
14 Proc IMechE Part O: J Risk and Reliability 00(0)

PST and FT interval in actual projects, which can not Funding

only guarantee the performance of the equipment but
also control the production cost. The author(s) disclosed receipt of the following finan-
cial support for the research, authorship, and/or publi-
cation of this article: This work was supported by
Conclusion National Natural Science Foundation of China
(51704254), National Key Research and Development
In this article, considering the incomplete coverage as Program of China (2018YFC0310200) and
well as various fault detection methods, and the faults (2018YFC0810401), and Key Research and
that can be detected by self-diagnostic test, functional Development Project in Key Technical Field of
test, and partial stroke test technology, a DBN model Sichuan Province (19ZDZX0104).
is proposed to classify the failure efficiency of the same
part according to fault detection types and different
repair methods. Bayesian network software is used to ORCID iD
build different models. The DBNs of subsea high integ- Chuan Wang https://orcid.org/0000-0002-4720-3273
rity protection system is established. These models can
also be used for other DBNs development systems that References
use diagnostic self-testing, functional testing, and par-
tial stroke testing. 1. Yang X, Peng Y, Hu M, et al. Application of HIPPS sys-
tem in compressor station of long distance pipeline. Pet-
rol Eng Cons 2019; 45: 56–59.
(1) Based on DBNs developed, the reliability of
2. Wang B. Discussion on application of High Integrity
HIPPS is obtained. Reliability decreases over Pressure Protection System. Automation in Petro-Chemi-
time. cal Industry 2015; 51(6): 28–31.
(2) Based on different fault detection methods, differ- 3. Wang W, Wang S, Guo Z, et al. HIPPS application for
ent maintenance methods are adopted, each of HZ25-3 development projection. Electronic. Instrumenta-
which can effectively improve the performance of tion 2016; 23(2): 44–46, 50.
HIPPS. After the introduction of PST, the perfor- 4. Theobeld MC. Subsea High Integrity Pressure Protection
mance of HIPPS can be improved better than the Systems for high pressure oil and gas developments. In:
traditional detection method. Offshore technology conference, Houston, TX, USA, 6–9
(3) Sensitivity analysis was conducted to evaluate the May 1996, p.9. Houston, TX: Offshore Technology
impact of failure rate, coverage factor, PST cover- Conference.
age, and PST strategy. In the subsystem of HIPPS, 5. Wu S, Zhang L, Lundteigen MA, et al. Reliability assess-
failure rates have the greatest impact on the relia- ment for final elements of SISs with time dependent fail-
ures. J Loss Prev Process Ind 2018; 51: 186–199.
bility of HV even if the maintenance mode is
6. IEC61508. Functional safety of electrical/electronic/pro-
different.
grammable electronic safety-related systems. Geneva:
(4) The influence of the coverage factor on the relia- International Electrotechnical Commission, 2010.
bility of the system without maintenance is greater 7. Torres-Echeverrı´a AC, Martorell S and Thompson
than that after maintenance. HA. Modelling and optimization of proof testing policies
(5) The better the repair effect, the less the impact of for safety instrumented systems. Reliab Eng Syst Safe
PST coverage. The increase of PST coverage is 2009; 94(4): 838–854.
beneficial to improve the reliability and prolong 8. Liu Y and Rausand M. Reliability effects of test strate-
the service life of HIPPS. gies on safety-instrumented systems in different demand
(6) Through sensitivity analysis, the correctness and modes. Reliab Eng Syst Safe 2013; 119: 235–243.
rationality of the DBN model are partially 9. Lundteigen MA and Rausand M. Partial stroke testing
verified. of process shutdown valves: how to determine the test
(7) According to different work requirements, the coverage. J Loss Prev Process Ind 2008; 21(6): 579–588.
maintenance method of HIPPS is also different. 10. Wu S, Zhang L, Zheng W, et al. Reliability modeling of
For systems requiring frequent action, SDPSFT subsea SISs partial testing subject to delayed restoration.
Reliab Eng Syst Safe 2019; 191: 106546.
should be used to detect and repair system fail-
11. Lundteigen MA and Rausand M. The effect of partial
ures. This method can not only reduce the cost,
stroke testing on the reliability of safety valves. In: Eur-
but also ensure the performance of the system. opean safety and reliability conference (ESREL 2007),
For systems that are not frequently used and have Stavanger, Norway, 25–27 June 2007.
low performance requirements, SDFT can be used 12. Lederer C, Altstadt S, Andriamonje S, et al. Introduction
to repair system faults. to partial stroke testing. In: SICE annual conference 2008
– international conference on instrumentation, control
and information technology, Tokyo, Japan, 20–22 August
Declaration of conflicting interests
2008. Tokyo, Japan: SICE.
The author(s) declared no potential conflicts of interest 13. Summers A and Zachary B. Variable function voting
with respect to the research, authorship, and/or publi- solenoid-operated valve apparatus and testing method
cation of this article. therefore. US20020091451 Patent, 2001.
 Wang et 1

14. Summers A and Zachary B. Partial-stroke testing of preventers in presence of imperfect repair. Expert Syst
safety block valves. Control Eng 2000; 47: 87–89. Appl 2013; 40: 7544–7554.
15. Innal F, Lundteigen MA, Liu Y, et al. PFDavg general- 29. Kim SJ, Seong PH, Lee JS, et al. A method for evaluat-
ized formulas for SIS subject to partial and full periodic ing fault coverage using simulated fault injection for digi-
tests based on multi-phase Markov models. Reliab Eng talized systems in nuclear power plants. Reliab Eng Syst
Syst Safe 2016; 150: 160–170. Safe 2006; 91: 614–623.
16. Jin H and Rausand M. Reliability of safety-instrumented 30. Dugan JB and Trivedi KS. Coverage modeling for
systems subject to partial testing and common-cause fail- dependability analysis of fault-tolerant systems. IEEE T
ures. Reliab Eng Syst Safe 2014; 121: 146–151. Comput 1989; 38(6): 775–787.
17. Brissaud F, Barros A and Be´renguer C. 31. Cai B, Liu Y, Fan Q, et al. Performance evaluation of
Probability of failure on demand of safety systems: subsea BOP control systems using dynamic Bayesian net-
impact of partial test distribution. Proc IMechE, Part O: works with imperfect repair and preventive maintenance.
J Risk and Reliability 2012; 226(4): 426–436. Eng Appl Artif Intel 2013; 26(10): 2661–2672.
18. Pascual R, Louit D and Jardine AKS. Optimal inspec- 32. Tor O. Reliability data for safety instrumented systems –
tion intervals for safety systems with partial inspections. PDS data handbook, 2010 edition. Trondheim: SINTEF
J Oper Res Soc 2011; 62: 2051–2062. Technology and Society, 2014.
19. Nelson-Bridgewater S, Hiez M, Caudin J, et al. High 33. Cai B, Liu Y, Zhang Y, et al. A dynamic Bayesian net-
Integrity Pressure Protection System for ESP activated works modeling of human factors on offshore blowouts.
wells. In: SPE international conference on health, safety, J Loss Prev Process Ind 2013; 26(4): 639–649.
and environment, Long Beach, California, USA, 17–19 34. Cai B, Liu Y, Zhang Y, et al. Dynamic Bayesian net-
March 2014, p.10. Long Beach, CA: Society of Petro- works based performance evaluation of subsea blowout
leum Engineers. preventers in presence of imperfect repair. Expert Syst
20. Langvik S and Aarebrot E. High Integrity Pressure Pro- Appl 2013; 40(18): 7544–7554.
tection Systems for production applications. Vol. 4. SPE 35. Jones B, Jenkinson I, Yang Z, et al. The use of Bayesian
Advanced Technology Series. Society of Petroleum network modelling for maintenance planning in a manu-
Engi- neers, 1996, pp. 155–159. facturing industry. Reliab Eng Syst Safe 2010; 95(3):
21. Hutchings V. Is the Subsea High Integrity Pressure Pro- 267– 277.
tection System (HIPPS) coming of age? In: Subsea Con-
trol and Data Acquisition (SCADA) conference,
Newcastle, UK, 2–3 June 2010, p.8. Newcastle: Society Appendix 1
of Underwater Technology.
22. Hu J, Zhang L, Ma L, et al. An integrated safety prog- Notation
nosis model for complex system based on dynamic Baye-
sian network and ant colony algorithm. Expert Syst Appl HIPPS High Integrity Pressure Protection System
2011; 38(3): 1431–1446. DBNs Dynamic Bayesian networks
23. Murphy KP. Dynamic bayesian networks: FT Functional test
representation, inference and learning. Doctoral PST Partial stroke test
Dissertation, University of California, Berkeley, 2002. SD Self-diagnosis
24. Yuan L and Cui Z. Reliability analysis for the consecu- SDFT Self-diagnosis and functional test
tive-k-out-of-n: F system with repairmen taking multiple SDPSFT Self-diagnosis, partial stroke test, and
vacations. Applied Math Modell 2013; 37(7): 4685–4697.
functional test
25. O’Connor PDT. An introduction to reliability and main-
tainability engineering, Charles E. Ebeling, McGraw- DD Self-diagnostic testing reveals
Hill, 1997. Number of pages: 489. Price: £22.99. Qual fault patterns
Reliab Eng Int 1998; 14: 295. DU Self-diagnostic tests cannot reveal
26. Liu Z, Liu Y, Cai B, et al. Dynamic Bayesian network fault patterns
modeling of reliability of subsea blowout preventer stack DU, PST Partial stroke test reveals fault patterns
in presence of common cause failures. J Loss Prev Pro- DU, FT Functional test reveals fault patterns
cess Ind 2015; 38: 58–66. DU, OUT Partial stroke test cannot reveals fault
27. Kohda T and Cui W. Risk-based reconfiguration of patterns
safety monitoring system using dynamic Bayesian net- PFDavg The average probability of on-demand
work. Reliab Eng Syst Safe 2007; 92(12): 1716–1723.
failure in low-demand mode
28. Cai B, Liu Y, Zhang Y, et al. Dynamic Bayesian net-
works based performance evaluation of subsea blowout