Method for assessing safety integrity level of offshore oil well control equipment

Abstract

The present disclosure belongs to the field of offshore oil, and in particular relates to a method for assessing the safety integrity level of offshore oil well control equipment. The method for assessing the safety integrity level of the offshore oil well control equipment comprises three major steps: creating a safety instrumented function evaluation module and dividing the related devices for performing the safety instrumented functions into a sensor subsystem, a controller subsystem and an actuator subsystem; establishing a dynamic Bayesian network model for the respective subsystems for calculation; and integrating, analyzing and optimizing the safety integrity data of the subsystems.

Claims

1. A method for assessing the safety integrity level of an offshore oil well control equipment, comprising three major steps: creating a safety instrumented function evaluation module and dividing system devices into subsystems, establishing a Bayesian network model for calculation, and performing integrated calculation and optimization analysis; the creating the safety instrumented function evaluation module and dividing the system devices into subsystems specifically comprises: S101: according to assessment requirements, creating the safety instrumented function module; S102: dividing a plurality of the system devices into a sensor subsystem, a controller subsystem, and an actuator subsystem; wherein the division of the sensor subsystem, the controller subsystem, and the actuator subsystem is as follows: (1) the sensor subsystem includes at least one device capable of detecting and predicting blowout parameters and kick parameters, and at least one device for transmitting detected information; (2) the controller subsystem consists of a ground control part, an underwater control module and an operator as the operating subject, wherein the ground control part consists of a main panel, a drillers panel, a toolpushers panel, and a hydraulic power system; the underwater control module consists of a blue pod underwater control module, a yellow pod underwater control module, an underwater accumulator bottle group, and an emergency battery DC power supply; and (3) the actuator subsystem includes underwater solenoid valves, hydraulic control valves, and hydraulic valves; the establishing a Bayesian network model for calculation specifically comprises: S201: establishing a dynamic Bayesian network model for configuration characteristics of the controller subsystem of the offshore oil well control equipment; wherein the dynamic Bayesian network for the controller subsystem consists of N static Bayesian network models of the same structure; the number N of the static Bayesian networks is calculated by the following formula:
N = TS/Δt
wherein TS is the running time of the system, and Δt is a self-inspection time interval; the system performs a self-inspection each time one self-inspection time interval Δt has elapsed, and an inspection test is performed on the system and the detected failures are repaired each time the inspection test interval (TI) has elapsed; and the process of establishing the dynamic Bayesian network for the controller subsystem is as follows: (1) determining the static Bayesian network model structure of the controller subsystem according to structural configuration characteristics of the controller subsystem and a fault tree model of the controller subsystem; wherein the static Bayesian network model of the controller subsystem has four layers of nodes in total; the first layer is a failure factor node layer, the types of nodes include single-channel independent failure nodes and common cause failure nodes, each of which has five states: normal state (NS), detected safe failure state (SD), undetected safe failure state (SU), detected dangerous failure state (DD) and undetected dangerous failure state (DU); the second layer is a single-channel state node layer, each node represents the state of one channel in a unit, and each node has the same five states (NS, SD, SU, DD and DU); the third layer is a unit state node layer, each node represents the state of one unit, and each node has four states: normal state (NS), safe failure state (SF), detected dangerous failure state (DD) and undetected dangerous failure state (DU), the unit having a safe failure when it is in the safe failure state (SF); and the fourth layer is a system state node layer, whose node represents the state of the controller subsystem and has three states: normal state (NS), safe failure state (SF) and dangerous failure state (DF); (2) determining a plurality of conditional probability tables within a single static Bayesian network; wherein the probability at which the respective nodes of the failure factor node layer within the first static Bayesian network are in the normal state (NS) is 100%; the conditional probability table of the second layer nodes is determined according to the effect of the failure factors on the single-channel state; the conditional probability table of the third layer nodes is determined according to the failure criterion of a redundant structure; and the conditional probability table of the fourth layer nodes is determined according to the syntagmatic relations among the various units and the fault tree model; (3) determining at least one transition conditional probability of the dynamic Bayesian network at self-inspection; wherein the probability of the single-channel failure factor nodes of the next static Bayesian network is affected by the single-channel failure factor nodes and the unit state nodes of the previous static Bayesian network, and the probability of the common cause failure factor nodes of the next static Bayesian network is only affected by the common cause failure factor nodes of the previous static Bayesian network; and the probability of the failure factor nodes of the next static Bayesian network is determined according to the device degradation law and the self-inspection capability of the system; (4) determining at least one transition conditional probability of the dynamic Bayesian network at inspection test; wherein the probability of the failure factor nodes of the next static Bayesian network is affected by the failure factor nodes of the previous static Bayesian network; and the probability of the failure factor nodes of the next static Bayesian network is determined according to the inspection coverage rate and the repair parameters of the device; S202: determining failure probability parameters of each unit device in the controller subsystem; S203: determining time parameters of the controller subsystem device; wherein the time parameters include mean time to repair (MTTR), mean time to system restoration (MTSR), inspection test interval period (TI), running time of the system (TS), and self-inspection time interval (Δt); S204: determining a structural constraint type of the controller subsystem; wherein the structural constraint type is divided into A type and B type, the A type subsystem includes instrument devices with a simple structure such as switches, valves and relays, and the B type subsystem includes devices with a complicated structure such as microprocessors and intelligent transducers; S205: determining inspection test parameters of devices in the controller subsystem; S206: performing a calculation by the established dynamic Bayesian network model to obtain safety integrity parameters of the controller subsystem; wherein the safety integrity parameters include a safe failure fraction (SFF) of the controller subsystem, an allowable maximum safety integrity level of the controller subsystem, the safety integrity level (SIL) of the controller subsystem, the probability of dangerous failure on demand (PFD) at the respective time points in the controller subsystem operation, and the probability of safe failure on demand (PFS) at the respective time points in the system operation, and the average probability of dangerous failure on system demand PFDavg and the average probability of safe failure on system demand PFSavg are obtained by the following formulas:
$PFD_{avg} = \frac{\sum_{t=1}^{N} PFD(t)}{N}$, $PFS_{avg} = \frac{\sum_{t=1}^{N} PFS(t)}{N}$
S207: determining the safety integrity level ultimately by the average probability of dangerous failure on system demand PFDavg; wherein the four data series PFD, PFS, PFDavg and PFSavg calculated by the established dynamic Bayesian network model are four 1×N matrices, and the change process of the safety integrity parameters of the controller subsystem can be displayed graphically; S208: optimizing the parameters affecting the safety integrity level by analyzing the safety integrity parameters of the controller subsystem; and S209: repeating steps S201 to S208 to assess the sensor subsystem and the actuator subsystem, respectively; the performing integrated calculation and optimization analysis specifically includes: S301: integrating the safety integrity parameters of the controller subsystem, the sensor subsystem, and the actuator subsystem to obtain the safety integrity parameters of one or more safety instrumented functions; wherein the average probability of dangerous failure on demand PFD_Sys of the safety instrumented functions is calculated as follows:
PFD_Sys = PFD_S + PFD_L + PFD_FE
wherein PFD_S is the average probability of dangerous failure on demand of the sensor subsystem, PFD_L is the average probability of dangerous failure on demand of the controller subsystem, and PFD_FE is the average probability of dangerous failure on demand of the actuator subsystem; S302: obtaining the weak link among the subsystems by analyzing the safety integrity parameters and the ratios of the parameters of the controller subsystem, the sensor subsystem, and the actuator subsystem, and replacing devices, optimizing the device configuration, adjusting the device inspection time, and adjusting the device repair parameters for the subsystem with high safety integrity requirements; and S303: generating a safety integrity assessment report.

2. The method for assessing the safety integrity level of the offshore oil well control equipment of claim 1, wherein according to the assessment requirements, the safety instrumented function module is created; according to the configuration of the offshore oil well control equipment, the initially set safety instrumented functions include opening function of an upper annular blowout preventer, closing function of the upper annular blowout preventer, opening function of a lower annular blowout preventer, closing function of the lower annular blowout preventer, opening function of a drill pipe shear seal ram blowout preventer, closing function of the drill pipe shear seal ram blowout preventer, opening function of a casing shear ram blowout preventer, closing function of the casing shear ram blowout preventer, opening function of an upper ram blowout preventer, closing function of the upper ram blowout preventer, opening function of an intermediate ram blowout preventer, closing function of the intermediate ram blowout preventer, opening function of a lower ram blowout preventer, closing function of the lower ram blowout preventer, opening function of a test ram blowout preventer, and closing function of the test ram blowout preventer.

3. The method for assessing the safety integrity level of the offshore oil well control equipment of claim 1, wherein failure probability parameters of each unit device in the controller subsystem are determined; the failure probability parameters are divided into a direct form and an indirect form; the failure probability parameters in the direct form include detected independent safe failure rate λ_SDN, undetected independent safe failure rate λ_SUN, detected independent dangerous failure rate λ_DDN, undetected independent dangerous failure rate λ_DUN, detected common cause safe failure rate λ_SDC, undetected common cause safe failure rate λ_SUC, detected common cause dangerous failure rate λ_DDC, and undetected common cause dangerous failure rate λ_DUC; and the failure probability parameters in the indirect form include failure rate λ_T, safe failure ratio R_S, safe failure diagnosis coverage rate C_S, dangerous failure diagnosis coverage rate C_D, undetected common cause failure rate β and detected common cause failure rate β_D of the respective channels in the units.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) FIG. 1a is a schematic diagram showing a method process for assessing the safety integrity level of offshore oil well control equipment;

(2) FIG. 1b is a schematic diagram showing the step of establishing a Bayesian network model for calculation in the method for assessing the safety integrity level of offshore oil well control equipment;

(3) FIG. 2 is a schematic diagram showing safety instrumented functions of the offshore oil well control equipment;

(4) FIG. 3 is a schematic diagram showing basic components of a sensor, a controller, and an actuator subsystem device;

(5) FIG. 4 is a schematic diagram showing a dynamic Bayesian network model of a control system of the offshore oil well control equipment;

(6) FIG. 5 is a schematic diagram showing a simplified fault tree model of the control system of an offshore oil well control equipment;

(7) FIG. 6 shows a static Bayesian network model of a control system of the offshore oil well control equipment;

(8) FIG. 7 is a schematic diagram showing state transition of a dynamic Bayesian network of a control system of the offshore oil well control equipment during self-inspection;

(9) FIG. 8 is a schematic diagram showing state transition of a dynamic Bayesian network of a control system of the offshore oil well control equipment during inspection test.

DESCRIPTION OF THE REFERENCE NUMBERS

(10) PCA1^t: independent failure of main panel in the t-th static Bayesian network
PCA2^t: independent failure of drillers panel in the t-th static Bayesian network
PCA3^t: independent failure of toolpushers panel in the t-th static Bayesian network
PCCC^t: common cause failure of panel in the t-th static Bayesian network
PCB1^t: state of main panel in the t-th static Bayesian network
PCB2^t: state of drillers panel in the t-th static Bayesian network
PCB3^t: state of toolpushers panel in the t-th static Bayesian network
PC^t: state of panel unit in the t-th static Bayesian network
ESA1^t: independent failure of Ethernet switch 1 in the t-th static Bayesian network
ESA2^t: independent failure of Ethernet switch 2 in the t-th static Bayesian network
ESCC^t: common cause failure of Ethernet switch in the t-th static Bayesian network
ESB1^t: state of Ethernet switch 1 in the t-th static Bayesian network
ESB2^t: state of Ethernet switch 2 in the t-th static Bayesian network
ES^t: state of Ethernet switch unit in the t-th static Bayesian network
PLCA1^t: independent failure of platform PLC1 in the t-th static Bayesian network
PLCA2^t: independent failure of platform PLC2 in the t-th static Bayesian network
PLCA3^t: independent failure of platform PLC3 in the t-th static Bayesian network
PLCCC^t: common cause failure of platform PLC in the t-th static Bayesian network
PLCB1^t: state of platform PLC1 in the t-th static Bayesian network
PLCB2^t: state of platform PLC2 in the t-th static Bayesian network
PLCB3^t: state of platform PLC3 in the t-th static Bayesian network
PLC^t: state of platform PLC in the t-th static Bayesian network
PODA1^t: independent failure of underwater control blue pod in the t-th static Bayesian network
PODA2^t: independent failure of underwater control yellow pod in the t-th static Bayesian network
PODCC^t: common cause failure of underwater control pod in the t-th static Bayesian network
PODB1^t: state of underwater control blue pod in the t-th static Bayesian network
PODB2^t: state of underwater control yellow pod in the t-th static Bayesian network
POD^t: state of underwater control pod unit in the t-th static Bayesian network
C^t: state of control system in the t-th static Bayesian network
PCA1^(t+1): independent failure of main panel in the (t+1)-th static Bayesian network
PCA2^(t+1): independent failure of drillers panel in the (t+1)-th static Bayesian network
PCA3^(t+1): independent failure of toolpushers panel in the (t+1)-th static Bayesian network
PCCC^(t+1): common cause failure of panel in the (t+1)-th static Bayesian network
ESA1^(t+1): independent failure of Ethernet switch 1 in the (t+1)-th static Bayesian network
ESA2^(t+1): independent failure of Ethernet switch 2 in the (t+1)-th static Bayesian network
ESCC^(t+1): common cause failure of Ethernet switch in the (t+1)-th static Bayesian network
PLCA1^(t+1): independent failure of platform PLC1 in the (t+1)-th static Bayesian network
PLCA2^(t+1): independent failure of platform PLC2 in the (t+1)-th static Bayesian network
PLCA3^(t+1): independent failure of platform PLC3 in the (t+1)-th static Bayesian network
PLCCC^(t+1): common cause failure of platform PLC in the (t+1)-th static Bayesian network
PODA1^(t+1): independent failure of underwater control blue pod in the (t+1)-th static Bayesian network
PODA2^(t+1): independent failure of underwater control yellow pod in the (t+1)-th static Bayesian network
PODCC^(t+1): common cause failure of underwater control pod in the (t+1)-th static Bayesian network

DETAILED DESCRIPTION

(11) As shown in FIG. 1a, a method for assessing the safety integrity level of an offshore oil well control equipment comprises three major steps: creating a safety instrumented function evaluation module and dividing system devices into subsystems, establishing a Bayesian network model for calculation, and performing integrated calculation and optimization analysis.

(12) The creating the safety instrumented function evaluation modules and dividing the system devices into subsystems specifically comprises:

(13) S101: according to the assessment requirement, creating the safety instrumented function modules; as shown in FIG. 2, according to the configuration of the offshore oil well control equipment, the initially set safety instrumented functions include opening function of an upper annular blowout preventer, closing function of the upper annular blowout preventer, opening function of a lower annular blowout preventer, closing function of the lower annular blowout preventer, opening function of a drill pipe shear seal ram blowout preventer, closing function of the drill pipe shear seal ram blowout preventer, opening function of a casing shear ram blowout preventer, closing function of the casing shear ram blowout preventer, opening function of an upper ram blowout preventer, closing function of the upper ram blowout preventer, opening function of an intermediate ram blowout preventer, closing function of the intermediate ram blowout preventer, opening function of a lower ram blowout preventer, closing function of the lower ram blowout preventer, opening function of a test ram blowout preventer, and closing function of the test ram blowout preventer;

(14) S102: dividing the relevant system devices into a sensor subsystem, a controller subsystem, and an actuator subsystem; wherein the sensor subsystem, the controller subsystem, and the actuator subsystem have the basic components as shown in FIG. 3, and the division of the sensor subsystem, the controller subsystem, and the actuator subsystem is as follows:

(15) (1) the sensor subsystem includes devices capable of detecting and predicting blowout parameters and kick parameters, and devices for transmitting the detected information;

(16) (2) the controller subsystem consists of a ground control part, an underwater control module and an operator as the operating subject, wherein the ground control part consists of a main panel, a drillers panel, a toolpushers panel, and a hydraulic power system; the underwater control module consists of a blue pod underwater control module, a yellow pod underwater control module, an underwater accumulator bottle group, and an emergency battery DC power supply; and

(17) (3) the actuator subsystem includes an underwater solenoid valve, a hydraulic control valve, and a hydraulic valve.

(18) As shown in FIG. 1b, the establishing a Bayesian network model for calculation specifically comprises:

(19) S201: establishing a dynamic Bayesian network model for the configuration characteristics of the controller subsystem of the offshore oil well control equipment. The structure of the dynamic Bayesian network model for the controller subsystem of the offshore oil well control equipment is shown in FIG. 4, the dynamic Bayesian network for the controller subsystem consists of N static Bayesian network models of the same structure; the number N of the static Bayesian networks is calculated by the following formula:
N=TS/Δt

(20) wherein TS is the running time of the system, and Δt is a self-inspection time interval; and

(21) the system performs a self-inspection each time one Δt has elapsed. An inspection test is performed on the system, and the detected failures are repaired, each time the inspection test interval TI has elapsed; and the process of establishing the controller subsystem dynamic Bayesian network is as follows:

(22) (1) determining the static Bayesian network model structure of the controller subsystem according to the structural configuration characteristics of the controller subsystem and the fault tree model of the controller subsystem; wherein the simplified fault tree model of the control system of the offshore oil well control equipment is shown in FIG. 5, the static Bayesian network model of the control system corresponding to that simplified fault tree model is shown in FIG. 6, and the static Bayesian network model of the controller subsystem has four layers of nodes in total; the first layer is a failure factor node layer, the types of nodes include single-channel independent failure nodes and common cause failure nodes, each of which has five states: normal state NS, detected safe failure state SD, undetected safe failure state SU, detected dangerous failure state DD and undetected dangerous failure state DU; the second layer is a single-channel state node layer, each node represents the state of one channel in a unit, and each node has the same five states NS, SD, SU, DD and DU; the third layer is a unit state node layer, each node represents the state of one unit, and each node has four states: normal state NS, safe failure state SF, detected dangerous failure state DD and undetected dangerous failure state DU, the unit having a safe failure when it is in the safe failure state SF; and the fourth layer is a system state node layer, whose node represents the state of the controller subsystem and has three states: normal state NS, safe failure state SF and dangerous failure state DF;

(23) (2) determining the conditional probability tables within a single static Bayesian network; wherein the probability at which the respective nodes of the failure factor node layer within the first static Bayesian network are in the normal state NS is 100%; the conditional probability table of the second layer nodes is determined according to the effect of the failure factors on the single-channel state and is shown in Table 1, in which w is the common cause weighting; the conditional probability table of the third layer nodes is determined according to the failure criterion of a redundant structure; and the conditional probability table of the fourth layer nodes is determined according to the syntagmatic relations among the various units and the fault tree model;

(24) TABLE 1 Conditional probability table of B nodes of the redundant structure (rows: states of the failure factor nodes A and CC; columns: states of node B)

Node A   Node CC     NS     SD      SU      DD      DU
NS       NS          1      0       0       0       0
SD       NS          0      1       0       0       0
SU       NS          0      0       1       0       0
DD       NS          0      0       0       1       0
DU       NS          0      0       0       0       1
NS       SD          0      1       0       0       0
SD       SD          0      1       0       0       0
SU       SD          0      w       1-w     0       0
DD       SD          0      w       0       1-w     0
DU       SD          0      w       0       0       1-w
NS       SU          0      0       1       0       0
SD       SU          0      1-w     w       0       0
SU       SU          0      0       1       0       0
DD       SU          0      0       w       1-w     0
DU       SU          0      0       w       0       1-w
NS       DD          0      0       0       1       0
SD       DD          0      1-w     0       w       0
SU       DD          0      0       1-w     w       0
DD       DD          0      0       0       1       0
DU       DD          0      0       0       w       1-w
NS       DU          0      0       0       0       1
SD       DU          0      1-w     0       0       w
SU       DU          0      0       1-w     0       w
DD       DU          0      0       0       1-w     w
DU       DU          0      0       0       0       1

(25) (3) determining the transition conditional probability of the dynamic Bayesian network at self-inspection. As shown in FIG. 7, the probability of the single-channel failure factor nodes of the next static Bayesian network is affected by the single-channel failure factor nodes and the unit state nodes of the previous static Bayesian network, and the rules for the transition conditional probability are as follows:

(26) 1) when the single-channel independent failure node is in the normal state NS, it degrades exponentially to the detected safe failure state SD, the undetected safe failure state SU, the detected dangerous failure state DD and the undetected dangerous failure state DU at the rates λ_SDN, λ_SUN, λ_DDN and λ_DUN, respectively; wherein λ_SDN is the detected independent safe failure rate, λ_SUN is the undetected independent safe failure rate, λ_DDN is the detected independent dangerous failure rate, and λ_DUN is the undetected independent dangerous failure rate;

(27) 2) when the single-channel independent failure node is in the detected safe failure state SD or the detected dangerous failure state DD, it is converted to the normal state NS at the rate μ_SR according to the law of exponential distribution if the failure causes a safe failure of the assessment unit; otherwise, it is converted to the normal state NS at the rate μ_TR according to the law of exponential distribution;

(28) 3) when the single-channel independent failure node is in the undetected safe failure state SU, it is converted to the normal state NS at the rate μ_SR according to the law of exponential distribution if its parent node causes a safe failure of the assessment unit; it is converted to the normal state NS at the rate μ_TR according to the law of exponential distribution if its parent node contains at least one detected failure; otherwise, it remains in the undetected safe failure state SU;

(29) 4) when the single-channel independent failure node is in the undetected dangerous failure state DU, it is converted to the normal state NS at the rate μ_SR according to the law of exponential distribution if its parent node causes a safe failure of the assessment unit; it is converted to the normal state NS at the rate μ_TR according to the law of exponential distribution if its parent node contains at least one detected failure; otherwise, it remains in the undetected dangerous failure state DU;

(30) the probability of the common cause failure factor nodes of the next static Bayesian network is only affected by the common cause failure factor nodes of the previous static Bayesian network; the probability of the failure factor nodes of the next static Bayesian network is determined according to the degradation law of the device and the self-inspection capability of the system. The transition conditional probability table of the common cause failure node CC is shown in Table 2:

(31) TABLE 2 Transition conditional probability table of CC node (rows: state at time point t; columns: state at time point t + Δt)

State at t   NS                 SD                              SU                              DD                              DU
NS           e^(−λ_C·Δt)        (λ_SDC/λ_C)·(1 − e^(−λ_C·Δt))   (λ_SUC/λ_C)·(1 − e^(−λ_C·Δt))   (λ_DDC/λ_C)·(1 − e^(−λ_C·Δt))   (λ_DUC/λ_C)·(1 − e^(−λ_C·Δt))
SD           1 − e^(−μ_SR·Δt)   e^(−μ_SR·Δt)                    0                               0                               0
SU           1 − e^(−μ_SR·Δt)   0                               e^(−μ_SR·Δt)                    0                               0
DD           1 − e^(−μ_TR·Δt)   0                               0                               e^(−μ_TR·Δt)                    0
DU           0                  0                               0                               0                               1

(32) wherein λ_C = λ_SDC + λ_SUC + λ_DDC + λ_DUC; λ_SDC is the detected common cause safe failure rate, λ_SUC is the undetected common cause safe failure rate, λ_DDC is the detected common cause dangerous failure rate, and λ_DUC is the undetected common cause dangerous failure rate; μ_SR = 1/MTSR, where MTSR is the mean time to system restoration; and μ_TR = 1/MTTR, where MTTR is the mean time to repair;

(33) (4) determining the transition conditional probability table of the dynamic Bayesian network at inspection test. As shown in FIG. 8, the probability of the failure factor nodes of the next static Bayesian network is affected by the failure factor nodes of the previous static Bayesian network; and the probability of the failure factor nodes of the next static Bayesian network is determined according to the inspection coverage rates and the repair parameters of the device; the conditional state transition probability table of the failure factor nodes at the inspection test period is shown in Table 3, in which the different combinations of values of the inspection test parameter variables ξ, δ, θ, σ, α, ε, μ and γ represent different inspection coverage rates and repair parameters;

(34) TABLE 3 State transition conditional probability table of the failure factor nodes at the inspection test period (rows: state before inspection test; columns: state after inspection test)

Before test   NS       SD               SU          DD                 DU
NS            1 − γ    αγ(1 − σ)        αγσ         (1 − α)γ(1 − σ)    (1 − α)γσ
SD            ξ        1 − ξ            0           0                  0
SU            δ        (1 − δ)(1 − ε)   (1 − δ)ε    0                  0
DD            μ        0                0           1 − μ              0
DU            θ        0                0           (1 − θ)(1 − ε)     (1 − θ)ε

(35) S202: determining failure probability parameters of each unit device in the controller subsystem; wherein the failure probability parameters are divided into a direct form and an indirect form. The failure probability parameters in the direct form include detected independent safe failure rate λ_SDN, undetected independent safe failure rate λ_SUN, detected independent dangerous failure rate λ_DDN, undetected independent dangerous failure rate λ_DUN, detected common cause safe failure rate λ_SDC, undetected common cause safe failure rate λ_SUC, detected common cause dangerous failure rate λ_DDC, and undetected common cause dangerous failure rate λ_DUC; and the failure probability parameters in the indirect form include failure rate λ_T, safe failure ratio R_S, safe failure diagnosis coverage rate C_S, dangerous failure diagnosis coverage rate C_D, undetected common cause failure rate β and detected common cause failure rate β_D of the respective channels in the units;

(36) S203: determining time parameters of the controller subsystem device; wherein the time parameters include mean time to repair MTTR, mean time to system restoration MTSR, inspection test interval period TI, running time of the system TS, and self-inspection time interval Δt;

(37) S204: determining the structural constraint type of the controller subsystem; wherein the structural constraint type is divided into A type and B type, the A type subsystem includes instrument devices with a simple structure such as switches, valves and relays, and the B type subsystem includes devices with a complicated structure such as microprocessors and intelligent transducers;

(38) S205: determining inspection test parameters of devices in the controller subsystem;

(39) S206: performing the calculation by the established dynamic Bayesian network model to obtain the safety integrity parameters of the controller subsystem; wherein the safety integrity parameters include a safe failure fraction SFF of the controller subsystem, an allowable maximum safety integrity level of the controller subsystem, the safety integrity level SIL of the controller subsystem, the probability of dangerous failure on demand PFD at the respective time points in the controller subsystem operation, and the probability of safe failure on demand PFS at the respective time points in the system operation; the average probability of dangerous failure on system demand PFDavg and the average probability of safe failure on system demand PFSavg are obtained by the following formulas:

(40) $PFD_{avg} = \frac{\sum_{t=1}^{N} PFD(t)}{N}$, $PFS_{avg} = \frac{\sum_{t=1}^{N} PFS(t)}{N}$

(41) S207: determining the safety integrity level ultimately by the average probability of dangerous failure on system demand PFDavg; wherein the four data series PFD, PFS, PFDavg and PFSavg calculated by the established dynamic Bayesian network model are four 1×N matrices, and the change process of the safety integrity parameters of the controller subsystem can be displayed graphically;
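The Markov-chain core of steps (2) to (4) and of S206, worked through as an added Python example (this is not code from the patent): it implements the Table 1 combination of a channel node B from its nodes A and CC, the Table 2 self-inspection transition and the Table 3 inspection-test transition for one common cause node, unrolls the N = TS/Δt slices with an inspection test every TI, and returns the PFD(t) and PFS(t) series and their averages. The failure rates and inspection parameters used in demo() are constructed sample values, not figures from the patent, and all function names are assumptions of this example.

```python
import math

# State ordering used for every node: index 0..4 = NS, SD, SU, DD, DU
STATES = ["NS", "SD", "SU", "DD", "DU"]


def self_inspection_matrix(l_sdc, l_suc, l_ddc, l_duc, mu_sr, mu_tr, dt):
    """Table 2: transition of the common cause node CC over one self-inspection
    interval dt. Row = state at t, column = state at t + dt (order of STATES)."""
    l_c = l_sdc + l_suc + l_ddc + l_duc
    stay = math.exp(-l_c * dt)
    fail = 1.0 - stay
    # Share of the failure mass going to each failed state (guarded for l_c == 0).
    share = [x / l_c if l_c > 0 else 0.0 for x in (l_sdc, l_suc, l_ddc, l_duc)]
    r_sr = math.exp(-mu_sr * dt)  # probability that a system restoration is not yet done
    r_tr = math.exp(-mu_tr * dt)  # probability that a repair is not yet done
    return [
        [stay] + [s * fail for s in share],
        [1 - r_sr, r_sr, 0.0, 0.0, 0.0],
        [1 - r_sr, 0.0, r_sr, 0.0, 0.0],
        [1 - r_tr, 0.0, 0.0, r_tr, 0.0],
        [0.0, 0.0, 0.0, 0.0, 1.0],  # DU is invisible to self-inspection
    ]


def inspection_test_matrix(xi, delta, theta, sigma, alpha, eps, mu, gamma):
    """Table 3: transition of a failure factor node over one inspection test.
    Row = state before the test, column = state after the test."""
    return [
        [1 - gamma, alpha * gamma * (1 - sigma), alpha * gamma * sigma,
         (1 - alpha) * gamma * (1 - sigma), (1 - alpha) * gamma * sigma],
        [xi, 1 - xi, 0.0, 0.0, 0.0],
        [delta, (1 - delta) * (1 - eps), (1 - delta) * eps, 0.0, 0.0],
        [mu, 0.0, 0.0, 1 - mu, 0.0],
        [theta, 0.0, 0.0, (1 - theta) * (1 - eps), (1 - theta) * eps],
    ]


def channel_state(a_dist, cc_dist, w):
    """Table 1: marginal state of channel node B given independent distributions
    of its independent-failure node A and common cause node CC. A failed CC state
    wins with weight w over a different failed A state; NS never wins."""
    b = [0.0] * 5
    for i, pa in enumerate(a_dist):
        for j, pcc in enumerate(cc_dist):
            if j == 0:              # CC normal: channel takes the state of A
                b[i] += pa * pcc
            elif i == 0 or i == j:  # A normal, or same failure: channel takes CC
                b[j] += pa * pcc
            else:                   # two different failures: split by weight w
                b[j] += pa * pcc * w
                b[i] += pa * pcc * (1 - w)
    return b


def step(dist, matrix):
    """Propagate a state distribution through one transition matrix."""
    return [sum(dist[i] * matrix[i][j] for i in range(5)) for j in range(5)]


def run_dbn(self_m, test_m, ts, dt, ti):
    """Unroll N = TS/dt static slices. Every slice applies the self-inspection
    transition; every TI the inspection-test transition is applied as well.
    Returns the PFD(t) and PFS(t) series (the 1xN matrices of S207)."""
    n = int(round(ts / dt))
    per_test = int(round(ti / dt))
    dist = [1.0, 0.0, 0.0, 0.0, 0.0]  # first slice: NS with probability 100%
    pfd, pfs = [], []
    for t in range(1, n + 1):
        dist = step(dist, self_m)
        if t % per_test == 0:
            dist = step(dist, test_m)
        pfs.append(dist[1] + dist[2])  # SD + SU: safe failure
        pfd.append(dist[3] + dist[4])  # DD + DU: dangerous failure on demand
    return pfd, pfs


def averages(pfd, pfs):
    """PFDavg and PFSavg as the arithmetic mean over the N time points."""
    n = len(pfd)
    return sum(pfd) / n, sum(pfs) / n


def demo():
    """Constructed sample parameters (not from the patent): rates per hour,
    hourly self-inspection, quarterly inspection test, one year of operation."""
    self_m = self_inspection_matrix(1e-6, 5e-7, 2e-6, 1e-6, 1 / 8.0, 1 / 24.0, dt=1.0)
    test_m = inspection_test_matrix(xi=1.0, delta=0.9, theta=0.9, sigma=0.5,
                                    alpha=0.5, eps=0.5, mu=1.0, gamma=1e-4)
    pfd, pfs = run_dbn(self_m, test_m, ts=8760.0, dt=1.0, ti=2190.0)
    return averages(pfd, pfs)


if __name__ == "__main__":
    pfd_avg, pfs_avg = demo()
    print(f"PFDavg = {pfd_avg:.3e}, PFSavg = {pfs_avg:.3e}")
```

Plotting the returned pfd list against t gives the saw-tooth PFD curve that S207 describes, with a drop at every inspection test.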

(42) S208: optimizing the parameters affecting the safety integrity level by analyzing the safety integrity parameters of the controller subsystem; and

(43) S209: repeating steps of S201 to S208 to assess the sensor subsystem and the actuator subsystem, respectively.

(44) The performing integrated calculation and optimization analysis specifically includes:

(45) S301: integrating the safety integrity parameters of the controller subsystem, the sensor subsystem, and the actuator subsystem to obtain the safety integrity parameters of a safety instrumented function; wherein the average probability of dangerous failure on demand PFD_Sys of the safety instrumented function is calculated as follows:
PFD_Sys = PFD_S + PFD_L + PFD_FE

(46) wherein PFD_S is the average probability of dangerous failure on demand of the sensor subsystem, PFD_L is the average probability of dangerous failure on demand of the controller subsystem, and PFD_FE is the average probability of dangerous failure on demand of the actuator subsystem;

(47) S302: obtaining the weak link of the subsystems by analyzing the safety integrity parameters and the ratio of parameters of the controller subsystem, the sensor subsystem, and the actuator subsystem, and replacing device, optimizing device configuration, adjusting device inspection time, adjusting device repair parameters for the subsystem with high safety integrity requirements; and

(48) S303: generating a safety integrity assessment report.