Dynamic risk assessment approach of riser recoil control failure during production test of marine natural gas hydrate

The marine natural gas hydrate is considered to have huge resource potential in the South China Sea, and a sixty‐day production test has been successfully conducted in 2017. As the crucial and most vulnerable connection of floating platform and subsea wellhead, the risers are of paramount importance in safe production test of the hydrate. Due to harsh environment and the possible drive off and drift off events induced by failure of dynamic positioning system of the platform, the unplanned emergency disconnect of risers is an integral preventive measure to avoid accidents and secure the well. Once the disconnect occurs, the huge potential energy stored in the riser column will release and consequently cause violent axial recoil, which will cause serious consequences if the recoil control fails. This paper presented a quantitative risk assessment approach on the basis of dynamic Bayesian networks to dynamically predict the risk of riser recoil control failure during production test of hydrate. By using the proposed method, the dynamic failure risk of the riser recoil control was figured out, and the most contributory factors were identified. The practical application of the proposed methodology was demonstrated through a case study. Results indicated that the probability of riser recoil control failure can be significantly decreased within one year through equipment repair, and the failure and repair rates of shutoff valves and main air isolation valves are the most contributory factors. Some corresponding safety control measures were proposed to further mitigate the risk of riser recoil control failure during the production test of hydrate.


CHANG et al.

area in 2017. From 10 May to 9 July, the production test lasted for 60 days, and the cumulative gas volume produced during the sixty-day test was approximately 309 000 m³, which holds the new record for the longest production time and the highest cumulative volume in the world's offshore gas hydrate production tests and is essential to the future global energy supply. 2 However, the environmental conditions in the South China Sea are harsh: the frequent typhoons, internal solitary waves, and local unanticipated rapidly developing sea states threaten safety and pose a huge risk to the hydrate production test. 3 Besides, drive off and drift off events due to failure of dynamic positioning of the floating platform are likely to occur during the production test of hydrate. Under these circumstances, once the offset of the floating platform exceeds the predetermined red alert circle, the risers with the Lower Marine Riser Package (LMRP) must be immediately disconnected from the blowout preventer (BOP) to prevent potential accidents and secure the well and subsea equipment. Subsequently, the huge potential energy stored in the riser column is released and causes violent axial recoil of the riser column. This recoil must be controlled by the recoil control system of the tensioners in order to avoid serious accidents, for example, buckling of the risers, damage to the slip joint and tensioners, and damage to other equipment along the recoil path. [3][4][5]

Various factors will lead to riser emergency disconnect and the resultant recoil. According to the existing literature, the occurrence probabilities of drift off and drive off events are 2 × 10⁻³ per year and 1.6 × 10⁻⁵ per dynamic positioning hour, respectively. [6][7][8] Besides, a large number of measurements and remote-sensing observations have shown that internal solitary waves occur frequently and exist widely in the South China Sea, 9 and local rapidly developing storms have been identified as the most contributory factor to riser emergency disconnect. 3 Recoil control of the tensioners has been an integral preventive measure for the safe production test of hydrate in deepwater.
Many researchers have investigated the axial recoil dynamics of the risers. Grønevik 10 and Li et al 11 adopted different computation methods to analyze the frictional forces resulting from the internal flow of the riser during riser recoil. Lang et al 12 developed a one-dimensional finite volume discharging flow model, and the calculated fluid pressure and velocity fields were used to determine drag loading and the effective tension distribution along the risers. Ma et al 13 demonstrated the great sensitivity of the recoil performance of the riser to water depth. Meng et al 14 proposed two notable fluid column models to analyze the discharging flow effect in riser recoil during an emergency disconnect scenario. Tan et al 15 proposed a comprehensive risk management methodology for drilling in gas hydrate-bearing sediments, which was used to reduce risk and uncertainty associated with gas hydrates and associated shallow gas geohazards in deep water. Gao et al 16 developed a wellbore/formation heat-transfer model to analyze the hydrate dissociation risks caused by the wellbore temperature during hydrate drilling and proposed effective methods to control the hydrate dissociation. Wei et al 17 analyzed the mechanisms of risks caused by hydrate decomposition during hydrate drilling and provided drilling parameter optimization strategies to address potential drilling risks. However, to date, research on riser recoil control (RRC) during production test of marine hydrate from a risk perspective appears only sporadically in the related literature.
The Bayesian network (BN) is a widely used probabilistic method in the risk analysis of offshore operations. Khakzad [20][21][22][23] and it therefore cannot be used to represent the system's temporal evolution as it is time-independent. As an extension of the ordinary static BN, the dynamic BN (DBN) not only can model the dynamic behavior of a system by introducing temporal dependencies in the network, but also can use the previous states for the reasoning process under present conditions. [24][25][26] Cai et al 27 presented a quantitative reliability and availability evaluation method for the subsea BOP system by translating a fault tree (FT) into a DBN. Chang et al 28 proposed a DBN-based approach for dynamic fatigue failure risk analysis of the subsea wellhead during service life.
With respect to dynamic risk assessment approaches, many researchers have done much work. Meel et al 29,30 developed a complete dynamic risk assessment methodology for process facilities, termed dynamic failure assessment, which aimed at estimating the dynamic probabilities of accident sequences. Kalantarnia et al 31 developed a dynamic risk assessment methodology by integrating Bayesian failure mechanisms with consequence assessment, which was further applied to the risk assessment of Hoeganaes metal dust accidents by Paltrinieri et al. 32 Besides, Yuan et al 33 proposed a risk-based optimal allocation of safety measures to avoid or prevent dust explosions based on dynamic risk analysis, and a data-driven dynamic methodology for dynamic risk assessment of offshore drilling operations was proposed by Adedigba et al. 34

In quantitative risk assessment, it is notoriously difficult to obtain the precise probability of the basic events in advance when the objective data available to estimate probabilities of the specific event are scarce. Recently, deep learning techniques have been developed and gained great success in industrial processes. Yuan et al 35,36 proposed a deep learning-based variable-wise weighted stacked autoencoder for hierarchical output-related feature representation layer by layer and developed a supervised long short-term memory network to learn quality-relevant hidden dynamics for soft sensor application. Shang et al 37 exploited a deep belief network to build a soft sensor for a crude distillation unit and discussed the unique advantages of deep learning for industrial processes. Chojaczyk et al 38 presented a survey on the development and use of artificial neural network (ANN) models in structural reliability analysis. Adedigba et al 39 presented a data-driven dynamic failure assessment methodology to estimate process accident probability and predict the risk. Shi and Chang et al 40,41 proposed frameworks regarding Bayesian regularization artificial neural network (BRANN)-based models for the CFD-based explosion risk analysis procedure and optimized the BRANN approach with the integration of the Artificial Bee Colony algorithm.
However, deep learning requires massive amounts of available data samples. For riser recoil control during production test of hydrate, the objective data available to estimate probabilities of basic events are scarce, and some events have unknown failure data because they occur so infrequently. For those reasons, expert judgment and reference reviews have become an appropriate approach to obtain the occurrence probabilities of events. Although the quantitative risk obtained may be subject to a margin of error, as part of the input data are obtained by expert judgments and reference reviews, it is a first step in making a decision on probable preventive measures for RRC failure, and it has been widely used in risk assessment fields. 3,28,42,43

The objective of the present paper is to propose a DBN-based methodology to predict the dynamic risk of RRC failure over time during production test of marine hydrate. In this methodology, the DBN model is developed by mapping the FT and considering repair of the equipment. By using the proposed method, the dynamic failure risk of the RRC could be achieved, and the most contributory factors could be identified. Eventually, some preventive measures are proposed to further mitigate the failure risk of RRC.
The rest of the paper is structured as follows: Section 2 introduces the composition and function of the RRC system in direct acting tensioner. A DBN-based risk assessment methodology with imperfect repair is proposed in Section 3. Section 4 is a case study regarding the application of the proposed methodology in dynamic risk assessment of RRC failure during production test of marine hydrate. Finally, the conclusions are summarized in Section 5.

SYSTEM
The RRC system (Figure 1) is a complicated mechanical, electrical, and hydraulic coupled system, which mainly consists of tensioner hydraulic cylinders, shutoff valves, control skids, accumulators, air pressure vessels (APVs), and a signal monitoring system, among others. These are introduced in detail as follows:

1. Tensioner hydraulic cylinders. The tensioner system consists of six pulling tensioner hydraulic cylinders which are directly attached to the tensioner ring of the marine risers and the drill floor by a flexible link. Each cylinder is connected to a high-pressure accumulator bank by a shutoff valve, and the piston side on all cylinders is connected to a common nitrogen vessel.

In the high-pressure side, the oil flows from the cylinder to the accumulator when the cylinder extends and in the opposite direction when the cylinder retracts. In the low-pressure side, the nitrogen gas protects the inside surface of the cylinders from corrosion and provides a nearly constant pressure. In addition, a cylinder rod position system is connected to each cylinder to monitor the rod position and is also used by the PLC to calculate the accumulator oil level and to monitor riser disconnect.

2. Shutoff valves. The shutoff valve installed for each cylinder is located between the cylinder and the accumulator. All the shutoff valves are assembled on two skids, and there is an external power pack as the primary source of pilot oil to the valves on each skid. The pilot oil is stored in a set of precharged bladder accumulators and maintained by an air-driven pilot pump, which starts and stops automatically according to the pressure in the bladder accumulators, controlled by the PLC.

During riser emergency disconnect, as the cylinder piston rods retract, the RRC system proportionally controls the shutoff valve opening to choke the flow out of the accumulators, thus reducing the cylinder speed as well as controlling the force applied to the riser. When the tensioner hydraulic cylinder piston rods are fully retracted, the shutoff valves opening will be closed to approximately 83%, almost locking the tensioner hydraulic cylinders and consequently controlling the riser recoil.

3. Air pressure vessels. The APVs are the pressure source in the tensioners. They contain a large volume of compressed air used to pressurize the riser tensioner hydraulic cylinders, which generates a pull on the marine risers. There are three different types of vessels, including working APVs, standby APVs, and a low-pressure nitrogen pressure vessel (NPV). The working APVs are the pneumatic spring for the tensioner hydraulic cylinders, the standby APVs are used to provide quickly accessible air for pressure rise in the working APVs, and the low-pressure NPV is used to keep a nearly constant pressure on the cylinder piston side to prevent the "empty" piston side of the cylinder from corrosion.

4. Air control skids. The air control skids are located on the piping between the oil accumulators and the APVs, and they are interfaced to the compressor filled by standby APVs. Each air control skid consists of a main air isolation valve, bypass valve, APV fill valve, APV vent valve, and tensioner vent valves, which provide centralized control of the pressure for the tensioners. The main air isolation valve is used to open APVs, the bypass valve is used to bypass the main air isolation valve, the APV fill valve is used to increase APV pressure, the APV vent valve is used to reduce APV pressure, and the tensioner vent valve is used to reduce accumulator pressure.

In addition, the main air isolation valve, equipped with a visual and electric indicator, is a detent valve that will remain in any given position even if electric power or the rig air system is lost. Its position feedback switch is connected to the PLC and is also used to indicate whether a tensioner hydraulic cylinder is in use or not.

5. Oil/air accumulators. The oil/air accumulators, without piston or bladder, are the interface between the oil in the cylinder and the air in the APVs. Two by two, accumulators are piped together at top and bottom, forming an accumulator pair which works for three cylinders. The bottom manifolds are for hydraulic fluid supply to the cylinders, and the top manifolds are for high-pressure air supply.

For oil level monitoring, each pair of accumulators has a differential pressure transmitter that measures the static pressure of the oil column. This level is then calculated together with the cylinder rod position to verify the correct fluid level in each of the six cylinders.

Dynamic Bayesian networks
BN is a graphical inference method that describes the relationship between causes and consequences. 44 A BN is composed of nodes, arcs, and conditional probability tables (CPTs) to represent a set of random variables and the conditional dependencies among them. Meanwhile, BN takes advantage of Bayes' theorem to update the prior probabilities of variables given new observations, called evidence, 3,28 rendering the updated or posterior probabilities as represented in Equation (1). 45

DBN represents a graphical structure on the basis of the Markov model, which is a long-established extension of static BN by introducing the concept of change over time. In practical engineering applications, it is better to deal with a complex dynamic system by introducing the time factor. Figure 2 illustrates a process of DBN development where the current time step is represented by t0 and the next time step by t1. In a DBN, an intra-slice arc represents the development relationship between different factors at the same time, X1 → Y, and an inter-slice arc represents the development relationship between the same factors at different times. After the DBN model is established, CPTs and transition probability tables need to be specified.

Imperfect repair modeling
The failure and repair can be considered in the DBN model by assuming that each parent node is a multi-state degraded system. Four assumptions are made 27,46 :

1. The component may have many levels of degradation, corresponding to discrete performance rates, which vary from perfect function to complete failure.
2. The system might fail randomly from any operational state.
3. All transition rates are constant and exponentially distributed.
4. The current degradation state is observable through some system parameters, and the time needed for inspection is negligible.

Each root node of the DBN involves four states, that is, D0, TR1, TR2, and F, as shown in Figure 3. D0 refers to the perfect function state. TR1 and TR2 refer to the first and the second degraded states, respectively. F refers to the failed state. Each root node is initially in D0. As time progresses, it can go to TR1, TR2, or even F, which conforms to the Markov model. When the component reaches the failed state, a repair is needed. If it can only go to the perfect functioning state, it is considered to be perfect repair. If it can go to the perfect functioning state as well as the degraded states, it is considered to be imperfect repair. 27 The failure rate λ and repair rate μ of the component are assumed to follow an exponential distribution.
According to the provided state transition diagram and exponential distribution assumption of failure and repair rates, from the current time to the next, t → t + τ, the transition relationships among consecutive nodes without repair, with perfect repair, and with imperfect repair are presented in Tables 1-3, respectively. 47
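The four-state chain described above can be stepped week by week to compare the three repair policies; the following is an added example, not code from the paper. All rates, the 0.7/0.2/0.1 imperfect-repair split, and the first-jump form of the one-step probabilities are constructed assumptions, since Figure 3 and Tables 1-3 are not reproduced on this page.

```python
"""Four-state degradation chain (D0, TR1, TR2, F) under three repair policies.

Rates are constructed for illustration (per week); they are not the values
of the paper's Table 6, and the one-step formula is an assumption.
"""
import math

STATES = ("D0", "TR1", "TR2", "F")

# Constructed degradation/failure rates, keyed by (from_state, to_state).
FAILURE_RATES = {
    ("D0", "TR1"): 2e-3, ("D0", "TR2"): 1e-3, ("D0", "F"): 5e-4,
    ("TR1", "TR2"): 3e-3, ("TR1", "F"): 2e-3,
    ("TR2", "F"): 5e-3,
}
MU = 0.1  # constructed total repair rate out of F

# Perfect repair returns only to D0; imperfect repair may land in TR1 or TR2.
REPAIR_MODES = {
    "none": {},
    "perfect": {("F", "D0"): MU},
    "imperfect": {("F", "D0"): 0.7 * MU,
                  ("F", "TR1"): 0.2 * MU,
                  ("F", "TR2"): 0.1 * MU},
}


def transition_matrix(mode, tau=1.0):
    """One-step matrix for t -> t + tau.

    A state is left with probability 1 - exp(-total_rate * tau) and the
    destination is chosen in proportion to the competing rates (at most one
    jump per step is modelled).
    """
    rates = dict(FAILURE_RATES)
    rates.update(REPAIR_MODES[mode])
    matrix = []
    for src in STATES:
        out = {dst: r for (s, dst), r in rates.items() if s == src}
        total = sum(out.values())
        leave = 1.0 - math.exp(-total * tau)  # 0.0 for an absorbing state
        row = []
        for dst in STATES:
            if dst == src:
                row.append(1.0 - leave)
            else:
                row.append(leave * out.get(dst, 0.0) / total if total else 0.0)
        matrix.append(row)
    return matrix


def failure_curve(mode, weeks=52, tau=1.0):
    """P(component is in F) at week 0..weeks, starting from D0."""
    p = transition_matrix(mode, tau)
    dist = [1.0, 0.0, 0.0, 0.0]
    curve = [dist[3]]
    for _ in range(weeks):
        dist = [sum(dist[i] * p[i][j] for i in range(4)) for j in range(4)]
        curve.append(dist[3])
    return curve


if __name__ == "__main__":
    for mode in REPAIR_MODES:
        print(f"{mode:9s} P(F) at week 52 = {failure_curve(mode)[-1]:.4f}")
```

With repair rates far above failure rates, the perfect and imperfect curves stay close together and well below the no-repair curve, which is the qualitative behaviour the case study reports for the whole system.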

Proposed methodology for the dynamic risk assessment of riser recoil control failure
The proposed dynamic risk assessment methodology framework for RRC failure is shown in Figure 4, which involves the following five main steps 26,28,48 :

1. Defining system and collecting necessary information. In this step, prior safety-based knowledge resources, including the accepted knowledge from existing codes, empirical knowledge from research papers, and the tacit knowledge from domain experts, should be collected first to provide a basis for predicting the potential risk.
2. Hazard identification and relation determination. The potential risk variables, which represent system safety condition and performance states, and the explicit relationships and interdependencies among the variables can be determined, respectively, by FT.

The relationships between components are determined by analyzing the operation principle of recoil control of tensioners, and the potential hazards are identified by the prior safety-based knowledge. Eventually, a FT is constructed in Figure 5. In the FT, there are 30 basic events and the relationships between events are either AND gate or OR gate.

DBN model development
The DBN model of the RRC failure could be obtained by mapping the FT, and the mapping algorithm includes graphical and numerical tasks. 3 In order to perform probabilistic analysis, prior probabilities of all basic events are assigned values derived from three main sources. Most of these failure probabilities are obtained from expert judgments and fuzzy set theory using mathematical aggregation techniques. Five related experts from the drilling contractor, oil company, research institute, and university, as listed in Table 4, were invited to judge the fuzzy number based on their experience. Using fuzzy set theory, the probability values of components are characterized by fuzzy numbers, and the obtained fuzzy number can then be transformed into the fuzzy failure probability of basic events. 3,28,[50][51][52] Another source of probability, as well as the failure and repair rates of equipment in the RRC system, is obtained from the literature, handbooks, and failure databases, such as OREDA, HSE, and OGP. 3,28

With respect to the CPTs of different factors, the invited domain experts discussed and determined the possible data based on their expertise. The conditional dependencies among elements of the DBN were assigned in CPTs. The logical gates of the FT and experience-based judgment were used to determine the CPTs in the DBN model. The logical gate of the FT represents a deterministic relationship between primary events and intermediate events. For example, if X8 and X9 succeed, the monitor system fails inevitably. Actually, for a DBN with n root nodes and m states for each root node, it requires m^n independent parameters to completely specify the CPT.
Assume that there are n causes X1, X2, … and Xn of Y, the probability of Xj is Pj, and the noisy OR gate model can be expressed as follows 27 : Similar considerations can be made for variables in the parallel system, by taking into account the noisy AND gate as follows: By using Equations (3) and (4), the CPT for series and parallel systems can be calculated, for example, from the degradation probabilities of root nodes X8 and X9 in the series: P("Monitor system failure" = Yes|TR1 X8 = Yes) = 0.048, P("Monitor system failure" = Yes|TR2 X8 = Yes) = 0.089, P("Monitor system failure" = Yes|TR1 X9 = Yes) = 0.049, and P("Monitor system failure" = Yes|TR2 X9 = Yes) = 0.091. Failure of either X8 or X9 can cause the "Monitor system failure," which means there are n = 2 root nodes, and each root node has m = 4 states; therefore, the CPT has m^n = 16 states. The CPT among root nodes "X8" and "X9" and intermediate node "Monitor system failure" in the DBN is shown in Table 5.
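The 16-column CPT for "Monitor system failure" can be generated from the four link probabilities quoted above using the standard noisy-OR combination, shown here as an added example (not code from the paper). Equations (3)-(4) and Table 5 are not reproduced on this page, so the results may differ from Table 5; the link probabilities of 0 for D0 and 1 for F, the zero leak term, and the parent state distributions in the demo are assumptions.

```python
"""Noisy-OR CPT for "Monitor system failure" with parents X8 and X9."""
from itertools import product

STATES = ("D0", "TR1", "TR2", "F")

# P(child = Yes | only this parent is in the given state).
# TR1/TR2 values are the ones quoted in the text; D0 = 0 (no contribution)
# and F = 1 (deterministic OR gate of the fault tree) are assumptions.
LINK = {
    "X8": {"D0": 0.0, "TR1": 0.048, "TR2": 0.089, "F": 1.0},
    "X9": {"D0": 0.0, "TR1": 0.049, "TR2": 0.091, "F": 1.0},
}


def noisy_or(link_probs):
    """Standard noisy-OR without leak: 1 - prod(1 - p_j)."""
    survive = 1.0
    for p in link_probs:
        survive *= 1.0 - p
    return 1.0 - survive


def build_cpt(link=LINK, states=STATES):
    """Return (parents, cpt); cpt maps a tuple of parent states to (P(Yes), P(No))."""
    parents = sorted(link)
    cpt = {}
    for combo in product(states, repeat=len(parents)):
        p_yes = noisy_or(link[name][state] for name, state in zip(parents, combo))
        cpt[combo] = (p_yes, 1.0 - p_yes)
    return parents, cpt


def marginal_failure(parents, cpt, parent_dists):
    """P(child = Yes) for independent parents with the given state distributions."""
    total = 0.0
    for combo, (p_yes, _) in cpt.items():
        weight = 1.0
        for name, state in zip(parents, combo):
            weight *= parent_dists[name][state]
        total += weight * p_yes
    return total


if __name__ == "__main__":
    parents, cpt = build_cpt()
    print("parents:", parents, "columns:", len(cpt))  # m**n = 4**2 = 16
    for combo, (p_yes, p_no) in cpt.items():
        print(combo, f"Yes={p_yes:.6f}", f"No={p_no:.6f}")
    # Constructed state distributions for one time slice (not from Table 6).
    dists = {
        "X8": {"D0": 0.90, "TR1": 0.05, "TR2": 0.03, "F": 0.02},
        "X9": {"D0": 0.90, "TR1": 0.05, "TR2": 0.03, "F": 0.02},
    }
    print("P(Monitor system failure) =", round(marginal_failure(parents, cpt, dists), 6))
```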
The DBN of RRC failure was developed using graphical network interface (GeNIe 53 ) software as shown in Figure 6. The failure and repair rates of dynamic nodes were determined and listed in the 3rd and 4th columns of Table 6, and the prior probabilities of static nodes were given in the 5th column of Table 6. Using the failure and repair rates of dynamic nodes, the transition probability tables between two time slices are established by Tables 1-3.

Dynamic risk analysis
Based on the established DBN model, it is now possible to predict the probability of RRC failure within one year (52 weeks) through causal inference of the DBN. The prior probabilities of the contributory factors and their conditional probabilities, as well as transition probabilities, were input into the DBN model. The output was the probabilities of RRC failure with repair of equipment and without repair of equipment as presented in Figure 7, and the prior probabilities of dynamic nodes at the last time slice with imperfect repair were determined as shown in the 7th column of Table 6. As can be seen from Figure 7, the probability of RRC failure increased continuously. In the 52nd week, the failure probability of RRC was 0.233 without repair of equipment, and the failure probabilities of RRC were approximately 0.077 and 0.084 with perfect and imperfect repair of equipment, respectively. The results suggest that the success probability of RRC will be improved significantly within one year with repair of equipment, whereas the imperfect repair of equipment does not degrade the success probability of RRC significantly in comparison with the perfect repair of equipment, as the failure rates of the components in the RRC system are far less than their repair rates, and the transition probabilities of dynamic nodes in the DBN model with perfect and imperfect repair are relatively small.

Diagnostic inference
Diagnostic inference is a backward inference method, which aims to determine the most probable direct causes that have great impacts on the occurrence of the top event by using the diagnostic analysis technique in the DBN inference. 26 calculated, which would provide meaningful information to avoid RRC failure. When a basic event has a high posterior probability and a high increasing probability, it is a critical event, that is, one of the most probable factors to cause RRC failure. 28 The posterior probabilities of basic events at the last time slice with imperfect repair are determined and listed in the 8th column of Table 6. As shown in Figure 8, by comparing the prior probabilities with the posterior probabilities of input basic events, the critical events can be identified. From Figure 8, it can be found that the posterior probability and the increasing probability of the basic event "shutoff valves (X10)" are the highest, followed by "main air isolation valves (X13)," "solenoid valves (X16)," "pressure transmitters (X8)," "displacement transmitters (X9)," and "air-driven pilot oil pumps (X27)," denoting that they are the most contributory factors leading to the possible failure of RRC during riser emergency disconnect. That means more attention should be paid to the failure and repair rates of the critical events.
Based on diagnostic inference, some active preventive measures could be taken to further mitigate the risk of RRC failure, which are as follows: (a) making a detailed maintenance plan for the important valves to avoid possible failure; (b) selecting high quality hydraulic oil for the pump and substituting it in time; (c) selecting high quality sensors and connecting the sensors in parallel to enhance the system redundancy; and (d) building a fault diagnosis system to identify the faulty components, to distinguish the fault types, and to alert the operators.

Sensitivity analysis
When a new methodology is developed, a careful validation is required to ensure its robustness. A sensitivity analysis was carried out in this study to test the proposed model. If the model is robust, the obtained result would be sensitive, but would not show abrupt variations to any minor change of the input parameters. 42,52,54 Because the critical events are all dynamic, it is assumed that the failure rates of critical events are subjected to a change of ±10%. The effects of changes in failure rates of influencing factors on probability of RRC failure with imperfect repair of equipment are shown in Figure 9.
As seen from Figure 9, with the assumption of the failure rate of critical event X10 being increased to 110%, the probability of RRC failure increased from 8.39% to 8.53%. When both of the failure rates of critical events X10 and X13 were increased to 110%, the probability of RRC failure increased from 8.53% to 8.75%. When the failure rates of critical events X10, X13, and X16 were increased to 110%, the probability of RRC failure increased from 8.75% to 8.95%. Furthermore, when the failure rates of critical events X10, X13, X16, and X8 were increased to 110% simultaneously, the probability of RRC failure increased from 8.95% to 9.16%. Similarly, the decrease of failure rates of the critical events will reduce the occurrence probability of the top event in the same way.

Figure 10 shows the effects of changes in failure rates of influential factors on the probability of RRC failure without repair of equipment. When the failure rate of critical event X10 was increased to 110%, the probability of RRC failure increased from 23.34% to 24.01%. In comparison with imperfect repair of equipment, when the failure rates of critical events increase, the probability of RRC failure has a similar variation tendency but increases faster. As expected, in both cases of imperfect repair and without repair of equipment, a slight change of the failure rate for critical events induces a variation of the probability of RRC failure in a reasonable way, thus giving a validation of the developed model.

CONCLUSIONS
In this paper, a DBN model of RRC failure was developed by mapping FT, which is established by the identification of influential factors and analysis of the relationships between

The dynamic risk analysis indicates the probability of RRC failure can be decreased significantly within one year through equipment repair, whereas the imperfect repair of equipment does not degrade the success probability of RRC significantly by comparison with the perfect repair of equipment, as the failure rates of the components in the RRC system are far less than their repair rates, and the transition probabilities of dynamic nodes in the DBN model with perfect and imperfect repair are relatively small.
By diagnostic inference, the critical events, including X10 (shutoff valves), X13 (main air isolation valves), X16 (solenoid valves), X8 (pressure transmitters), X9 (displacement transmitters), and X27 (air-driven pilot oil pumps), are identified as the most contributory (critical) factors leading to the possible failure of RRC. In addition, some corresponding safety control measures were proposed to

FIGURE 7 Risk analysis with respect to perfect and imperfect repair of equipment within 1 y

Due to the deficiency of available data in RRC of offshore operations, the limitation of the proposed method is that the quantitative risk obtained may be subject to a margin of error as part of the input data are obtained by expert judgments and reference reviews. However, it is a first step in making a decision on probable preventive measures for RRC failure. Future research is planned to investigate and collect massive and available data of marine hydrate production test and to apply parameter learning and optimization methods to achieve a more precise estimation of the dynamic failure risk of the RRC.