OTC-27814-MS

Qualitative Fault Tree Analysis of Blowout Preventer Control System for Real Time Availability Monitoring

Mete Mutlu, University of Houston; Zev Arnold, Accenture, LLP; Dr. Matthew A. Franchek, University of Houston;
Jose Meraz, Shell International Exploration and Production Inc.

Copyright 2017, Offshore Technology Conference

This paper was prepared for presentation at the Offshore Technology Conference held in Houston, Texas, USA, 1–4 May 2017.

This paper was selected for presentation by an OTC program committee following review of information contained in an abstract submitted by the author(s). Contents of
the paper have not been reviewed by the Offshore Technology Conference and are subject to correction by the author(s). The material does not necessarily reflect any
position of the Offshore Technology Conference, its officers, or members. Electronic reproduction, distribution, or storage of any part of this paper without the written
consent of the Offshore Technology Conference is prohibited. Permission to reproduce in print is restricted to an abstract of not more than 300 words; illustrations may
not be copied. The abstract must contain conspicuous acknowledgment of OTC copyright.

Abstract
This paper deals with the dynamic availability of a subsea blowout preventer (BOP) with respect to regional
and industrial requirements. The study aims to reduce the non-productive time on drilling rigs due to
complex propagation of failures within the BOP and BOP control system. In this development, fault tree
analysis updated from a near-real-time failure database is incorporated into the operational decision-making
process. First, the system is defined with specifications, boundaries and assumptions. Failure modes of each
component are stated. The requirements on the BOP control system are determined with respect to API
Standard 53. Fault trees are constructed to address each requirement, and cut sets are produced. For dynamic
analysis, a database of BOP states and failed components is created using reports from the drilling contractor
and operator. Upon detection of a failure, the cut sets are updated. With this application, the impact of a newly
discovered failure, in combination with the existing set of failures, on BOP availability and compliance is
determined in a standardized manner, allowing consistent and efficient judgment.

Introduction
A blowout preventer (BOP) is pressure control safety equipment that is used during the drilling and
completion of oil and gas wells. Installed directly on the wellhead for the duration of drilling or completion
operations, the BOP enables auxiliary access to the wellbore via choke and kill lines, and assists with control
of the drillstring. In the event of a loss of well control, the BOP serves as the final safeguard by shearing
the drillstring and sealing the wellbore.
Subsea BOP's used in deepwater operations typically utilize a hydraulic control system that employs high
power-to-weight ratios to shift large rams or preventers to close across the wellbore. Hydraulic fluid is routed
from a source reservoir, typically stored in local accumulator bottles or delivered through a conduit from
surface, to individual functions via a hydraulic control pod [1]. On modern subsea BOP's, a single hydraulic
control pod may contain over one hundred hydraulic valves to route control fluid to dozens of functions.
Hydraulic control systems have many advantages, including ease of power transfer, maintainability,
self-lubrication, and reliability.
BOP designs include many layers of redundancy to ensure sealing capability and controlled access to
the wellbore. Multiple pipe rams, shear rams and annular preventers increase operational flexibility and
ensure well containment capabilities even in the event of component or hydraulic failure. API mandated
control pod redundancy allows preventers to be controllable even if a control pod fails. Dedicated subsea
accumulators provide a redundant source of control fluid. Deadman and auto-shear sequences perform
autonomous containment of the wellbore and disengagement from the rig should there be loss of hydraulic
and/or electrical power to the subsea BOP. ROV control ports allow direct preventer actuation in the case
of a total loss of control pods or hydraulic power to the BOP. These redundant systems increase process,
personnel, and environmental safety.
Several studies have assessed the reliability and availability of BOPs. Fowler presented an application of
fault tree analysis (FTA) and failure mode and effects analysis (FMEA) to a simplified BOP
control system [2]. Liu et al. analyzed the reliability of a BOP using Petri nets and dynamic Bayesian
networks [3, 4]. The effects of failures within a BOP control system on drilling safety were investigated by
Abimbola [5]. Cai et al. presented a quantitative study on the real-time reliability evaluation
of a pipe ram [6]. Cai has also published top-level studies on the performance evaluation of BOPs with common
cause failures and the reliability of the BOP in the presence of error shocks [7, 8]. Holand published data on
subsea BOP failures and estimated availability with respect to the availability of rams and annulars using fault
tree analysis [9]. McKay et al. discussed an architecture for presenting the health of a BOP using a dashboard
[10].

Problem Statement
Increased redundancy of the BOP control system has resulted in increased design complexity. The impact
on the availability of functions due to a combination of component failures requires expert review of the
BOP's system design. The time required to assess a BOP's health when a component failure is detected can
incur significant costs from idle rig time.
Although redundancy ensures the availability of critical functions, individual component failures are not
uncommon in the extreme environment in which subsea BOP's operate. BOP equipment failures are one
of the leading causes of non-productive time on deepwater drilling rigs [11]. Awareness of the qualitative
impact of existing component failures can lead to operational guidance on which BOP functions to use for
normal well control and drillstring operations to reduce wear on vulnerable systems.
Availability of the BOP's functions should be monitored with respect to known failures to reduce BOP
related non-productive downtime. Monitoring the availability of the redundant preventers, control paths, and
control methods requires a translation of component failures to systemic impact. In this study, a system level
analysis of failure propagation of every individual component to overall system availability is introduced
via qualitative fault tree analysis.

Fault Tree Analysis


Fault tree analysis (FTA) is a deductive method for determining all possible combinations of basic events that
can cause an unwanted system state. A basic event is any individual failed component and accompanying
failure mode, e.g. the failure of a valve to shift or the external leakage of a regulator. FTA is widely used to
evaluate system reliability, design defects, critical components, safety hazards, and required testing regimes
[12,13]. The steps of an FTA include assessment of the system and mission, description of the assumptions,
drawing the boundaries of analysis, determination of components and failure states, and finally creation of
the fault tree by combining failure modes and top events via Boolean logic. In FTA, a top-down approach
is employed, where potential unwanted system states with respect to safety, requirements, or mission are
evaluated against an observed state or probability of occurrence. Starting from the top event, the intermediate
events that can contribute to an unwanted system state are progressively detailed until the sources of the
failures, or basic events, are reached at the desired level of detail as shown in Fig. 1. A completed fault
tree can be assessed in a qualitative manner, i.e. against an observed set of known failures, to determine
current availability, or in a quantitative manner, i.e. against the failure rates of processes and components,
to determine reliability and projected mission availability.

Figure 1—Example Fault Tree

Development of Dynamic BOP Availability Analysis


In this paper, a study on the dynamic availability of the BOP with respect to system and operational
requirements is presented using qualitative fault tree analysis. First, the specifications and the boundaries
of the BOP and assumptions of the study are defined. The assumptions made during the analysis are stated.
Components within the boundary are uniquely identified with a component type and possible failure modes.
Then, the system and operational requirements of a BOP are selected from regional rules, standards, and
best practices. Each requirement is converted into a top event, which reflects the state that the BOP must
comply with given the requirement. The defined top events are connected to component failures and external
events via intermediate events and logic gates in a deductive manner to construct the fault trees. Then, each
fault tree is qualitatively assessed against component failures from a tracking database to determine the
propagation of failures within the trees and assess the dynamic availability of the BOP with respect to
defined requirements. The output, which is a determination of system availability with respect to the given
requirements, is used for operational guidance and failure risk assessment. The level of detail within the
system level fault tree analysis allows more thorough understanding of fault propagation within the BOP
and early identification of future faults that can cause a loss of function availability. Implementation of the
methodology across the drilling rig fleet creates a common knowledge base and standardization of decision
making processes.

Specifications of the Analyzed System


In this study, a subsea BOP with a dual pod multiplex control system is analyzed. The BOP has two annular
preventers, one lower marine riser package (LMRP) connector, two blind shear rams, one casing shear ram,
three pipe rams, one test ram and a wellhead connector. A schematic of the BOP and the connections
of kill & choke lines are shown in Fig. 2. The hydraulic control fluid is pressurized on the rig, and two
rigid conduits and a hotline are used to transfer the hydraulic control fluid to the BOP. The two control
pods, blue and yellow, include regulators and directional valves to control the pressure and direction
of flow. Due to the size and hydraulic forces of the valves, hydraulically piloted valves are employed
widely within the system. Small accumulators are used for retaining pressure within the pilot manifolds.
The outputs of main stage valves for the same operation in different pods are joined with shuttle valves.
Piping, tubing, and hoses transfer fluid between equipment. Two umbilical cables contain electric power
and communication channels, and they are connected to each control pod independently. The BOP is also
equipped with a deadman auto-shear system, acoustic pod, and ROV intervention ports as well as dedicated
subsea accumulators to power secondary and emergency systems.

Figure 2—Layout of the BOP Big Iron Equipment

System Boundaries
The focus of the study is the dynamic availability of the BOP during the drilling and completion operations.
The hydraulic and mechanical upstream bounds are drawn at the conduit valve package with connections
to the rigid conduits, hotline and auxiliary lines. Failures due to surface hydraulic power unit (HPU), rigid
conduits, or hotlines are manifested as loss of hydraulic power at rigid conduit or hotline. From this point
on, all of the piping, connections, valves, regulators, and other hydraulic or mechanical equipment including
annulars and preventers are considered in the study.
Boundaries of electric and communication domains are also drawn at the junction to the subsea electronic
module (SEM). Electrical failures within the surface control system and umbilicals are manifested as loss
of electric power supply to the SEM and loss of communications with the SEM, respectively.
Failures due to wellhead assembly, drill bit assembly and wellbore have been kept outside of the boundary
of analysis.

Assumptions
Several assumptions are defined in this study to state the background information of the system. These
assumptions are listed below.

• The BOP that is being analyzed is a subsea BOP of a dynamically positioned drilling rig.

• The BOP is designed such that it is able to withstand the forces, flows and operating conditions
created by the well to be drilled at any stage of the drilling process.
• Members of the operation and maintenance teams are professionally trained.

• The BOPs all meet regulatory requirements.

In addition to the given assumptions, several events are excluded from the analysis. These events are
highly improbable to occur and their implementation would introduce significant added complexity beyond
the usefulness of the analysis, such as:

• A confluence of events where two or more component failures occur in series. These situations
are considered on a case-by-case basis to determine whether the value added by including them
in the model outweighs the additional complexity they would introduce. For example, consider a
situation where a tubular leak exposes a manifold to depressurization only if a solenoid fails to
close. This requires two specific, unrelated, and extremely unlikely failures to occur concurrently.
If they were to occur, this would become immediately evident to the subsea engineer, and it is therefore
of limited value to include in the model. If this situation were to be accounted for in the model,
the inclusion of all such combinations would create an exponential growth in the number of
intermediate events to consider in the fault tree.
• The blockage of components due to debris other than those components downstream of an ROV
port. This assumes that the filters in the HPU and control pod are unlikely to fail in such a way as
to allow significant debris into the control pod.
• A hydraulic lock caused by supplying both pods simultaneously.

• A check valve failing to check so severely that a function is depressurized.

• An ROV port that cannot be plugged should its isolation valve fail.

Indirect degradation modes of components are also excluded from the analysis. Only failures with a direct
impact on the system that would result in it failing to meet requirements are considered. Examples of root
cause failures that are excluded are:

• A regulator failing to reduce pressure resulting in excessive wear on a downstream component.

• Seawater ingress into the solenoid dielectric fluid circuit resulting in a malfunctioning solenoid
valve.
A No Miracle Rule is also employed in the analysis. This rule stipulates that a failure that would normally
propagate to the top of the tree cannot be blocked because of the failure of equipment that would normally
allow failure propagation [12].

Identification of Failure Modes


An industry standard BOP taxonomy is used to comprehensively categorize each individual component of
the BOP as identified from the design process and instrumentation diagrams (P&ID's) of the hydraulic and
mechanical systems. Failure modes for each component are assigned from the BOP taxonomy based on
the categorization of the component. Subject matter experts and records of historical failures are used to
elaborate the BOP taxonomy where needed to add or remove components and failure modes.
Tubulars, piping, or hoses are identified as single components where they run in-between two other
components, such as a solenoid valve and a hydraulic valve. This simplifies the bends and connectors
evidenced in the construction drawing into a single functional component. While connectors are identified
as a separate component from the tubular, piping, or hose section, no distinction is made between connectors
on either end of the functional tubular, piping, or hose component.
Electrical failures unique to specific solenoid valves are categorized as valve state failures, not electrical
failures. An example is a failure of the electrical system that would prevent the transmission of a signal to
a particular solenoid valve. Though this would correctly be identified as a failure of the electrical system,
the functional impact on the BOP system is identical to that of the solenoid valve failing to open.
Leakage failure modes are identified as one of three degrees of significance. A No Functional Impact
leakage does not preclude the system from being considered available. An example would be a leakage
detected during an ROV dive but not evidenced in flow counts or detectable through casual observation
of the HPU. These failures are explicitly excluded from the FTA. A Function Specific leakage assumes
that there is insufficient pressure delivered downstream of the component to successfully meet the system
requirements, and hence a reduction of availability is possible. A Catastrophic Failure leakage assumes that
the leakage of the component is sufficiently severe that the upstream manifold is depressurized and unable
to deliver required pressure to any other functions.
For all components, a Damage – No Failure failure mode is identified to allow for the identification of
mechanical damage to the component that does not preclude it from working correctly. These failures are
explicitly excluded from the FTA.
As the purpose of the FTA is to analyze the availability of the BOP equipment, no failure modes associated
with people or processes are considered in scope.

Requirements on Subsea BOP's During Drilling Operations


Local regulations, industry standards, and Shell mandates are reviewed and assessed for inclusion in this
study as top events. These include:

• Bureau of Safety and Environmental Enforcement (BSEE) 30 CFR 250 Subpart D and sources
referenced by it
• API Standard 53 (API S53): Blowout Prevention Equipment Systems for Drilling Wells

• Shell internal standards

As both BSEE 30 CFR 250 and the Shell PCM reference API S53, the scope of analysis is restricted
to requirements given by this standard on operational readiness of a subsea BOP. To address operational
compliance with respect to API S53, all the requirements stated by API S53 need to be addressed with one
or more fault trees.
API S53 includes requirements on design, functionality, operation, testing and maintenance of BOPs.
These requirements are analyzed to select those that directly or indirectly address operational availability
with respect to the specifications of a given BOP. The selected requirements give statements on:

• Number of rams and annulars

• Availability of pods and working sensors

• Operational and functional capabilities

• Secondary control systems


• Autoshear system

The table below shows brief requirement descriptions that are selected along with their API S53 reference
number.

Table 1—Selected BOP Requirements from API Standard 53

| System Requirements | Ref. | Required Operations | Ref. |
|---|---|---|---|
| One Annular, Two Pipe Rams, and Two Shear Rams Available | 7.1.3.1.6 | A) Close and Seal on Drill Pipe, Tubing, Casing, and Circulate | 7.1.3.1.1.a |
| Deadman and Autoshear Systems Available | 7.4.15/16 | B) Close and Seal on Open Hole and Control the Wellbore | 7.1.3.1.1.b |
| Rigid Conduits and Hotline Available to Control Pods | 7.4.11 | C) Strip the Drill String | 7.1.3.1.1.c |
| Control System Measurement Devices | 7.4.8 | D) Hang-off the Drill Pipe and Control the Wellbore | 7.1.3.1.1.d |
| Toolpusher, Driller, and Subsea Control Panels Available | 7.4.9 | E) Shear the Drill Pipe and Seal the Wellbore | 7.1.3.1.1.e |
| Both Control Pods Available for Operational Functions | 7.4.12 | F) Disconnect the Riser from the BOP Stack | 7.1.3.1.1.f |
| ROV Intervention Available for Class 5 Components | 7.4.16.1 | G) Circulate the Well After the Drill Pipe Disconnect | 7.1.3.1.1.g |
| Acoustic System Available | 7.4.16.2 | H) Circulate Across the BOP Stack to Remove Trapped Gas | 7.1.3.1.1.h |

Construction of Fault Trees


The requirements on the BOP system and operations are addressed by 16 individual fault trees. Each fault
tree has a top event associated with one of the requirements. The top event of the fault tree is decomposed
to intermediate events by defining the immediate causes and immediate mechanisms with accompanying
Boolean Logic. This process is repeated until the source of the failure is defined with a component level
failure. With this approach all the failure paths in a complex system from source to failure of the system
with respect to requirements are charted. Figure 3 shows the top event and the first level intermediate events
of a fault tree analysis of API S53 7.1.3.1.6, which dictates that a subsea BOP should have a minimum of
one operational annular, two pipe rams and a minimum of two shear rams with at least one of them being
able to seal a well. All the sub-requirements are shown with intermediate events that are connected with
an OR gate to the top of the fault tree.

Figure 3—Top Section of Fault Tree Addressing Requirements of API S53 7.1.3.1.6

The BOP and BOP control system consist of hydraulic and mechanical components working in parallel,
series and in feedback loops. Failure propagation in this complex system must account for the interrelation
of these components. A substantial leak due to a failure to close a valve in a fluid supply rail can result in
inadequate supply pressure to other hydraulic paths that share that supply. Similarly, the failure to open a
main stage valve that is connected in series with a shuttle valve and ram can result in being unable to control
a single ram. Despite being co-located, the propagation of the failure and affected area may differ from
similar failed components. Common and function specific sub-trees are created to handle this difficulty in
a systematic and modular way.
The common sub-trees cover the failures that affect a wide area and functionality of the BOP at the same
time. These trees include the failures related to the supply of fluid from rigid conduits or hotline to the
control pods, leakages that can be seen at the manifolds, failures in the stack mounted accumulator system
and similar common groups of failures.
The function specific sub-trees represent the failures within a pod that affect the operation of a specific
function. An example of a function specific sub-tree is failure to close a pipe ram. This sub-tree includes the
failures due to components needed to perform that function and common trees that relate to the function.
The function specific sub-trees also include the failures that can be caused by functions that perform an
opposing or cancelling operation. An example of an opposing function is the circuit that opens the ram
while the desired operation is to close the ram. Should this function fail to depressurize, a hydraulic lock
may prevent the directional control valve from shifting correctly.
After the construction of the fault trees, the fault trees are qualitatively validated using hypothetical
scenarios and historical events. Hypothetical events are created using common combinations of failures and
what-if scenarios by subject matter experts (SME). The trees are also validated using reports coming from
the field to validate coverage, resolution and ability to use in real time. If the requirements on the BOP
change, the fault trees are modified to extend the coverage on the new requirements.

Dynamic Availability Analysis of a BOP


With a completed set of constructed fault trees, a dynamic availability analysis is conducted on the BOP
using qualitative fault tree analysis. The analysis is dynamic with respect to the current condition of the
BOP, updating in near-real-time to reflect the best understanding of the state of component failures. The
output of this analysis is used as part of the decision workflow to address component failures. This decision
workflow includes four primary actors: the drilling contractor's subsea engineering department, the Shell
BOP Reliability Group, third-party surveyor organizations, and regulators from BSEE.
BOP's are maintained and operated by a subsea engineer and his assistants on the drilling rig. They
are responsible for ensuring the BOP's availability during operations, maximizing reliability through
maintenance activities, and responding to observed failures through risk assessments, management of
change (MOC) procedures, and regulatory reporting.
The Shell BOP Reliability Group (Shell BOP) provides oversight for all drilling contractors engaged
by Shell for deepwater operations. Composed of engineering, operations, and compliance specialists, the
BOP Reliability Group tracks compliance of the BOP's with government regulations and Shell standards,
provides support for tracking component failures, identifies operational and design root-cause for recurring
failures, deploys new operational technologies, and acts as an advisor to the Shell drilling superintendents.
Third party surveyors are government licensed organizations that certify the correct functioning of the
BOP during testing and testify to its availability during operations.
The Bureau of Safety and Environmental Enforcement (BSEE) enforces compliance with government
regulations concerning oil and gas exploration, development, and production operations on the Outer
Continental Shelf.
When a component failure is encountered, the subsea engineer performs troubleshooting steps as
necessary to determine the specific component that has failed. These steps may include isolating individual
functions by placing them in ‘block,’ monitoring pump activity from the reservoir of hydraulic control
fluid, and observing the results of pressure testing of the wellbore. Once the subsea engineer is satisfied
that he has identified the source of the failure, that failure is reported to the Shell BOP Reliability Group.
Together the subsea engineer and Shell BOP assess the potential risk of continued drilling introduced by the
failed component and, if necessary, create a management of change (MOC) document to identify necessary
procedure changes. The MOC is submitted to a third-party surveyor organization to certify with a Statement
of Fact (SoF) document. Shell is responsible for submitting a certified SoF to BSEE regulators for any
failure requiring an MOC.
The dynamic availability analysis is consulted immediately after the failure is identified, before submittal
of the MOC to the third-party surveyor. The failure is added to the list of existing known failures on the
BOP and used in a qualitative assessment of the 16 fault trees that define the availability of the BOP. The
output from the dynamic availability analysis is considered when deciding whether to create an MOC and,
if so, how the procedures should be adjusted.
By using the dynamic availability analysis, the subsea engineer and Shell BOP are able to more quickly
and thoroughly understand the impact of the newly discovered failure in combination with the existing
set of failures. Reporting of failures to the third-party surveyor organization is standardized, allowing for
consistent and efficient SoF's. Subjective judgment is replaced with objective observation.

Overview of Enabling Technology


Performing a dynamic availability analysis requires several integrated technologies. A failure database
tracks current and historical observed failures for each BOP in the fleet. A reliability engineering program
stores, manages, and assesses fault trees. A user interface (UI) platform displays the results of the
analysis in an easily understandable way. And an integration service orchestrates data between the different
technologies.
The failure database used in this study is implemented using Microsoft SharePoint. Custom forms and
workflows manage the input of new failures, provide analysis of historical failures, and display the current
state of the BOP's for any drilling rig in the fleet. Each failure is associated with a ‘Status’ field that indicates
whether it has been resolved or is still outstanding. Any failure registered in the failure database that is
outstanding is considered for the dynamic availability analysis. The data stored in the failure database is
maintained by Shell BOP on the basis of daily reports from the subsea engineers and surveillance of
real-time sensor readings.
ReliaSoft BlockSim was selected for this study as the reliability engineering program for managing fault
trees. A single project is created to store all fault trees associated with the dynamic availability analysis.
Individual trees are organized by top-level event, function, or sub-system via a folder structure and naming
conventions. When completed, the fault tree is exported as an XML database to a shared virtual file system
with redundant hard drives.
The UI is created using standard HTML5 programming techniques and the Telerik JavaScript library.
Development follows an Agile methodology to ensure that the resulting output is optimized for the users'
needs. The state of the BOP is summarized with a user interface dashboard. In Fig. 4, a simple UI dashboard
that summarizes the ability of the BOP to satisfy system and operational requirements is shown. When the
state of the BOP satisfies a requirement, the requirement is marked as green. If a fault tree indicates a failure
to comply with a requirement, the requirement is marked with red.

Figure 4—Dashboard that Shows the State of the BOP with Respect to Requirements

The integration service facilitates data transfer between the failure database, fault tree database, and UI.
On a timed period, it queries the failure database for failures associated with each BOP. These failures
constitute the ‘cut set’ of failures to apply to the fault tree. The most recent fault tree database is analyzed
by setting each of the failure conditions in the ‘cut set’ to true and resolving the binary logic to calculate a
True/False value for each top-level event. The integration service finally updates the UI database by writing
the analysis output to a table that maps analysis results to UI elements. The integration service also provides
an ‘on demand’ feature which allows the integration process to be triggered from the UI by a user.
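
The qualitative evaluation described above, as an added example that is not the authors' implementation or their fault trees: a simplified, constructed tree for API S53 7.1.3.1.6 is resolved against outstanding failure records, and its minimal cut sets are enumerated. Event names, the 'Outstanding'/'Resolved' status values, and the tree structure are assumptions made for illustration.

```python
from itertools import combinations

# A node is a basic-event name (str) or a gate tuple ("vote", k, children);
# the gate is true when at least k of its children are true.
def OR(*children):
    return ("vote", 1, children)

def AND(*children):
    return ("vote", len(children), children)

def VOTE(k, *children):
    return ("vote", k, children)

def evaluate(node, failed):
    """Resolve the tree's Boolean logic with every event in `failed` set to True."""
    if isinstance(node, str):
        return node in failed
    _, k, children = node
    return sum(evaluate(child, failed) for child in children) >= k

def basic_events(node):
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(child) for child in node[2]))

def minimal_cut_sets(node, max_order=2):
    """Enumerate minimal cut sets up to max_order by brute force (small trees only)."""
    events, found = sorted(basic_events(node)), []
    for order in range(1, max_order + 1):
        for combo in combinations(events, order):
            candidate = frozenset(combo)
            if any(known <= candidate for known in found):
                continue  # a smaller cut set already covers this combination
            if evaluate(node, candidate):
                found.append(candidate)
    return found

PODS = ("blue", "yellow")

def fails_to_close(preventer):
    """Function-specific sub-tree (constructed): the preventer cannot be closed."""
    pod_paths = [OR(f"{pod}/supply_lost",  # common event shared by every function
                    f"{pod}/{preventer}/valve_fails_to_open")
                 for pod in PODS]
    return OR(f"{preventer}/mechanical_failure",
              f"{preventer}/shuttle_valve_stuck",
              AND(*pod_paths))  # control is lost only when both redundant pods fail

ANNULARS = ("upper_annular", "lower_annular")
PIPE_RAMS = ("upper_pipe_ram", "middle_pipe_ram", "lower_pipe_ram")
BLIND_SHEAR = ("upper_blind_shear_ram", "lower_blind_shear_ram")
SHEAR_RAMS = BLIND_SHEAR + ("casing_shear_ram",)

# Top event: the requirement of API S53 7.1.3.1.6 is NOT met.
REQ_7_1_3_1_6 = OR(
    AND(*map(fails_to_close, ANNULARS)),        # no annular left
    VOTE(2, *map(fails_to_close, PIPE_RAMS)),   # fewer than two of three pipe rams left
    VOTE(2, *map(fails_to_close, SHEAR_RAMS)),  # fewer than two of three shear rams left
    AND(*map(fails_to_close, BLIND_SHEAR)),     # assumption: only blind shear rams seal
)
TREES = {"API S53 7.1.3.1.6": REQ_7_1_3_1_6}

def outstanding(records):
    """Only failures whose Status is still outstanding enter the analysis."""
    return {r["event"] for r in records if r["status"] == "Outstanding"}

def dashboard(trees, records):
    """Map each requirement to red (top event true) or green (requirement met)."""
    failed = outstanding(records)
    return {name: "red" if evaluate(tree, failed) else "green"
            for name, tree in trees.items()}

# Constructed failure-database rows (not data from the paper).
FAILURE_DB = [
    {"event": "blue/supply_lost", "status": "Outstanding"},
    {"event": "yellow/upper_pipe_ram/valve_fails_to_open", "status": "Outstanding"},
    {"event": "lower_pipe_ram/mechanical_failure", "status": "Resolved"},
]
NEW_FAILURE = {"event": "yellow/middle_pipe_ram/valve_fails_to_open",
               "status": "Outstanding"}

if __name__ == "__main__":
    print("before:", dashboard(TREES, FAILURE_DB))
    print("after: ", dashboard(TREES, FAILURE_DB + [NEW_FAILURE]))
    for cut in minimal_cut_sets(REQ_7_1_3_1_6):
        print(sorted(cut))
```

The new valve failure turns the requirement red only because the blue pod supply is already lost, which is the combination effect the analysis is meant to surface.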
During the execution of the integration service, a database is generated on the states and failures
commonly observed in the system. As a necessity for the development itself, keeping this database current
and free from human interference allows better handling of the BOP maintenance logs. The resulting
systematically built knowledge database from the undesired states of the BOP can be used to diagnose
failures of another BOP and assist planning preventive maintenance of a fleet.

Conclusion
In this paper, a methodology is introduced for analyzing dynamic availability of a subsea BOP with respect
to regional laws and industrial standards. The dynamic availability analysis is performed using fault tree
analysis methodology. A BOP with two annular preventers, three pipe rams and three shear rams with
multiple kill and choke lines is selected as a candidate. Assumptions, boundaries and failure modes are
defined to keep the focus of the study on hydraulic and mechanical components of the BOP and BOP control
system. The top events of the fault trees are defined to address operational availability and compliance with
API S53. Fault trees are constructed to find cut sets that reflect the complex combinations of failure modes
resulting in noncompliance with the requirements. Dynamic availability analysis of the BOP is achieved
by updating the binary values of the cut sets using a database on the system and component states of the
BOP. Impacts of recently added failures with the combination of existing failures on the system availability
are determined. Reporting of failures to the third-party surveyor organization is standardized, allowing for
consistent and efficient Statement of Facts. Subjective judgment is replaced with objective observation.

Acknowledgements
The authors would like to acknowledge the following people who supported this program through
sponsorship, implementation, or engineering consultation.
Kenneth Dupal, Sebastian Boegershausen, John Pruitt, Jason Curtiss, Ashray Kulageri, Luis Trejo, Tedi
Widjaja, Alex O'Day, Chris Bailey

References
[1] Vujasinovic, A. N., McMahan, J. M., 1988, Electrohydraulic Multiplex BOP Control Systems for
Deep Water, Offshore Technology Conference, OTC 5880.
[2] Fowler, J.H., Rocher, J. R., 1993, System Safety Analysis of Well Control Equipment, Offshore
Technology Conference, OTC 7249.
[3] Liu, Z., Liu, Y., Cai, B., Li, X., Tian, X., 2015, Application of Petri Nets to Performance
Evaluation of Subsea Blowout Preventer System, ISA Transactions, 54, pp. 240–249.
[4] Liu, Z., Liu, Y., Cai, B., Zhang, D., Zheng, C., 2015, Dynamic Bayesian network modeling of
reliability of subsea blowout preventer stack in presence of common cause failures, Journal of
Loss Prevention in Process Industries, 38, pp.58–66.
[5] Abimbola, M., Khan, F., Khakzad, N., 2014, Dynamic Safety Risk Analysis of Offshore Drilling,
Journal of Loss Prevention in Process Industries, 30, pp. 74–85.
[6] Cai, B., Liu, Y., Ma, Y., Liu, Z., Zhou, Y., Sun, J., 2015, Real-time reliability evaluation
methodology based on dynamic Bayesian networks- A case study of a subsea pipe ram BOP
system, ISA Transactions, 58, pp. 595–604.
[7] Cai, B., Liu, Y., Liu, Z., Tian, X., Zhang, Y., Liu, J., 2012, Performance Evaluation of Subsea
Blowout Preventer Systems with Common-cause Failures, Journal of Petroleum Science and
Engineering, 90-91, pp. 18–25.
[8] Cai, B., Liu, Y., Liu, Z., Tian, X., Li, H., Ren, C., 2012, Reliability Analysis of Subsea Blowout
Preventer Control Systems Subjected to Multiple Error Shocks, Journal of Loss Prevention in
the Process Industries, 25, pp. 1044–1054.
[9] Holand, P., March 2001, Reliability of Deepwater Subsea Blowout Preventers, SPE Drilling and
Completions, pp. 12–18.
[10] McKay, J., Simmons, C., Hogg, T., Starling, G., Doty, M., 2012, Blowout Preventer (BOP)
Health Monitoring, IADC/SPE Drilling Conference and Exhibition, San Diego, California, 6-8
March 2012, IADC/SPE 151182.
[11] Hiesh, L., 2010, Rig NPT: The Ugly Truth, Drilling Contractor,
http://www.drillingcontractor.org/rig-npt-the-ugly-truth-6795, Retrieved on: January 11, 2017.
[12] Vesely, W. E., Goldberg, F. F., Roberts, N. H., Haasl, D. F., 1981, Fault Tree Handbook, U.S.
Nuclear Regulatory Commission, Washington D.C.
[13] Vesely, W., Stamatelatos, M., Dugan, J., Fragola, J., Minarick, J., Railsback, J., 2002, Fault
Tree Handbook with Aerospace Applications, NASA, Washington D.C.
