ASSESSMENT OF THE AVAILABILITY OF AN OFFSHORE INSTALLATION BY STOCHASTIC PETRI NET MODELING ASSESSMENT OF THE AVAILABILITY OF AN OFFSHORE INSTALLATION BY STOCHASTIC PETRI NET MODELING

process. This test case includes a great number of the difficulties encountered when dealing with probabilistic studies related to production processes. The complexity of the plant with the realistic conditions of the corrective and preventive maintenance policies and production priorities of the system render unfeasible an analytical approach. A Monte Carlo (MC) simulation approach for this test case was successfully applied in [9]. The research brings a continuation and extension of the original work in [10]. The paper deals with a PN model for the availability evaluation of a multi-state, multi-output offshore installation with operational loops. New extension is given by adding a new cold standby component which thoroughly modifies the basic SPN model both with and without the preventive maintenance. The purpose of this article is to illustrate the combination of stochastic Petri nets and Monte Carlo simulation approach for the evaluation of the production availability of a multi-state, multi-output offshore installation with operational loops. The presented test case comprises a great number of the problems encountered when dealing with probabilistic studies. The reason for using Petri net modeling is that it provides the necessary flexibility to describe the complexity of the plant and the realistic aspects of system behavior, such as a degradation and standby of components, maintenance, etc. Different production levels of the system are assessed and evaluated from both reliability and production efficiency point of view. Four selected configurations of the system are analyzed to investigate how the production efficiency and average availability are influenced by applying a preventive maintenance and an additional cold standby of component.


Introduction
In many industries such as the power industry, chemical and oil ones, there is felt the need of realistic models to evaluate the availability of the multi-state and multi-output plants [1]. The complexity of the plant and of its maintenance and reconfiguration policies is such to render unfeasible its availability evaluation by analytical models. Production availability studies are more difficult to perform than classical reliability studies [2]. Combinatorial models as reliability block diagram, fault trees and reliability graphs are commonly used for system reliability and availability analysis. These models are not really adapted for production availability. Markov approach can be used to some extent but only for small systems. Thus the simulation method is employed when the analytical techniques have failed to provide a satisfactory mathematical model. The Monte Carlo simulation gives good results, but this simulation may be even very extensive if highly reliable and accurate results are required.
Petri nets [3] are a graphical paradigm for the formal description of the logical interactions among parts or of the flow of activities in complex systems. The growing importance of Petri nets (PNs) is related to their usefulness in the modeling and analysis of concurrent systems, distributed processing, workflow systems, communication and control systems, all of whose dynamical behavior can be easily expressed as movement of tokens in PN. Stochastic Petri nets (SPNs) [4 and 5] represent an extension of the basic PNs obtained by addition timing and stochastic information. The advantages of PN for the modeling of systems are well-known [6]. The dynamic behavior of complex systems can be modeled by using only a few numbers of graphical elements. PNs are very flexible. It is possible to find a way to model almost any new constraint. The graphical aspect of PN allows us to design automatic or step by step hand simulators necessary for an efficient debugging of the models. The size of a PN model is linear with the number of components.
This paper tries to solve one test case [7] of the European thematic network SAFERELNET (EU project number GTC2-2000-33043) dealing with the dependability [8] of an industrial production process. This test case includes a great number of the difficulties encountered when dealing with probabilistic studies related to production processes. The complexity of the plant with the realistic conditions of the corrective and preventive maintenance policies and production priorities of the system render unfeasible an analytical approach. A Monte Carlo (MC) simulation approach for this test case was successfully applied in [9].
The research brings a continuation and extension of the original work in [10]. The paper deals with a PN model for the availability evaluation of a multi-state, multi-output offshore installation with operational loops. New extension is given by adding a new cold standby component which thoroughly modifies the basic SPN model both with and without the preventive maintenance.

Radim Bris *
The purpose of this article is to illustrate the combination of stochastic Petri nets and Monte Carlo simulation approach for the evaluation of the production availability of a multi-state, multi-output offshore installation with operational loops. The presented test case comprises a great number of the problems encountered when dealing with probabilistic studies. The reason for using Petri net modeling is that it provides the necessary flexibility to describe the complexity of the plant and the realistic aspects of system behavior, such as a degradation and standby of components, maintenance, etc. Different production levels of the system are assessed and evaluated from both reliability and production efficiency point of view. Four selected configurations of the system are analyzed to investigate how the production efficiency and average availability are influenced by applying a preventive maintenance and an additional cold standby of component.
Keywords: Oil production, operational dependencies, production availability.
MW. The electricity is used to power the TEG unit (consumes 6 MW), the Electro-Compressor (EC, 6 MW), the oil pumping unit (7 MW) and water injection pumping unit (7 MW). In the system there is a loop because the gas produced by the TEG unit is used to produce, through the connection with the TGs, the electricity consumed by the TEG unit itself. Turbo-compressors and turbo-generators are powered by "fuel gas". The fuel gas is taken from the export gas at the output of the TEG unit and then distributed to the two turbo-compressors and the two turbo-generators. Each of them consumes 0.1⋅10 6 Sm 3 per day. A second loop appears because compressed gas from the turbo-compressors is needed to produce fuel-gas and conversely fuel gas is needed to run the turbo-compressors.
The well is activated by using the so-called "gas-lift" that means the gas is taken from the TEG unit output then it is compressed by an electro-compressor (EC). Finally it is injected at bottom of the well in order to improve the production. When the EC fails, the gas lift is taken directly from the TEG unit output and injected at a lower pressure. The consumption is 1.0⋅10 6 Sm 3 of compressed gas for "gas-lift" per day and, therefore, the well has 3 levels of the production: the full production (gaslift at a pressure of 100 bars) as is shown in Table 1; medium production of 80% of the maximum (60 bars); low production of 60% of the maximum (no gas lift). The failures of the well are not taken under consideration.

Component failures and repairs
In the proposed test case, only the failures of the TCs, TGs, EC and TEG are taken into account. All the other components are assumed to be in their faultless state. The TCs and TGs can be in three different states: 0 = As good as new; 1 = Degraded; 2 = Failed. The TEG and the EC can be in two states: 0 = As good as new; 2 = Failed.
The component is in the "Failed" state when a critical failure occurs. The critical failure is that which brings about immediate functionality loss of the component. The "Degraded" state is such that the component is still working but it has higher probability of going into the "Failed" state. Therefore, the corrective maintenance of the degraded failure can be delayed but, of course, at the end they must be repaired. In the model, we assume for simplicity that the times of the degradation and failure transitions are exponentially distributed with values of the rates shown in Table 2.

Production configurations
When a failure occurs, the system is reconfigured in order to minimize, firstly, the impact on the export oil production, and secondly, the impact on export gas production. It is supposed

System description and functioning
The test case represents the problem of an offshore installation in which different kinds of production processes are carried out. The installation is designed for the extraction of flow from a well and the following separation of the incoming flow in three different flows: gas, oil and water. The basic functions of the modeled system are shown in Fig. 1. The oil coming from the well is separated by a separating unit into three different flows: gas, oil and water. The gas is compressed by two 50% capacity Turbo-Compressors (TCs), then dehydrated by a Tri-Ethylene Glycol (TEG) unit and then exported. The nominal capacity of the gas exported is 3.0⋅10 6 Sm 3 /d at the pressure of 60 bar. A flare is used for safety purpose and to burn the gas when it cannot be exported, i.e. the gas is not compressed. After treatment, the oil is exported through a pumping unit. The pumping unit and the oil treatment system can process all the oil coming from the separation unit. The water separated by the separation unit is, after treatment, re-injected in addition with sea water in the field in order to maintain the pressure.
The maximum capacities of the components for the oil, gas and water production are shown in Table 1. In the typical production case the well can produce maximum 26500 m 3 of oil, 5.0⋅10 6 Sm 3 of gas, and 8000 m 3 of field water per day. The capacity of the separation unit limits these flows to 4.4⋅10 6 Sm 3 of gas, 23300 m 3 of oil and 7000 m 3 of water. Each TC is able to process at its maximum 2.2⋅10 6 Sm 3 of gas. The TEG unit is able to process 4.4⋅10 6 Sm 3 of gas at its maximum. Each TC uses 0.1⋅10 6 Sm 3 of "fuel-gas" and 1.0⋅10 6 Sm 3 of compressed gas is needed for "gas-lift ". Therefore, in the perfect case 23300 m 3 of "export oil" and 3.0⋅10 6 Sm 3 of "export gas" are produced. 7000 m 3 of field water is extracted which, after treatment, will be re-injected in the field or in the sea if the water injection is not available.
Most of the components need to be powered by electricity. Two 50% capacity electrical Turbo-Generators (TGs) are installed in order to provide electricity to the system. Each TG produces 13

Maintenance policy -corrective maintenance
There is available only a single maintenance team to perform repairs of components. Only one component at a time can be repaired. When more components fail simultaneously, the maintenance team starts to repair the component which has a higher repair priority and which is most important with respect to the system production. The repair priority of each component is dependent on the system state, as shown in Table 3. The repair levels of production components are defined in this way: Utmost priority level (level 1) pertains to failures leading immediately to the total loss of the process (TEG, both TGs, both TCs), Medium priority level (level 2) is used when only a part of the export oil is lost (single TC or EC failure), Lower priority level (level 3) includes the failures when no export oil is lost (single TG failure).

Maintenance policy -preventive maintenance
The TGs, TCs and EC are subordinated to the periodical preventive maintenance. It is supposed that the preventive maintenance is realized by a single team which is not the same as the corrective maintenance team. In order to keep up the production level as high as possible, no preventive maintenance operation can be started if the system is not in a perfect state of operation. Of course, when a preventive maintenance is in progress on one component, the other components can fail, then corresponding corrective maintenance is immediately started. Four different types of the preventive maintenance actions are considered. Each of them is characterized by a different frequency and different mean duration, see Table 4.
Repair priority levels of production components for the basic model Table 3 Priority that the impact on water injection does not matter. The different component failures have different effects on the three types of system production. TEG failures. When the TEG is disabled, "Export Gas", "Gas-Lift" and "Fuel Gas" are lost. Therefore, the 2 TGs stop. The whole system is shutdown because it is not possible to use gas which has not been dehydrated.
EC failures. When the EC is lost, the "Gas-Lift" pressure is decreased (60 bars), therefore, the well production is reduced, too. At the end "Export Oil" and "Export Gas" are declined. "Fuel Gas" is maintained.
TCs failures. When one TC is broken, "Export Oil", "Water Injection", "Fuel Gas" and "Gas-Lift" are maintained. The two TGs are running. The non-compressed part of the gas is flared, therefore, the quantity of "Export Gas" is reduced. When both TCs are lost, all production (oil, gas, water) is stopped.
TGs failures. When one TG is damaged, the "Export Oil", "Export Gas", "Fuel Gas" and "Gas-Lift" are maintained. The EC and "Water Injection" are stopped due to lower level of electricity production. As a result of this situation the "Export Oil" and the "Export Gas" decrease because of lower production of the well due to the unavailability of the "Gas lift" high pressure. When both TGs are lost, all production is stopped because the TEG is not powered and it is not possible to use not dehydrated gas.
Maximum capacities of the components of the oil, gas and water production process

Fig. 3 SPN models of EC and TEG components
The SPN model is divided into smaller ones which represent sub-processes of the system. Figures 2-3 show a stochastic behavior of all considered system components expressed as single SPNs. The SPN model of the TC unit contains three places representing individual states in which this component can occur. The place TC 0 represents such case that the TC unit is in the state 0. The place TC 1 represents the state 1 and the place TC 2 denotes the state 2. Similarly it is applied for the TG unit. The system under consideration contains two TGs and two TCs -in following text they are marked as TGa, TGb and TCa, TCb. The TEG and EC units can be in two states so that their SPN models contain two places (Fig. 3). The actual state of the component is specified by the token position (a black dot). All transitions of these SPN models are exponential with failure or repair rates in Table 2 (marked here by Greek letters l and µ.). To study the effect of the preventive maintenance and the effect of the cold standby the following four modifications of the plant have been taken into account: Case A. The plant is operated without the preventive maintenance; Case B. The components TG, TC and EC are preventively maintained with the predefined policy in Table 4; Case C. The system is operated without the preventive maintenance, but the third TG is added to the system and it is normally used in a cold standby configuration;

Stochastic Petri nets
A PN is a bipartite directed graph consisting of two kinds of nodes: places and transitions. In a graphical representation, the places are depicted by circles and the transitions by rectangles, see Fig. 2. The directed edges (arcs) connect places to transitions and transitions to places, never an arc from a place to a place or from a transition to a transition. The tokens, depicted by dots, are associated with places and the movement of these token represents the dynamic behavior of the system. The marking of a PN is the distribution of tokens in the set of places. Each marking defines a state of the system. A token in a given place indicates that the associated feature is active. The tokens move based on the firing of transitions. A transition is enabled to fire only if all its input places contain tokens. Upon firing, one token from each input place is removed and one token is deposited in each of the output places. It is important to note that the execution of a PN is non deterministic.
Formally, a PN is a four-tuple (P, T, I, O), where P is a finite set of places, T is a finite set of transitions, I is an input function and O is an output function. The input function I and the output function O define for each transition t j the set of input places I(t j ) and output places O(t j ). If places can contain more than one token, the 4-tuple can be extended by the marking vector m = (m 1 , m 2 , …, m i , …, m p ), where m i is the number of tokens in the place p i .
SPN is an extension of the basic PN obtained by addition timing and stochastic information to the transitions. A firing rate is associated with each timed transition. Real process modeling requires the further extensions of the SPN framework. For our purpose it is advisable to add guards to some transitions (for example Mess_TC or Mess_TG in Fig. 2). A transition guard (so-called "message") is an annotation of a transition, which specifies additional requirements for enabling of a transition. A transition can only be enabled if the value of its guard is true.
The messages are very useful to synchronize the behavior of subnets which can work separately. The message received by transitions is indicated by a "question mark" ("?") and the message emitted by a transition is indicated by an "exclamation mark" ("!"). The same message can be both received and emitted by the same transition. When the component is in the state Failed and it is waiting for repair, the "repair" transition checks if a given condition is true. The message "?RA" is true when the team for the repair is available and false if the repair team is unavailable. The messages of some components are more complicated because logical operators (logical conjunction, logical sum and negation) can be used to formulate them.
The system (Fig. 1) is composed by four components (2 TGs and 2 TCs) that may be in 3 different states, and two components (TEG and EC) that may be in 2 states. The number of possible system configurations is then 3 4 × 2 2 = 324.
having to be fulfilled in the PN model of the system in order to be said that the plant is in a given production level. The full production level 0 is defined as a state when no tokens are in the places TCa2, TCb2, TGa2, TGb2, EC2 and TE2. In the initial, nominal state of the system, all components are functional (the tokens are in the places TCa0, TCb0, TGa0, TGb0, EC0 and TE0) and the maintenance team is waiting (RA=1).

Cases B, C and D
The SPN model of Case A was extended and modified by proper parts ensuring both preventive maintenance of selected components (B), and adding the third TG used in a cold standby configuration (C), as well as combination of B, C (Case D). Detailed SPN models for all the cases are described in [11].

Numerical results and discussion
Basic calculations of average availabilities were performed by MOCA-RP software [12]. The software allows the construction of PNs with advanced graphic interface, the net validation by tokens game and the evaluation of some basic availability characteristics by Monte Carlo simulation. The number of MC trials used in all the calculations is 10 5 . The numerical results of the average availability of each production level for all the simulated cases are reported in Table 8. The results are given for the mission time 5⋅10 5 hours. The expected values of gas, oil and water production for all the cases are demonstrated in Table 9.
Case A -the definition of seven production levels Table 7 Level Case D. The components TG, TC and EC are preventively maintained with predefined policy in Table 4 and the third TG is added to the system model as a cold standby.
Physical analysis of the system detected that the system produces 6 different quantities of gas and 3 different quantities of oil and water. From the combination of these productions, it turns out that the plant can be in 7 different levels of production, one full and 6 reduced production levels as shown in Table 5.

Case A -system without preventive maintenance
The basic SPN model of the considered system comprises 6 components (TGa, TGb, TCa, TCb, TEG, EC) using a common repair team (RA). The messages of all transitions representing individual component repairs are defined in Table 6. The definitions of production levels of the plant are demonstrated in Table 7 for this case. Each definition determines a condition Seven production levels with values of produced gas, oil and water Table 5 Production level Oil m 3 Case A -conditions for an activation of repairing transitions Table 6 Messages Conditions Expected values of the gas, oil and water production Table 9 Case Oil km 3 /d Gas kSm 3

Conclusions
This work focuses on the problem of the availability assessment of a multi-state, multi-output plant. A PN approach is used because it has proved to be an useful modeling tool for complex systems like offshore installation. One of PN advantages lies in the fact that they allow to integrate various deterministic and stochastic processes.
The numerical results presented in Section 4 are comparable with those published in [9] where the solution was based on minimal cut sets and MC simulation approach (only basic plant configuration, i.e. without extensions). On the basis of the results obtained from both these papers, the following conclusion may be formulated: both approaches may easily take into account very complex and realistic aspects of the system under consideration giving the comparable results.

Acknowledgement
This work was supported by the European Regional Development Fund in the IT4Innovations Centre of Excellence project (CZ.1.05/1.1.00/02.0070).

Case A -system without preventive maintenance
Basic configuration of the plant includes only the corrective maintenance. A computing time was 2 minutes on Pentium4@3.40GHz. The system is highly available (92.4%) at the full production level 0.

Case B -system with preventive maintenance
The computing time increased to 35 minutes. The system is highly available (90.3%) at the full production level 0. Figure 4 brings comparison between cases A and B. It clearly shows how the average availability of different production levels increased, when the preventive maintenance is applied. On the other hand, Table 9 shows that the preventive maintenance slightly decreases the production.
Comparison of the availability of the production levels in the four cases simulated Table 8 Production Case C-system without preventive maintenance and with standby Computing time was 40 minutes. The system is highly available (96.4%) at the full production level 0. Table 9 demonstrates that the presence of standby TG maximizes the production.

Case D -system with preventive maintenance and with standby
The computing time increased to almost 1.5 hours. The plant is highly available (94.3%) at the full production level 0. Seeing Table 9 the plant production capacity of D (as well as B) appears reduced with respect to the case of no preventive maintenance of C (A). Comparing B and D we can see the effect of the cold standby component under preventive maintenance -the standby component decreases the probability of no production level 6 to half.