Process Safety and Environmental Protection 1 0 3 ( 2 0 1 6 ) 163–173

Contents lists available at ScienceDirect

Process Safety and Environmental Protection

journal homepage: www.elsevier.com/locate/psep

Quantitative risk analysis on leakage failure of

submarine oil and gas pipelines using Bayesian
network

Xinhong Li, Guoming Chen ∗ , Hongwei Zhu

Centre for Offshore Engineering and Safety Technology (COEST), Mechanical and Electrical Engineering College,
China University of Petroleum (East China), No.66, Changjiang West Road, Qingdao, China

a r t i c l e i n f o a b s t r a c t

Article history: Submarine pipeline is the major transportation way of subsea oil and gas production. Due
Received 28 February 2016 to the internal and external factor, the failure probability of submarine pipeline is increas-
Received in revised form 26 May ing, which could lead to the spill accidents of oil and gas. Efficient risk analysis is vital
2016 for preventing and mitigating such potential accident. This paper presents a risk-based
Accepted 6 June 2016 accident model to conduct quantitative risk analysis (QRA) for leakage failure of subma-
Available online 16 June 2016 rine pipeline. Firstly, we employ bow-tie method to model the causal relationship between
pipeline leakage and potential accident scenarios. Subsequently, in order to overcome the
Keywords: difficulties of bow-tie in modeling uncertainties and conditional dependency, a Bayesian
Quantitative risk analysis network model for pipeline leakage is developed through mapping from the former bow-
Leakage failure tie. Meanwhile, an object-oriented Bayesian network that has a smaller and more clarified
Submarine oil and gas pipeline structure is also constructed by modularizing the primary Bayesian network. Eventually,
Bow-tie model the probability updating is implemented in risk analysis using Bayesian network when a
Bayesian network new evidence or observation occurs, and an experience learning from accident precursor
Accident precursor data data is also conducted through Bayesian approach. The proposed accident model based on
Bayesian network can provide a more case-specific and realistic analysis consequence com-
pared to bow-tie method, since it could consider the common cause failures and conditional
dependency in accident evolution process of pipeline leakage.
© 2016 Institution of Chemical Engineers. Published by Elsevier B.V. All rights reserved.

1. Introduction
The rising demand of energy accelerated the oil and gas explo-
ration from ocean, countries like American, Canada, China or
Japan have made exploration work in deep water area which
reached 3000 m water depth. Submarine pipeline is the major
transportation way of subsea oil and gas after exploration
and exploitation. However, because of scouring caused by cur-
rent and wave, third-party damage and seaquake, or design
defect, submarine pipelines has a relative high probability
of leakage failure (Zhang et al., 2011). As per the UK Health
and Safety Executive (HSE UK, 2011), there are about 1978
leakage incidents of oil and gas pipeline between 2001 and
2011 in the UK continental shelf. According to International
Association Oil and Gas Producer (OGP UK, 2010), the alloca-
tion of failure mechanisms for submarine pipeline is as shown
in Table 1. Once a leakage occurs, it may cause severe fire
and explosion due to accident escalation, and pose a threat
to human safety, environment, asset, and reputation (Fang
et al., 2014). For instance, the leakage accidents of submarine
pipeline of China Zhuhai and BP as shown in Fig. 1 are two
representative examples.
The leakage failure risk of submarine pipeline is unable to
be eliminated, but preventive and mitigative measures can be

∗
Corresponding author.
E-mail address: offshore@126.com (G. Chen).
http://dx.doi.org/10.1016/j.psep.2016.06.006
0957-5820/© 2016 Institution of Chemical Engineers. Published by Elsevier B.V. All rights reserved.
164 Process Safety and Environmental Protection 1 0 3 ( 2 0 1 6 ) 163–173

Fig. 1 – Leakage accident of submarine oil and gas pipeline.

and Operability Analysis (HAZOP) but also include relatively

Table 1 – Allocation of Failure Mechanisms for
submarine pipelines (OGP UK, 2010). new technologies, such as Markov chain, petri network and
Bayesian network (Bhandari et al., 2015). The conventional risk
Failure mechanism Distribution
analysis methods are known as static, it is unable to capture
Corrosion 36% the variation of risk as the change occurs in the operation and
Material 13% environment (Abimbola et al., 2014). In addition, conventional
External loads causing damage 38%
technologies use generic failure data, which makes them to be
Construction damage 2%
non-case-specific and introduce uncertainty into the results.
Other 11%
Bayesian network is a popular tool for conducting quantita-
tive risk analysis in offshore oil and gas industry (Khakzad
taken to reduce the occurrence probability and consequence
et al., 2013). BN is a probabilistic inference technology for
severity of leakage accident. Risk analysis is an efficient tool
reasoning under uncertainty, and can relax the limitation of
for identifying risk factors and developing strategies to prevent
conventional methods, also consider conditional dependency,
accident. It includes three steps, i.e. hazard identification, fre-
common cause failures and various states of the primary
quency analysis and consequence analysis (Rausand, 2013).
events in accident modeling process (Yuan et al., 2015). The
This study conducts a quantitative risk analysis on leak-
BN can also perform a probability updating and experience
age failure of submarine oil and gas pipeline, which mainly
learning in risk analysis, the dynamic nature of leakage fail-
focuses on the former two steps, i.e. hazard identification and
ure accident of submarine pipelines is considered through this
frequency analysis of leakage failure.
way.
In recent years, several studies have contributed to fail-
The present work is aimed at building a dynamic risk-
ure risk analysis of submarine pipelines. DNV-RP-F107 (2010)
based model for leakage accident of submarine pipeline. A
presented a primary risk analysis method for submarine
dynamic risk analysis of leakage failure for submarine pipeline
pipelines, and lists the possible external hazards that may
is conducting through this model, and the evolution process
cause damage to submarine pipelines, meanwhile, the rele-
of leakage failure accident from causes to consequences is
vant preventive measures, acceptable criteria, probability and
also presented explicitly. Essentially, the study can provide a
consequence degree of failure are also defined. Finally, the fail-
powerful support for critical decision-making of submarine
ure risk is evaluated through a qualitative risk matrix method.
pipelines operators.
In addition, an integrated risk-based assessment method
The rest of paper is organized as follows: A brief description
developed by Aljaroudi et al. (2015) is used to predict fail-
of risk analysis technologies including bow-tie and Bayesian
ure probability and consequence of submarine oil pipelines,
network is presented in section 2. A proposed methodology
and it mainly focuses on corrosion failure of pipelines. In
framework of risk analysis is as shown in section 3. The
this method, the probabilities of different failure mecha-
accident evolution process modeling of leakage failure for
nisms are calculated by limit state function and Monte Carlo
submarine oil and gas pipelines using bow-tie approach is
method while the consequence of failure is measured by
as presented in section 4. Section 5 gives the application of
financial losses. Kawsar et al. (2015) developed a probabilistic
Bayesian network in risk analysis on leakage failure of subma-
and numerical model for the dropped object risk assessment
rine oil and gas pipelines while the conclusion is as presented
of submarine pipeline, in which the collision probability of
in section 6.
dropped object is estimated by scenario sampling while the
accident consequence is simulated through finite element
approach. However, the above studies mainly adopt traditional 2. Foundation of risk analysis method for
risk analysis methods or focus on the risk of single cause, and pipeline leakage
the risk analysis involving comprehensive causes and conse-
quences of submarine pipeline leakage is not mentioned. In 2.1. Safety barrier
light of above, it is necessary to use an integrated approach to
conduct risk analysis of leakage failure for submarine oil and Safety barriers are physical or non-physical means that are
gas pipeline. implemented to prevent, control or mitigate undesired events
In the field of risk analysis methods, quantitative risk or accidents (Sklet, 2006). In the definition of safety barrier,
and reliability analysis technologies are widely applied in prevent means reducing the likelihood of undesired event,
chemical process and offshore oil and gas industries in order control means limiting the extent or duration of the event
to develop a preventative and mitigative strategy (Abimbola escalation, and mitigate means reducing the consequence
et al., 2015). Some of these technologies not only include con- severity of undesired event (Skogdalen and Vinnem, 2012).
ventional methods, such as fault tree (FT), event tree (ET), The similar terms expression of safety barrier include defense,
bow-tie (BT), Failure Mode and Effects Analysis (FMEA), Hazard protection layer and safety critical element, etc. In the offshore
 Process Safety and Environmental Protection 1 0 3 ( 2 0 1 6 ) 163–173
Fig. 2 – Swiss Cheese model adopted from Reason et al.
(2001).
oil and gas industry, all of them mean the function to pro-
tect human, environment and assets from a leakage incident
or blowout. The safety barrier is generally intended to work
before a specific undesired event happened. The safety bar-
rier can be divided into passive or active, physical, technical
or human operation (Xue et al., 2013).
The early safety barrier model is the classical “Swiss
Cheese model” shown in Fig. 2 is developed by Reason (Reason,
1990). In this model, each slice is a barrier while the hole rep-
resents the weakness or failure of system. If all of holes align,
the accident will occur, otherwise, the accident does not occur.
The “Swiss Cheese model” is a classical accident model that
is widely applied in many different industries and sectors.
A new safety barrier model based on “Swiss Cheese model”
for oil and gas process is developed by Kujath et al. (2010),
which includes five categories barriers: release prevention,
ignition prevention, escalation prevention, harm prevention
and loss prevention. Rathnayaka et al. (2011) extended the
safety barrier of Kujath by adding a safety analysis procedure,
i.e. system hazard identification, prediction and prevention
(SHIPP). The safety barrier model after extending is shown in
Fig. 3, and represents the process accident sequence.
2.2. Bow-tie method
Bow-tie is a graphical method that is widely used in process
industry accident modeling, is able to present a complete acci-
dental scenario starting from the causes and ends with the
consequence (Khakzad et al., 2012). Bow-tie include two parts,
the left of bow-tie is a FT that describes the latent causes for
an initial event, the right of bow-tie is an ET which describes
the sequential failure of safety barriers and presents the evo-
lution process from initial event to final latent consequence.
The FT and ET is linked through a pivot node that is the top
event of FT and the induced event of ET.
Fig. 3 – SHIPP conceptual accident model (adapted from Rathnayaka et al., 2011).
165
In the stage from construction, laying, operation and aban-
donment of submarine pipeline, relevant risk factors possess a
dynamic nature. Meanwhile, common cause failures and con-
ditional dependencies among primary events in FT and safety
barriers in ET should be considered. However, due to the static
characteristic, the bow-tie model is limited to model com-
mon cause failures and conditional dependencies. Currently,
three approaches are used to overcome the static characteris-
tic of bow-tie. Physical reliability model is used to model real
time predictive failure probability of components in bow-tie
(Khakzad et al., 2012). Also the Bayesian theory is coupled
with bow-tie model in order to use new accident precursor
data update the prior failure probability of primary events and
safety barriers (Kalantarnia et al., 2009). The last approach is
mapping bow-tie into Bayesian network (Khakzad et al., 2011).
Current work adopts the last approach.
2.3. Bayesian network
Similar to bow-tie method, Bayesian network is also a graph-
ical technology that describes the relationships between
causes and consequences, which consists of nodes, arcs and
condition probabilistic table (CPT) (Yuan et al., 2015). The
nodes represent the random variables, the arc represents
dependency relationship between two linked nodes, and the
CPT represents transition of mathematical logic from one
random variable to others. Fig. 4 shows a simple Bayesian net-
work. The nodes of A and B are called parents node of C while
the C is called the child node of A and B, the parent node and
child node is connected by arcs L1 and L2. It is worth noting
that one node is called root node if it has no parent node.
Different from bow-tie method, the Bayesian network is an
inference probabilistic method, which can overcome the static
limitation of bow-tie method due to its updating mechanism,
can also implement a forward and backward linear prediction
as well as diagnosis analysis (Bhandari et al., 2015). Based on
the above advantages, the Bayesian network is often used for
failure modeling or risk analysis of complex system. As the
conditional dependency among variables and chain rules, the
joint probability distribution P (U) of a set of variables U = A (A1 ,
A2 , A3 ,. . ., An ) in the Bayesian network can be described as Eq.
(1) (Khakzad et al., 2013).

n
P(U) = P(Ai |Pa(Ai )) (1)
i=1
Where Pa (Ai ) is the parent set of variables Ai .
The main advantage of Bayesian network is probability
updating. Prior probabilities of variables is updated using
Bayesian theory when new observations or evidences of
166 Process Safety and Environmental Protection 1 0 3 ( 2 0 1 6 ) 163–173

(ii) Hazard identification, the potential hazards may lead to

Fig. 4 – A simple example of Bayesian network.
variables E are given, then posterior probabilities of variables
are also obtained (Khakzad et al., 2013). The new observa-
tions or evidences of submarine oil and gas pipelines usually
become available during full life-cycle of pipelines, including
occurrence or non-occurrence of some major accidents or pri-
mary events.
P(U, E) P(U, E)
P(U |E ) = = 
P(E) U
P(U, E)
3. Proposed risk analysis methodology
framework for pipeline leakage
In a typical conventional quantitative risk analysis method-
ology, four steps are involved, i.e. hazard identification,
frequency analysis, consequence analysis and risk quantifica-
tion (Rausand, 2013). The proposed risk analysis methodology
based on SHIPP is an extension of conventional method, is able
to conduct probability updating and experience learning using
Bayesian network and accident precursor data. Note that con-
sequence analysis is not mentioned in current methodology
framework, and only accident probability analysis is involved.
As the major accidents are rare to occur, and enough data are
usually not available to model accident. Therefore, it is impor-
tant to use near misses and incidents data to predict system
performance and evaluate accident likelihood.
The proposed methodology framework of risk analysis
shown in Fig. 5 involves the following six main steps. (i) Define
system and collect necessary information, in this step, the
necessary information of objective submarine pipeline are col-
lected, including design stage data, historical accident data,
inspection and maintenance data, environment condition etc.
a leakage occurrence are identified using fault tree analysis.
(iii) Accident scenario modeling, the accident scenarios after
leakage occurrence is modeled through an event tree analysis
that is based on the sequential failure of relative safety bar-
riers. A complete accident model is presented after (ii) and
(iii) are integrated into bow-tie, the reason why bow-tie is
chosen as the modeling approach is that it has more appar-
ent visual effect from the accident causes to consequence
than others. (iv) Failure probability analysis, the failure prob-
abilities of primary evens and end-state consequences are
calculated by Bayesian network that is mapped from the above
bow-tie. Probability analysis includes two parts, i.e. probability
updating and experience learning. The probability updating is
based on the backward inference function of Bayesian net-
work, the Bayesian network implements probability updating
using Bayesian theory when a new observation or evidence
(2) is given. The experience learning is a process that learning
from information of near misses, incidents and post acci-
dents. In this process, the prior failure probabilities of primary
events and safety barriers are estimated using the data of
system in design stage or historical accidents statistic, fur-
thermore, expert opinion is also an available approach for
prior probability calculation. Then near misses and incidents
data are used to form likelihood function, which is later used
to update prior probability. Finally, both prior probability and
likelihood function are used to estimate posterior probabil-
ity through Bayesian theory. (v) Risk prediction, the risk of
pipeline is predicted used posterior probability after probabil-
ity updating and experience learning. In terms of above steps,
the calculation results can provide a reference for (vi) risk
decision-making, and (vii) the relative preventive measures
are also needed to be implemented.
4. Accident evolution process of pipeline
leakage modeling with bow-tie
4.1. Hazard identification of leakage failure
A FT shown in Fig. 6 is developed to identify the poten-
tial hazards that may cause pipeline leakage. The leakage

Fig. 5 – Flow chart of proposed risk analysis methodology.

 Process Safety and Environmental Protection 1 0 3 ( 2 0 1 6 ) 163–173
Fig. 6 – Fault tree of submarine oil and gas pipeline leakage.
failure of submarine oil and gas pipeline may occur due to
either internal or external factors. External factors include
corrosion, damage caused by external loads, fatigue damage
caused by suspended span and natural disaster, while internal
factors include material defect, weld-seam defect and auxil-
iaries failure (Jin et al., 2004). Corrosion is a main hazard factor
that can lead to leakage, the corrosion may occur in internal
or outer surface of a pipeline, the reasons of corrosion include
not removing the corrosion gas and impurities, not adding
corrosion inhibitor, not pigging regularly, anticorrosive coat-
ing failure and Cathodic protection failure (Fang et al., 2014).
The external loads damage is also an important risk factor
when pipeline locates in offshore area, the dropped objects
from passing ships, Anchoring work of ships and fishing gear
interaction etc. may cause serious damage to pipeline. In addi-
tion, if burial depth of pipeline is not enough, the suspended
span will appear due to a harsh subsea environmental con-
dition, in this case, fatigue failure may happen because of
vortex-induced vibration of high frequency (Zhu and Chen,
2009). Natural disaster including subsea earthquake, seabed
movement and typhoon is also not a negligible factor for caus-
ing pipeline leakage. The material and weld-seam defect are
inherent defect caused by design or operation factor during
designing and constructing stages of pipeline, also a vulner-
able spot that may lead to pipeline leakage when there are
external forces existing. Besides, failure of pipeline auxiliaries
such as flange, valve etc. due to design fault or aging may also
lead to a leakage occurrence or out of control. The primary
events of FT shown in Fig. 6 and their probabilities (OGP UK,
2010; Participants, 2002; Hu et al., 2012) are as listed in Table 4.
In the present study, the probabilities in Table 4 are referred
for educational purpose and only used to demonstrate the
proposed methodology.
4.2. Safety barrier of pipeline leakage
Based on SHIPP conceptual accident model (Rathnayaka et al.,
2011), as well as considering the characteristics of submarine
167
pipeline system, a safety barrier model for pipeline leakage
shown in Fig. 7 is developed. The occurrence of catastrophic
accident is usually due to failure of safety barriers succes-
sively, not failure of single barrier (Skogdalen and Vinnem,
2012). In this case, there are six main safety barriers preventing
escalation of a leakage event. The monitor and alarm barrier
is able to perceive the change of flux and pressure of pipeline
in normal work condition, and send alarm signals. The leak-
age detection system based on fiber optic is widely gaining
acceptance in oil and gas industries (Aljaroudi et al., 2015b),
and has two kinds of failure modes, one is that it does not per-
ceive when a leakage really occurs, the other is that it sends
false alarm when a leakage does not occur. The emergency
shutdown is implemented when the leakage is detected suc-
cessfully, this process includes stopping pump and cutting
off globe valves, this process failure may involve no stopping
pump, no stopping pump timely, no cutting off globe valves or
no cutting off globe valves timely. Negative pressure protection
system of submarine pipeline locates between ashore valve
chamber and outlet of pipeline, which is used in submarine
pipeline of hangzhouwan in china presently (Fang, 2014). It
can pump the crude oil in pipeline into storage tanks or trans-
portation station of oil, and keep internal pressure of pipeline
lower than pressure of ambient seawater in order to prevent
crude oil spill into seawater after emergency shutdown. The
remaining crude oil in pipeline after emergency shutdown
will spill into seawater once the negative pressure protection
system fail to work. Note that the spill volume of crude oil
depends on the volume of pipeline in the case of failure of
negative pressure protection system. When a spill accident
of oil and gas happens, the emergency response barrier must
work, which includes plugging leakage hole of pipeline, main-
tenance of pipeline and cleaning up spill oil. In the process
of cleaning up spill oil and gas, an ignition prevention bar-
rier is necessary for preventing ignition sources and detecting
concentration of flammable gas.
It is worth noting that the human factor, management and
organization serve as a special barrier which affect the whole
168 Process Safety and Environmental Protection 1 0 3 ( 2 0 1 6 ) 163–173

Fig. 7 – Safety barrier model for submarine pipeline leakage.

Fig. 8 – Bow-tie model of leakage failure of submarine oil and gas pipeline.

process of leakage accident evolution (Rathnayaka et al., 2013).
In this paper, for modeling conveniently, keeping it common to
other barriers, which are in sequential order. During the above
process, the function of human, management and organiza-
tional factor is more prominent between monitor and alarm
and emergency shut down, including finding alarm signals,
judging and verifying the leakage occurrence. Consequently,
the independent barrier of human response shown in Fig. 8
is located between monitor and alarm and emergency shut
down. In the above safety barriers model, failure of different
barriers leads to different consequences. The all above safety
barriers and corresponding failure probabilities are as shown
in Table 5 (PSA NO, 2014; Abimbola et al., 2014).
4.3. Bow-tie model of pipeline leakage
An ET is developed based on the sequential failure of safety
barriers shown in Fig. 7. It is assumed that the human response
barrier is able to work successfully once monitor and alarm
barrier work correctly. If the human response barrier fails to
work, the emergency shutdown barrier will fail at the same
time, and once the emergency shutdown barrier fails, the
 Process Safety and Environmental Protection 1 0 3 ( 2 0 1 6 ) 163–173 169

Fig. 9 – Bayesian network mapping from bow-tie in Fig. 8.

negative pressure protection will not be activated. The end

Table 2 – CPT corresponding to OR gate in BT.
states shown in Fig. 8 consist of five conditions (A) safety sate,
X4 success failure
(B) vapor cloud or oil spill in a small area, (C) Vapor cloud explo-
sion or pool fire in a small area, (D) vapor cloud or oil spill in a X5 success failure success failure
big area, (E) vapor cloud explosion or pool fire in a big area.
External corrosion success 1 0 0 0
Using the FT and ET developed in the previous section, the
failure 0 1 1 1
bow-tie model of pipeline leakage failure is developed and
shown in Fig. 8. With the probabilities listed in Tables 4 and 5,
the probability of leakage failure of pipeline is estimated as external corrosion will fail inevitably, this relationship is as
1.49E-02, and the probabilities of end states are also calculated described by a CPT in Table 2. Actually, both X4 and X5 fail,
shown in Table 6. Note that the A probability is far greater than the external corrosion may not fail, similarly, although the X4
other consequences, in other words, the probability of safety and X5 do not fail, the failure occurrence of external corrosion
state is dominant compared to dangerous states. is possible. This scenario can be modeled through an amend-
ing CPT shown in Table 3. The amending values in CPT can be
5. Quantitative risk calculation of pipeline determined based on expertise or historical data.
leakage with Bayesian network The Bayesian network of leakage failure for subma-
rine pipeline is developed using graphical network interface
(GeNIe) software (U.O. Pittsburgh, 2014). With the CPT without
5.1. Mapping from bow-tie
amending, the probability of leakage failure is estimated as
1.49E-02 that is same with fault tree calculation, which is due
In order to conduct a case-specific quantitative risk analysis, a
to the CPT of Bayesian network is mapped according to logical
Bayesian network on leakage failure of submarine pipeline is
gate of fault tree rigidly. When with the CPT after amend-
as developed shown in Fig. 9 through mapping from the bow-
ing, the probability of leakage failure increases to 1.71E-02. For
tie model shown in Fig. 8, the mapping algorithm in Khakzad
illustrative purpose, the estimated value using the CPT with-
et al. (2013b) is adopted here. The FT is mapping according
out amending i.e. 1.49E-02 is used to calculate the occurrence
to the casual relation between primary events and interme-
probabilities of consequences. The probabilities of end-states
diate events. In the ET mapping process, the safety barriers
are calculated in Table 6, note that the occurrence probabilities
are represented as safety nodes, the conditional dependen-
of consequences have a little different from result of bow-tie,
cies between safety barriers are also considered, and the
consequence node with five states is corresponding to the
end-states of ET. Table 3 – Amending CPT corresponding to OR gate in BT.
The conditional dependencies among elements of Bayesian
X4 success failure
network are assigned in CPT. The logical gate of fault tree and
experience-based judgment are used to determine CPTs in X5 success failure success failure
Bayesian network model. The logical gate of fault tree repre- External corrosion success 0.96 0.08 0.08 0.02
sents deterministic relationship between primary events and failure 0.04 0.92 0.92 0.98
intermediate events, for example, either X4 or X5 fail, the
170 Process Safety and Environmental Protection 1 0 3 ( 2 0 1 6 ) 163–173

Table 4 – Components of the pipeline leakage FT in Fig. 6

and their probabilities (OGP UK, 2010; Participants, 2002;
Hu et al., 2012).
Symbol Description Prior Posterior
probability probability

X1 Not removing the 1.0E-03 6.72E-02

corrosion gas and
impurities
X2 Not adding corrosion 1.1E-03 7.4E-02
inhibitor
X3 Not pigging regularly 2.0E-04 1.34E-02
X4 Anticorrosive coating 5.0E-04 3.36E-02
failure
X5 Cathodic protection 2.7E-04 1.82E-02
failure
Fig. 10 – Object-oriented Bayesian network by X6 Dropped objects hit 1.5E-04 1.0E-02
modularizing Fig. 9. X7 Anchoring work 2.0E-04 1.34E-02
X8 Fishing gear interaction 2.5E-04 1.68E-02
the reason is that the conditional dependencies among top X9 Man-made drilling oil 3.0E-03 2.02E-01
event of fault tree and safety barriers are considered while stolen
bow-tie has a limitation in this aspect. X10 Offshore construction 5.0E-05 3.37E-03
X11 Design burial depth is 6.4E-04 8.95E-04
The Bayesian network shown in Fig. 9 does not have a
not enough
clear structure due to numerous nodes, from which we may
X12 Operation of burial 4.0E-05 5.59E-05
not see the evolution process of a pipeline leakage accident depth is not enough
easily. Therefore, an object-oriented Bayesian network shown X13 Failure of treatment 3.3E-04 4.61E-04
in Fig. 10 is developed through modularizing the primary timely
network shown in Fig. 9, which consists of instance nodes X14 Strong current and wave 2.0E-05 2.13E-05
and usual nodes (Khakzad et al., 2013a). In object-oriented X15 Seabed soil are eroded 6.0E-03 6.41E-03
easily
Bayesian network, an instance node represents a sub-network,
X16 Subsea earthquake 6.3E-06 4.24E-04
and a complex Bayesian network can be divided into several X17 Seabed movement 2.3E-03 1.55E-01
instance nodes and usual nodes. The instance node of leak- X18 typhoon 3.7E-05 2.49E-03
age failure is corresponding to FT in Fig. 7, and the barriers X19 Design defect of 8.4E-04 5.65E-02
instance node includes monitor and alarm, human response, material
etc. In addition, an instance node of common causes fail- X20 Construction defect of 9.7E-04 6.52E-02
material
ures is also involved, in this case, the primary events as not
X21 Design defect of 2.3E-04 1.55E-02
pigging regularly, failure of treatment timely and auxiliaries
weld-seam
aging are caused due to lacking of efficient supervision while X22 Construction defect of 6.5E-04 4.37E-02
safety barriers of human response and emergency response weld-seam
share incomplete emergency plan as a common cause failure. X23 Auxiliaries aging 3.2E-03 2.15E-01
The nodes in dotted circles serve as interface nodes between X24 Design defect of 1.0E-05 6.72E-04
instance nodes, and represent the information inputting or auxiliaries

outputting from an instance node to others. In this scenario,

the probabilities of lacking of efficient supervision and incom-
plete emergency plan are 1.0E-03 and 2.6E-03, respectively,
then the probability of leakage failure considering common
causes failure is estimated as 1.59E-02. It has an increase
compared to not involving common cause failure. The con-
sequence occurrence probabilities after considering common
cause failure are also shown in Table 6. It is apparent to see
that consequence probabilities have an obvious increase due
to common cause failure, which may more accord with engi-
neering practice.
evidence for calculating posterior of safety barriers, the pos-
terior probability of event Xi and safety barriers Si are the P (Xi
|leakage) and P (Si |end-state E)shown in Tables 4 and 5.
According to Table 4, the probabilities of partial primary
events have an obvious increase compared to their prior prob-
abilities. The most probable causes for leakage occurrence
are man-made drilling oil stolen, Seabed movement and aux-
iliaries aging whose probabilities increase from 1.0E-03 to
1.0E-01. Improving safety management, maintaining regularly

5.2. Probability updating Table 5 – Safety barriers of event tree in Fig. 7 and their
probabilities (PSA NO, 2014; Abimbola et al., 2014).
Once the Bayesian network is mapped from bow-tie, the prob- Symbol Safety barriers Prior Posterior
ability updating can be conducted using Bayesian network probability probability
through introducing a evidence. The probability after updating S1 Monitor and alarm 3.0E-03 1.01E-01
is in terms of posterior probability, for example, when a cer- barrier
tain state event E is given, the posterior probability of event Xi S2 Human response 1.0E-02 9.84E-02
is calculated as P (Xi | E). The most common evidence used in S3 Emergency shutdown 2.0E-02 1
probability updating is the knowledge about top event or con- S4 Negative protection 4.0E-02 1
system
sequences (Khakzad et al., 2013a). In this paper, the top event
S5 Emergency response 5.5E-03 1
leakage failure is adopted as evidence for estimating posterior S6 Ignition protection 3.0E-02 1
probability of root nodes while the E end-state is adopted as
 Process Safety and Environmental Protection 1 0 3 ( 2 0 1 6 ) 163–173 171

failure probabilities distribution and likelihood function of

Table 6 – Occurrence probabilities of consequences
calculated with different methods.
Symbol BT method BN BN considering
approach common cause
failures
A 1.49E-02 1.49E-02 1.58E-02
B 3.12E-06 3.11E-06 3.36E-06
C 9.64E-08 9.62E-08 1.04E-07
D 1.59E-06 1.76E-06 3.28E-05
E 4.92E-08 5.44E-08 1.01E-06
and selecting line of paving reasonably can avoid the occur-
rence or reduce the likelihood of above three primary events.
The posterior probabilities of safety barriers also have an obvi-
ous increase compared to prior probabilities, from Table 5,
the safety barriers S3, S4, S5, S6 must be failure state when
end-state E occurs.
The GeNIe software can also implement strength of
influence, through which the probable development paths
are found, the width of arc represents the likelihood of patch
(U.O. Pittsburgh, 2014). The most probable accident evolution
paths are follows: (i) X5→external corrosion→leakage
failure; (ii) (X15→harsh environment) and (X11→lack
of burial depth)→suspended span→leakage failure; (iii)
X23→auxiliaries aging→leakage failure; (iv) X21 or X22→weld
seam defect→leakage failure; (v) X19 or X20→material
defect→leakage failure. Note that the internal factors include
three evolution paths of high probability while external
factors include two evolution paths of high probability. In
addition, according to strength of influence, the emergency
response barrier has the widest arc connecting to conse-
quence node, which indicates emergency response barrier
has a big effect on accident consequence. Hence, reasonable
emergency plan and efficient emergency exercises must be
taken for improving the reliability of emergency response
barrier in order to prevent catastrophic accident.
Table 6.
5.3. Experience learning
To get a case-specific estimating value, the near misses and
incidents must be involved which are known as accident pre-
cursors that are not characterized as accident but indicate the
increasing likelihood of an accident occurrence (Kalantarnia
et al., 2009). Experience learning is an ability that present
accident model can adapt the failure probabilities of safety
barriers and occurrence probabilities of consequences using
accident precursor data (Yuan et al., 2015). In this paper, the
casual relationship of leakage failure for pipeline has already
been as depicted through Bayesian network, once the prior
safety barriers are determined, the experience learning for
failure probabilities of safety barriers can be implemented
based on Bayesian updating mechanism shown in Eq. (3) (Tan
et al., 2013). Finally, the experience learning for occurrence
probabilities of consequences is also calculated.
 P(data |Si )Si
P(Si data ) =  (3)
P(data |Si )Si
Where Si is the prior failure probability distribution of ith
safety barrier, P (data|Si ) is likelihood function obtained from
accident precursor data.
The prior failure probability distribution represents the
prior knowledge about system starting design or operation
while the likelihood function is a reflection of precursor
information (Kalantarnia et al., 2010). The real time accident
precursor data of submarine oil and gas pipeline are used to
form likelihood function, which often are obtained from the
history statistics of pipeline or safety expert feedback. In the
present study, the hypothetical cumulative occurrence num-
ber of consequences (i.e. accident precursor and accident data)
observed and reported over the course of 10 years are used
for illustrative purpose, as shown in Table 7. In application
process, a conjugate pair is often chosen for prior probability
distribution and likelihood function (Meel and Seider, 2006). In
this case, the prior probability distribution is called a family of
conjugate prior to corresponding likelihood function, and the
posterior probability distribution obtained from updating is in
the same family.
In the present study, it is assumed that all safety barriers
failure probability follow Beta distribution while correspond-
ing likelihood functions are represented using a binomial
distribution. Consequently, the posterior failure probability
obtained using Eq. (4) also follows beta distribution due to
Beta and binomial distributions are conjugate pairs. The expe-
rience learning can consider accident precursor information
that are recorded over time, the safety barriers failure prob-
abilities obtained from experience learning are also dynamic
over time. Fig. 11 shows the dynamic failure probabilities of
safety barriers, which is estimated using experience learning
method. In this figure, year 0 represents the prior probabil-
ities of safety barriers. As is depicted in Fig. 11, the failure
probabilities of safety barriers are increasing over time. Note
that the failure probabilities of negative protection system,
emergency shutdown and ignition protection have a sharp
increase with the time while failure probabilities of monitor
and alarm, human response and emergency response increase
to a small extent. Hence, the attention of pipeline operators
should mainly focus on the state of safety barriers of neg-
ative protection system, emergency shutdown and ignition

Table 7 – Cumulative number of precursor events and accidents of a submarine oil and gas pipeline.
T/year 1-A 2-A 3-B 4-C 5-A 6-D 7-E 8-A 9-A 10-B 11-C 12-A 13-D 14-E 15-A 16-D 17-E

1 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0
2 2 1 1 0 2 0 0 0 0 1 0 1 0 0 0 0 0
3 4 2 2 1 2 0 0 0 1 1 1 2 0 0 0 0 0
4 4 2 2 1 3 1 0 1 1 2 1 3 1 0 0 0 0
5 5 3 3 1 3 1 0 1 1 2 2 3 1 0 1 0 0
6 7 3 4 1 4 1 0 2 1 2 4 5 1 0 1 0 0
7 8 4 5 2 4 2 1 3 2 3 4 5 1 0 1 0 0
8 8 4 6 2 5 2 1 3 2 4 5 5 2 0 1 1 0
9 10 5 8 3 6 2 1 3 2 5 5 6 2 1 2 1 0
10 12 6 10 3 7 3 2 4 3 6 7 8 3 1 2 1 0
172 Process Safety and Environmental Protection 1 0 3 ( 2 0 1 6 ) 163–173

0.30 decreases with severity increases, as the occurrence probabil-

S1 ity of catastrophic accident E is smallest while the occurrence
0.25 S2 probability of general accident B is biggest compared to others.
Probabilities of safety barriers

S3
S4 Fig. 13 illustrates that the probability of consequence of safe
0.20 S5 state decrease gradually during ten years, this case indicate
S6 risk decision-making and preventive measures must be taken
0.15 for improving safe status of pipeline.
As a result of considering accident precursor data, the
0.10 probabilities of safety barriers and consequences are more
case-specific. Hence, the estimated outcome with posterior
0.05 probabilities is more accurate than prior probabilities. More-
over, dynamic change of these failure probabilities is also
0.00 represented using experience learning. Thus, the develop-
0 2 4 6 8 10 ment trend of safety status for pipeline can be predicted
Time-year
efficiently.
Fig. 11 – Dynamic failure probabilities of safety barriers.

protection. A regular work of inspection and maintenance 6. Conclusion

should be conducted for these three safety barriers in order
to improve reliability of them and prevent the occurrence of
major accident.
Figs. 12 and 13 show the dynamic occurrence probabili-
ties of consequences of dangerous and safe state, respectively,
which are also estimated using experience learning method.
As is depicted in Fig. 12, the occurrence probabilities of con-
sequences of dangerous types have a same change trend with
failure probabilities of safety barriers shown in Fig. 11, which
increase with time from year 0 to year 10. In addition, the
occurrence probability of consequences of dangerous state
0.00012
B
Probabilities of consequence
This paper demonstrated the application of coupled bow-tie
and Bayesian network in risk analysis of submarine oil and gas
pipeline. The hazard identification and escalation process of
pipeline leakage are modeled with bow-tie approach. Consid-
ering the limitation of bow-tie in conditional dependencies
and common cause failures, a Bayesian network mapping
from bow-tie is developed for relaxing this limitation. For
simplifying structure of Bayesian network, an object-oriented
Bayesian network is constructed by modularizing the pri-
mary Bayesian network. Present work illustrated that bow-tie
is more intuitive in accident modeling than Bayesian net-
work, however, the estimated outcome of bow-tie is static due
to its inherent limitation. In modeling process, the Bayesian
network with amended CPT can model accident practically.

0.00010 C
D Meanwhile, based on backward inference, the probability
0.00008 E updating is implemented when a new evidence is consid-
ered. In addition, an experience learning is also conducted
0.00006 with recorded accident precursor data, and dynamic failure
probabilities of safety barriers and consequences are obtained
0.00004 through this method.
In present study, when CPT is not amended, conditional
0.00002
dependency and common cause failures are not considered
simultaneously, Bayesian network had the same estimating
0.00000
0 2 4 6 8 10 value with bow-tie method. Otherwise, the Bayesian network
Time-year approach had a more big estimating value due to considering
more factors. In Bayesian network analysis, probability updat-
Fig. 12 – Dynamic probabilities of consequences in
ing indicated man-made drilling oil stolen, Seabed movement
dangerous state.
and auxiliaries aging are most probable factors for lead-
ing to a leakage occurrence. In addition, five most probable
0.01590 development patches of pipeline leakage are also identi-
fied through strength of influence of GeNIe software. The
A
probability updating also indicated that emergency response
0.01585
Probabilities of consequence

barrier has a big effect on accident consequence. A experi-

ence learning is also implemented in this paper, it indicated
0.01580
that the failure probabilities of negative protection system,
emergency shutdown and ignition protection have a sharp
0.01575 increase with the time. In addition, the occurrence proba-
bilities of consequences of dangerous states increased over
0.01570 time while consequence probability of safe state decreases
gradually.
Present study indicated that Bayesian network is an effi-
0.01565
0 2 4 6 8 10 cient tool in risk analysis on leakage failure of submarine oil
Time-year and gas pipeline, the estimating outcome of probability updat-
ing and experience learning could provide a strong support for
Fig. 13 – Dynamic probability of consequence in safe state.
risk decision-making and preventive measures implementing.
 Process Safety and Environmental Protection 1 0 3 ( 2 0 1 6 ) 163–173 173

Furthermore, the study could provide an educational refer- Kujath, M.F., Amyotte, P.R., Khan, F.I., 2010. A conceptual offshore
ence for risk analysis of other ocean oil and gas equipment. oil and gas process accident model. Journal of Loss Prevention
in the Process Industries 23 (2), 323–330.
Meel, A., Seider, W.D., 2006. Plant-specific dynamic failure
Acknowledgment
assessment using Bayesian theory. Chemical Engineering
Science 61 (21), 7036–7056.
The authors gratefully acknowledge the financial support pro- OGP UK, 2010. Risk assessment data directory: Risers and pipeline
vided by science and technology development projects of release frequencies, http://www.ogp.org.uk/pubs/434-04.pdf.
Shandong province in China (Project No: 2014GSF120014) and Participants, O., 2002. OREDA Offshore Reliability Data Handbook,
postgraduate innovation engineering projects of china univer- DNV, PO Box.
PSA NO, 2014. Trends in risk level in the petroleum activity,
sity of petroleum (East china) (Project No: YCXJ2016057). The
http://www.psa.no/getfile.php/PDF/RNNP%202014/RNNP
first author also would like to express his gratitude to lecturer
2014 ENG.pdf.
Xiuquan Liu for providing help during preparing this paper. Rathnayaka, S., Khan, F., Amayotte, P., 2013. Accident modeling
and risk assessment framework for safety critical
References decision-making: application to deepwater drilling operation.
Proceedings of the Institution of Mechanical Engineers. Part O:
Journal of Risk and Reliability 227 (1), 86–105.
Abimbola, M., Khan, F., Khakzad, N., Butt, S., 2015. Safety and risk
Rathnayaka, S., Khan, F., Amyotte, P., 2011. SHIPP methodology:
analysis of managed pressure drilling operation using
Predictive accident modeling approach. Part I: Methodology
Bayesian network. Safety Science 76, 133–144.
and model description. Process safety and environmental
Abimbola, M., Khan, F., Khakzad, N., 2014. Dynamic safety risk
protection 89 (3), 151–164.
analysis of offshore drilling. Journal of Loss Prevention in the
Rausand, M., 2013. Risk assessment: theory, methods, and
Process Industries 30, 74–85.
applications. John Wiley and Sons.
Aljaroudi, A., Khan, F., Akinturk, A., Haddara, M., Thodi, P., 2015a.
Reason, J.T., Carthey, J., De Leval, M.R., 2001. Diagnosing
Risk assessment of offshore crude oil pipeline failure. Journal
“vulnerable system syndrome”: an essential prerequisite to
of Loss Prevention in the Process Industries 37,
effective risk management. Quality in health care 10 (suppl 2),
101–109.
ii21–ii25.
Aljaroudi, A., Khan, F., Akinturk, A., Haddara, M., Thodi, P., 2015b.
Reason, J., 1990. The contribution of latent human failures to the
Probability of Detection and False Detection for Subsea Leak
breakdown of complex systems. Philosophical Transactions of
Detection Systems: Model and Analysis. Journal of Failure
the Royal Society B: Biological Sciences 327 (1241), 475–484.
Analysis and Prevention.
Sklet, S., 2006. Safety barriers: Definition, classification, and
Bhandari, J., Abbassi, R., Garaniya, V., Khan, F., 2015. Risk analysis
performance. Journal of Loss Prevention in the Process
of deepwater drilling operations using Bayesian network.
Industries 19 (5), 494–506.
Journal of Loss Prevention in the Process Industries 38, 11–23.
Skogdalen, J.E., Vinnem, J.E., 2012. Combining precursor incidents
DNV-RP-F107, 2010. Risk Assessment of Pipeline Protection. Det
investigations and QRA in oil and gas industry. Reliability
NorskeVeritas.
Engineering and System Safety 101, 48–58.
HSE UK, 2011. Offshore Safety Statistics Bulletin,
Tan, Q., Chen, G., Zhang, L., Fu, J., Li, Z., 2013. Dynamic accident
http://www.hse.gov.uk/offshore/statistics/stat1011.htm.
modeling for high-sulfur natural gas gathering station.
Kalantarnia, M., Khan, F., Hawboldt, K., 2009. Dynamic risk
Process Safety and Environmental Protection 92 (6), 565–576.
assessment using failure assessment and Bayesian theory.
Pittsburgh, U.O., 2014. GeNIe 2.0. G. 2.0 (Ed.) 2.05219.0. University
Journal of Loss Prevention in the Process Industries 22 (5),
of Pittsburgh.
600–606.
Xue, L., Fan, J., Rausand, M., Zhang, L., 2013. A safety barrier-based
Kalantarnia, M., Khan, F., Hawboldt, K., 2010. Modelling of BP
accident model for offshore drilling blowouts. Journal of Loss
Texas City refinery accident using dynamic risk assessment
Prevention in the Process Industries 26 (1), 164–171.
approach. Process Safety and Environmental Protection 88 (3),
Yuan, Z., Khakzad, N., Khan, F., Amyotte, P., 2015. Risk analysis of
191–199.
dust explosion scenarios using Bayesian networks. Risk
Kawsar, M.R.U., Youssef, S.A., Faisal, M., Kumar, A., Seo, J.K., Paik,
analysis 35 (2), 278–291.
J.K., 2015. Assessment of dropped object risk on corroded
Fang, N., 2014. Study on risk analysis and emergency measures of
subsea pipeline. Ocean Engineering 106, 329–340.
submarine pipeline leakage accidents. China university of
Khakzad, N., Khan, F., Amyotte, P., Cozzani, V., 2013. Domino
petroleum, Qingdao.
Effect Analysis Using Bayesian Networks. Risk Analysis 33 (2),
Fang, N., Chen, G., Zhu, H., Meng, H., 2014. Statistical analysis of
292–306.
leakage accidents of submarine pipeline. Oil and Gas Storage
Khakzad, N., Khan, F., Amyotte, P., 2011. Safety analysis in
and Transportation 33 (01), 99–103.
process facilities: Comparison of fault tree and Bayesian
Hu, X., Duan, M., Guan, Y., 2012. Quantitative risk assessment of
network approaches. Reliability Engineering and System
deepwater submarine pipeline based on fuzzy bow-tie model.
Safety 96 (8), 925–932.
China Safety Science Journal 22 (03), 128–133.
Khakzad, N., Khan, F., Amyotte, P., 2012. Dynamic risk analysis
Jin, W., Zhang, E., Shao, J., Liu, D., 2004. Cause Analysis and
using bow-tie approach. Reliability Engineering and System
Countermeasure for Submarine Pipeline Failure. Bulletin of
Safety 104, 36–44.
Science and Technology 20 (06), 529–533.
Khakzad, N., Khan, F., Amyotte, P., 2013a. Quantitative risk
Zhang, X., Xie, L., Chen, G., 2011. Integrity management
analysis of offshore drilling operations: A Bayesian approach.
technique for submarine pipeline. Oil Field Equipment 40 (12),
Safety Science 57, 108–117.
10–15.
Khakzad, N., Khan, F., Amyotte, P., 2013b. Dynamic safety
Zhu, H., Chen, G., 2009. Integrated reliability assessment on
analysis of process systems by mapping bow-tie into Bayesian
VIV-induced fatigue failure for submarine pipeline system
network. Process Safety and Environmental Protection 91
due to span. China Offshore Oil and Gas 21 (2), 133–137.
(1–2), 46–53.