Formal Reliability Analysis of Oil and Gas Pipelines: Waqar Ahmed, Osman Hasan, Sofiène Tahar and Mohamed Salah Hamdi

This document discusses performing a formal reliability analysis of oil and gas pipelines using higher-order logic theorem proving. It presents the formalization of common reliability block diagrams (RBDs) like series, parallel, series-parallel and k-out-of-n in higher-order logic. As an example, it describes applying the formalized RBDs to assess the reliability of a pipeline transportation subsystem between two oil terminals. The goal is to provide an accurate alternative to paper-and-pencil and simulation methods for reliability analysis of critical oil and gas pipeline infrastructure.


Journal Title XX(X):1–14
© The Author(s) 2016
Reprints and permission: sagepub.co.uk/journalsPermissions.nav
DOI: 10.1177/ToBeAssigned
www.sagepub.com/

Formal Reliability Analysis of Oil and Gas Pipelines

Waqar Ahmed1 , Osman Hasan1 , Sofiène Tahar2 and Mohamed Salah Hamdi3

Abstract
Depending upon the operational environment, installation location and aging of the oil and gas pipelines, they are
subjected to various degradation mechanisms, such as cracking, corrosion, leaking and thinning of the pipeline walls.
Failure of oil and gas pipelines due to these degradation mechanisms can lead to catastrophic events, which in the
worst case scenario may result in the loss of human lives and huge financial losses. Traditionally, paper-and-pencil
proof methods and Monte Carlo based computer simulations are used to perform the reliability analysis of oil and
gas pipelines in order to identify the potential threats and thus avoid the unwanted failures. However, paper-and-pencil
proof methods are prone to human errors, especially when dealing with large systems, and simulation techniques, on
the other hand, are primarily based on the sampling based methods, i.e., all possible scenarios of the given systems
are not tested, which compromises the accuracy of the results. As an accurate alternative, we propose to use
higher-order-logic (HOL) theorem proving for the reliability analysis of oil and gas pipelines. In particular, this paper
presents the higher-order-logic formalization of commonly used Reliability Block Diagrams (RBDs), such as series,
parallel, series-parallel and k-out-of-n, and provides an approach to utilize these formalized RBDs to assess the reliability of
oil and gas pipelines. For illustration purposes, we present the formal reliability analysis of a pipeline transportation
subsystem used between the oil terminals at Port of Gdynia and Debogorze.

Keywords
Reliability Block Diagrams (RBDs), Higher-order Logic Theorem Proving, Probability Theory, Oil and Gas Pipelines

1 School of Electrical Engineering and Computer Science, National University of Sciences and Technology, Islamabad, Pakistan
2 Department of Electrical and Computer Engineering, Concordia University, Montreal, Canada
3 Information Systems Department, Ahmed Bin Mohammed Military College, Doha, Qatar

Corresponding author: School of Electrical Engineering and Computer Science, National University of Sciences and Technology, Islamabad, Pakistan. Email: waqar.ahmad@seecs.nust.edu.pk

Prepared using sagej.cls [Version: 2015/06/09 v1.01]

1 Introduction

Oil and gas pipelines are indeed the most pivotal part of the present-age energy-delivery system [1] and thus one of the foremost requirements of oil and gas industries and their supply chain is to ensure that the pipelines continue to function risk free. Oil and gas pipelines are known for their susceptibility to leaks and catching fire, which may lead to an explosion and thus may be responsible for catastrophic events. For instance, a big explosion was caused by the methane gas leakage [2] on April 20, 2010, at the Deepwater Horizon oil rig operated by Transocean, which is a subcontractor of British Petroleum (BP). Due to this incident, which was caused by the loss of the platform's well control system, not only 11 workers died instantly, but the rig also sank and was completely destroyed, which caused millions of gallons of oil to spill out into the Gulf of Mexico. This is considered one of the largest accidental marine oil spills in the history of the petroleum industry, and it continues to damage the marine and wildlife habitats as well as the Gulf's fishing and tourism industries even now [2]. There are tens of thousands of miles of oil and gas pipelines around the world and they are becoming more and more susceptible to failures due to aging. Hence, it is very important to do rigorous reliability and failure analysis of oil and gas pipelines to minimize the chances of disasters like the BP one.

Pipeline Integrity Management (PIM) [3] is a process to evaluate the risks posed to the pipelines with the objective to improve their reliability. According to the regulations of the Pipeline Safety Improvement Act of 2002 [4], the natural gas transmission companies must conduct risk analysis of pipeline segments at high consequence areas (HCAs), i.e., the areas where a failure in the gas pipeline would have a significant impact on public safety or the environment.

Reliability Block Diagrams (RBDs) [7], i.e., a graphical technique to analyze the impact of the individual reliabilities of system components on the overall reliability of the system, provide an efficient tool to conduct PIM. This pipeline reliability analysis involves three major steps [6]: (i) partitioning the given pipeline into segments and constructing its equivalent RBD [6], (ii) assessing the reliability of the individual segments and (iii) evaluating the reliability of the entire pipeline based on the RBD and the reliability of its individual segments. The reliability of the individual pipeline segments is usually expressed in terms of their failure rates λ and a time-to-failure random variable, such as exponential [8] or Weibull [6]. A single oil or gas pipeline can be modeled by using a series RBD configuration [9], but complex pipeline networks can be modeled by using a combination of series and parallel RBD configurations [5]. For example, Figure 1 depicts some portions of a real-world pipeline system. Figure 1(a) presents the RBD of the oil terminal pipeline network at Debogorze [5]. Based on the redundancy structure and operational state of this pipeline, its reliability can be evaluated by using the series-parallel and k-out-of-n RBDs [5]. The cross section of the three-stranded steel rope M-80-200-10, in Figure 1(b), is composed of 36 strands: 18 outer, 12 inner and 6 more inner strands. The reliability of this steel rope can be evaluated by considering it as a parallel system and utilizing the parallel RBD configuration [6].

Figure 1. Pipeline Systems (a) RBD of Oil Terminal in Debogorze [5] (blocks labelled PORT GDYNIA, PIRS and TERMINAL DEBOGORZE, with subsystems S2 and S3 and branches A, B, C) (b) Cross Section View of M-80-200-10 Steel Rope [6]

The above-mentioned three-step process commences by gathering data from in-line inspection tools to detect cracks, corrosion or damage [10,11] and selecting suitable failure models for the individual segments of the pipeline. This gathered data, along with the failure model, is then analyzed either using paper-and-pencil methods or computer simulations to assess the failure probability or reliability of the complete oil and gas pipelines [5,8]. However, the paper-and-pencil based analytical methods are prone to human error when it comes to the analysis of large systems, such as the transmission network of oil and gas pipelines. It is of common occurrence that many key assumptions, which are in the mind of mathematicians, are not properly documented and hence not all reliability constraints can be entirely passed to the reliability assurance engineers. These undocumented assumptions or constraints may become the primary cause of catastrophic events. On the other hand, numerous software tools, provided by software companies such as DNV-GL [12] and ReliaSoft [13], are available for the reliability assessment of oil and gas pipelines. These tools are mainly based on Monte Carlo simulation, which is a sampling based method, since the exhaustive testing of all possible scenarios is not computationally feasible given the large size of the system models and the involvement of so many variables of continuous nature in the reliability analysis of oil and gas pipelines. Thus, just like paper-and-pencil proof methods, the analysis results of computer simulations cannot be completely trusted since there is always some risk of missing a corner case from the test vectors used for the simulation. The above-mentioned analysis inaccuracies are a severe limitation in the case of oil and gas pipelines as an uncaught system bug may endanger human and animal lives or lead to a significant financial loss.

Formal methods [14], which are computer based mathematical reasoning techniques, have been used to overcome the inaccuracy limitations of paper-and-pencil proof methods and simulation and thus can play a vital role in developing dependable systems [15]. The main idea behind the formal analysis of a system is to first construct a mathematical model of the given system using a state-machine or an appropriate logic and then use logical reasoning and deduction methods to formally verify that this system exhibits the desired characteristics, which are also specified mathematically using an appropriate logic. Formal methods are mainly categorized into two mainstream techniques: model checking [16] and theorem proving [17]. Model checking is a state-based technique in which system behavior, specified as a state-machine, is analyzed by verifying the temporal properties exhaustively over the entire state-space of the formal model of the given system within a computer. Theorem proving, on the other hand, allows using logical reasoning to verify relationships between a system and its properties as theorems, specified in an appropriate logic, using a computer. Both model checking and theorem proving have been used for probabilistic analysis of systems (e.g. [18–20]), which is the foremost requirement for conducting reliability analysis. However, due to the state-based nature of model checking, it suits the Markov chain based reliability analysis quite well, whereas, in the context of RBD based reliability analysis, model checking can be used to analyze the properties of dynamic RBDs (DRBDs) only [21]. Theorem proving based on expressive higher-order-logic (HOL) [22], which is a system of deduction with a precise semantics and can be used to formally model any system that can be described mathematically, allows working with a variety of data types, such as lists and real numbers, and can be used to verify generic mathematical expressions. Thus, leveraging upon the probability theory formalization in higher-order-logic [23], the theorem proving technique has the potential to provide an accurate and rigorous alternative for the reliability analysis of oil and gas pipelines.

Theorem proving has been recently used for the formalization of RBDs, such as series [9], parallel [24], parallel-series [24] and series-parallel [25], to conduct formal reliability analysis of many applications including simple oil and gas pipelines with serial components [9], wireless sensor network protocols [24] and logistic supply chains [25]. However, many real-world pipelines [5] have some operational states that require only some of their redundant subsystems to be operational. This kind of pipeline operational behaviour has been modeled by using the k-out-of-n RBD configuration. Thus, we also need to formalize the k-out-of-n RBD configuration along with the other RBD configurations in order to facilitate the accurate analysis of a wide range of oil and gas pipelines.

The main novel contributions of the paper are as follows:


• An improved formalization approach for commonly used RBDs, in particular the series-parallel RBD, that is much more compositional in nature compared to existing formalizations of RBDs [24,25] and can be easily extended to model any kind of complex RBD within the HOL theorem prover.
• Formalization of the k-out-of-n RBD configuration and its variants, which is essentially required along with the other RBD configurations in order to facilitate the accurate reliability analysis of a wide range of real-world systems, including oil and gas pipeline networks [5].
• Formal reliability analysis of a complex pipeline network used in the oil terminal in Debogorze [5], which is designated for the reception from ships and the storage and transportation of oil products by carriages or cars.

The rest of the paper is organized as follows: Section 2 presents a review of the related work. Section 3 provides an overview of the proposed methodology that has been used to conduct formal reliability analysis of oil and gas pipeline systems. To facilitate the understanding of the paper for non-experts in theorem proving, we present a brief introduction about theorem proving, the HOL theorem prover and the HOL probability theory formalization in Section 4. This is followed by the description of our formalization of the RBD configurations in Section 5. The RBD-based formal reliability analysis of oil and gas pipelines is presented in Section 6 and finally Section 7 concludes the paper.

2 Related Work

Many computer software tools, such as DNV-GL [12], ReliaSoft [13] and the ASENT Reliability analysis tool [26], support RBD-based reliability analysis and also provide powerful graphical editors which can be used to construct the RBD models of the oil and gas pipelines. These tools generate samples from the exponential or Weibull random variables to model the reliabilities of the system components. These samples are then processed by using computer arithmetic and numerical techniques in order to compute the reliability of the complete system. Although these software tools provide more scalable and quick analysis as compared to paper-and-pencil based analytical methods, they cannot ascertain the absolute correctness of the system because of their inherent sampling based nature, the involvement of pseudo random numbers and numerical methods.

Formal methods, such as Petri nets (PN), have also been used to model RBDs [27] as well as dynamic RBDs [21] that are used to describe the reliability behavior of systems. PN verification tools, based on model checking principles, are then used to verify behavioral properties of the RBD models to identify design flaws [21,27]. Similarly, the probabilistic model checker PRISM [28] has been used for the quantitative verification of various safety and mission-critical systems, such as failure analysis for an industrial product development workflow [29], an airbag system [30] and the reliability analysis of a global navigation satellite system (GNSS) that enables an aircraft to determine its position (latitude, longitude, and altitude) [31]. However, due to the state-based models, only state related property verification, like deadlock checks, reachability and safety properties, is supported by these approaches, i.e., we cannot verify generic reliability relationships for the given system using the approaches presented in [21,30].

A number of higher-order-logic formalizations of probability theory are available (e.g. [23,32,33]). Hurd's formalization of probability theory [32] has been utilized to verify sampling algorithms of a number of commonly used discrete [32] and continuous random variables [34] based on their probabilistic and statistical properties. Moreover, this formalization has been used to conduct the reliability analysis of a number of applications, such as memory arrays [34] and electronic components [35]. However, Hurd's formalization of probability theory only supports having the whole universe as the probability space. This feature limits its scope and thus this probability theory cannot be used to formalize more than a single continuous random variable, whereas, in the case of reliability analysis of pipelines, multiple continuous random variables are required. The recent formalizations of probability theory by Mhamdi [23] and Hölzl [33] are based on extended real numbers (including ±∞) and provide the formalization of the Lebesgue integral to reason about advanced statistical properties. These theories also allow using any arbitrary probability space, a subset of the universe, and thus are more flexible than Hurd's formalization.

Leveraging upon the high expressiveness of higher-order-logic and the inherent soundness of theorem proving, Mhamdi's formalized probability theory [23] has been recently used for the formalization of RBDs, including series [9], parallel [24], parallel-series [24] and series-parallel [25]. These formalizations have been used for the reliability analysis of many applications including simple oil and gas pipelines with serial components [9], wireless sensor network protocols [24] and logistic supply chains [24]. Moreover, the probability theory in the HOL theorem prover [23] has also been used to conduct Fault Tree-based formal failure analysis of a satellite's solar array [36] and availability analysis [37]. However, to the best of our knowledge, no higher-order-logic formalization of the k-out-of-n RBD configuration, which is frequently used to capture the behavior of complex oil and gas pipelines, has been reported in the literature so far. In this paper, we overcome this limitation by presenting a higher-order-logic formalization of the k-out-of-n RBD configuration that in turn is used, along with the series-parallel RBD configuration, to formally verify generic reliability expressions for an oil and gas pipeline network used in the oil terminal of Debogorze [5].

3 Proposed Methodology

The proposed methodology for the formal reliability analysis of oil and gas pipeline systems, depicted in Figure 2, allows us to formally verify the reliability expressions corresponding to the given pipeline system description and thus formally check that the given pipeline system satisfies its reliability requirements. The core component of this methodology is the higher-order-logic formalizations of the notions of probability, reliability and RBDs.

The given oil and gas pipeline system is first partitioned into segments and the corresponding RBD model is


Figure 2. Methodology for Formal Pipeline Reliability Analysis (flow: Oil and Gas Pipeline System Description → Partitioning of Pipeline Systems into Segments → Pipeline RBD Model → Assigning the Failure Distributions → Reliability Requirements → Proof Goal; the higher-order logic formalizations of Probability, Reliability, Reliability Block Diagrams (RBDs) and Failure Distributions feed the Formal RBD Model and the Proof Goal; Theorem Prover: Proof Goals Discharged? YES → Formally Verified Reliability Expressions, NO → back to the model and requirements)

constructed. This model can then be formalized in higher-order logic using the above-mentioned core formalizations, particularly the formalization of commonly used RBD configurations. The next step is to assign failure distributions, like exponential and Weibull, to individual components of the given pipeline system. These distributions are also formalized by building upon the formalized probability theory and are used, along with the formal RBD model, to formalize the given reliability requirements as a proof goal in higher-order logic. The user has to reason about the correctness of this proof goal using a theorem prover by building upon the core formalizations of probability and reliability theories. If all the sub-goals are discharged then we obtain formally verified reliability expressions, which correspond to the reliability requirements of the given pipeline system. Otherwise, we can use the failing sub-goals to debug our formalizations of the model (Formal RBD Model) and requirements (Proof Goal) or the originally specified model and requirements, as depicted by the red-colored line in Figure 2.

4 Preliminaries

In this section, we give a brief introduction to theorem proving and the HOL theorem prover in particular. This will be followed by an overview of the formalization of probability theory [23] and the notion of reliability in HOL that we build upon to formalize RBD configurations. The intent is to introduce the main ideas behind these foundations to facilitate the understanding of the paper for the reliability analysis community.

4.1 Theorem Proving

Theorem proving [22] is a widely used formal verification technique. The system that needs to be analysed is mathematically modeled in an appropriate logic and the properties of interest are verified using computer-based formal tools. The use of formal logic as a modelling medium makes theorem proving a very flexible verification technique as it is possible to formally verify any system that can be described mathematically. The core of theorem provers usually consists of some well-known axioms and primitive inference rules. Soundness is assured as every new theorem must be created from these basic or already proved axioms and primitive inference rules.

The verification effort of a theorem in a theorem prover varies from trivial to complex depending on the underlying logic. For instance, first-order logic [38] utilizes the propositional calculus and terms (constants, function names and free variables) and is semi-decidable. A number of sound and complete first-order logic automated reasoners are available that enable completely automated proofs. More expressive logics, such as higher-order-logic [39], can be used to model a wider range of problems than first-order logic, but theorem proving for these logics cannot be fully automated and thus involves user interaction to guide the proof tools. For reliability analysis of pipelines, we need to formalize (mathematically model) random variables as functions, and their distribution properties are verified by quantifying over random variable functions. Hence, first-order logic does not support such formalization and we need to use higher-order logic to formalize the foundations of reliability analysis of pipelines. Consequently, the proofs of the properties of these definitions require human guidance, which can be quite time consuming and requires a deep understanding of the mathematical reasoning behind the proof.
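The workflow of Section 3 (Figure 2) can be read as a small program: partition the pipeline into segments, build the RBD model, attach an exponential time-to-failure distribution to each segment, and check a reliability requirement at a mission time. The following Python program is an added example, not the authors' HOL development: it evaluates such a model numerically using the series, parallel and k-out-of-n expressions that the paper formalizes, which is the kind of instance that the generic HOL theorems certify. The segment names, failure rates and model layout are assumptions made for this example; the data of the Debogorze network is not given on this page.

```python
"""Executable sketch of the Section 3 workflow (added example, not the paper's HOL code).

A pipeline description is partitioned into segments, assembled into an RBD model,
every segment gets an exponential time-to-failure distribution (failure rate lambda),
and a reliability requirement at mission time t is checked against the model.
"""
import math
from dataclasses import dataclass
from typing import List, Union


@dataclass(frozen=True)
class Segment:
    """One pipeline segment with an exponential failure distribution (assumed unit: 1/hour)."""
    name: str
    lam: float


@dataclass(frozen=True)
class Series:
    blocks: List["Block"]


@dataclass(frozen=True)
class Parallel:
    blocks: List["Block"]


@dataclass(frozen=True)
class KOutOfN:
    k: int
    blocks: List["Block"]


Block = Union[Segment, Series, Parallel, KOutOfN]


def reliability_exp(lam: float, t: float) -> float:
    """Equation (1) for an exponential X: R(t) = 1 - F_X(t) = exp(-lambda * t)."""
    return math.exp(-lam * t)


def series(rs: List[float]) -> float:
    """All blocks must work: product of the block reliabilities (independence assumed)."""
    return math.prod(rs)


def parallel(rs: List[float]) -> float:
    """At least one block works: 1 - product of the unreliabilities."""
    return 1.0 - math.prod(1.0 - r for r in rs)


def k_out_of_n(k: int, rs: List[float]) -> float:
    """At least k of n independent blocks work; blocks may differ in reliability.

    dist[j] is the probability that exactly j blocks work. It is built one block at
    a time (j descending so the old dist[j-1] is used), so the result is exact up to
    floating point rather than sampled.
    """
    dist = [1.0] + [0.0] * len(rs)
    for r in rs:
        for j in range(len(rs), 0, -1):
            dist[j] = dist[j] * (1.0 - r) + dist[j - 1] * r
        dist[0] *= 1.0 - r
    return sum(dist[k:])


def evaluate(block: Block, t: float) -> float:
    """Evaluate the RBD model recursively at mission time t."""
    if isinstance(block, Segment):
        return reliability_exp(block.lam, t)
    rs = [evaluate(b, t) for b in block.blocks]
    if isinstance(block, Series):
        return series(rs)
    if isinstance(block, Parallel):
        return parallel(rs)
    return k_out_of_n(block.k, rs)


def check_requirement(block: Block, t: float, required: float):
    """Return (R(t), verdict): does the model meet the required reliability at t?"""
    r = evaluate(block, t)
    return r, r >= required


# Constructed sample model (hypothetical, not the terminal analysed in the paper): a
# feeder segment in series with a redundant pair of lines and a 2-out-of-3 pump stage.
SAMPLE_MODEL = Series([
    Segment("feeder", 0.001),
    Parallel([Segment("line-A", 0.002), Segment("line-B", 0.002)]),
    KOutOfN(2, [Segment("pump-1", 0.001), Segment("pump-2", 0.001), Segment("pump-3", 0.001)]),
])

if __name__ == "__main__":
    for t in (10.0, 100.0, 500.0):
        r, ok = check_requirement(SAMPLE_MODEL, t, 0.85)
        print(f"t={t:6.1f}  R(t)={r:.4f}  requirement 0.85 met: {ok}")
```

The k-out-of-n routine reduces to the parallel expression for k = 1 and to the series expression for k = n, which is a convenient sanity check for any RBD evaluator; the recursion in evaluate is what lets series-parallel structures be expressed by nesting rather than by a separate formula.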


4.2 HOL Theorem Prover

HOL is an interactive theorem prover developed at the University of Cambridge, UK, for conducting proofs in higher-order logic. It utilizes the simple type theory of Church [40] along with Hindley-Milner polymorphism [41] to implement higher-order logic. HOL has been successfully used as a verification framework for both software and hardware as well as a platform for the formalization of pure mathematics.

The HOL core consists of only 5 basic axioms and 8 primitive inference rules, which are implemented as ML functions. Soundness is assured as every new theorem must be verified by applying these basic axioms and primitive inference rules or any other previously verified theorems/inference rules.

We utilized the HOL theories of Booleans, lists, sets, positive integers, real numbers, measure and probability in our work. In fact, one of the primary motivations of selecting the HOL theorem prover for our work was to benefit from these built-in mathematical theories. Table 1 provides the mathematical interpretations of some frequently used HOL symbols and functions, which are inherited from existing HOL theories, in this paper.

Table 1. HOL Symbols and Functions

    HOL Symbol        Standard Symbol    Meaning
    ∧                 and                Logical and
    ∨                 or                 Logical or
    ¬                 not                Logical negation
    ::                cons               Adds a new element to a list
    ++                append             Joins two lists together
    HD L              head               Head element of list L
    TL L              tail               Tail of list L
    EL n L            element            nth element of list L
    MEM a L           member             True if a is a member of list L
    LENGTH L          length             Length of list L
    λ x.t             λx.t               Lambda abstraction function that maps x to t(x)
    SUC n             n+1                Successor of a num
    lim(λ n.f(n))     lim_{n→∞} f(n)     Limit of a real sequence f
    {x|P(x)}          {λx.P(x)}          Set of all x that satisfy the condition P

4.3 Formalization of Probability and Reliability in HOL

Mathematically, a measure space is defined as a triple (Ω, Σ, µ), where Ω is a set, called the sample space, Σ represents a σ-algebra of subsets of Ω, where the subsets are usually referred to as measurable sets, and µ is a measure with domain Σ. A probability space is a measure space (Ω, Σ, Pr), such that the measure, referred to as the probability and denoted by Pr, of the sample space is 1. In the HOL formalization of probability theory [23], given a probability space p, the functions space, subsets and prob return the corresponding Ω, Σ and Pr, respectively. This formalization also includes the formal verification of some of the most widely used probability axioms, which play a pivotal role in formal reasoning about reliability properties.

A random variable is a measurable function between a probability space and a measurable space. The measurable functions belong to a special class of functions, which preserves the property that the inverse image of each measurable set is also measurable. A measurable space refers to a pair (S, A), where S denotes a set and A represents a nonempty collection of sub-sets of S. Now, if S is a set with finite elements, then the corresponding random variable is termed a discrete random variable, otherwise it is called a continuous one.

The probability that a random variable X is less than or equal to some value t, Pr(X ≤ t), is called the cumulative distribution function (CDF) and it characterizes the distribution of both discrete and continuous random variables. The CDF has been formalized in HOL as follows [9]:

    ⊢ ∀ p X t. CDF p X t = distribution p X {y | y ≤ Normal t}

where the variables p, X and t represent a probability space, a random variable and a real number respectively. The function Normal takes a real number as its input and converts it to its corresponding value in the extended-real data-type, i.e., the real data-type with the inclusion of positive and negative infinity. The function distribution takes three parameters: a probability space p, a random variable X and a set of extended-real numbers, and outputs the probability that the random variable X takes a value in the given set in the probability space p.

Now, reliability R(t) is stated as the probability of a system or component performing its desired task over a certain interval of time t:

    R(t) = \Pr(X > t) = 1 - \Pr(X \le t) = 1 - F_X(t)    (1)

where F_X(t) is the CDF. The random variable X, in the above definition, models the time to failure of the system and is usually modeled by the exponential random variable with parameter λ, which corresponds to the failure rate of the system. Based on the HOL formalization of probability theory [23], Equation (1) has been formalized as follows [9]:

    ⊢ ∀ p X t. Reliability p X t = 1 - CDF p X t

The series RBD, presented in [9], is based on the notion of mutual independence of random variables, which is one of the most essential prerequisites for reasoning about the mathematical expressions for all RBDs. If N reliability events are mutually independent then

    \Pr\Big(\bigcap_{i=1}^{N} A_i\Big) = \prod_{i=1}^{N} \Pr(A_i)    (2)

This concept has been formalized as follows [9]:

    ⊢ ∀ p L. mutual_indep p L =
        ∀ L1 n. PERM L L1 ∧ 1 ≤ n ∧ n ≤ LENGTH L ⇒
                prob p (inter_list p (TAKE n L1)) =
                list_prod (list_prob p (TAKE n L1))

The function mutual_indep accepts a list of events L and a probability space p and returns True if the events in the given list are mutually independent in the probability space p. The predicate PERM ensures that the two lists given as its arguments are permutations of one another. The function LENGTH returns the length of the given list. The function TAKE returns the first n elements of its argument list as a list. The function inter_list performs the intersection


of all the sets in its argument list of sets and returns the probability space if the given list of sets is empty. The function list_prob takes a list of events and returns the list of probabilities associated with the events in the given list in the given probability space. Finally, the function list_prod recursively multiplies all the elements in the given list of real numbers. Using these functions, the function mutual_indep models the mutual independence condition such that for any n ≥ 1 events taken from any permutation of the given list L, the property $\Pr(\bigcap_{i=1}^{N} A_i) = \prod_{i=1}^{N} \Pr(A_i)$ holds.

5 Formalization of the Reliability Block Diagrams

Reliability Block Diagrams (RBDs) [42] are graphical structures consisting of blocks and connector lines. The blocks usually represent the system components and the connection of these components is described by the connector lines. The system is functional if at least one path of properly functional components from input to output exists, otherwise it fails.

An RBD configuration can follow any of these three basic patterns of component connections: (i) series, (ii) active redundancy or (iii) standby redundancy. In the series connection, shown in Figure 3(a), all the components should be functional for the system to remain functional. Whereas, in active redundancy, all the components in at least one of the redundant stages must be functioning in fully operational mode. The components in active redundancy, in Figure 3, might be connected in a parallel structure (Figure 3(b)) or a combination of series and parallel structures as shown in Figure 3(c). In standby redundancy, not all components are required to be active, as shown in Figure 3(d). This type of RBD is known as a k-out-of-n RBD, where at least k components must be in the active state out of n system components. Three types of information are necessary to build the RBD of a given system: (i) functional interaction of the system components, (ii) reliability of each component, and (iii) mission times at which the reliability is desired. This information is then utilized by the design engineers to identify the appropriate RBD configuration (series, parallel or series-parallel) in order to determine the overall reliability of the given system.

Figure 3. Reliability Block Diagrams (a) Series (b) Parallel (c) Series-Parallel (d) k-out-of-n (blocks 1..N between input I and output O; the k-out-of-n diagram is marked K/N)

The most commonly used RBD configurations for the reliability analysis of oil and gas pipelines include series, parallel and a combination of both, and are depicted in Figure 3. In this paper, we present their formalization, which can then be used in turn to formally model the structures of oil and gas pipelines in HOL and reason about their reliability, availability and maintainability characteristics.

5.1 Higher-order Logic Formalization of Reliability Event

In this paper, we have verified the reliability expressions for the commonly used RBD configurations by using reliability event lists, where a single event represents the scenario when the given system or component does not fail before a certain time:

    Definition 1: ⊢ ∀ p X t. rel_event p X t =
                      PREIMAGE X {y | Normal t < y} ∩ p_space p

The function PREIMAGE takes two arguments, a function f and a set s, and returns the set of points of the domain of f that f maps into the given range set s. The function rel_event accepts a probability space p, a random variable X, representing the failure time of a system or a component, and a real number t, which represents the time index at which the reliability is desired. It returns an event representing the reliable functioning of the system or component at time t. Similarly, a list of reliability events is derived by mapping the function rel_event on each element of the given random variable list in HOL as follows:

    Definition 2: ⊢ ∀ p L t. rel_event_list p L t =
                      MAP (λa. rel_event p a t) L

where the HOL function MAP takes a function f and a list and returns a list by applying the function f on each element of the given list.

In the subsequent sections, we present the HOL formalization of RBDs on any reliability event list of arbitrary length [24,25]. The notion of reliability event is then incorporated in the formalization while carrying out the


Waqar et. al 7

reliability analysis of oil and gas pipelines, as described in Section 6.

5.2 Formalization of Series Reliability Block Diagram

A system with components connected in series is considered reliable at time t only if all of its components are functioning reliably at time t, as depicted in Figure 3(a). If A_i(t) is a mutually independent event that represents the reliable functioning of the ith component of a serially connected system with N components at time t, then the overall reliability of the complete system can be expressed as [7]:

$$R_{series}(t) = \Pr\Big(\bigcap_{i=1}^{N} A_i(t)\Big) = \prod_{i=1}^{N} R_i(t) \qquad (3)$$

We formalized the serial RBD configuration as follows [9]:

Definition 3: ⊢ (∀ p. series_struct p [] = p_space p) ∧
  (∀ p h t. series_struct p (h::t) = h ∩ series_struct p t)

The above function takes a list of events L corresponding to the failure of individual components of the given system and the probability space p and returns the intersection of all of the elements in a given list L, or the whole probability space if the given list is empty. Based on this function definition, the result of Equation (3) is formally verified as:

Theorem 1: ⊢ ∀ p L. prob_space p ∧ ¬NULL L ∧ mutual_indep p L ∧ in_events p L ⇒
  (prob p (series_struct p L) = list_prod (list_prob p L))

The first assumption ensures that p is a valid probability space based on the probability theory in HOL [23]. The next two assumptions guarantee that the list of events, representing the reliability of individual components, must have at least one event and that the reliability events are mutually independent. The predicate in_events ensures that each member of the given event list L must be in the event space of p. The conclusion of the theorem represents Equation (3). It is important to note that our series_struct definition accepts a list of reliability events and is thus different from the corresponding formalization presented in [9], which accepts a list of random variables and is not general enough to cater for nested RBDs.

5.3 Formalization of Parallel Reliability Block Diagram

The reliability of a system with parallel connected sub-modules, depicted in Figure 3(b), mainly depends on the component with the maximum reliability. In other words, the system will continue functioning as long as at least one of its components remains functional. If the event A_i(t) represents the reliable functioning of the ith component of a system with N parallel components at time t, then the overall reliability of the system can be mathematically expressed as [7]:

$$R_{parallel}(t) = \Pr\Big(\bigcup_{i=1}^{N} A_i(t)\Big) = 1 - \prod_{i=1}^{N} \big(1 - R_i(t)\big) \qquad (4)$$

In order to formally verify Equation (4), we first define the parallel RBD configuration in HOL as follows:

Definition 4: ⊢ (parallel_struct [] = {}) ∧
  (∀ h t. parallel_struct (h::t) = h ∪ parallel_struct t)

The function parallel_struct accepts a list of reliability events and returns the parallel structure reliability event by recursively performing the union operation on the given list of reliability events, or an empty set if the given list is empty.

Now, using the above definition, we can formally verify Equation (4) as follows:

Theorem 2: ⊢ ∀ p L. prob_space p ∧ ¬NULL L ∧ mutual_indep p L ∧ in_events p L ⇒
  (prob p (parallel_struct L) = 1 - list_prod (one_minus_list (list_prob p L)))

The above theorem is verified under the same assumptions as Theorem 1. The conclusion of the theorem represents Equation (4), where the function one_minus_list accepts a list of real numbers [x1, x2, x3, ···, xn] and returns the list of real numbers in which each element is 1 minus the corresponding element of the given list, i.e., [1 − x1, 1 − x2, 1 − x3, ···, 1 − xn]. The proof of Theorem 2 is primarily based on Theorem 1 along with the fact that, given a list of n mutually independent events, the complements of these n events are also mutually independent.

5.4 Formalization of Series-Parallel Reliability Block Diagram

If in each serial stage the components are connected in parallel, as shown in Figure 3(c), then the configuration is termed a series-parallel structure. If A_ij(t) is the event corresponding to the proper functioning of the jth component connected in the ith subsystem at time index t, then the reliability of the complete system can be expressed mathematically as follows [7]:

$$R_{series\text{-}parallel}(t) = \Pr\Big(\bigcap_{i=1}^{N} \bigcup_{j=1}^{M} A_{ij}(t)\Big) = \prod_{i=1}^{N} \Big(1 - \prod_{j=1}^{M} \big(1 - R_{ij}(t)\big)\Big) \qquad (5)$$

By extending the RBD formalization approach presented in Theorems 1 and 2, we formally verify the generic reliability expression for the series-parallel RBD configuration, given in Equation (5), in HOL as follows:

Theorem 3: ⊢ ∀ p L. prob_space p ∧
  (∀z. MEM z L ⇒ ¬NULL z) ∧
  in_events p (FLAT L) ∧
  mutual_indep p (FLAT L) ⇒
  (prob p


    (series_struct p of parallel_struct) L =
   (list_prod of
    (λa. 1 - list_prod (one_minus_list (list_prob p a)))) L)

The first assumption in Theorem 3 is similar to the one used in Theorem 2. The next three assumptions ensure that the sub-lists corresponding to the serial sub-stages are not empty and that the reliability events corresponding to the sub-components of the parallel-series configuration are valid events of the given probability space p and are also mutually independent. The HOL function FLAT is used to flatten the two-dimensional list, i.e., to transform a list of lists into a single list. The conclusion models the right-hand side of Equation (5). The infixr function, of, connects series and parallel RBD configurations by using the HOL function MAP and thus facilitates the natural readability of complex RBD configurations. It is formalized in HOL as follows:

  ⊢ ∀ g f. f of g = (f o (λa. MAP g a))

The proof of Theorem 3 uses the results of Theorems 1 and 2 and also requires a lemma that, given the list of mutually independent reliability events, an event corresponding to the series or parallel RBD structure is independent, in probability, of the corresponding event associated with the series-parallel RBD configurations.

5.5 k-out-of-n Reliability Block Diagram

An n-component system is said to be in the k-out-of-n configuration if we need at least k components out of the total n components to be functional for the overall functionality of the system [7]. The RBD for a k-out-of-n configuration is depicted in Figure 3(d). This behaviour can be modeled by utilizing the concept of binomial trials, which are used to find the chances of at least k successes in n trials. Now, if R is the reliability of the k components that are functioning correctly among n components, then the reliability of the overall system can be expressed mathematically as follows [7]:

$$R_{k|n}(t) = \Pr\Big(\bigcup_{i=k}^{n} \{\text{exactly } i \text{ components functioning properly}\}\Big) = \sum_{i=k}^{n} \binom{n}{i} R^{i} (1 - R)^{n-i} \qquad (6)$$

The HOL formalization of the k-out-of-n RBD is as follows:

Definition 5: ⊢ ∀ p X k n.
  k_out_n_struct p X k n =
    BIGUNION (IMAGE (λ x. PREIMAGE X {Normal (&x)} ∩ p_space p)
                    {x | k ≤ x ∧ x < SUC n})

The function k_out_n_struct accepts a probability space p, a binomial random variable X and two variables, k and n, which represent the number of successes and total number of trials, respectively. It then returns the union of the corresponding events that are associated with the binomial random variable X, which takes values from the set {x | k ≤ x ∧ x < SUC n}. The function IMAGE takes a function f and an arbitrary domain set and returns a range set by applying the function f to all the elements of the given domain set. The function BIGUNION returns the union of all the elements of a given set of sets.

To verify Equation (6), we first define a function bino_dist_rand in HOL, which ensures that the random variable X is exhibiting the binomial distribution, as follows:

Definition 6: ⊢ ∀ p X R n.
  bino_dist_rand p X R n =
    (∀x. distribution p X (Normal (&x)) =
         (&binomial n x) * (R pow x) * (1 - R) pow (n - x))

Similarly, we define a function in_events_k|n to make sure that all the corresponding events that are associated with the binomial random variable X are drawn from the events space of p.

Definition 7: ⊢ ∀ p X R n.
  in_events_k|n p X n =
    (λx. PREIMAGE X {Normal (&x)} ∩ p_space p) ∈ ((count (SUC n)) → events p)

Now, we verified Equation (6) in HOL as follows:

Theorem 4: ⊢ ∀ p n k X R. prob_space p ∧
  k ≤ n ∧ in_events_k|n p X n ∧
  bino_dist_rand p X R n ⇒
  (prob p (k_out_n_struct p X k n) =
     sum (k, SUC n - k)
         (λx. (&binomial n x) * (R pow x) * (1 - R) pow (n - x)))

The first and second assumptions ensure that p is a valid probability space and that the number of successful trials k must be less than or equal to the total number of trials n. In the third assumption, the function in_events_k|n takes a probability space p, a time-to-failure random variable X and a natural number n and makes sure that all the n corresponding events that are associated with the random variable X are drawn from the events space of p. The function bino_dist_rand, in the last assumption, takes the probability space p, the time-to-failure random variable X, the success probability R and the natural number n and ensures that the random variable X is exhibiting a binomial distribution with success probability R, which in our case is the reliability of each of the n identical components connected in a k-out-of-n structure. The conclusion of the theorem represents Equation (6).

An interesting property of Equation (6) is that if we put k = 1 then the structure reduces to a simple parallel structure with components having identical reliabilities. This can be expressed mathematically as follows:

$$R_{1|N}(t) = 1 - (1 - R)^{N} \qquad (7)$$

This property can be formally verified in HOL as follows:

Theorem 5: ⊢ ∀ p n X R. prob_space p ∧
  (1 ≤ n) ∧ in_events_k|n p X n ∧
  bino_dist_rand p X R n ⇒
  (prob p (k_out_n_struct p X 1 n) = 1 - (1 - R) pow n)
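As an added numeric counterpart to Equations (3)-(7) (plain Python, not part of the paper or of its HOL proof script), the following computes each closed form and checks it against the probability of the corresponding event obtained by enumerating every joint up/down outcome of the components, which is the relation Theorems 1-4 establish symbolically for arbitrary n. The names series_struct, parallel_struct, k_out_n_struct and one_minus_list are borrowed from the paper's definitions; event_probability, check_closed_forms and all component reliabilities are constructions of this example.

```python
"""Numeric counterpart of the RBD reliability expressions in Equations (3)-(7).

Added example: plain Python, not the paper's HOL script. series_struct,
parallel_struct, k_out_n_struct and one_minus_list mirror the paper's
definitions; event_probability (a brute-force evaluator the paper does not
contain) and check_closed_forms are assumptions of this example. All component
reliabilities are constructed values.
"""
from itertools import product as cartesian
from math import comb, prod
from typing import Callable, Sequence


def one_minus_list(xs: Sequence[float]) -> list[float]:
    """[x1, ..., xn] -> [1 - x1, ..., 1 - xn], as used in Theorem 2."""
    return [1.0 - x for x in xs]


def series_struct(rs: Sequence[float]) -> float:
    """Equation (3): all N components must be up."""
    return prod(rs)


def parallel_struct(rs: Sequence[float]) -> float:
    """Equation (4): at least one of N components must be up."""
    return 1.0 - prod(one_minus_list(rs))


def series_parallel_struct(stages: Sequence[Sequence[float]]) -> float:
    """Equation (5): serial stages, each a parallel group of components."""
    return prod(parallel_struct(stage) for stage in stages)


def k_out_n_struct(k: int, n: int, r: float) -> float:
    """Equation (6): at least k of n identical components with reliability r."""
    return sum(comb(n, i) * r**i * (1.0 - r) ** (n - i) for i in range(k, n + 1))


def event_probability(up_predicate: Callable[[tuple], bool],
                      rs: Sequence[float]) -> float:
    """Pr(event) taken directly from the probability space: enumerate the 2^n
    joint up/down outcomes of n mutually independent components (component i
    is up with probability rs[i]) and add the probability of every outcome the
    predicate accepts. Feasible for small n only; the theorems cover any n."""
    total = 0.0
    for ups in cartesian((True, False), repeat=len(rs)):
        p = prod(r if up else 1.0 - r for up, r in zip(ups, rs))
        if up_predicate(ups):
            total += p
    return total


def check_closed_forms(rs: Sequence[float], k: int,
                       stage_sizes: Sequence[int]) -> dict[str, bool]:
    """Compare each closed form against the brute-force event probability.
    stage_sizes partitions rs into consecutive parallel groups for Eq. (5)."""
    tol = 1e-12
    # Eq. (3)/(4): the series event is "all up", the parallel event "any up".
    ok_series = abs(event_probability(all, rs) - series_struct(rs)) < tol
    ok_parallel = abs(event_probability(any, rs) - parallel_struct(rs)) < tol

    # Eq. (5): split the flat component vector into the serial stages.
    bounds, start = [], 0
    for size in stage_sizes:
        bounds.append((start, start + size))
        start += size
    assert start == len(rs), "stage sizes must cover every component"
    stages = [rs[a:b] for a, b in bounds]

    def sp_up(ups):
        return all(any(ups[a:b]) for a, b in bounds)

    ok_sp = abs(event_probability(sp_up, rs) - series_parallel_struct(stages)) < tol

    # Eq. (6) assumes identical reliabilities; reuse rs[0] for all n components.
    n, r = len(rs), rs[0]
    ident = [r] * n
    ok_kn = abs(event_probability(lambda u: sum(u) >= k, ident)
                - k_out_n_struct(k, n, r)) < tol
    # Eq. (7) and the k = n case: reductions to a parallel and a series structure.
    ok_k1 = abs(k_out_n_struct(1, n, r) - (1.0 - (1.0 - r) ** n)) < tol
    ok_kn_series = abs(k_out_n_struct(n, n, r) - r**n) < tol
    return {"series": ok_series, "parallel": ok_parallel, "series_parallel": ok_sp,
            "k_out_of_n": ok_kn, "k=1": ok_k1, "k=n": ok_kn_series}


if __name__ == "__main__":
    # Constructed component reliabilities at one mission time t.
    sample = [0.9, 0.8, 0.7, 0.95, 0.6]
    print(check_closed_forms(sample, k=3, stage_sizes=[2, 3]))
    print("2-out-of-3 at r = 0.9:", k_out_n_struct(2, 3, 0.9))
```

The brute-force evaluator is exponential in the number of components, so it only confirms the closed forms for small instances; the HOL theorems are what carry the result to the hundreds of segments of a real pipeline.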


Similarly, if the number of successfully functioning components is equal to the total number of components in the k-out-of-n configuration, i.e., k = n, then the structure reduces to the series configuration of the system with components having identical reliabilities R. The HOL formalization of this property is as follows:

Theorem 6: ⊢ ∀ p n X R. prob_space p ∧
  (1 ≤ n) ∧ in_events_k|n p X n ∧
  bino_dist_rand p X R n ⇒
  (prob p (k_out_n_struct p X n n) = R pow n)

The above-mentioned formalization of the RBD configurations provides the basis for conducting the RBD-based formal reliability analysis of real-world oil and gas pipeline networks. The distinguishing feature of this formalization is that the variables are quantified for all values and the theorems are verified for n-component RBD configurations. This feature enables us to provide the reliability analysis for large oil and gas pipelines by catering for any arbitrary number of pipeline segments, which is a feature that cannot be provided by model checking and simulation tools.

6 Formal Reliability Analysis of an Oil Pipeline Network

In this section, we illustrate the practical effectiveness of the formalization presented in the previous section for analyzing real-world oil and gas pipeline systems. For this purpose, consider the pipeline system depicted in Figure 1(a). It has three pipeline subsystems S1, S2 and S3 which connect the oil terminals A, B and C in serial order starting from the oil terminal at Port of Gdynia [5]. The unloading of oil trucks is performed at Port of Gdynia, which is connected by pipeline subsystem S1 to oil terminal A. The pipeline subsystem S2 provides a path of oil transportation between oil terminals A and B. Similarly, the pipeline subsystem S3 connects oil terminals B and C. At oil terminal C, the wagons transport the oil to the Port of Gdynia railway station and then to the interior regions of the country. There are two identical pipelines in subsystem S1 and both of them are partitioned into 178 pipe segments of length 12 m. The identical pipelines in subsystem S2 are partitioned into 717 pipe segments of length 12 m. Similarly, the subsystem S3 is composed of three identical pipelines, which are partitioned into 360 pipe segments of either 10 m or 7.5 m in length [5].

In order to conduct the reliability analysis of the above-mentioned oil pipeline subsystems, one of the effective methods is to consider the operational state of these pipeline subsystems while transporting the oil from one oil terminal to the other. This method enables us to select an appropriate RBD structure and thus leads to trustworthy reliability analysis results. There are four main operational states of these pipeline subsystems [5]:

• The operation state z1 is used to transport oil from the oil terminal B to C using 2-out-of-3 pipelines in subsystem S3.
• The operation state z2 is used to transport oil from the terminal part C to part B using 1-out-of-3 pipelines in subsystem S3.
• The operation state z3 is used to transport oil from the terminal part B through part A to part at Port of Gdynia using 1-out-of-2 pipelines in subsystem S2 and 1-out-of-2 pipelines in subsystem S1.
• The operation state z4 represents the state when the system is idle, i.e., no oil is transported. At this state, the system can be modeled as three series-parallel RBD structures.

6.1 Formalization of Exponential Failure Distribution

We consider that each pipeline segment is exhibiting the exponential failure distribution, which can be formalized in HOL as follows:

Definition 8: ⊢ ∀ p X l. exp_dist p X l =
  ∀ t. (CDF p X t = if 0 ≤ t then 1 - exp (- l * t) else 0)

The function exp_dist guarantees that the CDF of the random variable X is that of an exponential random variable with a failure rate l in a probability space p. We classify a list of exponentially distributed random variables based on this definition as follows:

Definition 9: ⊢ (∀ p L. list_exp p [] L = T) ∧
  (∀ p h t L. list_exp p (h::t) L = exp_dist p (HD L) h ∧ list_exp p t (TL L))

The function list_exp accepts a list of failure rates, a list of random variables L and a probability space p. It guarantees that all elements of the list L are exponentially distributed with the corresponding failure rates, given in the other list, within the probability space p. For this purpose, it utilizes the list functions HD and TL, which return the head and tail of a list, respectively. Next we model a two-dimensional list of exponential distribution functions to model the failure characteristics of pipeline segments in the operational states z2, z3 and z4 in HOL as follows:

Definition 10: ⊢ (∀ p L. list_list_exp p [] L = T) ∧
  (∀ h t p L. list_list_exp p (h::t) L =
     list_exp p h (HD L) ∧ list_list_exp p t (TL L))

The list_list_exp function accepts two lists, i.e., a two-dimensional list of failure rates and a two-dimensional list of random variables L. It calls the function list_exp recursively to ensure that all elements of the list L are exponentially distributed with the corresponding failure rates, given in the other list, within the probability space p.

6.2 Formal Reliability Assessment of Pipeline Subsystems at Various Operational States

At the system operational state z1, the system is composed of the subsystem S3, which is a series 2-out-of-3 system containing three series-partitioned pipelines as shown in Figure 4. The reliability of the pipeline system operating in z1 can be expressed mathematically as follows:

$$R_{pipeline\_z1} = 3\, e^{-2\sum_{i=1}^{N} \lambda_i t}\,\big(1 - e^{-\sum_{i=1}^{N} \lambda_i t}\big) + 3\, e^{-3\left(\sum_{i=1}^{N} \lambda_i\right) t} \qquad (8)$$


[Figure 4. Port Oil Transportation System at Operation State z1]

[Figure 5. Port Oil Transportation System at Operation State z2]

We model the RBD configuration, as shown in Figure 4, in HOL as follows:

Definition 11: ⊢ ∀ p X R n.
  rel_pipeline_z1 p X 2 3 = prob p (k_out_n_struct p X 2 3)

Based on the above definition, we have formally verified Equation (8) in HOL as follows:

Theorem 7: ⊢ ∀ p p' X C L t.
  (A1): prob_space p ∧ prob_space p' ∧
  (A2): in_events_k|n p X 3 ∧
  (A3): bino_dist_rand p X (pipeline p' (rel_event_list p' L t)) 3 ∧
  (A4): 0 ≤ t ∧
  (A5): ¬NULL (rel_event_list p' L t) ∧
  (A6): mutual_indep p' (rel_event_list p' L t) ∧
  (A7): list_exp p' C L ∧
  (A8): (LENGTH C = LENGTH L) ⇒
  (rel_pipeline_z1 p X 2 3 =
     3 * exp (2 * -list_sum C * t) * (1 - exp (-list_sum C * t)) +
     3 * exp (-3 * list_sum C * t))

The assumptions A1, A2 and A3 are similar to the ones used in Theorem 4, except that the variable n is specified with the natural number 3 and the reliability R, in assumption A3, is replaced by the reliability of the series-partitioned identical pipelines, which was described in [9]. The function rel_event_list accepts a probability space p', a list of random variables L, representing the failure time of individual components, and a real number t, which represents the time index at which the reliability is desired. It returns a list of events representing the proper functioning of all the individual components at time t. It is to be noted that the probability space p for the binomial random variable X is different from the probability space p' for the time-to-failure random variables, which are assigned to each pipeline segment. The next two assumptions (A4 and A5) ensure that the time index must be positive and that the list of events constituted by the random variables in the list L is not empty, respectively. This is followed by the assumption (A6) that all events are mutually independent, and the last two assumptions (A7 and A8) assign the failure rates to the exponentially distributed random variables, which are associated with the pipeline segments, and also make sure that the list of failure rates and the list of random variables have the same length. The list_exp function accepts a list of failure rates C, a list of random variables L and a probability space p. It guarantees that all elements of the list L are exponentially distributed with the corresponding failure rates given in the list C within the probability space p. The conclusion of the theorem evaluates the reliability of this configuration by utilizing Theorem 4.

At the system operational state z2, the system is composed of a series-parallel subsystem S3, which contains three pipelines with the structure shown in Figure 5. The reliability of the pipeline system operating in state z2 can be expressed mathematically as follows:

$$R_{pipeline\_z2} = \prod_{i=1}^{N} \Big(1 - \prod_{j=1}^{3} \big(1 - e^{-\lambda_{ij} t}\big)\Big) \qquad (9)$$

We model the reliability of the RBD configuration representing the pipeline system operating at state z2, as shown in Figure 5, in HOL as follows:

Definition 12: ⊢ ∀ p L t.
  rel_pipeline_z2 p L t =
    prob p ((series_struct p of parallel_struct) (List_rel_event_list p L t))

where L is a two-dimensional list, which contains the lists of random variables associated with the three pipelines. The function List_rel_event_list accepts a probability space p, a list of random variables, representing the failure time of individual components, and a real number t, which represents the time index at which the reliability is desired. It returns a two-dimensional list of events by mapping the function rel_event_list on every element of the given two-dimensional list of random variables, which in turn models the proper functioning of all individual components at time t. To exactly model the three-pipeline system operating in state z2 by a series-parallel RBD configuration, it is necessary that each member list of this two-dimensional list L has length no more than three. For this purpose, we have formally defined a function len_mem_list_le, which takes a natural number n and a two-dimensional list L and makes sure that the length of each member of the given list L is not greater than n, in HOL as follows:

Definition 13: ⊢ ∀ n L.
  len_mem_list_le n L = (∀x. MEM x L ⇒ (LENGTH x ≤ n))


[Figure 6. Port Oil Transportation System at Operation State z3]

Theorem 8: ⊢ ∀ L C p t.
  (A1): (0 ≤ t) ∧ (A2): (prob_space p) ∧
  (A3): in_events p (FLAT (List_rel_event_list p L t)) ∧
  (A4): (mutual_indep p (FLAT (List_rel_event_list p L t))) ∧
  (A5): (∀z. MEM z (List_rel_event_list p L t) ⇒ ¬NULL z) ∧
  (A6): (∀n. n < LENGTH L ⇒ (LENGTH (EL n L) = LENGTH (EL n C))) ∧
  (A7): list_list_exp p C L ∧
  (A8): len_mem_list_le 3 L ⇒
  (rel_pipeline_z2 p L t =
     list_prod (one_minus_list (list_exp_func_list C t)))

where the two-dimensional list C represents the corresponding failure rates of the exponentially distributed random variables in the list L. The assumption (A1) of the above theorem makes sure that the time index is always positive. The next three assumptions (A2-A4) are similar to the ones used in Theorem 3. The assumption (A5) ensures that the list of random variables associated with the reliabilities of pipeline segments is not empty. The assumptions A6 and A7 guarantee that the length of the list of random variables and the corresponding list of failure rates for pipeline segments is the same and that the exponential distributions of the pipeline segments, connected in the series-parallel structure, are associated with their corresponding failure rates, respectively. The last assumption (A8) ensures that the length of each member list of the two-dimensional list L of exponentially distributed random variables is not greater than three, which allows us to model the behaviour discussed in the description of Definition 13. The conclusion of Theorem 8 models the reliability of the series-parallel pipeline system in the operational state z2. The function list_exp_func_list accepts a two-dimensional list of failure rates and returns a list with products of one minus exponentials of every sub-list. For example,

list_exp_func_list [[c1; c2; c3]; [c4; c5]; [c6; c7; c8]] x =
  [(1 − e^{−c1 x}) ∗ (1 − e^{−c2 x}) ∗ (1 − e^{−c3 x});
   (1 − e^{−c4 x}) ∗ (1 − e^{−c5 x});
   (1 − e^{−c6 x}) ∗ (1 − e^{−c7 x}) ∗ (1 − e^{−c8 x})].

At the system operational state z3, the series configuration is composed of two series-parallel subsystems S1 and S2, each containing two pipelines with the structure shown in Figure 6. The reliability of the pipeline system at operating state z3 can be expressed mathematically as follows:

$$R_{pipeline\_z3} = \prod_{i=1}^{N} \Big(1 - \prod_{j=1}^{2} \big(1 - e^{-\lambda_{ij} t}\big)\Big) \cdot \prod_{k=1}^{M} \Big(1 - \prod_{l=1}^{2} \big(1 - e^{-\lambda_{kl} t}\big)\Big) \qquad (10)$$

where the arbitrary variables N and M represent the number of segments in the pipelines S1 and S2, respectively. The first part of the right-hand side of the above equation corresponds to the reliability of the pipeline system S1 and the second part to the pipeline system S2, shown in Figure 6, respectively. The HOL formalization of the reliability of the pipeline system at operation state z3 is as follows:

Definition 14: ⊢ ∀ p L1 L2 t.
  rel_pipeline_z3 p L1 L2 t =
    prob p ((series_struct p of parallel_struct) (List_rel_event_list p L1 t) ∩
            (series_struct p of parallel_struct) (List_rel_event_list p L2 t))

where the two-dimensional lists L1 and L2 contain the time-to-failure random variables that are associated with the pipelines S1 and S2, modeled by series-parallel RBD configurations at operation state z3, respectively. Now, based on Definition 14, we formally verified the reliability expression given in Equation (10) in HOL as follows:

Theorem 9: ⊢ ∀ L1 L2 C1 C2 p t.
  (A1): 0 ≤ t ∧ (A2): prob_space p ∧
  (A3): in_events p (FLAT (List_rel_event_list p (L1++L2) t)) ∧
  (A4): (mutual_indep p (FLAT (List_rel_event_list p (L1++L2) t))) ∧
  (A5): (∀z. MEM z (List_rel_event_list p (L1++L2) t) ⇒ ¬NULL z) ∧
  (A6): (∀n. n < LENGTH (L1++L2) ⇒
          (LENGTH (EL n (L1++L2)) = LENGTH (EL n (C1++C2)))) ∧
  (A7): list_list_exp p (C1++C2) (L1++L2) ∧
  (A8): len_mem_list_le 2 L1 ∧ len_mem_list_le 2 L2 ⇒
  (rel_pipeline_z3 p L1 L2 t =
     list_prod (one_minus_list (list_exp_func_list C1 t)) *
     list_prod (one_minus_list (list_exp_func_list C2 t)))

The assumptions are similar to the ones used in Theorem 7 and the conclusion models the reliability of the system, as given in Equation (10). At the system operational state z4, the system is formed by a series RBD composed of the three pipeline subsystems S1, S2 and S3 and thus covers the complete pipeline system as shown in Figure 7. The reliability of the pipeline system at operation state z4, as shown in Figure 7, can be expressed mathematically as follows:


[Figure 7. Port Oil Transportation System at Operation State z4]

$$R_{pipeline\_z4} = \prod_{i=1}^{N} \Big(1 - \prod_{j=1}^{2} \big(1 - e^{-\lambda_{ij} t}\big)\Big) \cdot \prod_{k=1}^{M} \Big(1 - \prod_{l=1}^{2} \big(1 - e^{-\lambda_{kl} t}\big)\Big) \cdot \prod_{p=1}^{R} \Big(1 - \prod_{q=1}^{3} \big(1 - e^{-\lambda_{pq} t}\big)\Big) \qquad (11)$$

where the first part of the R.H.S. of the above equation corresponds to the reliability of the pipeline system S1 and the second part to the pipeline system S2, shown in Figure 7, respectively. The HOL formalization of the reliability of the pipeline system at operation state z4 is as follows:

Definition 15: ⊢ ∀ p L1 L2 L3 t.
  rel_pipeline_z4 p L1 L2 L3 t =
    prob p ((series_struct p of parallel_struct) (List_rel_event_list p L1 t) ∩
            (series_struct p of parallel_struct) (List_rel_event_list p L2 t) ∩
            (series_struct p of parallel_struct) (List_rel_event_list p L3 t))

The reliability expression given in Equation (11) can be formally verified in HOL as follows:

Theorem 10: ⊢ ∀ L1 L2 L3 C1 C2 C3 p t.
  (A1): 0 ≤ t ∧ (A2): prob_space p ∧
  (A3): in_events p (FLAT (List_rel_event_list p (L1++L2++L3) t)) ∧
  (A4): (mutual_indep p (FLAT (List_rel_event_list p (L1++L2++L3) t))) ∧
  (A5): (∀z. MEM z (List_rel_event_list p (L1++L2++L3) t) ⇒ ¬NULL z) ∧
  (A6): (∀n. n < LENGTH (L1++L2++L3) ⇒
          (LENGTH (EL n (L1++L2++L3)) = LENGTH (EL n (C1++C2++C3)))) ∧
  (A7): list_list_exp p (C1++C2++C3) (L1++L2++L3) ∧
  (A8): len_mem_list_le 2 L1 ∧ len_mem_list_le 2 L2 ∧ len_mem_list_le 3 L3 ⇒
  (rel_pipeline_z4 p L1 L2 L3 t =
     list_prod (one_minus_list (list_exp_func_list C1 t)) *
     list_prod (one_minus_list (list_exp_func_list C2 t)) *
     list_prod (one_minus_list (list_exp_func_list C3 t)))

The assumptions of the above theorem are similar to the ones used in Theorem 9 and the conclusion of the theorem evaluates the reliability of the pipeline system shown in Figure 7. The proofs of Theorems 7-10 are primarily based on induction and are verified by utilizing the RBD configuration theorems presented in Section 5, along with some fundamental axioms of probability theory.

The above-mentioned theorems provide a comprehensive RBD-based formal reliability analysis by considering different operational states of the given pipeline system. The distinguishing features of the formally verified results presented in this section include their generic nature, i.e., all the variables are universally quantified and thus can be specialized to obtain the reliability of the given pipeline network for any given parameters. The correctness of the results is guaranteed due to the involvement of a sound theorem prover in their verification. This fact ensures that all the required assumptions for the validity of the result accompany the theorems, which was not the case with the corresponding paper-and-pencil based proofs for the same relations for the given pipeline network [5].

The formally verified reliability expressions, which are presented in Theorems 7-10, provide useful insights to the system design engineers and can be used to certify reliability results obtained by using traditional techniques, such as paper-and-pencil and simulations. For instance, it is very handy to know the pipeline segment with the least reliability and how it can affect the reliability of the overall pipeline system. So, by keeping this in mind, our formalization enables reliability design engineers to accurately analyze the effect of pipeline segments with low reliability upon the overall pipeline system, due to the involvement of a mechanized reasoning process within the sound core of the HOL theorem prover. Moreover, the individual failure rates of the pipeline segments can be easily provided to the above theorems in the form of a list, i.e., C. Another novelty worth mentioning is that the function len_mem_list_le can be utilized to model any number of parallel pipeline systems; for instance, in pipeline systems S1 and S2 the function takes the value 2 to model two parallel pipelines, and in pipeline system S3 it takes the natural number 3 to model three pipelines.

These benefits are not shared by any other computer-based reliability analysis approach for oil and gas pipelines and thus clearly indicate the usefulness of the proposed approach. These added benefits are attained at the cost of the explicit guidance required to formalize the results presented in this and the previous section. Our proof script for these formally verified results is composed of more than 7000 lines of code and took about 250 man-hours of effort [43]. Most of the effort was put into the formalization of RBD configurations and the verification of their corresponding generic reliability expressions, which is presented in Section 5. This formalization considerably facilitated the formalization of the oil and gas pipeline system, as the analysis only took about 2500 lines of HOL code and far less manual interaction compared to the theorems presented in Section 6.
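As an added example in Python (not the paper's HOL script), the following evaluates the exponential failure model of Definition 8 and the four operational-state reliabilities of Section 6.2 on a constructed two-dimensional failure-rate list, and turns the shape constraint of Definition 13 (len_mem_list_le, assumption A8 of Theorems 8-10) into an explicit runtime check. Function names follow the paper's definitions; HALF_LIFE_RATE, the sample lists, the toy segment counts and the ValueError behaviour are assumptions of this example rather than data from the paper or from reference [5]. State z1 combines the series reliability of one pipeline with Equation (6) for k = 2, n = 3.

```python
"""Exponential failure model and the four operational states of the port oil
pipeline system (Sections 6.1-6.2), evaluated numerically.

Added example: plain Python, not the paper's HOL script. Function names follow
the paper's definitions (exp_dist, list_exp_func_list, len_mem_list_le,
rel_pipeline_z1..z4). HALF_LIFE_RATE, the *_SAMPLE lists, the toy segment
counts and the ValueError shape check are constructions of this example, not
data from the paper or reference [5].
"""
from math import comb, exp, log, prod
from typing import Sequence

# C[i][j]: failure rate of pipeline j at segment position i (one serial stage).
Rates2D = Sequence[Sequence[float]]


def exp_dist(l: float, t: float) -> float:
    """CDF of Definition 8: 1 - e^{-l t} for t >= 0, else 0."""
    return 1.0 - exp(-l * t) if t >= 0 else 0.0


def exp_reliability(l: float, t: float) -> float:
    """Survival probability of one segment, Pr(X > t) = 1 - CDF."""
    return 1.0 - exp_dist(l, t)


def len_mem_list_le(n: int, L: Rates2D) -> bool:
    """Definition 13: every member list has at most n entries."""
    return all(len(x) <= n for x in L)


def list_exp_func_list(C: Rates2D, t: float) -> list[float]:
    """For each sub-list [c1; ...; cm] return (1 - e^{-c1 t}) * ... * (1 - e^{-cm t}),
    i.e. the probability that all m parallel segments at that position have failed."""
    return [prod(exp_dist(c, t) for c in cs) for cs in C]


def series_parallel_exp(C: Rates2D, max_parallel: int, t: float) -> float:
    """list_prod (one_minus_list (list_exp_func_list C t)), with assumptions A1 and
    A8 made explicit: reject a negative time or a position listing too many pipelines."""
    if t < 0:
        raise ValueError("mission time must be non-negative (assumption A1)")
    if not len_mem_list_le(max_parallel, C):
        raise ValueError(f"a segment position lists more than {max_parallel} pipelines")
    return prod(1.0 - x for x in list_exp_func_list(C, t))


def rel_pipeline_z1(rates_per_segment: Sequence[float], t: float) -> float:
    """State z1: three identical series-partitioned pipelines of S3, 2-out-of-3.
    One pipeline survives with probability e^{-sum(lambda_i) t}; the 2-out-of-3
    combination is Equation (6) with k = 2, n = 3."""
    r = exp(-sum(rates_per_segment) * t)
    return sum(comb(3, i) * r**i * (1.0 - r) ** (3 - i) for i in range(2, 4))


def rel_pipeline_z2(C3: Rates2D, t: float) -> float:
    """State z2, Equation (9): S3 as series-parallel, at most 3 pipelines per position."""
    return series_parallel_exp(C3, 3, t)


def rel_pipeline_z3(C1: Rates2D, C2: Rates2D, t: float) -> float:
    """State z3, Equation (10): S1 and S2 in series, at most 2 pipelines per position."""
    return series_parallel_exp(C1, 2, t) * series_parallel_exp(C2, 2, t)


def rel_pipeline_z4(C1: Rates2D, C2: Rates2D, C3: Rates2D, t: float) -> float:
    """State z4, Equation (11): the whole network S1, S2, S3 in series."""
    return rel_pipeline_z3(C1, C2, t) * series_parallel_exp(C3, 3, t)


# Constructed data: a rate chosen so that every segment has reliability exactly
# 1/2 at t = 1, which keeps the hand calculation easy to follow. The paper's
# system has 178, 717 and 360 positions; these are toy sizes.
HALF_LIFE_RATE = log(2.0)
C1_SAMPLE = [[HALF_LIFE_RATE] * 2 for _ in range(3)]  # S1: 3 positions x 2 pipelines
C2_SAMPLE = [[HALF_LIFE_RATE] * 2 for _ in range(4)]  # S2: 4 positions x 2 pipelines
C3_SAMPLE = [[HALF_LIFE_RATE] * 3 for _ in range(2)]  # S3: 2 positions x 3 pipelines


def sample_results(t: float = 1.0) -> dict[str, float]:
    """Reliability of each operational state on the constructed data."""
    return {
        "z1": rel_pipeline_z1([HALF_LIFE_RATE] * len(C3_SAMPLE), t),
        "z2": rel_pipeline_z2(C3_SAMPLE, t),
        "z3": rel_pipeline_z3(C1_SAMPLE, C2_SAMPLE, t),
        "z4": rel_pipeline_z4(C1_SAMPLE, C2_SAMPLE, C3_SAMPLE, t),
    }


if __name__ == "__main__":
    for state, r in sample_results().items():
        print(f"{state}: {r:.6f}")
    # A fourth pipeline at one S3 position violates len_mem_list_le 3 and is rejected.
    try:
        rel_pipeline_z2([[HALF_LIFE_RATE] * 4], 1.0)
    except ValueError as err:
        print("rejected:", err)
```

With every segment at reliability 1/2, a position with three parallel segments survives with probability 1 − (1/2)³ = 0.875 and one with two segments with 0.75, so z2 evaluates to 0.875², z3 to 0.75⁷ and z4 to their product; z1 uses a pipeline reliability of 1/4 (two segments in series) in the 2-out-of-3 sum. The shape check is the numeric analogue of carrying A8 as an explicit hypothesis: a rate list that does not match the RBD drawn in Figures 5-7 is refused instead of silently producing a number.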


7 Conclusion and Future Work

Many probabilistic reliability assessment techniques have been developed during the last two decades to assess the reliability of oil and gas pipelines. However, the analysis based on these probability-theoretic approaches has been carried out using informal system analysis methods, such as simulation or paper-and-pencil, and thus does not ensure accurate results. The accuracy of the pipeline reliability assessment results is very critical for oil and gas pipelines, since even minor flaws in the analysis could trigger the loss of many human lives or cause heavy damage to the environment. To achieve this accuracy and overcome the inaccuracy limitation of the traditional probabilistic analysis techniques, we propose building upon our formalization of RBDs to formally reason about the reliability of oil and gas pipelines using higher-order-logic theorem proving. For illustration purposes, we also formally verified the reliability expressions of the oil pipeline system between the oil terminals at Port of Gdynia and Debogorze.

To facilitate the utilization of our proposed approach, we plan to build a GUI that captures any RBD model, such as the RBD of an oil and gas pipeline system, from the user and returns the formally verified reliability expression of the given system, obtained from the HOL theorem prover running seamlessly underneath the GUI. This would bring great benefits to non-HOL users, such as industrial reliability engineers, in many respects. For instance, it could be used to certify the results estimated by the design engineer and, if the HOL theorem prover does not validate them, provide an opportunity to correct the estimate at the design stage. We are also planning to formalize multistate reliability theory [44], which is based on semi-Markov processes and can be used to reason about the impact of the passage of time on the reliability of the system. This formalization would require the formalization of semi-Markov chains and their associated concepts.

Acknowledgments

This publication was made possible by NPRP grant # [5 - 813 - 1 134] from the Qatar National Research Fund (a member of Qatar Foundation). The statements made herein are solely the responsibility of the author[s].

References

1. VERESENINC. http://www.vereseninc.com/our-business/pipelines/alliance-pipeline/, 2015.
2. Water D. The Gulf Oil Disaster and the Future of Offshore Drilling. Report to the President [of the USA], 2011.
3. Wenman T, Dim JC et al. Pipeline Integrity Management. In Abu Dhabi International Petroleum Conference and Exhibition. Society of Petroleum Engineers.
4. Parker CM. Pipeline Industry Meets Grief Unimaginable: Congress Reacts with the Pipeline Safety Improvement Act of 2002. Nat Resources J 2004; 44: 243.
5. Soszynska J. Reliability and Risk Evaluation of a Port Oil Pipeline Transportation System in Variable Operation Conditions. International Journal of Pressure Vessels and Piping 2010; 87(2-3): 81–87.
6. Kołowrocki K. Reliability of Large Systems. Wiley Online Library, 2008.
7. Narasimhan K. Reliability Engineering: Theory and Practice. The TQM Magazine 2005; 17(2): 209–210.
8. Zhang Z and Shao B. Reliability Evaluation of Different Pipe Section in Different Period. In Service Operations and Logistics, and Informatics. IEEE, pp. 1779–1782.
9. Ahmed W, Hasan O, Tahar S et al. Towards the Formal Reliability Analysis of Oil and Gas Pipelines. In Intelligent Computer Mathematics, LNCS, volume 8543. Springer, 2014. pp. 30–44.
10. Pipeline Integrity Solution GE-Energy. http://www.ge-energy.com/products and services/services/pipeline integrity services/, 2015.
11. Pipecheck - Pipeline Integrity Assessment Software. http://www.creaform3d.com/en/ndt-solutions/pipecheck-damage-assessment-software, 2015.
12. DNV-GL. http://www.dnvgl.com/oilgas/, 2015.
13. ReliaSoft. http://www.reliasoft.com/, 2015.
14. Hasan O and Tahar S. Formal Verification Methods. In Encyclopedia of Information Science and Technology. IGI Global, 2014. pp. 7162–7170.
15. Thomas M. The Role of Formal Methods in Achieving Dependable Software. Reliability Engineering & System Safety 1994; 43(2): 129–134.
16. Clarke E, Grumberg O and Peled D. Model Checking. The MIT Press, 2000.
17. Harrison J. Handbook of Practical Logic and Automated Reasoning. Cambridge University Press, 2009.
18. Hasan O and Tahar S. Performance Analysis of ARQ Protocols using a Theorem Prover. In International Symposium on Performance Analysis of Systems and Software. IEEE Computer Society, pp. 85–94.
19. Kwiatkowska M, Norman G and Parker D. Symbolic Systems Biology, chapter Probabilistic Model Checking for Systems Biology. Jones and Bartlett, 2010. pp. 31–59.
20. Elleuch M, Hasan O, Tahar S et al. Formal Analysis of a Scheduling Algorithm for Wireless Sensor Networks. In Formal Engineering Methods, LNCS, volume 6991. Springer, 2011. pp. 388–403.
21. Robidoux R, Xu H, Xing L et al. Automated Modeling of Dynamic Reliability Block Diagrams Using Colored Petri Nets. IEEE Transactions on Systems, Man and Cybernetics, Part A: Systems and Humans 2010; 40(2): 337–351.
22. Gordon M. Mechanizing Programming Logics in Higher-Order Logic. In Current Trends in Hardware Verification and Automated Theorem Proving. Springer, pp. 387–439.
23. Mhamdi T, Hasan O and Tahar S. On the Formalization of the Lebesgue Integration Theory in HOL. In Interactive Theorem Proving, LNCS, volume 6172. Springer, 2011. pp. 387–402.
24. Ahmed W, Hasan O and Tahar S. Formal Reliability Analysis of Wireless Sensor Network Data Transport Protocols using HOL. In Wireless and Mobile Computing, Networking and Communications. IEEE, pp. 217–224.
25. Ahmad W, Hasan O, Tahar S et al. Towards Formal Reliability Analysis of Logistics Service Supply Chains using Theorem Proving. In International Workshop on the Implementation of Logics, EPiC Series in Computing, volume 40. pp. 1–14.
26. ASENT. https://www.raytheoneagle.com/asent/rbd.htm, 2015.
27. Signoret JP, Dutuit Y, Cacheux PJ et al. Make your Petri nets Understandable: Reliability Block Diagrams Driven Petri nets. Reliability Engineering & System Safety 2013; 113: 61–75.


28. PRISM. www.cs.bham.ac.uk/~dxp/prism, 2015.
29. Herbert L and Hansen Z. Restructuring of Workflows to Minimise Errors via Stochastic Model Checking: An Automated Evolutionary Approach. Reliability Engineering & System Safety 2015 (in press).
30. Norman G and Parker D. Quantitative Verification: Formal Guarantees for Timeliness, Reliability and Performance. Technical report, The London Mathematical Society and the Smith Institute, 2014. http://www.prismmodelchecker.org/papers/lms-qv.pdf.
31. Lu Y, Peng Z, Miller AA et al. How Reliable is Satellite Navigation for Aviation? Checking Availability Properties with Probabilistic Verification. Reliability Engineering & System Safety 2015; 144: 95–116.
32. Hurd J. Formal Verification of Probabilistic Algorithms. PhD Thesis, University of Cambridge, UK, 2002.
33. Hölzl J and Heller A. Three Chapters of Measure Theory in Isabelle/HOL. In Interactive Theorem Proving, LNCS, volume 6172. Springer, 2011. pp. 135–151.
34. Hasan O, Tahar S and Abbasi N. Formal Reliability Analysis using Theorem Proving. IEEE Transactions on Computers 2010; 59(5): 579–592.
35. Abbasi N, Hasan O and Tahar S. An Approach for Lifetime Reliability Analysis using Theorem Proving. Journal of Computer and System Sciences 2014; 80(2): 323–345.
36. Ahmed W and Hasan O. Towards Formal Fault Tree Analysis Using Theorem Proving. In Conferences on Intelligent Computer Mathematics, LNCS, volume 9150. Springer, 2015. pp. 39–54.
37. Ahmed W and Hasan O. Formal Availability Analysis using Theorem Proving. In International Conference on Formal Engineering Methods, LNCS, volume 10009. Springer, 2016. pp. 226–242.
38. Fitting M. First-Order Logic and Automated Theorem Proving. Springer, 1996.
39. Brown C. Automated Reasoning in Higher-order Logic. College Publications, 2007.
40. Church A. A Formulation of the Simple Theory of Types. Journal of Symbolic Logic 1940; 5: 56–68.
41. Milner R. A Theory of Type Polymorphism in Programming. Journal of Computer and System Sciences 1977; 17: 348–375.
42. Billinton R and Allan R. Reliability Evaluation of Engineering Systems. Springer, 1992.
43. Ahmed W. Formal Risk Analysis of Oil and Gas Pipelines. http://save.seecs.nust.edu.pk/projects/frogp, 2016.
44. Natvig B. Multistate Reliability Theory. Encyclopedia of Statistics in Quality and Reliability, 2007.
