STF38 Reliability Data for Control and Safety Systems 1998
STF38 A98445
Classification: Unrestricted
Reliability Data for Control and Safety Systems
1998 Edition
SINTEF Industrial Management
Safety and Reliability
January 1999
SINTEF Industrial Management
Safety and Reliability
Address: N-7034 Trondheim, NORWAY
Location: Strindveien 4
Telephone: +47 73 59 27 56
Fax: +47 73 59 28 96
Enterprise No.: NO 948 007 029 MVA
SINTEF REPORT
Reliability Data for Control and Safety Systems.
1998 Edition.
Geir Klingenberg Hansen and Jørn Vatn
ABSTRACT
Reliability data estimates for components of control and safety systems are provided in this report, for both field devices (sensors, [...]) and control logic (electronics). Data dossiers are given for these components, based on various sources, e.g. OREDA and expert judgements. The level of detail of the data is adapted to the format required for reliability analyses applying the PDS method.
The reliability data estimates are essentially based on the previously recommended data for use with the PDS method, updated with OREDA Phase IV data.
Also, a method for obtaining application specific reliability data estimates is given. As a case, the method is applied to TIF probabilities for IR gas detectors.
1999-01-11
PREFACE
The PDS Forum is a forum of oil companies, vendors and researchers with a special interest in [...]. For information regarding the PDS Forum please visit the web site http://www.sintef.no/sipaa/prosjekt/pds-forum.html
The results in the present report are to a great extent based on work SINTEF carried out on request from Norsk Hydro in 1995 [...] "Reliability Data for Control and Safety Systems" /13/. We appreciate the fact that Norsk Hydro allowed using these '95 results in the present report.
The OREDA project is also acknowledged for allowing OREDA Phase IV data to be used in preparation of the present report. For information regarding OREDA please visit the web site
t,,t-. ""tri.nloni
tslindman/sipaa/prosjektioreda'/
Trondheim, 1999-01-11
Geir Klingenberg Hansen
PDS Forum Participants 1998
Oil Companies
- Amoco Norway Oil Company
- BP Norge
- Elf Petroleum Norge A/S
- Norsk Hydro ASA
- Phillips Petroleum Company Norway
- Saga Petroleum ASA
- A/S Norske Shell
- Den norske stats oljeselskap (Statoil) a.s.
Control and Safety Systems Vendors
- ABB Industri
- Autronica
- Bailey Norge
- Boo Instrument AS
- Honeywell
- ICS Group
- Kongsberg Simrad
- Norfass (Yokogawa)
- SAAS ASA
- Siemens
Engineering Companies and Consultants
- Aker Engineering
- Det Norske Veritas
- Dovre Safetec AS
- Kværner Oil and Gas A.S
- NORSOC
- Umoe Olje og Gass
OREDA Participants 1998
- Eni S.p.A./AGIP Exploration & Production
- Amoco Exploration Company
- BP Exploration Operating Company Ltd.
- [...] Petroleum Technology Company
- Elf Petroleum Norge A/S
- Esso Norge a.s.
- Norsk Hydro ASA
- Phillips Petroleum Company Norway
- Den norske stats oljeselskap (Statoil) a.s.
- Saga Petroleum ASA
- [...] Exploration and Production B.V.
- TOTAL S.A.
TABLE OF CONTENTS
LIST OF TABLES
LIST OF FIGURES
1. INTRODUCTION
2. RESULT SUMMARY
2.1 Parameter Definitions
2.2 Approach and Data Sources
2.3 Summary Table of PDS Input Data
2.3.1 TIF probabilities
2.3.2 Coverages
2.3.3 P-factors
2.4 Further Work
2.4.1 Variability of the TIF probability
2.4.2 Distinguish between design errors and human errors during testing
3. A METHOD FOR OBTAINING APPLICATION SPECIFIC TIF PROBABILITIES
3.1 Introduction
2. RESULT SUMMARY
2.1 Parameter Definitions
The following parameters are quantified for each component:

$\lambda_{crit}$ = Total critical failure rate of the component. Rate of failures that will cause either trip or unavailability of safety function (unless detected and prevented from causing such failure).

$\lambda^{FTO}_{undet}$ = Rate of failures causing Fail-To-Operate (FTO) failures, undetectable by automatic self-test. The FTO failures contribute to the Critical Safety Unavailability (CSU) of the component/system.

$\lambda^{SO}_{undet}$ = Rate of Spurious Operation (SO) failures, undetectable by automatic self-test. The rate of Spurious Operation (SO) failures of a component contributes to the STR of the system (independent of operation philosophy).

$\lambda_{undet}$ = Total rate of undetectable failures, i.e. $\lambda^{FTO}_{undet} + \lambda^{SO}_{undet}$.

$\lambda^{FTO}_{det}$ = Rate of failures causing Fail-To-Operate (FTO) failures, detectable by automatic self-test.

$\lambda^{SO}_{det}$ = Rate of Spurious Operation (SO) failures, detectable by automatic self-test. The effect of these failures on the Spurious Trip Rate (STR) depends on the operation philosophy.

$\lambda_{det}$ = Total rate of detectable failures, i.e. $\lambda^{FTO}_{det} + \lambda^{SO}_{det}$.

$\lambda^{FTO}_{crit}$ = Total rate of critical FTO failures of the component. Causes loss of safety function (unless detected and prevented from causing critical failure), i.e. $\lambda^{FTO}_{det} + \lambda^{FTO}_{undet}$.

$\lambda^{SO}_{crit}$ = Total rate of critical SO failures of the component. Causes loss of production regularity (unless detected and prevented from causing critical failure), i.e. $\lambda^{SO}_{det} + \lambda^{SO}_{undet}$.

$c^{FTO} = \lambda^{FTO}_{det} / \lambda^{FTO}_{crit}$ = Coverage of the automatic self-test + control room operator on FTO failures.

$c^{SO} = \lambda^{SO}_{det} / \lambda^{SO}_{crit}$ = Coverage of the automatic self-test + control room operator on SO failures.

TIF = The probability that a component which has just been functionally tested will fail on demand (applies for FTO failures only).

The relation between the different $\lambda$-values is shown in Table 1.
INSTRUMENTATION AND ELECTRICAL TECHNICAL AND ENGINEERING SERVICES
Phase 4
Overall Safety Requirements
Specification comprised of the Overall Safety Function Requirements and the Overall Safety Integrity Requirements.
Includes, for each safety function, the necessary risk reduction required to achieve the target level and the required Safety Integrity of the components. This documentation forms part of the Hazard and Risk Management Description, which needs to be maintained throughout the EUC's Safety Lifecycle.
Risk Reduction
The required Risk Reduction can be determined either qualitatively or quantitatively. BS EN IEC 61508-5 contains examples of both methods.
The quantitative method leads to rather laborious calculations and is not widely used. The qualitative method using a 'calibrated' Risk Graph is significantly less laborious. (It is also possible to use a Risk Matrix).
The proposed method of this guide is a compromise between the quantitative and qualitative methods, and should alleviate some of the non-linearity problems of the Risk Graph approach.
Neither the qualitative nor the semiquantitative method requires the numerical exact determination of the risk reduction factor for each safety function. However, [...] have been determined and the required SIL been found, the risk reduction factor (RRF) is simply the inverse of the PFDavg as in this table for the SIL.
For example, if the determined SIL is 2, the range of PFDavg of the safety function is between 0.01 and 0.001. The corresponding range of RRF is then from 100 to 1000.
Safety Integrity Levels (SIL)
Target failure for a safety function, allocated to an E/E/PE safety-related system
Phase 5
Safety Requirements Allocation
It is expected that the normal engineering procedure of a EUC operator will take into account the requirements for the external risk reduction facilities like fire walls, drainage and vent systems. Also other safety related systems such as relief valves and rupture disks, therefore, they are, in this guide, considered as part of the EUC.
The remaining Risk Reduction required to achieve the As Low As Reasonably Practical (ALARP) value is that required of the SIS.
The functioning of the SIS needs to be verified as meeting the required Safety Integrity Level (SIL) for each component forming the system architecture.
In this guide, the risk assessment and SIL determination are then based on the remaining risk after the external risk reduction facilities and other safety related systems have been implemented, i.e. the leftmost box in the figure.
The following figure illustrates the general concept of safety requirement allocation to the three safety systems.
RRF                  PFDavg
10,000 to 100,000    ≥ 10^-5 to < 10^-4
1000 to 10,000       ≥ 10^-4 to < 10^-3
100 to 1000          ≥ 10^-3 to < 10^-2
10 to 100            ≥ 10^-2 to < 10^-1
I.R. Kitchen BA(Hons) C.Eng, MIEE. Profit Through Loss Control (BS EN IEC 61508) Part One
Table 1 Relation between different $\lambda$-values

                 Spurious operation        Fail to operate            Sum
Undetectable     $\lambda^{SO}_{undet}$    $\lambda^{FTO}_{undet}$    $\lambda_{undet}$
Detectable       $\lambda^{SO}_{det}$      $\lambda^{FTO}_{det}$      $\lambda_{det}$
Sum              $\lambda^{SO}_{crit}$     $\lambda^{FTO}_{crit}$     $\lambda_{crit}$

Some of these parameters, in particular the TIF probability, and partly the coverage c, are assessed by expert judgements, see /13/. An essential element of this expert judgement is to clarify precisely which failures contribute to TIF and $\lambda_{crit}$, respectively. Figure 1 was used as an aid to clarify this. In particular the following is stressed concerning the interpretation of these concepts as used in the present report.

Figure 1 Interpretation of reliability parameters
Labels in the figure:
- Detected by automatic self-test, or by operator/maintenance personnel (irrespective of functional testing).
- Loss of safety failures. Detected by demands only.
- Trip failure, immediately revealed. Not prevented by any test.
- Design errors: software, degree of discrimination. Wrong location. Insufficient functional test procedure. Human error during test (forget to test, wrong calibration, damage detector, leave in by-pass).
- Coverage c

TIF probability
This is the probability that a component, which has just been tested, will fail on demand. This will include failures caused e.g. by improper/wrong location or inadequate design (software error or inadequate detection principle). Imperfect functional testing principle/procedure will also contribute. Finally, the possibility that the maintenance crew perform an erroneous functional testing (which is usually not detected before the next test) also contributes to the TIF probability.

Thus, note that if an imperfect testing principle is adopted for the functional testing, this will contribute to the TIF probability. For instance, if a process switch is not tested by introducing a change in the process itself, but rather by applying a dedicated test signal, there is no perfect functional testing; the test will not detect a blocking of the sensing line.

The contributions of the TIF probability and $\lambda^{FTO}_{undet}$ to the critical safety unavailability (CSU) are illustrated in Figure 2. Failures contributing to the failure rate are physical failures. Components with physical failures require some kind of repair to return to an operational state. The contribution to CSU from physical failures is reduced by functional testing. On the other hand, failures contributing to the TIF probability are functional failures. No repair is required, but such failures will occur repeatedly if the same scenario repeats itself, unless modifications are initiated. The contribution of the TIF probability to CSU is almost constant, independent of the frequency of functional testing.

Figure 2 Contributions to CSU
Labels in the figure: Functional test interval $\tau$; Revealed in functional test, $\lambda\tau/2$ (physical failures); Unrevealed in functional test, TIF (functional failures).

Coverage
The coverage is the fraction of the critical failures which is detected by the automatic self-test or by an operator. Thus, we include as part of the coverage any failure that in some way is detected in between functional tests. An analog sensor (e.g. transmitter) that is "stuck" will have a critical failure, but this failure is assumed to be detected by the panel operator and thus contributes to $\lambda_{det}$. Any trip [...] detector, giving [...] automatic activation (trip) to occur is also part of [...]. [...] include in $\lambda_{det}$ failures for which a trip could be prevented by specifying so in the operation philosophy. This means that both [...] can contribute to the spurious trip rate.
2.2 Approach and Data Sources
Failure rate data in the 95 edition is mainly based on the OREDA Phase III database, which - in the present report - is updated with the OREDA Phase IV data.

The idea is to let the estimates from the 95 edition form the so-called prior distribution, and next update this prior distribution to the posterior distribution using OREDA IV data. Since the 95 edition only presents point estimates, it is not possible to establish a complete prior distribution. Pragmatically we therefore use the point estimate as the mean value of the prior distribution, and make an implicit argument about the variation in the prior distribution as described in the following. It is assumed that the true failure rate for a given equipment type is a random variable with a prior distributed Gamma($\alpha$, $\beta$), see e.g. /16/. This distribution will be updated with the observed failures and calendar times from OREDA Phase IV and used to give the new failure rate estimates.

We need to specify the parameters of the prior distribution by specifying its mean and standard deviation. To simplify matters we assume that the mean in the gamma prior is the previous failure rate estimate, $\lambda_{old}$. Furthermore, it is assumed that $\alpha = 1$, which reduces the gamma distribution to an exponential distribution. This implies that the standard deviation of the prior is equal to the mean, $\lambda_{old}$. Note that this assumption need not always be appropriate, but there are not enough data to validate the assumption.

Now the new failure rate is given by

$$\lambda_{new} = \frac{1 + f}{1/\lambda_{old} + t}$$

where $f$ is the number of failures observed in OREDA Phase IV, and $t$ is the equipment's total calendar time in OREDA Phase IV. Note that this method can be used repeatedly.

The following should be noted about the update of the reliability data estimates:

- For some equipment types additional data was registered in the OREDA Phase III database after the finishing of the 95 edition. When this is the case the previous estimates are updated sequentially with the complete OREDA Phase III data and the OREDA Phase IV data, using the approach described above.
- Also, for some types of equipment, there are no inventories registered in Phase IV ($t = 0$). If there are additional data in Phase III, the OREDA Phase III data are used to update the reliability data estimates. If this is not the case, the previously recommended estimates still apply. (Note that if there are no failures registered in Phase IV ($f = 0$) this is [...] update the estimates).
- There has been no new expert judgements in this project, except for those related to the method described in Chapter 4. This means that no TIF values, except for IR gas detectors, have been changed since the 95 edition.

The coverage updates are taken as a weighted average between the previous estimates and the observed coverage in the OREDA Phase IV database. The previous estimates are given double weight since they include expert judgements and the data material is scarce, even with the OREDA Phase IV data.
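The two update rules of this section, written out as an added Python example (it is not code from the SINTEF report). The function names, the reading of "double weight" as weights 2:1, and all sample numbers are assumptions; the example also goes slightly beyond the text by comparing repeated use of the point-estimate formula with carrying the full gamma posterior between data sets.

```python
"""Added example: the estimate updates described in Section 2.2.

Failure rates and calendar times must use matching units, e.g. failures
per 10^6 hours and exposure in 10^6 hours.
"""
from typing import Iterable, Tuple

Phase = Tuple[int, float]  # (failures f, total calendar time t) for one data set


def update_failure_rate(lambda_old: float, failures: int, calendar_time: float) -> float:
    """lambda_new = (1 + f) / (1/lambda_old + t).

    Posterior mean of a Gamma(alpha=1, beta=1/lambda_old) prior, i.e. an
    exponential prior whose mean is the previous point estimate.
    """
    if lambda_old <= 0:
        raise ValueError("previous estimate must be positive")
    if failures < 0 or calendar_time < 0:
        raise ValueError("failures and calendar time cannot be negative")
    if calendar_time == 0 and failures > 0:
        raise ValueError("failures reported without any calendar time")
    # f = 0 and t = 0 (no inventory) returns lambda_old unchanged.
    # f = 0 with t > 0 still lowers the estimate: failure-free exposure
    # is information too.
    return (1 + failures) / (1 / lambda_old + calendar_time)


def update_repeatedly(lambda_old: float, phases: Iterable[Phase]) -> float:
    """Apply the formula once per data set, feeding each result back in as the
    next point estimate (assumed reading of 'updated sequentially')."""
    estimate = lambda_old
    for failures, calendar_time in phases:
        estimate = update_failure_rate(estimate, failures, calendar_time)
    return estimate


def gamma_posterior_mean(lambda_old: float, phases: Iterable[Phase]) -> float:
    """Comparison that goes beyond the text: keep the full gamma posterior
    (alpha, beta) between data sets instead of restarting from alpha = 1."""
    alpha, beta = 1.0, 1.0 / lambda_old
    for failures, calendar_time in phases:
        alpha += failures
        beta += calendar_time
    return alpha / beta


def update_coverage(c_previous: float, detected: int, critical: int,
                    previous_weight: float = 2.0) -> float:
    """Weighted average of the previous coverage and the observed coverage.

    The previous estimate counts `previous_weight` times the observation
    (2:1 is the assumed meaning of 'double weight').
    """
    if not 0.0 <= c_previous <= 1.0:
        raise ValueError("coverage must lie in [0, 1]")
    if critical == 0:
        return c_previous  # nothing observed, keep the previous estimate
    if not 0 <= detected <= critical:
        raise ValueError("detected failures must lie between 0 and critical")
    c_observed = detected / critical
    return (previous_weight * c_previous + c_observed) / (previous_weight + 1.0)


if __name__ == "__main__":
    # Constructed sample numbers, not values from the report.
    old = 3.0                        # previous estimate, per 10^6 hrs
    phases = [(1, 0.5), (2, 1.5)]    # (f, t in 10^6 hrs) for two data sets
    print("one update       :", update_failure_rate(old, 2, 1.5))
    print("no failures seen :", update_failure_rate(old, 0, 1.5))
    print("formula repeated :", update_repeatedly(old, phases))
    print("full posterior   :", gamma_posterior_mean(old, phases))
    print("coverage         :", update_coverage(0.5, detected=8, critical=10))
```

Repeating the point-estimate formula restarts from $\alpha = 1$ each time and so weights the newest data set more heavily than a posterior that accumulates $\alpha$ and $\beta$ across data sets.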
For the sake of comparison, the previously recommended estimates - along with the source listing - are included in the data dossiers.

Note that in the 95 edition, the data were presented in a slightly different way. Instead of using a common coverage for both SO and FTO types of failure, the coverage is in the present report split into its FTO and SO part [...]. This is done to be compatible with the PDS Tool.

Some filters used in the previous study with earlier versions of the OREDA software are not compatible with the later versions. Thus new filters have to be set.

Where the OREDA Phase III or IV database does not contain data, or data is scarce, the failure rate estimate is based on other relevant sources [...]. The individual reliability data dossiers give information on the data sources for the various components. The previous estimates in the 95 edition were [...] other sources than the OREDA database. A survey of all the failure rate data sources is given below.
OREDA - Offshore Reliability Data, ref. /1/, /2/, /3/, /15/, /17/
Author: OREDA Participants, distributed by DNV Technica, Høvik, Norway
Publ. year: 1984, 1992, 1993 and 1997
Data based on: [...] experience
Description: [...] installations, collected from installations in the North Sea and in the Adriatic Sea. OREDA has published three handbooks; 1st edition from 1984 (ref. /3/), 2nd edition from 1992 (ref. /2/) and 3rd edition from 1997 (ref. /1/). In addition, there are three versions of the OREDA database, of which the latest version is the main data source in this report, denoted the OREDA Phase IV database (ref. /15/). The data in the OREDA Phase IV database was collected in 1993-96.
Oseberg C - Experience Data on Fire and Gas Detection, ref. /4/
Author: Jon Arne Grammeltvedt
Publisher: Norsk Hydro, Research Centre, Porsgrunn, Norway
Publ. year: 1994
Description: [...] data on catalytic gas detectors, IR flame detectors and smoke detectors from the Oseberg C platform in the North Sea.
VULCAN - A Vulnerability Calculation Method for Process Safety Systems, ref. /5/
Author: Lars Bodsberg
Publisher: Norwegian Institute of Technology, Trondheim, Norway
Publ. year: 1993
Description: The [...] dissertation includes experience failure data on fire and gas detectors from [...] very comprehensive with respect to [...] than the [...] in the OREDA Phase III data.
NPRD-91: Nonelectronic Parts Reliability Data 1991, ref. /9/
Authors: William Denson, Greg Chandler, William Crowell and Rick Wanner
Publisher: Reliability Analysis Center, Rome, New York, USA
Publ. year: 1991
Data based on: Field experience
Description: The handbook provides failure rate data for a wide variety of component types including mechanical, electromechanical, and discrete electronic parts and assemblies. Data represents a compilation of field experience in military and industrial applications, and concentrates on items not covered by MIL-HDBK 217, "Reliability Prediction of Electronic Equipment". Data tables include part descriptions, quality levels, application environments, point estimates of failure [...], number of failures, total operating hours, and detailed part characteristics.

Reliability Data for Computer-Based Process Safety Systems, ref. /8/
Author: Lars Bodsberg
Publisher: SINTEF Safety and Reliability, Trondheim, Norway
Publ. year: 1989
Data based on: Field experience/expert judgement
Description: The report presents field data and guide figures for prediction of reliability of computer-based process safety systems. Data is based on review of oil company data files, workshop with technical experts, interviews with technical experts and questionnaires.

T-boken: Reliability Data of Components in Nordic Nuclear Power Plants, ref. /6/
Authors: ATV-kansliet and Studsvik AB
Publisher: Vattenfall, Sweden
Publ. year: Version 3, 1992
Data based on: Field experience
Description: The handbook (in Swedish) provides failure rate estimates for pumps, valves, instruments and electropower components in Nordic nuclear power plants. The data are presented as constant failure rates, with respect to the most significant failure modes. Mean active repair times are also recorded.

FARADIP.THREE, ref. /7/
Author: David J. Smith
Publisher: Butterworth-Heinemann Ltd., Oxford, England
Publ. year: Fourth edition, 1993
Data based on: Mixture of field experience and expert judgement
Description: The textbook "Reliability, Maintainability and Risk - Practical Methods for Engineers" (ref. /7/) has a specific chapter and an appendix on failure rate data. The data presented are mainly compiled from various sources, such as MIL-HDBK-217, NPRD-1985 (i.e. the 85 version of NPRD-91) and OREDA Handbook 1984. The failure rate data presented in the textbook is an extract from the database FARADIP.THREE.
2.3 Summary Table of PDS Input Data
Tables 2-4 summarise the recommended input data to PDS analysis. The definition of the column headings relates to the parameter definitions given in Chapter 2.1.
Some comments, based on the expert judgement session performed during the previous and present [...] given below, in particular on the given values for TIF and coverage.
2.3.1 TIF probabilities
Process switches
A TIF probability, $10^{-3}$, is assigned to the switch itself, essentially caused by human intervention (e.g. [...]). By including the sensing line (piping), the TIF probability may increase to $5\cdot10^{-3}$, unless a perfect functional testing is carried out, which also detects blocking of the sensing line.

Process transmitters
Transmitters have a "live signal". Thus, blocking of the sensing line is detected by the operator [...]. Also, a significant part of failures of the transmitter itself (all "stuck" failures) are detected by the operator and contribute to $\lambda_{det}$. Thus, the TIF probability is less than that of the switch. Smart and field bus transmitters are, due to more complete testing, expected to have even smaller TIF.

Gas detectors
Note that a new expert judgement session was performed during the 1998 study, giving TIF values for gas detectors differentiated with respect to detector type (point or line), the size of the leakage, and other conditions expected to influence the TIF probability for IR detectors. See Chapter 3 [...]. The TIF probability for catalytic gas detectors was not evaluated as this technology is considered to be old and less relevant.

Fire detectors
It is assumed that a detector with the "right" detection principle is applied (smoke detectors are applied where smoke fires are expected and flame detectors where flame fires are expected). Even so, there is a possibility that a fire may occur which gives a very low probability of detection by the detector [...]. Due to this fact an interval is provided for each [...]. The [...] to the size of the fire, essentially depend on the location/environment of the detector (indoor/outdoor, process area/living quarter). [...] smoke detector [...] detectors generally serve as a second barrier, and the value is significantly greater. Flame detectors are reliable unless [...] (estimated TIF = $3\cdot10^{-4}$), but oil fires in process area will develop [...], so a TIF probability as high as 0.5 could apply.

PLC systems
The TIF for the logics is essentially [...]. For dedicated [...]. For standard systems, the estimate TIF = $5\cdot10^{-4}$ applies.
Valves
The TIF probability for ESVs will depend on the type of functional testing. If the ESV is shut in completely and pressure tested, TIF = $10^{-6}$ (this value is [...] because of the possibility of human errors, e.g. related to bypass and improper testing). If the "functional testing" just involves a check that the valve moves (starts closing) on demand, the value $10^{-5}$ is suggested. This TIF value also applies for control valves. All these values include the pilot valve. The major contribution to the TIF probability for PSVs is wrong set point due to error of the maintenance crew, and the same TIF value used for switches is suggested (sensing line not included).
2.3.2 Coverages
Sensors
Line testing gives a coverage of 20% for switches, conventional transmitters and ESD push buttons. In addition operators detect a significant part of process transmitter failures (transmitter being stuck), giving a total coverage for transmitters which is significantly higher. For gas detectors also drift is detected (low alarm) and this may cause trips to be prevented. The given coverage for smoke detectors applies for analog sensors.

Control logic
For bus coupler and communication unit 100% of trip failures actually gives trip. Further, it is estimated that 95% of loss of safety failures are detected, and a FTO failure is prevented.

Valves
No automatic self-test for valves. It is estimated that operators detect [...] of critical failures (stuck failures) for [...]. There are [...] SO failures on valves detected by continuous condition monitoring in the OREDA Phase IV data. It is assumed that these failures are detected by operators and thus included in the SO coverage.

Note that these values are partially updated with the OREDA Phase IV data, see also the comments in Section 2.2.

2.3.3 p-factors
When quantifying the reliability of systems employing redundancy, e.g., duplicated or triplicated systems, it is essential to distinguish between independent and dependent failures. Normal ageing failures (see /14/) are usually considered as independent failures. However, both physical failures due to excessive stresses/human interaction and all functional failures are by nature dependent (common cause) failures. Dependent failures can lead to simultaneous failure of more than one module in the safety system, and thus reduce the advantage of redundancy.

In PDS dependent failures are accounted for by introducing a multiplicity distribution. The multiplicity distribution specifies the probability that - given that a failure has occurred - exactly $k$ of the $n$ redundant modules fail. Here, $k$ equals 1, 2, ..., $n$. The probability of $k$ modules failing simultaneously is denoted $p_k$.
As an example, consider the multiplicity distribution [...] probability that just one module [...] probability that both modules have failed is 0.10.

Figure 3 Example of multiplicity distribution for duplicated components
Labels in the figure: Reliability block diagram of the redundant modules; Unit A single failure; Simultaneous failure of A and B; B single failure.

Table 6 presents recommended p-factor distributions adopted from /11/. The distributions are presented for the following degrees of dependency:
- Low
- Medium
- High
- Complete

Table 5 presents guidelines for selecting appropriate degree of dependency (adopted from /11/).
Table 2 Failure rates, coverage and TIF probabilities for input devices
Gomponent
. InpfficeProcess Switch,Conventional l)
-i;Pf{ 106
hs
Pressure
Tansmitte
Co
cFrQ
Level (displace)Tansmitter
verage
':.t .: 'i, :..| .so
TemperatueTransmitter
3.4
FlowTransmitte
1 FlQ"ndd;:'1SO : ,,Ln |
l.J
90Vo
Gas detector,catalytic
3.1
'I-.r.iIff"
9Vo
20Vo
Gas detector IRpoint
per 10lrs
t| So| ^'nr
I
90Vo
.8
20Vo
2.1
Gas detector IRline
60Vo
50Vo
1.6
lL'*
Smokedetector
0.2
2.3
60Vo
60Vo
0.9
Heatdetecto
0.1
J
0.9
60Vo
.6
5jVo
0.6
Flamedetector
0.t
3.6
0.4
80Vo
l.lo3 - 5.10r 2)
4OVo
0.7
ESD Pushbutton
0.3
0.8
80Vo
3'104 - 5.104 3)
7Vo
0.6
2.4
0.4
40Vo
3.104 _ 5.104 3)
7jVo
Table 3 Failure rates, coverage and TIF probabilities for control logic
t1 .0
0.6
8.2
1.1
50Vo
)
2)
3)
4)
6)
1)
8)
3.104 - 5.104 3)
507o
11.0
1) Data primarily apply for pressure switches
2) Without/with the sensing line
3) For smart/conventional, respectively
4) The range gives values for large to small gas leaks (large gas leaks are leaks > 1 kg/s)
5) For smoke and flame fires, respectively
6) The range represents the occurrence of different types of fires (different locations)
7) For flame and smoke fires, respectively
8) Average over ventilation type and best/worst conditions, see Chapter 3
0.7
1.0
0.4
5OVo
3.i0" - 5.104 3)
5OVo
0.5
0;l
0.1
20Vo
5OVo
3.104 - 0.1 4)
0.6
0.8
6.10-3 _ l.l0_3 4,8)
0.1
2OVo
1.0
0.5
6.10-2 _ 7.70-2 4.8)
1.2
0.3
Field buscouPler
2.1
1.3
lo-3 - o.o5 5)
0.2
2.1
0.05 - 0.5 6)
Control logic units
0.6
3.10* - 0.5 7)
1) Note that the value for one signal path is somewhat less than this value
2) For TÜV certified and standard system, respectively
Table 4 Failure rates, coverage and TIF probabilities for output devices
l0-5
Component
21
ESVX-Mas
,E
per 106'hrs
5.10-s - 5.104 2)
Other ESV lmainvalve+actuator)
COYeraBe
crro..l cso
Pilot valve
Control valve,small
I .6
Control val-ve,lge
j IilO,.,"ndr
--l so'-
,,ffi'
Outpul
1.6
OVo
.a" Per 10ohrs
Pressure reliefvalve, PSV
4 .2
devices
30To
OVo
7.6
rff., I rf...
20Vo
For complete and incomplete functional testing, respectively
Note that trip of PSV does not necessarily lead to system trip
Vo
1.1
,R
604o
3O7o
+-3
0.8
1.2
'107o
6O1o
0.7
TU'
1.3
0.5
'7j%o
07o
17.8
I A
0.3
1O6 _ 10-s r)
0Vo
3.0
2.8
t.8
lo{-105r)
5
0-8
.0
0.1
u-
1.0
10-s
o.z2)
t0-
10-3
Table 5 p-factors of various components
Component'.
, =hlFire/gasdetector
te'rm p-factol:disfribution
mo
.so
Pressure switch
Ttr0.2
3: High dependence
Input devices
Field bus transmitters
4: Complete dependence
Same manufacturer, environment and maintenance contribute to CCFs
atl
"iO
Same location and design give high fraction ofCCFs
all
2: Medium dependence
PLC
Almost complete dependence when the detectors are applied in scenarios which they are not designed to handle
1: Low dependence
all
Output devices/Valves
Same manufacturer, medium location and maintenance contribute to CCFs
Pilot valves on same valve
1: Low dependence
all
Field data shows a significantly lower fraction of common cause failures for transmitters as compared to switches
Pilot valves on different valves
2: Medium dependence
ESV
Application software has a lower fraction of CCFs than the system software
all
Couplers
Table 6 Recommended p-factor distributions
all
2: Medium dependence
System software errors give a rather high contribution to CCFs. Other functional failures also contribute.
all
1: Low dependence
1) Specifies which failure rate/probability the given distribution applies for
1: Low dependence
all
Same design, location, control fluid and maintenance contribute to CCFs
Lower fraction of CCFs when pilots activate different ESVs
1: Low dependence
Same design, medium and maintenance contribute to CCFs. Field data indicate a relatively small fraction of CCFs.
Application software has a lower fraction of CCFs than system software
2.4 Further Work
Both the 95 edition and the present study illustrate that further work should be carried out on failure data definitions/classification to increase the credibility and validity of reliability analyses:

2.4.1 Variability of the TIF probability
For several components (e.g. sensors) there is obviously a wide range of TIF values that may apply, depending on various factors such as
- location (e.g. indoor/outdoor, process area/living quarter)
- detection principle
- [...] (e.g. analogue/digital, [...])
- system boundary (e.g. with/without impulse line)
- type of functional testing (perfect/incomplete)
- amount of self-test/monitoring

An effort has been made to meet this challenge, but so far only for gas detectors. However, there is an obvious need to quantify [...] types, so that an appropriate TIF value, reflecting [...] for actual studies.

2.4.2 Distinguish between design errors and human errors during testing
It is suggested that the TIF probability should be restricted to account for [...] that are present from day 1, and which are [...] automatic/functional tests. These are failures caused by design errors, e.g. including [...]. It is suggested that errors introduced by the maintenance crew upon testing (e.g. by-pass failures and inadequate testing) should be defined as a separate category of failures, and not be included in the TIF probability. Improved models should be [...] for failures introduced during functional testing.
Degree of dependence: Medium, High
0.9800  0.0180  0.0015
The above suggestions will make analyses more credible and accurate (ptant specifrc), and it willfacilitate the communication.between analysts and maintenance/operational personnel. It wili alsomake analyses more informative with respet to identifying factos that "rr""
ri" i""-iliry, and rhusidentifuing means of improving system dpendability.
\g tlNULqf Beliability Data for Control and Saf ety Systems'1998 Edition' )
3. A METHOD FOR OBTAINING APPLICATION SPECIFIC TIF PROBABILITIES
3.1 Introduction
In most RAMS analyses generic data are used as input parameters in quantitative dependability assessments. These generic data represent average values, and it is therefore desired to establish a method for adjusting these average values to take specific conditions into account. In this report we present a method for ... In future reports we aim at extending the methodology to other parameters and equipment classes.
First the method is established and calibrated based on the results from an expert seminar. The main results are summarised in Section 3.5. Next the use of the method is described by a step by step procedure, and an example is given, see Sections 3.7-3.8.
3.2 Conceptual approach
A conceptual hierarchical model has been established relating influencing conditions to direct failure causes and the TIF probability, as illustrated in Figure 4. This conceptual model contains a set of baseline TIF values and relative importance weights of the various direct failure causes.
Figure 4 Conceptual hierarchical structure (figure labels: generic baseline TIF values from expert seminar; generic weights from expert seminar; application specific scores (S))
The total TIF probability is the sum of TIF contributions from the following contributing classes (CC):
• Design errors (CC1) giving $TIF_1$.
• Wrong location (CC2) giving $TIF_2$.
• Insufficient functional test procedure or human errors (CC3) giving $TIF_3$.
"Behind" each contributing class a set of direct failure causes (DC) are defined, for example "forget to test" and "wrong ... design". The importance of each direct failure cause within a contributing class is given by a weight (w). Finally the direct failure causes are influenced by a set of influencing conditions (IC). These are conditions that are controllable by the operator/designer of the installation.
These baseline TIF values and the weights were established during an expert seminar. In a practical study the TIF probability is adjusted according to the state of a set of influencing conditions. A "check list" procedure is applied, where for each pre-defined influencing condition, a score is given representing the state for the particular application. A score is a number between -1 and +1. A score of -1 represents the "worst case", whereas +1 represents the "best case". See Table 7 for an example.
Table 7 Example of check list for TIF evaluation
3.3 Definitions
The following definitions will be used throughout this presentation:
• A contributing class (CC) is a class of direct failure causes that contribute to the TIF probability.
• A direct failure cause (DC) is a specific and clearly defined cause within one contributing class, influencing the TIF probability.
• An influencing condition (IC) is a condition that influences the probability of failures due to the relevant direct failure cause.
• A score (S) denotes the state of a specific influencing condition for a given application.
3.4 Method
The main idea is to establish the TIF contribution from each of the contributing classes, and then evaluate the direct causes within each contributing class. The following contributing classes have been defined for gas detectors:
• Design errors (CC1)
• Wrong location (CC2)
• Insufficient functional test procedure or human errors (CC3)
In the expert seminar baseline numerical TIF values were established for each contributing class, $CC_i$, $i = 1,\ldots,3$. These baseline numerical TIF values represent the anticipated range for TIF values for various conditions on an offshore installation. Notationally we let $TIF_{i,\mathrm{low}}$ correspond to the "best case" and $TIF_{i,\mathrm{high}}$ correspond to the "worst case" for contributing class i.
A set of direct failure causes are defined for each contributing class. For example, for the contributing class wrong location the direct failure causes are:
- Wrong location by design
- Wrong documentation at installation
- Modifications
For each contributing class, each of these direct causes is given a relative weight, and the weights add up to 100% for each contributing class.
Note that a direct failure cause does not directly correspond to the conditions that are controllable by a designer. Therefore ... focuses on conditions influencing on a direct failure cause. For example, ... In a practical analysis a score will be assigned to each of these conditions ... it is possible to establish an application specific TIF.
There is no straightforward manner to establish a relation between the scores and the TIF values. The relation proposed is based on the following principles:
• TIF should equal $TIF_{\mathrm{low}}$ if all S = 1
• TIF should equal $TIF_{\mathrm{high}}$ if all S = -1
• If all S = 0 the TIF should equal the geometric mean of the low and high TIF values.
Figure 5 illustrates the implications of this principle ($TIF_{\mathrm{high}} = 10^{-1}$ and $TIF_{\mathrm{low}} = 10^{-3}$).
r' and rIF' = lo'3)'
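Figure 5 TIF values as a function of score values
The formula for adjusting the TIF for contributing class i is given by:
$$TIF_i = \sum_j w_{DC_{ij}} \left(TIF_{i,\mathrm{low}}\right)^{\frac{1+S_{ij}}{2}} \left(TIF_{i,\mathrm{high}}\right)^{\frac{1-S_{ij}}{2}} \qquad (1)$$
and the total TIF for all contributing classes is given by:
$$TIF = \sum_i TIF_i = \sum_i \sum_j w_{DC_{ij}} \left(TIF_{i,\mathrm{low}}\right)^{\frac{1+S_{ij}}{2}} \left(TIF_{i,\mathrm{high}}\right)^{\frac{1-S_{ij}}{2}} \qquad (2)$$
Note that average scores on all influence conditions gives:
$$TIF_a = \sum_i \sqrt{TIF_{i,\mathrm{low}} \cdot TIF_{i,\mathrm{high}}}$$
That is, $TIF_a$ is the sum of geometric means for each of the contributing classes.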
3.5 Results from the expert seminar
The objective of the expert seminar was to:
• Establish a set of "Contributing Classes" CC
• Establish a set of "Direct Causes" DC for each CC
• Establish a set of "Influencing Conditions" IC for each DC
• Establish $TIF_{\mathrm{low}}$ and $TIF_{\mathrm{high}}$ for each CC
• Establish relative weights $w_{DC}$ within each CC
Two different detection systems were considered:
• Infrared (IR) point detector
• Infrared line detector
In addition the following 8 different scenarios were considered:
• Small gas leakage in open area
• Small gas leakage in naturally ventilated area
• Small gas leakage in mechanically ventilated area
• Small gas leakage in ventilation intake
• Large gas leakage in open area
• Large gas leakage in naturally ventilated area
• Large gas leakage in mechanically ventilated area
• Large gas leakage in ventilation intake
where Small gas leakage, release rate
Table 9 TIF for CC2 "Wrong location", IR point detector
Ventilation type
Open
Naturally ventilated area
Mechanically ventilated area
Small gas leakage, Best
Ventilation intake
0.5
Table 10 TIF for CC2 "Wrong location", IR line detector
0.1
Worst
Ventilation type
$5\cdot10^{-3}$
$10^{-4}$
0.9
Open
Naturally ventilated area
0.3
Large gas leakage, Best
Mechanically ventilated area
0.1
Small gas leakage, Best
0.01
$10^{-2}$
Ventilation intake
$5\cdot10^{-3}$
0.05
Worst
3.6 The relation between TIF and detector density
Note that when the values in Table 9 and Table 10 were established the following question was asked:
"Assume that there is only one detector installed to detect a gas leakage. What is the TIF-probability of not detecting such a leakage related to contributing class 'wrong location'?"
The figures given therefore contain two types of location errors:
• "local" effects related to a detector in an area containing gas
• "global" effects related to the fact that there might not be gas at all in the area where the detector is placed.
For a specific analysis where only one detector is considered, the TIF values may be used as stated in Table 9 and Table 10. However, in the situations where several detectors are used, it is not straightforward to use these results. When the total CSU is calculated, the "TIF-contribution" from each detector depends on the dependency, or so-called "β-factors", and it is reasonable to assign different dependency factors for the "local" and the "global" TIF-contribution.
$10^{-3}$
0.01
Worst
$5\cdot10^{-4}$
$10^{-4}$
0.1
$5\cdot10^{-2}$
$10^{-4}$
0.09
$10^{-2}$
0.03
Large gas leakage, Best
During the expert seminar ... "local" and "global" effects ... 25% "local" effect, and 75% "global" effect.
It is reasonable to assume that the "local" TIF-contribution does not depend on the density of detectors. However, the "global" ... procedure suggested below ... assumed ...
TIF10r
0.01
0.002
7o'2
1.10-3
Worst
2.lf
104
0.02
l.1o-2
2.10-3
r n-3
'Local"
Figure 6 TIF versus detector density
ro simp,irv *j,p:'f-::iiJii,:lfr ,yi*Uk* :ffffi":lJ$
number per detector' try i::i"" *tr, o:t:t"^ot ro..uure is pragmatic, ano is as follows:new TIF number i:,p::::.hr'ciu formurus. Te Ibe used as usual with the
slanoarus uev v^..'---- o. Denote this
r. For a given scenario,,ro:i",ff"j:,",:,:,*iiyjfffif:tm;:it'*ratreastonenumber /
-
Step 3: Identification of type of area
Data is available for the following types of area:
• Open
• Naturally ventilated area
• Mechanically ventilated area
• Ventilation intake
Step 4: Establishing correct TIF values for "location errors"
Based on the specifications in Steps 1-3 it is possible to look up the correct values for $TIF_{2,\mathrm{low}}$ and $TIF_{2,\mathrm{high}}$ from Table 9 or Table 10.
Step 5: Gas leakage scenario
As discussed in chapter 3.6 the $TIF_{2,\mathrm{low}}$ and $TIF_{2,\mathrm{high}}$ values in Table 9 or Table 10 represent the TIF for a "single detector". The TIF contribution of a detector in the situation with many detectors will be less than these values indicate. To adjust the TIF value the detector density, k, should be identified. We now define k such that k = 100% = 1 means that "it is likely" the gas cloud will reach at least one detector. k less than 1 means it is likely that there is no detector in that area where the gas cloud will pass.
Now calculate new TIF values
$$TIF_{2,\mathrm{low}} = TIF_{2,\mathrm{low}}\,(1 - 0.75k)$$
$$TIF_{2,\mathrm{high}} = TIF_{2,\mathrm{high}}\,(1 - 0.75k)$$
These numbers are then to be inserted in Table 12, see discussion in Step 6.
Step 6: Identification of state of influencing conditions
Each influencing condition which has been identified should be evaluated with respect to the state for the particular analysis. Table 12 may be used as a starting point for this evaluation. In the rightmost column of Table 12 the application specific "scores" should be filled in, where the following coding strategy may be used:
S = -1 - Worst state, i.e. no specific means has been identified
S = -½ - Bad state
S = 0 - Average state, or no information about this condition available
S = ½ - Good state
S = 1 - Best state, i.e. specific means have been implemented
An example of how the scores are entered is shown in Table 11.
Step 7: Calculation of average scores for each direct failure cause
The average score for each influencing condition relevant for that cause should be calculated and placed in column 3 of Table 12. Table 11 shows an example of such average calculation.
Step 8: Calculation of adjusted TIF for each contributing class (CC)
For each contributing class i, $i = 1,\ldots,3$, the TIF contribution is calculated by the formula:
$$TIF_i = \sum_j w_{DC_{ij}} \left(TIF_{i,\mathrm{low}}\right)^{\frac{1+S_{ij}}{2}} \left(TIF_{i,\mathrm{high}}\right)^{\frac{1-S_{ij}}{2}}$$
where the weights ($w_{DC_{ij}}$) and scores ($S_{ij}$) are read from column 2 and 3 in Table 12.
Step 9: Calculation of total adjusted TIF
The TIF contributions from each contributing class are summed up:
$$TIF = TIF_1 + TIF_2 + TIF_3$$
3.8 Calculation example
A calculation example is given to highlight the content of each step.
Step 1: ... an infrared point detector, hence Table 9 is used in Step 4.
Step 2: ... using the "left" part of Table 9.
Step 3: Identification of type of area
We assume that the gas leakage is in a mechanically ventilated area.
Step 4: Establishing correct TIF values for "location errors"
Based on the specifications ... we obtain $TIF_{2,\mathrm{low}} = 5\cdot10^{-3}$ and $TIF_{2,\mathrm{high}} = 0.1$.
Step 5: Gas leakage scenario
... k = 0.33 (relatively low density), hence
$$TIF_{2,\mathrm{low}} = TIF_{2,\mathrm{low}}\,(1 - 0.75k) = 3.8\cdot10^{-3}$$
$$TIF_{2,\mathrm{high}} = TIF_{2,\mathrm{high}}\,(1 - 0.75k) = 0.075$$
These values are used in Table 11.
Step 6: Identification of state of influencing conditions
The scores are shown in Table 11.
Step 7: Calculation of average scores for each direct failure cause
See Table 11 for calculation of average scores.
Step 8: Calculation of adjusted TIF for each contributing class (CC)
The TIF contribution from each contributing class in Table 11 is based on the following formula:
$$TIF_i = \sum_j w_{DC_{ij}} \left(TIF_{i,\mathrm{low}}\right)^{\frac{1+S_{ij}}{2}} \left(TIF_{i,\mathrm{high}}\right)^{\frac{1-S_{ij}}{2}}$$
Step 9: Calculation of total adjusted TIF
The TIF contributions from each contributing class are summed up:
$$TIF = TIF_1 + TIF_2 + TIF_3 = 36.9\cdot10^{-3}$$
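The adjustment in Steps 5 to 9 (Eq. 1 with the detector-density correction) written out as code; this is an added example, not part of the SINTEF report. The function names, the direct-cause weights, the scores and the CC1/CC3 baselines are constructed for illustration; only the CC2 baseline ($5\cdot10^{-3}$ and 0.1), k = 0.33 and the 0.75 factor are taken from the calculation example.

```python
"""Application-specific TIF adjustment (Sections 3.4 and 3.7), added example."""
from math import isclose

# Share of the single-detector "wrong location" TIF that scales with detector
# density k in Step 5 (the factor 0.75 in TIF * (1 - 0.75k)).
GLOBAL_SHARE = 0.75


def density_adjust(tif_single, k):
    """Step 5: correct a single-detector CC2 value for detector density k in [0, 1]."""
    if not 0.0 <= k <= 1.0:
        raise ValueError("detector density k must lie in [0, 1]")
    return tif_single * (1.0 - GLOBAL_SHARE * k)


def mean_score(scores):
    """Step 7: average the scores of the influencing conditions of one direct cause.

    An empty list means no information is available, which Step 6 codes as S = 0.
    """
    if not scores:
        return 0.0
    if any(not -1.0 <= s <= 1.0 for s in scores):
        raise ValueError("scores must lie in [-1, 1]")
    return sum(scores) / len(scores)


def class_tif(tif_low, tif_high, causes):
    """Step 8 / Eq. (1): adjusted TIF for one contributing class.

    causes is a list of (weight, [scores]) pairs, one pair per direct failure
    cause; the weights must add up to 1 (100 %).
    """
    if not 0.0 < tif_low <= tif_high <= 1.0:
        raise ValueError("need 0 < TIF_low <= TIF_high <= 1")
    if not isclose(sum(w for w, _ in causes), 1.0, abs_tol=1e-9):
        raise ValueError("weights within a contributing class must sum to 1")
    total = 0.0
    for weight, scores in causes:
        s = mean_score(scores)
        # S = +1 gives TIF_low, S = -1 gives TIF_high, S = 0 the geometric mean.
        total += weight * tif_low ** ((1 + s) / 2) * tif_high ** ((1 - s) / 2)
    return total


def total_tif(classes):
    """Step 9: sum the adjusted contributions of all contributing classes."""
    return sum(class_tif(low, high, causes) for low, high, causes in classes)


def example():
    """IR point detector, small leak, mechanically ventilated area, k = 0.33."""
    k = 0.33
    cc2_low = density_adjust(5e-3, k)   # Table 9 value used in the report's example
    cc2_high = density_adjust(0.1, k)   # Table 9 value used in the report's example
    classes = [
        # (TIF_low, TIF_high, [(weight, [scores of influencing conditions]), ...])
        (1e-4, 1e-2, [(0.6, [0.5, 1.0]), (0.4, [])]),            # CC1, constructed
        (cc2_low, cc2_high, [(0.5, [0.0, 0.5]), (0.3, [-0.5]),
                             (0.2, [1.0, 1.0])]),                # weights/scores constructed
        (1e-3, 2e-2, [(0.7, [0.5]), (0.3, [-1.0, 0.0])]),        # CC3, constructed
    ]
    per_class = [class_tif(low, high, causes) for low, high, causes in classes]
    return per_class, total_tif(classes)


if __name__ == "__main__":
    per_class, total = example()
    for i, value in enumerate(per_class, start=1):
        print(f"TIF_{i} = {value:.3e}")
    print(f"TIF   = {total:.3e}")
```

Because every weight set sums to 1, each class result stays between its own low and high baseline whatever scores are entered, which makes a check-list typing error easy to spot.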
Table 11 Example calculation; adjusting the TIF probability
Table 12 Check list for influencing conditions
and quaitatively/vely differentdemand
4. DATA DOSSIERS
The following pages present the data dossiers of the control and safety system components. These are the input to Table 2 - Table 4, summarising the "recommended" generic input data to PDS-II analyses.
The data dossiers are based on those in the 95 edition /13/, which contains failure mode abbreviations no longer used in OREDA. Definitions of these abbreviations are given in /13/ and /17/.
Following the definition used in OREDA, several severity class types are referred to in the data dossiers. The various types are defined as follows:
Critical failure
A failure which causes immediate and complete loss of a system's capability of providing its output.
Degraded failure
A failure which is not critical, but which prevents the system from providing its output within specifications. Such a failure would usually, but not necessarily, be gradual or partial, and may develop into a critical failure in time.
Incipient failure
A failure which does not immediately cause loss of a system's capability of providing its output, but which, if not attended to, could result in a critical or degraded failure in the near future.
Unknown
Failure severity was not recorded or could not be deduced.
Note that only failures classified as critical are presented and included in the estimates of the 93 edition.
Bypass not removed
I TIF3 r"- = 0.001; 1R "'", 0.02I Total all contribution classes
31
TIF = TIFI +
Component: Process Switch, Conventional
Description
Pressure switch including sensor and pneumatic switch
Reliability Data Dossier - PDS-data
Recommended Values for Calculation
Total rate
FTO 2.3 per $10^6$ hrs
SO 1.1 per $10^6$ hrs
Overall 3.4 per $10^6$ hrs
Date of Revision
1999-01-11
Previously Recommended Values for Calculation (95 edition)
$\lambda_{det}$ = 1.0 per $10^6$ hrs
$\lambda_{FTO}$ = 2.5 per $10^6$ hrs Coverage
$\lambda_{SO}$ = 2.5 per $10^6$ hrs
$\lambda_{crit}$ = 6.0 per $10^6$ hrs TIF-probability
1) Without/with the sensing line
Failure Rate Assessment
The given failure rate essentially applies to pressure switches. The failure rate estimate is an update of the previous estimate - mainly based on OREDA-84 and PDS I - with the complete OREDA phase III data (phase IV contains no data on process switches). The estimated coverage is based on expert judgement (assuming 20 % coverage) and the observed coverage (100 % in OREDA phase III). The rate of FTO failures is estimated assuming a coverage of 90 % (previously assumed ..., observed in OREDA Phase III was 100 %). The rate of SO failures is estimated assuming a coverage of 20 % (previous estimate, expert judgement).
Undetected
0.2 per $10^6$ hrs
0.9 per $10^6$ hrs
$10^{-3}$ - $5\cdot10^{-3}$ 1)
Component: Process Switch, Conventional
The TIF-probability is entirely based on expert judgements. Details on the expert judgement are found in the appendix. A summary of some of the main arguments is provided in Section 2.3.
Reliability Data Dossier - PDS-data
Overall failure rate (per $10^6$ hrs)
FTO: 1.39
SO: 0.00
Observed:
$c_{FTO}$ = 100 %
OREDA Phase IV Software /15/. Data relevant for conventional process switches.
Filter:
Inv. Equipment Class = PROCESS SENSORS AND
Inv. Design Class = Pressure AND
Inv. Att. Type process sensor = Switch AND
Inv. Phase = 4 AND
(Inv. System = Gas processing OR Oil processing) AND
Fail. Severity Class = Critical
No. of inventories = 12
No. of critical FTO failures = 1
No. of critical SO failures = 0
FTO: 0.61SO: 1.15Other: 032
Cal. time ='l19 I
T-boken /6/: Pressure switch
FTO: 2.28 SO: 0.32 Other: 0.37
T-boken /6/: Pressure differential switch
For FTO: e=0'149 Per 10' demands
T-boken /6/: Flow switch
0.61
0.15
2.O4
T-boken /6/: Level switch
Module: Input Devices
Component: Process Switch, Conventional
Failure Rate References
Overall failure rate (per $10^6$ hrs)
Reliability Data Dossier - PDS-data
Lo Me Hi1540
Failure mode distribution
In Med. Hi2520
FTO:
SO:
Lo Med. Hi440
I Med. Hi320
Data source/comment
0.25
0.15
T-boken /6/: Temperature switch
5.6
FARADIP.THREE /7/: Pressure switch
FARADIP.THREE /7/: Level switch
FTOhys. 0.1FTOunct. 2.0FTOlrorru 2.1
5;
FARADIP.THREE /7/: Flow switch
5.2
FARADIP.THREE /7/: Temperature switch
SOhys.
SOunct.
SO/roret
6.8
PDS I /8/: Pressure switch (normally energized)
Note! Both physical and functional failures are included.
Only critical failures are included.
1.5
2.0
3.5
Component: Pressure Transmitter, Conventional
Description
The pressure transmitter includes the sensing element, local electronics and the process isolation valves.
Reliability Data Dossier - PDS-data
OREDA-84 /3/: Pressure switch, Pneumatic, low pressure (less than 1500 psig)
OREDA-84 /3/: Pressure switch, Pneumatic, high pressure (1500 psig or greater)
OREDA-84 /3/: Pressure switch, Electric
OREDA IV - /13/: Pressure switch, total
Total rate
FTO 0.8 per $10^6$ hrs
SO 0.5 per $10^6$ hrs
Overall 1.3 per $10^6$ hrs
Date of Revision
1999-01-11
Previously Recommended Values for Calculation (95 edition)
$\lambda_{det}$ = 0.9 per $10^6$ hrs Coverage = 0.60
$\lambda_{FTO}$ = 0.1 per $10^6$ hrs
$\lambda_{SO}$ = 0.5 per $10^6$ hrs
$\lambda_{crit}$ = 1.5 per $10^6$ hrs TIF-probability = $5\cdot10^{-4}$
- smart transm. = $3\cdot10^{-4}$
Undetected
0.1 per $10^6$ hrs
0.4 per $10^6$ hrs
= $5\cdot10^{-4}$
Failure Rate Assessment
The failure rate estimate is an update of the previous estimate - mainly based on OREDA III - with OREDA phase IV data ... The rate of FTO failures is estimated assuming ... The rate of SO failures is estimated assuming a coverage
Component: Pressure Transmitter, Conventional
The TIF-probability is entirely based on expert judgements. Details on the expert judgement are found in the appendix. A summary of some of the main arguments is provided in Sec
Reliability Data Dossier - PDS-data
OREDA Phase IV Software /15/. Data relevant for conventional pressure transmitters.
Filter:
Inv. Equipment Class = PROCESS SENSORS AND
Inv. Design Class = Pressure
Inv. Att. Type process sensor = Transmitter AND
Inv. Phase =
AND
(Inv. System = Gas processing OR Oil processing)
Fail. Severity Class = Critical
Module: Input Devices
Component: Pressure Transmitter, Conventional
FTO:
SO:
Observed:
No. of inventories = 205
No. of critical FTO failures = 0
No. of critical SO failures = 0
Overall failure rate (per $10^6$ hrs)
$c_{FTO}$ = 100 % (Calculated including transmitters having some kind of self-test arrangement only)
OREDA Phase III /1/ Database PS31-.
Data relevant for conventional pressure transmitters.
f ifl, .t"rlu' TAxcoD=sPR''Al'{D' FuNcrN='oP'
No. of inventories = 186
Total no. of failures = 89
Cal. time = 4 680 182 hrs
Note! Only failures classified as "critical" are included in the failure rate estimates.
T-boken /6/: Pressure transmitter
OREDA IV - /13/: Pressure switch, total
Module: Input Devices
Component: Level (Displacement) Transmitter, Conventional
Description
The level transmitter includes the sensing element, local electronics and the process isolation valves.
Reliability Data Dossier - PDS-data
Recommended Values for Calculation
Total rate
FTO 1.4 per $10^6$ hrs
SO 1.5 per $10^6$ hrs
Overall 3.1 per $10^6$ hrs
Date of Revision
1999-01-11
Remarks
Only displacement level transmitters are included in the OREDA Phase III and IV data
Previously Recommended Values for Calculation (95 edition)
$\lambda_{det}$ = 4.5 per $10^6$ hrs Coverage = 0.75
$\lambda_{FTO}$ = 0.5 per $10^6$ hrs
$\lambda_{SO}$ = 1.0 per $10^6$ hrs
$\lambda_{crit}$ = 6.0 per $10^6$ hrs TIF-probability = ...
- smart transm. = $3\cdot10^{-4}$
Coverage
0.90
0.50
TIF-probability
Undetected
0.1 per $10^6$ hrs
0.8 per $10^6$ hrs
= $5\cdot10^{-4}$
Failure Rate Assessment
The failure rate estimate is an update of the previous estimate - mainly based on OREDA III - with OREDA phase IV data. The rate of FTO failures is estimated assuming a coverage of 90 % (observed in OREDA Phase III was 100 %). The rate of SO failures is estimated assuming a coverage of 50 % (previously assumed to be 20 %, observed in OREDA Phase IV was 100 %).
Module: Input Devices
Component: Level (Displacement) Transmitter, Conventional
TIF-probability Assessment
The TIF-probability is entirely based on expert judgements. Details on the expert judgement are found in the appendix. A summary of some of the main arguments is provided in Section 2.3.
Reliability Data Dossier - PDS-data
Failure Rate References
Overall failure rate (per $10^6$ hrs)
1.89
Failure mode distribution
FTO: 0.00
SO: 1.89
Observed:
$c_{SO}$ = 100 %
Data source/comment
OREDA Phase IV Software /15/. Data relevant for conventional displacement level transmitters.
Filter:
Inv. Equipment Class = PROCESS SENSORS AND
Inv. Design Class = Level AND
Inv. Att. Type process sensor = Transmitter AND
Inv. Att. Level sens. princ. = Displacement AND
Inv. Phase = 4 AND
(Inv. System = Gas processing OR Oil processing) AND
Fail. Severity Class = Critical
No. of inventories = 17
No. of critical FTO failures = 0
No. of critical SO failures = 1
Cal. time = 530 208
6.17 FTO: 4.94 SO: 1.23
Observed:
$c_{FTO}$ = 100 % (Calculated including transmitters having some kind of self-test arrangement only)
OREDA Phase III /1/ Database PS31-. Data relevant for conventional displacement level transmitters.
Filter criteria: TAxcoD=?sLE'.AND' FUNCTN='oP'
.OR,,GP'
No. of inventories = 65
Total no. of failures = 50
Cal. time = 1 620 177 hrs
Note! Only failures classified as "critical" are included in the failure rate estimates.
FTO: 0.21 T-boken /6/: Level transmitter
Component: Level (Displacement) Transmitter, Conventional
Reliability Data Dossier - PDS-data (per $10^6$ hrs)
L,o Med. Hi10 20
irlng tZ' t-*el transmitter
OREDA IV - /13/: Pressure switch, total
Module: Input Devices
Component: Temperature Transmitter, Conventional
Description
The temperature transmitter includes the sensing element, local electronics and the process isolation valves.
Reliability Data Dossier - PDS-data
Recommended Values for Calculation
Total rate
FTO 0.7 per $10^6$ hrs
SO 1.1 per $10^6$ hrs
Overall 1.8 per $10^6$ hrs
Date of Revision
1999-01-11
Remarks
Note that the data material for temperature transmitters is scarce, i.e., the failure rate estimate
Previously Recommended Values for Calculation (95 edition)
$\lambda_{det}$ = 3.0 per $10^6$ hrs Coverage
$\lambda_{FTO}$ = 0.5 per $10^6$ hrs
$\lambda_{SO}$ = 1.5 per $10^6$ hrs
$\lambda_{crit}$ = 5.0 per $10^6$ hrs TIF-probability
- smart transm.
Coverage Undetected
0.60 0.3 per $10^6$ hrs
0.60 0.4 per $10^6$ hrs
TIF-probability = $5\cdot10^{-4}$
- smart transm. = $3\cdot10^{-4}$
Failure Rate Assessment
The failure rate estimate is an update of the previous estimate - based on OREDA Phase III including some expert judgement due to scarce data - with OREDA phase IV data. The distribution between (undetected) FTO- and SO-failures is based on the distribution for pressure and flow transmitters. The overall coverage given above is estimated mainly based on expert
= $5\cdot10^{-4}$
= $3\cdot10^{-4}$
Component: Temperature Transmitter, Conventional
TIF-probability Assessment
The TIF-probability is entirely based on expert judgements. Details on the expert judgement are found in the appendix. A summary of some of the main arguments is provided in Section 2.3.
Reliability Data Dossier - PDS-data
OREDA Phase IV Software /15/.
Data relevant for conventional temperature
Filter:
Inv. Equipment Class = PROCESS SENSORS
Inv. Design Class = Temperature
Inv. Att. Type process sensor = Transmitter
Inv. Phase = 4
(Inv. System = Gas processing
Oil processing)
Fail. Severity Class = Critical
No. of inventories = 19
No. of critical FTO failures = 0
No. of critical SO failures = 0
FTO: 5.06
Component: Temperature Transmitter, Conventional
Observed:
$c_{FTO}$ = 100 % (Calculated including transmitters having some kind of self-test arrangement only)
Reliability Data Dossier - PDS-data
OREDA Phase III /1/ Database PS31-.
Data relevant for conventional temperature transmitter.
Filter criteria: TAxcoD=srE'AND'
FUNCTN='OP'.OR' 'GP'
No. of inventories = 8
Total no. of failures = 7
Cal. time = 197 808 hrs
Note! Only failures classified as "critical" are included in the failure rate estimates.
T-boken /6/: Temperature transmitter
FARADIP.THREE /7/: Temperature trans-
Module: Input Devices
Component: Flow Transmitter, Conventional
Description
The flow transmitter includes the sensing element, local electronics and the process isolation valves.
Reliability Data Dossier - PDS-data
Recommended Values for Calculation
FTO
SO
Date of Revision
1999-01-11
Total rate
1.5 per $10^6$ hrs
2.2 per $10^6$ hrs
Overall 3.7 per $10^6$ hrs
Remarks
Previously Recommended Values for Calculation (95 edition)
$\lambda_{det}$
$\lambda_{FTO}$
$\lambda_{SO}$
Coverage
0.60
0.50
TIF-probability
- smart transm.
1.5 per $10^6$ hrs
0.1 per $10^6$ hrs
1.4 per $10^6$ hrs
3.0 per $10^6$ hrs $\lambda_{crit}$
Failure Rate Assessment
The failure rate estimate is an update of the previous estimate - based on OREDA III - with OREDA phase IV data. The rate of FTO failures is estimated assuming a coverage of 60 % (observed in OREDA Phase III and IV was 100 % and 0 %, respectively). The rate of SO failures is estimated assuming a coverage of 50 % (previously assumed to be ... %, observed in OREDA Phase IV was 100 %). The SO failure rate includes 'Erratic output' failures.
Undetected
0.6 per $10^6$ hrs
1.1 per $10^6$ hrs
$5\cdot10^{-4}$
$3\cdot10^{-4}$
Module: Input Devices
Coverage
Component: Flow Transmitter, Conventional
TIF-probability Assessment
The TIF-probability is entirely based on expert judgements. Details on the expert judgement are found in the appendix. A summary of some of the main arguments is provided in Section 2.3.
TIF-probability
- smart transm.
0.50
Reliability Data Dossier - PDS-data
Failure Rate References
Overall failure rate (per $10^6$ hrs)
$5\cdot10^{-4}$
$3\cdot10^{-4}$
5.70
Failure mode distribution
FTO: 2.85
SO: 2.85
Observed:
$c_{FTO}$ = 0 %
$c_{SO}$ = 100 %
Data source/comment
OREDA Phase IV Software /15/. Data relevant for conventional flow transmitters.
Filter:
Inv. Equipment Class = PROCESS SENSORS AND
Inv. Design Class = Flow AND
Inv. Att. Type process sensor = Transmitter AND
Inv. Phase = 4 AND
(Inv. System = Gas processing OR Oil processing) AND
Fail. Severity Class = Critical
No. of inventories = 10
No. of critical FTO failures = 1
No. of critical SO failures = 1
Cal. time = 350 640
2.89 FTO:
SO:
Observed:
$c_{FTO}$ = 100 % (Calculated including transmitters having some kind of self-test arrangement only)
1.24
1.5
OREDA Phase III /1/ Database PS31-. Data relevant for conventional flow transmitters.
Filter criteria: TAXcoD=sFL' .AND. FUNcTN=L
oP'.oR.'GP'
No. of inventories = 72
Total no. of failures = 92
Cal. time = 2 422 200 hrs
Note! Only failures classified as "critical" are included in the failure rate estimates.
Module: Input Devices
Component: Flow Transmitter, Conventional
Failure Rate References
Overall failure rate (per $10^6$ hrs)
Reliability Data Dossier - PDS-data
Lo Med. Hl5zu
Failure mode distribution
FTO: 0.25
Data source/comment
T-boken /6/: Flow transmitter
FARADIP.THREE /7/: Flow transmitter
Component: Catalytic Gas Detector, Conventional
Description
The detector includes the sensor and local electronics such as the address/interface unit.
Reliability Data Dossier - PDS-data
Total rate
1.6 per $10^6$ hrs
0.7 per $10^6$ hrs
2.3 per $10^6$ hrs
Date of Revision
1999-01-11
Previously Recommended Values for Calculation (95 edition)
Coverage Undetected
0.60 0.6 per $10^6$ hrs
0.40 0.4 per $10^6$ hrs
TIF-probability see section ...
3.0 per $10^6$ hrs
1.5 per $10^6$ hrs
1.0 per $10^6$ hrs
$\lambda_{crit}$ = 5.5 per $10^6$ hrs TIF-probability = $3\cdot10^{-4}$ - 0.1 1)
Failure Rate Assessment
Due to additional phase III data the failure rate estimate is updated iteratively. The previous estimate is updated with the final phase III data, and this estimate is finally updated using the OREDA phase IV data. The rate of FTO failures is estimated assuming a coverage of 60 % (previously assumed to be 90 %, observed in OREDA phase III was 38 %). The rate of SO failures is estimated assuming a coverage of 40 % (previously assumed to be 20 %, observed in OREDA phase III was 100 %). The FTO failure rate includes 'No output' and 'Very low output' failures.
1) Large to small gas leaks
Component: Catalytic Gas Detector, Conventional
TIF-probability Assessment
The TIF-probability is entirely based on expert judgements. Details on the expert judgement are found in the appendix. A summary of some of the main arguments is provided in Section 2.3.
Reliability Data Dossier - PDS-data
Failure Rate References
OREDA Phase IV Software /15/. Data relevant for conventional catalytic gas detectors.
Filter:
Inv. Eq. Class = FIRE & GAS DETECTORS
Inv. Att. Sensing principle = Catalytic
Inv. Phase = 4
Fail. Severity Class = Critical
No. of inventories = 24
No. of critical FTO failures = 0
No. of critical SO failures = 0
NOO: 3.62 SHH: 0.79 Sum FTO: 4.41
Module: Input Devices
Component: Catalytic Gas Detector, Conventional
OREDA Phase III /1/ Database FG31-. Data relevant for conventional catalytic gas detectors. More than 97 % of the detectors have automatic loop test.
Filter criteria: TAXCoD=FGHC',
SENSPRI=TATALYTIC'
No. of inventories = 2 046
Total no. of failures = 1 749
Cal. time = 49 185 572 hrs
Note! Only failures classified as "critical" are included in the failure rate estimates.
Failure Rate References
Observed:
$c_{FTO}$ = 64 % (Calculated including detectors having some kind of self-test arrangement only)
Overall failure rate (per $10^6$ hrs)
Reliability Data Dossier - PDS-data
Failure mode distribution
Frod"t: 0.5Irl'Oundet; 1.4 i" t
SOo"t: 0.2S6und"t: 0.4 e"t
r.4, lt
5.09
Data source/comment
Oseberg C /4/.
Data relevant for conventional catalytic gas detectors.
No. of inventories = 431
No. of failures = 85 (25 critical)
Time = 10 215 888 hrs
Note! Only failures classified as "critical" are included in the failure rate estimates.
FTO/Nat.aging 3.83 FTO/Stress 0.06 FTO/Intervent. 0.17 FTO/TOTAL 4.06
SO/Nat.aging 0.74 SO/Stress 0.06 SO/Intervent. 0.06 SO/Input 0.17 SO/TOTAL 1.03
VULCAN /5/:
Failure rates are split into, in addition to failure modes, failure categories, following the "PDS-model".
FTO/Phys. 1 FTO/Funct. 2 FTO/TOTAL 3
SO/Phys.
SO/Funct.
SO/TOTAL
Note! Only failures classified as "critical" are included in the failure rate estimates.
PDS I /8/: Gas detector
I3
/
Note! Both physical and functional failures are included.
Only critical failures are included.
Module: Input Devices
Component: IR Gas Detector, Conventional
Description
The detector includes the sensor and local electronics such as the address/interface unit.
Reliability Data Dossier - PDS-data
Recommended Values for Calculation
FTO
SO
Date of Revision
1999-01-11
Total rate
3.3 per $10^6$ hrs
0.3 per $10^6$ hrs
Overall 3.6 per $10^6$ hrs
Remarks
Previously Recommended Values for Calculation (95 edition)
$\lambda_{det}$
$\lambda_{FTO}$
$\lambda_{SO}$
Coverage
0.80
0.70
2.9 per $10^6$ hrs
1.0 per $10^6$ hrs
0.1 per $10^6$ hrs
$\lambda_{crit}$ = 4.0 per $10^6$ hrs
1) Large to small gas leaks
TIF-probability see section
Failure Rate Assessment
The failure rate estimate is an update of the previous estimate - essentially based on the Oseberg C data - with OREDA phase IV data. The rate of FTO failures is estimated assuming a coverage of 80 % (previously assumed to be 70 %, observed in OREDA Phase IV was 100 %). The rate of SO failures is estimated assuming a coverage of 70 % (previous estimate). The FTO failure rate includes 'No output' failures.
Undetected
0.7 per $10^6$ hrs
0.1 per $10^6$ hrs
Coverage
Module: Input Devices
Component: IR Gas Detector, Conventional
TI F -probahlity Ass es sment
The TlF-probability is entirely based on expert judgements. Details on the expert judgement isfound in the appendix. A summary of some of the main arguments are provided in Section 2.3.
TIF-probability
0.70
Failure Rate References
Overall failure rate (per 10^6 hrs)
3.lo4-o.lr)
3.49
Failure mode
distribution
FTO: 3.49
SO: 0.00
Observed:
,nocso
Data source/comment
= I00Vo= }Vo
OREDA Phase IV Software /15/.
Data relevant for conventional IR gas detectors.
Filter:
Inv. Eq. Class = FIRE & GAS DETECTORS AND
(Inv. Att. Sensing principle = IR OR
Inv. Att. Sensing principle = IR/UV) AND
Inv. Phase = 3 AND
Fail. Severity Class = Critical
No. of inventories = 54
No. of critical FTO failures = 4
No. of critical SO failures = 0
Cal. time = 1 147 176
4.1
FTOdet: 2.9
FTOundet: 1.2
SOdet: 0
SOundet: 0
Oseberg C /4/.
Data relevant for conventional IR gas detectors.
No. of inventories = 41
Total no. of failures = 26 (4 critical)
Time = 977 472 hrs
Note! Only failures classified as "critical" are included in the failure rate estimates.
-
Module: Input Devices
Component: Smoke Detector, Conventional
Description
The detector includes the sensor and local
electronics such as the address/interface
unit.
Recommended Values for Calculation
         Total rate         Coverage   Undetected
FTO      1.3 per 10^6 hrs   0.40       0.8 per 10^6 hrs
SO       2.4 per 10^6 hrs   0.50       1.2 per 10^6 hrs
Overall  3.7 per 10^6 hrs   TIF-probability = 10^-3 - 0.05 1)
Date of Revision: 1999-01-11
1) The range represents the occurrence of different types of fires (smok
Previously Recommended Values for Calculation (95 edition)
λdet = 1.5 per 10^6 hrs   Coverage
λFTO = 0.5 per 10^6 hrs
λSO = 2.0 per 10^6 hrs
λcrit = 4.0 per 10^6 hrs   TIF-probability = 10^-3 - 0.05 1)
1) The range represents the occurrence of different types of fires (smoke/fl
Failure Rate Assessment
The failure rate estimate is an update of the previous estimate - based on OREDA Phase III data - with complete OREDA III data (no inventories in Phase IV). The rate of FTO failures is estimated assuming a coverage of 40 % (observed in OREDA incomplete and complete Phase III was 29 % and 50 %, respectively). The rate of SO failures is estimated assuming a coverage of 60 % (previously assumed to be 20 %, observed in OREDA (complete) Phase III was 98 %).
TIF-probability Assessment
The TIF-probability is entirely based on expert judgements. Details on the expert judgement are found in the appendix. A summary of some of the main arguments is provided in Section 2.3.
Failure Rate References
Overall failure rate (per 10^6 hrs)
3.70
Failure mode distribution
FTO: 1.31
SO: 2.39
Observed:
cFTO = 50 %, cSO = 98 %
Data source/comment
OREDA Phase IV Software /15/.
Data relevant for conventional smoke/combustion detectors.
Filter:
Inv. Eq. Class = FIRE & GAS DETECTORS AND
Inv. Att. Sens. princ. = Smoke/Combustion AND
Inv. Phase = 4 AND
Fail. Severity Class = Critical
No. of inventories = 2389
No. of critical FTO failures = 80
No. of critical SO failures = 146
Cal. time = 61 11098/.
3.73
FTO: 1.01
SPO: 2.72
Observed:
cFTO = 29 % (Calculated including detectors having some kind of self-test arrangement only)
OREDA Phase III /1/ Database FG31-.
Data relevant for smoke/combustion detectors. Both conventional (65 %) and addressable (35 %) detectors are included. 56 % have automatic loop test, 35 % have a combination of loop and built-in self-test, rest (9 %) have no self-test feature.
Filter criteria: TAXCOD=FGFS'
No. of inventories = 1 897
Total no. of failures = 218
Cal. time = 50 374 800 hrs
Note! Only failures classified as "critical" are included in the failure rate estimates.
-
Oseberg C /4/.
Data relevant for smoke detectors.
No. of inventories = 53
No. of failures = 4 (1 critical)
Time = 12'l8528 hrs
Note! Only failures classified as "critical" are included in the failure rate estimates.
FTO/Nat.aging 0.81
FTO/Stress 0.13
FTO/Intervent. 0.03
FTO/TOTAL 0.97
SO/Nat.aging 0.87
SO/Stress 0.43
SO/Intervent. 0.03
SO/Input 4.39
SO/TOTAL 5.72
VULCAN /5/:
Failure rates are split into, in addition to failure modes, failure categories, following the "PDS-model".
FTO/Phys. 0.4
FTO/Funct. 0.4
FTO/TOTAL 0.8
SO/Phys.
SO/Funct.
SO/TOTAL
Note! Only failures classified as "critical" are included in the failure rate estimates.
PDS I /8/: Smoke detector
Note! Both physical and functional failures are included.
Only critical failures are included.
Module: Input Devices
Component: Heat Detector, Conventional
Description
The detector includes the sensor and local electronics such as the address/interface unit.
Recommended Values for Calculation
Date of Revision: 1999-01-11
         Total rate         Coverage   Undetected
FTO      0.9 per 10^6 hrs   0.50       0.5 per 10^6 hrs
SO       1.5 per 10^6 hrs   0.50       1.3 per 10^6 hrs
Overall  2.4 per 10^6 hrs   TIF-probability = 0.05 - 0.5 1)
1) The range represents the occurrence of different types of fires (smoke/flame)
Previously Recommended Values for Calculation (95 edition)
λdet = 1.0 per 10^6 hrs   Coverage = 0.40
λFTO = 0.5 per 10^6 hrs
λSO = 1.0 per 10^6 hrs
λcrit = 2.5 per 10^6 hrs   TIF-probability = 0.05 - 0.5 1)
1) The range represents the occurrence of different types of fires (smoke/flame)
Failure Rate Assessment
The failure rate estimate is an update of the previous estimate - based on OREDA Phase III data - with complete OREDA III data (no inventories in Phase IV). The rate of FTO failures is estimated assuming a coverage of 50 % (observed in OREDA incomplete and complete Phase III was 50 % and 36 %, respectively). The rate of SO failures is estimated assuming a coverage of 50 % (previously assumed to be 20 %, observed in OREDA (complete) Phase III was 98 %).
-
TIF-probability Assessment
The TIF-probability is entirely based on expert judgements. Details on the expert judgement are found in the appendix. A summary of some of the main arguments is provided in section
Failure Rate References
Overall failure rate (per 10^6 hrs)
2.35
Failure mode distribution
FTO: 0.88
SO: 1.47
Observed:
cFTO = 36 %, cSO = 98 %
Data source/comment
OREDA Phase IV Software /15/.
Data relevant for conventional heat detectors.
Filter:
Inv. Eq. Class = FIRE & GAS DETECTORS AND
Inv. Att. Sens. princ. = Heat AND
Inv. Phase = 4 AND
Fail. Severity Class = Critical
No. of inventories = 994
No. of critical FTO failures = 24
No. of critical SO failures = 40
Cal. time = 27 260 832
a t
FTO: 0.82
SPO: 1.39
Observed:
cFTO = 50 % (Calculated including detectors having some kind of self-test arrangement only)
OREDA Phase III /1/ Database FG31_.
Data relevant for conventional heat detectors. Both rate-of-rise (23 %) and rate-compensated (71 %) detectors are included. Of the detectors, 89 % have automatic loop test, rest (11 %) have no self-test feature. Further, 77 % are reported as "normally de-energized", 29 % as "normally energized".
Filter criteria: TAXCOD=FGFH'
No. of inventories = 865
Total no. of failures = 79
Cal. time = 24 470 588 hrs
Note! Only failures classified as "critical" are included in the failure rate estimates.
FTO/Nat.aging 1.28
FTO/Stress 0.14
FTO/Intervent. 0.05
FTO/TOTAL 1.47
SO/Nat.aging 0.49
SO/Stress 0.32
SO/Intervent. 0.14
SO/Input 0.51
SO/TOTAL 1.46
VULCAN /5/:
Failure rates are split into, in addition to failure modes, failure categories, following the "PDS-model".
FTO/Phys. 0.1
FTO/Funct. 0.2
FTO/TOTAL 0.i
SO/Phys.
SO/Funct.
SO/TOTAL
Note! Only failures classified as "critical" are included.
PDS I /8/: Heat detector
Note! Both physical and functional failures are included.
Only critical failures are included.
-
Module: Input Devices
Component: Flame detector, Conventional
Description
The detector includes the sensor and local electronics such as the address/interface unit.
Recommended Values for Calculation
Date of Revision: 1999-01-11
         Total rate         Coverage   Undetected
FTO      4.2 per 10^6 hrs   0.50       2.1 per 10^6 hrs
SO       4.1 per 10^6 hrs   0.50       2.1 per 10^6 hrs
Overall  8.3 per 10^6 hrs   TIF-probability = 3 · 10^-4 - 0.5 1)
1) The range represents the occurrence of different types of fires (smoke/flame)
Remarks
Previously Recommended Values for Calculation (95 edition)
λdet = 2.5 per 10^6 hrs   Coverage = 0.40
λFTO = 1.5 per 10^6 hrs
λSO = 3.0 per 10^6 hrs
λcrit = 7.0 per 10^6 hrs   TIF-probability = 3 · 10^-4 - 0.5 1)
1) The range represents the occurrence of different types of fires (smoke/flame)
Failure Rate Assessment
The failure rate estimate is an update of the previous estimate - based on OREDA Phase III data - with complete OREDA III data (no inventories in Phase IV). The rate of FTO failures is estimated assuming a coverage of 40 % (observed in OREDA incomplete and complete Phase III was 48 % and 50 %, respectively). The rate of SO failures is estimated assuming a coverage of 50 % (previously assumed to be 20 %, observed in OREDA (complete) Phase III was 100 %).
TIF-probability Assessment
The TIF-probability is entirely based on expert judgements. Details on the expert judgement are found in the appendix. A summary of some of the main arguments is provided in Section 2.3.
Failure Rate References
Observed:
cFTO = 50 %, cSO = 100 %
OREDA Phase IV Software /15/.
Data relevant for conventional flame detectors.
Filter:
Inv. Eq. Class = FIRE & GAS DETECTORS AND
Inv. Att. Sens. princ. = Flame AND
Inv. Phase = 4 AND
Fail. Severity Class = Critical
No. of inventories = 1256
No. of critical FTO failures = 119
No. of critical SO failures = 116
Cal. time = 28 5l'1
FTO: 3.20
SPO: 3.98
Observed:
cFTO = 48 % (Calculated including detectors having some kind of self-test arrangement only)
OREDA Phase III /1/ Database FG31-.
Data relevant for conventional flame detectors. Both IR (52 %), UV (13 %) and combined IR/UV (35 %) detectors are included. Of the detectors, 'r-5 % have automatic loop test, 3 % have built-in self-test, 15 % have combination of automatic loop and built-in self-test, rest (11 %) have no self-test feature.
Filter criteria: TAXCOD=FGFF
No. of inventories = 1 010
No. of failures = 292
Cal. time = 23 136 820 hrs
Note! Only failures classified as "critical" are included in the failure rate estimates.
-
Oseberg C /4/.
Data relevant for IR flame detectors.
No. of inventories = 162
No. of failures = 30 (18 critical)
Time = 3 978 240 hrs
Note! It is assumed that only failures classified as "critical" are included in the failure rate estimates.
FTO/Nat.aging 1.77
FTO/Stress 0.12
FTO/Intervent. 0.12
FTO/TOTAL 2.01
SO/Nat.aging 0.16
SO/Stress 0.12
SO/Intervent. 0.12
SO/Input 2.97
SO/TOTAL 3.37
VULCAN /5/:
Failure rates are split into, in addition to failure modes, failure categories, following the "PDS-model".
FTO/Phys. 1.1
FTO/Funct. 0.2
FTO/TOTAL 1.3
SO/Phys.
SO/Funct.
SO/TOTAL
Note! Only failures classified as "critical" are included.
Note! Both physical and functional failures are included.
Only critical failures are included.
Component: ESD Push button
Description
Pushbutton including wiring
Recommended Values for Calculation
Date of Revision: 1999-01-11
         Total rate         Coverage   Undetected
FTO      0.3 per 10^6 hrs   0.20       0.2 per 10^6 hrs
SO       0.8 per 10^6 hrs   0.20       0.6 per 10^6 hrs
Overall  1.0 per 10^6 hrs   TIF-probability = 10^-5
Remarks
No data available in OREDA Phase IV.
Previously Recommended Values for Calculation (1995)
λdet = 0.2 per 10^6 hrs   Coverage = 0.20
λFTO = 0.2 per 10^6 hrs
λSO = 0.6 per 10^6 hrs
λcrit = 1.0 per 10^6 hrs   TIF-probability = 10^-5
Failure Rate Assessment
The failure rate is estimated based on all listed data sources, taking into account the expert judgements. The overall coverage given above is estimated as the average for both failure modes, also taking into account the expert judgement.
TIF-probability Assessment
The TIF-probability is entirely based on expert judgements. Details on the expert judgement are found in the appendix. A summary of some of the main arguments is provided in Section 2.3.
-
Failure Rate References
Overall failure rate (per 10^6 hrs)
In Med. Hi0. r 0.5 10
Failure mode distribution
5.8
0.13
Data source/comment
FARADIP.THREE /7/: Pushbutton
NPRD-91: Switch, Push button, ground fixed, commercial quality
NPRD-91: Switch, Push button, ground fixed, military quality
Component: PLC System
Description
PLC system includes input/output cards, CPU incl. memory and watchdog, controllers (int. bus, comm. etc.), system bus and power supply.
Recommended Values for Calculation
Date of Revision: 1999-01-11
         Total rate        Coverage
FTO      16 per 10^6 hrs   0.90
SO       16 per 10^6 hrs   0.90
Overall  32 per 10^6 hrs   TIF-probability
1) For TÜV certified and standard system, respectively
Previously Recommended Values for Calculation (95 edition)
λcrit = 80.0 per 10^6 hrs
1) For TÜV certified and standard system.
72.0 per 10^6 hrs
2.0 per 10^6 hrs
6.0 per 10^6 hrs
Failure Rate Assessment
The failure rate estimate is an update of the previous estimate - based on OREDA Phase III data - with complete OREDA III data (no inventories in Phase IV), taking into account t