sintef stf38 reliability data for control and safety systems (1998)


Page 1: Sintef STF38 Reliability Data for Control and Safety Systems (1998)

SINTEF

STF38 A98445

Classification: Unrestricted

Reliability Data for Control and Safety Systems

1998 Edition

SINTEF Industrial Management
Safety and Reliability

January 1999

SINTEF Industrial Management
Safety and Reliability

Address: N-7034 Trondheim, NORWAY
Location: Strindveien 4
Telephone: +47 73 59 27 56
Fax: +47 73 59 28 96
Enterprise No.: NO 948 007 029 MVA

SINTEF REPORT

Reliability Data for Control and Safety Systems. 1998 Edition.

Geir Klingenberg Hansen and Jørn Vatn

1999-01-11

ABSTRACT

Reliability data estimates for components of control and safety systems are provided in this report. Data for both field devices (sensors, valves) and control logic (electronics) are presented. Data dossiers are given for these components, based on various sources, e.g. OREDA and expert judgements. The level of detail of the data is adapted to the format suited for reliability analyses applying the PDS method.

The reliability data estimates are essentially based on the previously recommended data for use with the PDS method, updated with OREDA Phase IV data.

Also, a method for obtaining application specific reliability data estimates is given. As a case, the method is applied to TIF probabilities for IR gas detectors.

PREFACE

The PDS Forum is a forum of oil companies, vendors and researchers with a special interest in [...]. For information regarding the PDS Forum please visit the web site http://www.sintef.no/sipaa/prosjekt/pds-forum.html

The results in the present report are to a great extent based on work SINTEF carried out on request from Norsk Hydro in 1995, cf. the SINTEF report "[...] - Reliability Data for Control and Safety Systems" /13/. We appreciate that Norsk Hydro allowed using these '95 results in the present report.

The OREDA project is also acknowledged for allowing OREDA Phase IV data to be used in preparation of the present report. For information regarding OREDA please visit the web site [...]/indman/sipaa/prosjekt/oreda/

Trondheim, 1999-01-11

Geir Klingenberg Hansen

PDS Forum Participants 1998

Oil Companies
• Amoco Norway Oil Company
• BP Norge
• Elf Petroleum Norge A/S
• Norsk Hydro ASA
• Phillips Petroleum Company Norway
• Saga Petroleum ASA
• A/S Norske Shell
• Den norske stats oljeselskap (Statoil) a.s.

Control and Safety Systems Vendors
• ABB Industri
• Autronica
• Bailey Norge
• Boo Instrument AS
• Honeywell
• ICS Group
• Kongsberg Simrad
• Norfass (Yokogawa)
• SAAS ASA
• Siemens

Engineering Companies and Consultants
• Aker Engineering
• Det Norske Veritas
• Dovre Safetec AS
• Kværner Oil and Gas A.S
• NORSOC
• Umoe Olje og Gass

OREDA Participants 1998
• Eni S.p.A./AGIP Exploration & Production
• Amoco Exploration Company
• BP Exploration Operating Company Ltd.
• Chevron Petroleum Technology Company
• Elf Petroleum Norge A/S
• Esso Norge a.s.
• Norsk Hydro ASA
• Phillips Petroleum Company Norway
• Den norske stats oljeselskap (Statoil) a.s.
• Saga Petroleum ASA
• Shell International Exploration and Production B.V.
• TOTAL S.A.

TABLE OF CONTENTS

LIST OF TABLES
LIST OF FIGURES
1. INTRODUCTION
2. RESULT SUMMARY
2.1 Parameter Definitions
2.2 Approach and Data Sources
2.3 Summary Table of PDS Input Data
2.3.1 TIF probabilities
2.3.2 Coverages
2.3.3 P-factors
2.4 Further Work
2.4.1 Variability of the TIF probability
2.4.2 Distinguish between design errors and human errors during testing
3. A METHOD FOR OBTAINING APPLICATION SPECIFIC TIF PROBABILITIES

2. RESULT SUMMARY

2.1 Parameter Definitions

The following parameters are quantified for each component:

$\lambda_{crit}$ = Total critical failure rate of the component. Rate of failures that will cause either trip or unavailability of safety function (unless detected and prevented from causing such failure).

$\lambda^{FTO}_{undet}$ = Rate of failures causing Fail-To-Operate (FTO) failures, undetectable by automatic self-test. The FTO failures contribute to the Critical Safety Unavailability (CSU) of the component/system.

$\lambda^{SO}_{undet}$ = Rate of Spurious Operation (SO) failures, undetectable by automatic self-test. The rate of Spurious Operation (SO) failures of a component contributes to the STR of the system (independent of operation philosophy).

$\lambda_{undet}$ = Total rate of undetectable failures, i.e. $\lambda^{FTO}_{undet} + \lambda^{SO}_{undet}$.

$\lambda^{FTO}_{det}$ = Rate of failures causing Fail-To-Operate (FTO) failures, detectable by automatic self-test.

$\lambda^{SO}_{det}$ = Rate of Spurious Operation (SO) failures, detectable by automatic self-test. The effect of these failures on the Spurious Trip Rate (STR) depends on the operation philosophy.

$\lambda_{det}$ = Total rate of detectable failures, i.e. $\lambda^{FTO}_{det} + \lambda^{SO}_{det}$.

$\lambda^{FTO}_{crit}$ = Total rate of critical FTO failures of the component. Causes loss of safety function (unless detected and prevented from causing critical failure), i.e. $\lambda^{FTO}_{det} + \lambda^{FTO}_{undet}$.

$\lambda^{SO}_{crit}$ = Total rate of critical SO failures of the component. Causes loss of production regularity (unless detected and prevented from causing critical failure), i.e. $\lambda^{SO}_{det} + \lambda^{SO}_{undet}$.

$c^{FTO} = \lambda^{FTO}_{det} / \lambda^{FTO}_{crit}$ = Coverage of the automatic self-test + control room operator on FTO failures.

$c^{SO} = \lambda^{SO}_{det} / \lambda^{SO}_{crit}$ = Coverage of the automatic self-test + control room operator on SO failures.

TIF = The probability that a component which has just been functionally tested will fail on demand (applies for FTO failures only).

The relation between the different $\lambda$-values is shown in Table 1.

INSTRUMENTATION AND ELECTRICAL TECHNICAL AND ENGINEERING SERVICES

Phase 4

Overall Safety Requirements

Specification comprised of the overall Safety Function Requirements and the overall Safety Integrity Requirements.

Includes, for each safety function, the necessary risk reduction required to achieve the target level and the required Safety Integrity of the components.

This documentation forms part of the Hazard and Risk Management Description, which needs to be maintained throughout the EUC's Safety Lifecycle.

Risk Reduction

The required Risk Reduction can be determined either qualitatively or quantitatively. BS EN IEC 61508-5 contains examples of both methods.

The quantitative method leads to rather laborious calculations and is not widely used. The qualitative method using a 'calibrated' Risk Graph is significantly less laborious. (It is also possible to use a Risk Matrix).

The proposed method of this guide is a compromise between the quantitative and qualitative methods, and should alleviate some of the non-linearity problems of the Risk Graph approach.

Neither the qualitative nor the semiquantitative method requires the numerically exact determination of the risk reduction factor for each safety function. However, when [...] have been determined and the required SIL been found, the risk reduction factor (RRF) is simply the inverse of the PFDavg, as in this table for the SIL.

For example, if the determined SIL is 2, the range of PFDavg of the safety function is between 0.01 and 0.001. The corresponding range of RRF is then from 100 to 1000.

Safety Integrity Levels (SIL): target failure for a safety function, allocated to an E/E/PE safety-related system

SIL 4: RRF 10,000 to 100,000; PFDavg ≥ 10^-5 to < 10^-4
SIL 3: RRF 1000 to 10,000; PFDavg ≥ 10^-4 to < 10^-3
SIL 2: RRF 100 to 1000; PFDavg ≥ 10^-3 to < 10^-2
SIL 1: RRF 10 to 100; PFDavg ≥ 10^-2 to < 10^-1

Phase 5

Safety Requirements Allocation

It is expected that the normal engineering procedure of a EUC operator will take into account the requirements for the external risk reduction facilities like fire walls, drainage and vent systems. Also other safety related systems such as relief valves and rupture disks. Therefore, they are, in this guide, considered as part of the EUC.

The remaining Risk reduction required to achieve the As Low As Reasonably Practical (ALARP) value is that required of the SIS.

The functioning of the SIS needs to be verified as meeting the required Safety Integrity Level (SIL) for each component forming the system architecture.

In this guide, the risk assessment and SIL determination are then based on the remaining risk after the external risk reduction facilities and other safety related systems have been implemented, i.e. the leftmost box in the figure.

The following figure illustrates the general concept of safety requirement allocation to the three safety systems.

I.R llitchen BA (Hons) C.Eng MIEE, Profit Through Loss Control (BS EN IEC 61508), Part One

Table 1 Relation between different $\lambda$-values

                Spurious operation         Fail to operate             Sum
Undetectable    $\lambda^{SO}_{undet}$     $\lambda^{FTO}_{undet}$     $\lambda_{undet}$
Detectable      $\lambda^{SO}_{det}$       $\lambda^{FTO}_{det}$       $\lambda_{det}$
Sum             $\lambda^{SO}_{crit}$      $\lambda^{FTO}_{crit}$      $\lambda_{crit}$

Some of these parameters, in particular the TIF probability, and partly the coverage c, are assessed by expert judgements, see /13/. An essential element of this expert judgement is to clarify precisely which failures contribute to TIF and $\lambda_{crit}$, respectively. Figure 1 was used as an aid to clarify this. In particular the following is stressed concerning the interpretation of these concepts as used in the present report.

[Figure 1 Interpretation of reliability parameters. Labels: $\lambda_{det}$: detected by automatic self-test, or by operator/maintenance personnel (irrespective of functional testing). $\lambda^{FTO}_{undet}$: loss of safety failures, detected by demands only. $\lambda^{SO}_{undet}$: trip failure, immediately revealed, not prevented by any test. TIF: design errors (software, degree of discrimination), wrong location, insufficient functional test procedure, human error during test (forget to test, wrong calibration, damage detector, leave in by-pass). Coverage $c = \lambda_{det} / \lambda_{crit}$.]

TIF probability
This is the probability that a component, which has just been tested, will fail on demand. This will include failures caused e.g. by improper/wrong location or inadequate design (software error or inadequate detection principle). Imperfect functional testing principle/procedure will also contribute. Finally, the possibility that the maintenance crew perform an erroneous functional testing (which is usually not detected before the next test) also contributes to the TIF probability.

Coverage
The coverage is the fraction of the critical failures which is detected by the automatic self-test or by an operator. Thus, we include as part of the coverage any failure that in some way is detected in between functional tests. An analog sensor (e.g. transmitter) that is "stuck" will have a critical failure, but this failure is assumed to be detected by the operator and thus contribute to $\lambda_{det}$. Any trip failure of a detector, giving a pre-alarm [...] automatic activation (trip) to occur, is also part of $\lambda_{det}$ [...] include in $\lambda_{det}$ failures for which a trip could be prevented by specifying so in the operation philosophy. This means that both $\lambda_{det}$ and $\lambda^{SO}_{undet}$ can contribute to the spurious trip rate.

Thus, note that if an imperfect testing principle is adopted for the functional testing, this will contribute to the TIF probability. For instance, if a process switch is not tested by introducing a change in the process, but rather by applying a dedicated test signal, there is no perfect functional testing, as the test will not detect a blocking of the sensing line.

The contributions of the TIF probability and $\lambda^{FTO}_{undet}$ to the critical safety unavailability (CSU) are illustrated in Figure 2. In short, failures contributing to the failure rate are physical failures. Components with physical failures require some kind of repair to return to an operational state. The contribution to CSU from physical failures is [...] by functional testing. On the other hand, failures contributing to the TIF probability are functional failures. No repair is required, but such failures will occur repeatedly if the same scenario repeats itself, unless modifications are initiated. The contribution of the TIF probability to CSU is assumed constant, independent of the frequency of functional testing.

[Figure 2 Contributions to CSU. Horizontal axis: functional test interval $\tau$. Contributions shown: revealed in functional test, $\lambda\tau/2$ (physical failures); unrevealed in functional test, TIF (functional failures).]

2.2 Approach and Data Sources

Failure rate data in the 95 edition is mainly based on the OREDA Phase III database, which - in the present report - is updated with the OREDA Phase IV data.

The idea is to let the estimates from the 95 edition form the so-called prior distribution, and next update this prior distribution to the posterior distribution using OREDA IV data. Since the 95 edition only presents point estimates, it is not possible to establish a complete prior distribution. Pragmatically we therefore use the point estimate as the mean value of the prior distribution, and make an implicit argument about the variation in the prior distribution as described in the following. It is assumed that the true failure rate for a given equipment type is a random variable with a prior distributed Gamma($\alpha$, $\beta$), see e.g. /16/. This distribution will be updated with the observed failures and calendar times from OREDA Phase IV and used to give the new failure rate estimates.

We need to specify the parameters of the prior distribution by specifying its mean and standard deviation. To simplify matters we assume that the mean in the gamma prior is the previous failure rate estimate, $\lambda_{old}$. Furthermore, it is assumed that $\alpha = 1$, which reduces the gamma distribution to an exponential distribution. This implies that the standard deviation of the prior is equal to the mean, $\lambda_{old}$. Note that this assumption need not always be appropriate, but there are not enough data to validate the assumption.

Now the new failure rate is given by

$$\lambda_{new} = \frac{1 + f}{1/\lambda_{old} + t}$$

where $f$ is the number of failures observed in OREDA Phase IV, and $t$ is the equipment's total calendar time in OREDA Phase IV. Note that this method can be used repeatedly if needed.
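The update above in runnable form, as an added example that is not part of the SINTEF report: it implements lambda_new = (1 + f) / (1/lambda_old + t) as a Gamma conjugate update and compares re-applying the formula to each data set with carrying the full posterior forward. The failure counts, calendar times and all function names are constructed for illustration; rates are per 10^6 hours and calendar times are in 10^6 hours.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple

# One data set: (number of failures f, calendar time t in 10^6 hours)
Batch = Tuple[int, float]


@dataclass(frozen=True)
class GammaBelief:
    """Gamma(alpha, beta) distribution over a failure rate (per 10^6 hours)."""
    alpha: float
    beta: float

    @property
    def mean(self) -> float:
        return self.alpha / self.beta

    @property
    def sd(self) -> float:
        return self.alpha ** 0.5 / self.beta

    def observe(self, failures: int, calendar_time: float) -> "GammaBelief":
        """Conjugate update: f failures observed over calendar time t."""
        if failures < 0 or calendar_time < 0:
            raise ValueError("failures and calendar time must be non-negative")
        return GammaBelief(self.alpha + failures, self.beta + calendar_time)


def exponential_prior(lam_old: float) -> GammaBelief:
    """Prior with alpha = 1 and mean lam_old, hence beta = 1 / lam_old."""
    if lam_old <= 0:
        raise ValueError("previous failure rate estimate must be positive")
    return GammaBelief(alpha=1.0, beta=1.0 / lam_old)


def update_failure_rate(lam_old: float, failures: int,
                        calendar_time: float) -> float:
    """Posterior mean: lambda_new = (1 + f) / (1 / lambda_old + t)."""
    return exponential_prior(lam_old).observe(failures, calendar_time).mean


def repeated_point_update(lam_old: float, batches: Iterable[Batch]) -> float:
    """Apply the formula once per data set, feeding each result back in as
    the next lambda_old. Every step restarts from alpha = 1."""
    lam = lam_old
    for failures, calendar_time in batches:
        lam = update_failure_rate(lam, failures, calendar_time)
    return lam


def carried_posterior(lam_old: float, batches: Iterable[Batch]) -> GammaBelief:
    """Alternative: keep the full Gamma posterior between data sets, so
    earlier observations keep their weight."""
    belief = exponential_prior(lam_old)
    for failures, calendar_time in batches:
        belief = belief.observe(failures, calendar_time)
    return belief


# Constructed sample values (not taken from OREDA or from the report)
LAM_OLD = 2.0                       # previous estimate, per 10^6 hours
BATCHES = [(3, 1.0), (0, 2.0)]      # two successive data sets

if __name__ == "__main__":
    prior = exponential_prior(LAM_OLD)
    print("prior mean and sd:", prior.mean, prior.sd)
    print("no inventory (f=0, t=0):", update_failure_rate(LAM_OLD, 0, 0.0))
    print("no failures (f=0, t=1):", update_failure_rate(LAM_OLD, 0, 1.0))
    print("formula applied per data set:",
          repeated_point_update(LAM_OLD, BATCHES))
    print("full posterior carried forward:",
          carried_posterior(LAM_OLD, BATCHES).mean)
```

With the constructed data, re-applying the formula gives about 0.42 per 10^6 hours while the carried posterior gives about 1.14, because each re-application resets alpha to 1 and so discounts the earlier data set.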

The following should be noted about the update of the reliability data estimates:

• For some equipment types additional data was registered in the OREDA Phase III database after the finishing of the 95 edition. When this is the case the previous estimates are updated sequentially with the complete OREDA Phase III data and the OREDA Phase IV data, using the approach described above.

• Also, for some types of equipment, there are no inventories registered in Phase IV (t = 0). If there are additional data in Phase III, the OREDA Phase III data are used to update the reliability data estimates. If this is not the case, the previously recommended estimates still apply. (Note that if there are no failures registered in Phase IV (f = 0) this is [...] update the estimates).

• There have been no new expert judgements in this project, except for those related to the method described in Chapter 4. This means that no TIF values, except for IR gas detectors, have been changed since the 95 edition.

• The coverage updates are taken as a weighted average between the previous estimates and the observed coverage in the OREDA Phase IV database. The previous estimates are given double weight since they include expert judgements and the data material is scarce, even with the OREDA Phase IV data.

• For the sake of comparison, the previously recommended estimates - along with the source listing - are included in the data dossiers.

• Note that in the 95 edition, the data were presented in a slightly different way. Instead of using a common coverage for both FTO and SO types of failures, the coverage is in the present report split into its FTO and SO part [...]. This is done to be compatible with the PDS Tool.

• Some filters used in the previous study with earlier versions of the OREDA software are not compatible with the later versions. Thus new filters have to be set.

Where the OREDA Phase III or IV database does not contain data, or data is scarce, the failure rate estimate is based on other relevant sources [...]. The individual reliability data dossiers give information on the data sources for the various components. The previous estimates in the 95 edition were [...] based on other sources than the OREDA database. An overview of all the failure rate data sources is given below.

OREDA - Offshore Reliability Data, ref. /1/, /2/, /3/, /15/, /17/
Publisher: OREDA Participants, distributed by DNV Technica, Høvik, Norway
Publ. year: 1984, 1992, 1993 and 1997
Description: [...] experience, [...] installations, collected from installations in the North Sea and in the Adriatic Sea. OREDA has published three handbooks: 1st edition from 1984 (ref. /3/), 2nd edition from 1992 (ref. /2/) and 3rd edition from 1997 (ref. /17/). In addition, there are three versions of the OREDA database, of which the latest version is the main data source in this report, denoted the OREDA Phase IV database (ref. /15/). The data in the OREDA Phase IV database was collected in 1993-96.

Oseberg C - Experience Data on Fire and Gas Detectors, ref. /4/
Author: Jon Arne Grammeltvedt
Publisher: Norsk Hydro, Research Centre, Porsgrunn, Norway
Publ. year: 1994
Description: The report presents field experience data on catalytic gas detectors, IR flame detectors and smoke detectors from the Oseberg C platform in the North Sea.

VULCAN - A Vulnerability Calculation Method for Process Safety Systems, ref. /5/
Author: Lars Bodsberg
Publisher: Norwegian Institute of Technology, Trondheim, Norway
Publ. year: 1993
Description: The dissertation includes experience failure data on fire and gas detectors from [...] very comprehensive with respect to [...] data are included in the OREDA Phase III data.

NPRD-91: Nonelectronic Parts Reliability Data 1991, ref. /9/
Authors: William Denson, Greg Chandler, William Crowell and Rick Wanner
Publisher: Reliability Analysis Center, Rome, New York, USA
Publ. year: 1991
Data based on: Field experience
Description: The handbook provides failure rate data for a wide variety of component types including mechanical, electromechanical, and discrete electronic parts and assemblies. Data represents a compilation of field experience in military and industrial applications, and concentrates on items not covered by MIL-HDBK 217, "Reliability Prediction of Electronic Equipment". Data tables include part descriptions, quality levels, application environments, point estimates of failure rate, data sources, number of failures, total operating hours, and detailed part characteristics.

Reliability Data for Computer-Based Process Safety Systems, ref. /8/
Author: Lars Bodsberg
Publisher: SINTEF Safety and Reliability, Trondheim, Norway
Publ. year: 1989
Data based on: Field experience/expert judgement
Description: The report presents field data and guide figures for prediction of reliability of computer-based process safety systems. Data is based on review of oil company data files, workshop with technical experts, interviews with technical experts and questionnaires.

T-boken: Reliability Data of Components in Nordic Nuclear Power Plants, ref. /6/
Authors: ATV-kansliet and Studsvik AB
Publisher: Vattenfall, Sweden
Publ. year: Version 3, 1992
Data based on: Field experience
Description: The handbook (in Swedish) provides failure rate estimates for pumps, valves, instruments and electropower components in Nordic nuclear power plants. The data are presented as constant failure rates, with respect to the most significant failure modes. Mean active repair times are also recorded.

FARADIP.THREE, ref. /7/
Author: David J. Smith
Publisher: Butterworth-Heinemann Ltd., Oxford, England
Publ. year: Fourth edition, 1993
Data based on: Mixture of field experience and expert judgement
Description: The textbook "Reliability, Maintainability and Risk - Practical Methods for Engineers" (ref. /7/) has a specific chapter and an appendix on failure rate data. The data presented are mainly compiled from various sources, such as MIL-HDBK-217, NPRD-1985 (i.e. the 85 version of NPRD-91) and OREDA Handbook 1984. The failure rate data presented in the textbook is an extract from the database FARADIP.THREE.

2.3 Summary Table of PDS Input Data

Tables 2 - 4 summarise the recommended input data to PDS analysis. The definition of the column headings relates to the parameter definitions given in Chapter 2.1.

Some comments, based on the expert judgement session performed during the previous and present study, are given below, in particular on the given values for TIF and coverage.

2.3.1 TIF probabilities

Process switches
A TIF probability, 10^-3, is assigned to the switch itself, essentially caused by human intervention (e.g. [...]). By including the sensing line (piping), the TIF probability may increase to 5·10^-3, unless a perfect functional testing is carried out, which also detects blocking of the sensing line.

Process transmitters
Transmitters have a "live signal". Thus, blocking of the sensing line is detected by the operator and is included in $\lambda_{det}$. Also a significant part of failures of the transmitter itself (all "stuck" failures) are detected by the operator and contribute to $\lambda_{det}$. Thus, the TIF probability is less than that of the switch. Smart and field bus transmitters are, due to more complete testing, expected to have even smaller TIF.

Gas detectors
Note that a new expert judgement session was performed during the 1998 study, giving TIF values for gas detectors differentiated with respect to detector type (point or line), the size of the leakage, and other conditions expected to influence the TIF probability for IR detectors. See Chapter 3 for details. A TIF probability for catalytic gas detectors was not evaluated as this technology is considered to be old and less relevant.

Fire detectors
It is assumed that a detector with the "right" detection principle is applied (smoke detectors are applied where smoke fires are expected and flame detectors where flame fires are expected). Even so, there is a possibility that a fire may occur which gives a very low probability of detection by the detector [...]. Due to this fact an interval is provided for each detector. The TIF values will, in addition to the size of the fire, essentially depend on the location/environment of the detector (indoor/outdoor, process area/living quarter). For smoke detectors [...] detectors generally serve as a secondary barrier, and the value is significantly greater. Flame detectors are reliable unless [...] (estimated TIF = 3·10^-4), but oil fires in process areas will develop [...] smoke, and a TIF probability as high as 0.5 could apply.

PLC systems
The TIF for the logics is essentially [...] software errors. For standard systems, the estimate TIF = 5·10^-[...] applies.

Valves
The TIF probability for ESVs will depend on the type of functional testing. If the ESV is shut in completely and pressure tested, TIF = 10^-6 (this value is [...] because of the possibility of human errors, e.g. related to bypass and improper testing). If the "functional testing" just involves a check that the valve moves (starts closing) on demand, the value 10^-5 is suggested. This TIF value also applies for control valves. All these values include the pilot valve. The major contribution to the TIF probability for PSVs is wrong set point due to error of the maintenance crew, and the same TIF value as used for switches is suggested (sensing line not included).

2.3.2 Coverages

Sensors
Line testing gives a coverage of 20% for switches, conventional transmitters and ESD push buttons. In addition operators detect a significant part of process transmitter failures (transmitter being stuck), giving a total coverage for transmitters which is significantly higher. For gas detectors also drift is detected (low alarm) and this may cause trips to be prevented. The given coverage for smoke detectors applies for analog sensors.

Control logic
For bus coupler and communication unit 100% of trip failures actually gives trip. Further, it is estimated that 95% of loss of safety failures are detected, and a FTO failure is prevented.

Valves
No automatic self-test for valves. It is estimated that operators detect 65% of critical failures (stuck failures) for control valves. There are [...] SO failures on valves detected by continuous condition monitoring in the OREDA Phase IV data. It is assumed that these failures are detected by operators and thus included in the SO coverage.

Note that these values are partially updated with the OREDA Phase IV data, see also the comments in Section 2.2.

2.3.3 P-factors

When quantifying the reliability of systems employing redundancy, e.g., duplicated or triplicated systems, it is essential to distinguish between independent and dependent failures. Normal ageing failures (see /14/) are usually considered as independent failures. However, both physical failures due to excessive stresses/human interaction and all functional failures are by nature dependent (common cause) failures. Dependent failures can lead to simultaneous failure of more than one module in the safety system, and thus reduce the advantage of redundancy.

In PDS dependent failures are accounted for by introducing a multiplicity distribution. The multiplicity distribution specifies the probability that - given that a failure has occurred - exactly k of the n redundant modules fail. Here, k equals 1, 2, ..., n. The probability of k modules failing simultaneously is denoted $p_k$.

As an example, consider the multiplicity distribution for a duplicated system, see Figure 3. Here $p_1$ = 0.90 is the probability that just one module has failed, and the probability that both modules have failed is 0.10.

[Figure 3 Example of multiplicity distribution for duplicated components. Reliability block diagram of the redundant modules, showing Unit A single failure, B single failure, and simultaneous failure of A and B.]

Table 6 presents recommended p-factor distributions adopted from /11/. The distributions are presented for the following degrees of dependency:

• Low
• Medium
• High
• Complete

Table 5 presents guidelines for selecting appropriate degree of dependency (adopted from /11/).

[Table 2 Failure rates, coverage and TIF probabilities for input devices. Columns: Component; $\lambda_{crit}$ per 10^6 hrs; Coverage $c^{FTO}$, $c^{SO}$; $\lambda^{FTO}_{undet}$, $\lambda^{SO}_{undet}$ per 10^6 hrs; TIF. Rows: Process Switch, Conventional 1); Pressure Transmitter; Level (displace) Transmitter; Temperature Transmitter; Flow Transmitter; Gas detector, catalytic; Gas detector IR point; Gas detector IR line; Smoke detector; Heat detector; Flame detector; ESD Push button.]

1) Data primarily apply for pressure switches
2) Without/with the sensing line
3) For smart/conventional, respectively
4) The range gives values for large to small gas leaks (large gas leaks are leak > 1 kg/s)
5) For smoke and flame fires, respectively
6) The range represents the occurrence of different types of fires (different locations)
7) For flame and smoke fires, respectively
8) Average over ventilation type and best/worst conditions, see Chapter 3

[Table 3 Failure rates, coverage and TIF probabilities for control logic. Columns as in Table 2. Rows: Field bus coupler; Control logic units.]

1) Note that the value for one signal path is somewhat less than this value
2) For TÜV certified and standard system, respectively

[Table 4 Failure rates, coverage and TIF probabilities for output devices. Columns as in Table 2. Rows: ESV X-Mas; Other ESV (main valve + actuator); Pilot valve; Control valve, small; Control valve, large; Pressure relief valve, PSV.]

1) For complete and incomplete functional testing, respectively
2) Note that trip of ESV does not necessarily lead to system trip

Page 12: Sintef STF38 Reliability Data for Control and Safety Systems (1998)

22

Table 5 β-factors of various components

Component

Fire/gas detector

term 1)

β-factor distribution

λFTO

λSO

Pressure switch

TIF<0.2

2: Medium dependence

Pressure

transmitter

Comment

TIF>0.2

3: High dependence

ut devices

Field bus

transmitters

4: Complete dependence

Same manufacturer, environment and maintenance contribute to CCFs

all

"iO

Same location and design give high fraction of CCFs

all

2: Medium dependence

PLC

Almost complete dependence when the detectors are applied in scenarios which they are not designed to handle

1: Low dependence

all

Output devices/Valves

Same manufacturer, medium, location and maintenance contribute to CCFs

Pilot valves on same valve

1: Low dependence

all

Field data shows a significantly lower fraction of common cause failures for transmitters as compared to switches

Pilot valves on different valves

2: Medium dependence

ESV

Application software has a lower fraction of CCFs than the system software

all

Couplers

Table 6 Recommended β-factor distributions

all

2: Medium dependence

System software errors give a rather high contribution to CCFs. Other functional failures also contribute.

all

1: Low dependence

1) specifies which failure rate/probability the given distribution applies for

1: Low dependence

all

Same design, location, control fluid and maintenance contribute to CCFs

Lower fraction of CCFs when pilots activate different ESVs

1: Low dependence

Same design, medium and maintenance contribute to CCFs. Field data indicate a relatively small fraction of CCFs.

Application software has a lower fraction of CCFs than system software

2.4 Further Work

Both the 95 edition and the present study illustrate that further work should be carried out on failure data definitions/classification to increase the credibility and validity of reliability analyses:

2.4.1 Variability of the TIF probability

For several components (e.g. sensors) there is obviously a wide range of TIF values that may apply, depending on various factors such as

- location (e.g. indoor/outdoor, process area/living quarter)

- detecdonPrinciPle- ;;;;s"(e'!'anaiogue/diqil4'Pginqn'].-,^^,,-- svstem boundary it'g' *ittt/*itttout impulse line)

- type of functional testing (perfect/incomplete)

- amount of self-test/monitoring

Anefforthasbeenmadetomeetthischallenge,b.ytyfaronlyforgasdetectofs.However,itisanobuiou, need to quantirv *"Ï:îö"t'ü+;;"':"t:::tí:i*l'r":*;mt"?iiî:ttr#åtå'åor.* ,vp.t, so that an appropriate T/F value' rerlecung

for actual studies'

2.4.2 Distinguish between design errors and human errors during testing

ItissuggestedthattheTlFprobabiÌityshouldberestrictedtoaccountforfac.*:'ll,arepresentfromday l, and which are ".""i';ä;#

in-ly uuto*utl"¡f"".,1"ìJ "tt' These are failures caused by

design enors, e.g' including *'å"î r""ìr* "f d".:t:'.t:-t-t';;i;-suggested th-i|1{ errors introduced bv

the maintenance crew upon testing (e.g. by-pass failures and inadequate testing) should be defined as

a separate category of failures, and not be included in the TIF-probability. Improved models should

;ää;t.a 6r fäitures inuoáuced during tunctional testing'

ñ-"er.. "f

d"pendenceruã¿ium I Irigh

r.'t.r.,.À.¡

0.98000.01800.0015


The above suggestions will make analyses more credible and accurate (plant specific), and it will facilitate the communication between analysts and maintenance/operational personnel. It will also make analyses more informative with respect to identifying factors that affect the reliability, and thus identifying means of improving system dependability.


3. A METHOD FOR OBTAINING APPLICATION SPECIFIC TIF PROBABILITIES

3.1 Introduction

In most RAMS analyses generic data are used as input parameters in quantitative dependability

assessments. These generic ä;;;;;;i ;uu"'ug" "¿*i;unJ

it is therefore desired to establish

a method for adjusting these average values to take specific

conditions into account. In this report

vr'e present a merhod f", "urrJtî;ïr;; "aà-u¡nut øt^git-iirryrrs. In future repofts we aim at

;.:"ï;ffi;;iit"¿"l"gv iÀ otñer parameters and equipment classes'

First the method is established and calibrated based on the results from an expert seminar. The main results are summarised in Section 3.5. Next the use of the method is described by a step by

step procedure, and an example is given, see Sections 3.7-3.8.

3.2 ConcePtual aPProach

A.conceptualhierarchicalmodelhasbeenestablishedrelatinginfluencin.gconditionstodirectfailure causes and the "rJ;î-T¡f;;"U,liry

as illustrated in Figure 4. This conceptual model

contains a set of baseline TIF values and relative importance (weights) of the various direct failure

causes.


Figure 4 Conceptual hierarchical structure

The total TIF probability is the sum of TIF-contributions from the following contributing classes (CC):

• Design errors (CC1) giving TIF1

• Wrong location (CC2) giving TIF2

• Insufficient functional test procedure or human errors (CC3) giving TIF3.

"Behind" each contributing class a set of direct failure causes (DC) are defined, for example "forget to test" and "wrong location by design". The importance of each direct failure cause

within a contributing class is given by a

weight (wDC). Finally the direct failure causes are

[Figure 4 labels: Generic baseline TIF values from expert seminar; Generic weights from expert seminar; Application specific scores (S)]


influenced by a set of influencing conditions (IC). These are conditions that are controllable by the operator/designer of the installation.

These baseline TIF values and the weights were established during an expert seminar. In a practical study the TIF probability is adjusted according to the state of a set of influencing conditions. A "check list" procedure is applied, where for each pre-defined influencing condition, a score is given representing the state for the particular application. A score is a number between -1 and +1. A score of -1 represents the "worst case", whereas +1 represents the "best case". See Table 7 for an example.

Table 7 Example of check list for TIF evaluation

3.3 Definitions

The following definitions will be used throughout this presentation:

• A contributing class (CC) is a class of direct failure causes that contribute to the TIF probability.

• A direct failure cause (DC) is a specific and clearly defined cause within one contributing class, influencing the TIF probability.

• An influencing condition (IC) is a condition that influences the probability of failures due to the relevant direct failure cause.

• A score (S) denotes the state of a specific influencing condition for a given application.

3.4 Method

The main idea is to establish the TIF contribution from each of the contributing classes, and then next evaluate the direct causes within each contributing class. The following contributing classes have been defined for gas detectors:

• Design errors (CC1)

• Wrong location (CC2)

• Insufficient functional test procedure or human errors (CC3)

In the expert seminar baseline numerical TIF-values were established for each contributing class, CC_i, i = 1,...,3. These baseline numerical TIF-values represent the anticipated range for TIF values for various conditions on an offshore installation. Notationally we let TIF_i,low correspond to the "best case" and TIF_i,high correspond to the "worst case" for contributing class i.

A set of direct failure causes are defined for each contributing class. For example for the contributing class wrong location the following direct failure causes are:

- Wrong location by design

- Wrong documentation at installation


- Modifications

For each conrributins crassíÍ:, iii;,il 1,r.î;îff::,ï:.Îî:1ît li;flft,l; l;;ï i:th*I

of these direct causes a ret¿

ilätillu*;; to 1007o for each contributins class'

Notethatadirectfailurecausedoesnotdirecdycorrespondtotheconditionsthatafecontrollableby a designer. Therefore *;;;Jt*ically focuses äi.,r'"ä"¿i,i"ns inJluenc.ing on a direct

ra'ur" caus". For example,r'.'i""'"i*,1"' "r l"::* 1;Lj;l=*il.:îT::"*:,tÏ:?:tl';odi'"å:;

liäi"îi,ïäffi: ;:îi,::iläiiin 'fi{*4;l r" ' p'""ir"¡ -arvsis a score w'r be

assigned to each of 'h"";;;'i;;' 1iråre -] I:t¡:'ii"ff.#äï:f:;#''Jgli:å"Ïi *;

rräri.Jlffiäîä:ilî.f:"T'":ïfi i"Jlffi;;;;iî' ür' possibre to estabrish an

application specrllc llr'

There is no straightforward manner to establish a relation between the scores and the TIF-values.

" r"iu,ioo p.";*"u * tti"iää t"d;;;;"å on tt'" following principles:

• TIF_i should equal TIF_i,low if all S_ij = 1

• TIF_i should equal TIF_i,high if all S_ij = -1

• If all S_ij equal 0 the TIF should equal the geometric mean of the low and high TIF-values.

Figure 5 illustrates the implications of this principle (TIF_high = 10^-1 and TIF_low = 10^-3).


Figure 5 TIF values as a function of score values

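The formula for adjusting the TIF for contributing class i is given by:

$$TIF_i = \sum_j wDC_{ij} \, (TIF_{i,low})^{\frac{1+S_{ij}}{2}} \, (TIF_{i,high})^{\frac{1-S_{ij}}{2}} \qquad (1)$$

and the total TIF for all contributing classes is given by:

$$TIF = \sum_i TIF_i = \sum_i \sum_j wDC_{ij} \, (TIF_{i,low})^{\frac{1+S_{ij}}{2}} \, (TIF_{i,high})^{\frac{1-S_{ij}}{2}} \qquad (2)$$

Note that average scores on all influence conditions gives: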


$$TIF_0 = \sum_i \sqrt{TIF_{i,low} \cdot TIF_{i,high}}$$

That is, TIF_0 is the sum of geometric means for each of the contributing classes.

3.5 Results from the expert seminar

The objective of the expert seminar was to

• Establish a set of "Contributing Classes" CC
• Establish a set of "Direct Causes" DC for each CC
• Establish a set of "Influencing Conditions" IC for each DC
• Establish TIF_low and TIF_high for each CC
• Establish relative weights wDC within each CC

Two different detection systems were considered:

• Infrared (IR) point detector
• Infrared line detector

In addition the following 8 different scenarios were considered:

• Small gas leakage in open area
• Small gas leakage in naturally ventilated area
• Small gas leakage in mechanically ventilated area
• Small gas leakage in ventilation intake
• Large gas leakage in open area
• Large gas leakage in naturally ventilated area
• Large gas leakage in mechanically ventilated area
• Large gas leakage in ventilation intake

where

• Small gas leakage, release rate < 1 kg/s
• Large gas leakage, release rate ≥ 1 kg/s

Note that such a scenario consideration is only necessary for contributing class CC2 = "wrong location".

On the expert seminar focus was on the qualitative identification of direct failure causes and influencing conditions. In addition, TIF-values were established for each contributing class for different detector types and scenarios. Based on the discussion on the expert seminar SINTEF has proposed numerical values for the "weights" of each direct failure cause, and performed a grouping of influencing conditions. The members of the "PDS-forum" have had these results for comments. Table 8 summarises CCs, DCs, ICs, wDC_ij's and TIF-values established during the expert seminar and the post processing of results.


Table 8 Overall results, TIF consiilerat"Ï t"t *

ËñãouiP.u*"t"rsettings .

(response time, sensitivitY etc'¡

Wrong ryPe ot detecror^

ioo"i."tioi "n"itonment2,

heavy/li ght

lns¡riion <¿tu*ings, taglists' air

@of weather

29

6äõlith h.^uY or light gasses

Giãe-mandqualitatitelY/ouantitâtively different from rue.

áemand (e'g., covered by plasuc oag'

wfong gas tyPe ând/of gas

ô'"äi.dEf C"'uã"t"ãor tesrcd'

forget to test" wfong documentatlon'

mis-understandings)

@odification

$Gt-. -a Pto""dures for

6Tvouss not t"mo"ed (wron g- derecro

úi'p"r*¿' forgel to remove bypass)

@uuitiry and

I No consideration of failure modes ae made

t T"moerature, pressure, flaring etc'

:i:m::ti;;!läation with respect to heavv/right gasses

Ëi@e' accessibilitv

Wpassed componens

ffidtitÑ(ti*t P*ssure' working


Table 9 TIF for CC2 "Wrong location", IR point detector

Ventilation type

Open

Naturally ventilated area

Mechanically ventilated area

Small gas leakage

Best

Ventilation intake

0.5

Table 10 TIF for CC2 "Wrong location", IR line detector

0.1

Worst

Ventilation type

5.10-3

104

0.9

Open

Naturally ventilated area

0.3

Large gas leakage

Best

Mechanically ventilated area

0.1

Small gas leakage

Best

0.01

lo'2

Ventilation intake

5.10-3

0.05

Worst

3.6 The relation between TIF and detector density

Note that when the values in Table 9 and Table 10 were established the following question was asked:

"Assume that there is only one detector installed to detect a gas leakage. What is the TIF-probability of not detecting such a leakage related to contributing class 'wrong location'?"

The figures given therefore contain two types of location errors:

• "local" effects related to a detector in an area containing gas

• "global" effects related to the fact that there might not be gas at all in the area where the detector is placed.

For a specific analysis where only one detector is considered, the TIF values may be used as stated in Table 9 and Table 10. However, in the situations where several detectors are used, it is not straightforward to use these results. When the total CSU is calculated, the "TIF-contribution" from each detector depends on the dependency, or so-called "β-factors", and it is reasonable to assign different dependency factors for the "local" and the "global" TIF-contribution.

l0-3

0.01

Wôrst

5.10-4

104

0.1

5.102

104

0.09


10-2

0.03

Larse sas leakaseBest


During the.expert se\ffipaiîJìffåi;:i,Hï:iir'iil::,:å'1'i":r',iïiî'ï;ilYïl;and "global" effects' surr¡

î{c, îlo"¡' eff ect, and'l 57o "global" effect

It is reasonable to assume that the "local" TIF-contribution does not depend on the density of

derectors. How ever,,n" ..

g r

"¡ ¿ï'i' !Ãp:lîl *rifu:itf"mi"uiÏäT ;Ïrì"Ë1tr

iffïä";;;;,i.: 1",,",jifii*lg'iJffJ,i",:i: fi: ffii;;; procedure suggested berow a

l'"'#"r:"i":iÏ" ä?.,Ï:* assumed

TIF10r

0.01

0.002

7o'2

1.10-3

Worst

2.lf

104

0.02

l.1o-2

2.10-3

r n-3

'Local"

Figure 6 TIF versus detector density

ro simp,irv *j,p:'f-::iiåîJiîi,îï:lfr Ëä,yi*Uk* :ffîffi":löJ$å

number per detector' try i:äî:iÄ"" þ*tr, o:t:t"^ot

ro..uure is pragmatic, ano is as follows:new TIF number i:,p::::.här'ciu

formurus. T¡e Ibe used as usual with the slanoarus uev ¡v^..'----

o. Denote this

r. For a given scenario,,ååro:i",ff"j:,",:,ï:,*iiyjfffif:tm;:it'ä*ratreastonenumber /<, where - = läfi;; å-nly on" d.t."tot.detecror. /( = 0 means *,1iÏi::;#''_-,,'_

= TIF r^,"t¡n"(t - o ;1 5k)

z ää"ïä'¡" ":ri::li:; :,{}: I{'*;;,i[]Xi.'3. This is rePeatedboth ro

3.7 Using the methodology

A step by step procedure is proposed to establish TIF-probabilities for a specific application.

Step 1: Identification of detection system

--:-r-^red line detector. This choice will determine

i'ti"t,.*g"^"t"::lîiîo',t#:å'o1"l,'J"ï';i:i';whether Table 9 or'l aole

Step 2: Identification of gas leakage size

The following definitions are used:

• Small gas leakage, release rate < 1 kg/s

• Large gas leakage, release rate ≥ 1 kg/s


Step 3: Identification of type of area
Data is available for the following types of area:
• Open
• Naturally ventilated area
• Mechanically ventilated area
• Ventilation intake

Step 4: Establishing correct TIF-values for "Location errors"
Based on the specifications in steps 1-3 it is possible to look up the correct values for TIF2,low and TIF2,high from Table 9 or Table 10.

Step 5: Gas leakage scenarioAs discussed in chapter 3.,6 the TIFz,tow and TlF2,¡¡r¡values in Table g or Table 10 represent theTIF for a "single detecror". T\.Tr-c:ntriuution fä derector i, tr",mlu* ãr.**y derectorswin be less than rhese values indicare. To adjust the TrF_varue th; ;.d;t*ñ;;rnr,,,

o, should be identified. We now define k such that k = 100% = 1 means that "it is likely" the gas cloud will reach at least one detector. k less than 1 means it is likely that there is no detector in that area where the gas cloud will pass.

Now calculate new TIF-values

TIF2,low = TIF2,low(1 - 0.75k)
TIF2,high = TIF2,high(1 - 0.75k)

These numbers are then to be inserted in Table 12, see discussion in Step 6.

Step 6: Identification of state of influencing conditions
Each influencing condition which has been identified should be evaluated with respect to the state for the particular analysis. Table 12 may be used as a starting point for this evaluation. In the rightmost column of Table 12 the application specific "scores" should be listed, where the following coding strategy may be used:

S = -1 - Worst state, i.e. no specific means has been identified
S = -½ - Bad state
S = 0 - Average state, or no information about this condition available
S = ½ - Good state
S = 1 - Best state, i.e. specific means have been implemented

An example of how the scores are entered is shown in Table 11.

Step 7: Calculation of average scores for each direct failure cause
The average score for each influencing condition relevant for that cause should be calculated and placed in column 3 of Table 12. Table 11 shows an example of such average calculation.


Step 8: Calculation of adjusted TIF for each contributing class (CC)

For each contributing class i, i = 1,...,3 the TIF contribution is calculated by the formula:

$$TIF_i = \sum_j wDC_{ij} \, (TIF_{i,low})^{\frac{1+S_{ij}}{2}} \, (TIF_{i,high})^{\frac{1-S_{ij}}{2}}$$

where the weights (wDC_ij) and scores (S_ij) are read from column 2 and 3 in Table 12.

Step 9: Calculation of total adjusted TIF

The TIF contributions from each contributing class are summed up:

TIF = TIF1 + TIF2 + TIF3

3.8 Calculation example

A calculation example is given to highlight the content of each step.

il1îJ;l*lrr3:îiïJ.i':iliiä.'ä:ä" a inrrared point detector' hence rabre e is

Step 4.

$i,3iJi:Xt'Iiåi:î,"[ätflT.t:"tiÍT,u," . lksls using rhe "rert" part or rabre e

Step 3: Identification of type of area

We assume that the gas leakage is in a mechanically ventilated area

Step 4: Establishing correct TIF-values for "Location errors"

Based on the specifications in Steps 1-3 we obtain TIF2,low = 5·10^-3 and TIF2,high = 0.1.

Step 5: Gas leakage scenario

ä:"d#;;;;;;:ti' '"öã¡z' = 0'33 (relativelv low densitv)' hence

TIF2,low = TIF2,low(1 - 0.75k) = 3.8·10^-3
TIF2,high = TIF2,high(1 - 0.75k) = 0.075

These values are used in Table 11.

Step 6: Identification of state of influencing conditions

The scores are shown in Table 11.

Step 7: Calculation of average scores for each direct failure cause

See Table 11 for calculation of average scores

Step 8: Calculation of adjusted TIF for each contributing class (CC)

The TIF contribution from each contributing class in Table 11 is based on the formula:


following

used in


$$TIF_i = \sum_j wDC_{ij} \, (TIF_{i,low})^{\frac{1+S_{ij}}{2}} \, (TIF_{i,high})^{\frac{1-S_{ij}}{2}}$$

Step 9: Calculation of total adjusted TIF
The TIF contributions from each contributing class are summed up:

TIF = TIF1 + TIF2 + TIF3 = 36.9·10^-3
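Steps 5 to 9 of the procedure in Sections 3.7-3.8, as an added Python example that is not code from the SINTEF report. The wrong-location baselines (5·10^-3 and 0.1) and k = 0.33 are the values of the calculation example; the weights, scores and the CC1/CC3 baselines are constructed for illustration, so the total is not the figure of Table 11.

```python
"""Application-specific TIF adjustment (steps 5-9). Added example."""
import math
from dataclasses import dataclass

GLOBAL_SHARE = 0.75  # factor in TIF2 * (1 - 0.75k), Step 5


@dataclass(frozen=True)
class DirectCause:
    name: str
    weight: float   # wDC_ij; weights sum to 1 (100 %) within a class
    scores: tuple   # one score S in [-1, 1] per influencing condition

    def mean_score(self) -> float:
        """Step 7: average score over the influencing conditions."""
        if not self.scores:
            raise ValueError(f"{self.name}: no influencing condition scored")
        if any(not -1.0 <= s <= 1.0 for s in self.scores):
            raise ValueError(f"{self.name}: score outside [-1, 1]")
        return sum(self.scores) / len(self.scores)


@dataclass(frozen=True)
class ContributingClass:
    name: str
    tif_low: float    # "best case" baseline
    tif_high: float   # "worst case" baseline
    causes: tuple


def density_adjust(tif: float, k: float) -> float:
    """Step 5: scale a single-detector wrong-location TIF by (1 - 0.75k)."""
    if not 0.0 <= k <= 1.0:
        raise ValueError("k must lie in [0, 1]")
    return tif * (1.0 - GLOBAL_SHARE * k)


def class_tif(cc: ContributingClass) -> float:
    """Step 8: sum_j wDC_ij * low^((1+S_ij)/2) * high^((1-S_ij)/2)."""
    if not 0.0 < cc.tif_low <= cc.tif_high <= 1.0:
        raise ValueError(f"{cc.name}: need 0 < low <= high <= 1")
    if not math.isclose(sum(c.weight for c in cc.causes), 1.0, abs_tol=1e-9):
        raise ValueError(f"{cc.name}: weights must sum to 1")
    total = 0.0
    for cause in cc.causes:
        s = cause.mean_score()
        total += (cause.weight
                  * cc.tif_low ** ((1 + s) / 2)
                  * cc.tif_high ** ((1 - s) / 2))
    return total


def total_tif(classes) -> float:
    """Step 9: sum the contributions of all contributing classes."""
    return sum(class_tif(cc) for cc in classes)


def build_example(k: float = 0.33):
    """IR point detector, small leak, mechanically ventilated area."""
    cc1 = ContributingClass(          # baselines and causes constructed
        "Design errors", 1e-4, 1e-3,
        (DirectCause("Wrong type of detector", 0.6, (0.5, 0.0)),
         DirectCause("Wrong parameter settings", 0.4, (1.0,))))
    cc2 = ContributingClass(          # baselines from the example, Step 4
        "Wrong location",
        density_adjust(5e-3, k), density_adjust(0.1, k),
        (DirectCause("Wrong location by design", 0.5, (0.5, 0.5)),
         DirectCause("Wrong documentation at installation", 0.3, (0.0,)),
         DirectCause("Modifications", 0.2, (-0.5, 0.5))))
    cc3 = ContributingClass(          # baselines and causes constructed
        "Functional test / human errors", 1e-3, 1e-2,
        (DirectCause("Forget to test", 0.5, (1.0, 0.5)),
         DirectCause("Bypass not removed", 0.5, (-1.0,))))
    return (cc1, cc2, cc3)


if __name__ == "__main__":
    classes = build_example()
    for cc in classes:
        print(f"{cc.name:32s} TIF = {class_tif(cc):.3e}")
    print(f"{'Total':32s} TIF = {total_tif(classes):.3e}")
```

A score of 0 on every condition returns the geometric mean of the two baselines, which is the calibration point of Figure 5.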


Table 11 Example calculation; adjusting the TIF probability


Table 12 Check list for influencing conditions


and quaìitatively/vely differentdemand


4. DATA DOSSIERS

The following pages present the data dossiers of the control and safety system components. These are the input to Table 2-Table 4, summarising the "recommended" generic input data to PDS-II analyses.

The data dossiers are based on those in the 95 edition /13/, which contains failure mode abbreviations no longer used in OREDA. Definitions of these abbreviations are given in /13/ and /17/.

Following the definition used in OREDA, several severity class types are referred to in the data dossiers. The various types are defined as follows:

Critical failure

A failure which causes immediate and complete loss of a system's capability of providing its output.

Degraded failure

A failure which is not critical, but which prevents the system from providing its output within specifications. Such a failure would usually, but not necessarily, be gradual or partial, and may develop into a critical failure in time.

Incipient failure

A failure which does not immediately cause loss of a system's capability of providing its output, but which, if not attended to, could result in a critical or degraded failure in the near future.

Unknown

Failure severity was not recorded or could not be deduced.

Note that only failures classified as critical are presented and included in the estimates of the 93 edition.

Bypass not removed

I TIF3 r"- = 0.001; 1¡R "'",

0.02

I Total all contribution classes

31

TIF = TIFI +


Component: Process Switch, Conventional

Description

Pressure switch including sensor and

pneumatic switch

Reliability Data Dossier - PDS-data

Recommended Values for Calculation


Total rate

FTO 2.3 per 10^6 hrs

SO 1.1 per 10^6 hrs

Overall 3.4 per 10^6 hrs

Date of Revision

1999-01-11

Previously Recommended Values for Calculation (95 edition)

λdet = 1.0 per 10^6 hrs

λFTO = 2.5 per 10^6 hrs Coverage

λSO = 2.5 per 10^6 hrs

λcrit = 6.0 per 10^6 hrs TIF-probability


1) Without/with the sensing line

Failure Rate Assessment

The given failure rate essentially applies to pressure switches. The failure rate estimate is an update of the previous estimate - mainly based on OREDA-84 and PDS I - with the complete OREDA phase III data (phase IV contains no data on process switches). The estimated coverage is based on expert judgement (assuming 20% coverage) and the observed coverage (100% in OREDA phase III). The rate of FTO failures is estimated assuming a coverage of 90% (previously assumed

'o O"'i*''observed in OREDA Phase III was IOO 7o)' The rate of SO

failures is estimated assuming a coverage of 20% (previous estimate, expert judgement).

Undetected

0.2 per 10^6 hrs

0.9 per 10^6 hrs

10^-3 - 5·10^-3 1)

Component: Process Switch, Conventional

The TIF-probability is entirely based on expert judgements. Details on the expert judgement are found in the appendix. A summary of some of the main arguments is provided in Section 2.3.

Reliability Data Dossier - PDS-data

Overall

failure rate

(per 106 hrs)

FTO: 1.39

SO: 0.00

Observed:

cFTO = 100 %

Data relevant for conventional process switches. Phase IV Software /15/.

Filter:
Inv. Equipment Class = PROCESS SENSORS AND
Inv. Design Class = Pressure
Inv. Att. Type process sensor = Switch AND
Inv. Phase = 4 AND
(Inv. System = Gas processing OR Oil processing) AND
Fail. Severity Class = Critical

No. of inventories = 12

No. of critical FTO failures = 1

No. of critical SO failures = 0

FTO: 0.61

SO: 1.15

Other: 032

Cal. time ='l19 I

T-boken /6/: Pressure switch

FTO: 2.28

SO: 0.32

Other: 0.37

T-boken /6/: Pressure differential switch

For FTO: e=0'149 Per 10' demands

T-boken /6/: Flow switch

0.61

0.15

2.O4

T-boken /6/: Level switch


Module: Input Devices

Component: Process Switch, Conventional

Failure Rate References

Overall

failure rate

(per 10^6 hrs)

Reliability Data Dossier - PDS-data

Lo Me Hi1540

Failure mode

distributíon

In Med. Hi2520

FTO:

SO:


Lo Med. Hi440

IÐ Med. Hi320

Data source/comment

0.25

0.15

T-boken /6/: Temperature switch

5.6

FARADIP.THREE /7/: Pressure switch

FARADIP.THREE /7/: Level switch

FTO/Phys. 0.1

FTO/Funct. 2.0

FTO/Total 2.1


5;Ì

FARADIP.THREE /7/: Flow switch

5.2

FARADIP.THREE /7/: Temperature switch

SO/Phys.

SO/Funct.

SO/Total

6.8

PDS I /8/: Pressure switch (normally energized)

Note! Both physical and functional failures are included.

Only critical failures are included.

1.5

2.0

3.5

Component: Pressure Transmitter, Conventional

Description

The pressure transmitter includes the

sensing element, local electronics and the

process isolation valves.

Reliability Data Dossier - PDS-data

OREDA-84 /3/: Pressure switch, Pneumatic, low pressure (less than 1500 psig)

OREDA-84 /3/: Pressure switch, Pneumatic, high pressure (1500 psig or greater)

OREDA-84 /3/: Pressure switch, Electric

OREDA IV - /13/: Pressure switch, total

Total rate

FTO 0.8 per 10^6 hrs

SO 0.5 per 10^6 hrs

Overall 1.3 per 10^6 hrs

Date of Revision

1999-01-11

Previously Recommended Values for Calculation (95 edition)

λdet = 0.9 per 10^6 hrs Coverage = 0.60

λFTO = 0.1 per 10^6 hrs

λSO = 0.5 per 10^6 hrs

ñ --^L^Lilit\' = 5'10'L¡, = 1'5 per 106 hrs TlF-probability

- smart transm. = 3·10^-4

Undetected

0.1 per 10^6 hrs

0.4 per 10^6 hrs

= 5·10^-4

Failure Rate Assessment

The failure rate estimate is an update of the previous estimate - mainly based on OREDA III -

with .REDA phase lV u^tJni" ;;;' *å '"ei'tt'". ;ô*o nn^e Iv' The rate of FTo

failures is estimated """*;;;-';;""' t no *f"*l;t*;X"tl-*n:'Ti"ï:lt' .'

î* ì^" "t

to failures is estimated assuming a coverag


Component: Pressure Transmitter, Conventional

The TIF-probability is entirely based on expert judgements. Details on the expert judgement are

found in the appendix. A summary of some of the main arguments is provided in Section 2.3.

Reliability Data Dossier - PDS-data

OREDA Phase IV Software /15/.

Data relevant fof conventtonal pressure transmit-

Filter:
Inv. Equipment Class = PROCESS SENSORS AND
Inv. Design Class = Pressure AND
Inv. Att. Type process sensor = Transmitter AND
Inv. Phase = 4 AND
(Inv. System = Gas processing OR Oil processing) AND
Fail. Severity Class = Critical

Module: InPut Devices

Component: Pressure Transmitter, Conventíonal

FTO:

SO:

Observed:

No. of inventories = 205

No. of critical FTO failures = 0

No. of critical SO failures = 0

Overall

failure rate

(per 10^6 hrs)

cFTO = 100 %

(Calculated including transmitters having some kind of self-test arrangement only.)

OREDA Phase III /1/ Database PS31-.

Data relevant for conventional pressure transmitters.

Filter criteria: TAXCOD='PSPR' .AND. FUNCTN='OP'

No. of inventories = 186

Total no. of failures = 89

Cal. time = 4 680 182 hrs

Note! Only failures classified as "critical" are included in the failure rate estimates.

T-boken /6/: Pressure transmitter

OREDA IV - /13/: Pressure switch, total

Module: InPut Devices

Component: Level (Displacement) Transmitter, Conventional

Description

The level transmitter includes the sensing

element, local electronics and the process

isolation valves.

Reliability Data Dossier - PDS-data

Recommended Values for Calculation

Total rate

FTO 1.4 per 10^6 hrs

SO 1.5 per 10^6 hrs

Overall 3.1 per 10^6 hrs

Date of Revision

1999-01-11

Remarks

Only displacement level transmitters are included in

Previously Recommended Values for Calculation (95 edition)

λdet = 4.5 per 10^6 hrs Coverage = 0.75

λFTO = 0.5 per 10^6 hrs

λSO = 1.0 per 10^6 hrs

L¡, = 6.0 per 106 hrs TlF-probability = : l:1smarttransm' - 3'10-

the OREDA Phase III and IV data

Coverage

0.90

0.50

TIF-probability

Undetected

0.1 per 10^6 hrs

0.8 per 10^6 hrs

= 5·10^-4

Failure Rate Assessment

The failure rate estimate is an update of the previous estimate - mainly based on OREDA III - with OREDA phase IV data. The rate of FTO failures is estimated assuming a coverage of 90% (observed in OREDA Phase III was 100%). The rate of SO failures is estimated assuming a coverage of 50% (previously assumed to be 20%, observed in OREDA Phase IV was 100%).

Module: Input Devices

Component: Level (Displacement) Transmitter, Conventional

TIF-probability Assessment

The TIF-probability is entirely based on expert judgements. Details on the expert judgement are

found in the appendix. A summary of some of the main arguments is provided in Section 2.3.

Reliability Data Dossier - PDS-data

Failure Rate References

Overall

failure rate

(per 10^6 hrs)

1.89

Failure mode

distribution

FTO: 0.00

SO: 1.89

Observed:

cSO = 100 %

Data source/comment

OREDA Phase IV Software /15/.
Data relevant for conventional displacement level transmitters.

Filter:
Inv. Equipment Class = PROCESS SENSORS AND
Inv. Design Class = Level AND
Inv. Att. Type process sensor = Transmitter AND
Inv. Att. Level sens. princ. = Displacement AND
Inv. Phase = 4 AND
(Inv. System = Gas processing OR Oil processing) AND
Fail. Severity Class = Critical

No. of inventories = 17
No. of critical FTO failures = 0
No. of critical SO failures = 1
Cal. time = 530 208

6.17 FTO: 4.94

SO: 1.23

Observed:

cFTO = 100 %

(Calculated including transmitters having some kind of self-test arrangement only.)

OREDA Phase III /1/ Database PS31-.
Data relevant for conventional displacement level transmitters.

Filter criteria: TAXCOD='PSLE' .AND. FUNCTN='OP' .OR. 'GP'

No. of inventories = 65

Total no. of failures = 50

Cal. time = 1 620 177 hrs

Note! Only failures classified as "critical" are included in the failure rate estimates.

FTO: 0.21 T-boken /6/: Level transmitter

Component: Level (Displacement) Transmitter, Conventional

Reliability Data Dossier - PDS-data

(per 10^6 hrs)

Lo Med. Hi

10 20


irln¡g tZ' t-*el transmitter

OREDA IV - /13/: Pressure switch, total

Module: InPut Devices

Component: Temperature Transmitter, Conventional

Description

The temperature transmitter includes the

sensing element, local electronics and the

process isolation valves.

Reliability Data Dossier - PDS-data

Recommended Values for Calculation

Total rate

FTO 0.7 per 10^6 hrs

SO 1.1 per 10^6 hrs

Overall 1.8 per 10^6 hrs

Date of Revision

1999-01-11

Remarks

Note that the data material for temperature

transmitters is scarce, i.e., the failure rate estimate

Previously Recommended Values for Calculation (95 edition)

λdet = 3.0 per 10^6 hrs Coverage

λFTO = 0.5 per 10^6 hrs

λSO = 1.5 per 10^6 hrs

λcrit = 5.0 per 10^6 hrs TIF-probability

- smart transm.

Coverage Undetected

0.60 0.3 per 10^6 hrs

0.60 0.4 per 10^6 hrs

TIF-probability = 5·10^-4

smart transm. = 3·10^-4

F ailure Rat e As s e s s ment

The failure rate estimate is an update of the previous estimate - based on OREDA Phase III including some expert judgement due to scarce data - with OREDA phase IV data. The

distribution between (undetected) FTO- and SO-failures is based on the distribution for pressure

and flow transmitters. The overall coverage given above is estimated mainly based on expert

= 5·10^-4

= 3·10^-4

Component: Temperature Transmitter, Conventional

TIF-probability Assessment

The TIF-probability is entirely based on expert judgements. Details on the expert judgement are

found in the appendix. A summary of some of the main arguments is provided in Section 2.3.

Reliability Data Dossier - PDS-data

OREDA Phase IV Software /15/.

Data relevant for conventional temperature

Filter:
Inv. Equipment Class = PROCESS SENSORS
Inv. Design Class = Temperature
Inv. Att. Type process sensor = Transmitter
Inv. Phase = 4
(Inv. System = Gas processing
Oil processing)
Fail. Severity Class = Critical

No. of inventories = 19

No. of critical FTO failures = 0

No. of critical SO failures = 0

FTO: 5'06

Component: Temperature Transmitter, Conventional

Observed:

cFTO = 100 %

(Calculated including transmitters having some kind of self-test arrangement only.)

Reliability Data Dossier - PDS-data

OREDA Phase III /1/ Database PS31-.

Data relevant for conventional temperature

transmitter.

Filter criteria: TAXCOD='PSTE' .AND. FUNCTN='OP' .OR. 'GP'

No. of inventories = 8

Total no. of failures = 7

Cal. time = 197 808 hrs

Note! Only failures classified as "critical" are included in the failure rate estimates.

T-boken /6/: Temperature transmitter

FARADIP.THREE /7/: Temperature trans-


Module: InPut Devices

Component: Flow Transmitter, Conventional

Description

The flow transmitter includes the sensing

element, local electronics and the process

isolation valves.

Reliability Data Dossier - PDS-data

Recommended Values for Calculation

FTO

SO

Date of Revision

1999-01-11

Total rate

1.5 per 10^6 hrs

2.2 per 10^6 hrs

Overall 3.7 per 10^6 hrs

Remarks

Previously Recommended Values for Calculation (95 edition)

λdet

λFTO

λSO

Coverage

0.60

0.50

TIF-probability

- smart transm.

1.5 per 10^6 hrs

0.1 per 10^6 hrs

1.4 per 10^6 hrs

3.0 per 10^6 hrs

λcrit

Failure Rate Assessment

The failure rate estimate is an update of the previous estimate - based on OREDA III - with OREDA phase IV data. The rate of FTO failures is estimated assuming a coverage of 60% (observed in OREDA Phase III and IV was 100% and 0%, respectively). The rate of SO failures is estimated assuming a coverage of 50% (previously assumed to be 20%, observed in OREDA Phase IV was 100%). The SO failure rate includes 'Erratic output' failures.

Undetected

0.6 per 106 hrs

1.1 per 106 hrs

5.1043.104

Module: Input Devices

Coverage

Component: Flow Transmitter, Conventional

T I F -pro b abilify As s e s sment

The TlF-probability is entirely based on expert judgements. Details on the expert judgement is

found in the appendix. A summary of some of the main arguments are provided in Sectíon 2.3.

TIF-probability

- smart transm.

0.50

Reliability¡Data'Dossier,' -,, PDS-.data

F ailare :Rate Refere nc e s

OveraII

failure rate

þer 1Ú hrs)

5.1043 . l0-4

5.70

Failure mode

distribution

FTO: 2.85

SO: 2.85

Obsemed:

cfro = 7Vo

"so = 100 Vo

51

Data source/comment

OREDA Phase IV Software /15/.Data relevant for conventional flow transmit'ters.

Filter:Inv.EquipmentClass =PRocEssSENsoRs ANDInv. Design Class = Flow ANDInv. Att. Type process sensor=Transmitter ÀNDInv.Phase=4 AND

(Inv. System = Gas processing OROil processing) ANDFail. Severity Class = Critical

No. ofinventories = 10

No. of critical FTO failures = INo. of critical SO failures = 1

Cal. time = 350 640

2.89 FTO:

SO:

Obsertted:

cno = 100 lo(Calculated including

transmitters having

some kind of self-test

arrangement only,)

1.24

1.ó5

OREDA Phase III /1/ Database PS3l-.Data relevant for conventional flow transmit-

ters.

Filter criteria: TAXcoD=ÞsFL' .AND. FUNcTN=L

oP'.oR.'GP'

No. of inventories = 72

Total no. of failu¡es = 92

Cal- time =2422200h¡sNote! Onlyfailures classified as "critical" are

included in the failure rate estimates.


Module: Input Devices

Component: Flow Transmitter, Conventional

Reliability Data Dossier - PDS-data

Failure Rate References

Overall failure rate (per 10⁶ hrs)

Lo Med. Híl5zu

Failure mode

distribution

FTO: 0.25

Data source/comment

T-boken /6/: Flow transmitter

FARADIP.THREE /7/: Flow transmitter

Component: Catalytic Gas Detector, Conventional

Description

The detector includes the sensor and local electronics such as the address/interface unit.

Reliability Data Dossier - PDS-data

Date of Revision: 1999-01-11

          Total rate   Coverage   Undetected
FTO   1.6 per 10⁶ hrs   0.60   0.6 per 10⁶ hrs
SO   0.7 per 10⁶ hrs   0.40   0.4 per 10⁶ hrs
Overall   2.3 per 10⁶ hrs   TIF-probability see section ...

Previously Recommended Values for Calculation (95 edition)

λ_det = 3.0 per 10⁶ hrs
λ_FTO = 1.5 per 10⁶ hrs
λ_SO = 1.0 per 10⁶ hrs
λ_crit = 5.5 per 10⁶ hrs   TIF-probability = 3·10⁻⁴ - 0.1 ¹⁾

¹⁾ Large to small gas leaks

Failure Rate Assessment

Due to additional phase III data the failure rate estimate is updated iteratively. The previous estimate is updated with the final phase III data, and this estimate is finally updated using the OREDA phase IV data. The rate of FTO failures is estimated assuming a coverage of 60 % (previously assumed to be 90 %, observed in OREDA phase III was 38 %). The rate of SO failures is estimated assuming a coverage of 40 % (previously assumed to be 20 %, observed in OREDA phase III was 100 %). The FTO failure rate includes 'No output' and 'Very low output' failures.


Component: Catalytic Gas Detector, Conventional

TIF-probability Assessment

The TIF-probability is entirely based on expert judgements. Details on the expert judgements are found in the appendix. A summary of some of the main arguments is provided in Section 2.3.

Reliability Data Dossier - PDS-data

Failure Rate References

OREDA Phase IV Software /15/.
Data relevant for conventional catalytic gas detectors.
Filter:
Inv. Eq. Class = FIRE & GAS DETECTORS
Inv. Att. Sensing principle = Catalytic
Inv. Phase = 4
Fail. Severity Class = Critical
No. of inventories = 24
No. of critical FTO failures = 0
No. of critical SO failures = 0

NOO: 3.62
SHH: 0.79
Sum FTO: 4.41

OREDA Phase III /1/ Database FG31-.
Data relevant for conventional catalytic gas detectors. More than 97 % of the detectors have automatic loop test.
Filter criteria: TAXCOD='FGHC', SENSPRI='CATALYTIC'
No. of inventories = 2 046
Total no. of failures = 1 749
Cal. time = 49 185 572 hrs
Note! Only failures classified as "critical" are included in the failure rate estimates.

Observed:
c_FTO = 64 %
(Calculated including detectors having some kind of self-test arrangement only)

Overall failure rate (per 10⁶ hrs)

Failure mode distribution
FTO_det: 0.5
FTO_undet: 1.4
SO_det: 0.2
SO_undet: 0.4

5.09

Data source/comment

Oseberg C /4/.
Data relevant for conventional catalytic gas detectors.
No. of inventories = 431
No. of failures = 85 (25 critical)
Time = 10 215 888 hrs
Note! Only failures classified as "critical" are included in the failure rate estimates.

FTO/Nat.aging 3.83
FTO/Stress 0.06
FTO/Intervent. 0.17
FTO/TOTAL 4.06
SO/Nat.aging 0.74
SO/Stress 0.06
SO/Intervent. 0.06
SO/Input 0.17
SO/TOTAL 1.03

VULCAN /5/:
Failure rates are split into, in addition to failure modes, failure categories, following the "PDS-model".

FTO/Phys. 1
FTO/Funct. 2
FTO/TOTAL 3
SO/Phys.
SO/Funct.
SO/TOTAL

Note! Only failures classified as "critical" are included in the failure rate estimates.

PDS I /8/: Gas detector

I3

/

Note! Both physical and functional failures are included.
Only critical failures are included.


Module: Input Devices

Component: IR Gas Detector, Conventional

Description

The detector includes the sensor and local electronics such as the address/interface unit.

Reliability Data Dossier - PDS-data

Date of Revision: 1999-01-11

Recommended Values for Calculation

          Total rate   Coverage   Undetected
FTO   3.3 per 10⁶ hrs   0.80   0.7 per 10⁶ hrs
SO   0.3 per 10⁶ hrs   0.70   0.1 per 10⁶ hrs
Overall   3.6 per 10⁶ hrs   TIF-probability see section

Remarks

Previously Recommended Values for Calculation (95 edition)

λ_det = 2.9 per 10⁶ hrs   Coverage = 0.70
λ_FTO = 1.0 per 10⁶ hrs
λ_SO = 0.1 per 10⁶ hrs
λ_crit = 4.0 per 10⁶ hrs   TIF-probability = 3·10⁻⁴ - 0.1 ¹⁾

¹⁾ Large to small gas leaks

Failure Rate Assessment

The failure rate estimate is an update of the previous estimate - essentially based on the Oseberg C data - with OREDA phase IV data. The rate of FTO failures is estimated assuming a coverage of 80 % (previously assumed to be 70 %, observed in OREDA Phase IV was 100 %). The rate of SO failures is estimated assuming a coverage of 70 % (previous estimate). The FTO failure rate includes 'No output' failures.

TIF-probability Assessment

The TIF-probability is entirely based on expert judgements. Details on the expert judgements are found in the appendix. A summary of some of the main arguments is provided in Section 2.3.

Failure Rate References

Overall failure rate (per 10⁶ hrs): 3.49
Failure mode distribution: FTO: 3.49, SO: 0.00
Observed: c_FTO = 100 %, c_SO = } %
Data source/comment: OREDA Phase IV Software /15/. Data relevant for conventional IR gas detectors.
Filter: Inv. Eq. Class = FIRE & GAS DETECTORS AND (Inv. Att. Sensing principle = IR OR Inv. Att. Sensing principle = IR/UV) AND Inv. Phase = 3 AND Fail. Severity Class = Critical
No. of inventories = 54
No. of critical FTO failures = 4
No. of critical SO failures = 0
Cal. time = 1 147 176

Overall failure rate (per 10⁶ hrs): 4.1
Failure mode distribution: FTO_det: 2.9, FTO_undet: 1.2, SO_det: 0, SO_undet: 0
Data source/comment: Oseberg C /4/. Data relevant for conventional IR gas detectors.
No. of inventories = 41
Total no. of failures = 26 (4 critical)
Time = 977 472 hrs
Note! Only failures classified as "critical" are included in the failure rate estimates.


Module: Input Devices

Component: Smoke Detector, Conventional

Description

The detector includes the sensor and local electronics such as the address/interface unit.

Reliability Data Dossier - PDS-data

Date of Revision: 1999-01-11

Recommended Values for Calculation

          Total rate   Coverage   Undetected
FTO   1.3 per 10⁶ hrs   0.40   0.8 per 10⁶ hrs
SO   2.4 per 10⁶ hrs   0.50   1.2 per 10⁶ hrs
Overall   3.7 per 10⁶ hrs   TIF-probability = 10⁻³ - 0.05 ¹⁾

¹⁾ The range represents the occurrence of different types of fires (smok

Previously Recommended Values for Calculation (95 edition)

λ_det = 1.5 per 10⁶ hrs   Coverage
λ_FTO = 0.5 per 10⁶ hrs
λ_SO = 2.0 per 10⁶ hrs
λ_crit = 4.0 per 10⁶ hrs   TIF-probability = 10⁻³ - 0.05 ¹⁾

¹⁾ The range represents the occurrence of different types of fires (smoke/fl

Failure Rate Assessment

The failure rate estimate is an update of the previous estimate - based on OREDA Phase III data - with complete OREDA III data (no inventories in phase IV). The rate of FTO failures is estimated assuming a coverage of 40 % (observed in OREDA incomplete and complete Phase III was 29 % and 50 %, respectively). The rate of SO failures is estimated assuming a coverage of 60 % (previously assumed to be 2\ %, observed in OREDA (complete) Phase III was 98 %).

Module: Input Devices

Component: Smoke Detector, Conventional

TIF-probability Assessment

The TIF-probability is entirely based on expert judgements. Details on the expert judgements are found in the appendix. A summary of some of the main arguments is provided in Section 2.3.

Reliability Data Dossier - PDS-data

Failure Rate References

Overall failure rate (per 10⁶ hrs): 3.70
Failure mode distribution: FTO: 1.31, SO: 2.39
Observed: c_FTO = 50 %, c_SO = 98 %
Data source/comment: OREDA Phase IV Software /15/. Data relevant for conventional smoke/combustion detectors.
Filter: Inv. Eq. Class = FIRE & GAS DETECTORS AND Inv. Att. Sens. princ. = Smoke/Combustion AND Inv. Phase = 4 AND Fail. Severity Class = Critical
No. of inventories = 2389
No. of critical FTO failures = 80
No. of critical SO failures = 146
Cal. time = 61 11098/.

Overall failure rate (per 10⁶ hrs): 3.73
Failure mode distribution: FTO: 1.01, SPO: 2.72
Observed: c_FTO = 29 % (Calculated including detectors having some kind of self-test arrangement only)
Data source/comment: OREDA Phase III /1/ Database FG31-. Data relevant for smoke/combustion detectors. Both conventional (65 %) and addressable (35 %) detectors are included. 56 % have automatic loop test, 35 % have a combination of loop and built-in self-test, rest (9 %) have no self-test feature.
Filter criteria: TAXCOD='FGFS'
No. of inventories = 1 897
Total no. of failures = 218
Cal. time = 50 374 800 hrs
Note! Only failures classified as "critical" are included in the failure rate estimates.


Component: Smoke Detector, Conventional

Reliability Data Dossier - PDS-data

Failure Rate References

Overall failure rate (per 10⁶ hrs)

Oseberg C /4/.
Data relevant for smoke detectors.
No. of inventories = 53
No. of failures = 4 (1 critical)
Time = 1 218 528 hrs
Note! Only failures classified as "critical" are included in the failure rate estimates.

FTO/Nat.aging 0.81
FTO/Stress 0.13
FTO/Intervent. 0.03
FTO/TOTAL 0.97
SO/Nat.aging 0.87
SO/Stress 0.43
SO/Intervent. 0.03
SO/Input 4.39
SO/TOTAL 5.72

VULCAN /5/:
Failure rates are split into, in addition to failure modes, failure categories, following the "PDS-model".
Note! Only failures classified as "critical" are included in the failure rate estimates.

FTO/Phys. 0.4
FTO/Funct. 0.4
FTO/TOTAL 0.8
SO/Phys.
SO/Funct.
SO/TOTAL

PDS I /8/: Smoke detector
Note! Both physical and functional failures are included.
Only critical failures are included.

Module: Input Devices

Component: Heat Detector, Conventional

Description

The detector includes the sensor and local electronics such as the address/interface unit.

Reliability Data Dossier - PDS-data

Date of Revision: 1999-01-11

Recommended Values for Calculation

          Total rate   Coverage   Undetected
FTO   0.9 per 10⁶ hrs   0.50   0.5 per 10⁶ hrs
SO   1.5 per 10⁶ hrs   0.50   1.3 per 10⁶ hrs
Overall   2.4 per 10⁶ hrs   TIF-probability = 0.05 - 0.5 ¹⁾

¹⁾ The range represents the occurrence of different types of fires (smoke/flame)

Previously Recommended Values for Calculation (95 edition)

λ_det = 1.0 per 10⁶ hrs   Coverage = 0.40
λ_FTO = 0.5 per 10⁶ hrs
λ_SO = 1.0 per 10⁶ hrs
λ_crit = 2.5 per 10⁶ hrs   TIF-probability = 0.05 - 0.5 ¹⁾

¹⁾ The range represents the occurrence of different types of fires (smoke/flame)

Failure Rate Assessment

The failure rate estimate is an update of the previous estimate - based on OREDA Phase III data - with complete OREDA III data (no inventories in phase IV). The rate of FTO failures is estimated assuming a coverage of 50 % (observed in OREDA incomplete and complete Phase III was 50 % and 36 %, respectively). The rate of SO failures is estimated assuming a coverage of 50 % (previously assumed to be 20 %, observed in OREDA (complete) Phase III was 98 %).


Module: Input Devices

Component: Heat Detector, Conventional

TIF-probability Assessment

The TIF-probability is entirely based on expert judgements. Details on the expert judgements are found in the appendix. A summary of some of the main arguments is provided in section

Reliability Data Dossier - PDS-data

Failure Rate References

Overall failure rate (per 10⁶ hrs): 2.35
Failure mode distribution: FTO: 0.88, SO: 1.47
Observed: c_FTO = 36 %, c_SO = 98 %
Data source/comment: OREDA Phase IV Software /15/. Data relevant for conventional heat detectors.
Filter: Inv. Eq. Class = FIRE & GAS DETECTORS AND Inv. Att. Sens. princ. = Heat AND Inv. Phase = 4 AND Fail. Severity Class = Critical
No. of inventories = 994
No. of critical FTO failures = 24
No. of critical SO failures = 40
Cal. time = 27 260 832

Overall failure rate (per 10⁶ hrs): a ôt
Failure mode distribution: FTO: 0.82, SPO: 1.39
Observed: c_FTO = 50 % (Calculated including detectors having some kind of self-test arrangement only)
Data source/comment: OREDA Phase III /1/ Database FG31-. Data relevant for conventional heat detectors. Both rate-of-rise (23 %) and rate-compensated (71 %) detectors are included. Of the detectors, 89 % have automatic loop test, rest (11 %) have no self-test feature. Further, 77 % are reported as "normally de-energized", 29 % as "normally energized".
Filter criteria: TAXCOD='FGFH'
No. of inventories = 865
Total no. of failures = 79
Cal. time = 24 470 588 hrs
Note! Only failures classified as "critical" are included in the failure rate estimates.

FTO/Nat.aging 1.28
FTO/Stress 0.14
FTO/Intervent. 0.05
FTO/TOTAL 1.47
SO/Nat.aging 0.49
SO/Stress 0.32
SO/Intervent. 0.14
SO/Input 0.51
SO/TOTAL 1.46

VULCAN /5/:
Failure rates are split into, in addition to failure modes, failure categories, following the "PDS-model".

FTO/Phys. 0.1
FTO/Funct. 0.2
FTO/TOTAL 0.i
SO/Phys.
SO/Funct.
SO/TOTAL

Note! Only failures classified as "critical" are included.

PDS I /8/: Heat detector
Note! Both physical and functional failures are included.
Only critical failures are included.


Module: Input Devices

Component: Flame detector, Conventional

Description

The detector includes the sensor and local electronics such as the address/interface unit.

Reliability Data Dossier - PDS-data

Date of Revision: 1999-01-11

Recommended Values for Calculation

          Total rate   Coverage   Undetected
FTO   4.2 per 10⁶ hrs   0.50   2.1 per 10⁶ hrs
SO   4.1 per 10⁶ hrs   0.50   2.1 per 10⁶ hrs
Overall   8.3 per 10⁶ hrs   TIF-probability = 3·10⁻⁴ - 0.5 ¹⁾

¹⁾ The range represents the occurrence of different types of fires (smoke/flame)

Remarks

Previously Recommended Values for Calculation (95 edition)

λ_det = 2.5 per 10⁶ hrs   Coverage = 0.40
λ_FTO = 1.5 per 10⁶ hrs
λ_SO = 3.0 per 10⁶ hrs
λ_crit = 7.0 per 10⁶ hrs   TIF-probability = 3·10⁻⁴ - 0.5 ¹⁾

¹⁾ The range represents the occurrence of different types of fires (smoke/flame)

Failure Rate Assessment

The failure rate estimate is an update of the previous estimate - based on OREDA Phase III data - with complete OREDA III data (no inventories in phase IV). The rate of FTO failures is estimated assuming a coverage of 40 % (observed in OREDA incomplete and complete Phase III was 48 % and 50 %, respectively). The rate of SO failures is estimated assuming a coverage of 50 % (previously assumed to be 20 %, observed in OREDA (complete) Phase III was 100 %).

TIF-probability Assessment

The TIF-probability is entirely based on expert judgements. Details on the expert judgements are found in the appendix. A summary of some of the main arguments is provided in Section 2.3.

Reliability Data Dossier - PDS-data

Failure Rate References

Observed:
c_FTO = 50 %
c_SO = 100 %

OREDA Phase IV Software /15/.
Data relevant for conventional flame detectors.
Filter: Inv. Eq. Class = FIRE & GAS DETECTORS AND Inv. Att. Sens. princ. = Flame AND Inv. Phase = 4 AND Fail. Severity Class = Critical
No. of inventories = 1256
No. of critical FTO failures = 119
No. of critical SO failures = 116
Cal. time = 28 5l'1

FTO: 3.20
SPO: 3.98

Observed:
c_FTO = 48 %
(Calculated including detectors having some kind of self-test arrangement only)

OREDA Phase III /1/ Database FG31-.
Data relevant for conventional flame detectors. Both IR (52 %), UV (13 %) and combined IR/UV (35 %) detectors are included. Of the detectors, 'r-5 % have automatic loop test, 3 % have built-in self-test, 15 % have combination of automatic loop and built-in self-test, rest (11 %) have no self-test feature.
Filter criteria: TAXCOD='FGFF'
No. of inventories = 1 010
No. of failures = 292
Cal. time = 23 136 820 hrs
Note! Only failures classified as "critical" are included in the failure rate estimates.


Module: Input Devices

Component: Flame detector, Conventional

Reliability Data Dossier - PDS-data

(per 10⁶ hrs)

Oseberg C /4/.
Data relevant for IR flame detectors.
No. of inventories = 162
No. of failures = 30 (18 critical)
Time = 3 978 240 hrs
Note! It is assumed that only failures classified as "critical" are included in the failure rate estimates.

FTO/Nat.aging 1.77
FTO/Stress 0.12
FTO/Intervent. 0.12
FTO/TOTAL 2.01
SO/Nat.aging 0.16
SO/Stress 0.12
SO/Intervent. 0.12
SO/Input 2.97
SO/TOTAL 3.37

VULCAN /5/:
Failure rates are split into, in addition to failure modes, failure categories, following the "PDS-model".
Note! Only failures classified as "critical" are included.

FTO/Phys. 1.1
FTO/Funct. 0.2
FTO/TOTAL 1.3
SO/Phys.
SO/Funct.
SO/TOTAL

Note! Both physical and functional failures are included.
Only critical failures are included.

Component: ESD Push button

Description

Pushbutton including wiring

Reliability Data Dossier - PDS-data

Date of Revision: 1999-01-11

Recommended Values for Calculation

          Total rate   Coverage   Undetected
FTO   0.3 per 10⁶ hrs   0.20   0.2 per 10⁶ hrs
SO   0.8 per 10⁶ hrs   0.20   0.6 per 10⁶ hrs
Overall   1.0 per 10⁶ hrs   TIF-probability = 10⁻⁵

Remarks

No data available in OREDA Phase IV.

Previously Recommended Values for Calculation (1995)

λ_det = 0.2 per 10⁶ hrs   Coverage = 0.20
λ_FTO = 0.2 per 10⁶ hrs
λ_SO = 0.6 per 10⁶ hrs
λ_crit = 1.0 per 10⁶ hrs   TIF-probability = 10⁻⁵

Failure Rate Assessment

The failure rate is estimated based on all listed data sources, taking into account the expert judgements. The overall coverage given above is estimated as the average for both failure modes, also taking into account the expert judgement.

TIF-probability Assessment

The TIF-probability is entirely based on expert judgements. Details on the expert judgements are found in the appendix. A summary of some of the main arguments is provided in Section 2.3.


Module: Input Devices

Component: ESD Push button

Reliability Data Dossier - PDS-data

Failure Rate References

Overall failure rate (per 10⁶ hrs)

Lo Med. Hi
0.1 0.5 10

Failure mode distribution

5.8

0.13

Data source/comment

FARADIP.THREE /7/: Pushbutton

NPRD-91: Switch, Push button, ground fixed, commercial quality

NPRD-91: Switch, Push button, ground fixed, military quality

Component: PLC System

Description

PLC system includes input/output cards, CPU incl. memory and watchdog, controllers (int. bus, comm. etc.), system bus and power supply.

Reliability Data Dossier - PDS-data

Date of Revision: 1999-01-11

Recommended Values for Calculation

          Total rate   Coverage   Undetected
FTO   16 per 10⁶ hrs   0.90   1.6 per 10⁶ hrs
SO   16 per 10⁶ hrs   0.90   1.6 per 10⁶ hrs
Overall   32 per 10⁶ hrs   TIF-probability = 5·10⁻⁵ - 5·10⁻⁴ ¹⁾

¹⁾ For TÜV certified and standard system, respectively

Previously Recommended Values for Calculation (95 edition)

λ_det = 72.0 per 10⁶ hrs
λ_FTO = 2.0 per 10⁶ hrs
λ_SO = 6.0 per 10⁶ hrs
λ_crit = 80.0 per 10⁶ hrs

¹⁾ For TÜV certified and standard system.

Failure Rate Assessment

The failure rate estimate is an update of the previous estimate - based on OREDA Phase III data - with complete OREDA III data (no inventories in phase IV), taking into account the aspects discussed below: It is assumed that some of the observed FTO-failures in OREDA III are included in the TIF-probability. Further, for FTO-failures, only the current loop (i.e. one I-card, etc.), not the entire PLC System, is required for a shut-down to be initiated. Thus, the estimated rate of FTO-failures is reduced by approx. 70 % compared to the OREDA III data. The overall coverage is set by expert judgement and observed coverage. The SO failure rate includes 'Erratic output' failures.


Module: Control Logic Units

Component: PLC System

TIF-probability Assessment

The TIF-probability is entirely based on expert judgements. Details on the expert judgements are found in the appendix. A summary of some of the main arguments is provided in Section 2.3.

Reliability Data Dossier - PDS-data

Failure Rate References

Overall failure rate (per 10⁶ hrs): 75.0
Failure mode distribution: FTO: 59.4, SO: 15.6
Observed: c_FTO = 9i %, c_SO = 88 %
Data source/comment: OREDA Phase IV Software /15/. Data relevant for control logic units including I/O-cards. Both PLCs (14 %) and computers (86 %) are included. The control logic units are used both in ESD/PSD system (QO %) and F&G systems (30 %).
Filter: Inv. Eq. Class = CONTROL LOGIC UNITS AND Inv. Phase = 4 AND Fail. Severity Class = Critical
No. of inventories = 71
No. of critical FTO failures = 103
No. of critical SO failures = 27
Cal. time = 1 733 664

Overall failure rate (per 10⁶ hrs): 91.0
Failure mode distribution: FTO: 74.7, SO: 16.3
Observed: c_FTO = 91 % (Calculated including detectors having some kind of self-test arrangement only)
Data source/comment: OREDA Phase III /1/ Database CL31-. Data relevant for control logic units including I/O-cards. Both PLCs (19 %) and computers (81 %) are included. The control logic units are used both in control systems (54 %), ESD system (13 %) and F&G systems (33 %).
No. of inventories = 52
Total no. of failures = 214
Cal. time = 1 164 384 hrs
Note! Only failures classified as "critical" and with failure modes FTO or SO are included in the failure rate estimates.

(per 10⁶ hrs)

Per ch. 0.28
FTO/Phys.
FTO/Funct.
FTO/TOTAL

Per ch. 0.31

SO/Phys. 0.09
SO/Funct. 0.05
SO/TOTAL 0.14

FTO/Phys.
FTO/Funct.
FTO/TOTAL
SO/Phys.
SO/Funct.
SO/TOTAL

PDS I /8/: Input/digital, failure rate per channel
Note! Both physical and functional failures are included.
Only critical failures are included.

0.09
0.05
0.14
0.12
0.05
0.17

FTO/Phys.
FTO/Funct.
FTO/TOTAL
SO/Phys.
SO/Funct.
SO/TOTAL

PDS I /8/: Input/analog, failure rate per channel
Note! Both physical and functional failures are included.
Only critical failures are included.

Per ch. 0.21

II

Ia

J

FTO/Phys. 0.02
FTO/Funct. 0.01
FTO/TOTAL 0.03

PDS I /8/: CPU/Memory
Note! Both physical and functional failures are included.
Only critical failures are included.

PDS I /8/: Output/digital, normally energized, failure rate per channel
Note! Both physical and functional failures are included.
Only critical failures are included.


Module: Control Logic Units

Component: PLC System

Reliability Data Dossier - PDS-data

Failure Rate References

Overall failure rate (per 10⁶ hrs)

Per ch. 0.21

Failure mode distribution

FTO/Phys. 0.17
FTO/Funct. 0.01
FTO/TOTAL 0.18
SO/Phys. 0.02
SO/Funct. 0.01
SO/TOTAL 0.03

Data source/comment

PDS I /8/: Output/digital, normally de-energized, failure rate per channel
Note! Both physical and functional failures are included.
Only critical failures are included.

Module: Control Logic Units

Component: Field Bus Coupler

Reliability Data Dossier - PDS-data

Date of Revision: 1999-01-11

Recommended Values for Calculation

          Total rate   Coverage   Undetected
FTO   0.01 per 10⁶ hrs   0.90   0.001 per 10⁶ hrs
SO   0.2 per 10⁶ hrs   0.90   0.02 per 10⁶ hrs
Overall   0.2 per 10⁶ hrs   TIF-probability = 10⁻⁵

Remarks

No data available in OREDA Phase IV

Previously Recommended Values for Calculation (95 edition)

λ_det = 0.18 per 10⁶ hrs
λ_FTO = 0.001 per 10⁶ hrs
λ_SO = 0.02 per 10⁶ hrs
λ_crit = 0.2 per 10⁶ hrs   TIF-probability = 10⁻⁵

Failure Rate Assessment

No sources of failure rate data are identified. The failure rates are estimated based on expert judgement and the failure rate data found for PLC system.

TIF-probability Assessment

The TIF-probability is entirely based on expert judgements. Details on the expert judgements are found in the appendix. A summary of some of the main arguments is provided in Section 2.3.


Module: Control Logic Units

Component: Field Bus CPU/Communication Unit

Reliability Data Dossier - PDS-data

Date of Revision: 1999-01-11

          Total rate   Coverage   Undetected
FTO   0.01 per 10⁶ hrs   0.90   0.001 per 10⁶ hrs
SO   0.2 per 10⁶ hrs   0.90   0.02 per 10⁶ hrs
Overall   0.2 per 10⁶ hrs   TIF-probability = 10⁻⁵

Remarks

No data available in OREDA Phase IV.

Previously Recommended Values for Calculation (95 edition)

λ_det = 0.18 per 10⁶ hrs
λ_FTO = 0.001 per 10⁶ hrs
λ_SO = 0.02 per 10⁶ hrs
λ_crit = 0.2 per 10⁶ hrs

Failure Rate Assessment

No sources of failure rate data are identified. The failure rates are estimated based on expert judgement and the failure rate data found for PLC system.

The TIF-probability is entirely based on expert judgements. Details on the expert judgements are found in the appendix. A summary of some of the main arguments is provided in Section 2.3.

Module: Output Devices / Valves

Component: ESV, X-mas Tree

Description

Hydraulically operated production master, wing and swab valves.

Reliability Data Dossier - PDS-data

Date of Revision: 1999-01-11

Recommended Values for Calculation

          Total rate   Coverage   Undetected
FTO   0.8 per 10⁶ hrs   0.00   0.8 per 10⁶ hrs
SO   0.7 per 10⁶ hrs   0.30   0.5 per 10⁶ hrs
Overall   1.6 per 10⁶ hrs   TIF-probability = 10⁻⁶ - 10⁻⁵ ¹⁾

¹⁾ For complete and incomplete functional testing respectively.

Previously Recommended Values for Calculation (95 edition)

λ_det = 0.0 per 10⁶ hrs   Coverage
λ_FTO = 3.0 per 10⁶ hrs
λ_SO = 0.5 per 10⁶ hrs
λ_crit = 3.5 per 10⁶ hrs   TIF-probability = 10⁻⁶ - 10⁻⁵ ¹⁾

¹⁾ For complete and incomplete functional testing

Failure Rate Assessment

The failure rate estimate is an update of the previous estimate - based on OREDA Phase III - with OREDA phase IV data. The SO coverage given above is estimated based on observed coverage.

TIF-probability Assessment

The TIF-probability is entirely based on expert judgements. Details on the expert judgements are found in the appendix. A summary of some of the main arguments is provided in Section 2.3


Module: Output Devices / Valves

Component: ESV, X-mas Tree

Reliability Data Dossier - PDS-data

Failure Rate References

Overall failure rate (per 10⁶ hrs): 1.11
Failure mode distribution: FTO: 0.00, SO: 1.11
Observed: c_SO = 100 %
Data source/comment: OREDA Phase IV Software /15/. Data relevant for hydraulically operated wellhead master valves, swab valves and wing valves. The previous filter does not apply to the OREDA v.5 software.
Filter: Inv. Eq. Class = WELLHEADS AND X-MAS TREES AND (Inv. System = Gas production OR Inv. System = Oil production) AND Inv. Phase = 4 AND Fail. Severity Class = Critical AND (Fail. Item Failed = Prod. master valve, hyd. op. OR Fail. Item Failed = Prod. swab valve, hyd. op. OR Fail. Item Failed = Prod. wing valve, hyd. op.)
No. of inventories = 18
No. of critical FTO failures = 0
No. of critical SO failures = 1
Cal. time = 902 544

Overall failure rate (per 10⁶ hrs): 7.36
Failure mode distribution:
DOP: 0.15
EXL: 1.84
FTC: 0.37
FTOpen: 0.46
INL: 2.30
LCP: 1.69
PLU: 0.15
Data source/comment: OREDA Phase III /1/ Database VA31-. Data relevant for wellhead ESD/PSD valves, main valve or actuator.
Filter criteria: FUNgTN='ow' oR'clv',APPUC=tsSD/PSD" MATIEM=bODY' OR VALVSEAT' OR SEAIJ'OR ACTUATOR'.
No. of inventories = 349
Total no. of failures = 120
Cal. time = 6 518 058 hrs
Note! Only failures classified as "critical" are included in the failure rate estimates.

Overall failure rate (per 10⁶ hrs): 9.17
Failure mode distribution:
EXL: 0.28
FTC: 3.81
FTOpen: 2.12
INL: 0.14
OVH: 0.28
SEL: 0.14
SEP: 0.14
SIL: 1.12
SPO: 0.43
UNK: 0.14

Data source/comment

14

OREDA Phase II /2/, p. 89, Valves ESD.
Data relevant for topside ESD valves. Note! Includes also control and monitoring unit.
No. of inventories = 322
No. of failures = 151
Cal. time = 6 406 500 hrs
Note! Only failures classified as "critical" are included in the failure rate estimates.

FTO/Phys.
FTO/Funct.
FTO/TOTAL
SO/Phys.
SO/Funct.
SO/TOTAL

6

2

I

6

PDS I /8/: ESD valve. Note! Includes also pilot valve etc.

Note! Both physical and functional failures are included. Only critical failures are included.


Reliability Data Dossier - PDS-data

Module: Output Devices / Valves
Component: Other ESV

Description
Main valve including actuator. Not including pilot valve and local control and monitoring.

Date of Revision
1999-01-11

Remarks

Recommended Values for Calculation
         Total rate         Coverage   Undetected
FTO      1.3 per 10^6 hrs   0.00       1.3 per 10^6 hrs
SO       0.3 per 10^6 hrs   0.00       0.3 per 10^6 hrs
Overall  1.6 per 10^6 hrs   TIF-probability: 10^-6 - 10^-5 1)
1) For complete and incomplete functional testing respectively

Previously Recommended Values for Calculation (95 edition)
λ_det  = 0.0 per 10^6 hrs   Coverage = 0.00
λ_FTO  = 3.0 per 10^6 hrs
λ_SO   = 0.5 per 10^6 hrs
λ_crit = 3.5 per 10^6 hrs   TIF-probability = 10^-6 - 10^-5 1)
1) For complete and incomplete functional testing respectively.

Failure Rate Assessment

The failure rate estimate is updated iteratively because of the additional Phase III data. The previous estimate is updated with the final Phase III data, and this estimate is finally updated using the OREDA Phase IV data. The rate of FTO and SO failures is estimated assuming a coverage of 0 %. The FTO failure rate includes 'Fail to close on demand' and 'Structural deficiency'.

The TIF-probability is entirely based on expert judgements. Details on the expert judgement are found in the appendix. A summary of some of the main arguments are p

Failure Rate References

Failure mode distribution:
FTO: 1.06
SO: 0.26

Data source/comment:
OREDA Phase IV Software /15/. Data relevant for process ESD/PSD valves, excluding the pilot and control & monitoring.

Filter:
Inv. Eq. Class = VALVES
(Inv. System = Gas export
Inv. System = Gas processing
Inv. System = Oil export
Inv. System = Oil processing)
Inv. Phase = 4
Inv. Att. Application = ESD/PSD
Fail. Severity Class = Critical
(Fail. Item Failed <> Pilot valve
Fail. Subunit Failed <> Control & Monitoring)

No. of inventories = 106
No. of critical FTO failures = 4
No. of critical SO failures = 1

Failure mode distribution:
FTOpen: 1.12
LCP: 1.12

Data source/comment:
OREDA Phase III /1/ Database VA31-. Data relevant for process ESD/PSD valves, main valve or actuator.

Filter criteria: FUNCTN='OP' OR 'CP', APPLIC='ESD/PSD', MAITEM='BODY' OR 'VALVSEAT' OR 'SEALS' OR 'ACTUATOR'.

No. of inventories = 26
Total no. of failures = 20
Cal. time = 891 214 hrs

Note! Only failures classified as "critical" are included in the failure rate estimates.


Module: Output Devices / Valves
Component: Other ESV

Reliability Data Dossier - PDS-data

Failure Rate References

Overall failure rate (per 10^6 hrs): 9.17

Failure mode distribution:
EXL: 0.28
FTC: 3.81
FTOpen: 2.12
INL: 0.14
OVH: 0.28
SEL: 0.14
SEP: 0.14
SIL: 1.12
SPO: 0.43
UNK: 0.14

Data source/comment:
OREDA Phase II /2/, p. 89, Valves ESD. Data relevant for topside ESD valves. Note! Includes also pilot valve etc.

No. of inventories = 322
No. of failures = 151
Cal. time = 6 406 500 hrs

Note! Only failures classified as "critical" are included in the failure rate estimates.

Overall failure rate (per 10^6 hrs): 14

Failure mode distribution:
FTO/Phys. 6
FTO/Funct. 2
FTO/TOTAL 8
SO/Phys. 2
SO/Funct. 4
SO/TOTAL 6

Data source/comment:
PDS I /8/: ESD valve. Note! Includes also pilot valve etc.

Note! Both physical and functional failures are included. Only critical failures are included.

Reliability Data Dossier - PDS-data

Module: Output Devices / Valves
Component: Pilot Valve

Description
Pilot valve on hydraulically or pneumatically operated, process or wellhead, shut-off or ESD/PSD valves.

Date of Revision
1999-01-11

Recommended Values for Calculation
         Total rate         Coverage   Undetected
FTO      1.7 per 10^6 hrs   0.20       1.4 per 10^6 hrs
SO       2.5 per 10^6 hrs   0.30       1.8 per 10^6 hrs
Overall  4.2 per 10^6 hrs   TIF-probability =

Previously Recommended Values for Calculation (95 edition)
0.0 per 10^6 hrs
0.6 per 10^6 hrs
0.4 per 10^6 hrs
1.0 per 10^6 hrs
TIF-probability =

Failure Rate Assessment

The failure rate estimate is updated iteratively because of the additional Phase III data. The previous estimate is updated with the final Phase III data, and this estimate is finally updated using the OREDA Phase IV data. The rate of FTO failures is estimated assuming a coverage of 20 % (previously assumed to be 0 %, observed in OREDA incomplete and complete Phase III was 40 % and 67 %, respectively). The rate of SO failures is estimated assuming a coverage of 30 % (previously assumed to be 0 %, observed in OREDA incomplete and complete Phase III was 20 % and 94 %, respectively). The FTO failure rate includes 'Fail to close on demand' and 'Fail to open on demand' failures.


Module: Output Devices / Valves
Component: Pilot Valve

TIF-probability Assessment

The TIF-probability is entirely based on expert judgements. Details on the expert judgement are found in the appendix. A summary of some of the main arguments is provided in Section 2.3.

Reliability Data Dossier - PDS-data

Failure Rate References

Overall failure rate (per 10^6 hrs): 4.52

Failure mode distribution:
FTO: 1.69
SO: 2.83
Observed: c_FTO = 67 %, c_SO = 94 %

Data source/comment:
OREDA Phase IV Software /15/. Data relevant pilot valves with control & monitoring in ESD/PSD applications.

Filter:
Inv. Eq. Class = VALVES AND
(Inv. Att. Application = ESD/PSD OR
Inv. Att. Application = Shut-off) AND
Inv. Phase = 4 AND
Fail. Severity Class = Critical AND
(Fail. Item Failed = Pilot valve OR
Fail. Subunit Failed = Control & Monitoring)

No. of inventories = 184
No. of critical FTO failures = 10
No. of critical SO failures = 17
Cal. time = 6 023 256

Module: Output Devices / Valves
Component: Pilot Valve

Reliability Data Dossier - PDS-data

Failure Rate References

Overall failure rate (per 10^6 hrs): 0.51

Failure mode distribution:
FTC: 0.07
FTOpen: 0.36
SO: 0.07

Data source/comment:
OREDA Phase III /1/ Database VA31-. Data relevant for pilot valve on hydraulically or pneumatically operated, process or wellhead, shut-off or ESD/PSD valves.

Filter criteria: ACTUAT='HYDRAULIC' .OR. 'PNEUMATIC', APPLIC='SHUT-OFF' .OR. 'ESD/PSD', MAITEM='ACTUATION'.

No. of inventories = 516
Total no. of failures = 42
Cal. time = 13 156 654 hrs

Note! All failures are included, i.e. both "Critical", "Degraded" and "Incipient" failures, since the failure classification is given on system level.

Overall failure rate (per 10^6 hrs): 0.45

Failure mode distribution:
FTO: 0.45

Data source/comment:
T-boken /6/: Solenoid valve, normally energized. The failure mode used in the source is "Missing function". This has been interpreted as FTO.

Overall failure rate (per 10^6 hrs): 0.11

Failure mode distribution:
FTO: 0.11

Data source/comment:
T-boken /6/: Solenoid valve, normally de-energized. The failure mode used in the source is "Failed to change state". This has been interpreted as FTO.

Lo Med. Hi 0.4 14

Data source/comment:
FARADIP.THREE /7/: Solenoid.


Reliability Data Dossier - PDS-data

Module: Output Devices / Valves
Component: Process Control Valve

Description
Process control valves including actuator, pilot valve and local control/monitoring. Both large and small control valves are included.

Date of Revision
1999-01-11

Remarks

Recommended Values for Calculation
         Total rate (Small - Large Valves)   Coverage
FTO      7.1 - 2.1 per 10^6 hrs              0.60
SO       0.4 - 0.7 per 10^6 hrs              0.70
Overall  7.6 - 2.8 per 10^6 hrs              TIF-probability

Previously Recommended Values for Calculation (95 edition)
         Small - Large Valves
λ_det  = 18.0 - 8.0 per 10^6 hrs
λ_FTO  = 9.0 - 4.0 per 10^6 hrs
λ_SO   = 0.1 - 2.0 per 10^6 hrs
λ_crit = 27.0 - 14.0 per 10^6 hrs

Failure Rate Assessment

The failure rate estimate is an update of the previous estimate - based on OREDA Phase III - with OREDA Phase IV data. The total rate of FTO failures is estimated by including the OREDA failure modes FTC and LCP, and 50 % of the DOP and EXL failures. The rate of FTO failures is estimated assuming a coverage of 50 % (previously assumed to be 65 %, observed in OREDA Phase IV was 25 %). The rate of SO failures is estimated assuming a coverage of 80 % (previously assumed to be 65 %, observed in OREDA Phase IV was 100 %).
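The arithmetic behind these dossier tables, as an added example that is not part of the SINTEF report: it splits a total rate into its undetected part by coverage, applies the FTC + LCP + 50 % of DOP and EXL rule from the assessment above, and checks the results against figures printed in the Pilot Valve and wellhead dossiers. The n/T point estimate, the tolerance check and all function names are assumptions of this example; the Phase III entry that the scan prints as "FIC" is read as FTC.

```python
"""Dossier arithmetic check (added example, not code from the report)."""

def rate_per_million_hours(failures, calendar_hours):
    """Point estimate n/T scaled to 10^6 hours (estimator assumed here)."""
    if calendar_hours <= 0:
        raise ValueError("calendar time must be positive")
    return failures / calendar_hours * 1e6

def undetected_rate(total_rate, coverage):
    """Part of a total rate left uncovered: total - total * coverage."""
    if not 0.0 <= coverage <= 1.0:
        raise ValueError("coverage must lie in [0, 1]")
    return total_rate - total_rate * coverage

def fto_from_modes(modes, full=("FTC", "LCP"), half=("DOP", "EXL")):
    """FTO total from OREDA failure modes: FTC and LCP count in full,
    DOP and EXL at 50 %, as the assessment text states."""
    return (sum(modes.get(m, 0.0) for m in full)
            + 0.5 * sum(modes.get(m, 0.0) for m in half))

def agrees(computed, printed, decimals):
    """True if `computed` matches `printed` at the printed precision."""
    return abs(computed - printed) <= 0.5 * 10 ** -decimals + 1e-9

# Values copied from the dossiers on this page (rates per 10^6 hrs).
PILOT_VALVE = {  # mode: (total rate, coverage, printed undetected rate)
    "FTO": (1.7, 0.20, 1.4),
    "SO": (2.5, 0.30, 1.8),
}
PILOT_VALVE_OVERALL = 4.2
# OREDA Phase III, process control valves, all sizes.
# Assumption: the scanned entry "FIC 4.29" is the FTC failure mode.
PCV_PHASE_III_MODES = {"DOP": 0.72, "EXL": 0.36, "FTC": 4.29, "LCP": 1.43}
# Wellhead valves, OREDA Phase IV: 1 critical SO failure in 902 544 hrs,
# printed in the dossier as SO: 1.11.
WELLHEAD_SO = (1, 902_544, 1.11)

def check_dossier():
    """Return (description, computed, printed, ok) for each cross-check."""
    results = []
    for mode, (total, cov, printed) in PILOT_VALVE.items():
        u = undetected_rate(total, cov)
        results.append((f"pilot valve {mode} undetected", u, printed,
                        agrees(u, printed, 1)))
    overall = sum(total for total, _, _ in PILOT_VALVE.values())
    results.append(("pilot valve overall", overall, PILOT_VALVE_OVERALL,
                    agrees(overall, PILOT_VALVE_OVERALL, 1)))
    n, hours, printed = WELLHEAD_SO
    rate = rate_per_million_hours(n, hours)
    results.append(("wellhead SO rate", rate, printed, agrees(rate, printed, 2)))
    return results

if __name__ == "__main__":
    for desc, computed, printed, ok in check_dossier():
        flag = "ok" if ok else "MISMATCH"
        print(f"{desc:30s} computed={computed:.3f} printed={printed} {flag}")
    fto = fto_from_modes(PCV_PHASE_III_MODES)
    print(f"PCV FTO rate from Phase III modes: {fto:.2f} per 10^6 hrs")
```

A mismatch flagged by `check_dossier` points at a transcription error or at a dossier figure that was not derived by these simple relations, so it is a prompt to go back to the source table rather than a verdict.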

Undetected
Small - Large Valves
2.8 - 0.8 per 10^6 hrs
0.1 - 0.2 per 10^6 hrs
10^-5

Module: Output Devices / Valves
Component: Process Control Valve

Coverage = 0.65
TIF-probability = 10^-5

TIF-probability Assessment

The TIF-probability is entirely based on expert judgements. Details on the expert judgement are found in the appendix. A summary of some of the main arguments is provided in Section 3.3.

Reliability Data Dossier - PDS-data

Failure Rate References

Failure mode distribution:
FTO: 3.97
SO: 1.02
Observed: c_FTO = 25 %, c_SO = 100 %

Data source/comment:
OREDA Phase IV Software /15/. Data relevant for process control valves including pilot valve etc. Note! All sizes are included. 47 % of the registered valves are small, i.e., size < 10 inches. Thus, 53 % are large, with size > 10 inches.

Filter (small valves):
Inv. Eq. Class = VALVES
(Inv. System = Gas export
Inv. System = Gas processing
Inv. System = Oil export
Inv. System = Oil processing)
Inv. Phase = 4
Inv. Att. Application = Process Control
Fail. Severity Class = Critical

No. of inventories = 99
No. of critical FTO failures = 10.5
No. of critical SO failures = 1

Failure mode distribution:
DOP: 0.72
EXL: 0.36
FID: 1.79
FTC: 4.29
FTOpen: 2.15
LCP: 1.43
OTH: 3.22
OVH: 0.72
PLU: 2.50
SO: 0.07

Data source/comment:
OREDA Phase III /1/ Database VA31-. Data relevant for process control valves including pilot valve etc. Note! All sizes are included.

Filter criteria: APPLIC='PROC CTRL', FUNCTN='OP' .OR. 'GP'.

No. of inventories = 100
Total no. of failures = 186
Cal. time = 2 796 745 hrs

Note! Only failures classified as "critical" are included in the failure rate estimates.


Module: Output Devices / Valves
Component: Process Control Valve

Reliability Data Dossier - PDS-data

Failure Rate References

Overall failure rate (per 10^6 hrs): 27.07

Failure mode distribution:
DOP: 1.04
FID: 4.17
FTC: 5.21
FTOpen: 1.04
LCP: 3.12
OTH: 3.12
OVH: 2.08
PLU: 7.29

Data source/comment:
OREDA Phase III /1/ Database VA31-. Data relevant for process control valves including pilot valve etc. Note! Only sizes less than 5" are included in this run.

Filter criteria: APPLIC='PROC CTRL', FUNCTN='OP' .OR. 'CP', SIZE<=5.000.

No. of inventories = 33
Total no. of failures = 66
Cal. time = 960 320 hrs

Note! Only failures classified as "critical" are included in the failure rate estimates.

Overall failure rate (per 10^6 hrs): 14.16

Failure mode distribution:
DOP: 0.54
EXL: 0.54
FID: 0.54
FTC: 3.81
FTOpen: 2.72
LCP: 0.54

3.nOTH

SO:

Data source/comment:
OREDA Phase III /1/ Database VA31-. Data relevant for process control valves including pilot valve etc. Note! Only sizes larger than 5" are included in this run.

Filter criteria: APPLIC='PROC CTRL', FUNCTN='OP' .OR. 'CP', SIZE>5.000.

No. of inventories = 67
No. of failures = 120
Cal. time = 1 836 425 hrs

Note! Only failures classified as "critical" are included in the failure rate estimates.

Overall failure rate (per 10^6 hrs): 8.6

Failure mode distribution:
FTO: 8.6

Data source/comment:
T-boken /6/: Motor-operated control valve. The failure mode used in the source is "Failed to change position". This has been interpreted as FTO.

Reliability Data Dossier - PDS-data

Module: Output Devices / Valves
Component: Pressure Relief Valve

Date of Revision
1999-01-11

Recommended Values for Calculation
         Total rate            Coverage   Undetected
FTO      1.0 per 10^6 hrs      0.00       1.0 per 10^6 hrs
SO       0.2 per 10^6 hrs 1)   0.00       0.2 per 10^6 hrs
Overall  1.2 per 10^6 hrs      TIF-probability: 10^-3
1) Note that trip of PSV does not necessarily lead to system trip

Previously Recommended Values for Calculation (95 edition)
λ_det  = 0.0 per 10^6 hrs      Coverage = 0.00
λ_FTO  = 0.1 per 10^6 hrs
λ_SO   = 0.9 per 10^6 hrs 1)
λ_crit = 1.0 per 10^6 hrs      TIF-probability = 10^-3
1) Note that trip of PSV does not necessarily lead to system trip

Failure Rate Assessment

The failure rate estimate is an update of the previous estimate - based on OREDA Phase III, OREDA 84 and other sources - with OREDA Phase IV data. Only failures classified as 'Fail to ' are considered FTO failures.

TIF-probability Assessment

The TIF-probability is entirely based on expert judgements. Details on the expert judgement are found in the appendix. A summary of some of the main argu


Module: Output Devices / Valves
Component: Pressure Relief Valve

Reliability Data Dossier - PDS-data

Failure Rate References

Overall failure rate (per 10^6 hrs): 2.27

Failure mode distribution:
FTO: 2.14
SO: 0.13

Observed:

,fto = |vo,so = 07o

Data source/comment:
OREDA Phase IV Software /15/. Data relevant for self-acting or self-acting/pilot actuated relief valves.

Filter:
Inv. Eq. Class = VALVES AND
Inv. Phase = 4 AND
Inv. Att. Application = Relief AND
Fail. Severity Class = Critical

No. of inventories = 275
No. of critical FTO failures = 17
No. of critical SO failures = 1
Cal. time = 7 493 448

Overall failure rate (per 10^6 hrs): 26.78

Failure mode distribution:
INL/Degr. 22.06
INL/Degr. 1.58
Sum/Degr. 23.63
EXL/Incip. 1.58
EXL/Incip. 1.58
Sum/Incip. 3.15

Note! Also "Degraded" and "Incipient" failures are included, since no "Critical" failures are observed.

Data source/comment:
OREDA Phase III /1/ Database VA31-. Data relevant for self-acting or self-acting/pilot actuated relief valves.

Filter criteria: APPLIC='RELIEF', ACTUAT='SELF ACT' .OR. 3.e.ÞU-Or'.

No. of inventories = 34
Total no. of failures = 17
Opr. time = 634 730 hrs
Cal. time = 1 119 360 hrs

Note! Operational time is used in the failure rate estimates.

Module: Output Devices / Valves
Component: Pressure Relief Valve

Reliability Data Dossier - PDS-data

Failure Rate References

Overall failure rate (per 10^6 hrs)

Lo Med. Hi28

t.5i

4.4

Failure mode distribution

Data source/comment:
FARADIP.THREE /7/: Valve, Relief

NPRD-91 /9/: Valve, relief, Ground, unknown quality

OREDA-84 /3/, Pilot operated safety relief valve.


REFERENCES

/1/ OREDA Phase III, computerised database on topside equipment, OREDA Participants (multiclient project on collection of offshore reliability data).

/2/ OREDA Handbook; Offshore Reliability Data Handbook, 2nd edition, OREDA Participants (multiclient project on collection of offshore reliability data), 1992.

/3/ OREDA Handbook; Offshore Reliability Data Handbook, 1st edition, OREDA Participants (multiclient project on collection of offshore reliability data), 1984.

/4/ Jon Arne Grammeltvedt, U&P; Oseberg C - Gjennomgang av erfaringsdata for brann- og gassdetektorer på Oseberg C. Forslag til testintervaller for detektorene, report from Norsk Hydro, Forskningssenteret Porsgrunn, 1994-07-28 (in Norwegian).

/5/ Lars Bodsberg, VULCAN - A Vulnerability Calculation Method for Process Safety Systems, Doctoral dissertation, Norwegian Institute of Technology, Dep. of Mathematical Sciences, Trondheim, 1993.

/6/ T-boken, Version 3: Tillförlitlighetsdata för komponenter i nordiska kraftreaktorer, ATV-kansliet and Studsvik AB, published by Vattenfall, Sweden, 1992 (in Swedish).

/7/ David J. Smith, Reliability, Maintainability and Risk - Practical Methods for Engineers, Butterworth-Heinemann Ltd., Oxford, England, Fourth edition, 1993.

/8/ Lars Bodsberg, Reliability Data for Computer-Based Process Safety Systems, SINTEF Report STF75 F89025, 1989.

/9/ William Denson et al., NPRD-91: Nonelectronic Parts Reliability Data 1991, Reliability Analysis Center, Rome, New York, USA, 1991.

/10/ Ragnar Aarø et al., Reliability Prediction Handbook. Computer-Based Process Safety Systems, SINTEF Report STF75 A89023, 1989.

/11/ Lars Bodsberg et al., Reliability Quantification of Control and Safety Systems. The PDS-II method. SINTEF Report STF75 A93064, 1994.

/12/ K. Øien and P. R. Hokstad, Handbook for performing expert judgment. SINTEF report STF38 A98419, 1998.

/13/ Per Hokstad and Ragnar Aarø, Reliability Data for Control and Safety Systems, Revision 1. SINTEF report STF75 F94056, January 1995.

/14/ Geir Klingenberg Hansen and Ragnar Aarø, Reliability Quantification of Computer-Based Safety Systems. An Introduction to PDS. SINTEF report STF38 A97434, December 1997.

/15/ OREDA Phase IV, computerised database on topside equipment, OREDA Participants (multiclient project on collection of offshore reliability data).

/16/ Harry F. Martz and Ray A. Waller, Bayesian Reliability Analysis, Krieger Publishing Company, 1982.

/17/ OREDA Handbook; Offshore Reliability Data Handbook, 3rd edition, OREDA Participants (multiclient project on collection of offshore reliability data), 1997.


The PDS Forum was initiated in 1995, and follows up the PDS projects. The main objective of the PDS Forum is to maintain a professional forum for exchange of experience between Norwegian vendors and users of control and safety systems. The primary focus is on safety and reliability aspects of such systems. Research results are transferred, and personal contacts between those working with offshore control and safety systems are encouraged. Topics of the forum are:

- Use of new standards for control and safety systems
- Use of acceptance criteria
- Exchange and use of reliability field data
- Exchange of information on new technology

The main activity of the PDS Forum in 1998 was to update the so-called "PDS-recommended data". The present report summarizes the results from this activity. For information regarding the PDS Forum please visit the web site http://www.sintef.no/sipaalprosjekt/pds-forum.

The OREDA project is also acknowledged for allowing OREDA Phase IV data to be used in preparation of the present report. For information regarding OREDA please visit the web site www.oreda.com

The PDS-method is an analytical method for quantification of reliability, safety and Life Cycle Cost (LCC) for control and safety systems, and thereby to perform an overall evaluation of such systems. The method was developed for the offshore industry, where it has gained a widespread use. The method supports the reliability analyses in the international standard IEC 61508: Functional Safety of E/E/PE Safety Related Systems. It is also referred to in the NORSOK standards for Safety and Automation Systems as a method to be used for verification of safety systems.

SINTEF Industrial Management, Dept. of Safety and Reliability has developed a computer program "PDS-Tool" to support PDS calculations. Sydvest Software has from March 1999 taken over the responsibility for PDS-Tool. Sydvest Software has been established to develop and market software tools aimed at preventing losses caused by accidents and other undesired events. SINTEF Industrial Management, Dept of Safety and Reliability is one of the initiators and main owners of Sydvest Software.

For information regarding the PDS-Tool please visit the web site of Sydvest Software at www.sydvest.com.