Post on 08-Apr-2015
@$t'LiEF
STF38 A98445
Classif ication: Unrestricted
ReliabilitY Data for Control and
SafetY SYstems
1998 Edition
SINTEF Industrial Management
SafetY and ReliabilitYJanuarY 1999
;'ifiV€}f ,'l';-15KEMIRAKIRJASTO
)
@s[Nr,,imSINTEF lndustrial Management
Safety and ReliabilitY
Address: N-7034Trondhe¡m'NORWAY
Læatiôn; Strindveien 4
Tefephone: +47 73 59 27 56
fa: +47 73 59 28 96
EnterPrise No.: NO 948 007 029 MVA
SINTEF REPORT
Reliability Data for Control and Safety Systems'
L998 Edition.
Geir Klingenberg Hansen and Jøm Vatn
BSTBACT
eliability data estimates for components of control and.safety systems are provided in this report' D
¡r both fietd devices (sensoäïäîö;; .ãnuor rogi. (etectronicÐ.ar" n::"-T:l Data dossiers I
iven for these components, based on various sources, ..g.'oRr,oe and expert judgements' The level
etail of the data is adapted t#;f"rm;t suired for ,"liiuiiitv anaiyses applying the PDS method'
t999-01-l I
reliabilitydataestimatesareessentiallybasedonthepreviouslyrecommendeddataforusewithmethod, updated with OREDA Phæe IV data'
Also,amethodforobtainingapplication^specificreliabilitYdataestimatesisgiven.Asacase'*",irtJ t
"ppfied to TIF probabìlities for IR gas detectors'
srGN.).
It. Lk^1
iltrol and SafetY SYstems
Feliability Data for Control and Safety Systems'
1998 Edit¡on )
PREFACEThePDsForumisaforumofoilcomparries,vendorsandlesearcherswithaspecialintefestln;it";,ryr,*:,g"lt'::.."üf f äïT'Jf t:#Ë:H#,'äî'-Tåiif:'i:":3"ìi:i"T'åoHi1,J:ir}ill,,ll iiJffiir'ã.,i"i,y. ror inrormatiJi-'"J*a"e the PDS Forum please visit
ifäî"il* ft tp://www'sintef 'no/sipaa/prosjekt/pds-forum'html
TheresultsinthePlesenlreportistoagreatextendtasedonworkSlNlEFcarriedoutonrequestfrom Norsk Hydro in 1ee5 ffi"]i, ff;sÑiEf ;"I;':'sinzs Fe40s6 - Reliabilitv Data for
Control and Safety Systems" t13l' We appreciate ttfttttt that Norsk Hydro ailowed using
these '95 results in the present report'
TheoREDAprojectisalsoacknowiedgeclfor.allowingOREDAphaselVdata.tobeusedinpreDaration of the present';d;;.-ï* iiformation ,"g.iAne-óREOA please visit the web site
ütí,Ï¡,tï-. ""tri.nloni
tslindman/sipaa/prosjektioreda'/
Trondheim, 1999-01-1 I
Geir Klingenberg Hansen
PDS Forum ParticiPants 1998
Oil ComPanies. ÀmocoNorwaY Oil ComPanY
. BP Norgeo ElfPetroleumNorgeAJSe Norsk HYdro ASA
. Phillips Petroleum Company Norway
o SagaPetroleumASA. A"/S Norske Shell
. Den norske stats oljeselskap (Statoil) a's'
Control and Safety Systems Vendors
. ABB Indust¡i
o Auronicao BaileY Norge
. Boo Instrument AS
o HoneYwello ICS GrouP
o Kongsberg Sirnrad
. Norfass (Yokogawa)
. SAASASA
. Siemens
Engineering ComPanies ând Consultânts
o Aker Engineertng
. Det Norske Veritas
. Dovre Safetec AS
o Kværner Oil and Gas A'S
. NORSOC
. Umoe Olje og Gass
OREDA ParticiPants 1998
Eni S.p.A./AGIP Exploration & Production
Amocô ExPloration ComPanY'fp'Biol"täi"" operating company Ltd'
ã1"*ån p"ttot"u* Technology company
Elf Perroleum Norge A'/S
Esso Norge a.s'
Norsk HYdro ASAPhillips Þeuoleum ComPanY Norway
bln tï*.rc r,uo oljeselskap (Statoil) a's'
Sasâ Petloleum ASAËiãiì""ä"ä".¡ Exploration and Production B V'
TOTAL S.A.
Reliability Data for conlrol and Safety Syslems'
l eea Edition. )
TABLE OF CONTENTS
LIST OF TABLF,S
LIST OF FIGURF,S
t.I
INTRoDUcrIoN......""'
Rrsul,rSutt¡1t14RY""""""""' ' """' rr
äHil:H*ir*i:î'ffi :::: r+
Z.¡ Summury Table of PDS Input Data """"""" """""""' 17
2.3.1 Tßprobabilities"" """""""""'17
2.3.2 Cotterages """"""""""' """""" 18
2.3.3 P-factors """""" 18
2.4 FufherVÍork """""""'23
2.4.1 Variability of the ?IF probability"""'-':"""""""""""1"":"""' :' ::: ' |""'T3
2.4.2Distinguon*.*.*u"ö.*i'*¿i'"*anellofsduringtesttng......'''ANIETHoDFoROBTAININGAPP"'"o",o*,""orrcTIFrnosÆILITIES.......'.'..''............25lll.trn¡lllntion......'.......''...........'.
3. A NIETHoD
a^1a Á',
3.i
I
I
k
Relìability Dala for Conlroì and Safety Systems
1998 Edition. )
2. RnsulrSulrulnY
2.1 Parameter Definitions
The following parameters are quantified for each component:
À"¡,=Totalcriticalfailurerateofthecomponent.Rateoffailuresthatwillcauseeithertriporunavailability ";*#.r,
-n
".ii* (unless cletected and prevented from causing such
failure).
Æß.=RateoffailurescausingFail-To.operate(,FTo)failures,øndetectablebyautomaticself-test.The,FlofailurescontributetotheCriticalSafetyUnavailability(csu)ofthecomPonenlsYstem' * \,\,,.
ÌliÉ,=RateofSpuriousoperaúon(So)failures,undetectablebyautomaticself-test.TherateofSpuriousoperation(So)failuresofacomponentcontributestotheSlRofthesystem1åa.p"nO"ntofoptràtionpbllosophy)' l\+'"
Àndet = Total rate of ¡¿r¡detectable failures' i'e' /ffi?t * 2i10"
lFTO/het = Rate of failures causing FaiJ-To'Operate (-FIO) failures' detectable by automatic self-
test. t\\à
=RateofspuriousOperation(So)failures,detectablebyautomaticself-test'Theeffectofthese failures on tne spuriouì trip Rate (S7R) depends on the operation philosophy'
= Totalrateofdetectablefailures,i'e' W+ ftf'
= Total rate of critical FTO failures of the component' Causes loss of safety function
(unless detected and prevented from causing critical failure)' i'"' Æ + m''
lso'"ðer
it
h",
TFTO/brit
Ìy* = Total rate of critical so failures of the component. causes loss of production regularity
(unlessdetectedandpreventedfromcausingcriticalfaiturÐ,i.e.,i,fl+,{f0"..
,no--Lw|^F[ll=Coverageoftheautomaticself-test+controlloomoperatoronFTo- fu¡-lor.r. É ih¡"o',atiL t'?$à'ìr{,,\r : '}kl\òå"
,So=1r.t^n=Coverageoftheautomaticself-test+controlroomoperatolonSofailures.
nF-Theprobabilitythatacomponentwhichhasjustbeenfunctionallytestedwillfailon¿eman¿ (applies for FTO failures only)'
The relation between tbe different ¿-values is shown in Table l '
:i. xr ...: : ,¡\
\:*- * '."$.IÈì INSTRIIMENTATION AND ELECTRICAL TECHMCAL AND ENGINEERING SERVICES
::. '. .
Phase 4
Overall SafetY Requirements
Specification comprised of the overall safety Function Requirements and the overan safety Integnty Requ'ements
Incrudes. for each safety function trre necessary risk reduction required to achieve the target level and the required safeqv
Integri(y of the components' r r,^_^r^ñ^1 peds to be maintained
This documentation forms part of the Eâzard and Risk Management Description, which r
tluoughout the EUC's Safety Liferycle'
Risk Reduction
T'e required Risk Reducúon can be determined either qualitatively or quantitatively- Bs EN IEC 61508-5 contains
examples of both methods'
The quantitative melhod reads to rather laborious calcurations and is not u.idery used- The quaritative method using a
.calibrated' Risk Graph is significantly less laborious' (It is also possible to use a Risk Matrix)'
T'e proposed method of this guide is a cornpromise between the quantitative and qualitative methods, and should alleviate
some of the non-linearity probt"* of the Risk Graph approach'
Neither the qualitative nor the semiquantitative method requires the numericar exact determination of the risk reduction
facror for each safetv fi¡nction. However, ,fd;;;;-"-;*i, nu.r. u""n àerermined and the required sIL been found' the
risk reduction factor (RRF) is simply the inverse oithe PFD",= as in this table for the sIL'
For example. if the determined SiL is 2. rhe range of pFD""=of the safeqv function is between 0'01 and 0'001' The
corresponding range of RRF is then from 100 to 1000-
Safetv tntegrit-v Levels (SIL)
targetfailureforasaferyfunction.allocatedtoanEÆiPEsafery"-relateds]_Stem
Phase 5
Safeqv Requirements Allocaúon
It is expected rhat the normar engineering procedure of a EUC operator w't take into account the requirements for t'e
erlernal risk reduction facilities like fire walls. drainage and vent syï;s. Àso other safety related systems zuch as relief
'alves and nrpt*re disks. therefore. tïey are. in tltit gù¿" considered as pârt of the EUC'
The remaining Risk reducúon required to achieve the As Low As Reasonabry pracúcal (ALARP) value is that required of
the SIS.
Tlre functioning of the sIS needs to be verified as meeting the required Safetv Integritv Le'el (sIS) for each component
forming the qYstem architecture'
In this gr¡ide, the risk assessmentand sIL determination are then based on the remaining risk after the external risk
reduction facilities and otìer safetv related s-vstems have been implemented' i'ê' ttre leftmost box in the figure
The fo'owing figure illustrates the generar concept of safetv requirement allocation to the three safegv s-vstems'
10.000 to 100.000> t0-5 to < 10*1000 to 10.000> lo4 to < 1o-3100 to 1000> l0-3 to < 10-t0 to 100> to-' to < to-'
I.R llitchen BA(TIons) C.Eng" MIEE' Profit Through Loss Control (BS EN IEC 61508) Part One t1 of23
t2
Table 1 Relation between different 2 _ values
Undetectable
Detectable
Sum
Some of these parameters, in particular the rlf probability, and partry the coverage q are æsessed byexpert judgements, see /13l. A¡ essential element of this expert judgement is-to clariff preciselywhich failures conhibute to ?7F and l.¡¡, respectively. Figure I was used æ an aid to crarify this. rnparticular the following is stressed conceming the iterpretation of these .on."p,r-* used in thepresent report.
Spurious operation}so
îso'"d¿¡
7sotudt
Fail to operate
@ STNTEF
lFTO/tnd¿r
I "¡t
2FrOtriet
¡FTOh.
2FTO'Înr
¡SOhd"t
il
{ro'!undet
l,o¿",
2'"det
nSo4undet
Detected by automatic self-test, or byoperator/maintenance personnel(inespective of funcrional testing).
Loss of safety failures. Detected bydemands only.
Trip failure, immediatelyrevealed. Nol prevented by arytest.
Design enorst softwae. degreeofdiscrimination'Wrong
LocationInsufficient fct. testptocedureHuman error during test if. forget to test
' wong calibration
' damage detector. leave in by-pass
A^,
Coveragec= loolÀ*,
Belìability Data t^- Controì and Safety Syslems'
1998 Ed¡tion. )
E}
Thus,notethatifanimperfectÞsrlngprinciple^isadoptedforthefunctional.testing,thiswillconr¡ibure to rhe IIF prouuffi.-n- îniun.", if a procåss switch is nar tested by introducing a
change in rhe pro""r. itr"tt u'oirå,¡". "i""tãüy i*pårirg u ¿"¿icated test signal, there is no perfect
functional testing, æ ttre test wilì'not ¿"""t a blocking of the sensing line'
The contributions of the T/F probability and x.¡-¡o to the cridcal safe{ unavailabiliw (csÐ are
illustrated in Figure 2. I' Sí"rt,ïrtil.* t"üÙn*"q io tt" f¡tut" rate are phvsical faíIures'
ComDonents with physical fJ;;; ;q** ,o*. t ind.ot r"p; ,o ,"* to an operational state' The
contfiburion to csu ao* pri*i"i;.il,.i ü,u';d "li"í;"ã bv tunctional iesting' on the other
hand, failures contributing -iäJtiËîr"tãu¡try ; ¡*o¡*ol ¡å¡nrøs. No repair is required but
suchfailureswi]]occurrepeatedlyifthesamescenariorepeatsitself,unless.modificationsareiniúated. The contribution ,iåiäffi"ñn;ä:Ji;Ñ; ir'utto*t¿ constant' independent of the
frequencY of functional testing'
Figure 1 Interpretation of reliability parameters
TIF probabilityThi.s
1s t!1øobability that acomponent, which has just been tesred, will fail on demand. This wilìinclude failures caused e'g. by-improper/wrong loc"ation or inadequate design (software error orinadequate detection principle). tmperrèct functiãnd testÀg pnncipleþrocedure will a.lso contribute.Finally' the possibility that the maintenance crew perform an erroneous functional testing (which isusually not detected before the next test) also contribute to the ?IF probabilitv.
10'2
103
10{
Figure 2 Contributions to CSU
CoveraReThecoverageisthefractionofthecritica]failures,whichisdetectedbytheautomaticself-testorby¿rn operaror. Thus, we include as part of the ":Yiq:.î;
t;ure that in s91e way is detected in
betwien functional tests. Anãalo! r"nro, t..g. t *r*itt"rj ti,ìi ¡ "tto"r" will have a critical failure'
but this failure is assuméd ,"^#Ëffi;,i. t*.t "p"í*t -¿ thus contribute to À¿"¡' Any trip
ä"* ;i; derector, eiui,,e"" "r;i:"d
:T:l ' ::J:'Jiil#,låî:,i:."JiiÏ;::fi;:Ï #uuto*uti" activation (trip) to occur is also part ol À¿r an ' r the operauon
include in À¿", failures f"; ;hi;h a np coutd be prevented by specifying so tt
philosophy'Thismeans rh^rb:';; ffi*à Zffu' cancontributetothespurioustriprate'
TTTFunctional test interval
IRevealed ¡n
functional lesl, lrl2(physical failures)
Unrevealed in
funcl¡onal test, TIF(luncìional lailures)
t4
)2.2 Ãpproach and Data Sources
Failure rate dnta in the 95 edition is mainly bæed on the oREDA phæe Itr database, which _ in thepresenr report - is updated wirh rhe OREDA phase IV data.
The idea is to let the estimates from the 95 edition form the so-called pnar diskibution, and nextupdate this prior distribution to the posteior distribution using oREDA rv jurÑin." the 95 editiononly presents point estimates,
_it is not possible to establish u "o,rrpr*-pior distribution.Pragmaticaily we therefore use the point estimate as the mean vaiue of the prior distribution, a¡dmake an implicit argument about the variation in the prior distribution *dæcåb".-å in the following.It is assumed that the true fail*" t:l:.f":i given e4rìipment type is a random variable with a priordistributed Gamma(q, p), see e.g. /16/. This distrituìión will be updated with the observed failuresand calenda¡ times from OREDA phase rV and used to give the new faü*..*" À,i*u*r.
'we.need t: specify the parameters of the prior dishibution by speciffing its mean a¡d standa¡ddeviation' To simplify matters we assume that the mean in ttre gamma prior is the previous failurerate estimate,Lø. Furthermo¡e, it is assumed that ø= 1 which r.do"* trr. g**nì art rbution to anexponenrial distribution. This implies that the standæd deviation "f
rh. ñ;;;;; and is equal tothe mean, l¿¿. Note that this assumption need not always be approp.iute, ñ th; a¡e not enoughdata to validate the æsumption.
Now the new failure rate is given by
1t ¡^
tÎ I
'þnw -l]i-tlAoD + t
where / is the number of failu¡es obsewed in OREDA phase rv, and r is the equipment,s totarcalendar time in OREDA phase rv. Nore rhar this method can r" useo repeateay irnË.¿"¿.
The following should be noted about the update of the reriabiliry dara esrimates:
o For some equipment types additional data was registered in the oREDA phæe Itr database afierthe finishing of the 95 edition . lvhen this is-the cæe the previous estimates are updatedsequentially with the complete OREDA Phase Itr data and rhe OREDA phase Ñ data, using theapproach described above.
o Also, for some types of equipment, there are no inventories registered in phase rv (r = 6¡. ¡,¡r"r"are additional data in phase rr, the OREDA phase III ¿uta arã us"a io;pd;;; reriabiriry datagstimates' If this is not the case, the previousìy recommended estimates still apply. (Note that ifthere are no,faitures registered in phase rV(f = 0) tlri. i.¡;;;ìì;;î';J"ä., updare theestimates).
o There hæ been no new expert judgements in this project, except for those related to the themethod described in chapter 4. Thii means that no iIF variu, ,ir"pi ¡o'ì-iÃ- gà detectors, havebeen changed since the 95 edition.
t Th" covemge updates are taken as a weighted average between the previous estimates and theobserved coverage in the OREDA phase IV databæeì. The previous åstimates are given doubleweight since they include expert judgements arid the datá material is s"o¡c",
"ven with theOREDA Phase IV dara.
@s5|LiiulllF Relìabitily Dala for Conlrol and Safety Systems
1998 Edition
For the sake of comparison, the previously recommended estimates - along with the source
tisting - æe included in the data dossiers'
Notethatintheg5etlition,thedatawerepresente-in.asliehtlydifferentway.Insteadofusingacomrnon coverage for both iôäO nfCj types of f¡rurel tné coverage is in the present repofl
split into its FTO -a so purt ]rJ"i."iiãn áj. rni, l, ¿on.ìo ¡" comiatible with the PDS Tool'
SomefiltersusedinthepreviousstudywithearlierversionsoftheOREDAsoftwæea¡enotã"r"oæiUf" *itf, the later versions' Thus new filters have to be set'
WheretheoREDAPhæelllorlVdatabasedoesnotcontaindata,ordataissca¡ce,thefailurerateesdmate is bæeil on other releîai;;;;;;-t'ún"¿ in *'"ìt"'i*: *dl:lTl:*liduat reliabiLiry
data dossiers give informatirîrî; th" il sources for the uario,rs components'-The previous
estimates in the ss .auon *'ie;; ;;;;;;xt*bïi9,:" o'ht' 'o*t"t than the OREDA database'
ö;;i;v.J;w of all the failure tutt dutu to*tts are given below'
OÙEDA - Olfshore Retiabit¡Û Datq rel' /1/' /2/' /3/' /15/' /17/
Hll;:;;;' oREDA ParticÞants' distributed bv DNV rechnica' Høvik' Norwav';;;1.;r'r,
rs84,1se2'.ree3andree'I
"#:"1î;:"'"'H"iffË,'i"îîå'f i,,3îi-:""i.:åì"lilff å',,iåiïi.'ffi "ïiliåexpenence, installations, collected from installation'î".ãi" Ñ"nn Sea and in the Adriatic Sea'
OREDA has publishecl tlrce handbgg;tl ì'i "iiti"t rt9ry- T8: (ref ' l3t)' 2nd
edition ftom tbgz Get' t2) r'fld:¿ "¿ilon
frqT l?e1 !'"j''11-%:**r' there are
threeversionsoftheOREDAdatabase,ofwhichthelatestversion.isthemaindatasourceinthisrepoft,denotedtheoneplpr'*"Ñd"tab"s"(ref./15/).Thedataint¡e Onepà pnle fV database was collected in 1993-96'
Oseberg C 'Experience Datø on Fire anil Gas Detecton' ref' /4/
Á;;í":ri Jon Arne Grammeltvedt'ä;:;u;rt
Norsk Hydro' Research Centre' Porsgnrnn' Norway
Publ.war: 1994
";:::;:::"Ï' if:"ätJ;i::ents rerd "-ry.-".:i- data on catatvtic gas detectors' IR name
detectors anå smoke detectors from the Oseberg C pìatform in the North Sea'
WLCAN - A Vulnerability Calculation Methoil for Process Safety Systems' ref' /5/
Author: Lars Bodsbere
publisher: Nor*"giäirirtituteofTechnology,Trondheim, Norway
Publ.Year: 1993
';':r:;i::"?'' i#l;ffiT:serration incrudes experience railure data on fire and sas detectors
rrom"J;î,il;;;iglrlr:^.: jl,;:;í,gl*:m:,*:lJJff lìî1"i:ñ"1:very comprehensive with respect to ra
,nu,,n"
"äiiäiåìt
¿t" rt"i'¿t¿ in the oREDA Phase III data'
l)
l6
NPRD-9L: Nonelectronic parts Reliability Data 1991, ref. /9/Authors: william Denson, Greg chandler, william crowelr and Rick wannerPublisher: Reliability Analysis Center, Rome, New york, USAPubI. year: 1991Data based on: Field experienceDescription: The handbook provides failure rate data for a wide variety of component types
incruding mechanicar, electromechanical, and disc¡ete erectronic parts andassemblies. Drta.represents a compilation of field experience in military andindustrial applicarions, and concenrraies on irems nor.o";.J;t ú'--HDBK 2r7,"Reliability hediction of Erect¡onic Equìpment". outu ãu1., include partdescriptions, quarity levers, apprication erwiionments, point .rti*ut", of failu¡e.^il^l:r:^**.es, number of failures, rotal operaring.toun, an¿ detailed partcha¡acteristics.
ne\bilitl Datafor Computer-Based process Safety Systems, re!. /g/Authos: LarsBodsbergPublisher: SINTEF Safety and Reliability, T¡ondheim, NorwayPubI.year: 1989Data based on: Field experience/expert judgementDescriprton: The report Presents field data and guide figures for prediction of reliability of
computer-based process safety systems. Data is based ãn ¡eview of oil comiaaydata files, workshop with technical experts, interviews with technical ;p"*;áquestionnaires.
T-boken: Reliability Datø of componenß in Nordic Nucrear power pranß, ref. /6/Authors: ATV-kansliet and Studsvik ABPublisher: Vattenfall, SwedenPubl. year: Version 3, 1992Data based on: Field experienceDescriptíon: The handbook_ (in swedish) provides failu¡e rate estimates for pumps, varves,'
instruments and electropower components in Nordic nuclear power flants. The dataare presented as constant failure ¡ates, with respect to the most significant failuremodes. Mean active repair times a¡e also ¡ecorded.
F ARADI P.TH REE, ref. /7/Author: David J. SmithPublisher: Butterworth-HeinemannLtd.,Oxford,EnelandPubl. year: Fourth edition, 1993Data based on: Mixture of field experience and expert judgement ,Description: The rextbook "Reliabilþ, uatntanaw[ity and Risk - practical Methods for,: Engineers" (ref. lZt) have a specific chaptér and an appendix on-iailu¡e,rate data:
The data presented are mainly compiled from variãus sources, such as MIL-HDBK-217, NpRD-r985 (i.e. rhe 85 vìrsion of MRD-91) an¿ opGoe Handbook' 1984. The failure rate data presented in the textbook is an extract.from the databaseFARADIP.THREE.
,@stltìllllEm
Reliability Data for Control and Salety Systems
1998 Edìtion. Ì
2.3 Summary Table of PDS Input Data !
Table 24summa¡ise the recommended input data to pDS analysis. The definition of the column
fr*aingr r.tut", to the parameter definitions given in Chapter 2'1
Somecomments'basedontheexpertjudgementsessionperfolle¿¿]:nngthe^previousandpresent;öiäñ;à;dbelow, in partiËuhr onihe given values for l/F and coverage'
i11'l'r"r'- t''''-'¡"" i-\lo"-*' ilr';"'"' ;1 ìY\r'rr'i--! ")\r.i
2.3.1 rrFprobabilities i;;þ{ tr-i:-ì1.1.:l),,:r, .n ,¡".\-;1\, ",.,;..,,, ..,,;ì.ù-,,r." ,,;*t},.-
,\.,. .^ " {,,.t,s 'rt--tt-o''-t ' - {.,.,:;r) .
.Process tüffinrra
probability, 10-3, is assigne¿ io üI switch itsJlf, essentiatly caused by human
interyention (" g' ü"*t";ätatî n"*O' ny it"i"A;ttc the sensing line (piping)' ¡he TIF
probabiliry *uy lnårË*" ,o 5.10-3, uniess u p"i"", funcîonal testing is carried out' which
also detects blocking of the sensing line'
ProcesstmdreÉ"rs have a "live signal"' Thus' bloc-king "f
th".1:i:T^i lineìsdetectecl bY the
operator -¿ is ln.tì,¿"ä ,n "U,.aßo a significa;t part of failures of the transmitter itself
(all ,,stuck,, failures) are detected by the operator anicontribute to 2¿",. Thus' the lIF prob-
ability is less thær'thì of the switch. sma¡t and field bus t¡ansmitters are, due to mole
"o*pl"t"'"túng, expected to have even smaller lIF'
Gas detectorsNotethatanewexpertjudgemenîsessionlgasperformedduríngthelggSstudy,givingTIFvalues for g* a.tã"ior. dîfferentiated *itt r"sp""i to detectoitype S point or line)' the
size of the leakage, and other .onaition*p"íja inflo"n." ihe TIF probability for IR
detectors. s". cri"pto ã iã, ¿"t"1.. a¡, 1at-probability for catal¡ic gas detectors was not
evaluated * tfo' t"ãn"ology is considered to be old and less relevant'
Fire detectorsItisassumedthata.detectorwiththe,,right,'detectiorrP'il"'Pl:is.applied(Smokedetectors are applied where smoke fires t" "*p"tt"J*a
d: *-i::nt^îwhere
flame ftres
æe expected') Even so' there ìs a.possibility tiat a fue may occur which gives a very low
orobabilityofdetectionbythedetectornuîro"".i*.bo"tothisfactanintervalisprovided for
"^.h ää";:Th; i¡r u¡u. *u1n ;dt,i"; to the size of the fire, essentially
depend on tne tocaùor/envi¡onmenr "r *t ãli""t"t (indoor/outdoorl qrocess area/living
quarter). n", *"i"ä""' '*"t" detecto¡ ttt"-tJ* 19:t æ-ptï:^l^"jtilt"ctors generally
serve as " ,".onäuìì iuri"., and the value is sigrrificantly grelter' Flame detectors are
reliabte untess "ìîîåf îä"t" ir J;"n4_t""imalted ,IF = 3'104), but oil fues in process
æeæ will d*"1ö;il;ir*"r.", *¿ u ?Lprouuuiliry as high as 0.5, could apply'
PLC systems , - ^^ ^^ç+",ô'a .*^'q For dedic^---"'T;;rIF for the rogics is.essent4lt *:jî.','Jîï"::il""::rff:.t"#åfiiìthlTîHI :*i,':ï"n::Ïfff îJ l"iliåi r'Jffi *md;;;,år,**" ""o's
Fo' standard
systems, the estimate Î/F = 5{0- appxes'
11
18
ValvesThe zIF probabiliry for ESVs witl depend on the type of functional resring. If the ESV isshut in completely and pressure testeà, iryF = 10-6'ithis
"¿"" ir al*"*å because of rhepossibility of human elrors' e'g. related to bypass and improper testing). If the ,,functionaltesting"just involves a check that the valve moves lstarts closìng¡ on dãman¿, the value 10r is suggested. This.?IF val,re also applies ioi
"ont ol valves. AII these values include thepilot valve. The major contibution to the llF probabiJity for psVs is wrong set point dueto enor of the maintenance crew, and the same TIF vaJue æ used for switches is suggested(sensing line nor included).
2.3.2 Coverages
SensonLine testing gives a coverage of 20vo for switches, conventional transmjtters and ESD pushbuttons' In addition operatoß detect a significant p* of p.o"".r-t¡animitter failures(transmitter being stuck), giving a total coverage foi transrnitters which is significantlyhigher. For gas detectors also drift are detected (low alarm) an¿ trris *-uy
"uur" trips to be
prevented. The given covefage for smoke detecrors applies for analog sensors.
Control logicFor bus coupler and communication unit 1007o of Îrip tailures actually gives trip. Further, itis estimated that 957o of loss of safety failures æe detected, and a Fró iailure is prevented.
ValvesNo automatic self-test for valves. It is estimated that o-pgqlo"rs detect 6^5/9 of criticalfailures (stuck railures) for çB¡¡-q9l-ygJ=v^es. There ." ..ffiiãa so failures on valvesdetected by continuous condition mõñioìrl,ng in the OREDã phase fV data It is assumedthat these failures are detected by operators and thus included in the So coverage.
Note that these values are partially updated with the TREDA phase IV data, see also thecomments in Section 2-2-
23.3 p-factors _r.1,r,rn flq¡\a
When quantifying the reliability of.systems elnploying redundancy, e.g., duplicated or triplicatedsystems, it is essential to distinguish between indepentlent and, dependint foiìor"r. Normal ageingfailures (see /141) are usually considercd as independenl failu¡es. However, both physical failuresdue to excessive stresses/human interaction and alt firnctional failures are by nãture depend.ent(common cause) failures. Dependent failu¡es can lead to simultaneous failurå of more than onemodule in the safety system, and thus ¡educe the advantage of redundancy.
In PDS dependent failures a¡e accounted for by introdu cing a multiplicity ttis¡ibution. Them-ultiplicity distribution specifìes the probability that - given that a failure has ãccurred - exactly ftof the n redundanr modules fail. Here, & equals r,2, ... , n. The probability of k modures failingsimultaneously is denoted p¿.
@)stlNTEF Reìiability Data for Conlrol and Safety Systems'
1998 Edirion. ]
As an exampre, consider the murtipricitv,gt-:'b:i:.î^1":li:i'åliltih::IîJJJ;Ï5':;:;ä;; ã H+ r' : 0 ?0_Tfj"';3,.i;TÏi'i:ffiå:h'ü,"i"in'iv ir'" uoth modures have
probabilitY that just one mo(
failed is 0.10'
Figure 3 Example of multiplicity distribution for iluplicated components
Table6plesentsrecommendedp.factordistributionsadoptedfrom/11/.Thedistributionsarepårå"il"i ,tte following degrees of dependency
¡ Lowr Mediumr Highr ComPlete
Table5pfesentsguidelinesforselectingappropriatedegreeofdependency(adoptedfrom/11ô.
Fìeliability btæk diagrm ot
the redundant modules
lo
Unit A single SimultanìousìYfailure la¡lure ol A and B
B singlelailure
20
Table 2 Failure rates, coverage and TIF probabilities for input devices
Gomponent
¡. InpfficeProcess Switch,Conventional l)
À-i;Pf{ 106
h¡s
Pressure
T¡ansmitte¡
Co
cFrQ
Level (displace)
T¡ansmitter
verage
':.t .: 'i, :..
| .so
TemperatueTransmitter
3.4
FlowTransmitte¡
1 FlQ"ùndd;:'1SO : ,,Lnðà¡ |
l.J
90Vo
Gas detector,catalytic
)@ sulìlilem
3.1
'I-¿.r.iIff"
9ÙVo
20Vo
Gas detector IRpoint
per 10ó
lrst| ¡So| ^'n¿r
I
90Vo
.8
20Vo
2.1
Gas detector IRline
60Vo
50Vo
1.6
lL'*
Smokedetector
0.2
2.3
60Vo
60Vo
0.9
Heatdetecto¡
0.1
J
0.9
60Vo
.6
5jVo
0.6
Flamedetector
0.t
3.6
0.4
80Vo
l.lo3 - 5.10r 2)
4OVo
0.7
ESD Pushbutton
Reìiability Data for Control and Saf ety Systems
1ee8 Ed¡tlon. )
0.3
0.8
80Vo
3'104 - 5.104 3)
7ÙVo
0.6
2.4
0.4
40Vo
3.104 _ 5.104 3)
7jVo
Table 3 Failure rates' coverage and TIF probabilities for control logic
t1 .0
0.6
8.2
1.1
50Vo
¡)
2)
3)
4)
6)
1)
8)
3.104 - 5.104 3)
507o
11.0
Daa primarily apply for pressure swrtchesWilhout/with the sensine lineFor smarlconventional,iespectivelyThe rangc,gives values for læge ro smalt gas leaks (large gas leala a¡e leak> I kg/s)For smoke and flame fres, respectivelylherange represents the occurence ofdifferent types of fires (different locations)Forflame and smoke frres, respectivelyAverage over ventilation type and besl,/worsr conditions, see Chaoter 3
0.7
1.0
0.4
5OVo
3.i0" - 5.104 3)
5OVo
0.5
0;l
0.1
20Vo
5OVo
3.104 - 0.1 4)
0.6
0.8
6.10-3 _ l.l0_3 4,8)
0.1
2OVo
1.0
0.5
6.10-2 _ 7.70-2 4.8)
1.2
0.3
Field bus
couPler
2.1
1.3
lo-3 - o.o5 5)
0.2
2.1
0.05 - 0.5 6)
Control logic units
0.6
3.10* - 0.5 7)
l) Note that the value for one signal path is somewhat less than this value
t) por ftfv ceruned and standud system' respectively
Table 4 Failure rates' coYerage an'l TIF probabilities for output devices
l0-5
Component
21
ESVX-Mas
,E¡
per 106'hrs
5.10-s - 5.104 2)
Other ESV lmainvalve+actuator)
COYeraBe
crro..l cso
Pilot valve
Control valve,
small
I .6
Control val-ve,
læge
j IilO,.,"ùndr¡
--l so'-
,,ffi'
Outpul
1.6
OVo
À.¡a"¡ Per 10o
hrs
Pressure reliefvalve, PSV
4 .2
devices
30To
OVo
7.6
rff., I rf...
20Vo
For complete and incomPlete functional testing' respectively
ttote tnaì tnp of fSV does not necessarily lead to system [aP
ÙVo
1.1
,R
604o
3O7o
+-3
0.8
1.2
'107o
6O1o
0.7
TU'
1.3
0.5
'7j%o
07o
17.8
I A
0.3
1O6 _ 10-s r)
0Vo
3.0
2.8
t.8
lo{-105r)
5
0-8
.0
0.1
u-¿
1.0
10-s
o.z2)
t0-
10-3
22
Table 5 p-factors of various components
Component'.
, =hlFire/gasdetector
te'rmÐ p-factol:disfribution
Àmo
¡.so
Pressure switch
Ttr<0.2
2: Mediumdependence
Pressure
hansmitter
Comment
TIF>0.2
3: Highdependence
,@ SINTEF
ut devices
Field bus
transmitters
4: Completedependence
Same manufacturer, environment and maintenancecontribute to CCFs
atl
"iO
Same location and design give high fraction ofCCFs
all
2: Mediumdependence
PLC
Almost complete dependence when the detectorsæe applied in scenarios which they are not de_signed to handle
1: [¡wdependence
all
Ouþut devices/Valves
Same manufacturer, medium location and main_tenance contribute to CCFs
Pilot valves onsame valve
1: Lowdependence
all
Field data shows a significantly lower f¡action ofcommon cause failures for transmitters ascompared to srilitches
Pilot valves ondifferent valves
2: Mediumdependence
Reliability Data for Conlrol and Safety Syslems
\1998 Edition. 1
ESV
Application software has a lower fraction of CCFsthan the system software
aIl
Couplers
Table 6 Recommended p-factor tlistributions
all
2: Mediumdependence
System software errors gives a rather high contri_bution to CCFs. Other fr:nctìonal failures alsoconûibute.
all
1: Lowdependence
r) specifies which failure rate/probability rhe given distribution appries for
1: Lowdependence
all
Same design, location, cont¡ol fluid and main_tenance contribute to CCFs
Lower fraction of CCFs when pilots activatesdifferent ESVs
l: Lowdependence
Same design, medium a¡rd maintenance conhibuteto CCFs. Field data indicate a relatively smallfraction of CCFs..
Application software has a lowe¡ f¡action of CCFsthan system software
2.4 Further Work
Boththeg5editionandthepresentstudyi]lust¡ates,thatfurtherworkshouldbecarriedoutonfailufedata definitions/cf*rifr"ution io inir".rJ tn" cr"¿i¡ility and validity of reliabiliry analyses:
2.4.1 Variability of the TIF probability
Forseveralcomponents(e.g.sensors)thereisobviouslyawiderarrgeofTlFvaluesthatmayapply'depending on various factors such as
- location (e'g' indoor/outdoor' process arealliving quarter)
- detecdonPrinciPle- ;;;;s"(e'!'anaiogue/diqil4'Pginqn'].-,^^,,-- svstem boundary it'g' *ittt/*itttout impulse line)
- fype of functional testing þerfecVtncomptere't
- u*ount of self{esVmonitoring
Anefforthasbeenmadetomeetthischallenge,b.ytyfaronlyforgasdetectofs.However,itisanobuiou, need to quantirv *"Ï:îö"t'ü+;;"':"t:::tí:i*l'r":*;mt"?iiî:ttr#åtå'åor.* ,vp.t, so that an appropriate T/F value' rerlecung
for actual studies'
2.42 Distinguish between design errors and human errors during testing
ItissuggestedthattheTlFprobabiÌityshouldberestrictedtoaccountforfac.*:'ll,arepresentfromday l, and which are ".""i';ä;#
in-ly uuto*utl"¡f"".,1"ìJ "tt' These are failures caused by
design enors, e.g' including *'å"î r""ìr* "f d".:t:'.t:-t-t';;i;-suggested th-i|1{ errors introduced bv
the maintenance crew upoi testing (e.g. by;pals ruilu,", -J ini¿ãquate testing) should be defined as
a separate category of f"ifor"s,--ar;d'no't Ué inctu¿e¿ i" ili'üË-p't"äîility' u"Jprov"d models should
;ää;t.a 6r fäitures inuoáuced during tunctional testing'
ñ-"er.. "f
d"pendenceruã¿ium I Irigh
r.'t.r.,.À.¡
0.98000.01800.0015
23
24
)
The above suggestions will make analyses more credible and accurate (ptant specifrc), and it willfacilitate the communication.between analysts and maintenance/operational personnel. It wili alsomake analyses more informative with respeãt to identifying facto¡s that "rr""
ri" i"ü"-ùiliry, and rhusidentifuing means of improving system dèpendability.
\g ÐtlNULqf Beliability Data for Control and Saf ety Systems'
1998 Edition' )
3. A unrgoo roR oBTAINING ÀPPLIcMIoN sPEcIFIc TIF pnosnnIr.rrIps
3.1 Introduction
In most RAMS analyses generic data are used as input parameters in quantitative dependability
assessments. These generic ä;;;;;;i ;uu"'ug" "¿*i;unJ
it is theiefore desired to establish
a method for adjusting th"'"-;;;;g;;alues to tut' 'pt"int
conditions into account' In this report
vr'e present a merhod f", "urrJtî;ïr;; "aà-u¡nut øt^git-iirryrrs. In future repofts we aim at
;.:"ï;ffi;;iit"¿"l"gv iÀ otñer parameters and equipment classes'
Firstthemethodisestab]ishedandcalib¡atedbasedontheresultsfromanexpertseminar.Themain resulrs *. *urn**i."ä ir S".,.. :.S. N.*t tt" orJoi iftã *ttito¿ is described by a step by
step procedure, and an example is given' see Sections 3'7-3'8'
3.2 ConcePtual aPProach
A.conceptualhierarchicalmodelhasbeenestablishedrelatinginfluencin.gconditionstodirectfailure causes and the "rJ;î-T¡f;;"U,liry
u, if*rt ui"å irifig*" 4' This conceptual model
contains a set of baseline züìJr.r'*¿ r"tutiu" i,npo,iulît t*tigñ"1 of the various direct failure
causes.
25
Figure 4 Conceptual hierarchical structure
Thetotall/FprobabilityisthesumofTlF-contributionsfromthefollowingcontributingclassesGA:
r Design enors (CCr) giving TIF¡'
. Wroig Iocation (CCù glvingTlFz
. Insufficient functional å't pîo""ao'" or human errors (CC¡) giving ?lF:'
..Behind,,eachcontributingclassasetofdirectfailurecauses(DC)are.defined,forexample"forset to test" and "*'o'l' ì""îtä" ît-å"sign" The impottun"" of each direct failure cause
within a contributing "r"""i'ï#"åãïy a
"v'eight (wnö' nin¿ty the direct failure causes are
Generic basel¡ne
TIF values from
expert Tminar
\
-( DC,, IV
High
-
APplication specific scores (S)
Generic weights from
expert semlnar
High
26
influenced by a set of influencing conditions (1Q. These are conditions that are controllable bythe operator/designer of the installation.
These bæeline Î/F values and the weights we¡e established during an expert seminar. In apractical study the TIF probability is adjusted according to the staL of a set of influencingconditions..A "check list" procedure is applied, where for each pre-defined influencing condition,l t"of tl given representing the state for the particular applicatiôn. A sco¡e is a number between -I Td 1l' A score of -l represents the "worst
"us"", rhLt u, +1 represents ttre ;üest
case,,. SeeTable7 for an example.
Table 7 Example of check list for TIF evaluation
3.3 Definitions
The following definitions will be used throughout this presentation:
o A contributing class (CO is a class of direct failure causes that contribute to the TIFprobability.
o A direct failure cause (DQ is a specific and clearly defined cause within one contributingclass, influencing the IIF probability.
' An Wuencing condition (1Q is a condition that influences the probability of failures due tothe relevant direct failure cause.
c A score (.f) denote the state of a specific influencing condition for a given application.
3.4 Method
The main idea is to establish rheTIF contribution from each of the contributing classes, and thennext evaluate the di¡ect causes within each contributing class. The following cãntributing classeshave been defined for gas detectors:
. Design enors (CC1).
. Wrong location (CCz)
. Insufficient functional test procedure or human enors (CC3);
In the expert seminar baseline numerical T/F-values were established for each contributing class,CC¡, i = l;,'.,3. These baseline numerícal Î/F-values represent the anticipated range for TIFvalues for væious conditions on an offshore installation. Notational we leT TlF¡to*conesponds tothe "best case" and rlF¡,¡¡s¡ cofiesponds to the "wo¡st cæe" for contributing clasïi.
.A set of direct failure causes are defined for each contributing class. For example for thecontributing classwrong location the following di¡ect failure
"ous"i u.e,- Wrong location by design
- Wrong documentation at installation
,@srNTEFReliabiìily Data for Control and Safely Syslems'
19eB Edition. )
- Modifications
For each conrributins crassíÍ:, iii;,il 1,r.î;îff::,ï:.Îî:1ît li;flft,l; l;;ï i:th*I
of these direct causes a ret¿
ilätillu*;; to 1007o for each contributins class'
Notethatadirectfailurecausedoesnotdirecdycorrespondtotheconditionsthatafecontrollableby a designer. Therefore *;;;Jt*ically focuses äi.,r'"ä"¿i,i"ns inJluenc.ing on a direct
ra'ur" caus". For example,r'.'i""'"i*,1"' "r l"::* 1;Lj;l=*il.:îT::"*:,tÏ:?:tl';odi'"å:;
liäi"îi,ïäffi: ;:îi,::iläiiin 'fi{*4;l r" ' p'""ir"¡ -arvsis a score w'r be
assigned to each of 'h"";;;'i;;' 1iråre -] I:t¡:'ii"ff.#äï:f:;#''Jgli:å"Ïi *;
rräri.Jlffiäîä:ilî.f:"T'":ïfi i"Jlffi;;;;iî' ür' possibre to estabrish an
application specrllc llr'
Thereisnostraightforwædmannertoestablishafe]ationbetweenthescore.sandThreTlF.values'rt
" r"iu,ioo p.";*"u * tti"iää t"d;;;;"å on tt'" following principles:
t TIF¡should equal TIF¡,¡on\f all S¡¡= 1'T1,
' i¡r' Ji""ia equal 1/F,,n3r' if all 'fu = 1,lurthll'---.n, *.* o f the low ardhighrlF-vaiues'-
;.11;;'; tqtà o tne flF strould equal the Seometr
Figure 5 i'ustrates the implications of this principle (TIFnign= 10 r' and rIFø' = lo'3)'
27
:-+-
Figure 5 TTF values as a function of score values
The formula for acljusting the ÎIF for contributing class i is given by:
- .l+S, / al-S,
Tß, =iwDc, (TIF,,," )T (TIF,,ø J'
and the total TIF for all contnbuting classes is given by:
o 0.5
Scoæ
rrn = irq =ä'oc,fr",""Ë h*''.' Ë
Note that average scores on all influence conditions gives:
(l)
(z)
28
rj--TIF, = ) JTF, r-' Tß.o,ro
That is, 71Fa is the sum of geometric means for each of the contributing classes.
3.5 Results from the expert seminar
The objective of the expert seminar was too Establish a set of "Contributing Classes" CC¡ Establish a set of "Direct Causes" DC for each CCr Establish a set of "Influencing Conditions" .tC fo¡ each DCo Establish TIFø and TIF¡¡r¡for each CC¡ Establish ¡elative weights wDC¡within each CC
Two diffe¡ent detection systems we¡e considered:
o Infrared (IR) point detector¡ lnfrared line detector
ln addition the following 8 different scenarios were considered:
o Small gas leakage in open areao Small gas leakage in naturally ventilated area. Small gas leakage in mechanically ventilated a¡ea. Small gas leakage in ventilation intaker Large gas leakage in open area. Large gas leakage in naturally ventilated areao Large gæ leakage in mechanically ventilated arear Large gas leakage in ventilation intake
where¡ Smail gas leakage, release ¡ate <1 kgls i. Large gas leakage, release rate 2 | kgls
Note that such a scenario conside¡ation is only necessary for contributing class cc2 = .,wrong
location".
On the expert semina¡ focus was on the qualitative identification of direct failure causes andinfluencing conditions. In addition, Z/F-values were èstablished for each contributing class fordifferent detector types and scenarios. Based on the discussion on the expert semina¡ SINTEF hasproposed numerical values fo¡ the "weights" of each di¡ect failure cause, and performed agrouping of influencing conditions. The members of the "PDS-forum" have had this results forcomments. Table 8 summarises cci, DCs, ICs, wDC¡¡s and r/F-values established during theexpert seminar and the post processing of results.
psnmrnm Reliabilily Ort" to' çentrol and Saf ety Systems
1998 Edition. 'i '
Table 8 Overall results, TIF consiilerat"Ï t"t *
ËñãouiP.u*"t"rsettings .
(response time, sensitivitY etc'¡
Wrong ryPe ot detecror^
ioo"i."tioi "n"itonment2,
heavy/li ght
lns¡riion <¿tu*ings, taglists' air
@of weather
29
6äõlith h.^uY or light gasses
Giãe-mandqualitatitelY/ouantitâtively different from rue.
áemand (e'g., covered by plasuc oag'
wfong gas tyPe ând/of gas
ô'"äi.dEf C"'uã"t"ãor tesrcd'
forget to test" wfong documentatlon'
mis-understandings)
@odification
$Gt-. -a Pto""dures for
6Tvouss not t"mo"ed (wron g- derecro
úi'p"r*¿' forgel to remove bypass)
@uuitiry and
I No consideration of failure modes ae made
t T"moerature, pressure, flaring etc'
:i:m::ti;;!läation with respect to heavv/right gasses
Ëi@e' accessibilitv
Wpassed componens
ffidtitÑ(ti*t P*ssure' working
30
Table 9 TIF for CC2"V,lronglocation", IR point detector
Ventilationtype
Open
Naturallyventilated a¡ea
Mechanicallyventilated area
Small sas leakaseBest
Ventilationintake
0.5
Table 10 TIF for CCz r¡\ilrong location",IR line detector
0.1
Worst
VentilatlontvDe
5.10-3
104
0.9
{(P st]l,ìlulsF
Open
Naturallyventilated area
0.3
Large gas leakaeeBest
Mechanicallyventilâted area
0.1
small sâs leal(âse
Best
0.01
lo'2
Ventilationìntake
5.10-3
0.05
'Worst
3.6 The relation between TIF and detector densitv
Note that when the values in Table 9 and Table l0 were established the following question wereasked:
"Assume that there is only one detector installed to detect a gas leakage. What ís the TIF-probability of not detecting such a leakage related to contributing class 'wrong location'?"
The f,rgures given therefore contain two types oflocation enors:
r "local" effects related to a detector in an area containing gas
r "global" effects related to the fact that there might not be gas at all in the area where thedetector is placed.
For a specific analysis where only one detector is considered, the TIF values may be used as
stated in Table 9 and Table 10. However, in the situations whe¡e several detectors a¡e used, it isnot straight forward to use these results. When the total CSU is calculated, the "T1F-contribution"from each detector depends on the dependency, or so-called 'þ-factors", and it is reasonable toassign different dependency factors for the "local" and the "global" l/F-contribution.
l0-3
0.01
Wôrst
5.10-4
104
0.1
5.102
104
0.09
Beliability Data for Control and Saf ety Systems
10-2
0.03
Larse sas leakaseBest
1998 Edìtion' )
During the.expert se\ffipaiîJìffåi;:i,Hï:iir'iil::,:å'1'i":r',iïiî'ï;ilYïl;and "global" effects' surr¡
î{c, îlo"¡' eff ect, and'l 57o "global" effect
It is reasonable to assume that the "local" f/F-contribution does not depend on-the density of
derectors. How ever,,n" ..
g r
"¡ ¿ï'i' !Ãp:lîl *rifu:itf"mi"uiÏäT ;Ïrì"Ë1tr
iffïä";;;;,i.: 1",,",jifii*lg'iJffJ,i",:i: fi: ffii;;; procedure suggested berow a
l'"'#"r:"i":iÏ" ä?.,Ï:* assumed
TIF10r
0.01
0.002
7o'2
1.10-3
Worst
2.lf
104
0.02
l.1o-2
2.10-3
r n-3
'Local"
Figure 6 TIF versus detector density
ro simp,irv *j,p:'f-::iiåîJiîi,îï:lfr Ëä,yi*Uk* :ffîffi":löJ$å
number per detector' try i:äî:iÄ"" þ*tr, o:t:t"^ot
ro..uure is pragmatic, ano is as follows:new TIF number i:,p::::.här'ciu
formurus. T¡e Ibe used as usual with the slanoarus uev ¡v^..'----
o. Denote this
r. For a given scenario,,ååro:i",ff"j:,",:,ï:,*iiyjfffif:tm;:it'ä*ratreastonenumber /<, where - = läfi;; å-nly on" d.t."tot.detecror. /( = 0 means *,1iÏi::;#''_-,,'_
= TIF r^,"t¡n"(t - o ;1 5k)
z ää"ïä'¡" ":ri::li:; :,{}: I{'*;;,i[]Xi.'3. This is rePeatedboth ro
3.7 Using the methodologY
AstepbystepprocedureisproposedtoestablishTlF-probabilitiesforaspecificapplication.
Step 1: Identificationofdetection system
--:-r-^red line detector. This choice will determine
i'ti"t,.*g"^"t"::lîiîo',t#:å'o1"l,'J"ï';i:i';whether Table 9 or'l aole
Step 2: Itlentification of gas leakage size
ilirãil"*i"g definitions are used:
. Small gas leakage' release rate < ikgls
. ;;" las leatage' release rate 2 lkgis
3l
Step 3: Identification of type of areaData is available for the following types of æea:t OPenr Naturally ventilated arear Mechanically ventilated area¡ Ventilation intake
Step 4: Establishing correct TlF.values for,Í.ocation errors,,Based on the specifications.in s-teps r-3 it is possible to look-up the cor¡ect values for TIF2,¡¿. artdTIF2,¡¡.¡ f¡om Table 9 or Table 10.
Step 5: Gas leakage scenarioAs discussed in chapter 3.,6 the TIFz,tow and TlF2,¡¡r¡values in Table g or Table 10 represent theTIF for a "single detecror". T\.Tr-c:ntriuution fä derector i, tr",mlu* ãr.**y derectorswin be less than rhese values indicare. To adjust the TrF_varue th; ;.d;t*ñ;;rnr,,,
o, shourd beidentified' we now define È such that k = ioovo = 1 means that .,it is likely,, the gas cloud willreach at least one detector. & less than I mears it is likely that there ir no'¿"t."to, in that areawhere the gas cloud will pas.
Now calculate new Î/F-values
TIF2,bn = TI Fz nn(1 - 03 5k)TIF2¡¡s¡= TIF2,¡¡g¡(7 - 0.75k)
These numbers a¡e then to be inserted in Tabre r2,see discussion in Step 6.
Step 6: Identilication ofstate ofinfluencing conditionsEach influencing condition which hæ been identified should be evaluated with respect to the statefor- the particular analysis. Table 12 may be used as a starting point for this evaluation. In therightmosr corumn of rable 12 the apprication specific ..r"or"^" ,hr"ld ;; iiri.o, ,¡"r" tt"following coding shategy may be used:
S = -1 - Worst state, i.e. no specific means has been identifiedS = -Vz - Bad states = 0 - Average state, or no information about this condition availabreS = Yz - Good stateS = 1 - Best state, i.e. specific means have been implemented
An example how the scores are entered is shown in Table I l.
Step 7: Calculation ofaverage scores for each direct failure causeThe average score for each influencing condition relevant for that cause should be calculated andplaced in column 3 of rabre 12- Tabre I r shows an example of such average calcuÌation.
9suNTEFReliability Data for Control and Safely Syslems'
\1998 Edil¡on. I
Step 8: Calculation of adjusted TIF for each contributine class (CC)
Foieach contributing tl^t ì.,-¡ =-l'"''l the ''F
contribiution is calculated by the
formula:
'l+S' / ,l-S"
Tß, =iw DC u(Tr,.,," F (Tr'0,ø J'
where the weights (wDC¡¡)and scores (S';) are ¡ead from column 2 and 3 in Table 12'
Step 9: Calculation oftotal adjusted TIF
The TIF contributlons "o* "utË contributing class are sumnied up:
TIF=TIFr +TIFz+TIF¡
3.8 CalculationexamPle
A calculation example is given to highlight the content of each step'
il1îJ;l*lrr3:îiïJ.i':iliiä.'ä:ä" a inrrared point detector' hence rabre e is
Step 4.
$i,3iJi:Xt'Iiåi:î,"[ätflT.t:"tiÍT,u," . lksls using rhe "rert" part or rabre e
Step 3: IdentifÎcation of tvoe of area
We assume that the gas'"utug" is in a mechanically ventilated area
Step 4: Establishing correct TIF-values for 'Í.¿calion errord'
B ased on the specification; il; ì ;;" Jtuin TIF z r* = 5' 1 0-3 and rIF 2'¡¡s¡ = o'r'
Step 5: Gas leakage scenario
ä:"d#;;;;;;:ti' '"öã¡z' = 0'33 (relativelv low densitv)' hence
TIF z ton = TIF 2.¡e*(1 - 0.7 5k) = 3 ] 1']y-'liF ri, ;:;^ = TI Fz.¡¡e¡Q - o.?sk) = o'075
These values are used in Table I 1'
Step 6: Identification of state of influencing conditions
Thá scores are shown in Table I I'
Step 7: Calculation of average scores for each direct failure cause
See Tabìe 1 I for calculation of avetage scores
Step 8: Calculation of adjusted TIF.for.each^contributinB class (CC)
The TIF contribution from-each contributing class inTable Il is based on the formula:
33
following
used in
34
lL , .l+s,/, ,l-srTß, =\wDCr(rm,.,,")' 1rm,,* ¡;
Step 9: Calculation oftotal adjusted TIFThe T1F contributions from each contributing class are summed up:
TIF = TIFI + Tþ + TIF3 = 36.9. lO-3
@srNTEF Reìiability Data for Control and Saiety Systems'
1998 Edition. )
TablellExamplecalculation;adjustingtheTlFprobability
35
¿
rj
36
Table 12 Check list for influencing conditions
r@srNTEF
and quaìitatively/vely differentdemand
Reliabilìty Data for Control and Saf ety Systems
1998 EdiÌion. )
4. DemDossrnns
The following pages presents the data dossiers of the control *d ïY -sy-stem
components'
These are the input to Tab; 2-Table 4, summarising the "recoÍmended" generic input data to
PDS-II anaiYses'
Thedatadossiersarebasedonthoseintheg5edition/13/,whichcontainsfailuremodeabbreviations no longer or.irn oREDA. Definitions of these abbreviations æe given in /13/ and
l1'7 | .
FollowingthedefinitionusedinoREDA,severaiseverityclassrypesarereferredtointhedatadossiers. The various types are defined as follows:
Critical failure
Afailurewhichcausesimmediateandcompletelossofasystem,scapabilityofprovidingitsoutPut.
Degradedfailure i-:^^r L,rr.which orevents the system from providing its output within
:"';li:l;lî*:ii:Jî'i::Ï:i'T;l'ili'ili";^,;"'n'' o" gradual or partiar' and mav
dru"lop into a critical failure in time'
ÏÏ,Ï;,tfüïîo"' no'immediatelv causes ross-ora svstem's:'t*tl:tl1Ï::viding íts output'
but which, if not utt"n¿"¿ tî].""* rårU t" a critical or áegraded failure in the nea¡ future'
Unknown
Failure severiry was not recorded or could not be deduced'
Notethatonlyfailuresclassifiedascritica]arepresentedandincluderltheestimatesofthe93edition.
Bypass not removed
I TIF3 r"- = 0.001; 1¡R "'",
0.02
I Total all contribution classes
31
TIF = TIFI +
38
Component: Process Switch' Conventional
DescrtPfion
Pressure switch including sensor and
pneumatic switch
. :Retiability:DuhDjI!4 : PPQ&
Recommenileil Vølues for Calculøtion
*) snmunr
Total rate
FTO 2.3 Per 106 hrs
SO 1.1 Per 106 hrs
Overall 3.4 Per 106 hrs
Døte of Revßion
1999-01-1 I
Previously Recomtneniled' Values for Calculntion (95 edition)
h", = 1.0 Per 106 hrs
l,FTo = 2.5 per 106 hrs Coverage
Iso = 2'5 Per lo6 hrs
L¡, = 6.0 per 106 hrs ag-p¡obability
Reliab¡lity Data for C ) and Safety Systems'
1998 Edition.
r) Withoulwith the sensing line
F ailur e Rate As s ess ment
Thegivenfailurerateessentiallyappliestopressure_switches.Thefailurerateestimateisanupdate of the previous "ui*"*
- *uinfy Uu'"a on OREDA-84 and PDS I - with the complete
oREDAphaseIIIdata(phaserVcontainsnodataonprocessswitches).Theestimatedcoverage
is based on expert judgement lassuming ZOVo coverage)and the observecl coverage (1007o in
oREDAphaseIII).TherateofFTofailuresisestimatedassumingacoverageol90vo(previousiy assumed
'o O"'i*''observed in OREDA Phase III was IOO 7o)' The rate of SO
failures is estimated assuming a coverage of z0 7o (previous estimate, expert juclgcment)'
lJndetected
0.2 per 106 hrs
0.9 per 106 hrs
103 - 5 . 103 r)
Component: Process Switch, Conventional
TheTlF-probabilityisentirelybasedonexpertjudgements.Detailsontheexpertjudgementare
foundintheappendix.AsummaryofsomeofthemainargumentsisprovidedinSection2'3.
Reliabitity rDriø'Dossier:' PDS'ilata
Overall
failure rate
(per 106 hrs)
FTO: 1.39
SO: 0.00
Observed:
cfro = 100 Vo
39
Data relevant for conventional process switches'Phase IV Softwæe /15/.
Filter:Inv. Equipment Class = PRocEss SENsoRs AND
iiv. Dåsiln Class = Pressure
Inv.Att.iype-processsensor=Switch ANDInv Phase=
4 aNn(nv. System = Gas Processing OR
òil processingl ÄND
Fail. SeveritY Class = Critical
No. of inventories = 12
No. of critical FTO failures = 1
No. of critical SO failures = 0
FTO: 0.61
SO: 1.15
Other: 032
Cal. time ='l19 I
T-boken /6/: Pressure switch
FTO: 2.28
SO: 0.32
Other: 0.37
T-boken /6/: Pressure differential switch
For FTO: e=0'149 Per 10' demands
T-boken i6l: Flow switch
0.61
0.15
2.O4
T-boken /6/: Level switch
40
Module: Input Devices
Component: Process Switch, Conventional
' Fniilui¡ e Røl e R èler e n c e s
Overall
failure rate
þer 1Ú hrs)
Reliability Data Dossier - PÐS.data
Lo Me Hi1540
Failure mode
distributíon
In Med. Hi2520
FTO:
SO:
V ÐuNUBLT
Lo Med. Hi440
IÐ Med. Hi320
Data source/comment
0.25
0.15
T-boken /6/: Temperature switch
5.6
FARADIP.THREE /7/: Pressure switch
FARADIP.THREE /7/: Level switch
FTOÆhys. 0.1
FTOÆunct. 2.0
FTOlrorru 2.1
Reliabiìily Data lor Control ano ùaIety Ðy5tErr1Þ'
1e98 Edition. )
5;Ì
FARADIP.THREE i7l: Flow switch
5.2
FARADIP.THREE /7/: Temperarure switch
SOÆhys.
SOÆunct.
SO/roret
6.8
PDS I /8/: Pressure switch (normally energized)
Note! Both physical andfunctional failures areincluded.
Only criÍical failures are included.1.5
2.0
3.5
Co*poo.nt, Pressure Transmitter' Conu entional
DescriPtion
The pressure transmitter includes the
;;i"t element, local electronics and the
process isolation valves'
RetiabilitYDaøDo*t* t M
OREDA-84 /3i: Pressure switch, Pneumatic, Iowpressure (less than I 500 psig)
OREDA-84 /3/: Pressure switch; Pneumatic, highpressure (1500 psig or grearer)
OREDA-84 /3/: P¡essure switch, Electric
OREDA IY - /l3l: Pressure switch. total
Toøl rate
FTO 0'8 Per 106 hrs
SO 0'5 Per 10" hrs
Overall 1'3 Per 106 brs
Døte of Revísíon
1999-01-11
Previously Recommendeil Values for Calculation (95 eilitíon)
ho = 0.9 Per 106 hrs Coverage = 0'60
ÀF o = 0.1 per 106 hrs
Iso = 0.5 Per 106 hrs
ñ --^L^Lilit\' = 5'10'L¡, = 1'5 per 106 hrs TlF-probability
-smartüansm.= 3'104
Undetected
0.1 Per 106 hrs
0.4 Per 106 hrs
= 5. 104
F ailur e Rate Ass es sment
The failure rate estimate is an update of the previous estimate - mainly based on oREDA iII -
with .REDA phase lV u^tJni" ;;;' *å '"ei'tt'". ;ô*o nn^e Iv' The rate of FTo
failures is estimated """*;;;-';;""' t no *f"*l;t*;X"tl-*n:'Ti"ï:lt' .'
î* ì^" "t
to failures is estimated assuming a coverag
ão.porr.nt, Pressure Transnitteúyy
lts' Details on the expert judgement are
rherlF-probabilitv is entireivbasedon *o"i1,'-u11i::;;ÏÏ,*;tä"åî.ä""t"" ''''
found in the appendix' O 'o'o** of some of the main arguments is provided in Sec
RetiabiiitY Data Dossigl!!$e
Qsnmuur
õffià Phase-Iv s"ftwa¡e lr5l'
Data relevant fof conventtonal pressure transmit-
Reliability Data for C' ,and
Saf etY Systems
1998 Ed¡tion.
Filter:inil"equip*"'" clâs: = T:cEss
SENsoRs AND
Inv. Dèsign Clas = k"ttY -,.unrrnitter ÁÑD Inv. Phase =
Inv. Att. Typeprocess sensor= lr AND
ftn". sy.t"t = c's Processing Î*"Oil Drocesslng,Fail. SeveritY Class = CrÍtical
Module: InPut Devices
Component: Pressure Transmitter, Conventíonal
FTO:
SO:
Obsertted:
No. of inventories = 205^rìã. .i"ti i.¡ frO failures = o
Ño. of "¡ti"¿ SO failures = 0
Overall
failure rate
@er IÚ hrs)
çfto = 100 Vo
(Calculated'
including
tansmitters having
some kind of self'
rc$ arranEement
onlY,)
OREDA Phæe III /1/ Database PS3l-'
i"ä ,"n"*, "r
conventional pressure transmit'
ters.
f ifl, .¡t"rlu' TAxcoD=ÞsPR''Al'{D' FuNcrN='oP'
No- of inventories - 186
Total no. of failures - 89
Cal. time = 4 680 182 h¡s
îi r- i "'
ò *, ¡"tlure s cla s s ifi e d as " c r itíc al" ar e
inclwletl ín the faíIure rate esttmates'
43
f-Uot* lOl, Ptessure transmitter
OREDA IV- /13/: Pressure switch' total
M
Module: InPut Devices
Component: l*vel (Disptacement) Transmitter' Conventional
Description
The level transmitter includes the sensing
element, local electronics and the process
isolation valves.
Reliability Data Dossier -. P.'DS-91!
Re c onnenile il Value s for C alculation
Total rate
FTO 1.4 Per 106 hrs
SO 1.5 Per 106 hrs
Overall 3.1 Per 106 hrs
þ snmrur
Date of Revision
1999-01 -1 1
Remarlts
Only displacement level transmitters are included in
Previoasly Recommeniled' Values for Calculatíon (95 edition)
h", = 4.5 per 106 lrs Coverage = o'is
l,Fro = 0.5 per 106 hrs
l,so = 1.0 per 106 hrs
L¡, = 6.0 per 106 hrs TlF-probability = : l:1smarttransm' - 3'10-
the OREDA Phase III and [V data
Coverage
0.90
0.50
TIF-probabíIîtY
Rel¡abil¡ty Data for ( Jr and Safety Systems.
1998 Ed¡tion.
Undetected
0.1 per 106 hrs
0.8 per 106 hrs
= 5' 104
Faílure Rate Assessment l
Thefailurerateestimateisanupdateofthepreviousestimate-mainlybasedonoREDAIII.withoREDAphaselVoata.TherateofFTofailuresisestimatedassumingacoverageof9ovo(observedinOREDAPhaseIIIwasl00To).Therateofsofailuresisestimatedassumrngacoverageof50To(previouslyassumedtobe2}Vo'observedinOREDAPhaselVwasl00T¿)'
Module: Input Devices
Component: I*vel (Dßplacement) Transmitter, ConventiÔnal
TI F -probabílily Ass essment
The TlF-probability is entirely based on expertjudgements. Details on the expertjudgement is
found in the appendix. A summary of some of the main arguments are provided in Section 2.3.
Reliabilitf,Data'Dossier - PDSdata
F aílur q' Røt ii::Riçfp r enc e s
Overall
faílure rate
(per 106 hrs)
1.89
Failure mode
distribution
FTO: 0.00
SO: 1.89
Observed:
,so = t00 Vo
Data source/commenl
OREDA Phase fV Software /15/.Data relevant fo¡ conventional dhplnc ement level
transmitters.
FíIter:Inv. Equipment Class = PRocESs SENsoRs ANDInv. Design Class = Level AND
Inv. Att. Type process sensor = Transmitter ANDlnv. Att. Level sens. princ. = Displacement ANDInv.Phase=4 AND(Inv. System = Gas processing OROilprocessing) AND
Fail. Severity Class = Critica.l
No. of inventories = l7No. of critical FTO failures = 0
No. of critical SO failu¡es = ICal. time = 530 208
6.17 FTO: 4.94
SO: 1.23
Observed:
cno = 100 7o
(CaIcuIated
including
transmitters having
some kind of selfiest
arrangement only,)
OREDA Phase III /1/ Database PS31-.Data relevant for conventional dßplncement leluel
transmitters.
Filter criteria: TAxcoD=?sLE'.AND' FUNCTN='oP'
.OR,,GP'
No. of inventories = 65
Total no. of failures = 50
Cal. time = | 620 l7'7 ttts
Note! OnIy failures classified as "critical" are
included in the failure rdte esftmates'
FTO: 0.21 T-boken /6/: Level t¡ansmrtter
ão*porr"rrtt l*vet (Displncement) Transmitter' Conuentional
tRetiabifitvDallPcrssier' PDS<!!
þer lÚ hrg
L,o Med. Hi
10 20
SilMTEF
irln¡g tZ' t-*el transmitter
OREDA IV- /13/: Pressure switch' total
Reliability Data f or C )and
Safetv Systems'
1998 Edition.
Module: InPut Devices
Component: Temperature Transmitter, Conventional
Description
The temperature transmitter includes the
sensing element, Iocal elect¡onics and the
orocess isolation valves.
R¿liability Dáta Dossier - PDS-data "
Rec ommendeil V alues for C alculntion
Total rate
FTO 0.7 Per 106 hrs
SO 1.1 Per 106 trs
OveraII 1.8 Per 106 hrs
Date of Revision
1999-01-1 1
Remarks
Note that the data material for temperature
ftansmitters is scarce, i e', the failure rate estimate
Previously Recommendeil Values for Calcul¿tion (95 edition)
h* = 3.0 per 106 hrs Coverage
ÀFro = 0.5 per 106 hrs
trso = 1.5 Per 106 hrs
Lr,, = 5.0 per 106 hrs TlF-probability
- smart tfansm'
Coverage IJndetected
0.60 0'3 Per 106 hrs
0.60 0'4 Per 106 hrs
TlF-probabilitY = 5' lOa
smaftüansm' - 3'10-
F ailure Rat e As s e s s ment
Thefailurerateestimateisanupdateofthepreviousestimate-basedonoREDAPhaseIIIincluding some expert judg"*"nt do" to scarce data - with OREDA phase fV data' The
distribution between (undetected) FTO- and so-failures is based on the distribution for pressure
andflowtransmitters.Theoverallcovelagegivenaboveisestimatedmainlybasedonexpert
= 5'104
= 3'104
Component: Temperature Transmítter' lconveily
TIF -Prob ab ilitY As s es stne nt
The TlF-probability is entirely based on expert judgements' Details on the expert judgement is
foundintheappendix.asunlmaryofsomeofthemainargumentsareprovidedinSection2.3.
Reliability Data Dossier :.PD!:datâ
QsumunrReliability Data for Con'
,nd SafetV Systems'
"1998 Edition.
ffiFh*" Iv software /15/'
óuãi"l"u-t ror conventional temperature
Filter:inu. equip**, Class = PRocEss SENsoRs
Inv. Design Class = TemPerarure
il;. Áu' itp" pt*ess sensor = Transmitter
Inv. Phase = 4
(Inv. SYstem = Gas Processrng
Oil processing)
Fail. SeveritY Class = Critical
No. of inventoriss = 19
| Ño. of critic¡ FTO failures = 0
I No. of critical SO failures = 0
FTO: 5'06
Component: Temperature Transmítter' Conventional
Obsented:
cfro = 100 7o
( C alc ulate il includin g
ff ansmitter s hav in g s ome
kind of self-test
arrangement onlY,)
Reliability Eatå'Dossier - PDS'qala
OREDA Phase III /l/ Database PS31-'
Data relevant for conventional temperature
transmitter.
Filter criteria: TAxcoD=ÞsrE'AND'
FUNCTN='OP'.OR' 'GP'
No. of inventories = 8
Total no. of failures = 7
Cal. time = 197 808 hrs
lìr", on, ¡oilures classifietl as "critical"
are included in the Jailure rate esti'
mdIes.
T-boken /6/: Temperarure transrru$er
FARADIP.THREE /7/: Temperature uars-
50
Module: InPut Devices
Component: Flow Transmitter, Conventional
Descríption
The flow transmitter includes the sensing
element, local electronics and the process
isolation valves.
Reliability Data Dossier ' PDS:ilatå
Recommeniled Values fot Calculttion
Ç)sumrun
FTO
so
Date of Revision
1999-01-l I
Total rate
1.5 per 106 hrs
2.2 per 106 hrs
Overall 3.7 per 106 hrs
Remarks
Previonsly Recommended Values for Calculation (95 edition)
L",},FTO
l.so
Coverage
0.60
0.50
TIF-probability
- smaft transm
\Reliability Data for Co, ¿'ìd Safety Systems.
1998 Edit¡on.
1.5 per 106 hrs
0.1 per 106 hrs
1.4 per 106 hrs
3.0 per 106 hrsL¡,
Failure Rate Ass es srnent
The failure rate estimate is an update of the previous estimate - based on oREDA III - with
oREDAphaselVdata.TherateofFTofailuresisestimatedassumingacovelageof60vo(observedinoREDAPhaseIIIandIVwas 10070 ando4o,respectively).TherateofFTO
failures is estimated assuming a coverage of 60 vo (observed in OREDA Phase III and IV was
100 7o and 0 7o, respectively). The rate ofso failures is estimated assuming a coverage of 50 7o
(previouslyassumedtobe}}vo,observedinOREDAPhaselVwasl00To).lheSofailurerate includes 'Erratic output' failures.
Undetected
0.6 per 106 hrs
1.1 per 106 hrs
5.1043.104
Module: Input Devices
Coverage
Component: Flow Transmitter, Conventional
T I F -pro b abilify As s e s sment
The TlF-probability is entirely based on expert judgements. Details on the expert judgement is
found in the appendix. A summary of some of the main arguments are provided in Sectíon 2.3.
TIF-probability
- smart transm.
0.50
Reliability¡Data'Dossier,' -,, PDS-.data
F ailare :Rate Refere nc e s
OveraII
failure rate
þer 1Ú hrs)
5.1043 . l0-4
5.70
Failure mode
distribution
FTO: 2.85
SO: 2.85
Obsemed:
cfro = 7Vo
"so = 100 Vo
51
Data source/comment
OREDA Phase IV Software /15/.Data relevant for conventional flow transmit'ters.
Filter:Inv.EquipmentClass =PRocEssSENsoRs ANDInv. Design Class = Flow ANDInv. Att. Type process sensor=Transmitter ÀNDInv.Phase=4 AND
(Inv. System = Gas processing OROil processing) ANDFail. Severity Class = Critical
No. ofinventories = 10
No. of critical FTO failures = INo. of critical SO failures = 1
Cal. time = 350 640
2.89 FTO:
SO:
Obsertted:
cno = 100 lo(Calculated including
transmitters having
some kind of self-test
arrangement only,)
1.24
1.ó5
OREDA Phase III /1/ Database PS3l-.Data relevant for conventional flow transmit-
ters.
Filter criteria: TAXcoD=ÞsFL' .AND. FUNcTN=L
oP'.oR.'GP'
No. of inventories = 72
Total no. of failu¡es = 92
Cal- time =2422200h¡sNote! Onlyfailures classified as "critical" are
included in the failure rate estimates.
52
Module:
Component: Flow Transmitter, Conventional
Faít¿re: naø Refere nc g s
Input Devices
Overall
failure rate
(per 106 hrs)
Reliability Data Dossier - PDS.data
Lo Med. Híl5zu
Failure mode
distribution
FTO: 0.25
ÇrsrNTEF
Data source/comment
T-boken /6i: Flow transmitte¡
FARADIP.THREE /7 | : Flow transmitter
Reliabil¡ty Data for Con ,iO S"t"ty Systems.
1998 Edition.
Component: Catalytic Gas Detector, Conventionøl
Description
The detector includes the sensor and localelectronics such as the address/interface
unit.
.:il
Reliability.:Data Dossier r PDS.data
Total rate
1.6 per 106 hrs
0.7 per 106 fus
2.3 per 106 hrs
Date of Revision
1999-01-1 I
Previously Recommended Valaes for Cahalation (95 edition)
53
Coverage Llndetected
0.60 0.6 per 106 hrs
0.40 0.4 per 106 hrs
TlF-probability see secrion ...
3.0 per 106 hrs
1.5 per 106hrs
1.0 per 106 hrs
I.¡, = 5.5 pe¡ 106 h¡s TlF-probability = 3 . lO4 - 0.1 r)
Faílure Rate Assessment
Due to àdditional phase III data the failure rate esrimate is updated iterative. The previousestimate is updated with rhe final phase IrI data, and this estimate is finally updare using theOREDA phase IV data. The rate of FTo failures is estimated assuming a coverage of 60 To
(previously assumed to be 90 7¿, observed in OREDA phase III was 38 vo). The rate of sofailures is estimated assuming a coverage of. 4O Vo (previously assumed to be 20Vo, observed inOREDA phase III was 1007o). The FTO failure rate includes ,No output' and .Very lowoutput' failures.
') Lurge to small gas leaks
54
Component: Cafalytic Gas Detector, Conventíonal
TI F -probabilþ As s e s s me nt
The TlF-probability is entirely based on expert judgements. Details on the expert judgement is
found in the appendix. A summary of some of the main a¡guments are provided in Section 2.3.
Reliability:Data Dossier - PDS-data
F ailure Rat e Refere nc e s
SINTEF
OREDA Phase IV Software /15/.Data relevant for conventional catalytic gas
detectors.
Fíher:
Reliability Data for C J and Safety Systems.
'| 998 Ed¡tion.
Inv. Eq. Class = FIRE& CAs DETECToRS
Inv. Att. Sensing principle = CatalyticInv. Phase = 4
Fail. Severity Class = Critical
No. of inventories = 24No. of critical FTO failures = 0No. of critical SO failu¡es = 0
NOO: 3.62
SHH: 0.79
Sum FTO: 4.41
Module: Input Devices
Component: Catalytic Gas Detector, Conventíonal
OREDA Phase III /1/ Database FG31-.Data relevant for conventional catalytic gas
detectors. More than 97 Eo of the detectors
have automatic loop test.
Filter criteria: TAXCoD=FGHC',
SENSPRI=TATALYTIC'
No. of inventories = 2 046
Total no. of failures = | 749
Cal. time = 49 185 5'72hrs
Note! Only failures classífied as "critical" are
included in the faiLure rate cstimates.
''Faílur e Rate Refer enc es
Observed:
cno = 64 ?o
(Calculated including
detectors having some
kind of self+est
arrangement only)
Overall
failure rate
(per 106 hrs)
Reliability:Daø Dossier - PDS-data
Ðc¿ ¿i"¿å
lg | û b
5Fs '.'-í:r
Failure mode
distribution
Frod"t: 0.5
Irl'Oundet; 1.4 i" tì
SOo"t: 0.2
S6und"t: 0.4 e"trÞ.4, lt
5.09
55
Data source/comment
OsebergC 14/.
Data ¡elevant fo¡ conventional catalytic gas
detectors.
No. of inventories = 431
No. of failu¡es = 85 (25 critical)
Time = 10 215 888 hrs
Note! OnIy failures classified as "critical" are
included in the failure rate estimates.
FTOA{at.aging 3.83
FTO/Stress 0.06
FlOÆntervent. 0.1'7
FTOh)TAL 4.06
SO/lrlat.aging 0.74
SO/Stress 0.06
SOllntervent. 0.06
SOllnput 0.17
Solror¡t 1.03
VI.ÍLCAN /5/:
Failure rates are splitted into, in addition to
failure modes, failure categories, following the
"PDS-model".
FTOlPhys. IFTOÆunct, 2FTO/T}TAL 3
SOÆhys.
SOÆunct.
SO/roTAL
Note! Onlyfailures classiJìed. as "critical" are
included in the failure rate estimates.
PDS I /8/: Gas detector
I3
/
Note! Both physical and functional failuresare included.
OnIy critical failures are included.
56
Module: Input Devices
Component: IR Gas Detector, Conventional
Description
The detector includes the sensor and
loca.l electronics such as the address/-
interface unit.
Reliability Data Dossier - PDS.data
Recotnmended Values for C alculation
FTOso
þsnmrnr
Date of Revision
1999-01- 1 1
Total rate
3.3 per 106 tus
0.3 per 106 hrs
Overall 3.6 per 10o hrs
Remarks
Previously Recommended Values for Calculation (95 edítion)
14",
2rFTO
Àso
Coverage
0.80
0.70
2.9 per 106 hrs
1.0 per 106 hrs
0.1 per 10ó hrs
L¡, = 4.0 per 106 hrsl) Large to small gas leaks
TlF-probabílity seesection
Reliability Data for ( ),1
and Safety Systems
1998 Ed¡tion.
Failure Rate Ass essment
The failure ¡ate estimate is an updâte of the previous estimate - essentially based the Oseberg C
data j with OREDA phase fV data. The rate of FTO failures is estimated assuming a coverage
of 8O 7o (previously assumed tobe70Vo, observed in OREDA Phase IV was 100 Vo).The rate
of S O failures is estimated assuming a coverage of 70 Vo (previous estimate). The FTO failure
rate includes 'No output' failures.
Undetected
0.7 per 106 hrs
0.1 per 106 hrs
Coverage
Module: Input Devices
Component: IR Gas Detector, Conventional
TI F -probahílity Ass es sment
The TlF-probability is entirely based on expert judgements. Details on the expert judgement is
found in the appendix. A summary of some of the main arguments are provided in Section 2.3.
TIF-probability
0.70
Reliabilify,Ðata Dossier - PDS.data
'F ail ur e,: Rat e, Rëfer e n c e s
Overall
failure rate
@er 1Ú hrs)
3.lo4-o.lr)
3.49
Failure mode
distribution
FTO: 3.49
SO: 0.00
5l
Observed:
,nocso
Data source/comment
= I00Vo
= }Vo
OREDA Phase IV Software /15/.Data relevant for conventional IR gas de-tectors.
Filter:Inv.Eq.Class =FrRE&GAsDETEsroRs AND(Inv.Att. Sensingprinciple=IR ORInv.Att. Sensingprinciple=lR/W) ANDInv.Phase=3 ANDFail. Severity Class = Critical
No. of inventories = 54No. of critical FTO failures = 4No. of critical SO failures = 0Cal. time = | 147 176
4.1 FIOdd: 2.9
FIOUn&r: , 1.2
SO"'': 0
soono.r: 0
Oseberg C /4/.
Data relevant for conventional IR gas de-
tectors.
No. ofinventories = 4lTotal no. of failures = 26 (4 critical)
Time=977 472lusNote! Only failures classified as "critical" are
included in the failure rate estimates.
Modufe: InPut Devices
Component: Smoke Detector, Conventional
Description
The detector includes the sensor and local
electronics such as the address/interface
unit.
'' ':|: .
Reliability Datâ.Dos5ier. - PDSdata
Recommended Values for Calculation
Total rate Coverage lJndetected
FTO 1.3 per 106 hrs 0.40 0.8 per 106 hrs
SO 2.4 per 106 hrs 0.50 1.2 per 10'hrs
overall 3.7 per 106 hrs TlF-probability = 10-3 - 0'05 r)
Qsnmrum
Døte of Revision
1999-01-1 I
') The range represents the occurrenee of different tYPes of fires (smok
Previously Recommended Values for Calculntion (95 edÌfion)
L* = 1.5 per 106 hrs Coverage
ÀFro = o-5 Perlo6hrs
fso = 2.0 Per 106 hrs
L¡, = 4.0 per 106 hrs TlF-probability = lO3 - 0'05 r)
r)The range represents the occurence ofdifferelttypes offires (smoke/fl Ð
Reliability Data for C ì and Safety Systems.
1998 Edition.
Failure Rate Asses sment
The failure rate estimate is an update of the previous,estimate - based on OREDA Phase Itr data
- with complete OREDA IU data (no inventories in phase tV). The rate of FTO failures is
estimated assuming a coverage of.4O Vo (observed in OREDA incomplete and complete Phase
lllwas 29Vo and50 Vo,respectively). The rate of SO failures is estimated assuming a coverage
of 60 7o (previously assumed robe2\Vo, observed in OREDA (complete) Phase III was 98 7o)'
Module:
Component: Smoke Detector, Conventional
TI F -probabilþ Ass essment
The TlF-probability is entirely based on expert judgements. Details on the expert judgement is
found in the appendix. A summary of some of the main arguments are provided in Section 2.3.
Input Devices
Reliability,,Dâø Dôs:sier- -. PDj daø
,F aílur¿,Ràte Referenc e s
Overall
failure rate
@er IÚ hrs)
3.70
Failure mode
distribution
FTO: 1.31
SO: 2.39
59
Obsemed:
"no = 50 Vo
,to = 98 7o
Data source/comment
OREDA Phase IV Software /15/.Data relevant for conventionalsmokdcombustion detectors.
Filter:Inv.Eq.Class =FIRE&GAsDE'rEcroRs ANDInv. Att. Sens. princ. = Smoke/Combustion ANDInv.Phase=4 AND
Fail. Severity Class = Critical
No. of inventories = 2389No. of critical FTO failures = 80No. of critical SO failures = 146
Cal. time = 61 11098/.
3.73 FTO:
SPO:
Observed:
cno = 29 Vo
(Calculated including
deteclors having some
kind of self-test
arrangement only)
1.01
2.72
OREDA Phase trI /1/ Database FG31-.Data relevant for smoke/combustion detec'
tors. Both conventional (65 7o) and addres'
sable (35 7o) detectors are included. 56 7o have
automatic loop test, 35 Vo have a combination
of loop and built.in self-test, rest (97o) have
no self-test feature.
Filte¡ criteria: TAXCoD=FGFS'
No. of inventories = i 897
Totat no. of failures = 218
Cal. time = 50 374 800 hrs
Note! OnIy failures classified as "critical" are
included in the failure rate estímates'
60
Component: Smoke Detector, Conventíonøl
t.., ..., :::..' F ailuie,Rate Rèlpr enc e s,
Overall
failure rate
þer lÚ hrs)
Reliability Data Dossier - PDS.data
.QsrNTEF
Oseberg C /4/.
Data relevant for smoke detectors.
No. of inventories = 53
No. of failures = 4 (l critical)
Time= 12'l8528husNote! OnIy faílures classified as "critical" are
included in the faíIure rate estimates-
FTO/1.{at.aging 0.8i
FTO/Stress 0.13
FTO/Intervent.0.03
FTO/ror¿,t 0.97
SOÀ{at.aging 0.87
SO/Stress 0.43
SOllntervent. 0.03
SO/Input 4.39
SOlrorAL 5.72
Reliability Data for' ¡l
and SafetV Systems.
1998 Edìt¡on.
VULCAN/5/:Failure rates are splitted into, in addition to
failure modes, failure categories' following the
"PDS-model".
FTO/Phys. 0.4
FTOÆunct. 0.4
FTOlrorAL 0.8
Module: Input Devices
Note! OnIy failures classified as "critical" are
included in the failure rate estimates.
Component: Heøt Detector, Conventional
SO/Phys.
SOlFunct.
SOlror¿,r
Description
The detector includes the sensor and
iocal electronics such as the address/-
interface unit.
PDS.I /8/: Smoke detector
Reliability,Data,Dossier - PDS.data
Note! Both physical and functional failuresare included.
Only critical failures are included.
Recommended Values for Calculntion
Date of Revision
1999-01-1 1
Total rate Cov¿rage Undetected
0.9 per 10ó hrs 0.50 0.5 Per 106 hrs
1.5 per 106 hrs 0.50 1.3 per 106 hrs
Overall 2.4 per 106 hrs TlF-probabitity = 0-05 - 0.5 r)
t) The range represents the occurence of different types of fires (smoke/flame)
Previously Recommended Values for Calcalation (95 edition)
L., = 1.0 per 106 hrs Coverage = 0.40
IFro = 0.5 per 106 b¡s
?rso = 1.0 per lo6hrs
L¡, = 2.5 per 106 hrs TlF-probability = 0.05 - 0'5 r)
o_t
l) The range represents the occulrence of different types of fires (smoke/flame)
F ailur e Rate As s e s srnent
The failure rate estimate is an update of the previous estimate - based on OREDA Phase IIIdata - with complete OREDA trI data (no inventories in phase IV). The late of FTO failures is
estimated assuming a coverage of 50 Vo (observed in OREDA incomplete and complete Phase
III was 50 Vo and36 7o, respectively). The rate of SO failures is estimated assuming a
coverage of 50 Vo (previously assumed to be 2OVo, obsewed in OREDA (complete) Phase III
was 98 Vo).
Module:
Component: Heat Detector, Conventional
TI F -pro bability As s es s me nt
The TlF-probabiliry is entirely based on expertjudgements. Details on the expertjudgementis found in the appendix. A summary of some of the main arguments are provided in section
Input Devices
Reliability Data Dossier : PDS-data
F ailur e Rate Relerenc e s
Overall
failure rate
@er ld hrs)
þsnmrer
2.35
Failure mode
distibution
FTO: 0.88
SO: 1.47
Observed:
"fro = 36 Vo
cso = 98 Vo
Data source/comment
OREDA Phase IV Softwa¡e /15/.Data relevant fo¡ conventional he¿t detec-tons.
Filter:lnv. Eq. Class = FIRE & GAs DETEcroRs ANDInv. Att. Sens. princ. = Hear ANDInv.Phase=4 AND
Fail. Severity Class = Critical
No. of invento¡ies = 994No. of critical FTO failures = 24No. of critical SO failures = 40Cal. time = 27 260 832
Reliability Data for ,)rl and Safety Systems.
1998 Edit¡on.
a ôt FTO: 0.82
SPO: 1.39
Observed:
: cno=50Vo(Calculated including
deteetors having some
kind of self+est
arrangement only)
Component: Heat Detector, Conventional
F ailure Rate lieferences
OREDA Phase III /i/ Database FG3l_.Data ¡elevant for conventional heat detec-
tors. Both rate-ofrise (23 7o) andrate-compensated (71 7o) detecfors are included.
Of the detectors,S9 Vohave automatic looptest, rest (llVo) have no self-test feature.
Further, 77 Vo úe reported as "normally de-energized", 29 Vo as "normally energized"Filter criteria: TAXCoD=FGFH'
No. ofinventories = 865
Total no. offailures = 79
Ca.l. time = 24 470 588 hrsNote! Only failures clussifietl a.r "t:ritical" are
i¡tcluled in thc ftLiLure rû( ßtina!$.
Reliability,Data Dossier -,PDS.data
FTO/Irlat.aging 1.28
FTO/Stress 0.14
FTOllntervent.0.05
FTo/rorer 1.47
SO/l.lat.aging 0.49
SO/Stress 0.32
SO/ftrtervent. 0.14
SO/Input 0.51
SOh'orAL 1.46
OJ
VULCAN /5/:
Failure rates are splitted into, in addition to
failure modes, failure categories, following the
"PDS-model".
FTOÆhys. 0.1
FTOlFunct. 0.2
FTO/î1rAL 0.i
SO/Phys.
SOlFunct.
SO/ror¡t
Note! Onlyfailures clnssifi.ed as "critical" are
included.
PDS I /8i: Heat detector
Note! Both physical and functional failuresare included.
Onlv critical failures are included.
o¿+
Module: Input Devices
Component: Flnme detector, Conventional
Description
The detector includes the sensor and
local electronics such as the addressi-
interface unit.
Reliability:Data Dossier - PDS:iIata
Recomtnended Vølues for Calculation
Total rate Coverage Undetect¿d
FTO 4.2 per 106 hrs 0.50 2.1 per 106 hrs
SO 4.1 per 106 hrs 0.50 2.1 per 106 hrs
Overall 8.3 per 106 hrs TlF-probabitity = 3 ' 104 - 0.5 r)
l) The range represents the occunence of different types of fires (smoke/flame)
@snmunm
Date of Revßion
1999-01-1 1
Previously Recomtnended Values for Cøbulation (95 edition)
Remarks
L", =
ÀFro
7"so
Lr¡, = 7.0 per 106 hrs TlF-probability = 3 ' 104 - 0'5 r)
l) The range represents the occuûence of different types of fires (smoke/flame)
2.5 per l0ó hrs
1.5 per 106 hrs
3.0 per 106 hrs
Failure Rate Ass es sment
The failurp rate estimate is an update oi the previous estimate - based on OREDA Phase IIIdata - with complete OREDA III data (no inventories in phase IV). The rate of FTO failures is
estimated æsuming a coverage of 40 7o (observed in OREDA incompletè and.complete Phase
III was 48 Vo and 50 Vo, respectívely). The rate of SO failures is estimated assuming a
coverage of50 Vo (previously assumed tobe2OVo, observed in OREDA (complete) Phase IIIwas 100 7o).
Reliabrlity Data fr \¡trol and Safety SystemsI/
1998 Ed¡tion.
Coverage
Module: Input Devices
Component: Flame detector, Conventional
TI F -probability Asses sment
The TlF-probability is entirely based on expef judgements. Details on the expert judgement is
found in the appendix. A summary of some of the main arguments are provided in Section 2.3.
0.40
Reliability Data Dossier - PDS-data
' ''. : _:ir :
F ailu¡ e :Rat e: R.efq r e lç9 s .
65
Obsened:
,oo = 50 7o
cso = 100 Vo
OREDA Phase fV Software /15/-Data relevant for conventional flame detectors'
Filter:Inv.Eq.Class =FIRE&GAsDETEcroRs AND
Inv. Ait- Sens. princ. = Flame AND
Inv. Phase=4 AND
Fail. Severity Clæs = Critical
No. of inventories = 1256
No. of critical FTO failures = I 19
No. of critical SO failures = 116
FTO: 3.20
SPO: 3.98
Observed:
cfro = 48 Vo
(Calculated including
detectors having some
kind of self-test
Lrrangemenr only)
Cal. time =28 5l'1
OREDA Phase trI /1/ Database FG31-'Data relevant for conventional flame detectors'
Both IR (52 %o),W (13 Vo) and combined
IR/IIV (35 7o) detectors are included' Ofthe
detectors, 'r-5 Tohave automatic loop test, 3 7o
have built-in self'test, 15 Tohave combination
of automatic loop anil buitt-in self-test' rest
(ll%o) have no self-test feature.
Filter criteria: TAXcoD=FGFF
No. of inventoris5 = 1 010
No. of failures = 292
Cal. time =23 136820hrs
Note! Only failures classified as "critícal" are
included in the failure rate est'mates'
66
Module: InPut Devices
Component: Flame iletector, Conventional
Reliability'Data Dossier - PDS'data
@er 1Ú hrs)
@snmrnr
Oseberg C /4/.
Data relevant for IR flame detectors'
No. of inventori es = 162
No. of failures = 30 (18 critical)
Time = 3 978240hrsNote! It is assumed that only failures classified
as "critical" are included in the failurerate estimates.
FTO/t{at.aging 1.77
FTO/Stress O.l2
FTO/Intervent.0.12
FTOftor¡t 2.01
SOÀ{at.aging 0.16
SO/Stress O.l2
SO/Intervent. 0.12
SO/Input 2.9'7
SO/rorAL 3.37
Reliability Data for ' {rol and Safety Systems'
)1998 Edition.
VI.JLCAN/5/:
Failure rates are splitted into, in addition to
failure modes, failure categories, following the
"PDS-model".
FTO/PhYs. 1.1
FTOÆunct. 0.2
FTolrorer 1.3
Component: ESD Push button
Description
Pushbutton including wiring
SO/PhYs.
SO/Funct
SO/ror¿'t
Note! OnIy failures classified as "critical" are
included.
Reìiability Data DO$liei . PDS¡data
Reconmended Values for CalculaÍion
N ot e ! B oth physic aI and functional failures ar e
included'
O nLy c ritic al failure s ar e include d'
Total rate
FTO 0.3 Per 106 hrs
SO 0.8 per 106 brs
OveraII 1.0 Per 106 fus
Date of Revßion
1999-01-l I
ì
i
l
I
iI
I
III
I
I
I
II
I
I
II
II
II
I
II
II
I
iIIII
II
III
ì
Remarks
No data available in OREDA Phase fV'
Previously Recommendeil Valaes for Calculation (1995)
o/
h., =r FTO
rSO
Coverage
0.20
0.20
TIF-probabilitY
0.2 per 106 hrs
0.2 per 106 hrs
0.6 per 106 hrs
= 1.0 per 106 hrsL¡,
F ailur e Røt e As s es sment
The failure rate is estimated based on all listed data sources, taking into account the€xpert
judgements.Theoverallcoveragegivenaboveisestimatedasiheaverageforbothfaiiure
modes, also taken into account the expef judgement'
lJndetected
0.2 per 106 hrs
0.6 per 106 hrs
10-5
Coverage
TI F - prob abilitY As s es sm ent
The TlF-probability is entirely based on expert judgements' Details on
found in the appendix. A tu*^ury of to*" of th" -dn *g
TlF-probabilitY
= 0.20
= lOs
provided in Section 2'3'
68
Module: Input Devices
Component: ESD Push button
Faihäe Rate R_efuqences
Overall
failure rate
þer IÚ hrs)
Reliability Data Dossier .. PDS-data
In Med. Hi0. r 0.5 10
Failure mode
dístribution
@snmunm
5.8
0.13
Data source/comment
FARADIP.THREE /7/: Pushbutton
NPRD-9l: Switch, Push button, ground fixed,commercial quality
Reliability Data fc )rtrot
and Safery Systems
1998 Edition.
NPRD-91: Switch, Push button, ground fixed,military qualiry
Component: PLC System
Description
PLC system includes input/output cards,
CPU incl. memory and watchdog,
controlle¡s (int. bus, comm. etc.), system
bus and power supply.
Reliability Data Dossier . PDS-data
Recommended Values for Calculation
Total rate Coverage
FTO 16 per 106 hrs 0.90
SO l6per 106hrs 0.90
OveraII 32 per 106 hrs TlF-probabílityl) For TÜV certified and standard system, respectively
Date of Revßion
1999-01-1 1
Previoasly Recommended Values for Calculation (95 edition)
69
L,i, = 80.0 per 106 h¡sr) For TÜV certified and standa¡d svstem.
72.0 per 106 hrs
2.0 per 106 hrs
6.0 per 106 hrs
F ailure Rate As s ess ment
The failure rate estimate,is an update of the previous estimate - based on OREDA Phase III data
- with complete OREDA III data (no inventories in phase IV), taking into account the aspects
discussed below: It is assumed that some of the observed FTO-failures in OREDA III isincluded in the TlF-probabiiity. Further, for FTO-failures, only the current loop (i.e. one I-card,
etc.), not the entire PLC System, is required for a shut-down to be initiated. Thus, the estimated
rate of FTO-failures is reduced by approx. 7O Vo comparcd to the OREDA III data. The overallcoverage is set by expertjudgement a¡d observed coverage. The SO failure rate includes
Undetected .
1.6 per 106 hrs
1.6 per 106 fus
5.lo-s-5.lo4r)
'Enatic output' failures.
'10
Module:
Component: PLC System
TI F -probabilþ As s e s sment
The TlF-probability is entirely based on expertjudgements. Details on the expertjudgement is
found in the appendix. A summary of some of the main ¿uguments æe provided in Section 2.3.
Control Logic Uniß
Reliabilif,y Data Dossier - PDS-data
Failur e Rate Refer e nc e S
OveraII
failure rate
(per 106 hrs)
75.0
@snmuen
Failure mode distribu-
tion
FTO: 59.4
SO: 15.6
Observed:
,fro = 9i 7o
,so = 88 7o
Data sourcelcbmment
OREDA Phase IV Software i l5/.
Data relevant for for control logic units
including I/O-cards. Both PLCs (14 Vo) and
computers (86 Vo) are included. The cont¡ol
logic units are used both in ESD/PSD system
QO Vo) and F&G systems (30 7o).
Filter:Inv. Eq. Class = CoNTRoL Loclc UNITS ANDInv.Phase=4 ANDFail. Severity Clæs = Critical
No. of inventories = 7 INo. of critical FTO failures = 103
No. of critical SO failures = 27
Cal. time = | 733 664
Reliability Data tor ' 1cl and Safety SystemsI
1998 Ed¡tion.
91.0 FTO:
SO:
Obseried:
cno = 91 7o
(Calculated including
detectors having some
kind of self-test
arrangement onlY)
'14:7
16.3
' F dilur e tRate, Refeie nc es
OREDA Phase III /1/ Database CL3l-.Data ¡elevant for control logic units including
VO-cards. Both PLCs (19 Vo) and computers
(81 To) arc included. The cont¡ol logic units are
used both in control systems (54 %)' ESD
system (13 7o) and F&G systems (33 7o). .
No. of inventories = 52
Total no. of failures = 214
Cal. time = I 164 384 hrs
Note! Only failures classified as "critical" and
with failure modes FTO or SO are
included in the failure rate cstimates.
þer Id hrs)
Per ch. 0.28 FTO/Phys.
FTO/Îunct.FTO/T)TAL
Pe¡ ch. 0.31
SO/Phys. 0.09
SOlFunct. 0.05
SOnorAL 0.14
1l
FTO/Phys.
FTOÆunct.
FTOIT1TAL
SOlPhys.
SOÆunct.
SO/rorAL
PDS I /8/: InpuVdigitål' failure rate per
channel
Note! Both physical and functional failures
are incluiled.
Only critical failures are included'
0.09
0.05
0.14
0.12
0.05
0.17
FTO/Phys.
FTOÆunct.
FTOITOTAL
SO/Phys.
SO/Funct.
SO/TqTAL
PDS I /8/: Inpuf/analog, failure rate per
channel
Note! Both physical and functional failures
are included.
OnIy critical failures are included'
Per ch. 0.21
II
Ia
J
FTO/Phys. 0.02
FTOÆunct. 0.01
FTo/rorAL 0.03
PDS I/8/: CPUMemorY
Note! Both physical and functional failures
are included.
Only critical failures are included'
PDS I /8/: Outpuldigital, normally ener-
gized, failure rate Per channel
Note! Both physical and functional failures
are included.
OnIy crítical faíIures are included'
Module:
Component: PLC SYstem
-
F àíluìe' Røt e Relerenc e s
Control Logic Units
Overall
failure rate
@er 1Ú hrs)
Reliability Data Dossier . PÐSdata
Per ch. 0.21
Failure mode distribu-
tion
@smunr
FTO/Phys. 0.17
FTO/Funct. 0.01
FTO/TOTAL O.]8
SOlPhys.
SOÆunct.
SO/|OTAL
Data source/comment
PDS I /8/: OutpuUdigital, normally de'ener'
gized, failure rate per channel
Note! Both physical andfunctional farilures
are included.
Only critical failures are included.
0.02
0.01
0.03
Reliability Data
1998 Edition.)ntrol
and Safety Systems.
Module: Control Logic Units
Component: Field Bus Coupler
Reliabilily Data Dossier - PDS.dàtå
Recommended Values for Cqlculatian
Total rate
0.01 per 106 hrs
0.2 per 106 tus
Overall 0.2 per 106 tus
Date of Revision
1999-01-1 I
Previously Recommended Values for Calculation (95 etlition)
Remarks
No data available in OREDA Phase IV
Coverage
0.90
0.90
TIF-probabíIity
0.18 per 106 hrs
0-001 per 106 hrs
0.02 per l0ó hrs
0.2 per 106 hrs
F ailure Rate Assessment
No sources of failure iate data a¡e identified. The failure rates afe estimated based on expert
judgement and the failure rate data found for PLC system'
Unàetected
0.001 per 106 hrs
0.02 per 106 hns
10-s
T IF -probability Ass es s ment
The TlF-probability is entirely based on expert judgements. Details on the expert judgement ts
found in the appendix. A summary of some of the main arguments are provided in Section 2'3'
TlF-probabilitY = 10-5
'74
Module: Control I'ogic Uniß
Component: Fielà' Bus CPUlCommunication Unit
R¿lia¡ility oaø,Dossier - PDS.data
.Total rate
FTO 0.01 per 106 hrs
SO 0.2 per 106 hrs
Overall 0.2 per 106 hrs
@snmunm
Date of Revision
1999-01-1 1
Previously Reconmended Vølues for Calculntion (95 edífíon)
Remarks
No data available in OREDA Phase IV'
h., = 0.18 per 10ó hrs
IFro = 0.001 per 106 hrs
lso - o.o2 per lo6 hrs
Coverage
0.90
0.90
TIF-probability
L¡, - 0.2 per 106 hrs
Reliability Data f
1998 Edition.
F ailure Rate Ass essment
No sourcés of failure rate data are identified. The failure rates are estimated based on expert
judgement and the failure rate data found for PLC system'
Undetected
0.001 per 10ó hrs
0.02 per 106 hrs
10-5
;ntrol and Safety Systems
The T.IF-probability is entirely based on expert judgements. Details on the expert judgement ts
found in ihe appendix. A summary of some of the main arguments are provided in Section 2 3'
Component: ESV, X-mas Tree
Description
Hydraulically operated production
master, wing and swab valves'
Output Devices / Valves
Reliability Data;Dossiei - PDSid¡ta
Recommended Values for Calculation
Total rate Coverage
FTO 0.8 per 106 hrs 0.00
SO 0.7 per 106,hrs 0.30
Overall 1.6 per 106 hrs TlF-probability
1) For complete and incomplete functional testing respectively'
Date of Revision
1999-01-1 1
Previously Recommendeil Yalues for Calculation (95 etlition)
h", = 0-0 Per 106 hrs Coverage
)"Fro = 3.0 per 106 hrs
Iso = 0.5 Per 106 hrs
Ào¡, = 3.5 per 106 hrs TlF-probability
t)
t) For complete and incomplete functional testing
F ailure Rate Ass essment
The failure rare estimate is an update of the previous estimate - based on oREDA Phase III -
*rìnã*oÀ nhase IV dutu. Th" so coverage given above is estimated based on observed
coverage.
IJndetected
0.8 per 106 hrs
0.5 per 106 hrs
10-6 _ l0-s r)
T I F -probabilitY As s es s ment
The TlF-probability is entirely based on expert judgements. Details on the expert judgement rs
found in the appendix. A summary of some of the maln a¡guments a¡e provided in Section 2'3
= 10-6 - 10-s r)
76
Module: Output Devices / Valves
Component: ESV, X-mas Tree
'F aílür e' R ate Rêfer enc es
Overall
failure rate
(per 106 hrs)
Reliabitity Data Dossier - PDS-data
1.1 I
F ailur e mo de di s t rib ution
FTO: 0.00
SO: l.l1
Observed:
,so = 100 Vo
Qsnmrnr
Data source/comment
OREDA Phase lV Software /15/.Data relevant for hydraulically operatetlwellhead master valves, swab valves and wingvalves. The previous f,rlter does not apply to the
OREDA v.5 software.
Fiher:Inv. Eq. Class = \ilElIIæADs AND X-MAS TREES ÀND(Inv. System = Gas production ORInv. System = Oil Production) ANDInv.Phase=4 ANDFail. Severity Class = Critical AI\'D(Fail. Item Failed = Prod. master valve, hyd. op. ORFail. Item Failed = Prod. swab valve, hyd. op. ORFail. Item Failed = hod. wing valve, hyd. op.)
No. ofinventories = 18
No. of critical FIO failures = 0No. of critical SO failures = ICal. time = 902 544
7.36
Reliab¡lity Data for C I and Safety Systems.
1998 Edition.
DOP: 0.15
EXL: 1.84
FTC: 037FTOpen: 0.46
INL: 2.30
LCP: 1.69
PLU: 0.15
Module:
Component: ESV, X-mas Tree
OREDA Phase trI /1/ Database VA31-.Data relevant for wellhead ESDÆSD valves,
main valve or acfuator.
Filter criteria: FUNgTN='ow' oR'clv',APPUC=tsSD/PSD" MATIEM=bODY' OR VALVSEAT'
OR SEAIJ'OR ACTUATOR'.
No. of inventories = 349
Total no. offailures = 120
Cal. time = 6 518 058 hrs
Note! Onlylfailures classified as "critical" are
included in the failure rate estimdtes.
F ailure Rale References
OuQtut Devices / Valves
Overall
failure rate
þer 1Ú hrs)
: Reliabilify Data Dossier -, PDS-dat¿
9 .17
F ailure mode distribution
EXL: 0.28
FTC: 3.81
FTOpen: 2.1,2
INL: 0.14
OVH: 0.28
SEL: 0.14
SEP: O.l4
SIL: 1.12
SPO: 0.43
UNK: 0.14
Data source/commenl
7',7
14
OREDA Phase Il /21 , P. 89, Valves ESD-
Data relevant for topside ESD valves. Note!
Includes also control and monitoring unit.
No of inventories =322No. of failures = 151
Cal. time = 6 406 500 hrs
Note! Only failures classified as "critical" are
included in the failure rate estimates.
FTOÆhys.
FTOÆunct.
FTO/ror,qt
SO/Phys.
SOÆunct.
SOlror¡r
6
2
I
2À
6
PDS I /8/: ESD valve. Note! Includes also pilot
valve etc.
N ote ! Both physical and functional failure s are
included.
Only critical failures are íncluded.
't8
l,R.U"lil!.itv'P4tq Po*lÞ", . Ð
Module: OutPut Devices / Valves
Component: Other ESV
Description
Main valve including actuator. Nof
including pilot valve and local control
and monitoring.
Rec ommended Values for Cølculation
Total rate Coverage
FTO 1.3 per 106 hrs 0'00
SO 0.3 Per 106hrs 0'00
Overall 1.6per 106hrs TlF-probabilityl) For complete and incomplete functional testing respectively
þsnmrur
Date of Revision
1999-01 -1 1
Remarks
,*"-r, ^t--***tlues
for Calculntion (95 edition)
L", = 0.0 Per 106 h¡s Coverage
IFro = 3.0 per 106 hrs
Xso = 0.5 Per loó hrs
Li, = 3.5 per 106 hrs TlF-probability
t) For complete and incomplete functional testing respectively'
Reliability Data for / .)ì
and Safety Systems
1998 Edition.
Undetected
1.3 per 106 hrs
0.3 per 106 hrs
10-6 _ 10-s r)
Failure Rate Ass essment
Due to additional phase III data the failure rate estimâte is an iterative updated' The prevtous
esrimate is updared with the final phase III data, and this estimate is finally update using the
oREDA phase IV data. The rate of FTO and so failures is estimated assuming a coverage of
0 vo .TheFTO failure rate incìudes 'Fail to closc on demand' and 'structural clefrrciency''
Component: Other ESV
Ouþut Devices / Valves
TheTlF-probabilityisentirelybasedonexpertjudgements.DetailsontheexPertjudgementls
found in the appendix. A summary of some of th'e main urgum"nts ar" p@
Reliab¡tity Data Dossiér ' : PDS'datâ-
F ailure Rate,References
0.00
10-6.10sr)
FTO: 1.06
SO: 0.26
19
OREDA Pil'.s" IV Software /15/'
Ouãi"t"u*t for process ESDÆSD valves'
ã*.i"¿ing tft" pilot anil control & monitoring'
Filter:Inv. Eq. Class = VALvES
(Inv. Syslem = Gas exPort.Inv. System = Gas ProcesslngInv. System = Oil exPort
.
Inv. System = Oil Processlng)Inv. Phæe = 4
Inv. Att, ÀPPtication = ESD/PSD
Fail. SeveritY Class = Critical(Fail. Item Failed <> Pilot valve
Èuil. Suuunit f*fed o contol & Monitoring)
No. ofinventoriss = 106
No. of critical FTO failures = 4
No. of critical SO failures = 1
FTOpen: 1.12
LCP: 1.12
OREDA Phase III /1/ Database VA31-'Data relevant for process ESD/PSD valves'
main valve or actuator'
Filter criteria: RjNctl'¡='op' ot 'cp"
APPLIC=tsSD/PSD" MAffEM= tsODY' OR
vALvsEAT' oR SEALS' oR Ac'ÍuAToR''
No. of inventories = 26
Total no. of failures - 20
Cal. time = 891 214 hrs
Note! OnIy failures classífied as "crítical" are included
in the faílure rate eslimt*
80
Module: Output Devices / Valves
Component: Other ESV
F øiliir e'.R.at e R ete r e n c e s
Overall
failare rate
þer IÚ hrs)
Reliability Data Dossier - PDS-data
9.17
FaíIure mode dßtribu'
tion
@snmunr
EXL: 0.28
FTC: 3.81
FTOpen: 2.12
INL: 0.14
OVH: 0.28
SEL: 0.14
SEP: 0.14
SIL: l.l2SPO: 0.43
UNK: 0.14
Data source/comment
t4
OREDA Phasefr.l2l, p. 89, Valves ESD.
Data relevant for topside ESD valves. Note!
Includes also pilot valve etc.
No of inventories.= 322
No. of failures = 151
Cal. time = 6 406 500 h¡s
FTO/Phys. 6
FTOlFunct. 2
FTOftoTAL 8
Reliabìl¡ty Data for ' ¡ol
and SafetV Systems.
1998 Edit¡on.
Note! Onlyfailures classified as "crilical" are
included in the faíIure rate estimates.
SO/Phys.
SOlFunct.
Softorn
PDS I /8/: ESD valve. Note! Includes also pilot
valve etc.
2
4
6
Note! Both physical and functional failures are
included.
Only critical failure s are included.
Module: Output Devices / Valves
Component: Pilot Valve
Description
Pilot valve on hydraulically or pneu-
matically operated, process or wellhead,
shut-off or ESD/PSD valves.
Retiâbility:Data Dossier - PDS'data
Recommended Values for Calculntíon
Total rate
FTO 1.7 per 106 hrs
SO 2.5 per 106 hrs
Overall 4.2 per 106 hrs
Date of Revßion
1999-01-1 I
Previously Recommended Values for Calcalation (95 edition)
8i
Coverage
0.20
0.30
TlF-probability =
0.0 per 106 hrs
0.6 per 106 hrs
0.4 per 106 hrs
1.0 per 106 hrs
Failure Rate Ass essnent
Due to additional phæe III data the failure rate estimate is an iterative updated. The previous
esrimate is updated wirh the final phase Itr data, and this estimate is finally update using the
OREDA phase IV data. The ¡ate of FTO failures is estimated assuming a coverage of 2O 7o
(previously assumed tobe0 To,observed in OREDA incomplete and complete Phase III was
40 Vo and 67 7o, rcspectively). The rate of SO failures is estimated assuming a coverage of 30
7o (previously assumed to be 0 To, observed in OREDA incompiete and complete Phase III was
20 vo and 94 7o, respectively). The FTO failure rate includes 'Fail to close on demand' and
Undetected
1.4 per 106 hrs
1.8 per 106 hrs
'Fai[ to open on demand' failures.
TlF-probabilitY =
82
Moduf e: Output Devices I Valves
Component: Pilot Valve
TIF -prohability As s es s ment
The TIF-probabiliry is entirely based on expert judgements. Details on the expert judgement is
found in the appendix. A summary of some of the main arguments are provided in Section 2.3.
Reliabiliw'Data Dossie¡ : PDSrdata
F aílure, Rate Referenc es
Overall
failure rate
@er ld hrs)
4.52
@snmrem
Failure mode distribu-
tion
FTO: 1.69
SO: 2.83
Observed:
"fro = 67 Vo
"so = 94 7o
Data soturcelcomment
OREDA Phase IV Softwa¡e /15/.Data relevant pilot valves with control &monitoring in ESDÆSD applications.
Filter:Inv. Eq. Class = VALvEs ÀND(Inv. Att. Application = ESD/PSD ORInv. Att. Application = Shut-ofÐ ANDInv. Phase=4 ANDFail. Severity Class = Critical AND(Fail. ItemFailed=Pilot valve ORFail. Subunit Failed = Control & Monitoring)
No. ofinventories = 184
No. of critical FTO failu¡es = 10
No. of c¡itical SO failures = 17
Cal. time = 6 023 256
Reliability Data f' )rtrol
and Safety Systems
1998 Edition.
0.51 FTC: 0.07
FTOpen: 0.36
SO: 0.07
Module:
Component: Pilot Valve
F aiture: Rate Rèfere nc es
Ouþut Devfues /Valves
OREDA Phase III /1/ Database VA3l-.Data relevant for pilot valve on hydraulicallyor pneumatically operated, process orwellhead, shut-off or ESD/PSD valves.
Filter criteria: ACrUAT=IYDRAULIC' .oR.
ÞN¡uuerrc', AppLIc=5HUT-on¡' .oR. bsD/PSD',
MÄITEM='ACTUATION'.
No. of invento¡ies = 516
Total no. of failures = 42
Cal. time = 13 156 654 hrs
Note! Allfailures are included, i.e. both "Critical",
"Degraded" arul "lncipient" failures, since the
failure classif.catiott is given on system" level.
Overall
failure rate
@er Iú hrs)
Reliabitity DCta,DoSiCi;' . PÐsiilata
0.45
Failure mode distribu-
tion
FTO: 0.45
0.11
Lo Med. Hi0.4 14
FTO: 0.11
Data source/comment
83
T-boken /6/: Solenoid valve, normally ener'
gized. The failure mode used in the source is
"Missing function". This has been interpreted as
FTO.
I
i:
T-boken /6/: Solenoid valve, normally de'
energized. The failure mode used in the source
is "Failed to change state". This has been inter-
preted as FTO.
FARADIP.THREE /7/: Solenoid.
84
Module: Ouþut Devices / Valves
Component: Process ControlValve
Description
Process control valves including actua-
tor, pilot valve and local controVmoni-
toring. Both large and small control
valves a¡e included.
Reliability Data Dossier - PD,S-data
Recommended Values for Calculation
þsnmrnr
FTO
so
Date of Revßîon
1999-01-1 l
Total rate
Small - Iarge Valves'1 .1 - 2.1per 106 hrs
0.4 - 0.7 per 106 tus
7 .6 - 2.8 per 106 hrsOverall
Remnrks
Previoasly Recommended Values for Calculation (95 edition)
L., =r FTOlL=
¡SO
Coverage
0.60
0.70
TIF-probability
Small - Largevalves
18.0 - 8.0 per l06hrs
9.0 - 4.0 per 106 hrs
0.1 - 2-0 per106hrs
27.0 - l4.O per 109hrs
Reliabil¡ty Data for -!ol and Safety Systems.
1998 Ed¡tion.
L¡,
F ailur e Rate As s e s sme nt
The failure rate estimate is an update of the previous estimate - based on OREDA Phase III -
with OREDA phase IV data. Total rate of FTO-failures estimated by including the OREDA
failure modes FTC and LCP, and 50 Vo of the DOP-and EXl-failures. The rate of FTO failures
is estimated assuming a coverage of 50 Vo (previously assumed to be 65 7o, observed in
OREDA Phase IV was 25 Vo). The rate of SO failures is estimated assuming a coverage of 80
7o (previously assumed to be 65 %, observed in OREDA Phase IV was 100 7o).
Undetected
SmaII- Large Valves
2.8 - 0.8 per 106 tus
O.l -0.2per 106 hrs
10-s
Module: Outout Devices / Valves
Component: Process Control Valve
Coverage
T I F -p ro b ability A s s e s s m ent
The TlF-probability is entirely based on expert judgements. Details on the expert judgement is
.:"Reliabiüfy;Data Dossiei - PÐS.dâta
found in the appendix. A summary of some of the main arguments tt" plgytd:g tn Jgttion3'3'
TIF-probability
F aíluie RaÍe, Refi:¡ e nc e s'',
0.65
1o-5
FTO: 3.97
SO: l.O2
Obsemed:^FîO -
.r< oj^L _ LJ
'V
,so = 100 Vo
85
OREDA Phase IV Software /15/'Data relevant for Data relevant for process con'
trol valves including pilot valYe etc' Note! Allsizes are includ ed. 47 Vo of the registered valves
a¡e small, i.e., size < 10 inches. Thus, 53 7o are
large, with size > l0 inches.
FíIter (small valves):Inv. Eq. Class = VALvES(Inv. System = Gas exportInv. System = Gas processing
Inv. System = Oil exPofInv. System = Oil processing)
Inv. Phase = 4
Inv. Att. Application = Process Control
Fail. Severity Class = Critical
No. of inventories = 99No. of critical FTO failures = 10'5
No. of critical SO failures = 1
DOP: 0.72
EXL: 0.36
FID: 1.79
FIC 4.29
FTOpen: 2.15
LCP 1.43
oTH 3.22
ovH 0;72
PLU 2.50
SO: 0.07
OREDA Phase III /1/ Database VA31-'Data relevant for process control vâlves
including pilot valve etc. Note! All sizes are
included.
Filter criteria: APPLIc=ÞRoc crRL', FLrNcrN='oP'
.oR. 'GP'.
No. of inventories = 100
Total no. of failures = 186
Cai. time =2'796745 hrs
Note! Only failures classified as "crítícal" are included
in the failure rate eslimates
86
Module:
Component: Process Control Valve
F aílùie Rate Rèferencès
Output Devices / Valves
Overall failure rate
(per IÚ hrs)
Reliahility,Data:Dossier . PDS-data
27.0'1
Failure mode distribu
tion
DOP: 1.04
FID: 4.17
Frc 5.21
FTOpen: l.MLCP 3.12
oTH 3.12
ovH 2.o8
PLU 7.29
Qsnmrum
Data source/comment
OREDA Phase III /1/ Database VA3l-.Data relevant for process control valves
including pilot valve etc. Note! Only sizes less
than 5" are included in this run.
Filte¡ criteria: A?pLIc=ÞRoc crRL', FuNcrN='op'
.oR.'cP', srzE<=5.000.
No. of inventories = 33
Total no. of failures = 66
Cal. time = 960 320 hrs
Note! Onlyfailures classified as "critical" are
included in the failure rate estimates.
14.16 DOP:
EXL:FID:FTC
FTOpen:
LCP
Reliabìl¡ty Data fo }rol
and Safety Systems.
1998 Edition.
0.54
0.54
0.54
3.81
2.72
0.54
3.nOTH
SO:
OREDA Phase Itr /l/ Database VA3l_.Data relevant for process control valves
including pilot valve etc. Note! Only sizes
larger than 5" are included in this run.
Filter criteria: AppLIc=ÞRoc crRL'. FUNcTN='op'
.oR. 'cP" slz>5.000.No. of inventories = 67
No. offailures = 120
Cai. time = I 836 425 trsNote! Onlyfailures classified as "critical" are
included in the failure rate estimates.
8.6 FTO:
Module: OuQtut Devices / Valves
.18
Component: Pressure Relief Valve
8 .6
Reliãb,ility Daøóoqsier :'PDS'dâtá.
T-boken /6/: Motor-operated control valve.
The failure mode used in the source is "Failed to
change position". This has been interpreted as
Ffo.
Recommendeil Values for Calculation
Total rate Coverage
FTO 1.0 per 106 hrs 0.00
so 0.2 per 106 hrs t) 0.oo
OveraII 1.2 per 106 hrs TlF-probabitity
Date of Revßion
1999-01-l I
l) Note that trip of PSV does not necessarily lead to system
Previously Recommended Values for Calculatinn (95 eilition)
h", - 0.0 per 106 hrs Coverage = 0.00
?lFTo = 0.1 per l06hrs
l,so = 0.9 per 106 h¡s r)
L¡, = 1-0 per 106 hrs TlF-probability = l0 3
8'l
t) Note that trip of PSV does not necessarily lead to system trip
F ailure Rate Ass essment
The failure rate estimate is an update of the previous estimate - based on OREDA Phase III'
OREDA 84 and other sou¡ces - with OREDA phase IV data. Only failures classified as 'Fail to
Undetected
1.0 per 106 fus
0.2 per 106 hrs
1o-3
' a¡e considered FTO failures.
T I F -p ro b a bility As s e s s m e nl
The TlF-probabiliry is entirely based on expert judgements. Details on the expert judgement is
foundintheappendix.Asummaryofsomeofthemainarcu@
88
Module:
Component: Pressure Relief Valve
F ailur e,' Rate,Relere nc es
Output Devices / Valves
Overall
failure rate
þer Id hrs)
Reliability Data Dossier - PDS.data
L .27
Failure mode distribu-
tion
þsnmrnr
FlO: 2.14
SO: 0.13
Observed:
,fto = |vo,so = 07o
Data source/comment
OREDA Phase fV Softwa¡e /15i.Data reievant for self-acting or self-acting/pilotactuated relief valves.
Filter;Inv. Eq. Class = VALvES ANDInv. Phase=4 ANDInv. Att. Application = Relief ANI)Fail. Severity Class = Critical
No. of inventories = 2'1 5No. ofcritical FlO failures = 17No. of critical SO failures = ICal. time ='l 493 448
¿o .78
\Reliabil¡ty Data fo. lrol and Safety Systems.
1998 Edition.
INL/Degr. 22.06
INI-/Degr. 1.58
Sum/Degr. 23.63
EXl-/lncip. 1.58
EXl/krcip. 1.58
Sumllncip. 3.15
Note!
Also "Degraded" and
" In c ipíent" fai lures ar e
includeed, since no
" C ritic al " failur es ar e
observed.
OREDA Phase III /l/ Database VA31-.Data relevant for self-acting or self-acting/pilotactuated relief valves.
Filter criteria: AppLrc=Þ.ELIEF', AcruAT=5ELF
ACT'.OR. 3.e.ÞU-Or'.
No. of inventories = 34
Total no. offailures = 17
Opr. time = 634 730 hrs
Cal. time = I 119 360 h¡s
Note! Operational time is used in the failure rate
estimates.
Module:
Lo Med. Hi28
Component: Pressure Relief Valve
F ailure Rat e, Referenie s
Output Devices / Valves
Overall
failure rate
@er ld hrs)
, Reliability-:Date :Dossier - P-DS.iIâta
t.5i
Failure mode distribu-
tion
FARADIP.THREE /7/: Valve. Relief
4.4
Data sourcelcomment
89
NPRD-9l l9l'.Yalve, relief, Ground, unknown
quality
OREDA-84 /3/, Pilot operated safety relief
valve.
REFERENCES
llt OREDA Phase III, computerised database on topsíde equipment, OREDA Participants
(mutticlient project on collection of offshore reliability data).
ril 1REDA Handbook; offshore Reliability Data Hanìboo&, 2nd edition, oREDA
Participants (mutticlient project on collection ofoffshore reliability data)' 1992
13/ OREDA Handbook; ffishore Reliabiliry Data Hanlbook,lst edition, OREDA Participants
(multiclient project on collection ofoffshore reliability data)' 1984
l4l Jon Ame Grammeltvedt, u&P; oseberg c - Gjennomgang av erfartngsdatafor brann- og
gassd.etelctorer på Oseberg C. Forslng til testintervallerfor detektorene, rcWrt from Norsk
Hydro, Forskningssenteret Porsgn:nn, 1994-07-28 (in Norwegian).
l5l Lars Bodsberg, VULCAN - AVulnerability CalculartonMethodfor Process Safety Systems,
Doctoral dissertation, Norwegian Institute of Technology, Dep. of Mathematical Sciences,
Trondheim, 1993.
16/ T-bolcen, Version 3: Titfòrlítlighetsdata för komponenter i nordislca krafirealaorer, NI\-kansliet and Studsvik AB, publisehd by Vattenfall, Sweden, 1992 (n Swedish)'
nl David J. Sflit¡}^, Retiability, MaintainabíIíty and Risk - Practical Methods for Engineers,
Butterworth-Heinemann Ltd., Oxford, England, Fou¡th edition, 1993'
tgl Lars Bodsberg, Relíabitity Data for Computer-Based Process Safety Systems' SINTEF
Report STF75 F89025, 1989.
lgt William Denson et a1., NPRD-9L: Nonelectronic Parts Reliability Data 1991, Reliability
Analysis Center, Rome, New York, USA' l99l-
ll}t Ragnar Aar/ et aI, Reliability Prediction Handbook. Computer-Based Process Safety
Systems, SINTEF Report STF75 489023' 1989.
¡lt Lars Bodsberg et aI, Reliability Quantification of Control and Safety Systems. The PDS-II
method. SINTEF Report STF75 493064' 1994'
tl2l K. Øien and P. R. Hokstad. Handbook for performing exPert iudgmenL. SINTEF report
sTF38 498419, 1998.
ll3l per Hoktad and Ragnar Aa¡ø, Retiability Data for Control and Safety Systems, Revision l.SINTEF report STF75 F94056, January 1995.
¡41 Geir Klingenberg Hansen and Ragnar Aæø, Reliability Quantification of Computer-Based
Safety Systems- An Introduction to PDS. SINETF report STF38 A97434, December 1997.
tlst OREDA Phose IV, computerised database on topside equipmcnt, OREDA Participants
(multiclient project on collection ofoffshore reliability data).
)snmrun Reliabilìty Dala fo )rot and Safety Systems.
1998 Edìtion.
/t6l
t17 |
Harry F. Maftz and Ray A. \ffaller, Bayesian Reliability Analysis, IGieger Publishing
Company,1982.
1REDA Handbook; Affshore Retínbility Data Handbook, 3rd edition, oREDA Pafiicipants
(multiclient project on collection ofoffsho¡e reliability data)' 1997.
91
)/The PDS Forum was initiated in 1995, and follows up the PDS projects.The main objective of the PDS Forum is to maintain a professional forumfor exchange of experience between Norwegian vendors and users ofcontrol and safety systems. The primary focus is on safety and reliabilìtyaspects of such systems. Research results are transferred, and personalcontacts between those working with offshore control and safety systemsare encouraged. Topics of the forum are:
Use of new standards for control and safetv svstems. Use of acceptance criteria. Exchange and use of reliability field data. Exchange of information on new technology
The main activity of the PDS Forum in 1998 was to update the so-called"PDS-recommended data". The present report summarizes the results fromthis activity. For information regarding the PDS Forum please visit the webs ite http ://www.s i ntef . n o/s i paalp rosjekt/pds-foru m.
The OREDA project is also acknowledged for allowing OREDA phase lVdata to be used in preparation of the present report. For informationregarding OREDA please visit the web site www.oreda.com
The PDS-method is an analytical method for quantification of reliability,safety and Life Cycle Cost (LCC) for control and safety systems, and therebrto perform an overall evaluation of such systems. The method wasdeveloped for the offshore industry, where it has gained a widespread use.The method supports the reliability analyses in the international standardIEC 61508: Functional Safety of E/E/PE Safety Related Systems. lt is alsoreferred to in the NORSOK standards for Safety and Automation Systems as
a method to be used for verification of safety systems.
SINTEF lndustrial Management, Dept. of Safety and Reliability hasdeveloped a computer program "PDS-Tool" to support PDS calculations.Sydvest Software has from March 1999 taken over the responsibility forPDS-Tool. Sydvest Software has been established to develop and marketsoftware tools aimed at preventing losses caused by accidents and otherundesired events. SINTEF lndustrial Management, Dept of Safety andReliability is one of the initiators and main owners of Sydvest Software.
For information regarding the PDS-Tool please visit the web site ofSydvest Software at www.sydvest.com.