Sintef STF38 Reliability Data For Control and Safety Systems (1998)

STF38 A98445
Classif ication: Unrestricted
@$t'LiEF
ReliabilitY Data for Control and

SafetY SYstems
1998 Edition
SINTEF Industrial Management

SafetY and ReliabilitY
JanuarY 1999
;'ifiV€}f ,'l';-15 KEMIRA

KIRJASTO
SINTEF REPORT
)
@s[Nr,,im Systems'
Reliability Data for Control and Safety
SINTEF lndustrial Management L998 Edition.
Safety and ReliabilitY
Address: N-7034Trondhe¡m'
NORWAY
Læatiôn; Strindveien 4
Tefephone: +47 73 59 27 56
fa: +47 73 59 28 96
EnterPrise No.: NO 948 007 029 MVA

Geir Klingenberg Hansen and Jøm
Vatn
srGN.).
It. Lk^1
t999-01-l I
in this report' D
control and.safety systems are provided
BSTBACT
eliability data estimates for components of (etectronicÐ.ar" n::"-T:l Data dossiers I
.ãnuor rogi.
¡r both fietd devices (sensoäïäîö;; and expert judgements' The level
various sources, ..g.'oRr,oe
iven for these components, based on anaiyses applying the PDS method'
etail of the data is adapted suired for ,"liiuiiitv
t#;f"rm;t
reliabilitydataestimatesareessentiallybasedonthepreviouslyrecommendeddataforusewith
method, updated with OREDA Phæe
IV data'
Also,amethodforobtainingapplication^specificreliabilitYdataestimatesisgiven.Asacase'
*",irtJ t to TIF probabìlities for IR gas detectors'
"ppfied
iltrol and SafetY SYstems

Systems'
Feliability Data for Control and Safety
1998 Edit¡on )
PREFACE
ThePDsForumisaforumofoilcomparries,vendorsandlesearcherswithaspecialintefestln
;it";,ryr,*:,g"lt'::.."üf f äïT'Jf t:#Ë:H#,'äî'-Tåiif:'i:":3"ìi:i"T
the PDS Forum please visit
ror inrormatiJi-'"J*a"e
'åoHi1,J:ir}ill,,ll iiJffiir'ã.,i"i,y.
ifäî"il* ft tp://www'sintef 'no/sipaa/prosjekt/pds-forum'html
Fe40s6 - Reliabilitv Data for

TheresultsinthePlesenlreportistoagreatextendtasedonworkSlNlEFcarriedoutonrequest
ff;sÑiEf ;"I;':'sinzs
from Norsk Hydro in 1ee5 ffi"]i, Hydro ailowed using
We appreciate ttfttttt that Norsk
Control and Safety Systems" t13l'
these '95 results in the present
report'
the web site

TheoREDAprojectisalsoacknowiedgeclfor.allowingOREDAphaselVdata.tobeusedin
the present';d;;.-ï* iiformation
,"g.iAne-óREOA please visit
preDaration of
ütí,Ï¡,tï-. tslindman/sipaa/prosjektioreda'/
""tri.nloni
Trondheim, 1999-01-1 I
Geir Klingenberg Hansen
OREDA ParticiPants 1998

PDS Forum ParticiPants 1998
Eni S.p.A./AGIP Exploration
& Production
Oil ComPanies Amocô ExPloration ComPanY
. 'fp'Biol"täi""
ÀmocoNorwaY Oil ComPanY operating company Ltd'
. BP Norge ã1"*ån p"ttot"u* Technology company
o ElfPetroleumNorgeAJS Elf Perroleum Norge A'/S
e Norsk HYdro ASA Esso Norge a.s'
. Norway
Phillips Petroleum Company Norsk HYdro ASA
o Norway
SagaPetroleumASA Phillips Þeuoleum ComPanY
. A"/S Norske Shell bln tï*.rc r,uo oljeselskap (Statoil) a's'
. (Statoil) a's' ASA
Den norske stats oljeselskap Sasâ Petloleum B V'
Ëiãiì""ä"ä".¡ Exploration and Production
Control and Safety Systems Vendors
. ABB Indust¡i TOTAL S.A.
o Auronica
o BaileY Norge
. Boo Instrument AS
o HoneYwell
o ICS GrouP
o Kongsberg Sirnrad
. Norfass (Yokogawa)
. SAASASA
. Siemens
Consultânts
Engineering ComPanies ând
o Aker Engineertng
. Det Norske Veritas
. Dovre Safetec AS
o Kværner Oil and Gas A'S
. NORSOC
. Umoe Olje og Gass
and Safety Syslems'
Reliability Data for conlrol
l eea Edition. )
TABLE OF CONTENTS
LIST OF TABLF,S
LIST OF FIGURF,S
t. INTRoDUcrIoN......""' I
Rrsul,rSutt¡1t14RY""""""""' ' """' rr
I
äHil:H*ir*i:î'ffi ::::
"""""""
Summury Table of PDS Input
Data
r+
I
"""""""' 17
"""""""""'17
Z.¡ k
Tßprobabilities""
2.3.1 """""" 18
2.3.2 Cotterages """"""""""' """""" 18
2.3.3 P-factors """""""'23
2.4 FufherVÍork :' :::
'
2.4.1 Variability of the ?IF probability"""'-':"""""""""""1"":"""'
a^1 |""'T3
a Á',
2.4.2Distinguon*.*.*u"ö.*i'*¿i'"*anellofsduringtesttng......'''
3. ANIETHoDFoROBTAININGAPP"'"o",o*,""orrcTIFrnosÆILITIES.......'.'..''............25
A NIETHoD
lll.trn¡lllntion......'.......''...........'.
3.i
Relìability Dala for Conlroì and Safety Systems it
1998 Edition. )
2. RnsulrSulrulnY
2.1 Parameter Definitions
each component:
The following parameters are quantified for
À"¡,=Totalcriticalfailurerateofthecomponent.Rateoffailuresthatwillcauseeithertripor
-n
(unless cletected and prevented from
causing such
unavailability
failure).
";*#.r, ".ii*
Æß.=RateoffailurescausingFail-To.operate(,FTo)failures,øndetectablebyautomaticself-
test.The,FlofailurescontributetotheCriticalSafetyUnavailability(csu)ofthe
comPonenlsYstem' * \,\,,.
ÌliÉ,=RateofSpuriousoperaúon(So)failures,undetectablebyautomaticself-test.Therateof
Spuriousoperation(So)failuresofacomponentcontributestotheSlRofthesystem
1åa.p"nO"ntofoptràtionpbllosophy)' l\+'"
* 2i10"
Àndet = Total rate of ¡¿r¡detectable failures' i'e' /ffi?t
detectable by automatic self-

of failures causing FaiJ-To'Operate (-FIO) failures'
lFTO
/het = Rate
test. t\\à
lso =RateofspuriousOperation(So)failures,detectablebyautomaticself-test'Theeffectof
'"ðer
trip the operation philosophy'
Rate (S7R) depends on
these failures on tne spuriouì
h", = Totalrateofdetectablefailures,i'e' W+ ftf'

the component' Causes loss of safety
function
TFTO
/brit = Total rate of critical FTO failures of
(unless detected and prevented from causing critical
failure)' i'"' Æ + m''
regularity
component. causes loss of production
Ìy* = Total rate of critical so failures of the
(unlessdetectedandpreventedfromcausingcriticalfaiturÐ,i.e.,i,fl+,{f0"..
,no--Lw|^F[ll=Coverageoftheautomaticself-test+controlloomoperatoronFTo
-
fu¡-lor.r. É ih¡"o',atiL t'?$à'ìr{,,\r : '}kl\òå"
,So=1r.t^n=Coverageoftheautomaticself-test+controlroomoperatolonSofailures.
nF-Theprobabilitythatacomponentwhichhasjustbeenfunctionallytestedwillfailon
¿eman¿ (applies for FTO failures only)'
is shown in Table l '

The relation between tbe different ¿-values
xr : ,¡\ AND ENGINEERING SERVICES
\:*- *::. '."$.IÈì INSTRIIMENTATION AND ELECTRICAL TECHMCAL
:i. ...:
'. .
Phase 4
Overall SafetY Requirements
the overan safety Integnty Requ'ements
safety Function Requirements and
Specification comprised of the overall required safeqv
to achieve the target level and the
necessary risk reduction required
Incrudes. for each safety function trre
Integri(y of the components'
r r,^_^r^ñ^1
and Risk Management Description,
which rpeds to be maintained
This documentation forms part of the Eâzard
tluoughout the EUC's Safety Liferycle'
Risk Reduction
Bs EN IEC 61508-5 contains
either qualitatively or quantitatively-
T'e required Risk Reducúon can be determined
examples of both methods' using a
u.idery used- The quaritative method
laborious calcurations and is not
The quantitative melhod reads to rather Risk Matrix)'
.calibrated' Risk Graph is significantly less laborious' (It is also possible to use a
between the quantitative and
qualitative methods, and should alleviate
method of this guide is a cornpromise
T'e proposed
the Risk Graph approach'
some of the non-linearity probt"* of
determination of the risk reduction
method requires the numericar exact
Neither the qualitative nor the semiquantitative and the required sIL been found' the
facror for each safetv fi¡nction. However, ,fd;;;;-"-;*i, nu.r. u""n àerermined
for the sIL'
inverse oithe PFD",= as in this table
risk reduction factor (RRF) is simply the The
pFD""=of the safeqv function is between 0'01 and 0'001'
is 2. rhe range of
For example. if the determined SiL
100 to 1000-
corresponding range of RRF is then from
Safetv tntegrit-v Levels (SIL)
targetfailureforasaferyfunction.allocatedtoanEÆiPEsafery"-relateds]_Stem
10.000 to 100.000
> t0-5 to < 10*
1000 to 10.000
> lo4 to < 1o-3
> l0-3 to < 10- 100 to 1000
> to-' to < to-' t0 to 100
Phase 5
Safeqv Requirements Allocaúon
w't take into account the requirements
for t'e
of a EUC operator
It is expected rhat the normar engineering procedure safety related systems zuch as relief
drainage and vent syï;s. Àso other
erlernal risk reduction facilities like fire walls.
gù¿" considered as pârt of the EUC'
and nrpt*re disks. therefore. tïey are. in tltit
'alves pracúcal (ALARP) value is that required of
the As Low As Reasonabry
The remaining Risk reducúon required to achieve
the SIS.
Le'el (sIS) for each component
as meeting the required Safetv Integritv
Tlre functioning of the sIS needs to be verified
forming the qYstem architecture'
after the external risk
are then based on the remaining risk
In this gr¡ide, the risk assessmentand sIL determination box in the figure
have been implemented' i'ê' ttre leftmost
reduction facilities and otìer safetv related s-vstems
to the three safegv s-vstems'

concept of safetv requirement allocation
The fo'owing figure illustrates the generar
61508) Part One t1 of23

Profit Through Loss Control (BS EN IEC
I.R llitchen BA(TIons) C.Eng" MIEE'
Syslems'
t2
@ STNTEF Belìability Data t^- Controì and Safety
1998 Ed¡tion. )
Table 1 Relation between different 2 _ values

Thus,notethatifanimperfectÞsrlngprincipleîsadoptedforthefunctional.testing,thiswill
a procåss switch is nar tested
by introducing a
îniun.", if
Spurious operation Fail to operate conr¡ibure to rhe IIF prouuffi.-n- is no perfect
Undetectable i*pårirg u ¿"¿icated test signal, there
change in rhe pro""r. itr"tt u'oirå,¡". "i""tãüy
}so lFTO
/tnd¿r
Detectable
l,o¿",
functional testing, æ ttre test wilì'not
¿"""t a blocking of the sensing line'
îso 2FrO
triet
'"d¿¡ 2
(csÐ are
to the cridcal safe{ unavailabiliw
'"det
Sum and x.¡-¡o
The contributions of the T/F probability
7so
tudt 2FTO
'Înr phvsical
Sí"rt,ïrtil.* t"üÙn*"q io tt" f¡tut" to an operational state' The
A^, rate are faíIures'
illustrated in Figure 2. I' r"p; ,"*
Some of these parameters, in particular the rlf ComDonents with physical fJ;;; ;q**,o*. t ind.ot ,o
bv tunctional iesting' on the other
probability, and partry the coverage q are
expert judgements, see /13l. A¡ essential element æsessed by
contfiburion to csu ao* pri*i"i;.il,.i ü,u';d "li"í;"ã No repair is required but
of this expert judgement is-to clariff precisely
which failures conhibute to ?7F and l.¡¡, respectively. hand, failures contributing
;
-iäJtiËîr"tãu¡try ¡*o¡*ol ¡å¡nrøs.
Figure I was used æ an aid to crarify this. rn
ir'utto*t¿ constant' independent of
particular the following is stressed conceming suchfailureswi]]occurrepeatedlyifthesamescenariorepeatsitself,unless.modificationsare the
present report.
the iterpretation of these .on."p,r-* used
in the iniúated. The contribution ,iåiäffi"ñn;ä:Ji;Ñ;
frequencY of functional testing'
¡FTO
h.
Detected by automatic self-test, or by
operator/maintenance personnel
¡SO (inespective of funcrional testing).
hd"t
I Revealed ¡n
functional lesl, lrl2
"¡t {ro Loss of safety failures. Detected by
I
'!undet
i demands only. 10'2
103
(physical failures)
Unrevealed in
l
Trip failure, immediately funcl¡onal test, TIF
nSo revealed. Nol prevented by ary (luncìional lailures)
4undet 10{
test.
Coveragec= loolÀ*,
TTT
Functional test interval
Design enors
t softwae Figure 2 Contributions to CSU
. degreeofdiscrimination
'Wrong
Location
E}
Insufficient fct. testptocedure CoveraRe
Human error during test if t;ure that in s91e way is detected in
Thecoverageisthefractionofthecritica]failures,whichisdetectedbytheautomaticself-testorby
include as part of the ":Yiq:.î;
. ¿rn operaror. Thus, we ¡ "tto"r" will have a critical failure'
r"nro, t..g. t *r*itt"rj ti,ìi
forget to test
' wong calibration betwien functional tests. Anãalo! thus contribute to À¿"¡' Any trip
"r;i:"d t*.t "p"í*t -¿
but this failure is assuméd ,"^#Ëffi;,i.
'
.
damage detector
ä"* ;i; derector,(trip) eiui,,e"" '
:T:l ::J:'Jiil#,låî:,i:."JiiÏ;::fi;:Ï #
to occur is also part ol À¿r an
leave in by-pass
' r the operauon
uuto*uti" activation so tt
a np coutd be prevented by
Figure 1 Interpretation of reliability parameters specifying
include in À¿", failures f"; ;hi;h
Zffu' cancontributetothespurioustriprate'
TIF probability philosophy'Thismeans rh^rb:';; ffi*à
Thi.s t!1øobability that acomponent, which has just been tesred,
1s will fail on demand. This wilì
include failures caused e'g. by-improper/wrong loc"ation
or inadequate design (software error or
inadequate detection principle). tmperrèct functiãnd
testÀg pnncipleþrocedure will a.lso contribute.
Finally' the possibility that the maintenance crew perform
an erroneous functional testing (which is
usually not detected before the next test) also contribute
to the ?IF probabilitv.
Safety Systems
t4 Relìabitily Dala for Conlrol and l)
@s5|LiiulllF
1998 Edition
)
2.2 Ãpproach and Data Sources
- along with the source
previously recommended estimates
For the sake of comparison, the
Failure rate dnta in the 95 edition is mainly bæed on the dossiers'
oREDA phæe Itr database, which _ in the tisting - æe included in the data
presenr report - is updated wirh rhe OREDA phase
IV data.
is in the present repofl
Notethatintheg5etlition,thedatawerepresente-in.asliehtlydifferentway.Insteadofusinga
types of f¡rurel tné coverage
comrnon coverage for both iôäO
nfCj
The idea is to let the estimates from the 95 edition
form the so-called pnar diskibution, and next áj. rni, l, ¿on.ìo ¡" comiatible with the PDS Tool'
split into its FTO -a so purt ]rJ"i."iiãn
using oREDA rv jurÑin." the 95 edition
update this prior distribution to the posteior distribution
only presents point estimates, is not possible to establish u
_it distribution. SomefiltersusedinthepreviousstudywithearlierversionsoftheOREDAsoftwæea¡enot
have to be set'
Pragmaticaily we therefore use the point estimate as the mean vaiue "o,rrpr*-pior the later versions' Thus new
filters
of the prior distribution, a¡d ã"r"oæiUf" *itf,
make an implicit argument about the variation in the prior
distribution *dæcåb".-å in the following.
It is assumed that the true fail*" t:l:.f":i given e4rìipment
type is a random variable with a prior
in *'"ìt"'i*: *dl:lTl:*liduat
distributed Gamma(q, p), see e.g. /16/. This distrituìión WheretheoREDAPhæelllorlVdatabasedoesnotcontaindata,ordataissca¡ce,thefailurerate
reliabiLiry
will be updated with the observed failures releîai;;;;;;-t'ún"¿
esdmate is bæeil on other previous
and calenda¡ times from OREDA phase rV and used
to give the new faü*..*" À,i*u*r.
data dossiers give informatirîrî;
th" il sources for the uario,rs components'-The
than the OREDA database'
o'ht'
'we.need
t: specify the parameters of the prior dishibution by speciffing its estimates in the ss .auon *'ie;; ;;;;;;xt*bïi9,:" 'o*t"t
tutt dutu to*tts are given below'
deviation' To simplify matters we assume that the mean a¡d standa¡d
mean in ttre gamma prior is the previous failure
ö;;i;v.J;w of all the failure
rate estimate,Lø. Furthermo¡e, it is assumed that

ø= 1 which r.do"* trr. g**nì art rbution to an
exponenrial distribution. This implies that the standæd rel' /1/' /2/' /3/' /15/' /17/
OÙEDA - Olfshore Retiabit¡Û Datq
deviation rh. ñ;;;;;
and is equal to
the mean, l¿¿. Note that this assumption need not always "f
be approp.iute, ñ th;
a¡e not enough
data to validate the æsumption. bv DNV rechnica' Høvik' Norwav
Hll;:;;;' oREDA ParticÞants' distributed
';;;1.;r'r, rs84,1se2'.ree3andree'I
Now the new failure rate is given by
1t
tÎ
¡
I
"#:"1î;:"'"'H"iffË,'i"îîå'f i,,3îi-:""i.:åì"lilff å',,iåiïi.'ffi "ïiliå
expenence
Ñ"nn Sea and in the Adriatic Sea'
^
'þnw -l]i- installation'î".ãi"
tlAoD + t , installations, collected from
T8: '
ì'i rt9ry- (ref l3t)' 2nd
OREDA has publishecl tlrce handbgg;tl
frqT"iiti"t
l?e1 there are
edition ftom tbgz Get' t2) r'fld:¿ "¿ilon !'"j''11-%:**r'
where / is the number of failu¡es obsewed in OREDA phase rv,
and r is the equipment,s totar
threeversionsoftheOREDAdatabase,ofwhichthelatestversion.isthemaindata
calendar time in OREDA phase rv. Nore rhar this method can r" sourceinthisrepoft,denotedtheoneplpr'*"Ñd"tab"s"(ref./15/).Thedatain
useo repeateay was collected in 1993-96'
t¡e OnepÃ pnle fV database
irnË.¿"¿.
The following should be noted about the update of the
reriabiliry dara esrimates:
on Fire anil Gas Detecton' ref' /4/
Oseberg C 'Experience Datø
o For some equipment types additional data was registered Á;;í":ri Jon Arne Grammeltvedt
the finishing of the 95 edition . lvhen this is-the cæe
in the oREDA phæe afier Itr database 'ä;:;u;rt Norsk Hydro' Research Centre'
Porsgnrnn' Norway
the previous estimates are updated
sequentially
with the complete OREDA Phase Itr data and rhe OREDA phase Ñ data, using the
Publ.war: 1994
approach described above.
data on catatvtic gas detectors'
IR name
";:::;:::"Ï' if:"ätJ;i::ents rerd
o Also, for some types of equipment, there are no inventories "-ry.-".:i-
from the Oseberg C pìatform
in the North Sea'
registered in phase rv (r = 6¡. ¡,¡r"r" detectors anå smoke detectors
are additional data in phase rr, the OREDA phase
gstimates' If this is not the case, the previousìy
III ¿uta arã us"a io;pd;;; reriabiriry data Process Safety Systems'
ref' /5/
Methoil for
there are no,faitures registered in phase rV(f
recommended estimates still apply. (Note that if WLCAN - A Vulnerability Calculation
estimates).
= 0) tlri. i.¡;;;ìì;;î';J"ä., updare the Author: Lars Bodsbere
Norway
publisher: Nor*"giäirirtituteofTechnology,Trondheim,
o There hæ been no new expert judgements in this project,
except for those related to the the Publ.Year: 1993
detectors
method described in chapter 4. Thii means that no iIF variu,
,ir"pi railure data on fire and sas
¡o'ì-iÃ- gÃ detectors, have
been changed since the 95 edition. ';':r:;i::"?'' i#l;ffiT:serration incrudes experience
jl,;:;í,gl*:m:,*:lJJff
t rrom"J;î,il;;;iglrlr:^.:
respect to ra
lìî1"i:ñ"1:
Th" covemge updates are taken as a weighted average between the previous estimates and the very comprehensive with III data'
observed coverage in the OREDA phase IV databæeì. ¿t" rt"i'¿t¿ in the oREDA Phase
The previous åstimates are given double ,nu,,n"
weight since they include expert judgements arid the datá
material is s"o¡c", with the
OREDA Phase IV dara. "ven "äiiäiåìt
Systems
l6 Reliability Data for Control and Salety 11
1998 Edìtion. Ì
,@stltìllllEm
NPRD-9L: Nonelectronic parts Reliability Data 1991, ref. /9/
Authors: william Denson, Greg chandler, william crowelr and
Rick wanner 2.3 Summary Table of PDS Input Data !
Publisher: Reliability Analysis Center, Rome, New york, USA

year:
PubI. 1991 input data to pDS analysis. The definition
of the column
on: Field experience
Data based Table 24summa¡ise the recommended 2'1
given in Chapter
Description: The handbook provides failure fr*aingr r.tut", to the parameter definitions
rate data for a wide variety of component types
incruding mechanicar, electromechanical, and disc¡ete
erectronic parts and Somecomments'basedontheexpertjudgementsessionperfolle¿¿]:nngthe^previousandpresent
and coverage'
assemblies. Drta.represents a compilation of field
experience in military and ;öiäñ;à;dbelow, in partiËuhr onihe given values for l/F
industrial applicarions, and concenrraies on irems i
nor.o";.J;t ú'--HDBK 2r7, t''''-'¡"" i-\lo"-*' ilr';"'"' ;1 ìY\r'rr'i--! ")\r.i
"Reliability hediction of Erect¡onic Equìpment". outu ãu1., include part
11'l'r"r'-
descriptions, quarity levers, apprication erwiionments, tr-i:-ì1.1.:l),,:r,
.îl^l:r:^**.es, number of
point .rti*ut", offailu¡e
failures, rotal operaring.toun, an¿ detailed part
2.3.1 rrFprobabilities i;;þ{ 'rt--tt-o''-t ' .n ,¡".\-;1\, ",.,;..,,, ..,,;ì.ù-,,r." ,,;*t},.-
,\.,. .^ " {,,.t,s - .
cha¡acteristics. {.,.,:;r)
tüffinrra itsJlf, essentiatly caused by human
.Process
probability, 10-3, is assigne¿ io üI switch
ne\bilitl Datafor Computer-Based process Safety Systems, ny it"i"A;ttc the sensing line (piping)' ¡he TIF
Authos: re!. /g/ interyention (" g' ü"*t";ätatî n"*O'
is carried out' which
LarsBodsberg u p"i"", funcîonal testing
Publisher: probabiliry *uy lnårË*" ,o 5.10-3, uniess
SINTEF Safety and Reliability, T¡ondheim, Norway line'
also detects blocking of the sensing
PubI.year: 1989
on:
Data based Field experience/expert judgement
Descriprton: The report Presents field data and guide figures for prediction ProcesstmdreÉ"rs th".1:i:Tî lineìsdetectecl bY the
of reliability of have a "live signal"' Thus' bloc-king "f
computer-based process safety systems. Data is "U,.aßo a significa;t part of failures of the transmitter itself
based ãn ¡eview of oil comiaay operator -¿ is ln.tì,¿"ä ,n Thus' the lIF prob-
data files, workshop with technical experts, interviews
with technical ;p"*;á ,,stuck,, failures) are detected by the operator anicontribute to 2¿",.
questionnaires.
(all are, due to mole
and field bus t¡ansmitters
ability is less thær'thì of the switch. sma¡t
expected to have even smaller lIF'
T-boken: Reliability Datø of componenß in Nordic Nucrear power pranß,
ref. /6/ "o*pl"t"'"túng,
Authors: ATV-kansliet and Studsvik AB
Publisher: Vattenfall, Sweden Gas detectors
year:
Publ. Version 3, 1992 NotethatanewexpertjudgemenîsessionlgasperformedduríngthelggSstudy,givingTIF
*itt r"sp""i to detectoitype S point or line)'
the
Data based on: Field experience values for g* a.tã"ior. dîfferentiated ihe TIF probability for IR
size of the leakage, and other .onaition*p"íja
inflo"n."
Descriptíon: was not
' The handbook_ (in swedish) provides failu¡e rate estimates for pumps, varves,
detectors. s". cri"pto ã iã, ¿"t"1..
a¡, 1at-probability for catal¡ic gas detectors
instruments and electropower components in Nordic nuclear old and less relevant'
are presented as constant failure ¡ates, with respect to
power flants. The data evaluated * tfo' t"ãn"ology is considered to be
the most significant failure
modes. Mean active repair times a¡e also ¡ecorded.
Fire detectors
F ARADI P.TH REE, ref. /7/ Itisassumedthata.detectorwiththe,,right,'detectiorrP'il"'Pl:is.applied(Smoke
d: *-i::nt^îwhere flame ftres
fires t"
Author: detectors are applied where smoke "*p"tt"J*a gives a very low
David J. Smith
æe expected') Even so' there
ìs a.possibility tiat a fue may occur which
Publisher: Butterworth-HeinemannLtd.,Oxford,Eneland
Publ. year: orobabilityofdetectionbythedetectornuîro"".i*.bo"tothisfactanintervalis
the fire, essentially
Fourth edition, 1993
on: Mixture of field experience and expert judgement , provided for ää";:Th; i¡r u¡u. *u1n ;dt,i"; to the size of (indoor/outdoorl qrocess area/living
Data based "^.h
depend on tne tocaùor/envi¡onmenr "r
*t ãli""t"t generally
Description: The rextbook "Reliabilþ, uatntanaw[ity and Risk - practical ttt"-tJ*
Methods *"i"ä""' '*"t"
quarter). n", detecto¡ 19:t æ-ptï:^l^"jtilt"ctors
,: Engineers" (ref. lZt) have a specific chaptér and an appendix on-iailu¡e,rate for is sigrrificantly grelter' Flame detectors are
serve as ,".onäuìì iuri"., and
data: the value
but oil fues in process
The data presented are mainly compiled from variãus sources, such as
MIL- "
reliabte untess îä"t" ir J;"n4_t""imalted ,IF = 3'104),
"ìîîåf as 0.5, could apply'high
HDBK-217, NpRD-r985 (i.e. rhe 85 vìrsion of MRD-91) an¿ opGoe
Handbook æeæ will d*"1ö;il;ir*"r.", *¿ u ?Lprouuuiliry as
' 1984. The failure rate data presented in the textbook is an extract.from
the database
FARADIP.THREE.
systems
^---"'T;;rIF
PLC , - ^^ ^^ç+",ô'a .*^'q For dedic
for the rogics is.essent4lt *:jî.','Jîï"::il""::rff:.t"#åfiiìthlTîH
:*i,':ï"n::Ïfff îJ l"iliåi r'Jffi *md;;;,år,**" ""o's

I Fo' standard
systems, the estimate Î/F = 5{0- appxes'

Reìiability Data for Conlrol and
Safety Systems' lo
18 @)stlNTEF Edirion.
1998 ]
As an exampre, consider the murtipricitv,gt-:'b:i:.î^1":li:i'åliltih::IîJJJ;Ï5':;:

Valves
The zIF probabiliry for ESVs witl depend on the type
;ä;; ã H+ r' : ?0_Tfj"';3,.i;TÏi'i:ffiå:h'ü,"i"in'iv ir'" uoth modures have
0
of functional resring. If the ESV is probabilitYthat just one mo(
shut in completely and pressure testeà, iryF
= 10-6'ithis ir al*"*å because of rhe failed is 0.10'
possibility of human elrors' e'g. related to bypass and "¿""
improper testing). If the ,,functional
testing"just involves a check that the valve moves
r lstarts closìng¡ on dãman¿, the value 10
is suggested. This.?IF val,re also applies ioi ol valves. AII these values include the
"ont
pilot valve. The major contibution to the llF probabiJity
for psVs is wrong set point due
to enor of the maintenance crew, and the same TIF vaJue
æ used for switches is suggested
(sensing line nor included).
B single
single SimultanìousìY
Unit A lailure
2.3.2 Coverages failure la¡lure ol A and B
Fìeliability btæk diagrm ot
the redundant modules
Senson
Line testing gives a coverage of 20vo for switches, conventional components
transmjtters and ESD push distribution for iluplicated
buttons' In addition operatoß detect a significant Figure 3 Example of multiplicity
p* of p.o"".r-t¡animitter failures
(transmitter being stuck), giving a total coverage
foi transrnitters which is significantly
higher. For gas detectors also drift are detected (low alarm) Table6plesentsrecommendedp.factordistributionsadoptedfrom/11/.Thedistributionsare
an¿ trris *-uy trips to be
,tte following degrees of
dependency
prevented. The given covefage for smoke detecrors
applies for analog "uur"
sensors. pårå"il"i
Control logic ¡ Low
For bus coupler and communication unit 1007o of Îrip tailures
actually gives trip. Further, it r Medium
is estimated that 957o of loss of safety failures æe detected,
and a Fró iailure is prevented. r High
Valves
r ComPlete
No automatic self-test for valves. It is estimated that o-pgqlo"rs detect
6^5/9 of critical Table5pfesentsguidelinesforselectingappropriatedegreeofdependency(adoptedfrom/11ô.
failures (stuck railures) for çB¡¡-q9l-ygJ=vês. There ." ..ffiiãa
so failures on valves
detected by continuous condition mõñioìrl,ng in the OREDã phase
fV data It is assumed
that these failures are detected by operators and thus included
in the So coverage.
Note that these values are partially updated with the TREDA phase IV data, see also the
comments in Section 2-2-
23.3 p-factors _r.1,r,rn flq¡\a
When quantifying the reliability of.systems elnploying redundancy, e.g., duplicated

or triplicated
systems, it is essential to distinguish between indepentlent and, dependint
foiìor"r. Normal ageing
failures (see /141) are usually considercd as independenl failu¡es. However,
both physical failures
due to excessive stresses/human interaction and alt firnctional failures are by nãture
depend.ent
(common cause) failures. Dependent failu¡es can lead to simultaneous
failurå of more than one
module in the safety system, and thus ¡educe the advantage of redundancy.
In PDS dependent failures a¡e accounted for by introdu cing a multiplicity ttis¡ibution. The
m-ultiplicity distribution specifìes the probability that - given that a failure has
ãccurred - exactly ft
of the n redundanr modules fail. Here, & equals r,2, ... , n. The probability of k
modures failing
simultaneously is denoted p¿.
20 sulìlilem Reìiability Data for Control and Saf ety Systems 21
)@ 1ee8 Ed¡tlon. )
Table 2 Failure rates, coverage and TIF probabilities
for input devices
probabilities for control logic
Table 3 Failure rates' coverage and TIF
À-i Co verage 'I-¿.r per
FlQ 10ó
Gomponent ;Pf{ 106 ':
.t .: 'i,
1
"ùndd;:'
1SO
.i lrs
lL'*
:.. :
| Lnðà¡ ,,
h¡s .so | t
cFrQ Iff" || ^'n¿r
¡So
¡. Inpffice
Process Switch,
Control logic units
Conventional l) 3.4 90Vo 20Vo 2.1
2)
0.2 0.9 l.lo3 - 5.10r 2) 5.10-s - 5.104
Pressure
l.J 9ÙVo 20Vo 1.6
T¡ansmitte¡ 0.1 0.4 3'104 - 5.104 3)
Level (displace)
3.1
Field bus
T¡ansmitter 90Vo 50Vo 0.9 0.t 3)
0.8 3.104 _ 5.104 couPler
Temperatue
Transmitter I .8 60Vo 60Vo 0.6 0.3 0.4 3)
3.104 - 5.104
Flow
Transmitte¡ 60Vo 5jVo 0.7 0.6
l) Note that the value for one signal path is
somewhat less than this value
1.1 3.i0" - 5.104 3) t) por ftfv ceruned and standud system' respectively
Gas detector,
2.3 60Vo 4OVo
catalytic 0.6 0.4 3.104 - 0.1 4)
probabilities for output devices
Table 4 Failure rates' coYerage an'l TIF
Gas detector IR
J .6 80Vo 7ÙVo t1 .0 COYeraBe À.¡a"¡ Per 10o
point 0.7 0.1 6.10-3 _ l.l0_3 4,8)
,E¡ j IilO,.,
"ùndr¡ hrs TU'
Gas detector IR Component per 106 so'-
,,ffi'
line 3.6 80Vo 7jVo 11.0 0;l 4.8)
'hrs crro..l cso --l rff., I rf...
0.1 6.10-2 _ 7.70-2
Smoke Outpul devices

detector 40Vo 507o 0.5 0.8 5)
1.2 lo-3 - o.o5 r)
ESV 0.8 0.5 1O6 _ 10-s
I .6 OVo 30To 1.1
Heat
2.4 50Vo 5OVo 0.6 X-Mas
detecto¡ 0.5 1.3 0.05 - 0.5 6)
Other ESV lmain OVo ÙVo +-3 1.3 0.3 lo{-105r)

Flame 1.6
8.2 valve+actuator)
detector 5OVo 5OVo 1.0 2.1 7)
2.1 3.10* - 0.5
20Vo 3O7o 0.7 I A t.8
Pilot valve 4 .2
ESD Push
1.0
button 20Vo 2OVo 0.3 0.2 10-s
0.6 l0-5 Control valve, 7.6 604o '107o 17.8 2.8 0.1
small
¡)
Daa primarily apply for pressure swrtches Control val-ve, '7j%o 3.0 0-8 u-¿ t0-
2) ,R 6O1o
Wilhout/with the sensine line
3) læge
For smarlconventional,iespectively
4)
The rangc,gives values for læge ro smalt gas o.z2) 10-3
leaks (large gas leala a¡e leak Pressure relief 1.2 07o 0Vo 5 .0 1.0
> I kg/s)
For smoke and flame fres, respectively
valve, PSV
6)
lherange represents the occurence ofdifferent types
1) of fires (different locations) respectively
testing'
Forflame and smoke frres, respectively For complete and incomPlete functional
8) lead to system [aP
Average over ventilation type and besl,/worsr
conditions, see Chaoter ttote tnaì tnp of fSV does not necessarily
3
Safety Syslems
22
,@ SINTEF Reliability Data for Conlrol and
1998 Edition.
\
1
23
Table 5 p-factors of various components

r.'t.r.,.À.¡
tlistributions
Table 6 Recommended p-factor
p-factol
Component'. te'rmÐ
:disfribution
Comment ñ-"er.. d"pendence
"f I Irigh
ruã¿ium
ut devices
Fire/gas
, =hl
Àmo 2: Medium Same manufacturer, environment and maintenance
detector
¡.so dependence contribute to CCFs
Ttr 3: High Same location and design give high fraction of

<0.2 dependence CCFs
0.9800
TIF 4: Complete Almost complete dependence when the detectors 0.0180
>0.2 dependence æe applied in scenarios which they are not de_ 0.0015
signed to handle
Pressure switch atl 2: Medium Same manufacturer, medium location and main_
dependence tenance contribute to CCFs
Pressure all 1: [¡w Field data shows a significantly lower f¡action of 2.4 Further Work
hansmitter dependence common cause failures for transmitters as
compared to srilitches Boththeg5editionandthepresentstudyi]lust¡ates,thatfurtherworkshouldbecarriedoutonfailufe
io inir".rJ tn" cr"¿i¡ility and
validity of reliabiliry analyses:
Field bus all 1: Low data definitions/cf*rifr"ution
Application software has a lower fraction of CCFs
transmitters dependence than the system software
2.4.1 Variability of the TIF

probability
"iO
PLC all 2: Medium System software errors gives a rather high contri_ Forseveralcomponents(e.g.sensors)thereisobviouslyawiderarrgeofTlFvaluesthatmayapply'
dependence bution to CCFs. Other fr:nctìonal failures also depending on various factors
such as
conûibute.
process arealliving quarter)
Ouþut devices/Valves - location (e'g' indoor/outdoor'
- detecdonPrinciPle
Pilot valves on aIl 2: Medium Same design, location, cont¡ol fluid and main_
- ;;;;s"(e'!'anaiogue/diqil4'Pginqn'].-,^^,,-line)
svstem boundary it'g' *ittt/*itttout
impulse
same valve dependence tenance contribute to CCFs -
- fype of functional testing þerfecVtncomptere't
Pilot valves on all
different valves
1: Low Lower fraction of CCFs when pilots activates - u*ount of self{esVmonitoring
dependence different ESVs
ESV Anefforthasbeenmadetomeetthischallenge,b.ytyfaronlyforgasdetectofs.However,itisan
all 1: Low Same design, medium a¡rd maintenance conhibute
obuiou, need to quantirv *"Ï:îö"t'ü+;;"':"t:::tí:i*l'r":*;mt"?iiî:ttr#åtå'å
dependence to CCFs. Field data indicate a relatively small value' rerlecung
fraction of CCFs..
or.* ,vp.t, so that an appropriate T/F
for actual studies'
Couplers all l: Low Application software has a lowe¡ f¡action of CCFs
testing
errors and human errors during
dependence than system software
2.42 Distinguish between design
r)
specifies which failure rate/probability rhe given distribution appries
for by
These are failures caused
ItissuggestedthattheTlFprobabiÌityshouldberestrictedtoaccountforfac.*:'ll,arepresentfrom
day l,
and which are
in-ly
uuto*utl"¡f"".,1"ìJ "tt' th-i|1{ errors introduced bv
".""i';ä;#
*'å"î r""ìr* d".:t:'.t:-t-t';;i;-suggested
be defined as
design enors, e.g' including "f ini¿ãquate testing) should
crew upoi testing (e.g. by;pals ruilu,", -J u"Jprov"d models should
Ué inctu¿e¿ i" ili'üË-p't"äîility'
the maintenance
a separate category of f"ifor"s,--ar;d'no't testing'
;ää;t.a 6r fäitures inuoáuced during tunctional
Saf ety Systems'
24
\g ÐtlNULqf Beliability Data for Control and
1998 Edition'
25
) )
pnosnnIr.rrIps
unrgoo roR oBTAINING ÀPPLIcMIoN sPEcIFIc TIF
The above suggestions will make analyses more credible and
3. A
accurate (ptant specifrc), and it will
facilitate the communication.between analysts and
maintenance/operational personnel. It wili also 3.1 Introduction
make analyses more informative with respeãt to identifying
facto¡s that ri" i"ü"-ùiliry, and rhus
identifuing means of improving system dèpendability. "rr"" parameters in quantitative dependability
data are used as input
In most RAMS analyses generic ;uu"'ug" it is theiefore desired to establish
assessments. These generic
ä;;;;;;i "¿*i;unJ into account' In this report
to tut' conditions
a method for adjusting th"'"-;;;;g;;alues 'pt"int
øt^git-iirryrrs. In future repofts we aim at
present a merhod f",
vr'e
"urrJtî;ïr;; "aà-u¡nut
parameters and equipment classes'
iÀ otñer
;.:"ï;ffi;;iit"¿"l"gv
Firstthemethodisestab]ishedandcalib¡atedbasedontheresultsfromanexpertseminar.Theby a step by
*.*urn**i."ä N.*t tt" orJoi iftã *ttito¿ is described
ir S".,.. :.S.
main resulrs
is given' see Sections 3'7-3'8'
step procedure, and an example
3.2 ConcePtual aPProach
conceptual model
u, if*rt ui"å irifig*" 4' This
A.conceptualhierarchicalmodelhasbeenestablishedrelatinginfluencin.gconditionstodirect
failure causes and the direct failure
"rJ;î-T¡f;;"U,liry
züìJr.r'*¿ r"tutiu" i,npo,iulît t*tigñ"1 of the various
contains a set of baseline
causes.
Generic basel¡ne
TIF values from
expert
Tminar
\
High
High
Generic weights from

expert semlnar
-V
(DC,, I
(S)
APplication specific scores
structure
Figure 4 Conceptual hierarchical
-
Thetotall/FprobabilityisthesumofTlF-contributionsfromthefollowingcontributingclasses
GA:
r Design enors (CCr) giving
TIF¡'
. Wroig Iocation (CCù glvingTlFz
giving ?lF:'
å't pîo""ao'" or human errors (CC¡)
. Insufficient functional
..Behind,,eachcontributingclassasetofdirectfailurecauses(DC)are.defined,forexample
each direct failure cause
"forset to test" and "*'o'l' ì""îtä"
ît-å"sign" The impottun"" of are
(wnö' nin¿ty the direct failure causes
a
within a contributing "r"""i'ï#"åãïy "v'eight
and Safely Syslems' 27
Reliabiìily Data for Control
26
,@srNTEF 19eB Edition. )
influenced by a set of influencing conditions (1Q. These are conditions

that are controllable by
the operator/designer of the installation. - Modifications
These bæeline Î/F values and the weights we¡e established during an expert seminar. In a
practical study the TIF probability is adjusted according to the
For each conrributins crassíÍ:,
iii;,il 1,r.î;îff::,ï:.Îî:1ît li;flft,l;
l;;ï i:th*I
staL of a set of influencing of these direct causes a ret¿ class'
conditions..A "check list" procedure is applied, where for each pre-defined
influencing condition, ilätillu*;; to 1007o for each contributins
l t"of tl given representing the state for the particular applicatiôn. A sco¡e is a number between - a direct
Td 1l' A score of
I -l
represents the "worst rhLt u, +1 represents ttre ;üest case,,. See focuses äi.,r'"ä"¿i,i"ns
inJluenc.ing on
Notethatadirectfailurecausedoesnotdirecdycorrespondtotheconditionsthatafecontrollable
by a designer. Therefore *;;;Jt*ically
Table7 for an example. "us"",
ra'ur" caus". For example,r'.'i""'"i*,1"' "r l"::* 1;Lj;l=*il.:îT::"*:,tÏ:?:tl';odi'"å:;
score w'r be
r" p'""ir"¡ -arvsis a
liäi"îi,ïäffi:of ;:îi,::iläiiin -]'fi{*4;l '

Table 7 Example of check list for TIF evaluation
*;
assigned to each
'h"";;;'i;;' 1iråre I:t¡:'ii"ff.#äï:f:;#''Jgli:å"Ïi
ür' possibre an
rräri.Jlffiäîä:ilî.f:"T'":ïfi i"Jlffi;;;;iî' to estabrish
application specrllc llr'
on tt'" following principles:

Thereisnostraightforwædmannertoestablishafe]ationbetweenthescore.sandThreTlF.values'
3.3 Definitions rt r"iu,ioo p.";*"u * tti"iää t"d;;;;"å
"
The following definitions will be used throughout this presentation: t TIF¡should equal TIF¡,¡on\f all S¡¡= 1'T1,
1/F,,n3r' if all 'fu = 1,lurthll'---.n,
-' i¡r' Ji""ia equal tne the *.* f the low ardhighrlF-vaiues'
o
o A contributing class (CO is a class of direct failure causes that contribute to the TIF ;.11;;'; tqtà o flF strould equal Seometr
r' and rIFø' = lo'3)'
probability. 10
of this principle (TIFnign=
o A direct failure cause (DQ is a specific and clearly defined cause within one contributing Figure 5 i'ustrates the implications
class, influencing the IIF probability.
' An Wuencing condition (1Q is a condition that influences the probability of failures :-+-
due to
the relevant direct failure cause.
c A score (.f) denote the state of a specific influencing condition for a given application.
3.4 Method
o 0.5
Scoæ
The main idea is to establish rheTIF contribution from each of the contributing classes,
and then
next evaluate the di¡ect causes within each contributing class. The following cãntributing function of score values
classes Figure 5 TTF values as a
have been defined for gas detectors:
ÎIF for contributing class i is given by:

. Design enors (CC1). The formula for acljusting
the
. Wrong location (CCz)
- .l+S, / al-S,
(l)
. Insufficient functional test procedure or human enors (CC3);
Tß, =iwDc, (TIF,,," )T (TIF,,ø J'
In the expert seminar baseline numerical T/F-values were established for each contributing given by:
class,
CC¡, i = l;,'.,3. These baseline numerícal Î/F-values represent the anticipated range TIF for all contnbuting classes is
for TIF and the total
values for væious conditions on an offshore installation. Notational we
leT TlF¡to*conesponds to
the "best case" and rlF¡,¡¡s¡ cofiesponds to the "wo¡st cæe" for contributing (z)
clasïi.
.A set of direct failure causes are defined for each contributing class. For example rrn = irq =ä'oc,fr",""Ë h*''.' Ë
for the
contributing classwrong location the following di¡ect failure u.e,
- Wrong location by design "ous"i
Note that average scores on
all influence conditions
gives:
- Wrong documentation at installation
and Saf ety Systems 29
Reliabilily Ort" to' çentrol
28 psnmrnm '
1998 Edition. 'i
rj-- Table 8 Overall results, TIF consiilerat"Ï t"t *

TIF, = ) JTF, r-' Tß.o,ro
That is, 71Fa is the sum of geometric means for each of the contributing classes.
ËñãouiP.u*"t"rsettings .
(response time, sensitivitY etc'¡
3.5 Results from the expert seminar
Wrong ryPe ot detecror^ h.ûY or light gasses
ioo"i."tioi heavy/li ght 6äõlith
The objective of the expert seminar was to "n"itonment2, weather
o Establish a set of "Contributing Classes" CC @of
¡ Establish a set of "Direct Causes" DC for each CC
r Establish a set of "Influencing Conditions" .tC fo¡ each DC
o Establish TIFø and TIF¡¡r¡for each CC
¡ Establish ¡elative weights wDC¡within each CC
Two diffe¡ent detection systems we¡e considered:
o Infrared (IR) point detector

¡ lnfrared line detector
air
ln addition the following 8 different scenarios were considered: lns¡riion <¿tu*ings, taglists'
@odification
o Small gas leakage in open area
o Small gas leakage in naturally ventilated area
. Small gas leakage in mechanically ventilated a¡ea
. Small gas leakage in ventilation intake
$Gt-. -a Pto""dures for
r Large gas leakage in open area
. Large gas leakage in naturally ventilated area
o Large gæ leakage in mechanically ventilated area @uuitiry
and
r Large gas leakage in ventilation intake Giãe-mandqualitatitelY/

rue.
ouantitâtively different from
plasuc oag'
áemand (e'g., covered by
where wfong gas tyPe ând/of
gas
¡ Smail gas leakage, release ¡ate <1 kgls i
. Large gas leakage, release rate 2 | kgls ô'"äi.dEf C"'uã"t"ãor tesrcd' ffidtitÑ(ti*t P*ssure' working
forget to test" wfong documentatlon'
accessibilitv
Note that such a scenario conside¡ation is only necessary for contributing class cc2 .,wrong
=
mis-understandings)
Ëi@e'
location".
componens
On the expert semina¡ focus was on the qualitative identification of direct failure causes and
influencing conditions. In addition, Z/F-values were èstablished for each contributing class for 6Tvoussnot t"mo"ed
(wron g- derecro Wpassed
different detector types and scenarios. Based on the discussion on the expert semina¡ SINTEF has úi'p"r*¿' forgel to remove bypass)
proposed numerical values fo¡ the "weights" of each di¡ect failure cause, and performed a
grouping of influencing conditions. The members of the "PDS-forum" have had this results for
comments. Table 8 summarises cci, DCs, ICs, wDC¡¡s and r/F-values established during the
expert seminar and the post processing of results.
I modes ae made
No consideration of failure
t T"moerature, pressure, flaring etc'
gasses
:i:m::ti;;!läation with respect to heavv/right
3l
30
{(P st]l,ìlulsF Beliability Data for
Control and Saf ety Systems
1998 Edìtion' )
Table 9 TIF for CC2"V,lronglocation", IR point detector

During the.expert se\ffipaiîJìffåi;:i,Hï:iir'iil::,:å'1'i":r',iïiî'ï;ilYïl;
Ventilation Small sas leakase Large gas leakaee surr¡
'Worst and "global" effects'
type Best Worst Best
î{c, îlo"¡' eff ect, and'l 57o "global" effect
does not depend
on-the density of
that the "local" f/F-contribution
It is reasonable to assume
Open
0.5 0.9 0.01 0.1
derectors. How
..
ever,,n" g r
"¡
¿ï'i' !Ãp:lîl *rifu:itf"mi"uiÏäT ;Ïrì"Ë1tr
iffïä";;;;,i.: 1",,",jifii*lg'iJffJ,i",:i: fi: ffii;;; berow a
Naturally procedure suggested
0.1 0.3 5.10-3 5.102
ventilated a¡ea
Mechanically
5.10-3 0.1 l0-3 10-2
l'"'#"r:"i":iÏ" ä?.,Ï:* assumed
ventilated area
Ventilation TIF
104 lo'2 104 10r
intake
Table 10 TIF for CCz r¡\ilrong location",IR line detector

Ventilatlon small sâs leal(âse Larse sas leakase
tvDe Best Wôrst Best Worst
Open 'Local"
0.05 0.09 0.002 0.02
Naturally detector density
ventilated area
0.01 0.03 1.10-3 l.1o-2 Figure 6 TIF versus
Mechanically
5.10-4 0.01 2.lf 2.10-3 *j,p:'f-::iiåîJiîi,îï:lfr :ffîffi":löJ$å
ventilâted area
Ventilation
104 7o'2 104 r n-3
ro simp,irv
number per detector'
try
i:äî:iÄ"" þ*tr, o:t:t"ôt
i:,p::::.här'ciu
Ëä,yi*Uk* pragmatic, ano is as
follows:
ìntake new TIF number
the slanoarus ¡v^..'----T¡e I ro..uure is
uev formurus.
be used as usual with o. Denote this
3.6 The relation between TIF and detector densitv r. For a given scenario,,ååro:i",ff"j:,",:,ï:,*iiyjfffif:tm;:it'ä*ratreastone
-=
number /<, where
means
läfi;; å-nly on" d.t."tot.
*,1iÏi::;#''_-,,'_
Note that when the values in Table 9 and Table l0 were established the following question were /(
detecror. = 0 - o ;1 5k)
= TIF r^,"t¡n"(t
asked: z ää"ïä'¡" ":ri::li:; :,{}:
ro I{'*;;,i[]Xi.'
3. This is rePeatedboth
"Assume that there is only one detector installed to detect a gas leakage. What ís the TIF-
probability of not detecting such a leakage related to contributing class 'wrong location'?"
3.7 Using the methodologY
The f,rgures given therefore contain two types oflocation enors:
AstepbystepprocedureisproposedtoestablishTlF-probabilitiesforaspecificapplication.
r "local" effects related to a detector in an area containing gas system will determine
r "global" effects related to the fact that there might not be gas at all in the area where the Step 1: Identificationofdetection --:-r-^red line detector. This choice
detector is placed. i'ti"t,.*g"^"t"::lîiîo',t#:å'o1"l,'J"ï';i:i';
whether Table 9
aoleor'l
For a specific analysis where only one detector is considered, the TIF values may be used as
of gas leakage size
stated in Table 9 and Table 10. However, in the situations whe¡e several detectors a¡e used, it is Step 2: Itlentification
not straight forward to use these results. When the total CSU is calculated, the "T1F-contribution" ilirãil"*i"g definitions are used: < ikgls
from each detector depends on the dependency, or so-called 'þ-factors", and it is reasonable to . Small gas leakage' release rate
rate 2 lkgis
assign different dependency factors for the "local" and the "global" l/F-contribution. . ;;" las leatage' release
Syslems'
Reliability Data for Control and Safely 33
9suNTEF 1998 Edil¡on. \

I
(CC)
Step 8: Calculation of adjusted
TIF for each contributine class following
contribiution is calculated by the
Foieach contributing tl^t the
ì.,-¡ =-l'"''l
Step 3: Identification of type of area ''F
formula:
Data is available for the following types of æea:
t OPen 'l+S' / ,l-S"
r Naturally ventilated area Tß, =iw DC u(Tr,.,," F (Tr'0,ø J'
r Mechanically ventilated area
¡ Ventilation intake (S';) are ¡ead from column 2 and
3 in Table 12'
where the weights (wDC¡¡)and scores
Step 4: Establishing correct TlF.values for,Í.ocation errors,, TIF
Based on the specifications.in s-teps r-3 it is possible to Step 9: Calculation oftotal adjusted
look-up the cor¡ect values for TIF2,¡¿. artd contributing class are sumnied up:
TIF2,¡¡.¡ f¡om Table 9 or Table 10. The TIF contributlons
"o*
"utË
Step 5: Gas leakage scenario TIF=TIFr +TIFz+TIF¡

As discussed in chapter 3.,6 the TIFz,tow and TlF2,¡¡r¡values
in Table g or Table 10 represent the
TIF for a "single detecror". T\.Tr-c:ntriuution derector i, tr",mlu* ãr.**y derectors
fä 3.8 CalculationexamPle
th; ;.d;t*ñ;;rnr,,, o, shourd be
win be less than rhese values indicare. To adjust the TrF_varue
identified' we now define È such that k ioovo 1 means
= = that .,it is likely,, the gas cloud will highlight the content of each step'
reach at least one detector. & less than I mears it is likely A calculation example is given to
that there ir no'¿"t."to, in that area
where the gas cloud will pas.
used in
a inrrared point detector' hence rabre e is
Now calculate new Î/F-values il1îJ;l*lrr3:îiïJ.i':iliiä.'ä:ä"
Step 4.
TIF2,bn = TI Fz nn(1 - 03 5k)
e
using rhe "rert" part or rabre
$i,3iJi:Xt'Iiåi:î,"[ätflT.t:"tiÍT,u," . lksls
TIF2¡¡s¡= TIF2,¡¡g¡(7 - 0.75k)
These numbers a¡e then to be inserted in Tabre r2,see discussion in Step 6. of area
Step 3: IdentifÎcation of tvoe
a mechanically ventilated area
Step 6: Identilication ofstate ofinfluencing conditions We assume that the gas'"utug" is in
TIF-values for 'Í.¿calion errord'

Each influencing condition which hæ been identified should
be evaluated with respect to the state
for- the particular analysis. Table 12 may be used as a Step 4: Establishing correct rIF 2'¡¡s¡ = o'r'
starting point for this evaluation. In the specification; ì Jtuin TIF z r* = 5' 1 0-3 and
il; ;;"
rightmosr corumn of rable 12 the apprication specific ..r"or"^" B ased on the
following coding shategy may be used:
,hr"ld ;; iiri.o, ,¡"r" tt"
Step 5: Gas leakage scenario low densitv)' hence
S = -1 - Worst state, i.e. no specific means has been ä:"d#;;;;;;:ti' = 0'33 (relativelv
identified '"öã¡z'
S = -Vz - Bad state
s = 0 - Average state, or no information about this condition TIF z ton = TIF 2.¡e*(1 - 0.7 5k) = ] 1']y-'
3
availabre o'075
S = Yz - Good state liF ;:;^ = TI Fz.¡¡e¡Q - o.?sk) =
ri,
S = 1 - Best state, i.e. specific means have been implemented

I 1'
These values are used in Table
An example how the scores are entered is shown in Table I l. of influencing conditions
Step 6: Identification of state
Step 7: Calculation ofaverage scores for each direct failure Thá scores are shown in Table I
I'
cause
The average score for each influencing condition relevant cause
for that cause should be calculated and scores for each direct failure
placed in column 3 of rabre 12- Tabre I r shows an Step 7: Calculation of average
example of such average calcuÌation. of avetage scores
See Tabìe 1 I for calculation
(CC)
TIF.for.each^contributinB class
Step 8: Calculation of adjusted is based Il
on the formula:
contributing class inTable
The TIF contribution from-each
and Saiety Systems' 35
Reìiability Data for Control
34 @srNTEF 1998 Edition. )
lL , .l+s,/, ,l-sr
Tß, =\wDCr(rm,.,,")' 1rm,,* ¡; TablellExamplecalculation;adjustingtheTlFprobability
Step 9: Calculation oftotal adjusted TIF

The T1F contributions from each contributing class are summed up:
TIF = TIFI + Tþ + TIF3 = 36.9. lO-3
¿
rj
and Saf ety Systems
36
r@srNTEF Reliabilìty Data for Control
31
1998 EdiÌion. )
Table 12 Check list for influencing conditions

4. DemDossrnns
components'
the data dossiers of the
control *d
The following pages presents
ïY -sy-stem input data to
4, summarising the "recoÍmended" generic
These are the input to Tab; 2-Table
PDS-II anaiYses'
æe given in /13/ and

Thedatadossiersarebasedonthoseintheg5edition/13/,whichcontainsfailuremode
of these abbreviations
abbreviations no longer
or.irn oREDA. Definitions
l1'7 | .
FollowingthedefinitionusedinoREDA,severaiseverityclassrypesarereferredtointhedata
are defined as follows:
dossiers. The various types
Critical failure
Afailurewhichcausesimmediateandcompletelossofasystem,scapabilityofprovidingits
outPut.
Degradedfailure i-:^^r providing its output within

L,rr.which orevents the system from mav
o" gradual or partiar' and
:"';li:l;lî*:ii:Jî'i::Ï:i'T;l'ili'ili";^,;"'n''
failure in time'
dru"lop into a critical
íts output'
svstem's:'t*tl:tl1Ï::viding
ÏÏ,Ï;,tfüïîo"' no'immediatelv causes ross-ora
failure in the nea¡ future'
tî].""* rårU t" a critical or áegraded
but which, if not utt"n¿"¿
Unknown deduced'
recorded or could not be
Failure severiry was not
and quaìitatively/
vely different
Notethatonlyfailuresclassifiedascritica]arepresentedandincluderltheestimatesofthe93
demand
edition.
Bypass not removed
I TIF3 r"- = 0.001; 1¡R 0.02

"'",
I Total all contribution classes TIF = TIFI +
C
38
*) snmunr Reliab¡lity Data for
1998 Edition.
) and Safety Systems'
39
Reliabitity rDriø'Dossier:' PDS'ilata

. :Retiability:DuhDjI!4 : PPQ&
Component: Process Switch, Conventional

Component: Process Switch' Conventional
Døte of Revßion
DescrtPfion
1999-01-1 I
TheTlF-probabilityisentirelybasedonexpertjudgements.Detailsontheexpertjudgementare
sensor and
Pressure switch including foundintheappendix.AsummaryofsomeofthemainargumentsisprovidedinSection2'3.
pneumatic switch
Overall
failure rate
Recommenileil Vølues for Calculøtion (per 106 hrs)
FTO: 1.39 Phase IV Softwæe /15/.
lJndetected Data relevant for conventional process switches'
Total rate SO: 0.00
0.2 per 106 hrs
FTO 2.3 Per 106 hrs
0.9 per 106 hrs Filter:
SO 1.1 Per 106 hrs Inv. Equipment Class = PRocEss SENsoRs AND
r)
Observed: iiv. Dåsiln Class = Pressure
103 - 5 . 103 Inv.Att.iype-processsensor=Switch ANDInv Phase=
Overall 3.4 Per 106 hrs cfro = 100 Vo
4 aNn
(nv. System = Gas Processing OR
(95 edition)
òil processingl ÄND
Previously Recomtneniled'
Values for Calculntion Fail. SeveritY Class = Critical
No. of inventories = 12
h", = 1.0 Per 106 hrs No. of critical FTO failures = 1
l,FTo = 2.5 per 106 hrs Coverage No. of critical SO failures = 0
Cal. time ='l19 I
Iso = 2'5 Per lo6 hrs
FTO: 0.61 T-boken /6/: Pressure switch
L¡, = 6.0 per 106 hrs ag-p¡obability SO: 1.15
r)
Withoulwith the sensing line
Other: 032
T-boken Pressure differential switch

/6/:
F ailur e Rate As s ess ment
For FTO: e=0'149 Per 10' demands
Thegivenfailurerateessentiallyappliestopressure_switches.Thefailurerateestimateisan
and PDS I - with the complete FTO: 2.28 T-boken i6l: Flow switch
- *uinfy Uu'"a on OREDA-84
update of the previous "ui*"* SO: 0.32
(1007o in
oREDAphaseIIIdata(phaserVcontainsnodataonprocessswitches).Theestimatedcoverage
the observecl coverage
Other: 0.37
is based on expert
judgement lassuming ZOVo coverage)and
0.61 T-boken /6/: Level switch
oREDAphaseIII).TherateofFTofailuresisestimatedassumingacoverageol90vo
III was IOO 7o)' The rate of SO
O"'i*''observed in OREDA Phase 0.15
(previousiy assumed
'o a coverage of z0 7o (previous
estimate, expert juclgcment)' 2.O4
failures is estimated assuming
ano ùaIety Ðy5tErr1Þ'
Reliabiìily Data lor Control
40 V ÐuNUBLT
1e98 Edition.
)
Reliability Data Dossier - PÐS.data

RetiabilitYDaøDo*t* t
M
Module: Input Devices
Component: Process Switch, Conventional

Conu entional
Co*poo.nt, Pressure Transmitter'
Fniilui¡ e Røle R èler e n ce s
'
Døte of Revísíon
Overall DescriPtion
Failure mode 1999-01-11
failure rate Data source/comment
distributíon includes the
þer 1Ú hrs) The pressure transmitter
electronics and the
;;i"t element, local
FTO: 0.25 T-boken /6/: Temperature switch
process isolation valves'
SO: 0.15
Lo Me Hi FARADIP.THREE /7/: Pressure switch

1540
Undetected
In Med. Hi FARADIP.THREE /7/: Level switch Toøl rate 0.1 Per 106 hrs
2520 0'8 Per 106 hrs
FTO 0.4 Per 106 hrs
Lo Med. Hi FARADIP.THREE i7l: Flow switch SO 0'5 Per 10" hrs
440 = 5. 104
Overall 1'3 Per 106 brs
IÐ Med. Hi FARADIP.THREE /7/: Temperarure switch
320 (95 eilitíon)
Values for Calculation
Previously Recommendeil
5.6 FTOÆhys. 0.1 PDS I /8/: Pressure switch (normally energized)
FTOÆunct. 2.0 hrs Coverage = 0'60
FTOlrorru Note! Both physical andfunctional failures are

ho = 0.9 Per 106
2.1
ÀF
o = 0.1 per 106 hrs
included.
Iso = 0.5 Per 106 hrs
SOÆhys. 1.5 Only criÍical failures are included.
SOÆunct. 2.0 ñ --^L^Lilit\'
TlF-probability = 5'10'
SO/roret L¡, = 1'5 per 106 hrs
3.5
-smartüansm.= 3'104
5;Ì OREDA-84 /3i: Pressure switch, Pneumatic, Iow
pressure (less than I 500 psig) F ailur e Rate Ass es sment
based on oREDA iII -
5.2 OREDA-84 /3/: Pressure switch; Pneumatic, high is an update of the
previous estimate - mainly FTo
The rate of
nnê Iv'
pressure (1500 psig or grearer)
The failure rate estimate
with .REDA phase lV
u^tJni" ;;;' *å '"ei'tt'". ;ô*o .'
t no *f"*l;t*;X"tl-*n:'Ti"ï:lt'
6.8 OREDA-84 /3/: P¡essure switch, Electric failures is estimated """*;;;-';;""' a coverag
assuming
î* ì^" failures is estimated
to
OREDA IY - /l3l: Pressure switch. total "t
Reliability Data for C' Saf etY Systems
43
,and
Qsnmuur 1998 Ed¡tion.
RetiabiiitY Data Dossigl!!$e

Module: InPut Devices
Component: Pressure Transmitter, Conventíonal

ão.porr.nt, Pressure Transnitteúyy
judgement are Overall

lts' Details on the expert
*o"i1,'-u11i::;;ÏÏ,*;tä"åî.ä""t""
rherlF-probabilitv is entireivbasedon in Sec
is provided failure rate
found in the appendix'
O of some of the main arguments '''' @er IÚ hrs)
'o'o**
f-Uot* lOl, Ptessure transmitter
total
OREDA IV- /13/: Pressure switch'
õffiÃ Phase-Ivs"ftwa¡e lr5l'
pressure transmit-
Data relevant fof conventtonal
Filter:
SENsoRs AND
inil"equip*"'" clâs: =
T:cEss
Inv. Dèsign Clas = k"ttY Phase =
Inv. Att. Typeprocess
sensor= lr
-,.unrrnitter ÁÑD Inv.
AND
ftn". sy.t"t = c's Processing Î*"

Oil Drocesslng,
Fail. SeveritY Class = CrÍtical
^rìã. of
No. inventories = 205
.i"ti i.¡ frO failures = o
Ño. of SO failures = 0
"¡ti"¿
PS3l-'
OREDA Phæe III /1/ Database
FTO: pressure transmit'
i"ä ,"n"*, conventional
SO:
ters.
"r
FuNcrN='oP'
Obsertted:
f ifl, .¡t"rlu' TAxcoD=ÞsPR''Al'{D'
çfto = 100 Vo
(Calculated' No- of inventories 186 -

Total no. of failures -
89
including
h¡s
tansmitters having "' = 4 680 182
Cal. time
r itíc al" ar e
s s s ifi e d as " c
îi r-i ò *, ¡"tlure cla
some kind of self'
ín the faíIure rate esttmates'
inclwletl
rc$ arranEement
onlY,)
(
M
þ snmrur Rel¡abil¡ty Data for
1998 Ed¡tion.
Jr
and Safety Systems.
Reliabilitf,Data'Dossier - PDSdata
Reliability Data Dossier -. P.'DS-91!
Component: I*vel (Dßplacement) Transmitter, ConventiÔnal
Conventional
Component: l*vel (Disptacement) Transmitter'
TI F -probabílily Ass essment
Date of Revision
Description
1999-01 -1 1
The TlF-probability is entirely based on expertjudgements. Details on the expertjudgement is
The level transmitter includes the sensing Remarlts found in the appendix. A summary of some of the main arguments are provided in Section 2.3.
process
element, local electronics and the
isolation valves. Only displacement level transmitters are included
in F aílur q' Røt ii::Riçfp r enc e s
the OREDA Phase III and [V data Overall

Failure mode
faílure rate Data source/commenl
Re onnenile il Value for
s C alculation distribution
c
(per 106 hrs)
1.89 FTO: 0.00 OREDA Phase fV Software /15/.
Coverage Undetected
Total rate Data relevant fo¡ conventional dhplnc ement level
FTO 1.4 Per 106 hrs 0.90 0.1 per 106 hrs SO: 1.89
transmitters.
0.50 0.8 per 106 hrs
SO 1.5 Per 106 hrs
FíIter:
Observed: Inv. Equipment Class = PRocESs SENsoRs AND
Overall 3.1 Per 106 hrs TIF-probabíIîtY = 5' 104
,so = t00 Vo Inv. Design Class = Level AND
Inv. Att. Type process sensor = Transmitter AND
lnv. Att. Level sens. princ. = Displacement AND
for Calculatíon (95 edition)

Inv.Phase=4 AND
Previoasly Recommeniled' Values (Inv. System = Gas processing OR
Oilprocessing) AND
h", = 4.5 per 106 lrs Coverage = o'is Fail. Severity Class = Critica.l
l,Fro = 0.5 per 106 hrs No. of inventories = l7

No. of critical FTO failures = 0
l,so = 1.0 per 106 hrs No. of critical SO failu¡es = I
Cal. time = 530 208
L¡, = 6.0 per 106 hrs TlF-probability = : l:1
- 3'10- 6.17 FTO: 4.94 OREDA Phase III /1/ Database PS31-.
smarttransm'
SO: 1.23 Data relevant for conventional dßplncement leluel
transmitters.
Faílure Rate Assessment Observed: Filter criteria: TAxcoD=?sLE'.AND' FUNCTN='oP'
l
cno = 100 7o .OR,,GP'
Thefailurerateestimateisanupdateofthepreviousestimate-mainlybasedonoREDAIII. (CaIcuIated No. of inventories = 65

withoREDAphaselVoata.TherateofFTofailuresisestimatedassumingacoverageof9ovo including Total no. of failures = 50
(observedinOREDAPhaseIIIwasl00To).Therateofsofailuresisestimatedassumrnga transmitters having Cal. time= | 620 l7'7 ttts
coverageof50To(previouslyassumedtobe2}Vo'observedinOREDAPhaselVwasl00T¿)' some kind of selfiest Note! OnIy failures classified as "critical" are
arrangement only,) included in the failure rdte esftmates'
FTO: 0.21 T-boken /6/: Level t¡ansmrtter

Reliability Data f or C Safetv Systems'
SilMTEF )and
1998 Edition.
PDS<!!
tRetiabifitvDallPcrssier' R¿liability Dáta Dossier - PDS-data "

Transmitter' Conuentional
ão*porr"rrtt l*vet (Displncement) Component: Temperature Transmitter, Conventional
Date of Revision
Description
1999-01-1 1
The temperature transmitter includes the Remarks

sensing element, Iocal elect¡onics and the
þer lÚ hrg irln¡g tZ' t-*el transmitter
orocess isolation valves. Note that the data material for temperature
L,o Med. Hi estimate
ftansmitters is scarce, i e', the failure rate
10 20
total
OREDA IV- /13/: Pressure switch'
Recommendeil Values for C alculntion
Total rate Coverage IJndetected
FTO 0.7 Per 106 hrs 0.60 0'3 Per 106 hrs
SO 1.1 Per 106 trs 0.60 0'4 Per 106 hrs
OveraII 1.8 Per 106 hrs TlF-probabilitY = 5' lOa

smaftüansm' - 3'10-
Previously Recommendeil Values for Calcul¿tion (95 edition)
h* = 3.0 per 106 hrs Coverage
ÀFro = 0.5 per 106 hrs
trso = 1.5 Per 106 hrs
hrs TlF-probability = 5'104

Lr,, = 5.0 per 106
3'104
- smart tfansm' =
F ailure Rat e As s e s s ment
Thefailurerateestimateisanupdateofthepreviousestimate-basedonoREDAPhaseIII
data - with OREDA phase fV
data' The
including some expert judg"*"nt do" to scarce pressure
so-failures is based on the distribution for
distribution between (undetected) FTO- and
andflowtransmitters.Theoverallcovelagegivenaboveisestimatedmainlybasedonexpert
Reliability Data for Con' SafetV Systems'
Qsumunr "1998 Edition.

,nd
Reliability Eatå'Dossier - PDS'qala

Reliability Data Dossier :.PD!:datâ
Transmítter' lconveily Component: Temperature Transmítter' Conventional

Component: Temperature
ab ilitY As s es stne nt
TIF -Prob
judgement is
judgements' Details on the expert
TlF-probability is entirely based on expert
The
foundintheappendix.asunlmaryofsomeofthemainargumentsareprovidedinSection2.3.
T-boken /6/: Temperarure transrru$er
FARADIP.THREE /7/: Temperature

uars-
ffiFh*" Iv software /15/'

óuãi"l"u-t ror conventional temperature
Filter:
inu. equip**, Class = PRocEss SENsoRs
Inv. Design Class = TemPerarure
il;. itp" pt*ess sensor = Transmitter
Áu'
Inv. Phase = 4
(Inv. SYstem = Gas Processrng
Oil processing)
Fail. SeveritY Class = Critical
No. of inventoriss = 19
| Ño. of critic¡
FTO failures = 0
0
I No. of critical SO failures =
OREDA Phase III /l/ Database

PS31-'
FTO: 5'06
for conventional temperature
Data relevant
transmitter.
Obsented:
cfro Filter criteria: TAxcoD=ÞsrE'AND'
= 100 7o
il includin g FUNCTN='OP'.OR' 'GP'
( C alc ulate
s hav in g s ome No. of inventories = 8
ffansmitter
Total no. of failures = 7
kind of self-test
Cal. time = 197 808 hrs
arrangement onlY,) as "critical"
lìr", on, ¡oilures classifietl
are included in the Jailure rate esti'
mdIes.
\
Reliability Data for Co, ¿'ìd Safety Systems.
50
Ç)sumrun 1998 Edit¡on. 51
Reliability¡Data'Dossier,' PDS-.data
Reliability Data Dossier ' PDS:ilatå -,,

Component: Flow Transmitter, Conventional
TI F -pro b abilify As s e s sment
Descríption Date of Revision
1999-01-l I The TlF-probability is entirely based on expert judgements. Details on the expert judgement is
The flow transmitter includes the sensing found in the appendix. A summary of some of the main arguments are provided in Sectíon 2.3.
Remarks
element, local electronics and the process
isolation valves.
F ailare :Rate Refere nc e s
OveraII
Recommeniled Values fot Calculttion failure rate Failure mode
þer 1Ú hrs) distribution Data source/comment
Total rate Coverage Undetected
5.70 FTO: 2.85 OREDA Phase IV Software /15/.
FTO 1.5 per 106 hrs 0.60 0.6 per 106 hrs Data relevant for conventional flow transmit'
0.50 1.1 per 106 hrs
SO: 2.85
ters.
so 2.2 per 106 hrs
TIF-probability 5.104 Filter:

Overall 3.7 per 106 hrs Obsemed: Inv.EquipmentClass =PRocEssSENsoRs AND
- smaft transm 3.104 cfro = 7Vo Inv. Design Class = Flow AND
Inv. Att. Type process sensor=Transmitter ÀND
"so =
100 Vo
Previonsly Recommended Values for Calculation (95 edition) Inv.Phase=4 AND
(Inv. System = Gas processing OR
Oil processing) AND
1.5 per 106 hrs Coverage 0.50 Fail. Severity Class = Critical
L",
},FTO 0.1 per 106 hrs No. ofinventories = 10
l.so 1.4 per 106 hrs No. of critical FTO failures = I
No. of critical SO failures = 1
Cal. time = 350 640
3.0 per 106 hrs TIF-probability 5.104
L¡,
- smart transm. 3 . l0-4 2.89 FTO: 1.24 OREDA Phase III /1/ Database PS3l-.
SO: 1.ó5 Data relevant for conventional flow transmit-
ters.
Failure Rate Ass es srnent Obsertted: Filter criteria: TAXcoD=ÞsFL' .AND. FUNcTN=L
cno = 100 lo oP'.oR.'GP'
- on oREDA III - with
The failure rate estimate is an update of the previous estimate based (Calculated including No. of inventories = 72
oREDAphaselVdata.TherateofFTofailuresisestimatedassumingacovelageof60vo transmitters having Total no. of failu¡es = 92
(observedinoREDAPhaseIIIandIVwas 10070 ando4o,respectively).TherateofFTO some kind of self-test Cal- time =2422200h¡s
Phase III and IV was
failures is estimated assuming a coverage of 60 vo (observed in OREDA arrangement only,) Note! Onlyfailures classified as "critical" are
a coverage of 50 7o
100 7o and 0 7o, respectively). The rate ofso failures is estimated
assuming
included in the failure rate estimates.
(previouslyassumedtobe}}vo,observedinOREDAPhaselVwasl00To).lheSofailure
rate includes 'Erratic output' failures.
Reliabil¡ty Data for Con S"t"ty Systems.
52 ÇrsrNTEF 1998 Edition.
,iO
53
Reliability Data Dossier - PDS.data

.:il
Module: Input Devices Reliability.:Data Dossier r PDS.data
naø Refere nc g s
Component: Catalytic Gas Detector, Conventionøl
Faít¿re:
Overall Description Date of Revision

failure rate Failure mode 1999-01-1 I
(per 106 hrs) distribution Data source/comment The detector includes the sensor and local
electronics such as the address/interface
FTO: 0.25 T-boken /6i: Flow transmitte¡
unit.
Lo Med. Hí FARADIP.THREE /7 | : Flow transmitter
l5zu
Total rate Coverage Llndetected

1.6 per 106 hrs 0.60 0.6 per 106 hrs
0.7 per 106 fus 0.40 0.4 per 106 hrs
2.3 per 106 hrs TlF-probability see secrion ...
Previously Recommended Valaes for Cahalation (95 edition)
3.0 per 106 hrs

1.5 per 106hrs
1.0 per 106 hrs
I.¡, = 5.5 pe¡ 106 h¡s TlF-probability = 3 . lO4 - 0.1

r)
') Lurge to small gas leaks
Faílure Rate Assessment
Due to àdditional phase III data the failure rate esrimate is updated iterative. The previous
estimate is updated with rhe final phase IrI data, and this estimate is finally updare using the
OREDA phase IV data. The rate of FTo failures is estimated assuming a coverage of 60 To
(previously assumed to be 90 7¿, observed in OREDA phase III was 38 vo). The rate of so
failures is estimated assuming a coverage of. 4O Vo (previously assumed to be 20Vo, observed in
OREDA phase III was 1007o). The FTO failure rate includes ,No output' and .Very low
output' failures.
SINTEF Reliability Data for C J and Safety Systems.
54 '|
998 Ed¡tion. 55
Reliability:Data Dossier - PDS-data

Reliability:Daø Dossier - PDS-data

Component: Cafalytic Gas Detector, Conventíonal
Component: Catalytic Gas Detector, Conventíonal
TI F -probabilþ As s e s s me nt
The TlF-probability is entirely based on expert judgements. Details on the expert judgement is ''Faílur e Rate Refer enc es
found in the appendix. A summary of some of the main a¡guments are provided in Section 2.3.
Overall
failure rate Failure mode
F ailure Rat e Refere nc e s (per 106 hrs) distribution Data source/comment
Frod"t: 0.5 OsebergC 14/.

tì
Irl'Oundet; 1.4 i" Data ¡elevant fo¡ conventional catalytic gas
SOo"t: 0.2 detectors.
OREDA Phase IV Software /15/. S6und"t: 0.4 e"t No. of inventories = 431
Data relevant for conventional catalytic gas rÞ
¿ No. of failu¡es = 85 (25 critical)
detectors.
Ðc¿ .4, lt
i"¿å Time = 10 215 888 hrs
5Fs '.'-í:r
lg | û b
Fíher: Note! OnIy failures classified as "critical" are
Inv. Eq. Class = FIRE& CAs DETECToRS included in the failure rate estimates.
Inv. Att. Sensing principle = Catalytic
Inv. Phase = 4 5.09 FTOA{at.aging 3.83 VI.ÍLCAN /5/:
Fail. Severity Class = Critical
FTO/Stress 0.06 Failure rates are splitted into, in addition to
No. of inventories = 24 FlOÆntervent. 0.1'7 failure modes, failure categories, following the
No. of critical FTO failures = 0 FTOh)TAL 4.06 "PDS-model".
No. of critical SO failu¡es = 0
SO/lrlat.aging 0.74
NOO: 3.62 OREDA Phase III /1/ Database FG31-. SO/Stress 0.06
SHH: 0.79 Data relevant for conventional catalytic gas SOllntervent. 0.06
Sum FTO: 4.41 detectors. More than 97 Eo of the detectors SOllnput 0.17 Note! Onlyfailures classiJìed. as "critical" are
have automatic loop test. Solror¡t 1.03 included in the failure rate estimates.
Filter criteria: TAXCoD=FGHC',
FTOlPhys. I PDS I /8/: Gas detector
SENSPRI=TATALYTIC'
FTOÆunct, 2
No. of inventories = 2 046
FTO/T}TAL 3
Total no. of failures = | 749
Observed: Cal. time = 49 185 5'72hrs
SOÆhys. I Note! Both physical and functional failures
cno = 64 ?o
SOÆunct. 3 are included.
(Calculated including
SO/roTAL / OnIy critical failures are included.
detectors having some Note! Only failures classífied as "critical" are
kind of self+est included in the faiLure rate cstimates.
arrangement only)
(
56 þsnmrnr Reliability Data for
1998 Ed¡tion.
),1
and Safety Systems
5l

Reliabilify,Ðata Dossier - PDS.data
Component: IR Gas Detector, Conventional
Component: IR Gas Detector, Conventional
Description Date of Revision
TI F -probahílity Ass es sment
1999-01- 1 1
The detector includes the sensor and

Remarks The TlF-probability is entirely based on expert judgements. Details on the expert judgement is
loca.l electronics such as the address/-
found in the appendix. A summary of some of the main arguments are provided in Section 2.3.
interface unit.
'F
ail ur e,: Rat e, Rëfer e n c e s
Overall
Recotnmended Values for C alculation failure rate Failure mode
@er 1Ú hrs) distribution Data source/comment
FTO 3.3 per 106 tus 0.80 0.7 per 106 hrs
SO: 0.00 Data relevant for conventional IR gas de-
so 0.3 per 106 hrs 0.70 0.1 per 106 hrs tectors.
TlF-probabílity Observed: Filter:

Overall 3.6 per 10o hrs seesection
AND
,no Inv.Eq.Class =FrRE&GAsDETEsroRs
= I00Vo
(Inv.Att. Sensingprinciple=IR OR
cso = }Vo Inv.Att. Sensingprinciple=lR/W) AND
Previously Recommended Values for Calculation (95 edítion) Inv.Phase=3 AND
14", 2.9 per 106 hrs Coverage 0.70 No. of inventories = 54

2rFTO 1.0 per 106 hrs No. of critical FTO failures = 4
0.1 per 10ó hrs
Àso |
Cal. time = 147 176
4.1 FIOdd: 2.9 Oseberg C /4/.

L¡, = 4.0 per 106 hrs TIF-probability 3.lo4-o.lr) ,
FIOUn&r: 1.2 Data relevant for conventional IR gas de-
l)
Large to small gas leaks
SO"'': 0 tectors.
Failure Rate Ass essment soono.r: 0 No. ofinventories = 4l
Total no. of failures = 26 (4 critical)
The failure ¡ate estimate is an updâte of the previous estimate - essentially based the Oseberg C Time=977 472lus
data j with OREDA phase fV data. The rate of FTO failures is estimated assuming a coverage Note! Only failures classified as "critical" are
of 8O 7o (previously assumed tobe70Vo, observed in OREDA Phase IV was 100 Vo).The rate
of S O failures is estimated assuming a coverage of 70 Vo (previous estimate). The FTO failure
rate includes 'No output' failures.
Reliability Data for C ì and Safety Systems.
Qsnmrum 1998 Edition. 59
'' ':|: .
Reliability Datâ.Dos5ier. - PDSdata Reliability,,Dâø Dôs:sier- -. PDj daø

Modufe: InPut Devices
Component: Smoke Detector, Conventional
Component: Smoke Detector, Conventional
TI F -probabilþ Ass essment
Description Døte of Revision
1999-01-1 I
The TlF-probability is entirely based on expert judgements. Details on the expert judgement is
The detector includes the sensor and local found in the appendix. A summary of some of the main arguments are provided in Section 2.3.
electronics such as the address/interface
unit.
,F aílur¿,Ràte Referenc es
Overall
Recommended Values for Calculation failure rate Failure mode
@er IÚ hrs) distribution Data source/comment
Total rate Coverage lJndetected
FTO 1.3 per 106 hrs 0.40 0.8 per 106 hrs
SO: 2.39 Data relevant for conventional
SO 2.4 per 106 hrs 0.50 1.2 per 10'hrs smokdcombustion detectors.
r) Obsemed: Filter:
overall 3.7 per 106 hrs TlF-probability = 10-3 - 0'05
Inv.Eq.Class =FIRE&GAsDE'rEcroRs AND
') The range
represents the occurrenee of different tYPes of fires (smok "no = 50 Vo
Inv. Att. Sens. princ. = Smoke/Combustion AND
,to = 98 7o Inv.Phase=4 AND
Previously Recommended Values for Calculntion (95 edÌfion) Fail. Severity Class = Critical

L* = 1.5 per 106 hrs Coverage
No. of critical FTO failures = 80
ÀFro = o-5 Perlo6hrs No. of critical SO failures = 146
Cal. time = 61 11098/.
fso = 2.0 Per 106 hrs
3.73 FTO: 1.01 OREDA Phase trI /1/ Database FG31-.
r)
L¡, = 4.0 per 106 hrs TlF-probability = lO3 - 0'05 SPO: 2.72 Data relevant for smoke/combustion detec'
r)The range represents the occurence ofdifferelttypes offires (smoke/fl Ð tors. Both conventional (65 7o) and addres'
Observed: sable (35 7o) detectors are included. 56 7o have
Failure Rate Asses sment have a combination
cno = 29 Vo automatic loop test, 35 Vo
Phase Itr data
The failure rate estimate is an update of the previous,estimate - based on OREDA (Calculated including of loop and built.in self-test, rest (97o) have
(no inventories in phase tV). The rate of FTO failures is
- with complete OREDA IU data deteclors having some no self-test feature.
(observed in OREDA incomplete and complete Phase
estimated assuming a coverage of.4O Vo
kind of self-test Filte¡ criteria: TAXCoD=FGFS'
a coverage
lllwas 29Vo and50 Vo,respectively). The rate of SO failures is estimated assuming arrangement only) No. of inventories = i 897
of 60 7o (previously assumed robe2\Vo, observed in OREDA (complete) Phase III was 98 7o)'
Totat no. of failures = 218
Cal. time = 50 374 800 hrs
Note! OnIy failures classified as "critical" are
included in the failure rate estímates'
Reliability Data for' and SafetV Systems.
.QsrNTEF ¡l o_t
60 1998 Edìt¡on.

Reliability,Data,Dossier - PDS.data
Component: Smoke Detector, Conventíonøl

t.., ..., :::.. Component: Heøt Detector, Conventional

F ailuie,Rate Rèlpr enc e s,
'

Overall
1999-01-1 1
failure rate
þer lÚ hrs)
iocal electronics such as the address/-
Oseberg C /4/. interface unit.
Data relevant for smoke detectors.
No. of failures = 4 (l critical)
Recommended Values for Calculntion
Time= 12'l8528hus
Note! OnIy faílures classified as "critical" are Total rate Cov¿rage Undetected
included in the faíIure rate estimates-
0.9 per 10ó hrs 0.50 0.5 Per 106 hrs
FTO/1.{at.aging 0.8i VULCAN/5/: 1.5 per 106 hrs 0.50 1.3 per 106 hrs
FTO/Stress 0.13 Failure rates are splitted into, in addition to r)

FTO/Intervent.0.03 failure modes, failure categories' following the Overall 2.4 per 106 hrs TlF-probabitity = 0-05 - 0.5
t)
The range represents the occurence of different types of fires (smoke/flame)
FTO/ror¿,t 0.97 "PDS-model".
Previously Recommended Values for Calcalation (95 edition)
SOÀ{at.aging 0.87
SO/Stress 0.43
L., = 1.0 per 106 hrs Coverage = 0.40
SOllntervent. Note! OnIy failures classified as "critical" are
0.03
IFro = 0.5 per 106 b¡s
SO/Input 4.39 included in the failure rate estimates.
?rso = 1.0 per lo6hrs
SOlrorAL 5.72
r)
FTO/Phys. 0.4 PDS.I /8/: Smoke detector
L¡, = 2.5 per 106 hrs TlF-probability = 0.05 - 0'5
FTOÆunct. 0.4 l)
The range represents the occulrence of different types of fires (smoke/flame)
FTOlrorAL 0.8
F ailur e Rate As s e s srnent
SO/Phys. Note! Both physical and functional failures

are included. The failure rate estimate is an update of the previous estimate - based on OREDA Phase III
SOlFunct.
data - with complete OREDA trI data (no inventories in phase IV). The late of FTO failures
is
SOlror¿,r Only critical failures are included.
estimated assuming a coverage of 50 Vo (observed in OREDA incomplete and complete Phase
III was 50 Vo and36 7o, respectively). The rate of SO failures is estimated assuming a
coverage of 50 Vo (previously assumed to be 2OVo, obsewed in OREDA (complete) Phase III

was 98 Vo).
þsnmrer Reliability Data for ,)rl and Safety Systems.
1998 Edit¡on. OJ
Reliability Data Dossier : PDS-data

Reliability,Data Dossier -,PDS.data
Component: Heat Detector, Conventional

Component: Heat Detector, Conventional
TI F -pro bability As s es s me nt
The TlF-probabiliry is entirely based on expertjudgements. Details on the expertjudgement F ailure Rate lieferences
is found in the appendix. A summary of some of the main arguments are provided in section
F ailur e Rate Relerenc es

FTO/Irlat.aging 1.28 VULCAN /5/:
Overall FTO/Stress 0.14 Failure rates are splitted into, in addition to
failure rate Failure mode FTOllntervent.0.05 failure modes, failure categories, following the
@er ld hrs) distibution Data source/comment FTo/rorer 1.47 "PDS-model".
2.35 FTO: 0.88 OREDA Phase IV Softwa¡e /15/.
SO: 1.47 Data relevant fo¡ conventional he¿t detec- SO/l.lat.aging 0.49
tons. SO/Stress 0.32
SO/ftrtervent. 0.14
Observed: Filter:
DETEcroRs AND
SO/Input 0.51 Note! Onlyfailures clnssifi.ed as "critical" are
"fro = 36 Vo lnv. Eq. Class = FIRE & GAs
Inv. Att. Sens. princ. = Hear AND SOh'orAL 1.46 included.
cso = 98 Vo
Inv.Phase=4 AND
Fail. Severity Class = Critical FTOÆhys. 0.1 PDS I /8i: Heat detector
No. of invento¡ies = 994
FTOlFunct. 0.2
No. of critical FTO failures = 24 FTO/î1rAL 0.i
Cal. time = 27 260 832 SO/Phys. Note! Both physical and functional failures
SOlFunct.
a ôt
FTO: 0.82 OREDA Phase III /i/ Database FG3l_.
are included.
SO/ror¡t Onlv critical failures are included.
SPO: 1.39 Data ¡elevant for conventional heat detec-
tors. Both rate-ofrise (23 7o) andrate-
Observed: compensated (71 7o) detecfors are included.
: cno=50Vo Of the detectors,S9 Vohave automatic loop
(Calculated including test, rest (llVo) have no self-test feature.
deteetors having some Further, 77 Vo úe reported as "normally de-
kind of self+est energized", 29 Vo as "normally energized"
arrangement only) Filter criteria: TAXCoD=FGFH'
No. ofinventories = 865
Total no. offailures = 79
Ca.l. time = 24 470 588 hrs
Note! Only failures clussifietl a.r "t:ritical" are
i¡tcluled in thc ftLiLure rû( ßtina!$.
Reliabrlity Data fr \¡trol and Safety Systems
o¿+ @snmunm 1998 Ed¡tion.
/I 65
Reliability:Data Dossier - PDS:iIata Reliability Data Dossier - PDS-data
Module: Input Devices Module: Input Devices
Component: Flnme detector, Conventional Component: Flame detector, Conventional
TI F -probability Asses sment

Description Date of Revßion
1999-01-1 1
The TlF-probability is entirely based on expef judgements. Details on the expert judgement is
Remarks found in the appendix. A summary of some of the main arguments are provided in Section 2.3.
local electronics such as the addressi-
interface unit. ' ''. :
_:ir :
F ailu¡ e :Rat e: R.efq r e lç9 s .
Recomtnended Vølues for Calculation
Total rate Coverage Undetect¿d

OREDA Phase fV Software /15/-
SO 4.1 per 106 hrs 0.50 2.1 per 106 hrs
Data relevant for conventional flame detectors'
r)
Overall 8.3 per 106 hrs TlF-probabitity = 3 ' 104 - 0.5 Filter:
l) Obsened: Inv.Eq.Class =FIRE&GAsDETEcroRs AND
The range represents the occunence of different types of fires (smoke/flame)
,oo = 50
Inv. Ait- Sens. princ. =Flame AND
Previously Recomtnended Values for Cøbulation (95 edition)

7o
Inv.Phase=4 AND
cso = 100 Vo Fail. Severity Clæs = Critical
L", = 2.5 per l0ó hrs Coverage 0.40 No. of inventories = 1256
No. of critical FTO failures = I 19
ÀFro 1.5 per 106 hrs
7"so 3.0 per 106 hrs Cal. time =28 5l'1
r) FTO: 3.20 OREDA Phase trI /1/ Database FG31-'

Lr¡, = 7.0 per 106 hrs TlF-probability = 3 ' 104 - 0'5
SPO: 3.98 Data relevant for conventional flame detectors'
l)
The range represents the occuûence of different types of fires (smoke/flame) Both IR (52 %o),W (13 Vo) and combined
Observed: IR/IIV (35 7o) detectors are included' Ofthe
Failure Rate Ass es sment
cfro = 48 Vo detectors, 'r-5 Tohave automatic loop test, 3 7o
(Calculated including have built-in self'test, 15 Tohave combination
The failurp rate estimate is an update oi the previous estimate - based on OREDA Phase III
detectors having some of automatic loop anil buitt-in self-test' rest
data - with complete OREDA III data (no inventories in phase IV). The rate of FTO failures is
kind of self-test (ll%o) have no self-test feature.
estimated æsuming a coverage of 40 7o (observed in OREDA incompletè and.complete Phase
Lrrangemenr only) Filter criteria: TAXcoD=FGFF
III was 48 Vo and 50 Vo, respectívely). The rate of SO failures is estimated assuming a
III No. of inventoris5 = 1 010
coverage of50 Vo (previously assumed tobe2OVo, observed in OREDA (complete) Phase
No. of failures = 292
was 100 7o).
Cal. time =23 136820hrs
Note! Only failures classified as "critícal" are
included in the failure rate est'mates'
Reliability Data for
' and Safety Systems'
{rol o/
66
@snmrnr 1998 Edition.
)
Reliability'Data Dossier - PDS'data

Reìiability Data DO$liei . PDS¡data
Component: Flame iletector, Conventional

Component: ESD Push button

1999-01-l I
Pushbutton including wiring
Remarks
No data available in OREDA Phase fV'
@er 1Ú hrs)
Oseberg C /4/.
Data relevant for IR flame detectors' Reconmended Values for CalculaÍion
No. of inventori es = 162
Coverage lJndetected
No. of failures = 30 (18 critical) Total rate
0.2 per 106 hrs
Time = 3 978240hrs FTO 0.3 Per 106 hrs 0.20
0.6 per 106 hrs
Note! It is assumed that only failures classified SO 0.8 per 106 brs 0.20
as "critical" are included in the failure
TIF-probabilitY 10-5
rate estimates. OveraII 1.0 Per 106 fus
FTO/t{at.aging 1.77 VI.JLCAN/5/:

Failure rates are splitted into, in addition to Previously Recommendeil Valaes for Calculation (1995)
FTO/Stress O.l2
FTO/Intervent.0.12 failure modes, failure categories, following the
FTOftor¡t 2.01 "PDS-model".
ì
i h., = 0.2 per 106 hrs Coverage = 0.20

l
r FTO
0.2 per 106 hrs
I
rSO 0.6 per 106 hrs
SOÀ{at.aging 0.16 i
I
SO/Stress O.l2 I
I
SO/Intervent. 0.12
I
I
L¡, = 1.0 per 106 hrs TlF-probabilitY = lOs
Note! OnIy failures classified as "critical"
are I
SO/Input 2.9'7
I
SO/rorAL 3.37 included. I
I
I F ailur e Røt e As s es sment
FTO/PhYs. 1.1 I
sources, taking into account

the€xpert
FTOÆunct. 0.2 I
I The failure rate is estimated based on all listed data
FTolrorer 1.3 I
I
I
judgements.Theoverallcoveragegivenaboveisestimatedasiheaverageforbothfaiiure
judgement'
modes, also taken into account the expef
I
I
ar e
SO/PhYs. N ot e ! B oth physic aI and functional failures I
I
SO/Funct included' I
SO/ror¿'t O nLy c ritical failure s ar e include d' I

TI F -prob abilitY As s es sm ent
I
i expert judgements' Details on

The TlF-probability is entirely based on
provided in Section 2'3'
I
-dn *g
I
I
I found in the appendix. A tu*ûry of to*" of th"
I
I
I
I
I
ì
Reliability Data fc and Safery Systems
68 @snmunm 1998 Edition.
)rtrot
69
Reliability Data Dossier .. PDS-data
Module: Input Devices Reliability Data Dossier . PDS-data

Component: ESD Push button
Component: PLC System

Faihäe Rate R_efuqences
Overall
1999-01-1 1
failure rate Failure mode PLC system includes input/output cards,

þer IÚ hrs) dístribution Data source/comment CPU incl. memory and watchdog,
controlle¡s (int. bus, comm. etc.), system
In Med. Hi FARADIP.THREE /7/: Pushbutton
bus and power supply.
0. r 0.5 10
5.8 NPRD-9l: Switch, Push button, ground fixed, Recommended Values for Calculation
commercial quality
Total rate Coverage Undetected .
0.13 NPRD-91: Switch, Push button, ground fixed,

FTO 16 per 106 hrs 0.90 1.6 per 106 hrs
military qualiry
SO l6per 106hrs 0.90 1.6 per 106 fus
OveraII 32 per 106 hrs TlF-probabílity 5.lo-s-5.lo4r)

l)
For TÜV certified and standard system, respectively
Previoasly Recommended Values for Calculation (95 edition)
72.0 per 106 hrs

2.0 per 106 hrs
6.0 per 106 hrs
L,i, = 80.0 per 106 h¡s

r)
For TÜV certified and standa¡d svstem.
F ailure Rate As s essment
The failure rate estimate,is an update of the previous estimate - based on OREDA Phase III data
- with complete OREDA III data (no inventories in phase IV), taking into account the aspects
discussed below: It is assumed that some of the observed FTO-failures in OREDA III is
included in the TlF-probabiiity. Further, for FTO-failures, only the current loop (i.e. one I-card,
etc.), not the entire PLC System, is required for a shut-down to be initiated. Thus, the estimated
rate of FTO-failures is reduced by approx. 7O Vo comparcd to the OREDA III data. The overall
coverage is set by expertjudgement a¡d observed coverage. The SO failure rate includes
'Enatic output' failures.
Reliability Data tor ' 1cl and Safety Systems
'10 @snmuen 1998 Ed¡tion.
I 1l
Reliabilif,y Data Dossier - PDS-data
Module: Control Logic Uniß
Component: PLC System
TI F -probabilþ As s e s sment tRate,

' F dilur e Refeie nc es
The TlF-probability is entirely based on expertjudgements. Details on the expertjudgement is

found in the appendix. A summary of some of the main ¿uguments æe provided in Section 2.3.
þer Id hrs)
Failur e Rate Refer e nc e S
Per ch. 0.28 FTO/Phys. PDS I /8/: InpuVdigitål' failure rate per
OveraII FTO/Îunct. channel
failure rate Failure mode distribu- FTO/T)TAL
(per 106 hrs) tion Data sourcelcbmment
Note! Both physical and functional failures
75.0 FTO: 59.4 OREDA Phase IV Software i l5/. SO/Phys. 0.09
are incluiled.
SO: 15.6 Data relevant for for control logic units SOlFunct. 0.05
Only critical failures are included'
including I/O-cards. Both PLCs (14 Vo) and SOnorAL 0.14
computers (86 Vo) are included. The cont¡ol 0.09 PDS I /8/: Inpuf/analog, failure rate per
Observed: Pe¡ ch. 0.31 FTO/Phys.
logic units are used both in ESD/PSD system
,fro = 9i 7o FTOÆunct. 0.05 channel
,so = 88 7o QO Vo) and F&G systems (30 7o). FTOIT1TAL 0.14

Filter: SOlPhys. 0.12
Loclc UNITS AND are included.
Inv. Eq. Class = CoNTRoL
SOÆunct. 0.05
Inv.Phase=4 AND OnIy critical failures are included'
Fail. Severity Clæs = Critical SO/rorAL 0.17
No. of inventories = 7 I FTO/Phys. I PDS I/8/: CPUMemorY

No. of critical FTO failures = 103 FTOÆunct. I
No. of critical SO failures = 27 FTOITOTAL Note! Both physical and functional failures
Cal. time = | 733 664 are included.
SO/Phys. I Only critical failures are included'
91.0 FTO: '14:7 OREDA Phase III /1/ Database CL3l-. a
SO/Funct.
SO: 16.3 Data ¡elevant for control logic units including SO/TqTAL J
VO-cards. Both PLCs (19 Vo) and computers
(81 To) arc included. The cont¡ol logic units are Per ch. 0.21 FTO/Phys. 0.02 PDS I /8/: Outpuldigital, normally ener-
Obseried:
cno = 91 7o used both in control systems (54 %)' ESD
FTOÆunct. 0.01 gized, failure rate Per channel
(Calculated including system (13 7o) and F&G systems (33 7o). .
FTo/rorAL 0.03
detectors having some No. of inventories = 52
are included.
kind of self-test Total no. of failures = 214
OnIy crítical faíIures are included'
arrangement onlY) Cal. time = I 164 384 hrs
Note! Only failures classified as "critical" and
with failure modes FTO or SO are
included in the failure rate cstimates.
and Safety Systems.
@smunr Reliability Data
1998 Edition.
)ntrol
Reliability Data Dossier . PÐSdata

Reliabilily Data Dossier - PDS.dàtå
Module: Control Logic Units
Component: PLC SYstem Module: Control Logic Units
Component: Field Bus Coupler
F àíluìe' Røt e Relerenc e s Date of Revision

1999-01-1 I
Overall
failure rate Failure mode distribu- Remarks
@er 1Ú hrs) tion Data source/comment No data available in OREDA Phase IV
Per ch. 0.21 FTO/Phys. 0.17 PDS I /8/: OutpuUdigital, normally de'ener'
- FTO/Funct. 0.01 gized, failure rate per channel
FTO/TOTAL O.]8
Recommended Values for Cqlculatian
Note! Both physical andfunctional farilures
SOlPhys. 0.02
are included. Total rate Coverage Unàetected
SOÆunct. 0.01
Only critical failures are included. 0.01 per 106 hrs 0.90 0.001 per 106 hrs
SO/|OTAL 0.03
0.2 per 106 tus 0.90 0.02 per 106 hns
Overall 0.2 per 106 tus TIF-probabíIity 10-s
Previously Recommended Values for Calculation (95 etlition)
0.18 per 106 hrs
0-001 per 106 hrs
0.02 per l0ó hrs
0.2 per 106 hrs TlF-probabilitY = 10-5
F ailure Rate Assessment
based on expert
No sources of failure iate data a¡e identified. The failure rates afe estimated
judgement and the failure rate data found for PLC system'
T IF -probability Ass es s ment
the expert judgement ts

The TlF-probability is entirely based on expert judgements. Details on
are provided in Section 2'3'
found in the appendix. A summary of some of the main arguments
Reliability Data f and Safety Systems
'74
@snmunm ;ntrol t)
1998 Edition.
R¿lia¡ility oaø,Dossier - PDS.data - PDSid¡ta

Reliability Data;Dossiei
Module: Control I'ogic Uniß
Output Devices / Valves
Component: Fielà' Bus CPUlCommunication Unit

Component: ESV, X-mas Tree
Date of Revision
1999-01-1 1
1999-01-1 1
Remarks Hydraulically operated production

No data available in OREDA Phase IV' master, wing and swab valves'
.Total rate Coverage Undetected Recommended Values for Calculation

FTO 0.01 per 106 hrs 0.90 0.001 per 10ó hrs
SO 0.2 per 106 hrs 0.90 0.02 per 106 hrs Total rate Coverage IJndetected
hrs
Overall 0.2 per 106 hrs TIF-probability 10-5 SO 0.7 per 106,hrs 0.30 0.5 per 106
r)
hrs 10-6 _ l0-s
Overall 1.6 per 106 TlF-probability
1) For complete and incomplete functional testing respectively'
Previously Reconmended Vølues for Calculntion (95 edífíon)
Previously Recommendeil Yalues for Calculation (95 etlition)

h., = 0.18 per 10ó hrs
IFro = 0.001 per 106 hrs

h", = 0-0 Per 106 hrs Coverage
lso - o.o2 per lo6 hrs
)"Fro = 3.0 per 106 hrs
L¡, - 0.2 per 106 hrs Iso = 0.5 Per 106 hrs
r)
hrs = 10-6 - 10-s
Ào¡, = 3.5 per 106 TlF-probability
F ailure Rate Ass essment t)
For complete and incomplete functional testing
based on expert F ailure Rate Ass essment

No sourcés of failure rate data are identified. The failure rates are estimated
- based on oREDA Phase III
-
judgement and the failure rate data found for PLC system' The failure rare estimate is an update of the previous estimate
based on observed
*rìnã*oÀ nhase IV dutu. Th" so coverage given above is estimated
coverage.
the expert judgement ts ment

The T.IF-probability is entirely based on expert judgements. Details on T I F -probabilitY As s es s
A summary of some of the main arguments are provided in Section 2 3'

found in ihe appendix. judgement rs
judgements. Details on the expert
The TlF-probability is entirely based on expert
a¡guments a¡e provided in Section 2'3
found in the appendix. A summary of some of the maln
C I and Safety Systems.
76 Qsnmrnr Reliab¡lity Data for
1998 Edition.
7',7
Reliabitity Data Dossier - PDS-data

: Reliabilify Data Dossier -, PDS-dat¿
Module: Output Devices / Valves
Module: OuQtut Devices / Valves
'F
aílür e' R ate Rêfer enc es
F ailure Rale References
Overall
Overall
failure rate
(per 106 hrs) F ailur e mo de di s t rib ution Data source/comment failure rate
1.1 I FTO: 0.00 OREDA Phase lV Software /15/. þer 1Ú hrs) F ailure mode distribution Data source/commenl
SO: l.l1 Data relevant for hydraulically operatetl

wellhead master valves, swab valves and wing
9 .17 EXL: 0.28 OREDA Phase Il /21 , P. 89, Valves ESD-
valves. The previous f,rlter does not apply to the

FTC: 3.81 Data relevantfor topside ESD valves. Note!
Observed: OREDA v.5 software. FTOpen: 2.1,2 Includes also control and monitoring unit.
,so = 100 Vo INL: 0.14 No of inventories =322
Fiher: OVH: 0.28 No. of failures = 151
Inv. Eq. Class = \ilElIIæADs AND X-MAS TREES ÀND
(Inv. System = Gas production OR
SEL: 0.14 Cal. time = 6 406 500 hrs
Inv. System = Oil Production) AND SEP: O.l4
Inv.Phase=4 AND SIL: 1.12 Note! Only failures classified as "critical" are
Fail. Severity Class = Critical AI\'D
op.
(Fail. Item Failed = Prod. master valve, hyd. OR SPO: 0.43 included in the failure rate estimates.
Fail. Item Failed = Prod. swab valve, hyd.op. OR UNK: 0.14
Fail. Item Failed = hod. wing valve, hyd. op.)
14 FTOÆhys. 6 PDS I /8/: ESD valve. Note! Includes also pilot
FTOÆunct. 2 valve etc.
No. of critical FIO failures = 0
No. of critical SO failures = I FTO/ror,qt I
Cal. time = 902 544 N ote ! Both physical and functional failure s are
SO/Phys. 2 included.
7.36 DOP: 0.15 OREDA Phase trI /1/ Database VA31-.
SOÆunct. À Only critical failures are íncluded.
EXL: 1.84 Data relevant for wellhead ESDÆSD valves,
SOlror¡r 6
FTC: 037 main valve or acfuator.
FTOpen: 0.46 Filter criteria: FUNgTN='ow' oR'clv',
INL: 2.30 APPUC=tsSD/PSD" MATIEM=bODY' OR VALVSEAT'
LCP: 1.69 OR SEAIJ'OR ACTUATOR'.
PLU: 0.15 No. of inventories = 349
Total no. offailures = 120
Cal. time = 6 518 058 hrs
Note! Onlylfailures classified as "critical" are
included in the failure rate estimdtes.
Reliability Data for / and Safety Systems
't8 þsnmrur 1998 Edition.

.)ì 19
Reliab¡tity Data Dossiér : PDS'datâ-

.Ð
l '
,R.U"lil!.itv'P4tq Po*lÞ",
Ouþut Devices / Valves
Module: OutPut Devices / Valves
Component: Other ESV
Component: Other ESV

1999-01 -1 1 TheTlF-probabilityisentirelybasedonexpertjudgements.DetailsontheexPertjudgementls
urgum"nts ar" p@
Main valve including actuator. Nof found in the appendix. A summary of some of th'e main
Remarks
including pilot valve and local control
F ailure Rate,References
and monitoring.
Recommended Values for Cølculation

FTO: 1.06 OREDA Pil'.s" IV Software /15/'
Total rate Coverage Undetected SO: 0.26 Ouãi"t"u*t for process ESDÆSD valves'
ã*.i"¿ing tft" pilot anil control & monitoring'
FTO hrs
1.3 per 106 0'00 1.3 per 106 hrs
SO 0.3 Per 106hrs 0'00 0.3 per 106 hrs

Filter:
Inv. Eq. Class = VALvES
r) (Inv. Syslem = Gas exPort.
Overall 1.6per 106hrs TlF-probability 10-6 _ 10-s
Inv. System = Gas Processlng
l)
For complete and incomplete functional testing respectively Inv. System = Oil exPort .
Inv. System = Oil Processlng)
Inv. Phæe = 4
Inv. Att, ÀPPtication = ESD/PSD
Fail. SeveritY Class = Critical
(Fail. Item Failed <> Pilot valve
f*fed o contol & Monitoring)
,*"-r, for Calculntion (95 edition) Èuil. Suuunit
^t--***tlues No. ofinventoriss = 106

L", = 0.0 Per 106 h¡s Coverage 0.00 No. of critical FTO failures = 4
IFro = 3.0 per 106 hrs
Xso = 0.5 Per loó hrs
FTOpen: 1.12 OREDA Phase III /1/ Database VA31-'
valves'
LCP: Data relevant for process ESD/PSD
Li, = 3.5 per 106 hrs TlF-probability 10-6.10sr) 1.12
main valve or actuator'
For complete and incomplete functional testing respectively'
t)
Filter criteria: RjNctl'¡='op' ot 'cp"
APPLIC=tsSD/PSD" MAffEM= tsODY'
OR
Failure Rate Ass essment vALvsEAT' oR SEALS' oR Ac'ÍuAToR''

prevtous
Due to additional phase data the failure rate estimâte is an iterative updated' The
III Total no. of failures - 20
is finally update using the
esrimate is updared with the final phase III data, and this
estimate Cal. time = 891 214 hrs
of are included
assuming a coverage OnIyfailures classífied as "crítical"
oREDA phase IV data. The rate of FTO and so failures is estimated Note!
'Fail to closc on demand' and 'structural clefrrciency'' in the faílure rate eslimt*
0 vo .TheFTO failure rate incìudes
Reliabìl¡ty Data for ' and SafetV Systems.
80 @snmunr 1998 Edit¡on.
¡ol 8i
Reliability Data Dossier - PDS-data
Retiâbility:Data Dossier - PDS'data

Component: Other ESV Module: Output Devices / Valves
Component: Pilot Valve

F øiliir e'.R.at e R ete r e n c e s
Overall Description Date of Revßion

FaíIure mode dßtribu' 1999-01-1 I
failare rate
Pilot valve on hydraulically or pneu-
þer IÚ hrs) tion Data source/comment
matically operated, process or wellhead,
9.17 EXL: 0.28 OREDA Phasefr.l2l, p. 89, Valves ESD. shut-off or ESD/PSD valves.
FTC: 3.81 Data relevant for topside ESD valves. Note!
FTOpen: 2.12 Includes also pilot valve etc.
INL: 0.14 No of inventories.= 322
Recommended Values for Calculntíon
OVH: 0.28 No. of failures = 151
SEL: 0.14 Cal. time = 6 406 500 h¡s
SEP: 0.14
SIL: l.l2 Note! Onlyfailures classified as "crilical" are
SO 2.5 per 106 hrs 0.30 1.8 per 106 hrs
SPO: 0.43 included in the faíIure rate estimates.
UNK: 0.14
Overall 4.2 per 106 hrs TlF-probability =
t4 FTO/Phys. 6 PDS I /8/: ESD valve. Note! Includes also pilot
FTOlFunct. 2 valve etc. Previously Recommended Values for Calcalation (95 edition)
FTOftoTAL 8
Note! Both physical and functional failures are 0.0 per 106 hrs
SO/Phys. 2 included.
0.6 per 106 hrs
SOlFunct. 4 Only critical failure s are included.
0.4 per 106 hrs
Softorn 6
1.0 per 106 hrs TlF-probabilitY =
Failure Rate Ass essnent
Due to additional phæe data the failure rate estimate is an iterative updated. The previous
III
using the
esrimate is updated wirh the final phase Itr data, and this estimate is finally update
of 2O 7o
OREDA phase IV data. The ¡ate of FTO failures is estimated assuming a coverage
(previously assumed tobe0 To,observed in OREDA incomplete and complete Phase III was
The rate of SO failures is estimated assuming a coverage of 30
40 Vo and 67 7o, rcspectively).
7o (previously assumed to be 0 in OREDA incompiete and complete Phase III was
To, observed
and
20 vo and 94 7o, respectively). The FTO failure rate includes 'Fail to close on demand'
'Fai[ to open on demand' failures.
Reliability Data f' and Safety Systems
82 @snmrem )rtrol 83
1998 Edition.
Reliabiliw'Data Dossie¡ : PDSrdata

Reliabitity DCta,DoSiCi;' . PÐsiilata
Moduf e: Output Devices I Valves
Module: Ouþut Devfues /Valves
TIF -prohability As s es s ment
F aiture: Rate Rèfere nc es
The TIF-probabiliry is entirely based on expert judgements. Details on the expert judgement is Overall
found in the appendix. A summary of some of the main arguments are provided in Section 2.3. Failure mode distribu-
failure rate
F aílure, Rate Referenc es @er Iú hrs) tion Data source/comment
Overall 0.45 FTO: 0.45 T-boken /6/:Solenoid valve, normally ener'

gized. The failure mode used in the source is
failure rate Failure mode distribu-
ld hrs) tion Data soturcelcomment "Missing function". This has been interpreted as
@er
FTO.
4.52 FTO: 1.69 OREDA Phase IV Softwa¡e /15/.
SO: Data relevant pilot valves with control & /6/: Solenoid valve, normally de'
2.83 0.11 FTO: 0.11 T-boken
monitoring in ESDÆSD applications.
energized. The failure mode used in the source
Observed: Filter: is "Failed to change state". This has been inter-
VALvEs ÀND preted as FTO.
"fro = 67 Vo Inv. Eq. Class =
ESD/PSD
(Inv. Att. Application = OR
"so = Shut-ofÐ
94 7o Inv. Att. Application =
Inv.Phase=4
AND
AND
Lo Med. Hi FARADIP.THREE /7/: Solenoid.
Critical
Fail. Severity Class = AND 0.4 14
valve
(Fail. ItemFailed=Pilot OR
Fail. Subunit Failed = Control & Monitoring)

No. of critical FTO failu¡es = 10
No. of c¡itical SO failures = 17
Cal. time = 6 023 256
0.51 FTC: 0.07 OREDA Phase III /1/ Database VA3l-.

FTOpen: 0.36 Data relevant for pilot valve on hydraulically
SO: 0.07 or pneumatically operated, process or
wellhead, shut-off or ESD/PSD valves.
I
Filter criteria: ACrUAT=IYDRAULIC' .oR.
ÞN¡uuerrc', AppLIc=5HUT-on¡' .oR. bsD/PSD', i
:
MÄITEM='ACTUATION'.
No. of invento¡ies = 516
Total no. of failures = 42
Cal. time = 13 156 654 hrs
Note! Allfailures are included, i.e. both "Critical",
"Degraded" arul "lncipient" failures, since the
failure classif.catiott is given on system" level.
for
84 þsnmrnr Reliabil¡ty Data
1998 Ed¡tion.
-!ol and Safety Systems.
85
Reliability Data Dossier - PD,S-data .:"Reliabiüfy;Data Dossiei - PÐS.dâta
Module: Ouþut Devices / Valves Module: Outout Devices / Valves
Component: Process ControlValve Component: Process Control Valve
TI F -p ro b ability A s s ess m ent

Description Date of Revßîon
1999-01-1 l judgement is
The TlF-probability is entirely based on expert judgements. Details on the expert
Process control valves including actua-
Remnrks found in the appendix. A summary of some of the main arguments tt" plgytd:g tn Jgttion3'3'
tor, pilot valve and local controVmoni-
toring. Both large and small control F aíluie RaÍe,Refi:¡ e nc e s'',
valves a¡e included.
Recommended Values for Calculation

FTO: 3.97 OREDA Phase IV Software /15/'
Data relevant for Data relevant for process con'
SO: l.O2
Total rate Coverage Undetected trol valves including pilot valYe etc' Note! All
Vo of the registered valves
Small - Iarge Valves SmaII- Large Valves sizes are includ ed. 47
2.8 - 0.8 per 106 tus Obsemed: a¡e small, i.e., size < 10 inches. Thus, 53 7o are
FTO '1
.1 - 2.1per 106 hrs 0.60
.r<
O.l -0.2per ^FîO _- oj^
large, with size > l0 inches.
so 0.4 - 0.7 per 106 tus 0.70 106 hrs L LJ
'V
,so = 100 Vo
FíIter (small valves):
Overall 7 .6 - 2.8 per 106 hrs TIF-probability 10-s Inv. Eq. Class = VALvES
(Inv. System = Gas export
Inv. System = Gas processing
(95 edition) Inv. System = Oil exPof
Previoasly Recommended Values for Calculation Inv. System = Oil processing)
Inv. Phase = 4
Small - Largevalves Inv. Att. Application = Process Control
L.,
r FTO
= 18.0 - 8.0 per l06hrs Coverage 0.65
lL= 9.0 - 4.0 per 106 hrs
¡SO No. of critical FTO failures = 10'5
0.1 - 2-0 per106hrs No. of critical SO failures = 1
L¡, 27.0 - l4.O per 109hrs TIF-probability 1o-5

DOP: 0.72 OREDA Phase III /1/ Database VA31-'
EXL: 0.36 Data relevant for process control vâlves
F ailur e Rate As s e s sme nt FID: 1.79 including pilot valve etc. Note! All sizes are
FIC 4.29 included.
The failure rate estimate is an update of the previous estimate - based on OREDA Phase III - FTOpen: 2.15 Filter criteria: APPLIc=ÞRoc crRL', FLrNcrN='oP'
with OREDA phase IV data. Total rate of FTO-failures estimated by including the OREDA LCP 1.43 .oR. 'GP'.
failure modes FTC and LCP, and 50 Vo of the DOP-and EXl-failures. The rate of FTO failures oTH 3.22 No. of inventories = 100
is estimated assuming a coverage of 50 Vo (previously assumed to be 65 7o, observed in ovH 0;72 Total no. of failures = 186
OREDA Phase IV was 25 Vo). The rate of SO failures is estimated assuming a coverage of 80 PLU 2.50 Cai. time =2'796745 hrs
included
7o (previously assumed to be 65 %, observed in OREDA Phase IV was 100 7o). SO: 0.07 Note! Only failures classified as "crítícal" are
in thefailure rate eslimates
Reliabìl¡ty Data fo and Safety Systems.
86 Qsnmrum 1998 Edition.
}rol 8'l
Reliahility,Data:Dossier . PDS-data
Module: Output Devices / Valves Reliãb,ility Daøóoqsier :'PDS'dâtá.
Component: Process Control Valve Module: OuQtut Devices / Valves
Component: Pressure Relief Valve

F aílùie Rate Rèferencès
Failure mode distribu Date of Revßion

Overall failure rate
(per IÚ hrs) tion Data source/comment 1999-01-l I
27.0'1 DOP: 1.04 OREDA Phase III /1/ Database VA3l-.

FID: 4.17 Data relevant for process control valves
Frc 5.21 including pilot valve etc. Note! Only sizes less
FTOpen: l.M than 5" are included in this run.
LCP 3.12 Filte¡ criteria: A?pLIc=ÞRoc crRL', FuNcrN='op'
Recommendeil Values for Calculation
oTH 3.12 .oR.'cP', srzE<=5.000.
ovH 2.o8 No. of inventories = 33
PLU 7.29 Total no. of failures = 66
FTO 1.0 per hrs
106 0.00 1.0 per 106 fus
Cal. time = 960 320 hrs
so 0.2 per 106 hrs
t) 0.oo 0.2 per 106 hrs
Note! Onlyfailures classified as "critical" are
OveraII 1.2 per 106 hrs TlF-probabitity 1o-3
l)
14.16 DOP: 0.54 OREDA Phase Itr /l/ Database VA3l_. Note that trip of PSV does not necessarily lead to system
EXL: 0.54 Data relevant for process control valves Previously Recommended Values for Calculatinn (95 eilition)
FID: 0.54 including pilot valve etc. Note! Only sizes
FTC larger than 5" are included in this run.
3.81
h", - 0.0 per 106 hrs Coverage = 0.00
FTOpen: 2.72 Filter criteria: AppLIc=ÞRoc crRL'. FUNcTN='op'
LCP 0.54 .oR. 'cP" slz>5.000.
?lFTo = 0.1 per l06hrs
OTH 3.n No. of inventories = 67 l,so = 0.9 per 106 h¡s

r)
SO: .18 No. offailures = 120

Cai. time = I 836 425 trs L¡, = 1-0 per 106 hrs TlF-probability = l0 3
t)
Note! Onlyfailures classified as "critical" are Note that trip of PSV does not necessarily lead to system trip
F ailure Rate Ass essment
8.6 FTO: 8 .6 T-boken /6/: Motor-operated control valve.
The failure rate estimate is an update of the previous estimate - based on OREDA Phase
III'
The failure mode used in the source is "Failed to
failures classified as 'Fail to
change position". This has been interpreted as OREDA 84 and other sou¡ces - with OREDA phase IV data. Only
Ffo. ' a¡e considered FTO failures.
T I F -p ro ba bility As s e s s m e nl
judgement is
The TlF-probabiliry is entirely based on expert judgements. Details on the expert
foundintheappendix.Asummaryofsomeofthemainarcu@
\
fo. lrol and Safety Systems.
88 þsnmrnr Reliabil¡ty Data
1998 Edition.
89

, Reliability-:Date :Dossier - P-DS.iIâta
F ailur e,'Rate,Relere nc es F ailure Rat e, Referenie s
Overall Overall
Failure mode distribu- failure rate Failure mode distribu-
failure rate
þer Id hrs) tion Data source/comment @er ld hrs) tion Data sourcelcomment
L .27 FlO: 2.14 OREDA Phase fV Softwa¡e /15i. t.5i NPRD-9l l9l'.Yalve, relief, Ground, unknown
SO: 0.13 Data reievant for self-acting or self-acting/pilot quality
actuated relief valves.
4.4 OREDA-84 /3/, Pilot operated safety relief
Observed: Filter; valve.
,fto = |vo Inv. Eq. Class = VALvES AND
Inv. Phase=4 AND
,so = 07o Inv. Att. Application = Relief ANI)
No. of inventories = 2'1 5

No. ofcritical FlO failures = 17
No. of critical SO failures = I
Cal. time ='l 493 448
¿o .78 INL/Degr. 22.06 OREDA Phase III /l/ Database VA31-.

INI-/Degr. 1.58 Data relevant for self-acting or self-acting/pilot
Sum/Degr. 23.63 actuated relief valves.
Filter criteria: AppLrc=Þ.ELIEF', AcruAT=5ELF
EXl-/lncip. 1.58 ACT'.OR. 3.e.ÞU-Or'.
EXl/krcip. 1.58 No. of inventories = 34
Sumllncip. 3.15 Total no. offailures = 17
Opr. time = 634 730 hrs
Note! Cal. time = I 119 360 h¡s
Also "Degraded" and
" In c ipíent" fai lures ar e Note! Operational time is used in the failure rate
includeed, since no estimates.
" C ritic al " failur es ar e
observed.
Lo Med. Hi FARADIP.THREE /7/: Valve. Relief

28
fo )rot and Safety Systems.
)snmrun Reliabilìty Dala
1998 Edìtion.
91
/t6l Harry F. Maftz and Ray A. \ffaller, Bayesian Reliability Analysis, IGieger Publishing
REFERENCES Company,1982.
t17 | 1REDA Handbook; Affshore Retínbility Data Handbook, 3rd edition, oREDA Pafiicipants
llt OREDA Phase III, computerised database on topsíde equipment, OREDA Participants
(multiclient project on collection ofoffsho¡e reliability data)' 1997.
(mutticlient project on collection of offshore reliability data).
ril 1REDA Handbook; offshore Reliability Data Hanìboo&, 2nd edition, oREDA
Participants (mutticlient project on collection ofoffshore reliability data)' 1992
13/ OREDA Handbook; ffishore Reliabiliry Data Hanlbook,lst edition, OREDA Participants
(multiclient project on collection ofoffshore reliability data)' 1984
l4l Jon Ame Grammeltvedt, u&P; oseberg c - Gjennomgang av erfartngsdatafor brann- og

gassd.etelctorer på Oseberg C. Forslng til testintervallerfor detektorene, rcWrt from Norsk
Hydro, Forskningssenteret Porsgn:nn, 1994-07-28 (in Norwegian).
l5l Lars Bodsberg, VULCAN - AVulnerability CalculartonMethodfor Process Safety Systems,

Doctoral dissertation, Norwegian Institute of Technology, Dep. of Mathematical Sciences,
Trondheim, 1993.
16/ T-bolcen, Version 3: Titfòrlítlighetsdata för komponenter i nordislca krafirealaorer, NI\-

kansliet and Studsvik AB, publisehd by Vattenfall, Sweden, 1992 (n Swedish)'
nl David J. Sflit¡}^, Retiability, MaintainabíIíty and Risk - Practical Methods for Engineers,
Butterworth-Heinemann Ltd., Oxford, England, Fou¡th edition, 1993'
tgl Lars Bodsberg, Relíabitity Data for Computer-Based Process Safety Systems' SINTEF
Report STF75 F89025, 1989.
lgt William Denson et a1., NPRD-9L: Nonelectronic Parts Reliability Data 1991, Reliability
Analysis Center, Rome, New York, USA' l99l-
ll}t Ragnar Aar/ et aI,

Reliability Prediction Handbook. Computer-Based Process Safety
Systems, SINTEF Report STF75 489023' 1989.
¡lt Lars Bodsberg et aI, Reliability Quantification of Control and Safety Systems. The PDS-II
method. SINTEF Report STF75 493064' 1994'
Øien and P. R. Hokstad. Handbook for performing exPert iudgmenL. SINTEF

tl2l K. report
sTF38 498419, 1998.
ll3l per Hoktad and Ragnar Aa¡ø, Retiability Data for Control and Safety Systems, Revision l.
SINTEF report STF75 F94056, January 1995.
¡41 Geir Klingenberg Hansen and Ragnar Aæø, Reliability Quantification of Computer-Based
Safety Systems- An Introduction to PDS. SINETF report STF38 A97434, December 1997.
tlst OREDA Phose IV, computerised database on topside equipmcnt, OREDA Participants
(multiclient project on collection ofoffshore reliability data).
/)
The PDS Forum was initiated in 1995, and follows up the PDS projects.
The main objective of the PDS Forum is to maintain a professional forum
for exchange of experience between Norwegian vendors and users of
control and safety systems. The primary focus is on safety and reliabilìty
aspects of such systems. Research results are transferred, and personal
contacts between those working with offshore control and safety systems
are encouraged. Topics of the forum are:
Use of new standards for control and safetv svstems

. Use of acceptance criteria
. Exchange and use of reliability field data
. Exchange of information on new technology
The main activity of the PDS Forum in 1998 was to update the so-called
"PDS-recommended data". The present report summarizes the results from
this activity. For information regarding the PDS Forum please visit the web
s ite http ://www.s i ntef . n o/s i paalp rosjekt/pds-foru m.
The OREDA project is also acknowledged for allowing OREDA phase lV

data to be used in preparation of the present report. For information
regarding OREDA please visit the web site www.oreda.com
The PDS-method is an analytical method for quantification of reliability,

safety and Life Cycle Cost (LCC) for control and safety systems, and therebr
to perform an overall evaluation of such systems. The method was
developed for the offshore industry, where it has gained a widespread use.
The method supports the reliability analyses in the international standard
IEC 61508: Functional Safety of E/E/PE Safety Related Systems. lt is also
referred to in the NORSOK standards for Safety and Automation Systems as
a method to be used for verification of safety systems.
SINTEF lndustrial Management, Dept. of Safety and Reliability has

developed a computer program "PDS-Tool" to support PDS calculations.
Sydvest Software has from March 1999 taken over the responsibility for
PDS-Tool. Sydvest Software has been established to develop and market
software tools aimed at preventing losses caused by accidents and other
undesired events. SINTEF lndustrial Management, Dept of Safety and
Reliability is one of the initiators and main owners of Sydvest Software.
For information regarding the PDS-Tool please visit the web site of
Sydvest Software at www.sydvest.com.

Sintef STF38 Reliability Data For Control and Safety Systems (1998)

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Sintef STF38 Reliability Data For Control and Safety Systems (1998)

Hochgeladen von

Copyright:

Verfügbare Formate

STF38 A98445

Classif ication: Unrestricted

ReliabilitY Data for Control and

SINTEF Industrial Management

;'ifiV€}f ,'l';-15 KEMIRA

EnterPrise No.: NO 948 007 029 MVA

iltrol and SafetY SYstems

Fe40s6 - Reliabilitv Data for

the web site

Geir Klingenberg Hansen

OREDA ParticiPants 1998

2.1 Parameter Definitions

detectable by automatic self-

h", = Totalrateofdetectablefailures,i'e' W+ ftf'

is shown in Table l '

Safetv tntegrit-v Levels (SIL)

> to-' to < to-' t0 to 100

to the three safegv s-vstems'

61508) Part One t1 of23

Table 1 Relation between different 2 _ values

rate estimate,Lø. Furthermo¡e, it is assumed that

Publisher: Reliability Analysis Center, Rome, New york, USA

:*i,':ï"n::Ïfff îJ l"iliåi r'Jffi *md;;;,år,**" ""o's

systems, the estimate Î/F = 5{0- appxes'

As an exampre, consider the murtipricitv,gt-:'b:i:.î^1":li:i'åliltih::IîJJJ;Ï5':;:

23.3 p-factors _r.1,r,rn flq¡\a

When quantifying the reliability of.systems elnploying redundancy, e.g., duplicated

Smoke Outpul devices

Other ESV lmain OVo ÙVo +-3 1.3 0.3 lo{-105r)

Table 5 p-factors of various components

Ttr 3: High Same location and design give high fraction of

2.4.1 Variability of the TIF

3.2 ConcePtual aPProach

Generic weights from

influenced by a set of influencing conditions (1Q. These are conditions

liäi"îi,ïäffi:of ;:îi,::iläiiin -]'fi{*4;l '

rräri.Jlffiäîä:ilî.f:"T'":ïfi i"Jlffi;;;;iî' to estabrish

application specrllc llr'

on tt'" following principles:

ÎIF for contributing class i is given by:

rj-- Table 8 Overall results, TIF consiilerat"Ï t"t *

Two diffe¡ent detection systems we¡e considered:

o Infrared (IR) point detector

r Large gas leakage in ventilation intake Giãe-mandqualitatitelY/

Table 9 TIF for CC2"V,lronglocation", IR point detector

Table 10 TIF for CCz r¡\ilrong location",IR line detector

9suNTEF 1998 Edil¡on. \

Step 5: Gas leakage scenario TIF=TIFr +TIFz+TIF¡

TIF-values for 'Í.¿calion errord'

S = 1 - Best state, i.e. specific means have been implemented

Step 9: Calculation oftotal adjusted TIF

TIF = TIFI + Tþ + TIF3 = 36.9. lO-3

Table 12 Check list for influencing conditions

æe given in /13/ and

Degradedfailure i-:^^r providing its output within

Bypass not removed

I TIF3 r"- = 0.001; 1¡R 0.02

Reliabitity rDriø'Dossier:' PDS'ilata

Component: Process Switch, Conventional

L¡, = 6.0 per 106 hrs ag-p¡obability SO: 1.15

T-boken Pressure differential switch

Reliability Data Dossier - PÐS.data

:i,':ï"n::Ïfff îJ l"iliåi r'Jffi md;;;,år,**" ""o's