STF38 Reliability Data For Control and Safety Systems 1998

STF38 A98445
Classif ication: Unrestricted
@$t'LiEF
ReliabilitY Data for Control and

SafetY SYstems
1998 Edition
SINTEF Industrial Management

SafetY and ReliabilitY
JanuarY 1999
;'ifiV}f
,'l';-15
KEMIRA
KIRJASTO
SINTEF REPORT
)
@s[Nr,,im
SINTEF lndustrial Management
Safety and ReliabilitY
Systems'
Reliability Data for Control and Safety
L998
Edition.
Address:
N-7034Trondhem'
NORWAY
Strindveien 4
Tefephone: +47 73 59 27 56
+47 73 59 28 96
Latin;
fa:
EnterPrise No.: NO 948 007 029 MVA
Vatn
Geir Klingenberg Hansen and Jm
srGN.).
It.
Lk^1
t999-01-l I
in this report' D
control and.safety systems are provided
eliability data estimates for components of
(etectronic.ar"
n::"-T:l Data dossiers
.nuor rogi.
r both fietd devices (senso;;
and expert judgements' The level
BSTBACT
various sources, ..g.'oRr,oe

iven for these components, based on
anaiyses applying the PDS method'
suired for ,"liiuiiitv
etail of the data is adapted
t#;f"rm;t
reliabilitydataestimatesareessentiallybasedonthepreviouslyrecommendeddataforusewith
IV data'
method, updated with OREDA Phe
Also,amethodforobtainingapplication^specificreliabilitYdataestimatesisgiven.Asacase'
*",irtJ t
to TIF probablities for IR gas detectors'
"ppfied
iltrol
and SafetY SYstems
Systems'
Feliability Data for Control and Safety
1998
Editon
PREFACE
ThePDsForumisaforumofoilcomparries,vendorsandlesearcherswithaspecialintefestln
;it";,ryr,*:,g"lt'::.."f f T'Jf t:#:H#,''-Tiif:'i:":3"i:i"T

the PDS Forum please visit
'oHi1,J:ir}ill,,ll iiJffiir'.,i"i,y.
if"il*
ror inrormatiJi-'"J*a"e
ft tp://www'sintef 'no/sipaa/prosjekt/pds-forum'html
TheresultsinthePlesenlreportistoagreatextendtasedonworkSlNlEFcarriedoutonrequest
Fe40s6 - Reliabilitv Data for
ff;siEf ;"I;':'sinzs
from Norsk Hydro in 1ee5 ffi"]i,
Hydro ailowed using
We appreciate ttfttttt that Norsk
Control and Safety Systems" t13l'
report'
these '95 results in the present
the web site

TheoREDAprojectisalsoacknowiedgeclfor.allowingOREDAphaselVdata.tobeusedin
,"g.iAne-REOA please visit
the present';d;;.-* iiformation
preDaration of
t,,t-.
tslindman/sipaa/prosjektioreda'/
""tri.nloni
Trondheim, 1999-01-1 I
Geir Klingenberg Hansen
PDS Forum ParticiPants 1998

Oil ComPanies
mocoNorwaY Oil ComPanY
.
o
e
.
o
.
.
BP Norge
ElfPetroleumNorgeAJS
Norsk HYdro ASA
Norway
Phillips Petroleum Company
SagaPetroleumASA
A"/S
Norske Shell
(Statoil) a's'
Den norske stats oljeselskap
Control and Safety Systems Vendors
. ABB Industi
o
o
.
o
o
o
.
.
.
Auronica
BaileY Norge
Boo Instrument AS
HoneYwell
ICS GrouP
Kongsberg Sirnrad
Norfass (Yokogawa)
SAASASA
Siemens
Consultnts
Engineering ComPanies nd
o
.
.
o
.
.
Aker Engineertng
Det Norske Veritas
Dovre Safetec AS
Kvrner Oil and Gas A'S
NORSOC
Umoe Olje og Gass
OREDA ParticiPants 1998

& Production
Eni S.p.A./AGIP Exploration
ComPanY
ExPloration
Amoc
'fp'Biol"ti""
operating company Ltd'
1"*n p"ttot"u* Technology company
Elf Perroleum Norge A'/S
Esso Norge a.s'
Norsk HYdro ASA
Norway
Phillips euoleum ComPanY
r,uo oljeselskap (Statoil) a's'
bln t*.rc
Sas Petloleum
ASA
ii"""".
TOTAL S.A.
B V'
Exploration and Production
and Safety Syslems'

Reliability Data for conlrol
l eea
Edition.
TABLE OF CONTENTS
LIST OF TABLF,S
LIST OF FIGURF,S
t.
INTRoDUcrIoN......""'
Rrsul,rSutt1t14RY""""""""'
::::
Hil:H*ir*i:'ffi
"""""""
Z.
Data
Summury Table of PDS Input
I
' """' rr
r+
I
"""""""' 17
"""""""""'17
"""""" 18
"""""" 18
"""""""'23
Tprobabilities""
2.3.2 Cotterages """"""""""'
2.3.3 P-factors
2.4 FufherVork
:' :::
a^1
2.4.1 Variability of the ?IF probability"""'-':"""""""""""1"":"""'
2.3.1
'
|""'T3
a
',
2.4.2Distinguon*.*.*u".*i'*i'"*anellofsduringtesttng......'''
3.
NIETHoD
ANIETHoDFoROBTAININGAPP"'"o",o*,""orrcTIFrnosILITIES.......'.'..''............25
A
lll.trnlllntion......'.......''...........'.
3.i
Relability Dala for Conlro and Safety Systems

1998
Edition.
it
2. RnsulrSulrulnY
2.1 Parameter Definitions
each component:
The following parameters are quantified for
-n
",=Totalcriticalfailurerateofthecomponent.Rateoffailuresthatwillcauseeithertripor
causing such
(unless cletected and prevented from
unavailability
failure).
";*#.r, ".ii*
.=RateoffailurescausingFail-To.operate(,FTo)failures,ndetectablebyautomaticself-
test.The,FlofailurescontributetotheCriticalSafetyUnavailability(csu)ofthe
comPonenlsYstem'
* \,\,,.
li,=RateofSpuriousoperaon(So)failures,undetectablebyautomaticself-test.Therateof
Spuriousoperation(So)failuresofacomponentcontributestotheSlRofthesystem
1a.p"nO"ntofoptrtionpbllosophy)' l\+'"
ndet
* 2i10"
Total rate of rdetectable failures' i'e' /ffi?t
lFTO
/het
Rate
lso
'"er
of failures
test.
detectable
causing FaiJ-To'Operate (-FIO) failures'
by automatic self-
t\\
=RateofspuriousOperation(So)failures,detectablebyautomaticself-test'Theeffectof
the operation philosophy'
these failures on tne spuriou
trip
Rate (S7R) depends on
W+ ftf'
h",
Totalrateofdetectablefailures,i'e'
TFTO
/brit
function
the component' Causes loss of safety
Total rate of critical FTO failures of
y* =
regularity
component. causes loss of production
Total rate of critical so failures of the
(unless detected and prevented from causing critical
failure)' i'"'
m''
(unlessdetectedandpreventedfromcausingcriticalfaitur,i.e.,i,fl+,{f0"..
,no--Lw|^F[ll=Coverageoftheautomaticself-test+controlloomoperatoronFTo
-
fu-lor.r. ih"o',atiL t'?$'r{,,\r : '}kl\"
,So=1r.t^n=Coverageoftheautomaticself-test+controlroomoperatolonSofailures.
nF-Theprobabilitythatacomponentwhichhasjustbeenfunctionallytestedwillfailon
eman (applies for FTO failures only)'
is shown in Table l '

The relation between tbe different -values
xr
: ,\
\:*- *::. '."$.I INSTRIIMENTATION AND ELECTRICAL TECHMCAL

:i.
...:
AND ENGINEERING SERVICES
'. .
Phase 4
Overall SafetY Requirements
the overan safety Integnty Requ'ements

safety Function Requirements and
Specification comprised of the overall
required safeqv
to achieve the target level and the
necessary risk reduction required
Incrudes. for each safety function trre
Integri(y of the
r
which rpeds to be maintained
and Risk Management Description,
This documentation forms part of the Ezard
tluoughout the EUC's Safety Liferycle'
components'
r,^_^r^^1
Risk Reduction
Bs EN IEC 61508-5 contains

either qualitatively or quantitativelyrequired Risk Reducon can be determined
examples of both methods'
using a
u.idery used- The quaritative method
laborious calcurations and is not
The quantitative melhod reads to rather
Risk Matrix)'
.calibrated' Risk Graph is significantly less laborious' (It is also possible to use a
qualitative methods, and should alleviate
between the quantitative and
cornpromise
is
a
guide
this
of
method
T'e proposed
the Risk Graph approach'
some of the non-linearity probt"* of
determination of the risk reduction
method requires the numericar exact
Neither the qualitative nor the semiquantitative
the required sIL been found' the
and
nu.r. u""n erermined
However,
finction.
facror for each safetv
for the sIL'
inverse oithe PFD",= as in this table
risk reduction factor (RRF) is simply the
The
pFD""=of the safeqv function is between 0'01 and 0'001'
is 2. rhe range of
For example. if the determined SiL
100 to 1000corresponding range of RRF is then from
T'e
,fd;;;;-"-;*i,
Safetv tntegrit-v Levels (SIL)
targetfailureforasaferyfunction.allocatedtoanEiPEsafery"-relateds]_Stem
> t0-5 to < 10*

> lo4 to < 1o-3
> l0-3 to < 10> to-' to < to-'
10.000 to 100.000
1000 to 10.000
100 to 1000
t0 to
100
Phase 5
Safeqv Requirements Allocaon
of a EUC operator
w't
for
take into account the requirements
t'e
It is expected rhat the normar engineering procedure

safety related systems zuch as relief
drainage and vent sy;s. so other
erlernal risk reduction facilities like fire walls.
g" considered as prt of the EUC'
and nrpt*re disks. therefore. tey are. in tltit
praccal (ALARP) value is that required of
'alves
the As Low As Reasonabry
The remaining Risk reducon required to achieve
the SIS.
(sIS) for each component
Le'el
as meeting the required Safetv Integritv
Tlre functioning of the sIS needs to be verified
forming the qYstem architecture'
after the external risk
are then based on the remaining risk
In this gride, the risk assessmentand sIL determination
in the figure
box
have been implemented' i'' ttre leftmost
reduction facilities and oter safetv related s-vstems
to the three safegv s-vstems'
concept of safetv requirement allocation
The fo'owing figure illustrates the generar
I.R llitchen BA(TIons) C.Eng" MIEE'
61508) Part One

Profit Through Loss Control (BS EN IEC
t1 of23
t2
STNTEF
Syslems'
Belability Data t^- Contro and Safety
1998
Edtion.
Table 1 Relation between different 2 _ values

Spurious operation
Undetectable
}so
lFTO
/tndr
Detectable
so
2FrO
triet
7so
tudt
2FTO
'nr
'"d
Sum
Thus,notethatifanimperfectsrlngprincipleîsadoptedforthefunctional.testing,thiswill
by introducing
a procss switch is nar tested
if
Fail to operate
l,o",
2
'"det
A^,
rlf
Some of these parameters, in particular the

probability, and partry the coverage q are
sessed by
expert judgements, see /13l. A essential element
of this expert judgement is-to clariff precisely
which failures conhibute to ?7F and l., respectively.
Figure I was used an aid to crarify this. rn
particular the following is stressed conceming
the iterpretation of these .on."p,r-* used
in the
present report.
niun.",
conribure to rhe IIF prouuffi.-nis no perfect
i*prirg u "icated test signal, there
change in rhe pro""r. itr"tt u'oir,". "i""ty
"""t a blocking of the sensing line'
functional testing, ttre test wil'not
(cs are
to the cridcal safe{ unavailabiliw
phvsical
are
faIures'
rate
S"rt,rtil.* t"n*"q io tt" ftut" to an operational state' The
illustrated in Figure 2.
,o
r"p;
,o*. t ind.ot
ComDonents with physical
bv tunctional iesting' on the other
contfiburion to csu ao*
"li";"
No repair is required but
nrs.
-iJtir"tutry *o*ol
and
The contributions of the T/F probability
x.-o
I'
fJ;;; ;q**
pri*i"i;.il,.i ,u';d
;
hand, failures contributing
,"*
the
suchfailureswi]]occurrepeatedlyifthesamescenariorepeatsitself,unless.modificationsare
ir'utto*t constant' independent of
,iiffi"n;:Ji;;
iniated. The contribution

frequencY of functional testing'
FTO
h.
Detected by automatic self-test, or by
operator/maintenance personnel
(inespective of funcrional testing).
SO
hd"t
{ro
'!undet
"t
nSo
4undet
Coveragec=
Loss of safety failures. Detected by

demands only.
Trip failure, immediately

revealed. Nol prevented by ary
test.
10'2
Revealed n
functional lesl, lrl2
(physical failures)
Unrevealed in
funclonal test, TIF
(luncional lailures)
103
10{
TTT
lool*,
Functional test interval

Design enors
t
.
E}
Figure 2 Contributions to CSU
softwae
degreeofdiscrimination
'Wrong
Location
Insufficient fct. testptocedure

Human error during
.
'
'
.
test if
forget to test
wong calibration
damage detector
leave in by-pass
Figure 1 Interpretation of reliability parameters

TIF probability
t!1obability that acomponent, which has just been tesred,

1s
will fail on demand. This wil
include failures caused e'g. by-improper/wrong loc"ation
or inadequate design (software error or
inadequate detection principle). tmperrct functind
testg pnnciplerocedure will a.lso contribute.
Finally' the possibility that the maintenance crew perform
an erroneous functional testing (which is
usually not detected before the next test) also contribute
to the ?IF probabilitv.
Thi.s
CoveraRe
Thecoverageisthefractionofthecritica]failures,whichisdetectedbytheautomaticself-testorby
t;ure that in s91e way is detected in
include as part of the ":Yiq:.;
rn operaror. Thus, we
r"nro, t..g. t *r*itt"rj ti,i
betwien functional tests. Analo!
"tto"r" will have a critical failure'

thus contribute to "' Any trip
"r;i:"d t*.t "p"*t -
but this failure is assumd ,"^#ffi;,i.
#
eiui,,e""
"* ;i; derector,(trip)
:T:l ::J:'Jiil#,l:,i:."Jii;::fi;:
' r the operauon
to occur is also part ol r an
tt
uuto*uti" activation
so
specifying
a np coutd be prevented by
include in ", failures f"; ;hi;h
Zffu' cancontributetothespurioustriprate'
philosophy'Thismeans rh^rb:';; ffi*
'
t4
@s5|LiiulllF
2.2
Safety Systems
Relabitily Dala for Conlrol and
1998 Edition
pproach and Data Sources
Failure rate dnta in the 95 edition is mainly bed on the

oREDA phe
presenr report - is updated wirh rhe OREDA phase
IV data.
previously recommended estimates

For the sake of comparison, the
Itr
database, which
in the
The idea is to let the estimates from the 95 edition

form the so-called pnar diskibution, and next
update this prior distribution to the posteior distribution
using oREDA rv jurin." the 95 edition
only presents point estimates,
is
not
possible
to
establish u
_it
distribution.
Pragmaticaily we therefore use the
point estimate as the mean vaiue "o,rrpr*-pior
of the prior distribution, ad
make an implicit argument about the variation in the prior
distribution *dcb".- in the following.
It is assumed that the true fail*" t:l:.f":i given e4ripment
type is a random variable with a prior
distributed Gamma(q, p), see e.g. /16/. This distrituin
will be updated with the observed failures
and calenda times from OREDA phase rV and used
to give the new fa*..*" ,i*u*r.
'we.need
t: specify the parameters of the prior dishibution by speciffing its

mean ad standad
deviation' To simplify matters we assume that the
mean in ttre gamma prior is the previous failure
rate estimate,L. Furthermoe, it is assumed that
= 1 which r.do"* trr. g**n art rbution to an
exponenrial distribution. This implies that the standd
deviation
rh.
and is equal to
the mean, l. Note that this assumption need not always
"f
be approp.iute,
ae not enough
data to validate the sumption.
;;;;;
th;
1t
t
where
tlAoD +
Notethatintheg5etlition,thedatawerepresente-in.asliehtlydifferentway.Insteadofusinga
is in the present repofl
types of frurel tn coverage
nfCj
comrnon coverage for both iO
split into its FTO -a so purt ]rJ"i."iin
is the number of failues obsewed in OREDA phase rv,

and r is the equipment,s
rv. Nore
rhar this method can
r"
useo repeateay
"r"oiUf"
*itf,
Itr
data and rhe OREDA phase
Also, for some types of equipment, there are no inventories

registered in phase
Itr
rv
io;pd;;;
there are no,faitures registered in phase rV(f

estimates).
= 0) tlri.
database
data, using the
(r = 6.
,r"r"
reriabiriry data
still apply. (Note that if
updare the
i.;;;;;';J".,
There h been no new expert judgements in this project,

except for those related to the the
method described in chapter 4. Thii means that no iIF variu,
been changed since the 95 edition.
,ir"pi
o'-i- g detectors, have
Th" covemge updates are taken as a weighted average between the previous estimates and the
observed coverage in the OREDA phase IV databe.
The previous stimates are given double
weight since they include expert judgements arid the dat
material is s"oc",
with the
OREDA
Phase
releai;;;;;;-t'n"
previous
il sources for the uario,rs components'-The
database'
OREDA
the
than
o'ht'
'o*t"t
estimates in the ss .auon *'ie;; ;;;;;;xt*bi9,:"
tutt dutu to*tts are given below'
failure
the
all
of
;;i;v.J;w
th"
data dossiers give informatirr;
rel' /1/' /2/' /3/' /15/' /17/

OEDA - Olfshore Retiabit Datq
Hll;:;;;'
';;;1.;r'r,
oREDA Particants' distributed

rs84,1se2'.ree3andree'I
IV
dara.
installations, collected from
bv DNV rechnica' Hvik' Norwav
"ven
installation'".i"
OREDA has publishecl tlrce handbgg;tl

edition ftom tbgz Get' t2) r'fld: "ilon
'i
l?e1
frqT"iiti"t
T8: '
!'"j''11-%:**r'
rt9ry-
(ref
l3t)' 2nd
there are
threeversionsoftheOREDAdatabase,ofwhichthelatestversion.isthemaindata
sourceinthisrepoft,denotedtheoneplpr'*"d"tab"s"(ref./15/).Thedatain
was collected in 1993-96'
te Onep pnle fV database
on Fire
Oseberg C 'Experience Dat
For some equipment types additional data was registered

in the oREDA phe
are additional data in phase rr, the OREDA phase

III uta ar us"a
gstimates' If this is not the case, the previousy
recommended estimates
filters
the later versions' Thus new
esdmate is beil on other
totar
afier
the finishing of the 95 edition . lvhen this is-the ce
the previous estimates are updated
sequentially
with the complete OREDA Phase
approach described above.
comiatible with the PDS Tool'
reliabiLiry
WheretheoREDAPhelllorlVdatabasedoesnotcontaindata,ordataisscace,thefailurerate
in *'"t"'i*: *dl:lTl:*liduat
irn.".
The following should be noted about the update of the

reriabiliry dara esrimates:
j. rni, l, on.o "
SomefiltersusedinthepreviousstudywithearlierversionsoftheOREDAsoftweaenot
have to be set'
calendar time in OREDA phase
along with the source
"#:"1;:"'"'H"iff,'i"'f i,,3i-:""i.:"lilff ',,iii.'ffi "ili

expenence
"nn Sea and in the Adriatic Sea'
-l]i-
dossiers'
tisting - e included in the data
Now the new failure rate is given by
'nw
l)
anil
;;":ri
';:;u;rt
Publ.war:
Jon Arne Grammeltvedt
";:::;:::"'
if:"tJ;i::ents
Gas
Detecton' ref'
/4/
Porsgnrnn' Norway
Norsk Hydro' Research Centre'
1994
IR name
data on catatvtic gas detectors'
Sea'
North
the
in
"-ry.-".:ifrom the Oseberg C patform
detectors an smoke detectors
ref' /5/
Process Safety Systems'
rerd
Methoil for
WLCAN - A Vulnerability Calculation
Lars Bodsbere
Author:
Norway
publisher: Nor*"giirirtituteofTechnology,Trondheim,
Publ.Year: 1993
detectors
railure data on fire and sas
';':r:;i::"?'' i#l;ffiT:serration incrudes experience
jl,;:;,gl*:m:,*:lJJff
rrom"J;,il;;;iglrlr:^.:
respect to ra
very comprehensive with
t" rt"i't
,nu,,n"
"iiit
in the oREDA
Phase
III
data'
l1"i:"1:
Systems
Reliability Data for Control and Salety
l6
1998
,@stltllllEm
NPRD-9L: Nonelectronic parts Reliability Data 1991, ref. /9/
Authors: william Denson, Greg chandler, william crowelr and
Rick wanner
Reliability Analysis Center, Rome, New york, USA
Publisher:
year:
PubI.
1991
on: Field experience

Description: The handbook provides failure
rate data for a wide variety of component types

incruding mechanicar, electromechanical, and discete
erectronic parts and
assemblies. Drta.represents a compilation of field
experience in military and
"Reliability hediction
of
nor.o";.J;t '--HDBK
Erectonic Equpment". outu
.îl^l:r:^**.es,
number of
chaacteristics.
ne\bilitl Datafor Computer-Based
LarsBodsberg
SINTEF Safety and Reliability, Tondheim, Norway
on:
Descriprton:
Field experience/expert judgement
11'l'r"r'-
2.3.1
rrFprobabilities
/g/
Authos:
Publisher:
PubI.year:
Data based
;i;;dbelow,
.Process
process Safety Systems,

re!.
1989
The report Presents field data and guide figures for prediction
of reliability of
computer-based process safety systems. Data is
based n eview of oil comiaay
data files, workshop with technical experts, interviews
with technical
questionnaires.
tffinrra
Descripton:
'
,".\-;1\, ",.,;..,,,
{.,.,:;r)
..,,;.-,,r."
itsJlf, essentiatly caused by human

probability, 10-3, is assigne io I switch
the sensing line (piping)' he TIF
it"i"A;ttc
ny
n"*O'
interyention (" g' "*t";tat
is carried out' which
u p"i"", funconal testing
probabiliry *uy lnr*" ,o 5.10-3, uniess
line'
also detects blocking of the sensing
expected to have even smaller
lIF'
Fire detectors
Itisassumedthata.detectorwiththe,,right,'detectiorrP'il"'Pl:is.applied(Smoke
d: *-i::nt^where flame ftres
fires t"
detectors are applied where smoke
gives a very low
"*p"tt"J*a
s a.possibility tiat a fue may occur which
e expected') Even so' there
Butterworth-HeinemannLtd.,Oxford,Eneland
orobabilityofdetectionbythedetectornuro"".i*.bo"tothisfactanintervalis
the fire, essentially
";:Th; ir uu. *u1n ;dt,i"; to the size of
provided for
Fourth edition, 1993
on: Mixture of field experience and expert judgement ,

Description: The rextbook "Reliabil, uatntanaw[ity and Risk - practical
'
.n
-
evaluated
David J. Smith
Methods
Engineers" (ref. lZt) have a specific chaptr and an appendix on-iailue,rate for
data:
The data presented are mainly compiled from varius sources, such as
MILHDBK-217, NpRD-r985 (i.e. rhe 85 vrsion of MRD-91) an opGoe
Handbook
1984. The failure rate data presented in the textbook is an extract.from
the database
FARADIP.THREE.
'
NotethatanewexpertjudgemensessionlgasperformeddurngthelggSstudy,givingTIF
the
*itt r"sp""i to detectoitype S point or line)'
values for g* a.t"ior. dfferentiated
probability for IR
TIF
ihe
inflo"n."
size of the leakage, and other .onaition*p"ja
was not
a, 1at-probability for catalic gas detectors
detectors. s". cri"pto i, "t"1..
relevant'
less
and
old
* tfo' t"n"ology is considered to be
Data based
,:
'rt--tt-o''-t
Gas detectors
F ARADI P.TH REE, ref. /7/
Author:
Publisher:
Publ. year:
tr-i:-1.1.:l),,:r,
"o*pl"t"'"tng,
The handbook_ (in swedish)
provides failue rate estimates for pumps, varves,

instruments and electropower components in Nordic nuclear
power flants. The data
are presented as constant failure ates, with respect to
the most significant failure
modes. Mean active repair times ae also ecorded.
;1 Y\r'rr'i--! ")\r.i
ilr';"'"'
i-\lo"-*'
th".1:i:Tî linesdetectecl bY the

have a "live signal"' Thus' bloc-king "f
"U,.ao a significa;t part of failures of the transmitter itself
operator - is ln.t," ,n
Thus' the lIF prob,,stuck,, failures) are detected by the operator anicontribute to 2",.
(all
are, due to mole
tansmitters
bus
and field
is less thr'th of the switch. smat
/6/
Publisher:
year:
i;;{
,\.,. .^ " {,,.t,s
ability
Authors: ATV-kansliet and Studsvik AB

Vattenfall, Sweden
Publ.
Version 3, 1992
Data based on: Field experience
t''''-'""
Processtmdre"rs
;p"*;
T-boken: Reliability Dat of componen in Nordic Nucrear power pran,

ref.
Somecomments'basedontheexpertjudgementsessionperfolle]:nngthe^previousandpresent
and coverage'
in partiuhr onihe given values for l/F
u1., include
.rti*ut", of
Data
of the column
input data to pDS analysis. The definition
Table 24summaise the recommended
2'1
Chapter
given in
fr*aingr r.tut", to the parameter definitions
2r7,
part
failue
failures, rotal operaring.toun, an detailed part
descriptions, quarity levers, apprication erwiionments,

point
11
2.3 Summary Table of PDS Input
Data based
industrial applicarions, and concenrraies on irems
Edtion.
*t li""t"t
ttt"-tJ*
"^.h
(indoor/outdoorl qrocess area/living
generally
depend on tne tocaor/envionmenr "r
detecto
19:t -pt:^l^"jtilt"ctors
quarter). n",
detectors are
Flame
grelter'
sigrrificantly
is
the value
serve as ,".onu iuri"., and
but oil fues in process
"
ir J;"n4_t""imalted ,IF = 3'104),
reliabte untess
as 0.5, could apply'
*"i"""' '*"t"
"t"
"f
*
d*"1;il;ir*"r.",
will
e
?Lprouuuiliry
as
high
systems
, - ^^ ^^+",'a .*^'q For dedic
^---"'T;;rIF
for the rogics is.essent4lt *:j.','J"::il""::rff:.t"#fiithlTH
Fo' standard
I
:*i,':"n::fff J l"ilii r'Jffi *md;;;,r,**" ""o's
PLC
systems, the estimate
/F
5{0-
appxes'
,,;*t},.-
lo
Safety Systems'
Reiability Data for Conlrol and
@)stlNTEF
18
1998
Edirion.
murtipricitv,gt-:'b:i:.^1":li:i'liltih::IJJJ;5':;:
0
H+
r' : ?0_Tfj"';3,.i;Ti'i:ffi:h',"i"in'iv ir'" uoth modures have

that just one mo(
As an exampre, consider the
Valves
The zIF probabiliry for ESVs witl depend on the type
of functional resring. If the ESV is
shut in completely and pressure teste, iryF
ir al*"* because of rhe
= 10-6'ithis
possibility of human elrors' e'g. related to bypass and """
improper testing). If the ,,functional
testing"just involves a check that the valve moves
lstarts closng on dman, the value 10
r
is suggested. This.?IF val,re also applies ioi
ol valves. AII these values include the
"ont
pilot valve. The major contibution to the llF probabiJity
for psVs is wrong set point due
to enor of the maintenance crew, and the same TIF vaJue
used for switches is suggested
(sensing line nor included).
;;;
probabilitY
failed is 0.10'
single SimultanousY
failure lalure ol A and B
Unit A
2.3.2 Coverages
Feliability
btk diagrm ot
B single
lailure
the redundant modules
Senson
Line testing gives a coverage of 20vo for switches, conventional
transmjtters and ESD push
In addition operato detect a significant
of p.o"".r-tanimitter failures
(transmitter being stuck), giving a total coverage
foi transrnitters which is significantly
higher. For gas detectors also drift are detected (low alarm)
an trris *-uy
trips to be
prevented. The given covefage for smoke detecrors
"uur"
applies for analog
buttons'
p*
sensors.
Control logic
For bus coupler and communication unit 1007o of rip tailures
actually gives trip. Further, it
is estimated that 957o of loss of safety failures e detected,
and a Fr iailure is prevented.
Valves
No automatic self-test for valves. It is estimated that o-pgqlo"rs detect

6^5/9 of critical
failures (stuck railures) for B-q9l-ygJ=vês. There ." ..ffiia
so failures on valves
detected by continuous condition miorl,ng in the ORED phase

fV data It is assumed
that these failures are detected by operators and thus included
in the So coverage.
Note that these values are

comments in Section 2-2-
23.3
p-factors
partially updated with the TREDA phase IV data, see also
the
_r.1,r,rn flq\a
When quantifying the reliability of.systems elnploying redundancy, e.g., duplicated

or triplicated
systems, it is essential to distinguish between indepentlent and, dependint
foior"r. Normal ageing
failures (see /141) are usually considercd as independenl failues. However,
both physical failures
due to excessive stresses/human interaction and alt firnctional failures are by nture
depend.ent
(common cause) failures. Dependent failues can lead to simultaneous
failur of more than one
module in the safety system, and thus educe the advantage of redundancy.
In PDS dependent failures ae accounted for by introdu cing a multiplicity ttisibution. The
m-ultiplicity distribution specifes the probability that - given that a failure has
ccurred - exactly ft
of the n redundanr modules fail. Here, & equals r,2, ... , n. The probability of k
modures failing
simultaneously is denoted
p.
components
distribution for iluplicated
Figure 3 Example of multiplicity
Table6plesentsrecommendedp.factordistributionsadoptedfrom/11/.Thedistributionsare
pr"il"i
r
r
r
dependency
,tte following degrees of
Low
Medium
High
ComPlete
Table5pfesentsguidelinesforselectingappropriatedegreeofdependency(adoptedfrom/11.
sullilem
20
)@
1ee8
Table 2 Failure rates, coverage and TIF probabilities

for input devices
Gomponent
Co verage
-i
;Pf{ 106
hs
cFrQ
.
Process Switch,
FlQ
"ndd;:'
':
.t .: 'i,
'I-.r per
:..
.so
1SO
Ln
Inpffice
,,
Edtlon.
21
probabilities for control logic

Table 3 Failure rates' coverage and TIF
10
.i lrs
So
Iff" || ^'nr
t
lL'*
Control logic units
3.4
90Vo
20Vo
2.1
0.2
0.9
l.lo3 - 5.10r
2)
l.J
9Vo
20Vo
1.6
0.1
0.4
3'104 - 5.104
3)
Level (displace)
Tansmitter
3.1
90Vo
50Vo
0.9
0.t
0.8
3.104
5.104
3)
Temperatue
Transmitter
I .8
60Vo
60Vo
0.6
0.3
0.4
3.104 - 5.104
3)
60Vo
5jVo
0.7
0.6
1.1
3.i0" - 5.104 3)
2.3
60Vo
4OVo
0.6
0.4
J .6
80Vo
7Vo
0.7
0.1
Conventional l)
Reiability Data for Control and Saf ety Systems
5.10-s - 5.104
2)
Pressure
Tansmitte
Field
_
Flow
Transmitte
Gas
detector,
catalytic
Gas detector IR
point
Gas detector IR
line
t1 .0
4)
3.104 - 0.1
6.10-3 _
bus
couPler
l)
t)
somewhat less than this value

Note that the value for one signal path is
por ftfv ceruned and standud system' respectively
probabilities for output devices

Table 4 Failure rates' coYerage an'l TIF
4,8)
l.l0_3
,E
80Vo
7jVo
11.0
0;l
0.1
40Vo
507o
0.5
0.8
1.2
6.10-2 _ 7.70-2
j IilO,.,
"ndr
so'-
per 106
Component
3.6
COYeraBe
'hrs
4.8)
crro..l
,,ffi'
cso
--l
.a" Per 10o
hrs
TU'
rff., I rf...
Outpul devices
Smoke
detector
lo-3 - o.o5
5)
ESV
Heat
detecto
2.4
50Vo
5OVo
0.6
0.5
1.3
0.05 - 0.5
6)
8.2
detector
5OVo
5OVo
1.0
2.1
2.1
3.10* - 0.5
7)
Push
button
1.0
20Vo
2OVo
0.3
0.2
0.6
l0-5
30To
1.1
0.8
0.5
r)
1O6 _ 10-s
1.6
OVo
Vo
+-3
1.3
0.3
lo{-105r)
20Vo
3O7o
0.7
4 .2
t.8
7.6
604o
'107o
17.8
2.8
0.1
10-s
,R
6O1o
'7j%o
3.0
0-8
u-
t0-
0Vo
5 .0
1.0
o.z2)
10-3
valve+actuator)
Pilot valve
ESD
OVo
X-Mas
Other ESV lmain
Flame
I .6
Control
valve,
small
)
2)
3)
4)
6)
1)
8)
Daa primarily apply for pressure swrtches

Wilhout/with the sensine line
For smarlconventional,iespectively
The rangc,gives values for lge ro smalt gas
leaks (large gas leala ae leak
> I kg/s)
For smoke and flame fres, respectively
lherange represents the occurence ofdifferent types
of fires (different locations)
Forflame and smoke frres, respectively
Average over ventilation type and besl,/worsr
conditions, see Chaoter
3
Control
val-ve,
lge
Pressure relief
valve, PSV
1.2
07o
respectively
testing'
For complete and incomPlete functional
lead to system [aP
ttote tna tnp of fSV does not necessarily
Safety Syslems
Reliability Data for Conlrol and
,@ SINTEF
22
1998
Edition.
23
Table 5 p-factors of various components
Fire/gas
detector
p-factol
te'rm
Component'.
tlistributions
Table 6 Recommended p-factor
:disfribution
=hl
Comment
r.'t.r.,..
d"pendence
-"er..
"f I Irigh
ruium
ut devices
mo
2: Medium
.so
dependence
contribute to CCFs
Ttr
<0.2
3: High
dependence
Same location and design give high fraction
TIF
4: Complete
>0.2
dependence
Almost complete dependence when the detectors

e applied in scenarios which they are not de_
Same manufacturer, environment and maintenance
CCFs
of
0.9800
0.0180
0.0015
signed to handle
Pressure switch
Pressure
atl
all
hansmitter
2: Medium
dependence
1:
[w
dependence
Same manufacturer, medium location and main_

tenance contribute to CCFs
Field data shows a significantly lower faction of
common cause failures
for
transmitters
as
compared to srilitches
Field bus
transmitters
all
1:
Low
dependence
2.4 Further Work
Application software has a lower fraction of CCFs
Boththeg5editionandthepresentstudyi]lustates,thatfurtherworkshouldbecarriedoutonfailufe
validity of reliabiliry analyses:
io inir".rJ tn" cr"iility and
data definitions/cf*rifr"ution
than the system software
probability
2.4.1 Variability of the TIF
PLC
all
"iO
2: Medium
dependence
System software errors gives a rather high contri_
bution to CCFs. Other fr:nctonal failures also
Forseveralcomponents(e.g.sensors)thereisobviouslyawiderarrgeofTlFvaluesthatmayapply'
such as
depending on various factors
conibute.
Ouut devices/Valves
Pilot valves on
aIl
2: Medium
dependence
all
1:
same valve
Pilot valves on
different valves
ESV
Low
dependence
all
1:
Low
dependence
Same design, location, contol

tenance contribute to CCFs
Lower fraction
of
fluid and main_
CCFs when pilots activates
all
l: Low
dependence
r)
process arealliving quarter)
;;;;s"(e'!'anaiogue/diqil4'Pginqn'].-,^^,,-line)
impulse
svstem boundary it'g' *ittt/*itttout
fype of functional testing erfecVtncomptere't
u*ount of self{esVmonitoring
different ESVs
Same design, medium ard maintenance conhibute
to CCFs. Field data indicate a relatively small

fraction of CCFs..
Couplers
location (e'g' indoor/outdoor'

detecdonPrinciPle
Application software has a lowe faction of CCFs

than system software
specifies which failure rate/probability rhe given distribution appries

for
Anefforthasbeenmadetomeetthischallenge,b.ytyfaronlyforgasdetectofs.However,itisan
*":"t'+;;"':"t:::t:i*l'r":*;mt"?ii:ttr#t'
obuiou, need to quantirv

value' rerlecung
or.* ,vp.t, so that an appropriate T/F
for actual studies'
testing
errors and human errors during
2.42 Distinguish between design
by
ItissuggestedthattheTlFprobabiityshouldberestrictedtoaccountforfac.*:'ll,arepresentfrom
These are failures caused
uuto*utl"f"".,1"J
in-ly
and which are
th-i|1{ errors introduced bv
d".:t:'.t:-t-t';;i;-suggested
be defined as
design enors, e.g' including
"f
iniquate testing) should
(e.g. by;pals ruilu,",
testing
should
upoi
models
crew
u"Jprov"d
the maintenance
U inctue i" ili'-p't"ility'
a separate category of f"ifor"s,--ar;d'no't
testing'
6r fitures inuouced during tunctional
day
l,
;;t.a
".""i';;#
*'" r""r*
"tt'
-J
\g
24
Beliability Data for Control and
tlNULqf
1998 Edition'
)
The above suggestions will make analyses more credible and
accurate (ptant specifrc), and it will
facilitate the communication.between analysts and
maintenance/operational personnel.
make analyses more informative with respet to identifying

factos that
identifuing means of improving system dpendability.
"rr""
ri"
It wili
also
i""-iliry, and rhus
3.
Saf ety Systems'
25
pnosnnIr.rrIps
PPLIcMIoN sPEcIFIc TIF
unrgoo roR oBTAINING
3.1 Introduction
parameters in quantitative dependability
data are used as input
In most RAMS analyses generic
;uu"'ug"
it is theiefore desired to establish
;;;;;;i
"*i;unJ
assessments. These generic
into account' In this report
conditions
to tut'
a method for adjusting th"'"-;;;;g;;alues
'pt"int
future repofts we aim at
In
t^git-iirryrrs.
f",
present
a
merhod
vr'e
"a-unut
"urrJt;r;;
parameters and equipment classes'
i oter
;.:";ffi;;iit""l"gv
by a step by
Firstthemethodisestab]ishedandcalibatedbasedontheresultsfromanexpertseminar.The
N.*t tt" orJoi ift *ttito is described
ir S".,..
*.
:.S.
*urn**i."
main resulrs
is given' see Sections 3'7-3'8'
step procedure, and an example
3.2 ConcePtual aPProach
conceptual model
A.conceptualhierarchicalmodelhasbeenestablishedrelatinginfluencin.gconditionstodirect
u, if*rt ui" irifig*" 4' This
failure causes and the
"rJ;-Tf;;"U,liry
zJr.r'* r"tutiu"
contains a set of baseline
direct failure
i,npo,iult t*tig"1 of the various
causes.
Generic baselne
TIF values from
expert
Tminar
\
High
High
Generic weights from

expert semlnar
DC,,
-V
(
(S)
APplication specific scores
structure
Figure 4 Conceptual hierarchical
-
Thetotall/FprobabilityisthesumofTlF-contributionsfromthefollowingcontributingclasses
GA:
r
.
.
TIF'
Design enors (CCr) giving
glvingTlFz
(CC
Wroig Iocation
Insufficient functional
't po""ao'"
giving
or human errors (CC)
?lF:'
..Behind,,eachcontributingclassasetofdirectfailurecauses(DC)are.defined,forexample
each direct failure cause
t-"sign" The impottun"" of
are
"forset to test" and "*'o'l' ""t"
(wn' ninty the direct failure causes
within a contributing
"r"""i'#"y
"v'eight
and Safely Syslems'

Reliabiily Data for Control
26
,@srNTEF
19eB
influenced by a set of influencing conditions (1Q. These are conditions

that are controllable by
the operator/designer of the installation.
/F values and the weights wee established during an expert seminar. In a

practical study the TIF probability is adjusted according to the
staL of a set of influencing
These beline
conditions..A "check list" procedure is applied, where for each pre-defined

influencing condition,
l t"of tl given representing the state for the particular applicatin. A scoe is a number between
represents the "worst
rhLt u, +1 represents ttre ;est case,,. See
Td 1l' A score of
"us"",
Table7 for an example.
-l
Edition.
27
Modifications
1,r.;ff::,:.:1t li;flft,l;
For each conrributins crass:,

iii;,il
of these direct causes a ret
class'
to 1007o for each contributins
l;;
i:th*I
iltillu*;;
a direct
inJluenc.ing on
Notethatadirectfailurecausedoesnotdirecdycorrespondtotheconditionsthatafecontrollable
focuses i.,r'""i,i"ns
by a designer. Therefore *;;;Jt*ically
ra'ur" caus". For example,r'.'i""'"i*,1"' "r
l"::* 1;Lj;l=*il.:T::"*:,t:?:tl';odi'":;
score w'r be
r" p'""ir" -arvsis

lii"i,ffi:of ;:i,::iliiin -]'fi{*4;l '
*;
assigned to each
'h"";;;'i;;' 1irre I:t:'ii"ff.#:f:;#''Jgli:"i
an
estabrish
to
r' possibre
i"Jlffi;;;;i'
rrri.Jlffi:il.f:"T'":fi
specrllc llr'
a
Table 7 Example of check list for TIF evaluation
application
Thereisnostraightforwdmannertoestablishafe]ationbetweenthescore.sandThreTlF.values'
on tt'" following principles:
rt r"iu,ioo p.";*"u *
"
equal TIF,on\f all S=
tti"i t"d;;;;"
3.3 Definitions
The following definitions will be used throughout this presentation:
o A contributing
t TIFshould
1'T1,
1/F,,n3r' if all 'fu = 1,lurthll'---.n,
-' ir' Ji""ia equal tne
*.* f the low ardhighrlF-vaiues'
the
;.11;;'; tqt o flF strould equal Seometr
o
class (CO
is a class of direct failure
causes that contribute
to the TIF
probability.
A direct failure cause (DQ is a specific and clearly defined cause within one contributing
class, influencing the IIF probability.
'
c
An Wuencing condition (1Q is a condition that influences the probability of failures

due to
the relevant direct failure cause.
A score (.f) denote the state of a specific influencing condition for a given application.
10
of this principle (TIFnign=
Figure 5 i'ustrates the implications
r' and rIF' = lo'3)'
:-+-
3.4 Method
o
The main idea is to establish rheTIF contribution from each of the contributing classes,
and then
next evaluate the diect causes within each contributing class. The following cntributing
classes
have been defined for gas detectors:
.
.
.
Design enors (CC1).

Wrong location (CCz)
Insufficient functional test procedure or human enors (CC3);
In the expert seminar baseline numerical T/F-values were established for each contributing
class,
CC, i = l;,'.,3. These baseline numercal /F-values represent the anticipated range
for TIF
values for vious conditions on an offshore installation. Notational we
leT TlFto*conesponds to
the "best case" and rlF,s cofiesponds to the "wost ce" for contributing
clasi.
.A set of direct failure causes are defined for each contributing class. For example
for the
contributing classwrong location the following diect failure
u.e,
Wrong location by design

Wrong documentation at installation
"ous"i
0.5
Sco
function of score values

Figure 5 TTF values as a
the
The formula for acljusting
.l+S, /
T, =iwDc, (TIF,,,"
and the total
rrn
IF for contributing
TIF
for
all
)T
(TIF,,
class i is given by:
(l)
al-S,
J'
given by:
contnbuting classes is
irq ='oc,fr",""
h*''.'
gives:
all influence conditions
Note that average scores on
(z)
psnmrnm
28
and Saf ety Systems

Reliabilily Ort" to' entrol
1998
rj--
TIF, = ) JTF,
r-'
Edition.
'i
Table 8 Overall results,
T.o,ro
29
'
TIF consiilerat"
t"t *
That is, 71Fa is the sum of geometric means for each of the contributing classes.
ouiP.u*"t"rsettings
(response time, sensitivitY etc'
3.5 Results from the expert seminar

Wrong ryPe ot detecror^
ioo"i."tioi
The objective of the expert seminar was to

Establish a set of "Contributing Classes" CC
Establish a set of "Direct Causes" DC for each CC
Establish a set of "Influencing Conditions" .tC fo each DC
Establish TIF and TIFrfor each CC
Establish elative weights wDCwithin each CC
6lith
heavy/li ght
"n"itonment2,
weather
@of
r
o
h.ûY or light gasses
Two diffeent detection systems wee considered:
Infrared (IR) point detector

lnfrared line detector
lnsriion
ln addition the following 8 different scenarios were considered:
o
o
.
.
r
.
o
r
Small gas leakage in open area

Small gas leakage in naturally ventilated area
Small gas leakage in mechanically ventilated aea
Small gas leakage in ventilation intake
Large gas leakage in open area
Large gas leakage in naturally ventilated area
Large g leakage in mechanically ventilated area
Large gas leakage in ventilation intake
where
Smail gas leakage, release ate <1
Large gas leakage, release rate 2 | kgls
kgls
air
<tu*ings, taglists'
@odification
$Gt-. -a Pto""dures for

and
@uuitiry
Gie-mandqualitatitelY/
rue.
ouantittively different from
plasuc oag'
emand (e'g., covered by
gas
wfong gas tyPe nd/of
Note that such a scenario consideation is only necessary for contributing class cc2 .,wrong
=
location".
On the expert semina focus was on the qualitative identification of direct failure causes and
influencing conditions. In addition, Z/F-values were stablished for each contributing class for
different detector types and scenarios. Based on the discussion on the expert semina SINTEF has
proposed numerical values fo the "weights" of each diect failure cause, and performed a
grouping of influencing conditions. The members of the "PDS-forum" have had this results for
comments. Table 8 summarises cci, DCs, ICs, wDCs and r/F-values established during the
expert seminar and the post processing of results.
'"i.dEf C"'u"t"or
ffidtit(ti*t
tesrcd'
forget to test" wfong documentatlon'
i@e'
mis-understandings)
(wron g- derecro
6Tvoussnot t"mo"ed
i'p"r*' forgel to remove bypass)
Wpassed
modes ae made
I
No consideration of failure
t T"moerature, pressure, flaring etc'
:i:m::ti;;!lation
with respect to heavv/right
gasses
P*ssure' working
accessibilitv
componens
{(P
30
1998
Edtion'
Table 9 TIF for CC2"V,lronglocation", IR point detector
Ventilation
type
Open
Naturally
ventilated aea
Mechanically
ventilated area
Ventilation
intake
Small sas leakase

Worst
Best
0.5
0.9
0.01
se\ffipaiJffi;:i,H:iir'iil::,:'1'i":r',ii';ilYl;
'Worst
{c,
It
0.1
0.1
0.3
5.10-3
5.102
5.10-3
0.1
l0-3
10-2
104
lo'2
104
10r
During the.expert
surr
and "global" effects'
lo"' eff ect, and'l 57o "global" effect
Large gas leakaee
Best
3l
Control and Saf ety Systems

Beliability Data for
st]l,lulsF
on-the density of
does not depend
f/F-contribution
"local"
the
that
is reasonable to assume
..
derectors. How
ever,,n"
"
'i' !p:ll *rifu:itf"mi"uiT
iff";;;;,i.: 1",,",jifii*lg'iJffJ,i",:i: fi: ffii;;;

l'"'#"r:"i":i" ?.,:* assumed
;r"1tr
berow
procedure suggested
TIF
Table 10 TIF for CCz r\ilrong location",IR line detector

Ventilatlon
tvDe
Open
Naturally
ventilated area
Mechanically
ventilted area
Ventilation
ntake
small ss leal(se
Larse sas leakase
Best
Wrst
Best
Worst
0.05
0.09
0.002
0.02
0.01
0.03
1.10-3
l.1o-2
5.10-4
0.01
2.lf
2.10-3
104
7o'2
104
'Local"
detector density
Figure 6 TIF versus
ro
simp,irv
try
number per detector'
,yi*Uk*
:ffffi":lJ$
follows:
i::i"" *tr, o:t:t"ôt
i:,p::::.hr'ciu
pragmatic, ano is as
v^..'----Te I ro..uure is
uev formurus.
n-3
new TIF number

the slanoarus
be used as usual with
r.
3.6 The relation between TIF and detector densitv

l0 were established the following question were
asked:
3.
"Assume that there is only one detector installed to detect a gas leakage. What s the TIFprobability of not detecting such a leakage related to contributing class 'wrong location'?"
o. Denote this
scenario,,ro:i",ff"j:,",:,:,*iiyjfffif:tm;:it'*ratreastone
-=
lfi;; -nly on" d.t."tot.
*,1ii::;#''_-,,'_
means
0
/(
- o ;1 5k)
detecror. =
= TIF r^,"tn"(t
"'" ":ri::li:; :,{}:
For a given
number
Note that when the values in Table 9 and Table
*j,p:'f-::iiJii,:lfr
/<,
where
ro
This is rePeatedboth
I{'*;;,i[]Xi.'
3.7 Using the methodologY
The f,rgures given therefore contain two types oflocation enors:
r
r
AstepbystepprocedureisproposedtoestablishTlF-probabilitiesforaspecificapplication.
"local" effects related to a detector in an area containing gas
"global" effects related to the fact that there might not be gas at all in the area where the
detector is placed.
For a specific analysis where only one detector is considered, the TIF values may be used
Step 1: Identificationofdetection
stated in Table 9 and Table 10. However, in the situations whee several detectors ae used, it is
not straight forward to use these results. When the total CSU is calculated, the "T1F-contribution"
from each detector depends on the dependency, or so-called '-factors", and it is reasonable to
assign different dependency factors for the "local" and the "global" l/F-contribution.
will determine
--:-r-^red line detector. This choice
i'ti"t,.*g"^"t"::lio',t#:'o1"l,'J"';i:i';
aole
whether Table 9
as
system
or'l
of gas leakage size

Step 2: Itlentification
iliril"*i"g definitions are used:

< ikgls
. Small gas leakage' release rate
2 lkgis
rate
release
. ;;" las leatage'
Syslems'
Reliability Data for Control and Safely
9suNTEF
1998
Edilon.
33
(CC)
TIF for each contributine class
Step 8: Calculation of adjusted
contribiution is calculated
the
Foieach contributing
Step 3: Identification of type of area

Data is available for the following types of ea:
t
r
r
tl^t
.,-
=-l'"''l
formula:
'l+S' /
OPen
Naturally ventilated area

Mechanically ventilated area
Ventilation intake
T,
=iw
DC u(Tr,.,,"
following
,l-S"
(Tr'0,
J'
3 in Table 12'
(S';) are ead from column 2 and
where the weights (wDC)and scores
TIF
Step 9: Calculation oftotal adjusted
class are sumnied up:
contributing
The TIF contributlons
"ut
Step 5: Gas leakage scenario

As discussed in chapter 3.,6 the TIFz,tow and TlF2,rvalues
in Table g or Table 10 represent the
TIF for a "single detecror". T\.Tr-c:ntriuution
derector i, tr",mlu* r.**y derectors
f
win be less than rhese values indicare. To adjust the TrF_varue
th; ;.d;t*;;rnr,,, o, shourd be
identified' we now define such that k ioovo 1 means
=
that .,it is likely,, the gas cloud will
=
reach at least one detector. & less than I mears it is likely
that there ir no'"t."to, in that
TIF=TIFr +TIFz+TIF
will
the
''F
Step 4: Establishing correct TlF.values for,.ocation errors,,

Based on the specifications.in s-teps r-3 it is possible to
look-up the corect values for TIF2,. artd
TIF2,. fom Table 9 or Table 10.
where the gas cloud
by
"o*
3.8 CalculationexamPle
highlight the content of each step'
A calculation example is given to
area
pas.
il1J;l*lrr3:iJ.i':ilii.':"
Now calculate new /F-values
a inrrared
used in
point detector' hence rabre e is
Step 4.
TIF2,bn = TI Fz nn(1 - 03 5k)
TIF2s= TIF2,g(7 - 0.75k)
These numbers ae then to be inserted
e
using rhe "rert" part or rabre
$i,3iJi:Xt'Iii:,"[tflT.t:"tiT,u," . lksls
in Tabre r2,see discussion in Step 6.
of area
Step 3: Identifcation of tvoe
a mechanically ventilated area
We assume that the gas'"utug" is in
Step 6: Identilication ofstate ofinfluencing conditions

Each influencing condition which h been identified should
be evaluated with respect to the state
for- the particular analysis. Table 12 may be used as a
starting point for this evaluation.
rightmosr corumn of rable 12 the apprication specific ..r"or"^"

following coding shategy may be used:
S = -1 - Worst state, i.e. no specific means has been
S = -Vz - Bad state
,hr"ld
In the
;; iiri.o, ,"r" tt"
identified
s = 0 - Average state, or no information about this condition

availabre
S
Yz
- Good state
- Best state, i.e. specific means have been implemented
An example how the scores are entered is shown in Table I
l.
Step 7: Calculation ofaverage scores for each direct failure

cause
The average score for each influencing condition relevant
for that cause should be calculated and
placed in column 3 of rabre 12- Tabre I r shows an
example of such average calcuation.
TIF-values for '.calion errord'

Step 4: Establishing correct
Jtuin TIF z r* = 5' 1 0-3 and
B ased on the
specification;
;;"
il;
Step 5: Gas leakage scenario
rIF 2's = o'r'
low densitv)' hence

= 0'33 (relativelv
:"d#;;;;;;:ti'
'"z'
3
TIF z ton = TIF 2.e*(1 - 0.7 5k) = ] 1']y-'
o'075
liF
;:;^ = TI Fz.eQ - o.?sk) =
ri,
These values are used in Table
1'
of influencing conditions
Step 6: Identification of state
Th scores are shown in Table I
I'
cause
scores for each direct failure
Step 7: Calculation of average
of avetage scores
See Tabe 1 I for calculation
(CC)
TIF.for.each^contributinB class
Step 8: Calculation of adjusted
on the formula:
based
is
contributing class inTable
The TIF contribution from-each
Il
@srNTEF
34
lL
.l+s,/,
T, =\wDCr(rm,.,,")' 1rm,,*
and Saiety Systems'

Reiability Data for Control
1998
Edition.
35
,l-sr
TablellExamplecalculation;adjustingtheTlFprobability
Step 9: Calculation oftotal adjusted TIF

The T1F contributions from each contributing class are summed up:
TIF = TIFI + T + TIF3 = 36.9.
lO-3
rj
r@srNTEF
36
and Saf ety Systems

Reliabilty Data for Control
Ediion.
1998
31
Table 12 Check list for influencing conditions
4. DemDossrnns
components'
control *d
the data dossiers of the
Y -sy-stem input data to
The following pages presents
"recomended" generic
the
4,
summarising
2-Table
Tab;
to
These are the input
PDS-II anaiYses'
e given in /13/ and
Thedatadossiersarebasedonthoseintheg5edition/13/,whichcontainsfailuremode
of these abbreviations
abbreviations no longer
l1'7 |
or.irn oREDA. Definitions
FollowingthedefinitionusedinoREDA,severaiseverityclassrypesarereferredtointhedata
are defined as follows:
dossiers. The various types
Critical failure
Afailurewhichcausesimmediateandcompletelossofasystem,scapabilityofprovidingits
outPut.
Degradedfailure i-:^^r
providing its output within

L,rr.which orevents the system from
mav
o" gradual or partiar' and
:"';li:l;l*:ii:J'i:::i'T;l'ili'ili";^,;"'n''
failure in time'
dru"lop into a critical
,;,tfo"'
no'immediatelv causes ross-ora
but which, if not utt"n"
t].""*
svstem's:'t*tl:tl1::viding
ts output'
failure in the nea future'

rrU t" a critical or egraded
Unknown
deduced'
recorded or could not be
Failure severiry was not
and quaitatively/
vely different
Notethatonlyfailuresclassifiedascritica]arepresentedandincluderltheestimatesofthe93
demand
edition.
Bypass not removed
1R
TIF3 r"-
Total all contribution classes
0.001;
"'",
0.02
TIF = TIFI +
*)
38
:Retiability:DuhDjI!4 :
snmunr
Reliablity Data for
) and Safety Systems'
39
1998 Edition.
Reliabitity rDri'Dossier:' PDS'ilata
PPQ&
Component: Process Switch, Conventional
Component:
Process Switch' Conventional
Dte of Revion
DescrtPfion
1999-01-1
TheTlF-probabilityisentirelybasedonexpertjudgements.Detailsontheexpertjudgementare
sensor and
Pressure switch including
foundintheappendix.AsummaryofsomeofthemainargumentsisprovidedinSection2'3.
pneumatic switch
Overall
failure rate
Recommenileil Vlues
for Calcultion
(per 106 hrs)

lJndetected
Total rate
FTO
SO
2.3 Per
Overall
3.4 Per
0.2 per 106 hrs
106 hrs
1.39
SO:
0.00
Phase
r)
103 - 5 . 103
106 hrs
IV Softwe /15/.
Data relevant for conventional process switches'
Filter:
0.9 per 106 hrs
1.1 Per 106 hrs
Inv. Equipment Class = PRocEss SENsoRs AND

iiv. Dsiln Class = Pressure
Observed:
cfro
100
Inv.Att.iype-processsensor=Switch ANDInv Phase=

aNn
4
Vo
System = Gas Processing

processingl
(nv.
Previously Recomtneniled'
Values
6.0 per 106
r)
Withoulwith the sensing line
ailur e Rate
il
(95 edition)
for Calculntion
= 1.0 Per 106 hrs

h",
l,FTo = 2.5 per 106 hrs
Iso
= 2'5 Per lo6 hrs
L,
FTO:
hrs
Fail. SeveritY Class = Critical
No. of inventories = 12
No. of critical FTO failures = 1
No. of critical SO failures = 0
Cal. time ='l19 I
Coverage
ag-pobability
FTO:
SO:
Other:
0.61
update of the previous
"ui*"*
oREDAphaseIIIdata(phaserVcontainsnodataonprocessswitches).Theestimatedcoverage
(1007o in
the observecl coverage
judgement lassuming ZOVo coverage)and
is based on expert
oREDAphaseIII).TherateofFTofailuresisestimatedassumingacoverageol90vo
III was IOO 7o)' The rate of SO
O"'i*''observed in OREDA Phase

(previousiy assumed
estimate, expert juclgcment)'
'o
a coverage of z0 7o (previous
failures is estimated assuming
T-boken
/6/:
Pressure switch
1.15
032
Pressure differential switch
For FTO: e=0'149 Per 10' demands
As s ess ment
Thegivenfailurerateessentiallyappliestopressure_switches.Thefailurerateestimateisan
and PDS I - with the complete
- *uinfy Uu'"a on OREDA-84
OR
ND
FTO:
SO:
Other:
2.28
T-boken
/6/:
T-boken
i6l:
T-boken
/6/: Level switch
Flow switch
0.32
0.37
0.61
0.15
2.O4
40
Reliability Data Dossier
Module:
uNUBLT
ano aIety
Reliabiily Data lor Control
1e98
Edition.
y5tErr1'
PS.data
RetiabilitYDaDo*t* t
Input Devices
Component: Process Switch, Conventional

Fniilui e Rle R ler e n ce s
Co*poo.nt,
Overall
DescriPtion
'
Dte
Failure mode
failure rate
Lo Med.
440
I Med.
320
5.6
Data source/comment
distributon
er 1 hrs)
Lo Me
1540
In Med.
2520
FTO:
0.25
SO:
0.15
T-boken
/6/: Temperature switch
Hi
FARADIP.THREE /7/: Pressure switch
Hi
FARADIP.THREE /7/: Level switch
Hi
FARADIP.THREE i7l: Flow switch
Hi
FARADIP.THREE /7/: Temperarure switch
FTOhys.
FTOlrorru
process isolation valves'
Undetected
Tol rate
FTO
SO
Overall
0.1 Per 106 hrs

0.4 Per 106 hrs
0'8 Per 106 hrs

0'5 Per 10" hrs
= 5. 104
1'3 Per 106 brs
(95 eiliton)
Values for Calculation
Previously Recommendeil
0.1
PDS I /8/: Pressure switch (normally energized)
2.1
ho =
o =
F
Iso =
Note! Both physical andfunctional failures are
SOhys.
1.5
SOunct.
2.0
SO/roret
3.5
Only criical failures are included.
0.9 Per 106
hrs
Coverage
0'60
0.1 per 106 hrs

0.5 Per 106 hrs
L, =
1'5 per 106
hrs
--^L^Lilit\'
TlF-probability
= 5'10'
-smartansm.= 3'104
OREDA-84 /3i: Pressure switch, Pneumatic, Iow

pressure (less than I 500 psig)
6.8
1999-01-11
;;i"t
included.
5.2
of Revson
includes the
The pressure transmitter
and the
electronics
element, local
FTOunct. 2.0
5;
Conu entional
Pressure Transmitter'
OREDA-84 /3/: Pressure switch; Pneumatic, high

pressure (1500 psig or grearer)
OREDA-84 /3/: Pessure switch, Electric
OREDA IY - /l3l: Pressure switch. total
ailur e Rate
Ass es
sment
previous estimate
is an update of the
The failure rate estimate
- mainly
based on
nnê Iv'
oREDA iII
The rate of
;;;' * '"ei'tt'". ;*o

t no *f"*l;t*;X"tl-*n:'Ti":lt'
failures is estimated """*;;;-';;""'
a coverag
assuming
failures is estimated
u^tJni"
with .REDA phase lV
* ^"
"t
to
FTo
.'
Reliability Data for
Qsnmuur
RetiabiiitY Data
Pressure
Component:
judgement are
rherlF-probabilitv
O
found in the appendix'
'o'o**
43
1998 Edtion.
Dossigl!!$e
Transnitteyy
is entireivbasedon
Saf etY Systems
,and
Module:
o.porr.nt,
C'
lts' Details on the expert

*o"i1,'-u11i::;;,*;t".""t""
in Sec
is provided
of some of the main arguments
''''
InPut Devices
Pressure Transmitter, Conventonal
Overall
failure rate
@er
hrs)
f-Uot* lOl, Ptessure
ffi
total
OREDA IV- /13/: Pressure switch'
Phase-Ivs"ftwae lr5l'
pressure transmitData relevant fof conventtonal
Filter:
inil"equip*"'" cls:
SENsoRs AND
T:cEss
k"ttY
lr
Inv. Dsign Clas =

Phase =
-,.unrrnitter D Inv.
sensor=
Inv. Att. Typeprocess
AND
Processing *"
= c's
Oil Drocesslng,
Fail. SeveritY Class = Crtical
ftn". sy.t"t
inventories = 205
No.
^r. of
.i"ti i. frO
o. of
"ti"
SO:
"r
ters.
Obsertted:
fto
100
ifl,
.t"rlu'
TAxcoD=sPR''Al'{D'
Vo
(Calculated'
including
tansmitters having
some kind of self'
rc$ arranEement
onlY,)
failures = o
SO failures = 0
PS3l-'
OREDA Phe III /1/ Database
pressure transmit'
conventional
i" ,"n"*,
FTO:
FuNcrN='oP'
No- of inventories 186

89
Total no. of failures hs
Cal. time
"' = 4 680 182
r itc al" ar e
s s ifi e d as " c
cla
s
r-i *, "tlure
n the faIure rate esttmates'
inclwletl
transmitter
snmrur
-.
Module:
Reliabilitf,Data'Dossier
- PDSdata
Input Devices
Component: I*vel (Dplacement) Transmitter, Conventinal

TI F -probablily
Date of Revision
1
Remarlts
isolation valves.
in
Only displacement level transmitters are included
the OREDA Phase
onnenile il Value for

s
III
and
[V data
Undetected
Coverage
1.4 Per 106 hrs
0.90
0.1 per 106 hrs
106 hrs
0.50
0.8 per 106 hrs
1.5 Per
TIF-probabItY
3.1 Per 106 hrs
F alur q' Rt ii::Rifp r enc e s
Overall
falure rate
(per 106 hrs)
C alculation
Total rate
Ass essment
The TlF-probability is entirely based on expertjudgements. Details on the expertjudgement is

found in the appendix. A summary of some of the main arguments are provided in Section 2.3.
The level transmitter includes the sensing

process
element, local electronics and the
Overall
1998 Edtion.
Module:
1999-01 -1
FTO
SO
and Safety Systems.
Jr
InPut Devices
Description
P.'DS-91!
Conventional
Component: l*vel (Disptacement) Transmitter'
Re
Relabilty Data for
= 5'
1.89
Failure mode
Data source/commenl
distribution
FTO:
0.00
SO:
1.89
OREDA Phase fV Software /15/.

Data relevant fo conventional dhplnc ement level
transmitters.
FIter:
Observed:
104
,so =
Inv. Equipment Class = PRocESs
t00
Vo
Level
lnv. Att. Level sens.
Previoasly Recommeniled' Values
Coverage =
L,
6.0 per 106
hrs
TlF-probability
smarttransm'
o'is
= : l:1
- 3'10-
AND
Transmitter AND
princ. = Displacement AND
Inv.Phase=4
(Inv. System = Gas processing
Oilprocessing)
for Calculaton (95 edition)
= 4.5 per 106 lrs

h",
l,Fro = 0.5 per 106 hrs
l,so = 1.0 per 106 hrs
SENsoRs AND
Inv. Design Class =

Inv. Att. Type process sensor =
AND
OR
AND
Fail. Severity Class = Critica.l
No. of inventories = l7
No. of critical SO failues = I
Cal. time = 530 208
6.17
FTO:
SO:
4.94
OREDA Phase III /1/ Database
1.23
Data relevant
PS31-.
for conventional dplncement leluel
transmitters.
Falure Rate Assessment
Filter criteria: TAxcoD=?sLE'.AND' FUNCTN='oP'
Observed:
l
Thefailurerateestimateisanupdateofthepreviousestimate-mainlybasedonoREDAIII.
withoREDAphaselVoata.TherateofFTofailuresisestimatedassumingacoverageof9ovo
(observedinOREDAPhaseIIIwasl00To).Therateofsofailuresisestimatedassumrnga
coverageof50To(previouslyassumedtobe2}Vo'observedinOREDAPhaselVwasl00T)'
cno =
100 7o
.OR,,GP'
including
Total no. of failures = 50
transmitters having
Cal. time
(CaIcuIated
some
kind of selfiest
arrangement only,)
FTO:
0.21
= | 620 l7'7 ttts

Note! OnIy failures classified as "critical" are
included in
T-boken
the
failure rdte
/6/: Level tansmrtter
esftmates'
SilMTEF
Reliability Data f or
Safetv Systems'
)and
1998 Edition.
tRetiabifitvDallPcrssier'
Transmitter'
o*porr"rrtt l*vet (Displncement)
PDS<!!
Rliability Dta Dossier
Module:
Conuentional
InPut Devices
Component: Temperature Transmitter, Conventional

Date of Revision
Description
1999-01-1
er l hrg
L,o Med.
10
- PDS-data "
irlng tZ' t-*el
transmitter
Hi
The temperature transmitter includes the

sensing element, Iocal electonics and the
orocess isolation valves.
Remarks
Note that the data material for temperature
estimate
ftansmitters is scarce, i e', the failure rate
20
total
OREDA IV- /13/: Pressure switch'
Recommendeil Values
for C alculntion
Coverage
0.60
0.60
Total rate
FTO
SO
0.7 Per 106 hrs
OveraII
1.8 Per 106 hrs
1.1 Per 106
trs
TlF-probabilitY
=
=
=
3.0 per 106
Lr,,
5.0 per 106
0'3 Per 106 hrs

0'4 Per 106 hrs
= 5' lOa
smaftansm'
Previously Recommendeil Values
h*
Fro
trso
IJndetected
- 3'10-
for Calcultion (95 edition)
hrs
Coverage
0.5 per 106 hrs

1.5 Per 106 hrs
hrs
TlF-probability
- smart tfansm'
=
=
5'104
3'104
F ailure Rat e As s e s s ment
Thefailurerateestimateisanupdateofthepreviousestimate-basedonoREDAPhaseIII
data' The
data - with OREDA phase fV

including some expert judg"*"nt do" to scarce
pressure
is based on the distribution for
so-failures
distribution between (undetected) FTO- and
andflowtransmitters.Theoverallcovelagegivenaboveisestimatedmainlybasedonexpert
Qsumunr
TIF -Prob
ab
ilitY
As
s es
stne
SafetV Systems'
,nd
Reliability Eat'Dossier
Reliability Data Dossier :.PD!:dat
Transmtter'
Component: Temperature
"1998 Edition.
Con'
- PDS'qala
Component: Temperature Transmtter' Conventional
lconveily
nt
judgement is
judgements' Details on the expert
entirely based on expert
is
TlF-probability
The
foundintheappendix.asunlmaryofsomeofthemainargumentsareprovidedinSection2.3.
T-boken
/6/:
Temperarure transrru$er
uarsFARADIP.THREE /7/: Temperature
ffiFh*"
ui"l"u-t
Iv software /15/'
ror conventional temperature
Filter:
inu. equip**,
Class = PRocEss SENsoRs

Inv. Design Class = TemPerarure
itp" pt*ess sensor = Transmitter
il;.
u'
Inv. Phase = 4
(Inv. SYstem = Gas Processrng
Oil processing)
No. of inventoriss = 19
FTO failures = 0
| o. of critic
0
I No. of critical SO failures =
FTO:
5'06
transmitter.
Obsented:
cfro
(
C alc ulate
ffansmitter
PS31-'
OREDA Phase III /l/ Database
temperature
conventional
for
Data relevant
100 7o
il includin g
s hav in g s ome
kind of self-test
arrangement onlY,)
Filter criteria: TAxcoD=srE'AND'

FUNCTN='OP'.OR' 'GP'
Cal. time = 197 808 hrs
lr", on, oilures classifietl

are included in
mdIes.
the
as
"critical"
Jailure rate esti'
)sumrun
50
Module:
'
Co,
'd Safety Systems.

51
1998 Editon.
ReliabilityData'Dossier,'
PDS:ilat
Module:
InPut Devices
-,,
PDS-.data
Input Devices
Component: Flow Transmitter, Conventional
TI F -pro b abilify As s e s sment
Date of Revision
Descrption
1999-01-l I
The flow transmitter includes the sensing
element, local electronics and the process
The TlF-probability is entirely based on expert judgements. Details on the expert judgement is
found in the appendix. A summary of some of the main arguments are provided in Secton 2.3.
Remarks
isolation valves.
F ailare :Rate Refere nc e s
OveraII
Recommeniled Values
fot Calculttion
Undetected
Coverage
Total rate
FTO
1.5 per 106 hrs
0.60
0.6 per 106 hrs
so
2.2 per 106 hrs
0.50
1.1 per 106 hrs
Overall
3.7 per 106 hrs
TIF-probability
- smaft transm
Previonsly Recommended Values
for Calculation
L",
1.5 per 106 hrs
},FTO
0.1
per
106 hrs
l.so
1.4 per
106 hrs
L,
3.0
106 hrs
per
failure rate
er 1 hrs)
Failure mode
distribution
5.70
FTO:
2.85
SO:
2.85
5.104
3.104
TIF-probability
- smart transm.
OREDA Phase IV Software /15/.

Data relevant for conventional flow transmit'
ters.
Filter:
Obsemed:
cfro =
"so =
(95 edition)
Coverage
Data source/comment
7Vo
100
Vo
0.50
Inv.EquipmentClass =PRocEssSENsoRs AND

AND
Inv. Design Class = Flow
Inv. Att. Type process sensor=Transmitter ND
AND
Inv.Phase=4
OR
(Inv. System = Gas processing
AND
Oil processing)
Fail. Severity Class = Critical
No. ofinventories = 10
No. of critical FTO failures = I
Cal. time = 350 640
5.104
3 . l0-4
2.89
FTO:
1.24
SO:
1.5
OREDA Phase III /1/ Database PS3l-.

Data relevant for conventional flow transmitters.
Failure Rate
Ass es srnent
on oREDA
The failure rate estimate is an update of the previous estimate based
Obsertted:
III - with
oREDAphaselVdata.TherateofFTofailuresisestimatedassumingacovelageof60vo
(observedinoREDAPhaseIIIandIVwas 10070 ando4o,respectively).TherateofFTO
Phase III and IV was

failures is estimated assuming a coverage of 60 vo (observed in OREDA
a coverage of 50 7o
assuming
100 7o and 0 7o, respectively). The rate ofso failures is estimated
(previouslyassumedtobe}}vo,observedinOREDAPhaselVwasl00To).lheSofailure
rate includes 'Erratic output' failures.
cno = 100 lo
(Calculated including
transmitters having
Filter criteria: TAXcoD=sFL' .AND. FUNcTN=L

oP'.oR.'GP'
Total no. of failues = 92
some kind of self-test
Cal- time
arrangement only,)
Note! Onlyfailures
=2422200hs
included in
classified as "critical" are
the
failure rate estimates.
rsrNTEF
52
Reliabilty Data for
Con
,iO
S"t"ty Systems.
1998 Edition.
53
PDS.data
.:il
Reliability.:Data Dossier
Input Devices
Module:
PDS.data

Fatre:
na
Component: Catalytic
Refere nc g s
Description
Overall
Failure mode
distribution
failure rate
(per 106 hrs)
FTO:
Lo Med.
Gas Detector, Conventionl
Date of Revision
1999-01-1
Data source/comment
0.25
T-boken
/6i:
Flow transmitte
FARADIP.THREE
/7 | :
The detector includes the sensor and local
electronics such as the address/interface

unit.
Flow transmitter
l5zu
Coverage
Total rate
0.7 per 106 fus
0.60
0.40
2.3 per 106 hrs
TlF-probability
1.6
per
106 hrs
Previously Recommended Valaes
for Cahalation
Llndetected
0.6 per 106 hrs
0.4 per 106 hrs
see secrion
...
(95 edition)
3.0 per 106 hrs
1.5
per 106hrs
1.0 per 106 hrs
I., =
5.5 pe 106
hs
TlF-probability
3 . lO4 - 0.1
r)
') Lurge to small gas leaks
Falure Rate Assessment

Due to dditional phase
III
data the failure rate esrimate is updated iterative. The previous
estimate is updated with rhe final phase
IrI data, and this estimate is finally updare using the
OREDA phase IV data. The rate of FTo failures is estimated assuming a coverage of 60 To
(previously assumed to be 90 7, observed in OREDA phase III was 38 vo). The rate of so
failures is estimated assuming a coverage
of.
4O Vo (previously assumed to be 20Vo, observed
OREDA phase III was 1007o). The FTO failure rate includes ,No output' and .Very low
output' failures.
in
SINTEF
54

'|
Reliability:Data Dossier
and Safety Systems.

55
998 Edtion.
PDS-data
Reliability:Da Dossier
Module:
Component: Cafalytic
Gas Detector, Conventonal
PDS-data
Input Devices
Component: Catalytic
Gas Detector, Conventonal
TI F -probabil As s e s s me nt
TlF-probability is entirely based on expert judgements. Details on the expert judgement is

found in the appendix. A summary of some of the main aguments are provided in Section 2.3.
The
''Falur e Rate Refer enc
Overall
failure rate
F ailure Rat e Refere nc e s
es
Failure mode
distribution
(per 106 hrs)
Frod"t:
Data source/comment
0.5
t
Irl'Oundet; 1.4 i"
SOo"t: 0.2
S6und"t: 0.4 e"t

Data relevant for conventional
catalytic gas
c
detectors.
r
.4, lt
i"
5Fs '.'-:r
lg
Fher:
Inv. Eq. Class = FIRE& CAs DETECToRS
Inv. Att. Sensing principle = Catalytic
Inv. Phase = 4
5.09
No. of critical SO failues = 0
OsebergC 14/.
Data elevant fo conventional
catalytic gas
detectors.
No. of failues = 85 (25 critical)
Time = 10 215 888 hrs
OnIy failures classified as "critical" are
Note!
included in the failure rate estimates.
FTOA{at.aging 3.83
VI.LCAN /5/:
FTO/Stress
0.06
Failure rates are splitted into, in addition to
FlOntervent.
0.1'7
FTOh)TAL
4.06
failure modes, failure categories, following the

"PDS-model".
SO/lrlat.aging 0.74
NOO:
SHH:
Sum
3.62
0.79
FTO:
4.41
OREDA Phase III /1/ Database FG31-.

Data relevant for conventional catalytic gas
detectors. More than 97 Eo of the detectors
have automatic loop test.
Filter criteria: TAXCoD=FGHC',
Cal. time = 49 185 5'72hrs
64
?o
detectors having some
kind of self+est
arrangement only)
Note!
Only failures classfied as
0.06
SOllnput
Solrort
0.17
FTOunct,
FTO/T}TAL
No. of inventories = 2 046

Total no. of failures = | 749
cno
0.06
SOllntervent.
"critical" are
included in the faiLure rate cstimates.
classiJed. as
"critical" are

PDS I /8/: Gas detector
2
3
SOhys.
SOunct.
SO/roTAL
Note! Onlyfailures
1.03
FTOlPhys. I
SENSPRI=TATALYTIC'
Observed:
SO/Stress
Note!
Both physical and functional failures

are included.
OnIy critical failures are included.
snmrnr
56
),1
and Safety Systems
5l
1998 Edtion.
- PDS.data
Reliabilify,ata Dossier
Module:
Input Devices
Module:
- PDS.data
Input Devices
Component: IR Gas Detector, Conventional

Component: IR Gas Detector, Conventional
Date of Revision
Description
1999-01-
The detector includes the sensor and
TI F -probahlity Ass es sment
1 1
Remarks
loca.l electronics such as the address/-
interface unit.
'F
ail ur e,: Rat e, Rfer e n c e s
Overall
Recotnmended Values
for C alculation
Total rate
failure rate
Coverage
Undetected
FTO
3.3 per 106 tus
0.80
0.7 per
106 hrs
so
0.3 per 106 hrs
0.70
0.1 per
106 hrs
Overall
3.6 per 10o hrs
TlF-probablity
Failure mode
@er 1 hrs)
distribution
Data source/comment
3.49
FTO:
3.49
SO:
0.00

Data relevant for conventional IR gas detectors.
Observed:
seesection
,no
cso
Previously Recommended Values for Calculation (95 edtion)
Filter:
=
=
I00Vo
}Vo
Inv.Eq.Class =FrRE&GAsDETEsroRs
AND
Inv.Phase=3
AND
(Inv.Att. Sensingprinciple=IR OR
Inv.Att. Sensingprinciple=lR/W) AND
14",
l)
2.9 per 106 hrs
2rFTO
1.0 per 106 hrs
so
0.1 per 10 hrs
L, =
4.0 per 106 hrs
Coverage
0.70
TIF-probability
3.lo4-o.lr)
Large to small gas leaks
Failure Rate
Ass essment
The failure ate estimate is an updte of the previous estimate - essentially based the Oseberg C
data j with OREDA phase fV data. The rate of FTO failures is estimated assuming a coverage
of 8O 7o (previously assumed tobe70Vo, observed in OREDA Phase IV was 100 Vo).The rate
of S O failures is estimated assuming a coverage of 70 Vo (previous estimate). The FTO failure
rate includes 'No output' failures.
Cal. time = 147 176
4.1
FIOdd:
FIOUn&r:
SO"'':
soono.r:
2.9
Oseberg C /4/.
1.2
0
0
tectors.
IR
gas de-
No. ofinventories = 4l
Total no. of failures = 26 (4 critical)
Time=977 472lus
Note!
Only
failures classified as "critical" are

the failure rate estimates.
included in
Qsnmrum
'' ':|:
Reliability Dat.Dos5ier.
Modufe:
and Safety Systems.

59
1998 Edition.
Reliability,,D Ds:sier- -. PDj
- PDSdata
Input Devices
Module:
InPut Devices
da
Component: Smoke Detector, Conventional
Component: Smoke Detector, Conventional
TI F -probabil Ass essment

Dte of Revision
Description
1999-01-1
The detector includes the sensor and local

electronics such
as the
address/interface
unit.
,F alur,Rte Referenc
es
Overall
Recommended Values
for Calculation
FTO
SO
rate
1.3 per 106 hrs
2.4 per 106 hrs
overall
3.7 per 106
failure rate
Coverage
0.40
0.50
Total
hrs
TlF-probability
@er
lJndetected
10-3 -
hrs)
3.70
0.8 per 106 hrs

1.2 per
10'hrs
0'05
r)
1.5 per
hrs
=
=
=
L,
= 4.0 per 106 hrs
106
1.31
SO:
2.39
Data source/comment

smokdcombustion detectors.
Filter:
=
"no
,to =
for Calculntion (95 edfion)
L*
Fro
fso
FTO:
Obsemed:
represents the occurrenee of different tYPes of fires (smok

') The range
Previously Recommended Values
Failure mode
distribution
50
Vo
98
7o

Cal. time = 61 11098/.
o-5 Perlo6hrs
2.0 Per 106 hrs
r)The range represents the occurence
r)
3.73
FTO:
1.01
SPO:
2.72
Observed:
Failure Rate
Asses sment
Phase Itr data

The failure rate estimate is an update of the previous,estimate - based on OREDA
is
failures
of
FTO
The
rate
phase
tV).
in
(no
inventories
- with complete OREDA IU data
Phase
complete
and
(observed
incomplete
in
OREDA
Vo
of.4O
assuming a coverage
estimated
a coverage
29Vo and50 Vo,respectively). The rate of SO failures is estimated assuming
was
98 7o)'
III
(complete)
Phase
in
OREDA
observed
robe2\Vo,
of 60 7o (previously assumed
lllwas
Inv.Phase=4
Coverage
TlF-probability = lO3 - 0'05

ofdifferelttypes offires (smoke/fl
Inv.Eq.Class =FIRE&GAsDE'rEcroRs AND

Inv. Att. Sens. princ. = Smoke/Combustion AND
AND
cno = 29 Vo
OREDA Phase trI /1/ Database FG31-.

Data relevant for smoke/combustion detec'
tors. Both conventional (65 7o) and addres'
sable (35 7o) detectors are included. 56
automatic loop test, 35
Vo
have a
have
built.in self-test, rest (97o) have
of loop and
deteclors having some
no self-test feature.
kind of self-test
Filte criteria: TAXCoD=FGFS'

No. of inventories = i 897
arrangement only)
7o
combination
Totat no. of failures = 218

Cal. time = 50 374 800 hrs
Note!
OnIy

the failure rate estmates'
included in
.QsrNTEF
60
Reliability Data
for'
and SafetV Systems.
o_t
1998 Edton.
Reliability Data Dossier - PDS.data
Reliability,Data,Dossier
Module:
Component: Smoke Detector, Conventonl
PDS.data
Input Devices
Component: Het Detector, Conventional
t..,
..., :::..
F ailuie,Rate Rlpr enc e s,
'
1999-01-1
failure rate
er
Date of Revision
Description
Overall
hrs)
iocal electronics such

Oseberg C /4/.
as the address/-
interface unit.
Data relevant for smoke detectors.
No. of failures = 4 (l critical)
Recommended Values
Time= 12'l8528hus
Note!
OnIy
falures classified as "critical" are

the faIure rate estimates-
rate
hrs
1.5 per 106 hrs
VULCAN/5/:
FTO/Stress

failure modes, failure categories' following the
0.13
FTO/Intervent.0.03
0.97
FTO/ror,t
Covrage
0.50
0.50
Total
included in
FTO/1.{at.aging 0.8i
for Calculntion
0.9 per 10
Overall
t)
"PDS-model".
2.4 per 106
hrs
TlF-probabitity
0.87
SO/Stress
0.43
SOllntervent.
0.03
SO/Input
SOlrorAL
4.39
OnIy failures classified as
included in
the
"critical" are
failure rate estimates.
5.72
PDS.I /8/: Smoke detector
FTO/Phys. 0.4
FTOunct.
0.4
FTOlrorAL
0.8
SO/Phys.
Note!
l)
106 hrs
106 hrs
0-05 - 0.5
r)
The range represents the occurence of different types of fires (smoke/flame)
SO{at.aging
Undetected
0.5 Per
1.3 per
1.0 per 106 hrs
L.,
=
IFro =
?rso =
0.5 per 106 bs
L,
2.5
for Calcalation
(95 edition)
Coverage =
0.40
1.0 per lo6hrs

per
106
hrs
TlF-probability
0.05 - 0'5
r)
The range represents the occulrence of different types of fires (smoke/flame)
F ailur e Rate As s e s srnent
Note! Both physical and functional failures
SOlFunct.
are included.
SOlror,r
Only critical failures are included.
The failure rate estimate is an update of the previous estimate - based on OREDA Phase III
is
data - with complete OREDA trI data (no inventories in phase IV). The late of FTO failures
estimated assuming a coverage of 50 Vo (observed in OREDA incomplete and complete Phase
7o, respectively). The rate of SO failures is estimated assuming a
(previously assumed to be 2OVo, obsewed in OREDA (complete) Phase III
III was 50 Vo and36

coverage of 50
was 98
Vo).
Vo
snmrer
Reliability Data
for
,)rl and Safety Systems.
1998 Editon.

Module:
OJ
PDS-data
Reliability,Data Dossier -,PDS.data
Input Devices
Component: Heat Detector, Conventional

Component: Heat Detector, Conventional
TI F -pro bability
As s es s me
nt
The TlF-probabiliry is entirely based on expertjudgements. Details on the expertjudgement

is found in the appendix. A summary of some of the main arguments are provided in section
F ailur e Rate Relerenc
es
Overall
failure rate
@er ld
hrs)
2.35
FTO/Irlat.aging
1.28
VULCAN /5/:
FTO/Stress
0.14
FTOllntervent.0.05
Failure mode
distibution
Data source/comment
FTo/rorer
FTO:
0.88
SO:
1.47
OREDA Phase IV Softwae /15/.

Data relevant fo conventional het detectons.
SO/Stress
Observed:
36
98
Vo
Vo
lnv. Eq. Class = FIRE & GAs

Inv. Att. Sens. princ. =
Inv.Phase=4
DETEcroRs AND
Hear
AND
AND
No. of inventoies = 994

Cal. time = 27 260 832
FTO:
SPO:
0.82
1.39
Observed:
: cno=50Vo
OREDA Phase III /i/ Database FG3l_.

Data elevant for conventional heat detectors. Both rate-ofrise (23 7o) andratecompensated (71 7o) detecfors are included.
Of the detectors,S9 Vohave automatic loop

test, rest (llVo) have no self-test feature.
deteetors having some
Further, 77
kind of self+est
energized", 29 Vo as "normally energized"

Filter criteria: TAXCoD=FGFH'
arrangement only)
Vo
e reported as "normally de-
Total no. offailures = 79

Ca.l. time = 24 470 588 hrs
Note!
1.47

"PDS-model".
SO/l.lat.aging 0.49
0.32
SO/ftrtervent. 0.14
Filter:
"fro =
cso
=
a t
F ailure Rate lieferences
Only failures clussifietl a.r "t:ritical" are

itcluled in thc ftLiLure r( tina!$.
SO/Input
SOh'orAL
0.51
Note! Onlyfailures clnssifi.ed as "critical" are
1.46
included.
FTOhys. 0.1
FTOlFunct. 0.2
FTO/1rAL 0.i
SO/Phys.
PDS I
/8i: Heat detector
SOlFunct.
are included.
SO/rort
Onlv critical failures are included.
@snmunm
o+
Reliability:Data Dossier
Module:
Reliabrlity Data
Input Devices
TI F -probability Asses sment
Date of Revion
1999-01-1
The TlF-probability is entirely based on expef judgements. Details on the expert judgement is
Remarks
'
''. :
_:ir :
F ailu e :Rat e: R.efq r e l9 s
Coverage
0.50
0.50
rate
hrs
4.1 per 106 hrs
Total
4.2 per 106
Overall
8.3 per 106
l)
hrs
TlF-probabitity
Undetectd
2.1 per 106 hrs
OREDA Phase fV Software /15/Data relevant for conventional flame detectors'
2.1 per 106 hrs
3 ' 104 - 0.5
r)
Filter:
,oo =
cso =
Previously Recomtnended Values for Cbulation (95 edition)
l)
2.5
per l0 hrs
Fro
1.5 per 106 hrs
7"so
3.0 per 106 hrs
Lr,
7.0 per 106
hrs
50
7o
100
Vo
'
104 - 0'5
FTO:
SPO:
r)
3.20
3.98
The range represents the occuence of different types of fires (smoke/flame)
Failure Rate
Observed:
Ass es sment
The failurp rate estimate is an update oi the previous estimate - based on OREDA Phase III
data - with complete OREDA III data (no inventories in phase IV). The rate of FTO failures is
estimated suming a coverage of 40 7o (observed in OREDA incomplet and.complete Phase
III was 48 Vo and 50 Vo, respectvely). The rate of SO failures is estimated assuming a
coverage of50 Vo (previously assumed tobe2OVo, observed in OREDA (complete) Phase
was 100
7o).
Flame
Inv. Ait- Sens. princ. =

Inv.
Fail. Severity Cls = Critical
Phase=4
AND
AND
AND

No. of critical FTO failures = I 19
Cal. time =28 5l'1
0.40
Coverage
TlF-probability
Inv.Eq.Class =FIRE&GAsDETEcroRs
Obsened:
The range represents the occunence of different types of fires (smoke/flame)
L",
for Calculation
Recomtnended Vlues
FTO
SO
- PDS-data
Component: Flame detector, Conventional
Component: Flnme detector, Conventional
local electronics such as the addressiinterface unit.
65
Module:
\trol and Safety Systems
/I
PDS:iIata
Input Devices
Description
fr
1998 Edtion.
III
cfro = 48 Vo
kind of self-test
Lrrangemenr only)
OREDA Phase trI /1/ Database FG31-'

Data relevant for conventional flame detectors'
Both IR (52 %o),W (13 Vo) and combined
IR/IIV (35 7o) detectors are included' Ofthe
detectors, 'r-5 Tohave automatic loop test, 3 7o
built-in self'test, 15 Tohave combination

of automatic loop anil buitt-in self-test' rest
(ll%o) have no self-test feature.
have
Filter criteria: TAXcoD=FGFF

No. of inventoris5 = 1 010
No. of failures = 292
Cal. time =23 136820hrs
Note!
Only failures classified as
included in
the
"critcal" are
failure rate est'mates'
@snmrnr
66
Reliability'Data Dossier
'
{rol
and Safety Systems'
o/
1998 Edition.
PDS'data
Reiability Data DO$liei
Module:
PDSdata
InPut Devices
Component: Flame iletector, Conventional

Component: ESD Push button
Date of Revion
Description
1999-01-l
Pushbutton including wiring
Remarks
No data available in OREDA Phase fV'
@er 1 hrs)
Oseberg C /4/.
Data relevant for IR flame detectors'

No. of inventori es = 162
Reconmended Values
No. of failures = 30 (18 critical)

Time = 3 978240hrs
Note! It is assumed that only failures classified
as "critical" are included in the failure
1.77
VI.JLCAN/5/:
FTO/Stress
O.l2
FTO/Intervent.0.12
FTOftort
"PDS-model".
2.01
SO/Stress
O.l2
SO/Intervent.
0.12
SO/Input
SO/rorAL
2.9'7
FTolrorer
SO/PhYs.
SO/Funct
SO/ror't
0.2 per 106 hrs

0.6 per 106 hrs
0.20
0.20
TIF-probabilitY
10-5
for Calculation (1995)
0.2 per 106 hrs
Coverage
0.20
TlF-probabilitY
lOs
0.2 per 106 hrs
rSO
0.6 per 106 hrs
I
I
I
L,
Note!
3.37
are
OnIy failures classified as "critical"
included.
1.0 per 106 hrs
I
I
1.1
FTOunct.
1.0 Per 106 fus
FTO
F ailur e Rt e As s es sment
FTO/PhYs.
OveraII
h.,
r
SO{at.aging
0.3 Per 106 hrs

0.8 per 106 brs
Previously Recommendeil Valaes
0.16
FTO
SO
lJndetected
Coverage
Total rate
rate estimates.
FTO/t{at.aging
for Calculaion
0.2
thexpert
sources, taking into account
The failure rate is estimated based on all listed data
I
I
I
I
I
I
1.3
N ot
ar e
B oth physic aI and functional failures
judgements.Theoverallcoveragegivenaboveisestimatedasiheaverageforbothfaiiure
judgement'
modes, also taken into account the expef
I
I
included'
O
nLy c
ritical failure s ar e include d'
I
I
TI F -prob abilitY
As s es sm
ent
expert judgements' Details on

The TlF-probability is entirely based on
i
I
I
I
I
I
I
I
I
found in the appendix. A
tu*ûry
of
to*"
of th"
-dn *g
provided in Section 2'3'
@snmunm
68
Reliability Data
fc
)rtrot
and Safery Systems

69
1998 Edition.
Reliability Data Dossier .. PDS-data
Module:
Input Devices
PDS-data
Component: ESD Push button

Component: PLC System
Faihe Rate R_efuqences
Description
Date of Revion
Overall
1999-01-1
Failure mode
dstribution
failure rate
er I hrs)
In Med.
Hi
0.
10
r 0.5
Data source/comment
FARADIP.THREE /7/: Pushbutton
PLC system includes input/output cards,

CPU incl. memory and watchdog,
controlles (int. bus, comm. etc.), system
bus and power supply.
5.8
NPRD-9l: Switch, Push button, ground fixed,

commercial quality
Recommended Values
0.13
NPRD-91: Switch, Push button, ground fixed,

military qualiry
FTO
SO
OveraII
l)
for Calculation
Total rate
16 per 106 hrs
l6per
Coverage
106hrs
32 per 106
hrs
Undetected
0.90
1.6 per 106 hrs
0.90
1.6 per 106 fus
TlF-probablity
5.lo-s-5.lo4r)
For TV certified and standard system, respectively
Previoasly Recommended Values

72.0 per
106
for Calculation
(95 edition)
hrs
2.0 per 106 hrs

6.0 per 106 hrs
L,i,
r)
80.0 per 106 hs
For TV certified and standad svstem.
F ailure Rate As s essment

The failure rate estimate,is an update of the previous estimate - based on OREDA Phase
- with complete OREDA
III
data (no inventories in phase
IV), taking into
III
data
account the aspects
discussed below: It is assumed that some of the observed FTO-failures in OREDA III is
included in the TlF-probabiiity. Further, for FTO-failures, only the current loop (i.e. one I-card,
etc.), not the entire PLC System, is required for a shut-down to be initiated. Thus, the estimated
rate of FTO-failures is reduced by approx. 7O Vo comparcd to the OREDA
III
data. The overall
coverage is set by expertjudgement ad observed coverage. The SO failure rate includes
'Enatic output' failures.
@snmuen
'10
Reliabilif,y Data Dossier
Reliability Data tor

1998 Edtion.
'
1cl
and Safety Systems
1l
PDS-data
Control Logic Uni
Module:
Component: PLC System

TI F -probabil As s e s sment
'
F dilur
tRate,
Refeie nc es
The TlF-probability is entirely based on expertjudgements. Details on the expertjudgement is

found in the appendix. A summary of some of the main uguments e provided in Section 2.3.
er
Failur e Rate Refer e nc e S
Id
hrs)
Per ch. 0.28
OveraII
failure rate
Failure mode distribu-
(per
tion
106
hrs)
75.0
PDS I /8/:
FTO/unct.
channel
are incluiled.
0.05
Only critical failures are included'
FTO/Phys.
0.09
PDS I /8/: Inpuf/analog, failure rate per
FTOunct.
0.05
channel
FTOIT1TAL
0.14
SOlPhys.
0.12
are included.
SOunct.
0.05
SO/rorAL
0.17
OnIy critical failures are included'
Fail. Severity Cls = Critical
No. of inventories = 7 I
FTO/Phys.

Cal. time = | 733 664
FTOunct.
I
I
OREDA Phase
SO:
15.6
Data relevant for for control logic
QO Vo) and
F&G systems (30
Inv.Phase=4
16.3
Obseried:
cno = 91
7o
Pe ch. 0.31
7o).
OREDA Phase
Loclc
UNITS
AND
AND
III /1/ Database CL3l-.
for control logic units including

VO-cards. Both PLCs (19 Vo) and computers
(81 To) arc included. The contol logic units are
used both in control systems (54 %)' ESD
F&G systems (33 7o). .
system (13 7o) and

kind of self-test
arrangement onlY)
Cal. time
164 384 hrs
Only
failures classified as "critical" and
with
failure
modes FTO or SO are
included in the failure rate cstimates.
Per ch. 0.21
PDS
I/8/: CPUMemorY
Note! Both physical
FTOITOTAL
Data elevant
Note!
0.14
Inv. Eq. Class = CoNTRoL
SO:
units
including I/O-cards. Both PLCs (14 Vo) and

computers (86 Vo) are included. The contol
logic units are used both in ESD/PSD system
Filter:
'14:7
Both physical and functional failures
0.09
59.4
FTO:
Note!
SO/Phys.
SOlFunct.
SOnorAL
IV Software i l5/.
FTO:
,fro = 9i 7o
,so = 88 7o
InpuVdigitl' failure rate per
FTO/T)TAL
Data sourcelcbmment
Observed:
91.0
FTO/Phys.
SO/Phys.
SO/Funct.
SO/TqTAL
FTO/Phys. 0.02
FTOunct. 0.01
FTo/rorAL 0.03
and functional failures

are included.
Only critical failures are included'
PDS I /8/:
Outpuldigital, normally ener-
gized, failure rate Per channel
Note! Both physical
and
functional failures
are included.
OnIy crtical faIures are included'
@smunr
Module:
and Safety Systems.
Reliability Data
)ntrol
1998 Edition.
PSdata
Reliabilily Data Dossier
Control Logic Units
Component: PLC
Module:
SYstem
- PDS.dt
Control Logic Units
Component: Field Bus Coupler

F lue' Rt e Relerenc e s
Date of Revision
1999-01-1
Overall
failure rate
@er 1 hrs)
Per ch. 0.21
Failure mode distribution
Remarks
No data available in OREDA Phase IV
Data source/comment
FTO/Phys.
FTO/Funct.
0.17
PDS I /8/: OutpuUdigital, normally de'ener'
0.01
gized, failure rate per channel
FTO/TOTAL
O.]8
Recommended Values
Note! Both physical andfunctional farilures

SOlPhys.
0.02
SOunct.
0.01
SO/|OTAL
0.03
are included.
Total rate
Only critical failures are included.
0.01 per
0.2 per
Overall
for Cqlculatian
106
tus
0.18 per
0-001 per
0.02
0.90
0.001 per
0.90
0.02 per
TIF-probabIity
0.2 per 106 tus
0.2
Unetected
Coverage
106 hrs
106 hrs
106 hns
10-s
for Calculation (95 etlition)
106 hrs
106 hrs
per l0 hrs
per
106 hrs
TlF-probabilitY
10-5
F ailure Rate Assessment

based on expert
No sources of failure iate data ae identified. The failure rates afe estimated
system'
judgement and the failure rate data found for PLC
T IF
-probability
Ass es s ment
the expert judgement ts

The TlF-probability is entirely based on expert judgements. Details on
in Section 2'3'
provided
are
found in the appendix. A summary of some of the main arguments
@snmunm
'74
and Safety Systems
Reliability Data f
1998 Edition.
Rliaility oa,Dossier - PDS.data
Module:
Reliability Data;Dossiei
Control I'ogic Uni
Output Devices
Component: Fiel' Bus CPUlCommunication Unit
Component: ESV, X-mas Tree
1999-01-1
No data available in OREDA Phase
FTO
SO
Overall
0.01 per 106 hrs
0.90
0.001 per
0.2 per 106 hrs
0.90
0.02 per 106 hrs
TIF-probability
0.2 per 106 hrs
Previously Reconmended Vlues
h., =
IFro =
lso -
0.18
L, -
0.2
per
0.001 per
for Calculntion
IV'
Undetected
Coverage
Hydraulically operated production

master, wing and swab valves'
Recommended Values
for Calculation
10 hrs
10-5
(95 edfon)
10 hrs
FTO
SO
Total rate
0.8 per 106 hrs
0.7 per 106,hrs
Overall
1.6 per 106
1)
Coverage
hrs
106 hrs
106 hrs
IJndetected
0.00
0.8 per 106 hrs
0.30
0.5 per
TlF-probability
10-6 _
106
l0-s
hrs
r)
For complete and incomplete functional testing respectively'
Previously Recommendeil Yalues
o.o2 per lo6 hrs

per
Date of Revision
Description
Remarks
.Total rate
- PDSidta
Valves
Date of Revision
1999-01-1
t)
;ntrol
=
h",
)"Fro =
Iso
=
0-0 Per 106
o,
3.5 per 106
3.0 per
for Calculation (95 etlition)
hrs
Coverage
106 hrs
0.5 Per 106 hrs
F ailure Rate Ass essment
t)
based on expert
No sourcs of failure rate data are identified. The failure rates are estimated
system'
judgement and the failure rate data found for PLC
hrs
TlF-probability
10-6
10-s
r)
For complete and incomplete functional testing
- based on oREDA Phase III

The failure rare estimate is an update of the previous estimate
based on observed
*rn*o nhase IV dutu. Th" so coverage given above is estimated
coverage.
the expert judgement ts

The T.IF-probability is entirely based on expert judgements. Details on
in Section 2 3'
provided
are
arguments
the
main
of
of
some
summary
A
found in ihe appendix.
T I F -probabilitY As
es s
ment
judgement rs
judgements. Details on the expert
The TlF-probability is entirely based on expert
Section 2'3
in
provided
aguments ae
found in the appendix. A summary of some of the maln
Qsnmrnr
76
Reliabitity Data Dossier
Reliablity Data for
I and Safety Systems.

7',7
1998 Edition.
PDS-data
:
Module:
Reliabilify Data Dossier
-,
PDS-dat
Output Devices / Valves

Module:
OuQtut Devices
Valves

'F
alr e' R ate Rfer enc es

F ailure Rale References
Overall
failure rate
(per 106 hrs)
1.1
Overall
F ailur e mo de di s t rib
FTO:
ution Data source/comment

OREDA Phase lV Software /15/.
Data relevant for hydraulically operatetl
wellhead master valves, swab valves and wing
valves. The previous f,rlter does not apply to the
OREDA v.5 software.
0.00
SO: l.l1
Observed:
,so =
failure rate
100
er 1 hrs)
9 .17
Vo
Fiher:
Inv. Eq. Class = \ilElIIADs AND X-MAS TREES ND
(Inv. System = Gas
OR
AND
Inv. System = Oil
production
Production)
Inv.Phase=4
op.
op.
(Fail. Item Failed = Prod. master valve, hyd.

Fail. Item Failed = Prod. swab valve, hyd.
Fail. Item Failed = hod. wing valve, hyd. op.)
AND
AI\'D
OR
OR
No. of critical FIO failures = 0
No. of critical SO failures = I
Cal. time = 902 544
7.36
DOP:
EXL:
FTC:
FTOpen:
INL:
LCP:
PLU:
1.84
OREDA Phase trI /1/ Database VA31-.

Data relevant for wellhead ESDSD valves,
037
main valve or acfuator.
0.46
Filter criteria: FUNgTN='ow' oR'clv',
2.30
APPUC=tsSD/PSD" MATIEM=bODY' OR VALVSEAT'
1.69
OR
0.15

Total no. offailures = 120
0.15
SEAIJ'OR ACTUATOR'.
Cal. time = 6 518 058 hrs

Note! Onlylfailures classified as "critical" are
included in the failure rate estimdtes.
14
F ailure mode distribution Data source/commenl
EXL:
FTC:
FTOpen:
INL:
OVH:
SEL:
SEP:
SIL:
SPO:
UNK:
0.28
OREDA Phase Il
3.81
for topside ESD valves. Note!

Includes also control and monitoring unit.
2.1,2
0.14
/21 ,
P. 89, Valves ESD-
Data relevant
0.28
No of inventories =322
No. of failures = 151
0.14
Cal. time = 6 406 500 hrs
O.l4
1.12
Note!
Only

the failure rate estimates.
included in
0.43
0.14
I /8/: ESD valve. Note! Includes also pilot
FTOhys.
PDS
FTOunct.
valve etc.
FTO/ror,qt
I
N ote
SO/Phys.
SOunct.
SOlrorr
Both physical and functional failure

included.
Only critical failures are ncluded.
are
snmrur
't8
,R.U"lil!.itv'P4tq Po*l",
Module:
OutPut Devices
'
PDS'dat-
Ouut Devices / Valves
Date of Revision
1999-01 -1
TheTlF-probabilityisentirelybasedonexpertjudgements.DetailsontheexPertjudgementls
urgum"nts ar" p@
found in the appendix. A summary of some of th'e main
Remarks
F ailure Rate,References
and monitoring.
Recommended Values
for Clculation
Undetected
rate
Coverage
1.3 per 106
0'00
1.3 per 106 hrs
0'00
0.3 per 106 hrs
Total
hrs
0.3 Per 106hrs
1.6per
106hrs
TlF-probability
10-6 _ 10-s
FTO:
1.06
SO:
0.26
OREDA Pil'.s" IV Software /15/'

Oui"t"u*t for process ESDSD valves'
*.i"ing tft" pilot anil control & monitoring'
Filter:
Inv. Eq. Class = VALvES
(Inv. Syslem = Gas exPort.
Inv. System = Gas Processlng
Inv. System = Oil exPort .
Inv. System = Oil Processlng)
Inv. Phe = 4
Inv. Att, PPtication = ESD/PSD
(Fail. Item Failed <> Pilot valve
r)
For complete and incomplete functional testing respectively
for Calculntion (95 edition)
,*"-r,
^t--***tlues
= 0.0 Per 106 hs
L",
IFro = 3.0 per 106 hrs
Xso = 0.5 Per lo hrs
Li,
t)
19
1998 Edition.
Component: Other ESV
Main valve including actuator. Nof

including pilot valve and local control
l)
and Safety Systems

.)
Reliabtity Data Dossir
Valves
Description
Overall
FTO
SO
3.5 per 106
hrs
Coverage
TlF-probability
uil. Suuunit
No. ofinventoriss = 106

0.00
10-6.10sr)
For complete and incomplete functional testing respectively'
f*fed o contol & Monitoring)
FTOpen:
LCP:
1.12
1.12
OREDA Phase III /1/ Database VA31-'

valves'
Data relevant for process ESD/PSD
main valve or actuator'
Filter criteria: RjNctl'='op'
ot
'cp"
OR
APPLIC=tsSD/PSD" MAffEM= tsODY'
Failure Rate
Ass essment
prevtous
data the failure rate estimte is an iterative updated' The
the
using
update
finally
is
estimate
esrimate is updared with the final phase III data, and this
of
coverage
a
assuming
estimated
oREDA phase IV data. The rate of FTO and so failures is
clefrrciency''
and
'structural
'Fail
on
demand'
to closc
0 vo .TheFTO failure rate incudes
Due to additional phase
III
vALvsEAT' oR SEALS' oR Ac'uAToR''

Total no. of failures - 20
Note!
are included
OnIyfailures classfied as "crtical"
in
the
falure rate
eslimt*
@snmunr
80
Module:
Output Devices
'
and SafetV Systems.
ol
8i
1998 Editon.
PDS-data
Retibility:Data Dossier - PDS'data
Valves
Module:

F iliir e'.R.at
Reliablty Data for
Output Devices
Valves
Component: Pilot Valve
e R ete r e n c e s
Date
Description
Overall
failare rate
er I hrs)
9.17
t4
FaIure mode
EXL:
FTC:
FTOpen:
INL:
OVH:
SEL:
SEP:
SIL:
SPO:
UNK:
FTO/Phys.
0.28
OREDA Phasefr.l2l, p. 89, Valves ESD.
3.81
Data relevant for topside ESD valves. Note!
2.12
Includes also pilot valve etc.
0.14
No of inventories.= 322
0.28
No. of failures
0.14
Cal. time = 6 406 500 hs
Note! Onlyfailures
included in
0.43
Recommended Values
classified as "crilical" are
the
PDS
for Calculnton
FTO
SO
1.7 per 106 hrs
0.20
Undetected
1.4 per 106 hrs
2.5 per 106 hrs
0.30
1.8 per 106 hrs
Overall
4.2 per 106 hrs
Coverage
Total rate
faIure rate estimates.
0.14
shut-off or ESD/PSD valves.
151
0.14
l.l2
Pilot valve on hydraulically or pneumatically operated, process or wellhead,
Data source/comment
tion
of Revion
1999-01-1
dtribu'
TlF-probability =
I /8/: ESD valve. Note! Includes also pilot
FTOlFunct.
FTOftoTAL
SO/Phys.
included.
SOlFunct.
Only critical failure s are included.
Softorn
valve etc.
for Calcalation
(95 edition)
Note! Both physical
and
functional failures are
0.0 per 106 hrs

0.6 per 106 hrs
0.4 per 106 hrs
1.0 per 106 hrs
Failure Rate
TlF-probabilitY =
Ass essnent
data the failure rate estimate is an iterative updated. The previous

using the
esrimate is updated wirh the final phase Itr data, and this estimate is finally update
Due to additional phe
III
of 2O 7o
OREDA phase IV data. The ate of FTO failures is estimated assuming a coverage
III was
Phase
complete
and
(previously assumed tobe0 To,observed in OREDA incomplete
of 30
coverage
a
assuming
The rate of SO failures is estimated
40 Vo and 67 7o, rcspectively).
7o (previously assumed to be 0
in OREDA incompiete and complete Phase III was

and
20 vo and 94 7o, respectively). The FTO failure rate includes 'Fail to close on demand'
'Fai[ to open on demand' failures.
To, observed
Reliability Data
@snmrem
82
f'
)rtrol
and Safety Systems

83
1998 Edition.
Reliabiliw'Data Dossie
PDSrdata
Reliabitity DCta,DoSiCi;'
Moduf
e:
Output Devices
Psiilata
Valves
Ouut Devfues /Valves
Module:

TIF -prohability As s es s ment
F aiture: Rate Rfere nc es
The TIF-probabiliry is entirely based on expert judgements. Details on the expert judgement is
F alure, Rate Referenc
Overall
failure rate
@er I
es
0.45
Overall
failure rate
@er
ld
hrs)
hrs)
4.52
Data source/comment
FTO:
T-boken
0.45
Failure mode distribuData soturcelcomment
tion
FTO:
1.69
SO:
2.83
"fro =
"so =
FTO:
0.11
Vo
94
7o
VALvEs
ESD/PSD
Shut-of
Phase=4
Critical
valve
Inv. Eq. Class =

(Inv. Att. Application =
Inv. Att. Application =
Inv.
Fail. Severity Class =
(Fail. ItemFailed=Pilot
Fail. Subunit Failed = Control & Monitoring)
Lo Med.
0.4 14
AND
OR
VA3l-.
0.07
OREDA Phase III /1/ Database
0.36
Data relevant for
0.07
or pneumatically operated, process or

wellhead, shut-off or ESD/PSD valves.
pilot valve on hydraulically
Filter criteria: ACrUAT=IYDRAULIC' .oR.
Nuuerrc', AppLIc=5HUT-on' .oR. bsD/PSD',

MITEM='ACTUATION'.
No. of inventoies = 516

Cal. time = 13 156 654 hrs
Note!
/6/: Solenoid valve, normally de'

energized. The failure mode used in the source
T-boken
preted as FTO.
ND
OR
AND
AND

No. of critical FTO failues = 10
No. of citical SO failures = 17
Cal. time = 6 023 256
FTC:
FTOpen:
SO:
0.11
is "Failed to change state". This has been inter-
Filter:
67
Solenoid valve, normally ener'

gized. The failure mode used in the source is
"Missing function". This has been interpreted as
/6/:
FTO.
OREDA Phase IV Softwae /15/.

Data relevant pilot valves with control &
monitoring in ESDSD applications.
Observed:
0.51
Allfailures are included, i.e. both "Critical",

"Degraded" arul "lncipient" failures, since the
failure classif.catiott
is given on system" level.
i
:
Hi
FARADIP.THREE /7/: Solenoid.
snmrnr
84
Reliabilty Data
for
-!ol and Safety Systems.
.:"Reliabify;Data Dossiei - PS.dta
Reliability Data Dossier - PD,S-data
Module:
85
1998 Edtion.
Module:
Ouut Devices / Valves
Outout Devices / Valves
Component: Process Control Valve
Component: Process ControlValve
TI F -p ro b ability A
Date of Revon
Description
1999-01-1
including actuator, pilot valve and local controVmonitoring. Both large and small control
Process control valves
s s ess
ent
judgement is
The TlF-probability is entirely based on expert judgements. Details on the expert
found in the appendix. A summary of some of the main arguments tt" plgytd:g tn Jgttion3'3'
Remnrks
F aluie Rae,Refi: e nc e s'',
valves ae included.
Recommended Values
for Calculation
Total rate
Small
FTO
'1
so
0.4
Overall
.1
.6
Coverage
- Iarge Valves
2.1per 106 hrs
0.60
SmaII- Large Valves

2.8 - 0.8 per 106 tus
0.7 per 106 tus
0.70
O.l -0.2per
2.8 per 106 hrs
Previoasly Recommended Values
L.,
Undetected
TIF-probability
for Calculation
- Largevalves
- 8.0 per l06hrs
9.0 - 4.0 per 106 hrs
0.1 - 2-0 per106hrs
FTO:
3.97
SO:
l.O2
OREDA Phase IV Software /15/'

Data relevant for Data relevant for process
con'
trol valves including pilot valYe etc' Note! All
Vo of the registered valves
inches. Thus, 53 7o are
<
10
i.e.,
size
ae small,
sizes are
Obsemed:
^FO _-
106 hrs
,so =
.r<
LJ
oj^
'V
100
Vo
10-s
r FTO
(95 edition)
lL=
SO
L,
27.0
F ailur e Rate As s e s sme
l4.O per 109hrs
Coverage
0.65
failure modes FTC
> l0
inches.
FIter (small valves):
No. of critical FTO failures = 10'5
TIF-probability
1o-5
nt
The failure rate estimate is an update of the previous estimate - based on OREDA Phase III with OREDA phase IV data. Total rate of FTO-failures estimated by including the OREDA
and
large, with size
Inv. Eq. Class = VALvES

(Inv. System = Gas export
Inv. System = Gas processing
Inv. System = Oil exPof
Inv. System = Oil processing)
Inv. Phase = 4
Inv. Att. Application = Process Control
Small
18.0
includ ed. 47
LCP, and 50 Vo of the DOP-and EXl-failures. The rate of FTO failures
is estimated assuming a coverage of 50 Vo (previously assumed to be 65 7o, observed
in
OREDA Phase IV was 25 Vo). The rate of SO failures is estimated assuming a coverage of 80
7o (previously assumed to be 65 %, observed in OREDA Phase IV was 100 7o).
DOP:
EXL:
FID:
FIC
FTOpen:
LCP
oTH
ovH
PLU
SO:
/1/ Database VA31-'

process control vlves
0.72
OREDA Phase
III
0.36
Data relevant
for
1.79
including pilot valve etc. Note! All sizes are
4.29
included.
2.15
Filter criteria: APPLIc=Roc crRL', FLrNcrN='oP'
1.43
.oR.
3.22
2.50

Cai. time =2'796745 hrs
0.07
Note!
0;72
'GP'.
Only
in
included
failures classified as "crtcal" are
failure rate eslimates
the
Qsnmrum
86
Reliahility,Data:Dossier
Module:
Overall failure rate
hrs)
27.0'1
Module:
OuQtut Devices
Valves
Date of Revion
Failure mode distribu

tion
DOP:
FID:
Frc
FTOpen:
LCP
oTH
ovH
PLU
1999-01-l I
Data source/comment
1.04
OREDA Phase
III /1/ Database VA3l-.
4.17
Data relevant
for process control valves
5.21
l.M
including pilot valve etc. Note! Only sizes less

than 5" are included in this run.
3.12
Filte criteria: A?pLIc=Roc crRL', FuNcrN='op'
3.12
.oR.'cP', srzE<=5.000.
2.o8
7.29
DOP:
0.54
OREDA Phase Itr
EXL:
FID:
0.54
Data relevant
0.54
/l/
Database
VA3l_.
for process control valves
FTC
3.81
including pilot valve etc. Note! Only sizes

larger than 5" are included in this run.
FTOpen:
2.72
Filter criteria: AppLIc=Roc crRL'. FUNcTN='op'
LCP
0.54
.oR. 'cP"
OTH
3.n
.18

8 .6
T-boken
/6/: Motor-operated control valve.
The failure mode used in the source is "Failed to

change position". This has been interpreted as
Ffo.
rate
Coverage
hrs
t)
0.2 per 106 hrs
OveraII
1.2
l)
1.0
per
per
106
106
hrs
1.0 per 106 fus
0.oo
0.2 per
TlF-probabitity
t)
Undetected
0.00
106 hrs
1o-3
Note that trip of PSV does not necessarily lead to system
h", ?lFTo =
l,so =
0.0 per 106
L,
1-0
for Calculatinn (95 eilition)
hrs
Coverage
0.00
0.1 per l06hrs

0.9 per 106 hs
120
= I 836 425 trs
Note! Onlyfailures
FTO:
for Calculation
FTO
so
slz>5.000.
No. offailures
Cai. time
Recommendeil Values
Total
SO:
Daoqsier :'PDS'dt.
Component: Pressure Relief Valve
Note! Onlyfailures
8.6
8'l
Relib,ility
14.16
and Safety Systems.
}rol
Output Devices / Valves
F alie Rate Rferencs
fo
1998 Edition.
PDS-data
Component: Process Control Valve
(per
Reliablty Data
per
106
r)
hrs
TlF-probability
l0
Note that trip of PSV does not necessarily lead to system trip
III'
The failure rate estimate is an update of the previous estimate - based on OREDA Phase
'Fail
to
as
classified
failures
OREDA 84 and other souces - with OREDA phase IV data. Only
'
ae considered FTO failures.
T I F -p ro
ba
bility As s e s s m e nl
judgement is
The TlF-probabiliry is entirely based on expert judgements. Details on the expert
foundintheappendix.Asummaryofsomeofthemainarcu@
snmrnr
88
Reliabilty Data
fo.
lrol and Safety Systems.

89
1998 Edition.
PDS.data
,
Module:
Output Devices
Reliability-:Date :Dossier
P-DS.iIta
Valves
Module:
Output Devices
Valves

F ailur e,'Rate,Relere nc es
F ailure Rat e, Referenie s
Overall
failure rate
er Id hrs)
failure rate
Overall
L .27
Data source/comment
FlO:
SO:
OREDA Phase fV Softwae /15i.

Data reievant for self-acting or self-acting/pilot
2.14
0.13
@er ld
4.4
Filter;
,fto = |vo
,so = 07o
VALvES
Inv. Phase=4
Inv. Att. Application = Relief
Inv. Eq. Class =
AND
AND
ANI)
No. of inventories = 2'1 5

No. ofcritical FlO failures = 17
No. of critical SO failures = I
Cal. time ='l 493 448
INL/Degr.
22.06
INI-/Degr.
1.58
Sum/Degr. 23.63
OREDA Phase III /l/ Database VA31-.

Data relevant for self-acting or self-acting/pilot
actuated relief valves.
Filter criteria: AppLrc=.ELIEF', AcruAT=5ELF
EXl-/lncip.
1.58
EXl/krcip.
1.58
Sumllncip.
3.15
Total no. offailures
Note!
Also "Degraded" and
" In c ipent"
fai lures ar e
includeed, since no
" C ritic al "
ACT'.OR. 3.e.U-Or'.
17
Opr. time = 634 730 hrs

Cal. time = I 119 360 hs
Note! Operational time is used in
the
failure rate
estimates.
failur es ar e
observed.
Lo Med.
28
Hi
t.5i
actuated relief valves.
Observed:
o .78
hrs)
FARADIP.THREE /7/: Valve. Relief
Data sourcelcomment
NPRD-9l l9l'.Yalve, relief, Ground, unknown

quality
OREDA-84 /3/, Pilot operated safety relief
valve.
)snmrun
Reliabilty Dala
/t6l
ril
t17
OREDA Phase III, computerised database on topsde equipment, OREDA Participants

(mutticlient project on collection of offshore reliability data).
1REDA Handbook; offshore Reliability Data Hanboo&, 2nd edition, oREDA

Participants (mutticlient project on collection ofoffshore reliability data)' 1992
13/
OREDA Handbook; ffishore Reliabiliry Data Hanlbook,lst edition, OREDA Participants

(multiclient project on collection ofoffshore reliability data)' 1984
l4l
Jon Ame Grammeltvedt, u&P; oseberg c - Gjennomgang av erfartngsdatafor brann- og

gassd.etelctorer p Oseberg C. Forslng til testintervallerfor detektorene, rcWrt from Norsk
Hydro, Forskningssenteret Porsgn:nn, 1994-07-28 (in Norwegian).
l5l
Lars Bodsberg, VULCAN - AVulnerability CalculartonMethodfor Process Safety Systems,

Doctoral dissertation, Norwegian Institute of Technology, Dep. of Mathematical Sciences,
Trondheim, 1993.
NI\-
16/
T-bolcen, Version 3: Titfrltlighetsdata fr komponenter i nordislca krafirealaorer,

kansliet and Studsvik AB, publisehd by Vattenfall, Sweden, 1992 (n Swedish)'
nl
David J. Sflit}^, Retiability, MaintainabIty and Risk - Practical Methods for Engineers,
tgl
Butterworth-Heinemann Ltd., Oxford, England, Fouth edition, 1993'
Lars Bodsberg, Relabitity Data
for
Computer-Based Process Safety Systems' SINTEF
Report STF75 F89025, 1989.
lgt
ll}t
a1., NPRD-9L: Nonelectronic Parts Reliability Data 1991, Reliability

Analysis Center, Rome, New York, USA' l99l-
William Denson et
Ragnar
Systems,
Aar/ et aI,
Reliability Prediction Handbook. Computer-Based Process Safety

SINTEF Report STF75 489023' 1989.
lt
Lars Bodsberg
tl2l
K.
ll3l
per
)rot and Safety Systems.
91
Harry F. Maftz and Ray A. \ffaller, Bayesian Reliability Analysis, IGieger Publishing
Company,1982.
REFERENCES
llt
fo
1998 Edtion.
et aI, Reliability Quantification of Control and Safety
Systems.
The PDS-II
method. SINTEF Report STF75 493064' 1994'
report
ien and P. R. Hokstad. Handbook for performing exPert iudgmenL. SINTEF
sTF38 498419, 1998.
Hoktad and Ragnar Aa, Retiability Data for Control and Safety Systems, Revision
l.
SINTEF report STF75 F94056, January 1995.
41
Geir Klingenberg Hansen and Ragnar A, Reliability Quantification of Computer-Based

Safety Systems- An Introduction to PDS. SINETF report STF38 A97434, December 1997.
tlst
OREDA Phose IV, computerised database on topside equipmcnt, OREDA Participants

(multiclient project on collection ofoffshore reliability data).
1REDA Handbook; Affshore Retnbility Data Handbook, 3rd edition, oREDA Pafiicipants
(multiclient project on collection ofoffshoe reliability data)' 1997.
The PDS Forum was initiated in 1995, and follows up the PDS projects.
The main objective of the PDS Forum is to maintain a professional forum
for exchange of experience between Norwegian vendors and users of
control and safety systems. The primary focus is on safety and reliabilty
aspects of such systems. Research results are transferred, and personal
contacts between those working with offshore control and safety systems
are encouraged. Topics of the forum are:
Use of new standards for control and safetv svstems
.
.
.
Use of acceptance criteria
Exchange and use of reliability field data

Exchange of information on new technology
The main activity of the PDS Forum in 1998 was to update the so-called
"PDS-recommended data". The present report summarizes the results from
this activity. For information regarding the PDS Forum please visit the web
s ite http ://www.s i ntef . n o/s i paalp rosjekt/pds-foru m.
The OREDA project is also acknowledged for allowing OREDA phase lV
data to be used in preparation of the present report. For information
regarding OREDA please visit the web site www.oreda.com
The PDS-method is an analytical method for quantification of reliability,

safety and Life Cycle Cost (LCC) for control and safety systems, and therebr
to perform an overall evaluation of such systems. The method was
developed for the offshore industry, where it has gained a widespread use.
The method supports the reliability analyses in the international standard
IEC 61508: Functional Safety of E/E/PE Safety Related Systems. lt is also
referred to in the NORSOK standards for Safety and Automation Systems as
a method to be used for verification of safety systems.
SINTEF lndustrial Management, Dept. of Safety and Reliability has
developed a computer program "PDS-Tool" to support PDS calculations.
Sydvest Software has from March 1999 taken over the responsibility for
PDS-Tool. Sydvest Software has been established to develop and market
software tools aimed at preventing losses caused by accidents and other
undesired events. SINTEF lndustrial Management, Dept of Safety and
Reliability is one of the initiators and main owners of Sydvest Software.
For information regarding the PDS-Tool please visit the web site of
Sydvest Software at www.sydvest.com.

STF38 Reliability Data For Control and Safety Systems 1998

Uploaded by

Copyright:

Available Formats

STF38 Reliability Data For Control and Safety Systems 1998

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

STF38 Reliability Data For Control and Safety Systems 1998

Uploaded by

Copyright:

Available Formats

STF38 A98445

Classif ication: Unrestricted

ReliabilitY Data for Control and

SINTEF Industrial Management

EnterPrise No.: NO 948 007 029 MVA

various sources, ..g.'oRr,oe

to TIF probablities for IR gas detectors'

and SafetY SYstems

;it";,ryr,*:,g"lt'::.."f f T'Jf t:#:H#,''-Tiif:'i:":3"i:i"T

the web site

Geir Klingenberg Hansen

PDS Forum ParticiPants 1998

mocoNorwaY Oil ComPanY

OREDA ParticiPants 1998

and Safety Syslems'

Relability Dala for Conlro and Safety Systems

Rate (S7R) depends on

(unless detected and prevented from causing critical

fu-lor.r. ih"o',atiL t'?$'r{,,\r : '}kl\"

is shown in Table l '

\:*- *::. '."$.I INSTRIIMENTATION AND ELECTRICAL TECHMCAL

AND ENGINEERING SERVICES

Overall SafetY Requirements

the overan safety Integnty Requ'ements

Bs EN IEC 61508-5 contains

Safetv tntegrit-v Levels (SIL)

> t0-5 to < 10*

It is expected rhat the normar engineering procedure

(sIS) for each component

I.R llitchen BA(TIons) C.Eng" MIEE'

61508) Part One

Table 1 Relation between different 2 _ values

Some of these parameters, in particular the

iniated. The contribution

Loss of safety failures. Detected by

Trip failure, immediately

Functional test interval

Figure 2 Contributions to CSU

Insufficient fct. testptocedure

Figure 1 Interpretation of reliability parameters

t!1obability that acomponent, which has just been tesred,

"tto"r" will have a critical failure'

pproach and Data Sources

Failure rate dnta in the 95 edition is mainly bed on the

previously recommended estimates

The idea is to let the estimates from the 95 edition

t: specify the parameters of the prior dishibution by speciffing its

is the number of failues obsewed in OREDA phase rv,

rhar this method can

data and rhe OREDA phase

Also, for some types of equipment, there are no inventories

there are no,faitures registered in phase rV(f

data, using the

There h been no new expert judgements in this project,

been changed since the 95 edition.

o'-i- g detectors, have

rel' /1/' /2/' /3/' /15/' /17/

oREDA Particants' distributed

\:- ::. '."$.I INSTRIIMENTATION AND ELECTRICAL TECHMCAL