Reliability data for safety instrumented systems : PDS data handbook [2010 ed.] 9788214048490, 8214048494


SINTEF REPORT

SINTEF Technology and Society, Safety research
Address: NO-7465 Trondheim, NORWAY
Location: S P Andersens veg 5, NO-7031 Trondheim
Telephone: +47 73 59 27 56
Fax: +47 73 59 28 96
Enterprise No.: NO 948 007 029 MVA

TITLE: Reliability Data for Safety Instrumented Systems PDS Data Handbook, 2010 Edition
AUTHOR(S): Stein Hauge and Tor Onshus
CLIENT(S): Multiclient - PDS Forum
REPORT NO.: SINTEF A13502
CLASSIFICATION: Unrestricted
CLASS. THIS PAGE: Unrestricted
ISBN: 978-82-14-04849-0
PROJECT NO.: 504091.17
NO. OF PAGES/APPENDICES: 116
PROJECT MANAGER (NAME, SIGN.): Stein Hauge
CHECKED BY (NAME, SIGN.): Per Hokstad
DATE: 2009-12-18
APPROVED BY (NAME, POSITION, SIGN.): Lars Bodsberg, Research Director

ABSTRACT

This report provides reliability data estimates for components of control and safety systems. Data dossiers for input devices (sensors, detectors, etc.), control logic (electronics) and final elements (valves, etc.) are presented, including some data for subsea equipment. Efforts have been made to document the presented data thoroughly, both in terms of applied data sources and underlying assumptions. The data are given on a format suitable for performing reliability analyses in line with the requirements in the IEC 61508 and IEC 61511 standards. As compared to the former 2006 edition, the following main changes are included:

• A general review and update of the failure rates, coverage values, β-values and other relevant parameters;
• Some new equipment groups have been added;
• Data for control logic units have been updated and refined.

KEYWORDS (selected by author)

English: Safety; Reliability Data; Safety Instrumented Systems (SIS); SIL calculations
Norwegian: Sikkerhet; Pålitelighet; Data; Instrumenterte sikkerhetssystemer; SIL beregninger


PREFACE

The present report is an update of the 2006 edition of the Reliability Data for Control and Safety Systems, PDS Data Handbook [12]. The handbook presents data in line with the latest available data sources as well as data for some new equipment. The work has been carried out as part of the research project “Managing the integrity of safety instrumented systems”.1

Trondheim, December 2009
Stein Hauge

PDS Forum Participants in the Project Period 2007 - 2009

Oil Companies/Operators
• A/S Norske Shell
• BP Norge AS
• ConocoPhillips Norge
• Eni Norge AS
• Norsk Hydro ASA
• StatoilHydro ASA (Statoil ASA from Nov. 1st 2009)
• Talisman Energy Norge
• Teekay Petrojarl ASA
• TOTAL E&P NORGE AS

Control and Safety System Vendors
• ABB AS
• FMC Kongsberg Subsea AS
• Honeywell AS
• Kongsberg Maritime AS
• Bjørge Safety Systems AS
• Siemens AS
• Simtronics ASA

Engineering Companies and Consultants
• Aker Kværner Engineering & Technology
• Det Norske Veritas AS
• Lilleaker Consulting AS
• NEMKO AS
• Safetec Nordic AS
• Scandpower AS

Governmental Bodies
• The Directorate for Civil Protection and Emergency Planning (Observer)
• The Norwegian Maritime Directorate (Observer)
• The Petroleum Safety Authority Norway (Observer)

1 This user initiated research project has been sponsored by the Norwegian Research Council and the PDS forum participants. The project work has been carried out by SINTEF.


Table of Contents

PREFACE ... 3
ABSTRACT ... 4
1 INTRODUCTION ... 9
1.1 Objective and Scope ... 9
1.2 Benefits of Reliability Analysis – the PDS Method ... 9
1.3 The IEC 61508 and 61511 Standards ... 10
1.4 Organisation of Data Handbook ... 10
1.5 Abbreviations ... 10
2 RELIABILITY CONCEPTS ... 13
2.1 The Concept of Failure ... 13
2.2 Failure Rate and Failure Probability ... 13
2.2.1 Failure Rate Notation ... 13
2.2.2 Decomposition of Failure Rate ... 14
2.3 Reliability Measures and Notation ... 15
2.4 Reliability Parameters ... 16
2.4.1 Rate of Dangerous Undetected Failures ... 16
2.4.2 The Coverage Factor, c ... 17
2.4.3 Beta-factors and CMooN ... 17
2.4.4 Safe Failure Fraction, SFF ... 18
2.5 Main Data Sources ... 18
2.6 Using the Data in This Handbook ... 19
3 RELIABILITY DATA SUMMARY ... 21
3.1 Topside Equipment ... 21
3.2 Subsea Equipment ... 27
3.3 Comments to the PDS Data ... 28
3.3.1 Probability of Test Independent Failures (PTIF) ... 28
3.3.2 Coverage ... 29
3.3.3 Fraction of Random Hardware Failures (r) ... 30
3.4 Reliability Data Uncertainties – Upper 70% Values ... 32
3.4.1 Data Uncertainties ... 32
3.4.2 Upper 70% Values ... 33
3.5 What is “Sufficient Operational Experience”? – Proven in Use ... 34
4 MAIN FEATURES OF THE PDS METHOD ... 37
4.1 Main Characteristics of PDS ... 37
4.2 Failure Causes and Failure Modes ... 37
4.3 Reliability Performance Measures ... 39
4.3.1 Contributions to Loss of Safety ... 40
4.3.2 Loss of Safety due to DU Failures - Probability of Failure on Demand (PFD) ... 40
4.3.3 Loss of Safety due to Test Independent Failures (PTIF) ... 40
4.3.4 Loss of Safety due to Downtime Unavailability – DTU ... 41
4.3.5 Overall Measure for Loss of Safety – Critical Safety Unavailability ... 41
5 DATA DOSSIERS ... 43
5.1 Input Devices ... 44
5.1.1 Pressure Switch ... 44
5.1.2 Proximity Switch (Inductive) ... 46
5.1.3 Pressure Transmitter ... 47
5.1.4 Level (Displacement) Transmitter ... 49
5.1.5 Temperature Transmitter ... 51
5.1.6 Flow Transmitter ... 53
5.1.7 Catalytic Gas Detector ... 55
5.1.8 IR Point Gas Detector ... 57
5.1.9 IR Line Gas Detector ... 59
5.1.10 Smoke Detector ... 61
5.1.11 Heat Detector ... 63
5.1.12 Flame Detector ... 65
5.1.13 H2S Detector ... 68
5.1.14 ESD Push Button ... 70
5.2 Control Logic Units ... 72
5.2.1 Standard Industrial PLC ... 73
5.2.2 Programmable Safety System ... 79
5.2.3 Hardwired Safety System ... 85
5.3 Final Elements ... 88
5.3.1 ESV/XV ... 88
5.3.2 ESV, X-mas Tree ... 92
5.3.3 Blowdown Valve ... 95
5.3.4 Pilot/Solenoid Valve ... 97
5.3.5 Process Control Valve ... 100
5.3.6 Pressure Relief Valve ... 103
5.3.7 Deluge Valve ... 105
5.3.8 Fire Damper ... 106
5.3.9 Circuit Breaker ... 108
5.3.10 Relay ... 109
5.3.11 Downhole Safety Valve – DHSV ... 110
5.4 Subsea Equipment ... 111
6 REFERENCES ... 116


List of Tables

Table 1 Decomposition of critical failure rate, λcrit ... 15
Table 2 Performance measures and reliability parameters ... 15
Table 3 Failure rates, coverages and SFF for input devices ... 21
Table 4 Failure rates, coverages and SFF for control logic units ... 22
Table 5 Failure rates, coverages and SFF for final elements ... 23
Table 6 PTIF for various components ... 24
Table 7 β-factors for various components ... 25
Table 8 Numerical values for configuration factors, CMooN ... 26
Table 9 Failure rates for subsea equipment - input devices, control system units and output devices ... 27
Table 10 Estimated upper 70% confidence values for topside equipment ... 33
Table 11 Discussion of proposed subsea data ... 111

List of Figures

Figure 1 Decomposition of critical failure rate, λcrit ... 15
Figure 2 Illustration of failure rate with confidence level of 70% ... 32
Figure 3 Failure classification by cause of failure ... 38
Figure 4 Contributions to critical safety unavailability (CSU) ... 42


1 INTRODUCTION

Safety standards like IEC 61508, [1] and IEC 61511, [2], require quantification of failure probability for operation of safety systems. Such quantification may be part of design optimization or verification that the design is according to stated performance requirements. The use of relevant failure data is an essential part of any quantitative reliability analysis. It is also one of the most challenging parts and raises a number of questions concerning the availability and relevance of the data, the assumptions underlying the data and what uncertainties are related to the data. In this handbook recommended data for reliability quantification of Safety Instrumented Systems (SIS) are presented. Efforts have been made to document the presented data thoroughly, both in terms of applied data sources and underlying assumptions. Various data sources have been applied when preparing this handbook, the most important source being the OREDA database and handbooks (ref. section 2.5).

1.1 Objective and Scope

When performing reliability quantification, the analyst will need information on a number of parameters related to the equipment under consideration. This includes basic failure rates, distribution of critical failure modes, diagnostic coverage factors and common cause factors. In this handbook best estimates for these reliability parameters are presented for selected equipment. The data are given on a format suitable for performing analyses in line with the requirements in the IEC 61508/61511 standards and the PDS method, [10]. As compared to the former 2006 edition, [12], the following main changes are included:

• A general update / review of the failure rates, coverage values, β-values and other relevant parameters;
• Some new equipment groups have been added;
• Data for control logic units have been updated and refined.

1.2 Benefits of Reliability Analysis – the PDS Method

Instrumented safety systems such as emergency shutdown systems, fire and gas systems and process shutdown systems, are installed to prevent abnormal operating conditions from developing into an accident. High reliability of such systems is therefore paramount with respect to safe - as well as commercial - operation. Reliability analysis represents a systematic tool for evaluating the performance of safety instrumented systems (SIS) from a safety and production availability point of view. Some main applications of reliability analysis are:

• Reliability assessment and follow-up; verifying that the system fulfils its safety and reliability requirements;
• Design optimisation; balancing the design to get an optimal solution with respect to safety, production availability and lifecycle cost;
• Operation planning; establishing the optimal testing and maintenance strategy;
• Modification support; verifying that planned modifications are in line with the safety and reliability requirements.

The PDS method has been developed in order to enable the reliability engineer and non-experts to perform such reliability considerations in various phases of a project. The main features of the PDS method are discussed in chapter 4.

1.3 The IEC 61508 and 61511 Standards

The IEC 61508 and IEC 61511 standards, [1] and [2], present requirements to safety instrumented systems (SIS) for all the relevant lifecycle phases, and have become leading standards for SIS specification, design, implementation and operation. IEC 61508 is a generic standard common to several industries, whereas IEC 61511 has been developed especially for the process industry. These standards present a unified approach to achieve a rational and consistent technical policy for all SIS systems. The Norwegian Oil Industry Association (OLF) has developed a guideline to support the use of IEC 61508/61511, [19]. The PDS method is in line with the main principles advocated in the IEC standards, and is a useful tool when implementing and verifying quantitative (SIL) requirements as described in the IEC standards.

1.4 Organisation of Data Handbook

In chapter 2 important reliability aspects are discussed and definitions of the applied notations are given. The recommended reliability data estimates are summarised in chapter 3 of this report. A split has been made between input devices, logic solvers and final elements. Chapter 4 gives a brief summary of the main characteristics of the PDS method. The failure classification for safety instrumented systems is presented together with the main reliability performance measures used in PDS. In chapter 5 the detailed data dossiers providing the basis for the recommended reliability data are given. As for previous editions of the handbook, some data are scarcely available in the data sources, and it is necessary to, partly or fully, rely on expert judgements.

1.5 Abbreviations

CCF - Common cause failure
CSU - Critical safety unavailability
DTU - Downtime unavailability
FMECA - Failure modes, effects, and criticality analysis
FMEDA - Failure modes, effects, and diagnostic analysis
IEC - International Electrotechnical Commission
JIP - Joint industry project
MTTR - Mean time to restoration
NDE - Normally de-energised
NE - Normally energised
OLF - The Norwegian oil industry association
OREDA - Offshore reliability data
PDS - Norwegian acronym for “reliability of computer based safety systems”
PFD - Probability of failure on demand
RNNP - Project: Risk level in Norwegian petroleum production, www.ptil.no
SIL - Safety integrity level
SIS - Safety instrumented system
SFF - Safe failure fraction
STR - Spurious trip rate
TIF - Test independent failure

Additional abbreviations (equipment related)

AI - Analogue input
BDV - Blowdown valve
CPU - Central Processing Unit
DO - Digital output
ESV - Emergency shutdown valve
DHSV - Downhole safety valve
XV - Production shutdown valve

2 RELIABILITY CONCEPTS

In this chapter some selected concepts related to reliability analysis and reliability data are discussed. For a more detailed discussion reference is made to the updated PDS method handbook, ref. [10].

2.1 The Concept of Failure

A failure is in IEC 61508-4 defined as the termination of the ability of a functional unit to perform a required function. The two main functions of a safety system are [10]: the ability to shut down or go to a predefined safe state when production is not safe, and the ability to maintain production when it is safe. Hence, a failure may have two facets: (1) loss of the ability to shut down or go to a safe state when required, or (2) loss of the ability to maintain production.

From a safety point of view, the first category is the more critical, and such failures are defined as dangerous failures (D), i.e. they have the potential to result in loss of the ability to shut down or go to a safe state when required. Loss of the ability to maintain production is normally not so critical to safety, and such failures have therefore in PDS traditionally been denoted spurious trip (ST) failures, whereas IEC 61508 categorises such failures as ‘safe’ (S). In the forthcoming update of the IEC 61508 standard the definition of safe failures is more in line with the PDS interpretation. Therefore PDS has in this updated version also adopted the notation ‘S’ (instead of ‘ST’ failures).

It should be noted that a given failure may be classified as either dangerous or safe depending on the intended application. E.g. loss of hydraulic supply to a valve actuator operating on demand will be dangerous in an energise-to-trip application and safe in a de-energise-to-trip application. Hence, when applying the failure data, the assumptions underlying the data as well as the context in which the data shall be used must be carefully considered.

2.2 Failure Rate and Failure Probability

The failure rate (number of failures per time unit) for a component is essential for the reliability calculations. In section 2.2.1, definitions and notation related to the failure rate are given, whereas in section 2.2.2 the decomposition of this failure rate into its various elements is further discussed.

2.2.1 Failure Rate Notation

λcrit = Rate of critical failures; i.e., failures that may cause loss of one of the two main functions of the component/system (see above). Critical failures include dangerous (D) failures which may cause loss of the ability to shut down production when required and safe (S) failures which may cause loss of the ability to maintain production when safe (i.e. spurious trip failures). Hence: λcrit = λD + λS (see below)

λD = Rate of dangerous (D) failures, including both undetected as well as detected failures. λD = λDU + λDD (see below)

λDU = Rate of dangerous undetected failures, i.e. failures undetected both by automatic self-test and by personnel

λDD = Rate of dangerous detected failures, i.e. failures detected by automatic self-test or personnel

λS = Rate of safe (spurious trip) failures, including both undetected as well as detected failures. λS = λSU + λSD (see below)

λSU = Rate of safe (spurious trip) undetected failures, i.e. undetected both by automatic self-test and personnel

λSD = Rate of safe (spurious trip) detected failures, i.e. detected by automatic self-test or personnel

λundet = Rate of (critical) failures that are undetected both by automatic self-test and by personnel (i.e., detected in functional testing only). λundet = λDU + λSU

λdet = Rate of (critical) failures that are detected by automatic self-test or personnel (independent of functional testing). λdet = λDD + λSD

c = Coverage: percentage of critical failures detected either by the automatic self-test or (incidentally) by personnel observation

cD = Coverage of dangerous failures. cD = (λDD / λD) · 100%. Note that λDU then can be calculated as: λDU = λD · (1 - cD / 100%)

cS = Coverage of safe (spurious trip) failures. cS = (λSD / λS) · 100%. Note that λSU then can be calculated as: λSU = λS · (1 - cS / 100%)

r = Fraction of dangerous undetected (DU) failures originating from random hardware failures (1 - r will then be the fraction originating from systematic failures)

SFF = Safe failure fraction = (1 - λDU / λcrit) · 100 %

β = The fraction of failures of a single component that causes both components of a redundant pair to fail “simultaneously”

CMooN = Modification factor for voting configurations other than 1oo2 in the beta-factor model (e.g. 1oo3, 2oo3 and 2oo4 voting logics)

2.2.2 Decomposition of Failure Rate

Some important relationships between different fractions of the critical failure rate are illustrated in Table 1 and Figure 1.


Table 1 Decomposition of critical failure rate, λcrit

                 Spurious trip failures   Dangerous failures   Sum
  Undetected     λSU                      λDU                  λundet
  Detected       λSD                      λDD                  λdet
  Sum            λS                       λD                   λcrit

Figure 1 Decomposition of critical failure rate, λcrit
[Figure: λcrit split into λundet (λDU: dangerous failure, undetected by automatic self-test or personnel; λSU: safe (spurious trip) failure, undetected by automatic self-test or personnel) and λdet (λDD, λSD); the figure marks the rates that contribute to SFF (Safe Failure Fraction).]

2.3 Reliability Measures and Notation

Table 2 lists some performance measures for safety and reliability, and some other main parameters in the PDS method. A more complete description is found in the updated PDS Method Handbook, 2010 Edition, [10].

Table 2 Performance measures and reliability parameters

PFD: Probability of failure on demand. This is the measure for loss of safety caused by dangerous undetected failures, see section 4.3.

PTIF: Probability of a test independent failure. This is the measure for loss of safety caused by a failure not detectable by functional testing, but occurring upon a true demand (see section 4.3).

CSU: Critical safety unavailability, CSU = PFD + PTIF

MTTR: Mean time to restoration. Time from failure is detected/revealed until function is restored (“restoration period”). Note that this restoration period may depend on a number of factors. It can be different for detected and undetected failures: the undetected failures are revealed and handled by functional testing and could have shorter MTTR than the detected failures. The MTTR could also depend on configuration, operational philosophy and failure multiplicity.

STR: Spurious trip rate. Rate of spurious trips of the safety system (or set of redundant components), taking into consideration the voting configuration.

τ: Interval of functional test (time between functional tests of a component)

2.4 Reliability Parameters

In this section some of the reliability parameters defined above are further discussed.

2.4.1 Rate of Dangerous Undetected Failures

As discussed in section 2.2.2, the critical failure rate, λcrit, is split into dangerous and safe failures (i.e. λcrit = λD + λS), which are further split into detected and undetected failures. When performing safety unavailability calculations, the rate of dangerous undetected failures, λDU, is of special importance, since this parameter - together with the test interval - to a large degree governs the prediction of how often a safety function is likely to fail on demand.

Equipment specific failure data reports prepared by manufacturers (or others) often provide λDU estimates that are an order of magnitude (or even more) lower than those reported in generic data handbooks. There may be several causes for such exaggerated claims of performance, including imprecise definition of equipment and analysis boundaries, incorrect failure classification or too optimistic predictions of the diagnostic coverage factor (see e.g. [20]).

When studying the background data for generic failure rates (λDU) presented in data sources such as OREDA and RNNP, it is found that these data include both random hardware failures as well as systematic failures. Examples of the latter include incorrect parameter settings for a pressure transmitter, an erroneous output from the control logic due to a failure during software modification, or a PSV which fails due to excessive internal erosion or corrosion. These are all failures that are detectable during functional testing and therefore illustrate the fact that systematic failures may well be part of the λDU for generic data. Since failure rates provided by manufacturers frequently tend to exclude all types of failures related to installation, commissioning or operation of the equipment (i.e. systematic type of failures), a mismatch between manufacturer data and generic data appears. Our question then becomes - since systematic failures inevitably will occur - why not include these failures in predictive reliability analyses?

In order to make explicit that the failure rate will comprise random hardware failures as well as systematic failures, the parameter r has therefore been defined as the fraction of dangerous undetected failures originating from random hardware failures. Rough estimates of the r factor are given in the detailed data sheets in chapter 5. For a more thorough discussion and arguments concerning the r factor, reference is made to [10].
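The relations of section 2.2.1 and Table 1, the CSU = PFD + PTIF measure of Table 2 and the r-fraction of section 2.4.1 carried through in Python, as an added example that is not part of the handbook. It uses λD = 1.8 and λS = 3.9 per 10^6 hrs with cD = 70 % and cS = N/A from the IR gas detector fragment at the end of this page; the single-component approximation PFD ≈ λDU·τ/2, the yearly test interval and the treatment of cS = N/A as "no detection credited" are assumptions made here, not the handbook's.

```python
"""Worked example (added here, not taken from the handbook) of the failure
rate notation in section 2.2.1 and Table 1, the measures SFF and
CSU = PFD + PTIF (Table 2) and the r-fraction of section 2.4.1.
Rates are per 10^6 hours as in the data sheets. PFD ~= lambda_DU * tau / 2
for one periodically tested component is an assumption made here; the
handbook's own PFD formulas are in its chapter 4, not on this page."""
import math
from dataclasses import dataclass
from typing import Optional, Tuple

PER_1E6_HOURS = 1e-6  # scale factor for rates quoted "per 10^6 hrs"


@dataclass(frozen=True)
class CriticalFailureRates:
    """The four inner cells of Table 1; all sums are derived from them."""
    lambda_du: float  # dangerous, undetected by self-test and by personnel
    lambda_dd: float  # dangerous, detected by self-test or personnel
    lambda_su: float  # safe (spurious trip), undetected
    lambda_sd: float  # safe (spurious trip), detected

    @property
    def lambda_d(self) -> float:
        return self.lambda_du + self.lambda_dd

    @property
    def lambda_s(self) -> float:
        return self.lambda_su + self.lambda_sd

    @property
    def lambda_undet(self) -> float:
        return self.lambda_du + self.lambda_su

    @property
    def lambda_det(self) -> float:
        return self.lambda_dd + self.lambda_sd

    @property
    def lambda_crit(self) -> float:
        return self.lambda_d + self.lambda_s

    def table1_is_consistent(self) -> bool:
        """Row sums (undetected + detected) and column sums (S + D) of
        Table 1 must both add up to lambda_crit."""
        return math.isclose(self.lambda_undet + self.lambda_det, self.lambda_crit)


def decompose(lambda_d: float, lambda_s: float, c_d: float,
              c_s: Optional[float]) -> CriticalFailureRates:
    """Section 2.2.1: lambda_DD = lambda_D * cD/100 %, lambda_DU = lambda_D * (1 - cD/100 %),
    and the same with cS for safe failures. Coverages are percentages.
    c_s=None mirrors a data sheet entry 'cS = N/A'; the choice made here (an
    assumption) credits no detection of safe failures in that case."""
    if lambda_d < 0.0 or lambda_s < 0.0:
        raise ValueError("failure rates must be non-negative")
    for name, value in (("c_d", c_d), ("c_s", c_s)):
        if value is not None and not 0.0 <= value <= 100.0:
            raise ValueError(f"{name} must be a percentage in [0, 100], got {value}")
    lambda_dd = lambda_d * c_d / 100.0
    lambda_du = lambda_d - lambda_dd  # = lambda_D * (1 - cD / 100 %)
    lambda_sd = 0.0 if c_s is None else lambda_s * c_s / 100.0
    lambda_su = lambda_s - lambda_sd
    return CriticalFailureRates(lambda_du, lambda_dd, lambda_su, lambda_sd)


def safe_failure_fraction(rates: CriticalFailureRates) -> float:
    """SFF = (1 - lambda_DU / lambda_crit) * 100 %, as defined in section 2.2.1."""
    if rates.lambda_crit == 0.0:
        raise ValueError("SFF is undefined when lambda_crit is zero")
    return (1.0 - rates.lambda_du / rates.lambda_crit) * 100.0


def pfd_single_component(lambda_du_per_1e6h: float, tau_hours: float) -> float:
    """Assumed approximation PFD ~= lambda_DU * tau / 2 for one component that
    is only checked by functional testing at interval tau (Table 2)."""
    if tau_hours <= 0.0:
        raise ValueError("the functional test interval tau must be positive")
    return lambda_du_per_1e6h * PER_1E6_HOURS * tau_hours / 2.0


def critical_safety_unavailability(pfd: float, p_tif: float) -> float:
    """CSU = PFD + PTIF (Table 2): DU failures revealed by functional testing
    plus test independent failures that only show up on a true demand."""
    return pfd + p_tif


def split_du_by_cause(lambda_du: float, r: float) -> Tuple[float, float]:
    """Section 2.4.1: r is the fraction of lambda_DU due to random hardware
    failures; 1 - r is the systematic part that manufacturer figures tend to
    leave out. Returns (random_hardware_part, systematic_part)."""
    if not 0.0 <= r <= 1.0:
        raise ValueError(f"r must be in [0, 1], got {r}")
    return lambda_du * r, lambda_du * (1.0 - r)
```

For the detector inputs, decompose(1.8, 3.9, 70.0, None) gives λcrit = 5.7 and λDU = 0.54 per 10^6 hrs, hence SFF ≈ 90.5 % and, with τ = 8760 h, PFD ≈ 2.4·10^-3.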


2.4.2 The Coverage Factor, c

Modules often have built-in automatic self-test, i.e. on-line diagnostic testing to detect failures prior to an actual demand 2. The fraction of failures being detected by the automatic self-test is called the fault coverage and quantifies the effect of the self-test. Note that the actual effect on system performance from a failure that is detected by the automatic self-test will depend on system configuration and operating philosophy. In particular it should be considered whether the detected failure is configured to only raise an alarm or alternatively bring the system to a safe state. It is often seen that failures classified as dangerous detected only raise an alarm and in such case it must be ensured that the failure initiates an immediate response in the form of a repair and/or introduction of risk reducing measures. In addition to the diagnostic self-test, an operator or maintenance crew may detect dangerous failures incidentally in between tests. For instance, the panel operator may detect a transmitter that is “stuck” or a sensor that has been left in by-pass. Similarly, when a process segment is isolated for maintenance, the operator may detect that one of the valves will not close. The PDS method also aims at incorporating this effect, and defines the total coverage factor; c reflecting detection both by automatic self-test and by operator. Further, the coverage factor for dangerous failures is denoted cD whereas the coverage factor for safe failures is denoted cS. Critical failures that are not detected by automatic self-testing or by observation are assumed either to be detectable by functional (proof) testing 3 or they are so called test independent failures (TIF) that are not detected during a functional test but appear upon a true demand (see section 2.3 and chapter 4 for further description). 
It should be noted that the term “detected safe failure” (of rate λS) is interpreted as a failure which is detected such that a spurious trip is actually avoided. Hence, a spurious closure of a valve which is detected by, e.g., flow metering downstream of the valve cannot be categorised as a detected safe failure. On the other hand, drifting of a pressure transmitter which is detected by the operator, such that a shutdown is avoided, will typically be a detected safe failure.
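The arithmetic behind the “Recommended Values for Calculation” tables in the data dossiers (chapter 5) follows directly from the definitions above: the undetected dangerous rate is the total dangerous rate times the fraction not covered, λDU = λD·(1 − cD), the undetected safe rate is λSU = λS·(1 − cS), and λcrit = λD + λS. The following Python is an added example written for this page, not code from the handbook or the PDS Forum; it reproduces those derived columns from the dossier inputs and also evaluates the safe failure fraction (SFF) in the IEC 61508 sense, which several reference rows quote. The dossier values used as sample inputs are copied from the IR line gas detector dossier in section 5.1.9; the rounding to one decimal mirrors how most dossiers print their figures and is an assumption of the example.

```python
"""Derived entries of a PDS data dossier from its inputs (added example, not handbook code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RecommendedValues:
    """The 'Recommended Values for Calculation' inputs of one data dossier.

    All rates are per 10^6 hours, as printed in the handbook; cD and cS are the
    total coverage factors (self-test plus operator) defined in section 2.4.2.
    """
    component: str
    lambda_d: float  # λD: total rate of dangerous failures
    c_d: float       # cD: coverage of dangerous failures
    lambda_s: float  # λS: total rate of safe (spurious trip) failures
    c_s: float       # cS: coverage of safe failures


def undetected_rate(total_rate: float, coverage: float) -> float:
    """Rate of failures that neither self-test nor casual observation reveals.

    λDU = λD · (1 − cD) and, in the same way, λSU = λS · (1 − cS).
    """
    if not 0.0 <= coverage <= 1.0:
        raise ValueError(f"coverage must lie in [0, 1], got {coverage}")
    if total_rate < 0.0:
        raise ValueError(f"failure rate must be non-negative, got {total_rate}")
    return total_rate * (1.0 - coverage)


def derive(rv: RecommendedValues) -> dict:
    """Return the derived dossier columns, rounded to one decimal as most
    dossiers print them (rounding convention assumed by this example)."""
    lam_du = undetected_rate(rv.lambda_d, rv.c_d)
    lam_su = undetected_rate(rv.lambda_s, rv.c_s)
    return {
        "lambda_du": round(lam_du, 1),                        # undetected dangerous
        "lambda_dd": round(rv.lambda_d - lam_du, 1),          # detected dangerous
        "lambda_su": round(lam_su, 1),                        # undetected safe
        "lambda_crit": round(rv.lambda_d + rv.lambda_s, 1),   # λcrit = λD + λS
    }


def safe_failure_fraction(lam_sd: float, lam_su: float,
                          lam_dd: float, lam_du: float) -> float:
    """IEC 61508 safe failure fraction:
    (λSD + λSU + λDD) / (λSD + λSU + λDD + λDU)."""
    total = lam_sd + lam_su + lam_dd + lam_du
    if total <= 0.0:
        raise ValueError("total failure rate must be positive")
    return (lam_sd + lam_su + lam_dd) / total


# Inputs copied from the IR line gas detector dossier (section 5.1.9).
IR_LINE = RecommendedValues("IR line gas detector", 2.8, 0.75, 2.2, 0.50)

if __name__ == "__main__":
    samples = (
        IR_LINE,
        RecommendedValues("Smoke detector", 1.2, 0.40, 2.0, 0.30),        # section 5.1.10
        RecommendedValues("Standard industrial PLC, CPU", 8.8, 0.6, 8.8, 0.2),  # section 5.2.1.2
    )
    for rv in samples:
        print(rv.component, derive(rv))
```

Running the script prints, for each sample, the same λDU, λSU and λcrit figures that the corresponding dossier lists in its “Undetected rate” and “Total rate” columns; the detected dangerous rate λDD, which the dossiers do not print but which the Exida reference rows quote, falls out as the remainder.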

2.4.3 Beta-factors and CMooN

When quantifying the reliability of systems employing redundancy, e.g., duplicated or triplicated systems, it is essential to distinguish between independent and dependent failures. Random hardware failures due to natural stressors are assumed to be independent failures. However, all systematic failures, e.g. failures due to excessive stresses, design related failures and maintenance errors are by nature dependent (common cause) failures. Dependent failures can lead to simultaneous failure of more than one (redundant) component in the safety system, and thus reduce the advantage of redundancy. Traditionally, the dependent or common cause failures have been accounted for by the β-factor approach. The problem with this approach has been that for any M-out-of-N (MooN) voting (M

Failure Rate References (continued from the preceding data dossier; overall failure rates per 10^6 hrs)
• Recommended values for calculation in 2003 edition, [14] 1): λcrit = 3.6, λD / λST = 11; λDU = 0.7, λSTU = 0.1; PTIF = 1·10^-3 – 6·10^-3 1,2).
• OREDA phase V-VI database, [6], [8]; data relevant for IR gas detectors: λcrit = 5.7; λD = 1.8, λS = 3.9; observed cD = 70%, cS = N/A. Filter: Inv. Equipment class = Fire & Gas Detectors AND (Inv. OREDA Phase = 5 OR Inv. Phase = 6) AND Inv. Equipment type = Hydrocarbon gas AND Inv. Att. Sensing principle = IR. No. of inventories = 221, no. of critical failures = 41, no. of critical D failures = 13, no. of critical S failures = 28, surveillance time = 7 209 840 hours.
• OREDA phase IV database, [6]; data relevant for IR gas detectors: λcrit = 3.5 (D: 3.5, ST: 0.0); observed cD = 100%, cST = N/A. Filter: Inv. Equipment class = Fire & Gas Detectors AND (Inv. Att. Sensing principle = IR OR Inv. Att. Sensing principle = IR/UV) AND Inv. Phase = 4 AND Fail. Severity Class = Critical. No. of inventories = 54, no. of critical D failures = 4, no. of critical ST failures = 0, cal. time = 1 148 472 hrs.
• Exida [15]: Generic IR gas detector: λDU = 0.4; SFF = 78%.
• Oseberg C, [18]; data relevant for conventional IR gas detectors: λcrit = 4.1 (Ddet: 2.9, Dundet: 1.2, STdet: 0, STundet: 0). No. of inventories = 41, total no. of failures = 26 (4 critical), time = 977 472 hrs. Note! Only failures classified as "critical" are included in the failure rate estimates.
1) Range gives values for small to large gas leaks (large gas leaks are leaks > 1 kg/s).
2) Average over ventilation type and worst conditions.

5.1.9 IR Line Gas Detector

PDS Reliability Data Dossier. Module: Input Devices. Component: IR Line Gas Detector.

Description / equipment boundaries: The detector includes the sensor and local electronics such as the address-/interface unit.
Date of Revision: 2009-12-18
Remarks: none

Recommended Values for Calculation (rates per 10^6 hrs)
    Total rate          Coverage        Undetected rate
    λD = 2.8            cD = 0.75       λDU = 0.7
    λS = 2.2            cS = 0.50       λSU = 1.1
    λcrit = 5.0
    PTIF = 1·10^-3      r = 0.4

Assessment: The failure rate estimate is an update of the previous estimate in the 2006 handbook and is based on previous estimates as well as additional information on IR detectors from OREDA phase VI (only new data on IR point detectors). It should be noted that data on IR line detectors are scarce, and therefore experience from IR point detectors has been applied. As for IR point detectors, the rate of DU failures has been estimated assuming a coverage for dangerous failures of 75%, whereas for safe failures a coverage of 50% has been assumed. The coverage values are given assuming that the detectors have built-in self-test and monitoring of the optical path. It is then implicitly assumed that the connected system has the ability to discriminate detected failures without shutting down (e.g. a 3 mA signal gives an alarm, not a shutdown). The PTIF is based on expert judgement and on the assumption that the detectors are exposed. The estimated r value is based on observed failure causes for critical detector failures (40% “expected wear and tear” and 60% “maintenance errors”). A summary of some of the main arguments is provided in section 3.3.

Failure Rate References (overall failure rates per 10^6 hrs)
• Recommended values for calculation in 2006 edition, [12]: λcrit = 5.3; λD = 3.3, λDU = 0.7, λSTU = 0.6; PTIF = 1·10^-3; assumed cD = 80%.
• Recommended values for calculation in 2004 edition, [13] 1,2): λcrit = 5.3; λD = 3.3, λDU = 0.7, λSTU = 0.6; PTIF = 1·10^-2 – 6·10^-2; assumed cD = 80% 1).
• Previously recommended values for calculation in 2003 edition, [14] 1): λcrit = 3.6, λD / λST = 11; λDU = 0.7, λSTU = 0.1; PTIF = 1·10^-2 – 6·10^-2 1,2).
• OREDA phase IV+V database [6], [4]; data relevant for conventional IR gas detectors: λcrit = 4.1 (D: 4.1, ST: 0.0); observed cD = 100%, cST = N/A. Filter: Inv. Equipment class = Fire & Gas Detectors AND Inv. Design Class = Hydrocarbon gas AND Inv. Att. Sensing principle = PH-EL BEAM AND Inv. OREDA Phase = 4 + 5 AND Fail. Severity Class = Critical. No. of inventories = 55, no. of critical D failures = 5, no. of critical ST failures = 0, cal. time = 1 202 472 hrs.
1) Range gives values for small to large gas leaks (large gas leaks are leaks > 1 kg/s).
2) Average over ventilation type and worst conditions.

5.1.10 Smoke Detector

PDS Reliability Data Dossier. Module: Input Devices. Component: Smoke Detector.

Description / equipment boundaries: The detector includes the sensor and local electronics such as the address-/interface unit.
Date of Revision: 2009-12-18
Remarks: Fire central not included.

Recommended Values for Calculation (rates per 10^6 hrs)
    Total rate          Coverage        Undetected rate
    λD = 1.2            cD = 0.40       λDU = 0.7
    λS = 2.0            cS = 0.30       λSU = 1.4
    λcrit = 3.2
    PTIF = 1·10^-3      r = 0.4

Assessment: The failure rate estimate is an update of the 2006 figure, which was primarily based on OREDA phase III as well as some phase V data. The rate of DU failures is still estimated assuming a coverage of 40% (the coverage observed in OREDA phase III, incomplete and complete, was 29% and 50%, respectively). The rates of dangerous and safe failures have been slightly decreased based on observations from failure reviews and later OREDA phases. For safe failures a coverage of 30%, mainly based on OREDA phase III observations as well as expert judgement, has been assumed. It should be noted that for some types of smoke detectors with more extensive self-test, the coverage may be significantly higher; this must be assessed for each specific detector type. The PTIF is based on expert judgement and on the assumption that the detectors are exposed. The estimated r value is based on observed failure causes for critical detector failures (40% “expected wear and tear” and 60% “maintenance errors”). A summary of some of the main arguments is provided in section 3.3.

Failure Rate References (overall failure rates per 10^6 hrs)
• Recommended values for calculation in 2006 edition, [12]: λcrit = 3.7; λD = 1.3, λDU = 0.8, λSTU = 1.4; PTIF = 10^-3; assumed cD = 40%.
• Recommended values for calculation in 2004 and 2003 editions, [13], [14]: λcrit = 3.7; λD = 1.3, λDU = 0.8, λSTU = 1.2; PTIF = 10^-3 – 0.05 1); assumed cD = 40%. 1) The range represents different types of fires (smoke/flame).
• OREDA phase V database [6]; data relevant for smoke/combustion detectors: λcrit = 0.0 (D: 0.0, ST: 0.0); observed cD = N/A, cST = N/A. Filter: Inv. Equipment class = Fire & Gas Detectors AND Inv. Design Class = Smoke/Combustion AND Inv. Phase = 5 AND Fail. Severity Class = Critical. No. of inventories = 103, no. of critical D failures = 0, no. of critical ST failures = 0, surveillance time = 3 238 320 hours.
• OREDA phase III database, [8]; data relevant for smoke/combustion detectors. Both conventional (65%) and addressable (35%) detectors are included; 56% have automatic loop test, 35% have a combination of loop and built-in self-test, and the remaining 9% have no self-test feature: λcrit = 3.7 (D: 1.0, SPO: 2.7); observed cD = 29% (calculated including only detectors having some kind of self-test arrangement). No. of inventories = 1 897, total no. of failures = 218, cal. time = 50 374 800 hrs. Note! Only failures classified as "critical" are included in the failure rate estimates.
• Data from review of safety critical failures on a Norwegian onshore plant; data applicable for optical smoke detectors: λDU = 0.3. No. of inventories = 807 detectors (460 early warning), no. of critical DU failures = 2 1), cal. time = 7 069 320 hrs 2). 1) The failure review focused on DU failures, but classification of other failure modes was also performed; no DD or safe failures were registered. 2) One year of operation.
• Data from review of safety critical failures on a Norwegian semi-submersible platform; data applicable for optical smoke detectors: λDU = 0.6. No. of inventories = 788 detectors, no. of critical DU failures = 8 1), cal. time = 13 805 760 hrs 2). 1) The failure review focused on DU failures; in addition 10 DD and 14 safe failures were registered. 2) Two years of operation.
• Exida [15]: Generic smoke (ionization) detector: λDU = 1.65, λSU = 3.85, SFF = 70%.

5.1.11 Heat Detector

PDS Reliability Data Dossier. Module: Input Devices. Component: Heat Detector.

Description: The detector includes the sensor and local electronics such as the address-/interface unit.
Date of Revision: 2009-12-18
Remarks: It is assumed that the heat detectors have a digital on/off output.

Recommended Values for Calculation (rates per 10^6 hrs)
    Total rate          Coverage        Undetected rate
    λD = 1.0            cD = 0.40       λDU = 0.6
    λS = 1.5            cS = 0.40       λSU = 0.9
    λcrit = 2.5
    PTIF = 1·10^-3      r = 0.4

Assessment: The failure rate estimate is an update of the figures in the 2006 handbook. The rate of D failures is estimated assuming a coverage of 40% (observed in OREDA phase III, incomplete and complete, to be 50% and 36%, respectively). The rate of safe failures is estimated assuming a coverage of 40% (previously assumed to be 20%; observed in OREDA (complete) phase III to be significantly higher). The PTIF is based on expert judgement given the assumption that the detector is exposed. The estimated r value is based on observed failure causes for critical detector failures (40% “expected wear and tear” and 60% “maintenance errors”). A summary of some of the main arguments is provided in section 3.3.

Failure Rate References (overall failure rates per 10^6 hrs)
• Recommended values for calculation in 2006 edition, [12]: λcrit = 2.5; λD = 1.0, λDU = 0.6, λSTU = 0.9; PTIF = 10^-3; assumed cD = 50%.
• Recommended values for calculation in 2004 edition, [13]: λcrit = 2.4; λD = 0.9, λDU = 0.5, λSTU = 0.8; PTIF = 0.05 – 0.5 1); assumed cD = 50% 1). 1) The range represents the occurrence of different types of fires (smoke/flame).
• Previously recommended values for calculation in 2003 edition [12]: λcrit = 2.4, λD / λST = 0.6; λDU = 0.5, λSTU = 0.75; PTIF = 0.05 – 0.5 1). 1) The range represents the occurrence of different types of fires (smoke/flame).
• OREDA phase V database [6]; data relevant for heat detectors: λcrit = 0.00 (D: 0.00, ST: 0.00); observed cD = N/A, cST = N/A. Filter: Inv. Equipment class = Fire & Gas Detectors AND Inv. Design Class = Heat AND Inv. Phase = 5 AND Fail. Severity Class = Critical. No. of inventories = 23, no. of critical D failures = 0, no. of critical ST failures = 0, surveillance time = 723 120 hours.
• OREDA phase III database [8]; data relevant for conventional heat detectors. Both rate-of-rise (23%) and rate-compensated (77%) detectors are included. Of the detectors, 89% have automatic loop test and the remaining 11% have no self-test feature: λcrit = 2.21 (D: 0.82, SPO: 1.39); observed cD = 50% (calculated including only detectors having some kind of self-test arrangement). No. of inventories = 865, total no. of failures = 79, cal. time = 24 470 588 hrs. Note! Only failures classified as "critical" are included in the failure rate estimates.
• Exida [15]: Generic heat detector: λDU = 1.9, λSU = 3.6, SFF = 65%.

5.1.12 Flame Detector

PDS Reliability Data Dossier. Module: Input Devices. Component: Flame Detector.

Description: The detector includes the sensor and local electronics such as the address/interface unit.
Date of Revision: 2006-01-27
Remarks: Combined sample of IR, UV and IR/UV detectors.

Recommended Values for Calculation (rates per 10^6 hrs)
    Total rate          Coverage        Undetected rate
    λD = 2.7            cD = 0.70       λDU = 0.8
    λS = 3.8            cS = 0.50       λSU = 1.9
    λcrit = 6.5
    PTIF = 1·10^-3      r = 0.4

Failure Rate Assessment: The failure rate estimate is an update of the previous estimate in the 2006 handbook [12] (primarily based on OREDA phase III data). The rate of dangerous failures has been slightly reduced as compared to the 2006 estimate due to input from operational reviews. The coverage for D failures has been assumed to be 70% based on expert judgement. The rate of safe failures is estimated assuming a coverage of 50%. It should be noted that these coverage values assume that the detectors have built-in self-test and monitoring of the optics. The PTIF is based on expert judgement and has been updated based on the fact that the detectors are now assumed exposed. The estimated r value is based on observed failure causes for critical detector failures (50% “expected wear and tear” and 50% “maintenance errors”). A summary of some of the main arguments is provided in section 3.3.

Failure Rate References (overall failure rates per 10^6 hrs)
• Recommended values for calculation in 2006 edition, [12]: λcrit = 6.8; λD = 3.0, λDU = 0.95, λSTU = 1.5; PTIF = 1·10^-3; assumed cD = 70%.
• Recommended values for calculation in 2004 edition, [13]: λcrit = 2.4; λD = 0.9, λDU = 0.5, λSTU = 0.8; PTIF = 3·10^-4 – 0.5 1); assumed cD = 60% 1). 1) The range represents the occurrence of different types of fires (smoke/flame).
• Previously recommended values for calculation in 2003 edition [14]: λcrit = 8.3, λD / λST = 1.0; λDU = 2.1, λSTU = 2.1; PTIF = 3·10^-4 – 0.5 1). 1) The range represents the occurrence of different types of fires (smoke/flame).
• OREDA phase V database [6]; data relevant for conventional flame detectors: λcrit = 0.7 (D: 0.0, ST: 0.7); observed cD = N/A, cST,Casual = N/A. Filter: Inv. Equipment class = Fire & Gas Detectors AND Inv. Design Class = Flame AND Inv. Phase = 5 AND Fail. Severity Class = Critical. No. of inventories = 27, no. of critical D failures = 0, no. of critical ST failures = 1, surveillance time = 1 686 096 hours.
• OREDA phase III database [8]; data relevant for conventional flame detectors. IR (52%), UV (13%) and combined IR/UV (35%) detectors are included. Of the detectors, 75% have automatic loop test, 3% have built-in self-test, 15% have a combination of automatic loop and built-in self-test, and the remaining 11% have no self-test feature: λcrit = 7.2 (D: 3.2, SPO: 4.0); observed cD = 48% (calculated including only detectors having some kind of self-test arrangement). No. of inventories = 1 010, no. of failures = 292, cal. time = 23 136 820 hrs. Note! Only failures classified as "critical" are included in the failure rate estimates.
• Data from review of safety critical failures on a Norwegian onshore plant; data applicable for IR flame detectors: λDU = 1.4. No. of inventories = 580 detectors, no. of critical DU failures = 7 1), cal. time = 5 080 800 hrs 2). 1) The review focused on DU failures, but classification of other failure modes was also performed; 2 DD and 43 safe failures were also registered. 2) One year of operation.
• Data from review of safety critical failures on a Norwegian semi-submersible platform; data applicable for IR flame detectors: λDU = 0.2 1). No. of inventories = 241 detectors, no. of critical DU failures = 0 2), cal. time = 4 222 321 hrs 3). 1) When assuming one failure (occurring tomorrow). 2) The failure review focused on DU failures, but classification of other failure modes was also performed; 3 DD and 3 safe failures were also registered. 3) Two years of operation.
• Exida [15]: Generic fire/flame detector: λDU = 1.8; SFF = 69%.
• Oseberg C report [18]; data relevant for IR flame detectors: λcrit = 4.5 (D: 2.0, ST: 2.5). No. of inventories = 162, no. of failures = 30 (18 critical), time = 3 978 240 hrs. Note! It is assumed that only failures classified as "critical" are included in the failure rate estimates.

5.1.13 H2S Detector

PDS Reliability Data Dossier. Module: Input Devices. Component: Catalytic H2S Detector.

Description / equipment boundaries: The detector includes the sensor and local electronics such as the address-/interface unit.
Date of Revision: 2009-12-18
Remarks: none

Recommended Values for Calculation (rates per 10^6 hrs)
    Total rate          Coverage        Undetected rate
    λD = 1.0            cD = 0.50       λDU = 0.5
    λS = 0.3            cS = 0.30       λSU = 0.2
    λcrit = 1.3
    PTIF = 5·10^-4      r = 0.4

Failure Rate Assessment: The failure rate estimate is based on OREDA phase V data as well as expert judgement and other data sources. The rate of DU failures is primarily based on reported “Fail to function on demand” failures, although in OREDA phase V these failures have been reported as degraded instead of critical failures. The coverage factors for dangerous and safe failures are assumed to be similar to those for catalytic gas detectors. The same distribution between dangerous and safe failures as for catalytic gas detectors is also assumed. The PTIF is based on expert judgement and on the assumption that the detectors are exposed. The estimated r value is assumed to be the same as for catalytic gas detectors. A summary of some of the main arguments is provided in section 3.3.

Failure Rate References (overall failure rates per 10^6 hrs)
• OREDA phase V database, [6]; data relevant for H2S gas detectors: λDU = 0.4 (based on reported “Fail to function on demand” failures). Filter: Inv. Equipment class = Fire & Gas Detectors AND Inv. Equipment type = H2S gas AND Inv. Att. Sensing principle = H2S gas AND Inv. Phase = 5. No. of inventories = 542, no. of critical failures = 0, no. of degraded failures = 157, no. of fail to function failures = 6, surveillance time = 16 769 160 hours.
• Exida [15]: Toxic (electrochemical) gas sensor, infrequent presence of toxic gas: λDU = 0.4, λSU = 0.2, SFF = 93%.
• Exida [15]: Toxic (electrochemical) gas sensor, normal presence of toxic gas: λDU = 1.95, λSU = 0.2, SFF = 67%.

5.1.14 ESD Push Button

PDS Reliability Data Dossier. Module: Input Devices. Component: ESD Push Button.

Description / equipment boundaries: Pushbutton including wiring.
Date of Revision: 2009-12-18
Remarks: It is assumed that line monitoring and termination resistors are implemented.

Recommended Values for Calculation (rates per 10^6 hrs)
    Total rate          Coverage        Undetected rate
    λD = 0.5            cD = 0.20       λDU = 0.4
    λS = 0.3            cS = 0.10       λSU = 0.3
    λcrit = 0.8
    PTIF = 1·10^-5      r = 0.8

Failure Rate Assessment: The failure rate is based on all listed data sources, also taking into account some expert judgements. As compared to the 2006 estimate, some additional experience from two operational reviews has been added. The PTIF as well as the r value are entirely based on expert judgement. A summary of some of the main arguments is provided in section 3.3.

Failure Rate References (overall failure rates per 10^6 hrs)
• Previously recommended values for calculation in 2006 edition: λcrit = 0.9; λD = 0.5, λDU = 0.4, λSTU = 0.4; PTIF = 10^-5; assumed cD = 20%.
• Previously recommended values for calculation in 2003 and 2004 editions, [13] and [14]: λcrit = 1.1; λD = 0.3, λDU = 0.2, λSTU = 0.6; PTIF = 10^-5; assumed cD = 20%.
• Data from review of safety critical failures on a Norwegian onshore plant; data applicable for manual initiators / pushbuttons: λDU = 1.2. No. of inventories = 93, no. of critical DU failures = 1 1), cal. time = 814 680 hrs 2). 1) The review focused on DU failures; no failures were classified as DD or safe. 2) One year of operation.
• Data from review of safety critical failures on a Norwegian semi-submersible platform; data applicable for manual initiators / pushbuttons: λDU = 0.2 1), λS = 0.2 1). No. of inventories = 203, no. of critical DU failures = 0 2), cal. time = 3 556 560 hrs 3). 1) When adding the experience from the onshore plant and the offshore installation together. 2) The failure review focused on DU failures; 1 additional failure was classified as safe. 3)
• Exida [15]: Generic push button: λDU = 0.8, λSU = 0.2, SFF = 20%.
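The operational-review and OREDA rows in the dossiers above are all point estimates of the same form, number of failures divided by accumulated calendar time and scaled to per 10^6 hrs, and two of the rows show conventions worth making explicit: the push button review pools the onshore and offshore populations into one λDU, and the flame detector review with zero DU failures reports the rate obtained “when assuming one failure (occurring tomorrow)”. The following Python is an added example written for this page, not code from the handbook; the sample records are constructed from the counts and calendar times quoted in the push button, flame detector and smoke detector dossiers, and the observed-coverage helper applies the cD definition from section 2.4.2 (cD = DD / (DD + DU)) to the reviews that classified DD failures.

```python
"""Failure-rate point estimates from field counts (added example, not handbook code)."""
from dataclasses import dataclass
from typing import Iterable, Optional

PER_1E6_HOURS = 1.0e6


@dataclass(frozen=True)
class FailureRecord:
    """Critical failure counts over the calendar (surveillance) time of one population.

    n_dd and n_s are optional because some reviews classify DU failures only.
    """
    source: str
    hours: float                # calendar time in unit-hours
    n_du: int                   # critical dangerous undetected failures
    n_dd: Optional[int] = None  # dangerous detected failures, if classified
    n_s: Optional[int] = None   # safe (spurious) failures, if classified


def rate_per_1e6h(count: int, hours: float, assume_one_if_none: bool = False) -> float:
    """count / hours scaled to 'per 10^6 hrs'.

    With zero failures the plain estimate is 0, which says nothing about the
    population; the flame detector dossier instead reports the rate obtained
    'when assuming one failure (occurring tomorrow)', i.e. with count = 1.
    """
    if hours <= 0.0:
        raise ValueError("calendar time must be positive")
    if count < 0:
        raise ValueError("failure count must be non-negative")
    if count == 0 and assume_one_if_none:
        count = 1
    return count / hours * PER_1E6_HOURS


def pooled_du_rate(records: Iterable[FailureRecord]) -> float:
    """Pool populations: total DU failures over total hours, as the push button
    dossier does for onshore plus offshore experience."""
    recs = list(records)
    return rate_per_1e6h(sum(r.n_du for r in recs), sum(r.hours for r in recs))


def observed_coverage(record: FailureRecord) -> Optional[float]:
    """Observed cD = DD / (DD + DU); None when DD was not classified or no
    dangerous failure occurred (the dossiers print N/A in both cases)."""
    if record.n_dd is None:
        return None
    dangerous = record.n_dd + record.n_du
    return None if dangerous == 0 else record.n_dd / dangerous


# Constructed from the counts quoted in the dossiers (sections 5.1.14, 5.1.12, 5.1.10).
ONSHORE_PB = FailureRecord("onshore plant, manual initiators", 814_680, n_du=1, n_dd=0, n_s=0)
OFFSHORE_PB = FailureRecord("semi-submersible, manual initiators", 3_556_560, n_du=0, n_s=1)
OFFSHORE_FLAME = FailureRecord("semi-submersible, IR flame detectors", 4_222_321, n_du=0, n_dd=3, n_s=3)
OFFSHORE_SMOKE = FailureRecord("semi-submersible, optical smoke detectors", 13_805_760, n_du=8, n_dd=10, n_s=14)

if __name__ == "__main__":
    print("onshore push button λDU:", round(rate_per_1e6h(ONSHORE_PB.n_du, ONSHORE_PB.hours), 1))
    print("pooled push button λDU:", round(pooled_du_rate([ONSHORE_PB, OFFSHORE_PB]), 1))
    print("flame, zero failures, one assumed:",
          round(rate_per_1e6h(OFFSHORE_FLAME.n_du, OFFSHORE_FLAME.hours, assume_one_if_none=True), 1))
    print("smoke, observed cD:", observed_coverage(OFFSHORE_SMOKE))
```

The first three printed values reproduce the λDU figures the dossiers give for those rows (1.2, 0.2 and 0.2 per 10^6 hrs); the last one is a quantity the smoke detector row does not print, since that review only lists its DD and safe counts in a footnote.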

5.2 Control Logic Units

Below, reliability figures for control logic units are given. Data are given for standard industrial PLCs, programmable safety systems and hardwired safety systems respectively. The following general assumptions and notes apply throughout sections 5.2.1 to 5.2.3:
• A single system with analogue input, CPU/logic and digital output configuration is generally assumed;
• For the input and output part, figures are given for one channel plus the common part of the input/output card (except for hardwired safety systems, where figures for one channel only are given);
• A single CPU / logic part is assumed throughout;
• If the figures for input and output are to be used for redundant configurations, separate input cards and output cards must be used, since the given figures assume a common part on each card;
• If separate Ex barriers or other interface devices are used, figures for these must be added separately;
• The systems are generally assumed to be used in de-energised to trip functions, i.e. loss of power or signal will result in a safe state.

5.2.1 Standard Industrial PLC

5.2.1.1 Analogue Input

PDS Reliability Data Dossier. Module: Control Logic Units – Standard Industrial PLC. Component: Analogue Input.

Description / equipment boundaries: Analogue input part of standard industrial PLC, including one analogue input channel and the common part of the input card.
Date of Revision: 2009-12-18
Remarks: The data is applicable for a non SIL rated standard industrial PLC, used for de-energised to trip functions.

Recommended Values for Calculation (rates per 10^6 hrs)
    Total rate          Coverage        Undetected rate
    λD = 1.8            cD = 0.6        λDU = 0.7
    λS = 1.8            cS = 0.2        λSU = 1.4
    λcrit = 3.6
    PTIF = N/A *        r = 0.1

Assessment: The presented failure rates are updated values from the 2006 handbook, [12], where a common failure rate was presented for input, logic and output. Since no new OREDA data for control logic have been collected in recent years, the 2006 figures were based on manufacturer data as well as judgements made by the project group. In this new edition of the handbook, safety system manufacturers (ABB, HIMA, Kongsberg and Siemens) have again been asked to provide their “best estimate failure rates”, including the percentage-wise distribution between the different elements. Based on these estimates as well as additional judgements, updated failure rates have been provided based on an assumed distribution between input, logic and output of 15%, 70% and 15% respectively. The estimated coverage factors, PTIF and r values are based on expert judgements. A summary of some of the main arguments is provided in section 3.3. *Note that for control logic units only a PTIF for the CPU is given.

Failure Rate References (overall failure rates per 10^6 hrs)
• Recommended values for calculation in 2006 edition, [12]; apply for input, logic and output (standard industrial PLC, single system): λcrit = 30; λD = 15, λDU = 5.0, λSTU = 12; PTIF = 5·10^-4; assumed coverage cD = 67%.
• Exida [15]: Analogue in – general purpose PLC (1oo1) 1): λDU = 0.3, λDD = 0.8, λSU = 0.2, λSD = 0.9 1); SFF = 84% (analogue input module + 3 ch’s.). 1) Includes one analogue in module and one channel.

5.2.1.2 Central Processing Unit (CPU)

PDS Reliability Data Dossier. Module: Control Logic Units – Standard Industrial PLC. Component: CPU.

Description / equipment boundaries: Logic part of standard industrial PLC, including single CPU, memory, watchdog, electronics, bus, communication, etc.
Date of Revision: 2009-12-18
Remarks: The data is applicable for a non SIL rated standard industrial PLC, used for de-energised to trip functions.

Recommended Values for Calculation (rates per 10^6 hrs)
    Total rate          Coverage        Undetected rate
    λD = 8.8            cD = 0.6        λDU = 3.5
    λS = 8.8            cS = 0.2        λSU = 7.0
    λcrit = 17.6
    PTIF = 5·10^-4      r = 0.1

Assessment: The presented failure rates are updated values from the 2006 handbook, [12], where a common failure rate was presented for input, logic and output. Since no new OREDA data for control logic have been collected in recent years, the 2006 figures were based on manufacturer data as well as judgements made by the project group. In this new edition of the handbook, safety system manufacturers (ABB, HIMA, Kongsberg and Siemens) have again been asked to provide their “best estimate failure rates”, including the percentage-wise distribution between the different elements. Based on these estimates as well as additional judgements, updated failure rates have been provided based on an assumed distribution between input, logic and output of 15%, 70% and 15% respectively. The estimated coverage factors, PTIF and r values are based on expert judgements. A summary of some of the main arguments is provided in section 3.3.

Failure Rate References (overall failure rates per 10^6 hrs)
• Recommended values for calculation in 2006 edition, [12]; apply for input, logic and output (standard industrial PLC, single system): λcrit = 30; λD = 15, λDU = 5.0, λSTU = 12; PTIF = 5·10^-4; assumed coverage cD = 67%.
• Recommended values for calculation in 2003 edition, [13] 1): λcrit = 32; λD = 16, λDU = 1.6, λSTU = 1.6; PTIF = 5·10^-5 – 5·10^-4; assumed coverage cD = 90% 1). 1) For TÜV certified and standard system, respectively.
• OREDA phase IV database [6]; data relevant for control logic units including I/O-cards. Both PLCs (14%) and computers (86%) are included; the control logic units are used both in ESD/PSD systems (70%) and F&G systems (30%): λcrit = 75.0 (D: 59.4, ST: 15.6); observed cD = 93%, cST = 88%. Filter: Inv. Equipment class = Control Logic Units AND Inv. Phase = 4 AND Fail. Severity Class = Critical. No. of inventories = 71, no. of critical D failures = 103, no. of critical ST failures = 27, cal. time = 1 733 664 hrs.
• Exida: Main processor – general purpose PLC (1oo1) 1): λDU = 1.5, λDD = 3.7, λSU = 0.7, λSD = 9.1 1); SFF = 85% (main processor), 99.7% (power supply). 1) Includes main processor and power supply.

5.2.1.3 Digital Output

PDS Reliability Data Dossier. Module: Control Logic Units – Standard Industrial PLC. Component: Digital Output.

Description / equipment boundaries: Digital output part of standard industrial PLC, including one digital output channel and the common part of the output card.
Date of Revision: 2009-12-18
Remarks: The data is applicable for a non SIL rated standard industrial PLC, used for de-energised to trip functions. If a relay output is used, figures for a relay should be added.

Recommended Values for Calculation (rates per 10^6 hrs)
    Total rate          Coverage        Undetected rate
    λD = 1.8            cD = 0.6        λDU = 0.7
    λS = 1.8            cS = 0.2        λSU = 1.4
    λcrit = 3.6
    PTIF = N/A *        r = 0.1

Assessment: The presented failure rates are updated values from the 2006 handbook, [12], where a common failure rate was presented for input, logic and output. Since no new OREDA data for control logic have been collected in recent years, the 2006 figures were based on manufacturer data as well as judgements made by the project group. In this new edition of the handbook, safety system manufacturers (ABB, HIMA, Kongsberg and Siemens) have again been asked to provide their “best estimate failure rates”, including the percentage-wise distribution between the different elements. Based on these estimates as well as additional judgements, updated failure rates have been provided based on an assumed distribution between input, logic and output of 15%, 70% and 15% respectively. The estimated coverage factors, PTIF and r values are based on expert judgements. A summary of some of the main arguments is provided in section 3.3. *Note that for control logic units only a PTIF for the CPU is given.

Failure Rate References (overall failure rates per 10^6 hrs)
• Recommended values for calculation in 2006 edition, [12]; apply for input, logic and output (standard industrial PLC, single system): λcrit = 30; λD = 15, λDU = 5.0, λSTU = 12; PTIF = 5·10^-4; assumed coverage cD = 67%.
• Exida [15]: Digital out – general purpose PLC (1oo1) 1): λDU = 0.2, λDD = 0.4, λSU = 0.1, λSD = 0.5 1); SFF = 80% (digital out low module + 2 ch’s.). 1) Includes one digital out low module and one channel.

5.2.2 Programmable Safety System

5.2.2.1 Analogue Input

Module: Control Logic Units – Programmable Safety System   Component: Analogue Input
Description / equipment boundaries: Analogue input part of a programmable safety system, including one analogue input channel and the common part of the input card.
Date of revision: 2009-12-18
Remarks: The data apply to a SIL certified programmable safety system used for de-energise-to-trip functions.

Recommended values for calculation (rates per 10^6 hrs):
  Total rate        Coverage    Undetected rate
  λD = 1.6          cD = 0.9    λDU = 0.16
  λS = 1.6          cS = 0.2    λSU = 1.3
  λcrit = 3.2
  PTIF = N/A *      r = 0.4

Assessment: The presented failure rates are updated values from the 2006 handbook [12], where a common failure rate was presented for input, logic and output. Since no new OREDA data for control logic has been collected in recent years, the 2006 figures were based on manufacturer data as well as judgements made by the project group. For this edition of the handbook, safety system manufacturers (ABB, HIMA, Kongsberg and Siemens) have again been asked to provide their "best estimate failure rates", including the percentage distribution between the different functional parts. Based on these estimates and additional judgements, updated failure rates have been derived assuming a distribution between input, logic and output of 20%, 60% and 20% respectively. The estimated coverage factors, PTIF and r values are based on expert judgement. A summary of the main arguments is provided in section 3.3.
* For control logic units, a PTIF is given for the CPU only.

Failure rate references (rates per 10^6 hrs):
• Recommended values for calculation in the 2006 edition [12], applying to input, logic and output together (programmable safety system, single system): λcrit = 20; λD = 10, λDU = 1.0, λSTU = 8; PTIF = 5·10^-5; assumed coverage cD = 90%.
• Exida [15], analogue input, generic SIL 2 certified PLC (1oo1D): λDU = 0.1, λDD = 0.9, λSU = 0.1, λSD = 1.0 1); SFF = 95% (analogue input module + 1 channel).
  1) Includes one analogue input module and one channel.

5.2.2.2 Central Processing Unit (CPU)

Module: Control Logic Units – Programmable Safety System   Component: CPU
Description / equipment boundaries: Logic part of a programmable safety system, including a single CPU, memory, watchdog, electronics, bus, communication, etc.
Date of revision: 2009-12-18
Remarks: The data apply to a SIL certified programmable safety system used for de-energise-to-trip functions.

Recommended values for calculation (rates per 10^6 hrs):
  Total rate        Coverage    Undetected rate
  λD = 4.8          cD = 0.9    λDU = 0.48
  λS = 4.8          cS = 0.2    λSU = 3.8
  λcrit = 9.6
  PTIF = 5·10^-5    r = 0.4

Assessment: The presented failure rates are updated values from the 2006 handbook [12], where a common failure rate was presented for input, logic and output. Since no new OREDA data for control logic has been collected in recent years, the 2006 figures were based on manufacturer data as well as judgements made by the project group. For this edition of the handbook, safety system manufacturers (ABB, HIMA, Kongsberg and Siemens) have again been asked to provide their "best estimate failure rates", including the percentage distribution between the different functional parts. Based on these estimates and additional judgements, updated failure rates have been derived assuming a distribution between input, logic and output of 20%, 60% and 20% respectively. The estimated coverage factors, PTIF and r values are based on expert judgement. A summary of the main arguments is provided in section 3.3.

Failure rate references (rates per 10^6 hrs):
• Recommended values for calculation in the 2006 edition [12], applying to input, logic and output together (programmable safety system, single system): λcrit = 20; λD = 10, λDU = 1.0, λSTU = 8; PTIF = 5·10^-5; assumed coverage cD = 90%.
• Recommended values for calculation in the 2003 edition [13]: λcrit = 32; λD = 16, λDU = 1.6, λSTU = 1.6; PTIF = 5·10^-5 to 5·10^-4 1); assumed coverage cD = 90%.
  1) For TÜV certified and standard system, respectively.
• OREDA phase IV database [6]: λcrit = 75.0 (D: 59.4, ST: 15.6); observed cD = 93%, cST = 88%. Data relevant for control logic units including I/O cards; both PLCs (14%) and computers (86%) are included, used in ESD/PSD systems (70%) and F&G systems (30%). Filter: Inv. Equipment class = Control Logic Units AND Inv. Phase = 4 AND Fail. Severity Class = Critical. No. of inventories = 71; no. of critical D failures = 103; no. of critical ST failures = 27; calendar time = 1 733 664 hrs.
• Exida [15], main processor, generic SIL 2 certified PLC (1oo1D): λDU = 0.2, λDD = 2.9, λSU = 0.1, λSD = 9.2 1); SFF = 98.5% (main processor), 100% (power supply).
  1) Includes main processor and power supply.

5.2.2.3 Digital Output

Module: Control Logic Units – Programmable Safety System   Component: Digital Output
Description / equipment boundaries: Digital output part of a programmable safety system, including one digital output channel and the common part of the output card.
Date of revision: 2009-12-18
Remarks: The data apply to a SIL certified programmable safety system used for de-energise-to-trip functions. If a relay output is used, figures for a relay should be added.

Recommended values for calculation (rates per 10^6 hrs):
  Total rate        Coverage    Undetected rate
  λD = 1.6          cD = 0.9    λDU = 0.16
  λS = 1.6          cS = 0.2    λSU = 1.3
  λcrit = 3.2
  PTIF = N/A *      r = 0.4

Assessment: The presented failure rates are updated values from the 2006 handbook [12], where a common failure rate was presented for input, logic and output. Since no new OREDA data for control logic has been collected in recent years, the 2006 figures were based on manufacturer data as well as judgements made by the project group. For this edition of the handbook, safety system manufacturers (ABB, HIMA, Kongsberg and Siemens) have again been asked to provide their "best estimate failure rates", including the percentage distribution between the different functional parts. Based on these estimates and additional judgements, updated failure rates have been derived assuming a distribution between input, logic and output of 20%, 60% and 20% respectively. The estimated coverage factors, PTIF and r values are based on expert judgement. A summary of the main arguments is provided in section 3.3.
* For control logic units, a PTIF is given for the CPU only.

Failure rate references (rates per 10^6 hrs):
• Recommended values for calculation in the 2006 edition [12], applying to input, logic and output together (programmable safety system, single system): λcrit = 20; λD = 10, λDU = 1.0, λSTU = 8; PTIF = 5·10^-5; assumed coverage cD = 90%.
• Exida [15], digital output, generic SIL 2 certified PLC (1oo1D): λDU = 0.01, λDD = 0.25, λSU = 0.01, λSD = 0.93 1); SFF = 99% (digital out low module + 1 channel).
  1) Includes one digital out low module and one channel.

5.2.3 Hardwired Safety System

5.2.3.1 Trip Amplifier / Analogue Input

Module: Control Logic Units – Hardwired Safety System   Component: Trip Amplifier / Analogue Input
Description / equipment boundaries: Input part of a hardwired safety system, including one analogue input channel.
Date of revision: 2009-12-18
Remarks: The data apply to a SIL certified hardwired safety system used for de-energise-to-trip functions.

Recommended values for calculation (rates per 10^6 hrs):
  Total rate        Coverage    Undetected rate
  λD = 0.04         cD = 0      λDU = 0.04
  λS = 0.4          cS = 0      λSU = 0.4
  λcrit = 0.44
  PTIF = N/A *      r = 0.8

Assessment: Based on the estimate in the 2006 handbook and input from the system vendor (Bjørge Safety System), a distribution between analogue input, logic and digital output of 40%, 30% and 30% respectively has been assumed. The hardwired safety system is assumed to be a fail-safe design without diagnostic coverage, i.e. failures will either be dangerous undetected or result in a trip action (SU). Hence the coverage for both dangerous and safe failures is assumed to be zero. The PTIF and r values are based on expert judgement. A summary of the main arguments is provided in section 3.3.
* For control logic units, a PTIF is given for the logic unit only.

Failure rate references (rates per 10^6 hrs):
• Recommended values for calculation in the 2006 edition [12], applying to input, logic and output together (hardwired safety system, single system): λcrit = 2; λD = 1, λDU = 0.1, λSTU = 1.0; PTIF = 5·10^-5; assumed coverage cD = 90%.

5.2.3.2 Logic

Module: Control Logic Units – Hardwired Safety System   Component: Logic
Description / equipment boundaries: Logic part of a hardwired safety system, including AND and OR circuits etc. and wiring.
Date of revision: 2009-12-18
Remarks: The data apply to a SIL certified hardwired safety system used for de-energise-to-trip functions.

Recommended values for calculation (rates per 10^6 hrs):
  Total rate        Coverage    Undetected rate
  λD = 0.03         cD = 0      λDU = 0.03
  λS = 0.3          cS = 0      λSU = 0.3
  λcrit = 0.33
  PTIF = 5·10^-6    r = 0.8

Assessment: Based on the estimate in the 2006 handbook and input from the system vendor (Bjørge Safety System), a distribution between analogue input, logic and digital output of 40%, 30% and 30% respectively has been assumed. The hardwired safety system is assumed to be a fail-safe design without diagnostic coverage, i.e. failures will either be dangerous undetected or result in a trip action (SU). Hence the coverage for both dangerous and safe failures is assumed to be zero. The PTIF and r values are based on expert judgement. A summary of the main arguments is provided in section 3.3.

Failure rate references (rates per 10^6 hrs):
• Recommended values for calculation in the 2006 edition [12], applying to input, logic and output together (hardwired safety system, single system): λcrit = 2; λD = 1, λDU = 0.1, λSTU = 1.0; PTIF = 5·10^-5; assumed coverage cD = 90%.

5.2.3.3 Digital Output

Module: Control Logic Units – Hardwired Safety System   Component: Digital Output
Description / equipment boundaries: Output part of a hardwired safety system, including one digital output channel.
Date of revision: 2009-12-18
Remarks: The data apply to a SIL certified hardwired safety system used for de-energise-to-trip functions. If a relay output is used, figures for a relay should be added.

Recommended values for calculation (rates per 10^6 hrs):
  Total rate        Coverage    Undetected rate
  λD = 0.03         cD = 0      λDU = 0.03
  λS = 0.3          cS = 0      λSU = 0.3
  λcrit = 0.33
  PTIF = N/A *      r = 0.8

Assessment: Based on the estimate in the 2006 handbook and input from the system vendor (Bjørge Safety System), a distribution between analogue input, logic and digital output of 40%, 30% and 30% respectively has been assumed. The hardwired safety system is assumed to be a fail-safe design without diagnostic coverage, i.e. failures will either be dangerous undetected or result in a trip action (SU). Hence the coverage for both dangerous and safe failures is assumed to be zero. The PTIF and r values are based on expert judgement. A summary of the main arguments is provided in section 3.3.
* For control logic units, a PTIF is given for the logic unit only.

Failure rate references (rates per 10^6 hrs):
• Recommended values for calculation in the 2006 edition [12], applying to input, logic and output together (hardwired safety system, single system): λcrit = 2; λD = 1, λDU = 0.1, λSTU = 1.0; PTIF = 5·10^-5; assumed coverage cD = 90%.
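The control logic dossiers above give each functional part as a total rate plus a coverage and leave the undetected rates to be derived (λDU = λD·(1 - cD), λSU = λS·(1 - cS), λcrit = λD + λS); the PTIF is carried by the CPU or logic part only. The following Python is an added example, not code from the handbook or from SINTEF. It derives those values for the programmable and hardwired dossiers in this section, adds the three parts in series into one single-system logic solver, and feeds the result into the standard IEC 61508 single-channel approximation PFD ≈ λDU·τ/2, with the logic part's PTIF added as a test-independent contribution. The one-year test interval, the series combination and the additive treatment of PTIF are assumptions made here; the handbook's own formulas are in its section 3.3, which is not on this page.

```python
"""Added example (not from the PDS handbook): derive per-dossier rates and
combine input, logic and output into a single 1oo1 logic solver estimate."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0  # assumed functional test interval tau (not stated in the dossiers)


@dataclass(frozen=True)
class Dossier:
    """Recommended values for one component; rates in failures per 10^6 hours."""
    name: str
    lam_d: float        # total dangerous failure rate
    c_d: float          # coverage of dangerous failures
    lam_s: float        # total safe (spurious trip) failure rate
    c_s: float          # coverage of safe failures
    p_tif: float = 0.0  # probability of test-independent failure; dossier "N/A" -> 0.0

    @property
    def lam_du(self):
        return self.lam_d * (1.0 - self.c_d)

    @property
    def lam_dd(self):
        return self.lam_d * self.c_d

    @property
    def lam_su(self):
        return self.lam_s * (1.0 - self.c_s)

    @property
    def lam_crit(self):
        return self.lam_d + self.lam_s


# Values copied from the dossiers in section 5.2.2 and 5.2.3 (per 10^6 hrs).
PROGRAMMABLE = [
    Dossier("Analogue input", 1.6, 0.9, 1.6, 0.2),
    Dossier("CPU", 4.8, 0.9, 4.8, 0.2, p_tif=5e-5),
    Dossier("Digital output", 1.6, 0.9, 1.6, 0.2),
]
HARDWIRED = [
    Dossier("Trip amplifier / AI", 0.04, 0.0, 0.4, 0.0),
    Dossier("Logic", 0.03, 0.0, 0.3, 0.0, p_tif=5e-6),
    Dossier("Digital output", 0.03, 0.0, 0.3, 0.0),
]


def single_system(parts):
    """Series combination of input, logic and output: a DU failure in any part
    defeats the loop, so the rates add. Only the logic part carries a PTIF."""
    return {
        "lam_du": sum(p.lam_du for p in parts),
        "lam_su": sum(p.lam_su for p in parts),
        "lam_crit": sum(p.lam_crit for p in parts),
        "p_tif": sum(p.p_tif for p in parts),
    }


def pfd_1oo1(lam_du_per_1e6, tau_hours, p_tif=0.0):
    """Average PFD of a single channel: the IEC 61508 approximation
    lam_DU * tau / 2 (valid while lam_DU * tau << 1), plus the test-independent
    contribution PTIF added as in the PDS method. Returns (pfd_du, pfd_total)."""
    pfd_du = lam_du_per_1e6 * 1e-6 * tau_hours / 2.0
    return pfd_du, pfd_du + p_tif


def spurious_trips_per_year(lam_su_per_1e6):
    """Spurious trip frequency from undetected safe failures of the series loop.
    Detected safe failures are left out; how they are handled is configuration
    dependent and not covered by the dossiers."""
    return lam_su_per_1e6 * 1e-6 * HOURS_PER_YEAR


if __name__ == "__main__":
    for label, parts in (("Programmable safety system", PROGRAMMABLE),
                         ("Hardwired safety system", HARDWIRED)):
        s = single_system(parts)
        pfd_du, total = pfd_1oo1(s["lam_du"], HOURS_PER_YEAR, s["p_tif"])
        print(f"{label}: lamDU={s['lam_du']:.2f}e-6/h  PFD(DU)={pfd_du:.2e}  "
              f"PFD+PTIF={total:.2e}  STF={spurious_trips_per_year(s['lam_su']):.3f}/yr")
```

The point the arithmetic makes visible is that the hardwired system's zero coverage does not hurt it: with λD an order of magnitude below the programmable system's, its λDU (0.10 per 10^6 hrs) is still eight times lower than the programmable system's 0.80 per 10^6 hrs, and its PTIF is ten times lower as well.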

5.3 Final Elements

5.3.1 ESV/XV

Module: Final Elements   Component: ESV/XV (ex. pilot)
Description / equipment boundaries: Main valve including actuator. Not including pilot valve. Valve/actuator assumed to be spring return to closed position.
Date of revision: 2009-12-18
Remarks: ESV/XV incl. actuator (ex. pilot). Full stroke with tight shut-off.

Recommended values for calculation (rates per 10^6 hrs):
  Total rate        Coverage    Undetected rate
  λD = 3.0          cD = 0.30   λDU = 2.1
  λS = 2.3          cS = 0.10   λSU = 2.1
  λcrit = 5.3
  PTIF = 1·10^-4 (standard functional testing)    r = 0.5

Assessment: The failure rate estimate is an update of the previous estimate in the 2006 handbook [12]. Data from OREDA phase V-VII indicate a higher rate of dangerous failures than the previous estimate. The data (and other sources) also indicate a somewhat lower proportion of safe failures than the 2006 estimate. Data from RNNP for the period 2003-2008 for riser ESVs have also been reviewed. In total some 6239 valve tests were performed during this period, resulting in 96 failures. From this a λDU = 1.8·10^-6 (incl. pilot valve) can be estimated. Note that this only includes failures revealed through functional testing. There is thus a relatively large difference between the failure rate indicated by the RNNP data and the rate obtained from the OREDA phase V-VII data. The RNNP data include riser ESVs only, which may be one explanation (tighter follow-up of riser valves). The main reason, however, is assumed to be that the OREDA data include a large portion of dangerous failures revealed between tests by other detection methods, whereas RNNP reports test data only. The coverage for dangerous failures has been slightly increased to 30% based on information from OREDA phase V-VII, where a high fraction of dangerous failures (more than 50%) appear to be detected by operator observation. Note that this is not diagnostic coverage in its true meaning (cf. the IEC definition), but it does imply that dangerous faults are detected between tests. For valves that are never operated except for testing, the coverage should therefore be lower. The size of the PTIF will vary with the completeness of the functional testing. Here a standard functional test, where the valve is fully closed but not tested for internal leakage, has been assumed.

The estimated r is based on reported failure causes in OREDA as well as expert judgement. A summary of the main arguments is provided in section 3.3.

Failure rate references (rates per 10^6 hrs):
• Recommended values for calculation in the 2006 edition [12]: λcrit = 5.4; λD = 2.7, λDU = 2.0, λSTU = 2.7; PTIF = 1·10^-5 / 1·10^-4 / 1·10^-3 1); assumed cD = 25%.
  1) For extended, standard and incomplete functional testing respectively.
• Recommended values for calculation in the 2004 edition [13]: λcrit = 5.4; λD = 2.7, λDU = 2.0, λSTU = 2.7; PTIF = 10^-6 to 10^-5 2); assumed cD = 25%.
  2) For complete and incomplete functional testing respectively.
• Previously recommended values for calculation in the 2003 edition [14]: λcrit = 1.6; λD/λST = 4.3; λDU = 1.3, λSTU = 0.3; PTIF = 10^-6 to 10^-5 2).
• OREDA phase V-VII database: λcrit = 12.3 (λD = 8.5, λS = 3.8); observed cD = 55% 3), cST = 24% 3). Data relevant for topside ESD, ESD/PSD and PSD valves, excluding the pilot valve and control & monitoring. Filter: Inv. Equipment class = VALVES; Inv. System = Gas export, Gas processing, Oil export, Oil processing, Condensate processing, Crude oil handling or Gas (re)injection; Inv. OREDA Phase = 5-7; Inv. Att. Application = ESD, ESD/PSD, ESDPSD or PSD; excluding Fail. Item Failed = Pilot valve and Fail. Subunit Failed = Control & Monitoring; Fail. Severity Class = Critical. No. of installations = 13; no. of inventories = 125; no. of critical D failures = 47; no. of critical ST failures = 21; surveillance time = 5 517 120 hrs.
  3) OREDA reporting on detection method is partly incomplete, especially for safe failures, so additional judgement was required.
• OREDA phase IV database [6]: λcrit = 3.1 (D: 2.4, ST: 0.7); observed cD = 40%, cST = N/A. Data relevant for process ESD/PSD valves, excluding the pilot valve and control & monitoring. Filter: Inv. Equipment class = VALVES; Inv. System = Gas export, Gas processing, Oil export, Oil processing or Emergency shutdown; Inv. Phase = 4; Inv. Att. Application = ESD/PSD; Fail. Severity Class = Critical; excluding Fail. Item Failed = Pilot valve and Fail. Subunit Failed = Control & Monitoring. No. of inventories = 140; no. of critical D failures = 11; no. of critical ST failures = 3; calendar time = 4 495 272 hrs.
• Exida [15], generic air operated ball valve, hard seat, spring return (data include critical failure modes related to full stroke with tight shut-off). Normal operation: λDU = 3.2, λSU = 0.5. Including partial stroke testing: λDD = 0.7, λDU = 2.5, λSD = 0.5. SFF = 14% (normal operation), 32% (partial stroke testing).
• Exida [15], generic air operated gate valve, spring return (data include critical failure modes related to full stroke with tight shut-off). Normal operation: λDU = 2.4, λSU = 0.5. Including partial stroke testing: λDD = 0.6, λDU = 1.8, λSD = 0.5. SFF = 17% (normal operation), 38% (partial stroke testing).
• Exida [15], generic hydraulic operated ball valve, spring return (data include critical failure modes related to full stroke with tight shut-off). Normal operation: λDU = 3.1, λSU = 0.5. Including partial stroke testing: λDD = 0.7, λDU = 2.5, λSD = 0.5. SFF = 13% (normal operation), 31% (partial stroke testing).
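The assessment and reference list above quote raw OREDA counts (critical D and ST failures over a surveillance time), RNNP test statistics (6239 tests, 96 failures) and Exida failure-mode splits, and state the rates derived from them. The following Python is an added example, not code from the handbook: it reproduces those rates from the counts, so that the arithmetic behind each figure is explicit and can be rerun for another OREDA filter or RNNP period. The one assumption not on the page is the RNNP test interval, taken here as one year (8760 h); that choice reproduces the quoted 1.8·10^-6, and the same function applied to the X-mas tree (29032 tests, 317 failures) and blowdown (15392 tests, 397 failures) statistics in the dossiers that follow gives their 1.2·10^-6 and 2.9·10^-6. The safe failure fraction is computed per IEC 61508 as all non-DU failures over the total, which reproduces Exida's 14% and 32% for the ball valve.

```python
"""Added example (not from the PDS handbook): recompute the ESV/XV dossier
figures from the raw OREDA, RNNP and Exida numbers it cites."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0  # assumed RNNP functional test interval (not stated on the page)


@dataclass(frozen=True)
class OredaSample:
    """Critical failures and surveillance time returned by one OREDA filter."""
    critical_d: int            # critical dangerous failures
    critical_st: int           # critical spurious-trip (safe) failures
    surveillance_hours: float

    def rates_per_1e6(self):
        """Point estimates lambda = n / T, expressed per 10^6 hours."""
        t = self.surveillance_hours / 1e6
        d, st = self.critical_d / t, self.critical_st / t
        return {"crit": d + st, "D": d, "ST": st}


def rnnp_lambda_du(failures, tests, test_interval_hours=HOURS_PER_YEAR):
    """DU rate from functional-test statistics. Each test closes one test
    interval of exposure, so T = tests * tau; only failures found by the
    test are counted, which is why this sits below the OREDA figure."""
    return failures / (tests * test_interval_hours)


def sff(lam_du, lam_dd=0.0, lam_su=0.0, lam_sd=0.0):
    """Safe failure fraction (IEC 61508): all failures except DU over the total."""
    total = lam_du + lam_dd + lam_su + lam_sd
    return (total - lam_du) / total


def pst_du_reduction(lam_du_normal, lam_du_with_pst):
    """Fraction of DU failures that partial stroke testing reclassifies as DD."""
    return 1.0 - lam_du_with_pst / lam_du_normal


# Counts copied from the dossier's OREDA filters.
ESV_PHASE_V_VII = OredaSample(critical_d=47, critical_st=21, surveillance_hours=5_517_120)
ESV_PHASE_IV = OredaSample(critical_d=11, critical_st=3, surveillance_hours=4_495_272)
# RNNP 2003-2008 riser ESV statistics quoted in the assessment: (failures, tests).
RNNP_RISER_ESV = (96, 6239)
# Exida generic air operated ball valve, hard seat, spring return (per 10^6 hrs).
BALL_VALVE_NORMAL = {"lam_du": 3.2, "lam_su": 0.5}
BALL_VALVE_PST = {"lam_du": 2.5, "lam_dd": 0.7, "lam_sd": 0.5}

if __name__ == "__main__":
    for label, sample in (("OREDA V-VII", ESV_PHASE_V_VII), ("OREDA IV", ESV_PHASE_IV)):
        r = sample.rates_per_1e6()
        print(f"{label}: crit={r['crit']:.1f} D={r['D']:.1f} ST={r['ST']:.1f} per 1e6 h")
    print(f"RNNP riser ESV lambda_DU = {rnnp_lambda_du(*RNNP_RISER_ESV):.2e} /h")
    print(f"SFF normal = {sff(**BALL_VALVE_NORMAL):.0%}, with PST = {sff(**BALL_VALVE_PST):.0%}")
    print(f"PST reclassifies {pst_du_reduction(3.2, 2.5):.0%} of DU as DD")
```

Two things worth noticing when rerunning this: the OREDA phase V-VII dangerous rate (8.5) is almost five times the RNNP figure because OREDA counts failures found by any detection method between tests, exactly as the assessment says; and in the Exida data partial stroke testing leaves the total rate unchanged (3.7) while moving about a fifth of the DU failures to DD, which is what raises the SFF.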

5.3.2 ESV, X-mas Tree

Module: Final Elements   Component: ESV, X-mas Tree Valve (ex. pilot)
Description / equipment boundaries: Hydraulically operated production master, wing and swab valves. Main valve including actuator. Not including pilot valve.
Date of revision: 2009-12-18
Remarks: Topside X-mas tree ESV incl. actuator (ex. pilot). Full stroke with tight shut-off.

Recommended values for calculation (rates per 10^6 hrs):
  Total rate        Coverage    Undetected rate
  λD = 1.1          cD = 0.30   λDU = 0.8
  λS = 0.9          cS = 0.10   λSU = 0.8
  λcrit = 2.0
  PTIF = 1·10^-4 (standard functional testing)    r = 0.5

Assessment: The failure rate estimate is an update of the previous 2006 estimate [12] (which was based primarily on OREDA phase III, with some OREDA phase IV data). Additional data from phase VII on X-mas tree valves indicate a somewhat lower dangerous failure rate than the OREDA phase III data, but the aggregated exposure time is smaller in phase VII than in phase III. Data from RNNP for the period 2003-2008 for X-mas tree wing and master valves have also been reviewed. In total some 29032 valve tests were performed during this period, resulting in 317 failures. From this a λDU = 1.2·10^-6 can be estimated. Note that this only includes failures revealed through functional testing. Also note that the RNNP data cover the entire valve, i.e. including the pilot valve, and are therefore not directly comparable to the OREDA data, where the pilot valve has been excluded. Based on the new data from OREDA and RNNP, the rate of dangerous failures appears to be somewhat lower than previously assumed. The amount of new OREDA data is however scarce and the RNNP data are not directly comparable; the rate of DU failures has therefore been kept in line with the 2006 estimate. For the same reasons as for the ESV/XV valves, the coverage for dangerous failures has been slightly increased from 25% to 30%. As for ESV/XVs, the proportion of safe failures (relative to dangerous failures) has been reduced in line with data from OREDA and other sources. The size of the PTIF will vary with the completeness of the functional testing. Here a standard functional test, where the valve is fully closed but not tested for internal leakage, has been assumed.

The estimated r is based on reported failure causes in OREDA as well as expert judgement. A summary of the main arguments is provided in section 3.3.

Failure rate references (rates per 10^6 hrs):
• Recommended values for calculation in the 2006 edition [12]: λcrit = 2.1; λD = 1.1, λDU = 0.8, λSTU = 1.0; PTIF = 1·10^-5 / 1·10^-4 / 1·10^-3 1); assumed cD = 25%.
  1) For extended, standard and incomplete functional testing respectively.
• Recommended values for calculation in the 2004 edition [13]: λcrit = 2.1; λD = 1.1, λDU = 0.8, λSTU = 1.0; PTIF = 10^-6 to 10^-5 2); cD = 25%.
  2) For complete and incomplete functional testing respectively.
• Previously recommended values for calculation in the 2003 edition [13]: λcrit = 1.5; λD/λST = 1.1; λDU = 0.8, λSTU = 0.5; PTIF = 10^-6 to 10^-5 2).
• OREDA phase VII database [6]: λcrit = 0.8 (λD = 0.8); observed cD = N/A, cS = N/A. Data relevant for X-mas tree production and injection valves. Filter: Inv. Eq. Class = Valves; Inv. Phase = 7; Inv. Att. Application = PROD MASTER, PROD WING, PROD SWAB or INJ MASTER; excluding Fail. Item Failed = Pilot valve and Fail. Subunit Failed = Control & Monitoring. No. of inventories = 148; no. of critical D failures = 2 (no critical safe failures); calendar time = 2 578 488 hrs.
• OREDA phase IV database [6]: λcrit = 1.1 (D: 0.0, ST: 1.1); observed cD = N/A, cS = N/A. Data relevant for hydraulically operated wellhead master valves, swab valves and wing valves. Filter: Inv. Eq. Class = Wellheads And X-mas Trees; Inv. System = Gas production, Oil Production or Gas re-injection; Inv. Phase = 4; Fail. Severity Class = Critical; Fail. Item Failed = Prod. master valve, hyd. op., Prod. swab valve, hyd. op. or Prod. wing valve, hyd. op. No. of inventories = 18; no. of critical D failures = 0; no. of critical ST failures = 1; calendar time = 902 976 hrs.
• OREDA phase III database [8]: λcrit = 7.36, distributed on failure modes DOP: 0.15, EXL: 1.84, FTC: 0.77, FTO: 0.46, INL: 2.30, LCP: 1.69, PLU: 0.15. Data relevant for wellhead ESD/PSD valves, main valve or actuator. No. of inventories = 349; number of critical failures = 48; calendar time = 6 518 058 hrs.

5.3.3 Blowdown Valve

Module: Final Elements   Component: Blowdown Valve (ex. pilot)
Description / equipment boundaries: Blowdown valve including actuator. Not including pilot valve. Valve/actuator assumed to be spring return to open position.
Date of revision: 2009-12-18
Remarks: Blowdown valve incl. actuator (ex. pilot). Valve de-energised to open.

Recommended values for calculation (rates per 10^6 hrs):
  Total rate        Coverage    Undetected rate
  λD = 2.6          cD = 0.20   λDU = 2.1
  λS = 1.3          cS = 0      λSU = 1.3
  λcrit = 3.9
  PTIF = 1·10^-4    r = 0.5

Assessment: The failure rate for blowdown valves is an update of the previous estimate in the 2006 handbook [12], based on new data from OREDA phase V and VI as well as data from RNNP. Data from RNNP for the period 2004-2008 for blowdown valves have been reviewed. In total some 15392 valve tests were performed during this period, resulting in 397 failures. From this a λDU = 2.9·10^-6 (incl. pilot valve) can be estimated, which is in line with the DU estimate for blowdown valves given in the 2006 PDS handbook. Data from OREDA phase V-VII on the other hand indicate a lower rate of dangerous (and safe) failures than the 2006 estimate, which was primarily based on OREDA phase IV data. The recorded data from phase V-VII are however significantly less than for phase IV (approximately half the surveillance time). Based on the above, the rate of DU failures has been kept approximately the same as in the 2006 edition, whereas the rate of safe failures has been somewhat reduced. The coverage for dangerous failures has been reduced to 20%, since blowdown valves are rarely operated between tests and few dangerous failures will therefore be detected by operator observation. The PTIF and r values are assumed the same as for ESV/XV valves (where the PTIF is given assuming a normal/average functional testing standard).

Failure rate references (rates per 10^6 hrs):
• Recommended values for calculation in the 2006 edition [12]: λcrit = 5.4; λD = 2.7, λDU = 2.0, λSTU = 2.7; PTIF = 10^-4.
• Recommended values for calculation in the 2004 edition [13]: λcrit = 3.7; λD = 2.7, λDU = 2.0, λSTU = 1.0; PTIF = 10^-6 to 10^-5 1).
  1) For complete and incomplete functional testing respectively.
• OREDA phase V-VII database, [4] and [6]: λcrit = 2.0 (λD = 1.6, λS = 0.4); observed cD = N/A, cST = N/A. Data relevant for blowdown valves; note that these data also include the pilot valve. Filter: Inv. Equipment class = VALVES; Inv. Att. Application = BLOWDOWN; Inv. OREDA Phase = 5-7; Fail. Severity Class = Critical. No. of inventories = 50; no. of critical D failures = 4; no. of critical S failures = 1; surveillance time = 2 442 984 hrs.
• OREDA phase IV database [6]: λcrit = 6.40 (D: 5.52, ST: 0.88); observed cD = N/A, cST = N/A. Data relevant for blowdown valves; note that these data also include the pilot valve. Filter: Inv. Equipment class = VALVES; Inv. Att. Application = BLOWDOWN; Inv. OREDA Phase = 4. No. of inventories = 92; no. of critical D failures = 25; no. of critical S failures = 4; surveillance time = 4 532 640 hrs.

5.3.4

Pilot/Solenoid Valve

Module: Final Elements Component: Pilot/Solenoid Valve

PDS Reliability Data Dossier

Description Pilot/solenoid valve on hydraulically or pneumatically operated valves.

Date of Revision 2009-12-18 Remarks Valve de-energised to bleed-off

Recommended Values for Calculation Total rate

Coverage

Undetected rate

λD = 1.1 per 106 hrs

cD = 0.30

λDU = 0.8 per 106 hrs

λS = 1.9 per 106 hrs

cS = 0.10

λSU = 1.7 per 106 hrs

λcrit = 3.0 per 106 hrs

PTIF = r

N/A *

= 0.4

Assessment

The failure rate estimate is an update of the previous 2006 estimate, based on new data from OREDA phase VI and VII as well as other sources. Note that part of the failures reported under "control and monitoring" (approx. 50%) are included as part of the valve itself. The distribution between dangerous and safe failures has been kept the same as in the previous edition. The coverage factor for D failures has been estimated at 30%, based on the detection methods registered in OREDA phase IV and V-VII. As for ESV/XV valves, this coverage includes some manual observation by operators. Based on the above and the new data on solenoids, the rate of DU failures has been slightly reduced as compared to the 2006 estimate, whereas the rate of safe failures has been kept the same.

*The PTIF for the pilot valve is included as part of the PTIF for the valve itself.

The estimated r is based on reported failure causes in OREDA as well as expert judgements. A summary of some of the main arguments is provided in section 3.3.

Module: Final Elements   Component: Pilot/Solenoid Valve   PDS Reliability Data Dossier

Failure Rate References

Overall failure rate (per 10^6 hrs) | Failure mode distribution | Data source/comment
λcrit = 3.2 | λD = 1.3 per 10^6 hrs, λDU = 0.9 per 10^6 hrs, λSTU = 1.9 per 10^6 hrs 1) | Recommended values for calculation in 2006-edition [12]. 1) PTIF for pilot valve included in PTIF for main valve.
λcrit = 3.2 | λD = 1.3 per 10^6 hrs, λDU = 0.9 per 10^6 hrs, λSTU = 1.3 per 10^6 hrs 1) | Recommended values for calculation in 2004-edition [13]. 1) PTIF for pilot valve included in PTIF for main valve.
λcrit = 4.2 | λD / λST = 0.7, λDU = 1.4 per 10^6 hrs, λSTU = 1.8 per 10^6 hrs 1) | Recommended values for calculation in 2003-edition [14]. 1) PTIF for pilot valve included in PTIF for main valve.
λcrit = 2.8 | λD = 1.6 per 10^6 hrs, λS = 1.2 per 10^6 hrs. Observed: cD = 40%, cST = N/A 1) | OREDA phase V-VII database, [4] and [6]. Data relevant for pilot valves with control & monitoring in ESD/PSD applications. Filter: Inv. Equipment class = VALVES AND (Inv. Att. Application = ESD/PSD/… OR Inv. Att. Application = BLOWDOWN) AND Inv. OREDA Phase = 5 - 7 AND (Fail. Item Failed = Pilot valve OR Fail. Subunit Failed = Control & Monitoring) AND Fail. Severity Class = Critical. No. of inventories = 175 valves (assumed 272 solenoids); No. of critical failures = 35; No. of critical D failures = 20; No. of critical S failures = 15; Calendar time (hours) = 7 960 104. 1) The D failure rate includes 'Fail to close on demand' failures. When calculating the failure rate for pilot valves it has been assumed that 55% of the valves have two solenoids.
λcrit = 4.5 | D: 1.7, ST: 2.8. Observed: cD = 67 %, cST = N/A | OREDA phase IV database [6]. Data relevant for pilot valves with control & monitoring in ESD/PSD applications. Filter: Inv. Equipment class = VALVES AND (Inv. Att. Application = ESD/PSD OR Inv. Att. Application = Shut-off) AND Inv. Phase = 4 AND Fail. Severity Class = Critical AND (Fail. Item Failed = Pilot valve OR Fail. Subunit Failed = Control & Monitoring). No. of inventories = 184; No. of critical D failures = 10; No. of critical ST failures = 17; Calendar time (hours) = 6 023 256.

λDU = 0.3 per 10^6 hrs (λD = 0.5 per 10^6 hrs) (λS = 1.8 per 10^6 hrs) | | Data from review of safety critical failures on Norwegian onshore plant. Data applicable for solenoid valves on ESVs, BDVs and XVs. No. of inventories = 438; No. of critical DU failures = 1 1); Cal. time = 3 836 880 hrs 2). 1) The review focused on the DU failures; 1 failure was classified as DU, i.e. a stuck solenoid causing fail to close of the associated ESV. In addition, 1 failure was classified as DD and 7 failures were classified as safe. 2) One year of operation.
Funct. 0.38 | | T-Book [16]: Solenoid valve, normally activated
Fail. to change position 0.30 | | T-Book [16]: Solenoid valve, normally not activated
λDU = 0.6 per 10^6 hrs 1), λSU = 1.0 per 10^6 hrs 1) | | Exida [15]: Generic solenoid valve, 2-way solenoid
λDU = 0.6 per 10^6 hrs 2), λSU = 1.0 per 10^6 hrs 2) | | Exida [15]: Generic solenoid valve, 3-way solenoid
λDU = 0.6 per 10^6 hrs 3), λSU = 1.0 per 10^6 hrs 3) | | Exida [15]: Generic solenoid valve, 4-way solenoid. SFF = 72%

5.3.5 Process Control Valve

Module: Final Elements   Component: Process Control Valve   PDS Reliability Data Dossier

Description / equipment boundaries: Process control valves used in combined control- and shutdown service. Not including pilot valve*.
Date of Revision: 2009-12-18
Remarks: The dangerous failure mode considered is fail to close.

Recommended Values for Calculation

Total rate | Coverage
λD = 4.4 per 10^6 hrs | cD = 0.50
λS = 2.5 per 10^6 hrs | cS = 0.50
λcrit = 6.9 per 10^6 hrs |
PTIF = 1·10^-4 |
r = 0.6 |

Assessment

The figures for control valves have been updated as compared to the 2006 handbook, [12]. The failure rate estimates are based on a "weighted" average of the OREDA phase III – V data. Included in the λD failures are all 'fail to close' (FTC) failures, 50% of the 'delayed operation' (DOP) failures and 25% of the 'fail to regulate' (FTR) failures. Hence, only the failure modes assumed relevant for shutdown purposes are included. Included in the safe failures (S) are 'spurious operation' and 'fail to open' failures as well as 25% of the 'fail to regulate' failures (i.e. we assume that only 50% of the FTR failures are critical with respect to spurious operation or valve closure). Note that no split has been made between small and large control valves (as was done in [13] and [14]).

Based on the registered observation method for the relevant failure modes, as well as expert judgement, a coverage of 50% has been estimated for both dangerous and safe failures. This implicitly assumes that the control valve is used in normal operation, resulting in a relatively high coverage. In some cases (e.g. on some onshore plants) selected control valves may be used solely for shutdown purposes. Such valves will be operated infrequently, resulting in a significantly lower coverage factor. For control valves used only as shutdown valves, it is suggested that the coverage be reduced to 20%, giving λDU and λSU estimates of 3.5 per 10^6 hrs and 2.0 per 10^6 hrs respectively.

The PTIF and r values are entirely based on expert judgements. A summary of some of the main arguments is provided in section 3.3.

*Data for control valves are mainly collected for valves in control service and not from applications where control valves are used for on/off shutdown service. The solenoid valves will normally not be part of the control function and therefore no solenoid valve failures are registered under control valves in OREDA. When considering failure rates for control valves used for shutdown purposes, the failure rate of a solenoid valve should therefore be added.

Failure Rate References

Overall failure rate (per 10^6 hrs) | Failure mode distribution | Data source/comment
λcrit = 5.6 | λD = 3.8 per 10^6 hrs, λDU = 2.7 per 10^6 hrs, λSTU = 1.3 per 10^6 hrs; PTIF = 10^-4 | Previously recommended values for calculation in 2006-edition, [12]. Assumed cD = 30%.
Small valves: λcrit = 7.5; Large valves: λcrit = 2.8 | Small valves: λD = 7.1 per 10^6 hrs, λDU = 2.8 per 10^6 hrs, λSTU = 0.1 per 10^6 hrs. Large valves: λD = 2.1 per 10^6 hrs, λDU = 0.8 per 10^6 hrs, λSTU = 0.2 per 10^6 hrs; PTIF = 10^-5 | Previously recommended values for calculation in 2003- and 2004-edition, [13] and [14]. Assumed cD = 60%.
2.9 | FTC 0.41, FTO 0.82, FTR 1.23, LCP 0.41 | OREDA phase V database [6]. Data relevant for process control valves including pilot valve etc. Note! All sizes are included. Filter: Inv. Equipment class = VALVES AND (Inv. System = Gas export OR Inv. System = Gas processing OR Inv. System = Oil export OR Inv. System = Oil processing OR Inv. System = Condensate processing OR Inv. System = Gas (re)injection OR Inv. System = Gas production OR Inv. System = Gas treatment OR Inv. System = Oil production) AND Inv. OREDA Phase = 5 AND Inv. Att. Application = Process Control. No. of inventories = 54; No. of critical failures = 7; Calendar time (hours) = 2 446 080.
16.9 | FTC 4.45, FTO 2.23, FTR 7.64, EXL 1.59, DOP 0.32, SPO 0.32, STD 0.32. Observed: cD = 60 %, cST = N/A (only one observation) | OREDA phase IV database [6]. Data relevant for process control valves including pilot valve etc. Note! All sizes are included. Filter (small valves): Inv. Equipment class = VALVES AND (Inv. System = Gas export OR Inv. System = Gas processing OR Inv. System = Oil export OR Inv. System = Oil processing OR Inv. System = Condensate processing OR Inv. System = Gas (re)injection OR Inv. System = Gas production OR Inv. System = Gas treatment OR Inv. System = Oil production) AND Inv. Phase = 4 AND Inv. Att. Application = Process Control AND Fail. Severity Class = Critical. No. of inventories = 107; No. of critical failures = 53; Calendar time (hours) = 3 140 856.
18.6 | DOP 0.72, EXL 0.36, FID 1.79, FTC 4.29, FTO 2.15, LCP 1.43, OTH 3.94, PLU 2.50, SPO 1.43 | OREDA phase III database [8]. Data relevant for process control valves including pilot valve etc. Note! All sizes are included. Filter criteria: APPLIC='PROC CTRL', FUNCTN='OP' .OR. 'GP'. No. of inventories = 100; No. of critical failures = 52; Cal. time = 2 796 745 hrs.
Fail. to change position: 9.1 | | T-Book [16]: Motor-operated control valve
λDU = 1.2 per 10^6 hrs, λSU = 0.5 per 10^6 hrs | | Exida [15]: Generic control valve

5.3.6 Pressure Relief Valve

Module: Final Elements   Component: Pressure Relief Valve   PDS Reliability Data Dossier

Description / equipment boundaries: Complete PSV. Data includes both self acting and pilot operated valves.
Date of Revision: 2009-12-18
Remarks: The dangerous failure rate relates to a failure to open within 20% of the set point pressure.

Recommended Values for Calculation

Total rate | Coverage
λD = 2.2 per 10^6 hrs | cD = 0
λS = 1.1 per 10^6 hrs | cS = 10%
λcrit = 3.3 per 10^6 hrs 1) |
PTIF = 1·10^-3 |
r = 0.5 |

1) For fail to open before test pressure failures, a failure rate of λDU = 1.1 per 10^6 hours is suggested.

Assessment

The failure data for PSVs are an update of the 2006-edition, [12]. The failure rates are based on OREDA phase IV - VII data, data from RNNP, as well as data from a student investigation into PSV data, [17]. For OREDA data only failures classified as 'fail to open' are considered as D failures. For safe failures, the critical failure modes 'spurious operation', 'leakage in closed position' and 'fail to close' have been included. Note that for relief valves, operational time is used in the failure rate estimates. Based on all OREDA data from phase IV-VII a weighted dangerous failure rate of 1.9 per 10^6 hours can be estimated. Similarly, a weighted average for safe failures of 1.0 per 10^6 hours can be found.

In the RNNP project, data on PSVs are available for the period 2004-2008. A total of 53347 valve tests have been performed, resulting in 2226 failures. Assuming annual testing, these data give an estimated λDU of 4.8·10^-6 per hour. On many installations the PSVs are only tested every second year. Assuming a test interval of 2 years, a λDU of 2.4·10^-6 per hour results. As seen, the data from RNNP give somewhat higher λDU values than the latest OREDA data. Since the amount of RNNP data is very extensive, the rate of dangerous failures for PSVs has been slightly increased as compared to the 2006 estimate. The rate of safe failures has been kept approximately the same.

The given λDU applies for a fail to open failure within 20% of the set point pressure. If a critical failure is defined as fail to open at a higher pressure, a reduced failure rate may be applied. For the failure mode 'fail to open before test pressure', a λDU = 1.1·10^-6 per hour is suggested (i.e. a 50% reduction as compared to the rate of failures to open within 20% of the set point, ref. [17]).

The PTIF and r values are entirely based on expert judgements. A summary of some of the main arguments is provided in section 3.3.

Failure Rate References

Overall failure rate (per 10^6 hrs) | Failure mode distribution | Data source/comment
λcrit = 3.2 | λD = 2.0 per 10^6 hrs, λDU = 2.0 per 10^6 hrs, λSTU = 1.0 per 10^6 hrs; PTIF = 10^-3 | Previously recommended values for calculation in 2006-edition, [12]. cD = 0%.
λcrit = 1.2 | λD = 1.0 per 10^6 hrs, λDU = 1.0 per 10^6 hrs, λSTU = 0.2 per 10^6 hrs 1); PTIF = 10^-3 | Previously recommended values for calculation in 2003- and 2004-edition, [13] and [14]. cD = 0%. 1) Trip of PSV does not necessarily lead to system trip.
λcrit = 1.0 | λD = 0.7 per 10^6 hrs, λS = 0.3 per 10^6 hrs. Observed: cD = N/A, cST = N/A | OREDA phase V-VII database [4], [6]. Data relevant for self-acting or self-acting/pilot actuated relief valves. Filter: Inv. Equipment class = VALVES AND Inv. Att. Application = Relief AND Inv. OREDA Phase = 5 - 7. No. of inventories = 130; No. of critical fail to open failures = 2; No. of critical safe failures = 1; Operational time (hours) = 3 032 299.
3.7 | D: 2.4, ST: 1.3. Observed: cD = 0 %, cST = 11 % | OREDA phase IV database [6]. Data relevant for self-acting (86%) or pilot actuated (14%) relief valves. Filter: Inv. Equipment class = VALVES AND Inv. Phase = 4 AND Inv. Att. Application = Relief AND Fail. Severity Class = Critical. No. of inventories = 275; No. of critical fail to open on demand failures = 17; No. of critical valve leakage in closed position failures = 8; No. of critical spurious operation failures = 1; Operational time (hours) = 7 062 366.

5.3.7 Deluge Valve

Module: Final Elements   Component: Deluge Valve   PDS Reliability Data Dossier

Description / equipment boundaries: Deluge valve including actuator, solenoid and pilot valve. Assumed energised to open.
Date of Revision: 2009-12-18
Remarks: -

Recommended Values for Calculation

Total rate | Coverage | Undetected rate
λD = 3.0 per 10^6 hrs | cD = 0 | λDU = 3.0 per 10^6 hrs
λS = 1.5 per 10^6 hrs | cS = 0 | λSU = 1.5 per 10^6 hrs
λcrit = 4.5 per 10^6 hrs | | PTIF = 1·10^-3
r = 0.6 | |

Assessment

The failure rate applies to deluge valves and is based on data from RNNP as well as OREDA (a limited population with only diaphragm type valves), taking into account some expert judgements. The coverage for both D and S failures has been assumed to be zero. In the RNNP project, test data for deluge valves for the period 2004-2008 are available. A total of 17284 deluge valve tests have been performed, resulting in 163 failures. With 6 and 12 monthly testing, these data give an estimated λDU of 2.2·10^-6 and 1.1·10^-6 per hour respectively. The RNNP data are assumed to include both diaphragm and Inbal type deluge valves. The PTIF and r values for deluge valves are entirely based on expert judgements.

Failure Rate References

Overall failure rate (per 10^6 hrs) | Failure mode distribution | Data source/comment
λcrit = 8.8 | λD = 8.8 per 10^6 hrs. Observed: cD = 0%, cST = N/A 1) | OREDA phase VI, [4]. Filter: Inv. Equipment class = Valves AND Inv. Att. Application = DELUGE AND Inv. OREDA Phase = 6. No. of inventories = 43; No. of critical fail to open failures = 10; No. of critical safe failures = 0; Operational time (hours) = 1 130 040. 1) The limited population only includes diaphragm type deluge valves from one installation. 7 of the dangerous failures were due to improper design.
λDU = 4.7·10^-6 / hour | | OLF 070 (based on PDS-BIP data), [19]

5.3.8 Fire Damper

Module: Final Elements   Component: Fire Damper   PDS Reliability Data Dossier

Description / equipment boundaries: Fire damper including solenoid valve. Assumed de-energised to close.
Date of Revision: 2009-12-18
Remarks: Available data is limited.

Recommended Values for Calculation

Total rate | Coverage | Undetected rate
λD = 3.2 per 10^6 hrs | cD = 0 | λDU = 3.2 per 10^6 hrs
λS = 2.3 per 10^6 hrs | cS = 0 | λSU = 2.3 per 10^6 hrs
λcrit = 5.5 per 10^6 hrs | | PTIF = 1·10^-3
r = 0.7 | |

Assessment

The failure rate applies to fire dampers and is based on data from different installations, taking into account some expert judgements. The coverage for both D and S failures has been assumed to be zero. The PTIF and r values for fire dampers are entirely based on expert judgements.

Failure Rate References

Overall failure rate (per 10^6 hrs) | Failure mode distribution | Data source/comment
λDU = 3.8 per 10^6 hrs | | Failure rate used on Norwegian offshore project, based on input from different sources.
λDU = 3.0 per 10^6 hrs, λS = 1.0 per 10^6 hrs | | Data from review of safety critical failures on Norwegian semi-submersible platform. Data applicable for fire dampers including solenoid valve. No. of inventories = 57; No. of critical DU failures = 3 1); Cal. time = 998 640 hrs 2). 1) The failure review focused on DU failures; 1 additional failure was classified as safe. 2) Two years of operation.
λDU = 2.5 per 10^6 hrs, λS = 3.1 per 10^6 hrs | | Data from review of safety critical failures on Norwegian onshore plant. Data applicable for fire dampers including solenoid valve. No. of inventories = 92 fire dampers; No. of critical DU failures = 4 1); Cal. time = 1 611 840 hrs 2). 1) The review focused on DU failures, but classification of other failure modes was also performed; 1 DD, 5 safe failures and 12 failures classified as not relevant were also registered. 2) Two years of operation.
λDU = 7.3·10^-6 / hour | | OLF 070 (based on PDS-BIP data), [19]

5.3.9 Circuit Breaker

Module: Final Elements   Component: Circuit Breaker   PDS Reliability Data Dossier

Description: Circuit Breaker. Assumed de-energised to open.
Date of Revision: 2009-12-18
Remarks: Includes internal relay / solenoid. Any external relays etc. must be added.

Recommended Values for Calculation

Total rate | Coverage | Undetected rate
λD = 0.3 per 10^6 hrs | cD = 0 | λDU = 0.3 per 10^6 hrs
λS = 0.5 per 10^6 hrs | cS = 0 | λSU = 0.5 per 10^6 hrs
λcrit = 0.8 per 10^6 hrs | | PTIF = 5·10^-5
r = 0.6 | |

Assessment

The failure rate applies to large circuit breakers and is based on the listed data sources, taking into account some expert judgements. The coverage for both D and S failures has been assumed to be zero. The PTIF and r values for circuit breakers are entirely based on expert judgements.

Failure Rate References

Overall failure rate (per 10^6 hrs) | Failure mode distribution | Data source/comment
λDU = 0.2·10^-6 / hour | | T-Book [16]: Circuit Breaker, 6kV – 10kV
λDU = 0.6 per 10^6 hrs, λSU = 0.9 per 10^6 hrs | | Exida [15]: Generic motor starter. SFF = 60%

5.3.10 Relay

Module: Final Elements   Component: Relay   PDS Reliability Data Dossier

Description: Relay. Assumed de-energised to open.
Date of Revision: 2009-12-18
Remarks: -

Recommended Values for Calculation

Total rate | Coverage | Undetected rate
λD = 0.2 per 10^6 hrs | cD = 0 | λDU = 0.2 per 10^6 hrs
λS = 0.3 per 10^6 hrs | cS = 0 | λSU = 0.3 per 10^6 hrs
λcrit = 0.5 per 10^6 hrs | | PTIF = 5·10^-5
r = 0.6 | |

Assessment

The failure rate applies to relays and smaller circuit breakers and is based on the listed data sources, taking into account some expert judgements. The coverage for both D and S failures has been assumed to be zero. The PTIF and r values for relays are entirely based on expert judgements.

Failure Rate References

Overall failure rate (per 10^6 hrs) | Failure mode distribution | Data source/comment
λDU = 0.15·10^-6 / hour | | T-Book [16]: Circuit Breaker, < 660V
λDU = 0.6 per 10^6 hrs, λSU = 0.9 per 10^6 hrs | | Exida [15]: Generic relay. SFF = 60%

5.3.11 Downhole Safety Valve – DHSV

Module: Final Elements   Component: Downhole Safety Valve – DHSV   PDS Reliability Data Dossier

Description: Downhole Safety Valve incl. actuation device.
Date of Revision: 2009-12-18
Remarks: Full stroke with tight shut off.

Recommended Values for Calculation

Total rate | Coverage | Undetected rate
λD = 3.2 per 10^6 hrs | cD = 0 | λDU = 3.2 per 10^6 hrs
λS = 2.4 per 10^6 hrs | cS = 0 | λSU = 2.4 per 10^6 hrs
λcrit = 5.6 per 10^6 hrs | | PTIF = 1·10^-4
r = 0.5 | |

Assessment

The updated failure rates for DHSV are based on two main sources:
• internal SINTEF data, which give an estimated λD of 2.0 per 10^6 hrs, and
• updated test data from RNNP for the period 2003-2008. Here, 25926 valve tests have been performed, resulting in 764 failures. Assuming an average test interval of 6 months, this gives an estimated λDU of 6.7 per 10^6 hrs. If tested annually, the corresponding λDU becomes 3.4 per 10^6 hrs.

Furthermore, the same distribution between dangerous and safe failures as for topside ESV/XV valves is assumed. Zero coverage has been assumed for both S and D failures. PTIF and r are based on expert judgements.

Failure Rate References

Overall failure rate (per 10^6 hrs) | Failure mode distribution | Data source/comment
2.0 | Fail to close | Internal SINTEF data
3.4 – 6.7 | Fail to close or too high internal leakage rate | Data from RNNP, [9]
λDU = 3.6 per 10^6 hrs | | Data from review of safety critical failures on Norwegian semi-submersible platform. No. of inventories = 16; No. of critical DU failures = 1 1); Cal. time = 280 320 hrs 2). 1) Focus on DU failures. Reporting on other failure types questionable. 2) Two years of operation.
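The RNNP figures quoted for PSVs (5.3.6), deluge valves (5.3.7) and DHSVs above, and the calendar-time figures from the failure reviews and the OREDA pilot valve data, can be reproduced with two simple estimators. The following Python is an added example, not code from the PDS handbook or the PDS project; it assumes the proof-test estimator λDU = x / (n_tests · τ) and the calendar-time estimator λ = n / T, which are the relations that reproduce the handbook's numbers, and uses only the counts quoted in the dossiers.

```python
"""Failure-rate estimators behind the RNNP and failure-review figures.

Added example, not code from the PDS handbook. Two estimators reproduce the
values quoted in the PSV, deluge valve and DHSV dossiers:

  calendar-time estimator   lambda    = n_failures / T          (T in hours)
  proof-test estimator      lambda_DU = x / (n_tests * tau)     (tau = test interval)

The proof-test form is the relation that reproduces the handbook's numbers
(an assumption of this example): each of the n_tests proof tests covers one
test interval tau, so n_tests * tau is the accumulated time in which the x
undetected failures occurred.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


def rate_from_calendar_time(n_failures: int, calendar_hours: float) -> float:
    """Failure rate per hour from a failure count and accumulated calendar time."""
    if n_failures < 0 or calendar_hours <= 0:
        raise ValueError("need a non-negative failure count and positive calendar time")
    return n_failures / calendar_hours


def rate_from_proof_tests(n_failures: int, n_tests: int, test_interval_hours: float) -> float:
    """lambda_DU per hour from x failures found in n_tests proof tests."""
    if n_failures < 0 or n_tests <= 0 or test_interval_hours <= 0:
        raise ValueError("need a non-negative failure count, positive test count and interval")
    return n_failures / (n_tests * test_interval_hours)


def per_million(rate_per_hour: float, ndigits: int = 1) -> float:
    """Express a per-hour rate per 10^6 hours, rounded as in the dossiers."""
    return round(rate_per_hour * 1e6, ndigits)


@dataclass(frozen=True)
class TestCampaign:
    """Aggregated proof-test results as quoted from RNNP in the dossiers."""
    name: str
    n_tests: int
    n_failures: int

    def lambda_du_per_million(self, test_interval_years: float) -> float:
        tau = test_interval_years * HOURS_PER_YEAR
        return per_million(rate_from_proof_tests(self.n_failures, self.n_tests, tau))


# Test counts quoted in the dossiers (RNNP 2004-2008 for PSV and deluge, 2003-2008 for DHSV).
PSV = TestCampaign("PSV", n_tests=53347, n_failures=2226)
DELUGE = TestCampaign("Deluge valve", n_tests=17284, n_failures=163)
DHSV = TestCampaign("DHSV", n_tests=25926, n_failures=764)


def rnnp_estimates() -> dict[str, float]:
    """lambda_DU (per 10^6 hrs) for the test intervals discussed in the dossiers."""
    return {
        "PSV, annual test": PSV.lambda_du_per_million(1.0),
        "PSV, 2-yearly test": PSV.lambda_du_per_million(2.0),
        "Deluge, 6-monthly test": DELUGE.lambda_du_per_million(0.5),
        "Deluge, annual test": DELUGE.lambda_du_per_million(1.0),
        "DHSV, 6-monthly test": DHSV.lambda_du_per_million(0.5),
        "DHSV, annual test": DHSV.lambda_du_per_million(1.0),
    }


def review_estimates() -> dict[str, float]:
    """Calendar-time estimates (per 10^6 hrs) from the failure reviews and OREDA.

    Calendar time is inventory count x years of operation x 8760 h, which is
    how the quoted 'Cal. time' figures in the reviews were obtained.
    """
    return {
        # 16 DHSVs observed for two years, 1 DU failure (cal. time 280 320 h)
        "DHSV, semi-submersible review": per_million(
            rate_from_calendar_time(1, 16 * 2 * HOURS_PER_YEAR)),
        # 92 fire dampers, two years, 4 DU failures (cal. time 1 611 840 h)
        "Fire damper, onshore review": per_million(
            rate_from_calendar_time(4, 92 * 2 * HOURS_PER_YEAR)),
        # 438 solenoid valves, one year, 1 DU failure (cal. time 3 836 880 h)
        "Solenoid valve, onshore review": per_million(
            rate_from_calendar_time(1, 438 * HOURS_PER_YEAR)),
        # OREDA phase V-VII pilot valves: 35 critical failures in 7 960 104 valve-hours,
        # rescaled to the assumed 272 solenoids on 175 valves (55% with two solenoids)
        "Pilot valve, OREDA V-VII, per solenoid (lambda_crit)": per_million(
            rate_from_calendar_time(35, 7_960_104 * 272 / 175)),
    }


if __name__ == "__main__":
    for label, value in {**rnnp_estimates(), **review_estimates()}.items():
        print(f"{label:52s} {value} per 10^6 hrs")
```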


5.4 Subsea Equipment

As part of the PDS-BIP work in 2004, a recommended data set for subsea equipment was established and provided as input to the updated OLF 070 guideline, [19], as well as to the PDS 2006 data handbook, [12]. The data were mainly based on the OREDA 2002 handbook, [5], and input from and discussions with experts. In the present version of the PDS data handbook, additional subsea data from the new OREDA 2009 Handbook have been utilised, thus providing a much better basis for the suggested values. It should however be noted that for some equipment groups the population is still limited.

For the subsea equipment, focus has been on dangerous failures and only values for the coverage factor for dangerous failures, cD, are specified. Hence, the rate of undetected spurious trip failures, λSU, is not given. Values for the safe failure fraction (SFF) have been indicated. It should be noted that the SFF figures are mainly based on the reported failure mode distributions in OREDA subsea (as well as some additional expert judgements) and will therefore rely on the quality of the failure reporting in OREDA. Higher (or lower) SFFs than given in the tables may therefore apply for specific equipment types, and this should in such cases be documented separately.

Furthermore, specific β and PTIF values for subsea components are not given. As a starting point, estimates for topside equipment can be used for these unspecified parameters. They should, however, be assessed on a case by case basis depending on their specific (subsea) application.

Table 11 briefly summarizes the discussion underlying the proposed data for subsea equipment. For more detailed descriptions of the equipment configurations, the equipment boundaries and the data, reference is made to the new OREDA 2009 subsea handbook, [3]. For comments or feedback concerning the OREDA subsea data, contact the OREDA project manager or one of the participating companies, ref. http://www.oreda.com.

Table 11 Discussion of proposed subsea data

Component | λcrit 1) | λD 1) | cD (%) | λDU 1) | SFF (%) | Reference/comments
ESD/PSD logic including analogue input and digital output, located topside* | 15.6 | 8.0 | 90 | 0.8 | 95 | Ref. section 5.2.2. Data for programmable topside safety system (single system) referred. * Topside located ESD/PSD node which may communicate with the subsea equipment via the master control station (MCS).
MCS - Master control station, located topside* | 9.4 | 2.8 | 60 | 1.1 | 88 | OREDA Subsea Handbook 2009, [3], Tax. No. 5.1. Master control station (25 off, 11 crit. failures). Based on reported critical failures in OREDA a distribution between safe and dangerous failures of 70% / 30% has been assumed. Further, a coverage of 60% for dangerous failures has been assumed. * This is the topside unit communicating with the SEM. In addition, there will normally be a topside located ESD/PSD node which performs the safety actions via the master control station.
SEM – subsea electronic module (located in subsea control module, SCM) | 9.9 | 4.0 | 70 | 1.2 | 84 | OREDA Subsea Handbook 2009, [3], Tax. No. 5.1. Subsea electronic module (461 off, 138 crit. failures). Assuming a distribution between safe and dangerous failures of 60% / 40% and coverage for dangerous failures of 70%. Note that the number of reported critical failures is uncertain. Also note that there may be redundant SEMs in the same subsea control module (SCM).
Solenoid control valves (located in subsea control module, SCM) | 0.40* | 0.16 | 0 | 0.16 | 60 | OREDA Subsea Handbook 2009, [3], Tax. No. 5.1. Solenoid control valve (4718 off, 48 crit. failures). Based on reported OREDA failures and some additional expert judgements, a distribution between safe and dangerous failures of 60% / 40% has been assumed. Further, zero coverage for subsea valves has generally been assumed. *The failure rate includes different types of solenoid control valves. The OREDA data handbook does not differentiate between e.g. mono stable (continuously energized) and bistable (energized to shift) solenoids.
Pressure sensor | 0.62 | 0.37 | 60 | 0.15 | 76 | OREDA Subsea Handbook 2009, [3], Tax. No. 5.1. Pressure sensor (1890 off, 34 crit. failures). Assuming 40% / 60% distribution between safe and dangerous failures and 60% coverage for dangerous failures.
Temperature sensor | 0.30 | 0.18 | 60 | 0.07 | 76 | OREDA Subsea Handbook 2009, [3], Tax. No. 5.1. Temperature sensor (272 off, 2 crit. failures). Assuming 40% / 60% distribution between safe and dangerous failures and 60% coverage for dangerous failures.
Combined pressure and temperature sensor | 2.5* | 1.25 | 60 | 0.5 | 80 | OREDA Subsea Handbook 2009, [3], Tax. No. 5.1. Combined pressure and temperature sensor (303 off, 16 crit. failures). Based on the reported failure modes in OREDA a 50% / 50% distribution between safe and dangerous failures has been assumed. Further, coverage of 60% for dangerous failures has been assumed. Note that due to the relatively low number of components in the population and the higher failure rate of a combined pressure/temperature sensor, the total critical failure rate has been slightly increased (one additional critical failure has been assumed). *The failure rate represents a failure of either the pressure or the temperature measurement.
Flow sensor | 2.0* | 1.4 | 60 | 0.56 | 72 | OREDA Subsea Handbook 2009, [3], Tax. No. 5.1. Flow sensor (336 off, 11 crit. failures). The reported OREDA failures indicate a distribution between safe and dangerous failures of some 30% / 70%. Further, coverage for dangerous failures of 60% has been assumed. *The OREDA data handbook does not differentiate between different technologies such as e.g. a simple Venturi device (with DP cell) and a more advanced multiphase flow meter.
Umbilical hydraulic/chemical line (per line) | 0.31 | 0.22 | 80 | 0.04 | 87 | OREDA Subsea Handbook 2009, [3], Tax. No. 5.1. Static umbilical, hydraulic/chemical line (803 off, 9 crit. failures). λDU has been based on critical failures of hydraulic/chemical lines in static umbilicals. Assuming 70% dangerous failures and a coverage of 80%, since the majority of failures should be detectable immediately.
Umbilical power/signal line (per line) | 0.51 | 0.36 | 80 | 0.07 | 86 | OREDA Subsea Handbook 2009, [3], Tax. No. 5.1. Static umbilical, power/signal line (407 off, 8 crit. failures). λDU has been based on critical failures of power/signal lines in static umbilicals. Assuming 70% dangerous failures and a coverage of 80%, since the majority of failures should be detectable immediately.
Process isolation valves (located on subsea manifold) | 1.32 | 0.40 | 0 | 0.40 | 70 | OREDA Subsea Handbook 2009, [3], Tax. No. 5.3. Process isolation valves (1111 off, 62 critical failures). The OREDA subsea figures indicate a distribution between safe and dangerous failures of approximately 70 % / 30 %. Zero coverage generally assumed for subsea valves.
Subsea isolation valve, SSIV (part of subsea isolation system, SSIS) | 0.52* | 0.21 | 0 | 0.21 | 60 | OREDA Subsea Handbook 2009, [3], Tax. No. 5.4. Valve subsea isolation (149 off, 0 crit. failures). Assuming zero coverage and a 60% / 40% distribution between safe and dangerous failures. * The critical failure rate estimate has been obtained by including the 2 critical failures reported for process isolation valves also included as part of the subsea isolation system.
Production master valve (PMV), Production wing valve (PWV) | 0.26 | 0.18 | 0 | 0.18 | 30 | OREDA Subsea Handbook 2009, [3], Tax. No. 5.8. Subsea X-mas tree; Valve process isolation (2267 off, 19 crit. failures). The reported critical failure modes for X-mas tree process isolation valves indicate a distribution between safe and dangerous failures of approximately 30 % / 70 %. Zero coverage generally assumed for subsea valves.
Chemical injection valve (CIV) | 0.37* | 0.22 | 0 | 0.22 | 40 | OREDA Subsea Handbook 2009, [3], Tax. No. 5.8. Subsea X-mas tree; Valve utility isolation (928 off, 4 crit. failures). When interpreting the reported critical failure modes for X-mas tree utility isolation valves conservatively, a distribution between safe and dangerous failures of some 40 % / 60 % can be assumed. *For this particular case the multi-sample estimator from OREDA has (conservatively) been applied due to possible lack of reporting of critical failures.
Downhole safety valve (DHSV) | 5.6 | 3.2 | 0 | 3.2 | 42 | Ref. section 5.3.11

1) All failure rates given per 10^6 hours.
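Table 11 derives λD, λDU and SFF from λcrit together with an assumed dangerous fraction and an assumed coverage cD. The following Python re-derives selected rows from the assumptions stated in their comments column and flags rows whose quoted figures do not follow from them; it is an added example, not code from the PDS handbook or the PDS project, and assumes the IEC 61508 definition SFF = (λS + λDD)/λcrit. The same relations reproduce the 20% coverage case for shutdown-only control valves in 5.3.5.

```python
"""Deriving dossier parameters from a critical failure rate.

Added example, not code from the PDS handbook. Table 11 obtains lambda_D,
lambda_DU and SFF from lambda_crit together with an assumed dangerous
fraction and an assumed coverage cD for dangerous failures (rates per 10^6 h):

    lambda_D  = lambda_crit * dangerous_fraction     lambda_S  = lambda_crit - lambda_D
    lambda_DD = lambda_D * cD                        lambda_DU = lambda_D - lambda_DD
    SFF       = (lambda_S + lambda_DD) / lambda_crit (IEC 61508 definition, assumed here)

The same relations give the shutdown-only control valve figures in 5.3.5.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DossierRates:
    lam_crit: float
    lam_d: float
    lam_s: float
    lam_dd: float
    lam_du: float
    sff_percent: float


def derive(lam_crit: float, dangerous_fraction: float, c_d: float) -> DossierRates:
    """Split lambda_crit into D/S and DD/DU parts and compute the SFF."""
    if lam_crit <= 0:
        raise ValueError("lambda_crit must be positive")
    if not (0.0 <= dangerous_fraction <= 1.0 and 0.0 <= c_d <= 1.0):
        raise ValueError("dangerous fraction and coverage must lie in [0, 1]")
    lam_d = lam_crit * dangerous_fraction
    lam_s = lam_crit - lam_d
    lam_dd = lam_d * c_d
    lam_du = lam_d - lam_dd
    sff = 100.0 * (lam_s + lam_dd) / lam_crit
    return DossierRates(lam_crit, lam_d, lam_s, lam_dd, lam_du, sff)


def undetected_rates(lam_d: float, lam_s: float, c_d: float, c_s: float) -> tuple[float, float]:
    """(lambda_DU, lambda_SU) from the total D/S rates and the coverage factors."""
    return lam_d * (1.0 - c_d), lam_s * (1.0 - c_s)


def matches_quoted(derived: DossierRates, lam_d: float, lam_du: float,
                   sff: int, ndigits: int) -> bool:
    """True when the derived values agree with the quoted ones at the quoted precision.

    Rates in Table 11 are quoted with 1 or 2 decimals and SFF as a whole percentage.
    """
    return (round(derived.lam_d, ndigits) == lam_d
            and round(derived.lam_du, ndigits) == lam_du
            and round(derived.sff_percent) == sff)


# Selected Table 11 rows: (lambda_crit, dangerous fraction, cD) as stated in the
# comments column, then the quoted (lambda_D, lambda_DU, SFF %) and the number
# of decimals the row is quoted with.
TABLE11_ROWS = {
    "MCS": (9.4, 0.30, 0.60, 2.8, 1.1, 88, 1),
    "SEM": (9.9, 0.40, 0.70, 4.0, 1.2, 84, 1),
    "Solenoid control valve": (0.40, 0.40, 0.0, 0.16, 0.16, 60, 2),
    "Pressure sensor": (0.62, 0.60, 0.60, 0.37, 0.15, 76, 2),
    "Flow sensor": (2.0, 0.70, 0.60, 1.4, 0.56, 72, 2),
    "Umbilical power/signal line": (0.51, 0.70, 0.80, 0.36, 0.07, 86, 2),
    "Process isolation valve": (1.32, 0.30, 0.0, 0.40, 0.40, 70, 2),
    "PMV/PWV": (0.26, 0.70, 0.0, 0.18, 0.18, 30, 2),
}


def check_table11() -> dict[str, bool]:
    """Re-derive each row from its stated assumptions and compare with the quoted figures.

    A False entry means the quoted figures do not follow from the stated split and
    coverage (for the SEM row the relations give SFF = 88%, not the quoted 84%), which
    is the kind of discrepancy to resolve against the source before reusing a value.
    """
    return {name: matches_quoted(derive(lc, frac, cd), ld, ldu, sff, nd)
            for name, (lc, frac, cd, ld, ldu, sff, nd) in TABLE11_ROWS.items()}


if __name__ == "__main__":
    for name, ok in check_table11().items():
        print(f"{name:30s} {'consistent' if ok else 'CHECK'}")
    # Control valve used only for shutdown: coverage reduced from 50% to 20%
    lam_du, lam_su = undetected_rates(4.4, 2.5, 0.2, 0.2)
    print(f"shutdown-only control valve: lambda_DU = {lam_du:.1f}, lambda_SU = {lam_su:.1f}")
```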

6 REFERENCES

[1] IEC 61508 Standard. "Functional safety of electrical/electronic/programmable electronic (E/E/PE) safety related systems", part 1-7, Edition 1.0 (various dates).
[2] IEC 61511 Standard. "Functional safety - safety instrumented systems for the process industry sector", part 1-3, 2003.
[3] OREDA participants, OREDA; Offshore Reliability Data Handbook, Volume 1 - topside data and Volume 2 - subsea data. 5th edition, 2009.
[4] OREDA participants, OREDA phases VI and VII, Computerised database on topside equipment (data collected during the period 2000-2003).
[5] OREDA participants, OREDA Handbook; Offshore Reliability Data Handbook, 4th edition, 2002.
[6] OREDA participants, OREDA phases IV and V, Computerised database on topside equipment (data collected during the period 1993-2000).
[7] OREDA participants, OREDA Handbook; Offshore Reliability Data Handbook, 3rd edition, 1997.
[8] OREDA participants, OREDA phase III, Computerised database on topside equipment (data collected during the period 1990-1992).
[9] Norwegian Petroleum Safety Authorities, Risikonivået i Norsk Petroleumsindustri (RNNP). Reported safety barrier data from 2003 - 2008.
[10] Hauge, S., Lundteigen, M.A., Hokstad, P. and Håbrekke, S., Reliability Prediction Method for Safety Instrumented Systems – PDS Method Handbook, 2010 Edition. SINTEF report A13503.
[11] Hauge, S., Hokstad, P., Langseth, H. and Øien, K., Reliability Prediction Method for Safety Instrumented Systems – PDS Method Handbook, 2006 Edition. SINTEF report STF50 A06031.
[12] Hauge, S., Langseth, H. and Onshus, T., Reliability Data for Safety Instrumented Systems – PDS Data Handbook, 2006 Edition. SINTEF report STF50 A06030.
[13] Hauge, S. and Hokstad, P., Reliability Data for Safety Instrumented Systems – PDS Data Handbook, 2004 Edition. SINTEF report STF38 A04423.
[14] Albrechtsen, E. and Hokstad, P., Reliability Data for Safety Instrumented Systems – PDS Data Handbook, 2003 Edition. SINTEF report STF38 A02421.
[15] EXIDA, Safety Equipment Reliability Handbook, 3rd edition, Volume 1 – 3, exida.com, 2007.
[16] T-Book, Version 5, Reliability Data of Components in Nordic Nuclear Power Plants. TUD-office and Pörn Consulting, 2000.
[17] Lunde, M., Ytelsesvurdering av sikkerhetsventiler (evaluation of pressure safety valve performance), NTNU, November 2004.
[18] Grammeltvedt, J.A., Oseberg C – Gjennomgang av erfaringsdata for brann- og gassdetektorer på Oseberg C. Forslag til testintervaller for detektorene. Report from Norsk Hydro, Forskningssenteret Porsgrunn (in Norwegian), 1994.
[19] OLF Guideline 070: "Application of IEC 61508 and IEC 61511 in the Norwegian Petroleum Industry". The Norwegian Oil Industry Association, rev. 02, 2004.
[20] Summers, A. (2008). IEC Product Approval – Veering Off Course. Article posted 11.06.08 on www.controlglobal.com.
[21] Centre for Chemical Process Safety (CCPS): Guidelines for safe and reliable instrumented protective systems, Wiley, 2007.
[22] Lipták, B.G. (Editor): Instrument Engineers' Handbook – Process Control and Optimisation, fourth edition, Taylor & Francis, 2006.
[23] Guidelines for follow-up of Safety Instrumented Systems (SIS) in the operating phase. SINTEF report A8788, Rev. 01, 01.12.2008 (Web: http://www.sintef.no/project/PDS/Reports/PDS%20ReportSIS follow up guideline final v01.pdf).
[24] Hauge, S., Lundteigen, M.A. and Rausand, M., Updating failure rates and test intervals in the operational phase: A practical implementation of IEC 61508 and IEC 61511, ESREL, September 2009, Prague, Czech Republic.