DCL-14-034, 993754-1-819 (-NP), Revision 0, Reliability Analysis
ML14205A038 | |
Person / Time | |
---|---|
Site: | Diablo Canyon |
Issue date: | 10/11/2013 |
From: | Frederickson T Invensys/Triconex |
To: | Office of Nuclear Reactor Regulation |
Shared Package | |
ML14205A031 | List:
|
References | |
3500897372, 993754, DCL-14-034 993754-1-819 (-NP), Rev 0 | |
Download: ML14205A038 (83) | |
Text
n v e. n s* . . i r: 'Ii e. r: 5'.:1 S* Operat i ons Management
-;-. I Proiect: Purchase Order No.: Project Sales Order: ( I,r-*
- ....... , ,--. ,/ E. iL*JI lei\ PG&E PROCESS PROTECTION SYSTEM REPLACEMENT-----, ,3500897372 993754 PACIFIC GAS & ELECTRIC COMPANY NUCLEAR SAFETY-RELATED PROCESS PROTECTION SYSTEM REPLACEMENT DIABLO CANYON POWER PLANT RELIABILITY ANALYSIS Document No. 993754-1-819 Revision 0 October 11, 2013 Name -.------+"'-----'-------I--":.;,p----,-::r-n:----:------f------------j Author: T. Frederickson Reviewer:
Ted Quinn IREN&V: Bill Hannaman Dan Head
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 2 of 83 Date: 10/11/13 Document Change History Revision Date Change Author A 7/17/13 Initial Issue for Review T. Frederickson 0 10/11/2013 Rev 0 Issue T. Frederickson
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 3 of 83 Date: 10/11/13 Table of Contents 1 Introduction .......................................................................................................................................... 6 1.1 Project Overview ....................................................................................................................... 6 Table 1-1: V10 Tricon PPS Protection Set Channel Safety Functions ....................................... 8 1.2 Purpose ...................................................................................................................................... 9 2 Summary of Results ........................................................................................................................... 10 Table 2-1: Summary of Reliability Analysis - Critical 2oo4 & 2oo3 PPS Safety Functions 13 Table 2-2: Summary of PFDavg and MTTFspurious for Critical PPS Safety Functions . 14 3 Input and Design Criteria .................................................................................................................. 15 3.1 Process Protection System ....................................................................................................... 15 3.2 Tricon Component Failure Rates ............................................................................................ 16 Table 3-1: Tricon Version 10.5 Module Failure Rates ............................................................. 17 3.3 ........................................................................................................ 18 3.4 Acronyms and Symbols ........................................................................................................... 18 3.5 Definitions of Key Terminology ............................................................................................. 20 3.5.1 Availability ................................................................................................................. 20 3.5.2 Average Probability of Failure on Demand (PFDavg) ............................................... 20 3.5.3 Common Cause Failure .............................................................................................. 20 3.5.4 Dangerous Failure ...................................................................................................... 20 3.5.5 Dangerous Detected Failure ....................................................................................... 20 3.5.6 Dangerous Undetected Failure ................................................................................... 20 3.5.7 Dangerous Systematic Failure .................................................................................... 21 3.5.8 Detected ...................................................................................................................... 21 3.5.9 Diagnostic Coverage .................................................................................................. 21 3.5.10 Failure......................................................................................................................... 21 3.5.11 Fault ............................................................................................................................ 21 3.5.12 MooN ......................................................................................................................... 21 3.5.13 Mean Time between Failure (MTBF) ........................................................................ 21 3.5.14 Mean Time to Fail Spurious (MTTFspurious) ........................................................... 21 3.5.15 Mean Time to Repair (MTTR) ................................................................................... 22 3.5.16 Proof Test ................................................................................................................... 22 3.5.17 Probability of Failure on Demand (PFD) ................................................................... 22 3.5.18 Probability of Failure on Demand (PFD) Analysis .................................................... 22 3.5.19 Redundancy ................................................................................................................ 23 3.5.20 Safe Failure ................................................................................................................ 23 3.5.21 Safe Detected Failure ................................................................................................. 23 3.5.22 Safe Undetected Failure ............................................................................................. 23 3.5.23 Safety Integrity ........................................................................................................... 23 3.5.24 Spurious Failure ......................................................................................................... 23 3.5.25 Undetected .................................................................................................................. 23 4 Assumptions ........................................................................................................................................ 24 4.1 Overall System Assumptions .................................................................................................. 24 4.2 Mean Time between Failure (MTBF) Assumptions................................................................ 24
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 4 of 83 Date: 10/11/13 4.3 Mean Time to Repair (MTTR) Assumptions .......................................................................... 25 4.4 PPS Tricon 2oo4 Reliability Assumptions .............................................................................. 25 4.5 PPS Tricon 2oo3 Reliability Assumptions .............................................................................. 25 5 Method of Analysis ............................................................................................................................. 27 5.1 Triconex Tricon Version 10.5 EXCEL Spreadsheets ............................................................. 27 5.2 Spreadsheets for Reliability Calculation of Redundant Tricon Configurations ...................... 28 6 Reliability Calculations ...................................................................................................................... 29 7 References ........................................................................................................................................... 46 7.1 PG&E Documents ................................................................................................................... 46 7.2 NRC Documents...................................................................................................................... 46 7.3 Reliability Methodology .......................................................................................................... 46 7.4 Vendor component specifications and reliability data ............................................................ 47 8 Conclusion/Discussion ........................................................................................................................ 48 Attachment A: Markov Models for Tricon Version 10.5 ..................................................... 49 Attachment B: Estimating Common Cause Factors Using IEC 61508-6 Standard .......... 79
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 5 of 83 Date: 10/11/13 Table of Figures Figure 1-1: Westinghouse PWR Reactor Protection Concept [Ref. 7.1.2]
6Figure 2-1: PFDavg versus TI for the PPS Tricons in a 2oo4 Configuration 11Figure 2-2: PFDavg versus TI for the PPS Tricons in a 2oo3 Configuration 12Figure 6-1: PPS I Tricon - Fail-to-Function 30Figure 6-2: PPS I Tricon - Fail-Safe 31Figure 6-3: PPS II Tricon - Fail-to-Function 32Figure 6-4: PPS II Tricon - Fail-Safe 33Figure 6-5: PPS III Tricon - Fail-to-Function 34Figure 6-6: PPS III Tricon - Fail-Safe 35Figure 6-7: PPS IV Tricon - Fail-to-Function 36Figure 6-8: PPS IV Tricon - Fail-Safe 37Figure 6-9: 2oo4 OTDT Reactor Trip Safety Function - Fail-to-Function 38Figure 6-10: 2oo4 OTDT Reactor Trip Safety Function - Fail-Safe 39Figure 6-11: PFDavg and MTTFspurious for 2oo4 Tricon Configuration Error! Bookmark not defined.Figure 6-12: Symbols Used to Calculate PFD and MTTF for 2oo4 Configuration 41Figure 6-13: 2oo3 Steamline Isolation Function - Fail-to-Function 42Figure 6-14: 2oo3 Steamline Isolation Function - Fail-Safe Error! Bookmark not defined.Figure 6-15: PFDavg & MTTF Calculation for 2oo3 Steamline Function 43Figure 6-16: Symbols for Calculation for 2oo3 Steamline Isolation Function 45Figure A1 - Part 1 Fail-to-Function Markov Model For TRICON V10.5 TMR Controller 50Figure A1 - Part 2: Fail
-to-Function Markov ModelFor TRICON V10.5 TMR Controller 51Figure A1 - Part 3: Fail
-to-Function Markov Model for TRICON V10.5 TMR Controller 52Figure A2: Generic Fail
-Safe Markov Model Using Detected and Undetected Safe Failure Rates 68Figure A3: Generic Fail
-Safe Markov Model Using Total Safe Failure Rates 69Figure A4 - Part 1: Fail-Safe Markov Model for TRICON Version 10.5 TMR Controller 70Fi gure A4 - Part 2: Fail-Safe Markov Model For TRICON Version 10.5 TMR Controller 71Figure A4 - Part 3: Fail
-Safe Markov Model for TRICON Version 10.5 TMR Controller 72
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 6 of 83 Date: 10/11/13 1 Introduction 1.1 Project Overview The Pacific Gas & Electric (PG&E) Diablo Canyon Power Plant (DCPP) Process Protection System (PPS) Replacement Project upgrades the existing Westinghouse Eagle 21 safety system. The scope of the equipment replacement is shown in the red box in Figure 1-1, on the following page. The red box represents the Process Protection racks that contain the safety
-related equipment.
The PPS monitors plant parameters, compares them against setpoints and provides signals to the Solid State Protection System (SSPS). The SSPS evaluates the signals a nd performs Reactor Trip System (RTS) and Engineered Safety Feature Actuation System (ESFAS) functions to mitigate the event that is in progress. The SSPS, RTS, and ESFAS functions are not within the scope of the PPS Replacement Project.
Figure 1-1: Westinghouse PWR Reactor Protection Concept [Ref. 7.1.2]
The PPS comprises four Protection Sets in sixteen racks. Separation of redundant process channels begins at the process sensors and is maintained in the field wiring,
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 7 of 83 Date: 10/11/13 containment penetrations, and process Protection Sets to the two redundant trains in the SSPS logic racks. Redundant process channels are separated by locating the electronics in different Protection Sets.
The four replacement Protection Sets (I thru IV) each comprise the V10 Tricon, the Westinghouse Advanced Logic System (ALS) platform, the Maintenance Workstation, and various interface devices, such as the NetOptics Network Aggregator Tap and instrument loop isolators. The ALS is not within IOM scope of supply. However, the ALS converts sensor inputs to a signal type compatible with the V10 Tricon hardware.
Specifically, the ALS processes resistance temperature detector (RTD) inputs and converts them to 4-20 milliamp signals. This conversion is necessary to satisfy Diablo Canyon Power Plant loop accuracy requirements.
The V10 Tricon portion of the PPS Replacement System comprises three V10 Tricon chassis per Protection Set: one safety
-related Main Chassis, one safety
-related Remote Expansion Chassis (RXM), and one non safety related RXM chassis. The Network Aggregator Tap, which is intended as an isolation device between the Tricon and the non-safety plant network, is provided by PG&E to IOM for factory acceptance testing. The media converter, between the Tricon Main Chassis and the Network Aggregator Tap, will be provided by IOM and is necessary to convert the fiber optic medium at the output of the Tricon Communication Module (TCM) to copper medium at the input of the Network Aggregator Tap.
The Maintenance Workstation is a non safety device developed separately from the PPS Replacement Project under a separate PG&E Purchase Order, budget, and staff.
Development of the Maintenance Workstation is handled under a different project plan and by a separate project team. However, the Maintenance Workstation is part of the
factory acceptance test of the V10 Tricon Protection Sets, as discussed in the Validation Test Plan, 993754-1-813. The technical requirements for the Tricon-to-Maintenance Workstation interface are provided in PG&E Interface Requirements Specification [Ref. 7.1.4].
The functions required in each V10 Tricon Protection Set are listed in Table 1-1 on the next page. See the Functional Requirements Specification for additional details on the protection functions and their design bases. As can be seen in Table 1-1, the PPS Protection Sets do not have the same channel safety functions. The Conceptual Design Document [Ref 7.1.2] and Functional Requirements Specification have additional detail on the hardware configuration of the PPS.
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 8 of 83 Date: 10/11/13 Channel(s)
Purpose Protection Set Function I II III IV Wide Range Reactor Coolant Temperature Channels Input to Low Temperature Overpressure Protection System (LTOPS)
Provides protection against over
-pressurization at low plant temperature X X Wide Range Reactor Coolant Pressure Channels Input to LTOPS Provides protection against over
-pressurization at low plant temperature X X Input to Residual Heat Removal (RHR) valve interlock circuit Provides protection against improper operation of RHR isolation valves X X Delta-T / Tavg (DTTA) Channels Overtemperature Delta
-T (OTDT) Reactor Trip Provides DNB protection X X X X Overpower Delta
-T (OPDT) Reactor Trip Provides protection against excessive power (fuel rod rating protection)
X X X X Low-Low T avg P-12 Blocks steam dump to prevent undesired cooldown X X X X Low T avg Feedwater Isolation Prevents excessive cooling after trip to maintain shutdown margin X X X X Pressurizer Level Channels Pressurizer High Water Level Reactor Trip Provides backup protection to the Pressurizer High Pressure Reactor Trip, and Prevents the pressurizer from becoming water solid during low
-worth and
-power rod withdrawal accidents X X X Pressurizer Vapor Temperature Channel Pressurizer Vapor Space Temperature Low RHR valve V-8701 interlock circuit input X Steam Generator Steam Flow Channel Steam Flow Indication Provide safety
-related outputs for post
-accident monitoring (S/G 1 thru 4)
X X Steamline Break Protection Channels Steamline Pressure Low SI and Steamline Isolation Initiate the automatic starting of boron injection and decay heat removal systems and Provide protection against steamline break accidents X X X X Steamline Pressure High Negative Rate Steamline Isolation Provide protection in the case of a steamline break when Pressurizer Pressure is less than the P
-11 setpoint and Low Steamline Pressure SI is blocked X X X X Steam Generator Narrow Range Level Channels Steam Generator (S/G) High
-High Level Turbine Trip and Feedwater Isolation (P
-14, S/G High Level Permissive)
Provides protection against S/G overfill and damage to the main steamlines or main turbine X X X X S/G Low-Low Level Reactor Trip and Auxiliary Feedwater (AFW) Pump Start Protects the reactor from loss of heat sink in the event of loss of feedwater to one or more S/Gs or a major feedwater line rupture X X X X Turbine Impulse Chamber Pressure Channels Turbine Impulse Chamber Pressure High to P
-13 Interlock Provide an input to P
-7 indicative of low turbine power when less than the setpoint P-7 permissive disables selected Reactor Trip signals at low power levels X X Table 1-1: V10 Tricon PPS Protection Set Channel Safety Functions
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 9 of 83 Date: 10/11/13 1.2 Purpose The purpose of this calculation is to document the methodology and results of the Reliability Analysis, where applicable, for the PPS Replacement Safety System Architecture.
The intent of the Reliability Analysis is to provide a quantitative reliability analysis of the Tricons (the logic solver) performing the reactor trips and the Engineered Safety Features Actuation (ESFAS) functions. The goal is to demonstrate that the IOM electronic hardware portions of the PPS can achieve a very low unavailability factor and a MTTFspurious larger than thousands of years. The unavailability parameter calculated is the average probability of failure on demand (PFDavg).
The PFDavg achieved by the PPS safety functions should meet the requirements of the highest hardwar e Safety Integrity Level (SIL) of SIL 4. SIL 4 requires a PFDavg for a complete safety function that includes the sensors, logic solver, and final elements to be in the range of 1.0E-05 to 1.0E-04. See IEC 61508-1 for information on SIL 4. Since the PFDavg for the sensors and final elements are typically much higher than the logic solver PFDavg, the PFDavg for the Tricons PPS safety functions should be in the range of 1.0E-06 to 1.0E-05.
The Reliability Analysis encompasses all IOM system safety critical application hardware (Tricons) as detailed in the PPS Architecture (Reference 7.4.3 and 7.4.4), PPS drawings and/or PPS BOM. Sensors and final elements are the responsibility of PG&E and are not provided by Invensys as part of the PPS contract. This analysis addresses the reliability of the hardware components provided by Invensys as part of the PPS Replacement contract. Since sensors and final elements are the responsibility of PG&E, their data is not included in the calculations. ALS is the responsibility of Westinghouse.
This is a NUCLEAR SAFETY RELATED document.
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 10 of 83 Date: 10/11/13 2 Summary of Results The PFDavg is calculated for four Tricons in a 2oo4 voting configuration. The I/O modules analyzed are for the most complex 2oo4 safety function, Over Temperature Delta - T (OTDT). The PFDavg is computed for a proof test interval (TI) from 1 to 30 months. Figure 2-1 shows the PFDavg for the (OTDT) 2oo4 safety function. The most complex 2oo4 safety function is determined based on the largest number of modules required to perform a safety function within the scope of the system modification.
The PFDavg is also calculated for three Tricons in a 2oo3 voting configuration. The I/O modules analyzed are for the most complex 2oo3 safety function, Steamline Isolation. Figure 2-2 shows the PFDavg for the Steamline Isolation 2oo3 safety function.
The following Table 2-1 summarizes the results of the reliability analysis for the most complex 2oo3 and 2oo4 safety functions. The following Table 2-2 summarizes the results of the reliability analysis for all the complex 2oo3 and 2oo4 safety functions.
Attachment B explains the common cause factors used in the analysis of the various Tricon configurations.
This PPS replacement design meets the design requirements for a 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Mean Time To Repair(MTTR) for fault conditions identified through diagnostic coverage for a 30 month proof test interval. Therefore, no additional design modifications are required.
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 11 of 83 Date: 10/11/13 Figure 2-1: PFDavg versus TI for the PPS Tricons in a 2oo4 Configuration 0.00E+00 1.00E-07 2.00E-07 3.00E-07 4.00E-07 5.00E-07 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 PFDavg TI - Proof Test Interval - Months PFDavg for Over Temperature Delta - T OTDT Reactor Trip
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 12 of 83 Date: 10/11/13 Figure 2-2: PFDavg versus TI for the PPS Tricons in a 2oo3 Configuration 0.00E+001.00E-072.00E-073.00E-074.00E-075.00E-07 1 2 3 4 5 6 7 8 9101112131415161718192021222324252627282930PFDavgTI -Proof Test Interval
-MonthsPFDavg for Low Steamline Pressure SI vs TI
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 13 of 83 Date: 10/11/13 Table 2-1: Summary of Reliability Analysis - Critical 2oo4 & 2oo3 PPS Safety Functions VotingPeriodic TestMTTFspurious Tricon ConfigurationLogicInterval - MonthsPFDavgYearsAvailability2oo4 PPS Safety Function 2oo4303.80E-07221,417
>99.99999OTDT Reactor TripTricon Protection Set I2oo3306.09E-051,332
>99.999Tricon Protection Set II2oo3306.09E-051,332
>99.999Tricon Protection Set III2oo3306.09E-051,429
>99.999Tricon Protection Set IV2oo3306.09E-051,429
>99.999 2oo3 PPS Safety Function2oo3304.91E-0764,541
>99.99999Loop 1 Steamline IsolationTricon Protection Set I2oo3303.14E-051,332
>99.999Tricon Protection Set II2oo3303.14E-051,332
>99.999Tricon Protection Set IV2oo3303.14E-051,429
>99.999 2oo3 PPS Safety Function2oo3304.91E-0764,541
>99.99999Loop 2 Steamline IsolationTricon Protection Set I2oo3303.14E-051,332
>99.999Tricon Protection Set II2oo3303.14E-051,332
>99.999Tricon Protection Set III2oo3303.14E-051,429
>99.999 2oo3 PPS Safety Function2oo3304.91E-0764,541
>99.99999Loop 3 Steamline IsolationTricon Protection Set I2oo3303.14E-051,332
>99.999Tricon Protection Set II2oo3303.14E-051,332
>99.999Tricon Protection Set III2oo3303.14E-051,429
>99.999 2oo3 PPS Safety Function2oo3304.91E-0764,541
>99.99999Loop 4 Steamline IsolationTricon Protection Set I2oo3303.14E-051,332
>99.999Tricon Protection Set II2oo3303.14E-051,332
>99.999Tricon Protection Set IV2oo3303.14E-051,429
>99.999Note: The data on the lines starting with Tricon Protection Set are for the single Tricon.PG&E Diablo Canyon Power Plant Units 1 & 2
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 14 of 83 Date: 10/11/13 Table 2-2: Summary of PFDavg and MTTFspurious for Critical PPS Safety Functions VotingMTTFActionProtection SetsLogicPFDavgSpurious (Years)Over Temperature Delta- T (OTDT) Reactor TripPPS I, II,III, IV2oo43.801E-07221,417
Over Power Delta- T (OPDT) Reactor TripPPS I, II,III, IV2oo43.801E-07221,417
Pressurizer Hjgh Water LevelReactor TripPPS I, II,III2oo34.91E-0764,541
Loop 1 Steamline Pressure LowIsolationPPS I, II, IV2oo34.91E-0764,541
Loop 2 Steamline Pressure LowIsolationPPS I, II,III2oo34.91E-0764,541
Loop 3 Steamline Pressure Low IsolationPPS I, II,III2oo34.91E-0764,541
Loop 4 Steamline Pressure LowIsolationPPS I, II, IV2oo34.91E-0764,541
Loop 1 Steamline Pressure High Negative RateIsolationPPS I, II, IV2oo34.91E-0764,541
Loop 2 Steamline Pressure High Negative RateIsolationPPS I, II,III2oo34.91E-0764,541
Loop 3 Steamline Pressure High Negative RateIsolationPPS I, II,III2oo34.91E-0764,541
Loop 4 Steamline Pressure High Negative RateIsolationPPS I, II, IV2oo34.91E-0764,541
Steam Generator 1 High High LevelTurbine TripPPS II, III, IV2oo34.91E-0764,541
Steam Generator 2 High High LevelTurbine TripPPS I, III, IV2oo34.91E-0764,541
Steam Generator 3 High High LevelTurbine TripPPS I ,III, IV2oo34.91E-0764,541
Steam Generator 4 High High LevelTurbine TripPPS II, III, IV2oo34.91E-0764,541
Steam Generator 1 Low Low LevelReactor TripPPS II, III, IV2oo34.91E-0764,541
Steam Generator 2 Low Low LevelReactor TripPPS I, III, IV2oo34.91E-0764,541
Steam Generator 3 Low Low LevelReactor TripPPS I ,III, IV2oo34.91E-0764,541
Steam Generator 4 Low Low LevelReactor TripPPS II,III, IV2oo34.91E-0764,541
Safety FunctionDIABLO CANYON NUCLEAR POWER PLANT UNITS 1 & 2PFDavg and MTTFspurious for PPS Safety Functions
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 15 of 83 Date: 10/11/13 3 Input and Design Criteria 3.1 Process Protection System The four Protection Sets have different hardware and software requirements. The Main Chassis in each Protection Set executes the TriStation 1131 application code (the PT2 file); therefore the PPS requires four application programs (four PT2 files). The application programs are developed as nuclear safety
-related Software Integrity Level 4 (SIL4) software.
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 16 of 83 Date: 10/11/13 3.2 Tricon Component Failure Rates Failure rates are calculated per MIL
-HDBK-217F where available. Where not available, failure rates were computed using Bellcore Issue 6 database, parts count method (method I case 1), assuming nominal 40 degrees C junction temperature, 50% electrical stress, ground benign, controlled environment, quality class II. The "parts count" or "Black Box" method is very similar to and was modeled from the MIL-HDBK-217 standard. Although the Bellcore/Telcordia standard was originally developed for the telecommunications industry, it is also widely accepted in industrial and process automation as it is considered to match specific application conditions closer to those actually experienced than the MIL
-HDBK-217 values. Typically the military standard has more conservative failure rates than Telcordia. However, the failure mode conditions identified in the FMEA (Reference 7.4.2) are quantified in the Diagnostic Coverage, depending on the actual device design Telcordia in certain cases gives the more conservative values.
Conditions for MTBF Calculations - Used Software tool: Relex 7.7 - Used database: Telcordia (Bellcore Issue 6)
- Used method: Parts counts method (Method 1). This means that only the conservative database values are taken into account and no credit is taken for laboratory or field data
Failure Mode and Effect Analysis quantified the Diagnostic Coverage and the Safe Failure Fraction in accordance with IEC 61508-6 Annex C.
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 17 of 83 Date: 10/11/13 Table 3-1: Tricon Version 10.5 Module Failure Rates
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 18 of 83 Date: 10/11/13 3.3 These factors are applied in accordance with the IEC 61508-6 Annex D for quantifying the effect of hardware-related common cause failures.
Attachment B shows how the Beta factors for the Tricons were developed using the IEC 61508-6 Annex D.
Attachment B also lists the common cause Beta factors used in the reliability analysis for Triple and Quad Tricons 3.4 Acronyms and Symbols
The following is a list of the various acronyms used in this document:
AI - Analog Input AO - Analog Output BOM - Bill of Material CC - Common Cause CCF - Common Cause Failure DD - Dangerous Detected DI - Digital Input DO - Digital Output DU - Dangerous Undetected FMEA - Failure Modes and Effects Analysis FPH - Failures per Hour FPMH - Failures per Million Hours IEC - International Electrotechnical Commission IEEE - Institute of Electrical and Electronics Engineers ESFAS - Engineered Safety Features Actuation Systems I/O - Input/Output MooN - M out of N Architecture (i.e. 2oo4) MP - Main Processor MTTF - Mean Time to Failure MTTFspurious - Mean Time to Fail Spurious MTTR - Mean Time to Repair MTTRot - Mean Time to Repair
-On Line PFD - Probability of Failure on Demand PFDavg - Average Probability of Failure on Demand PPS - Process Protection System PFH - Probability of Failure per Hour RO - Relay Output RPS - Reactor Protection Systems RT - Reactor Trip RTB - Reactor Trip Breaker
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 19 of 83 Date: 10/11/13 RTS - Reactor Trip System SD - Safe Detected SU - Safe Undetected SFF - Safe Failure Fraction SIF - Safety Instrumented Function SIL - Safety Integrity Level SIS - Safety Instrumented System SSPS - Solid State Protection System TI - Periodic Offline Test or Proof Test Interval TMR - Triple Modular Redundant
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 20 of 83 Date: 10/11/13 3.5 Definitions of Key Terminology
3.5.1 Availability
Availability is the characteristic of an item expressed by the probability that it will be operational at a randomly selected future instant in time. This metric assumes unplanned down time associated with a component failure and average MTTR only. It does not take into account planned down time such as: Preventive maintenance activities, Planned upgrades and Planned down time. 3.5.2 Average Probability of Failure on Demand (PFDavg) The PFDavg is the average probability of failure on demand for an individual SIF (Safety Instrumented Function) for the defined Test Interval. IEC 61508 / IEC 61511 and ANSI S-84.01 require that the SIL calculation for each individual SIF include the PFDavg of the Logic Solver. Typically, a SIF will comprise of approximately 3 to 8 I/O points, and the Triconex Logic Solver will be shared by several SIF. By using the I/O for the most complex SIF (worst case), the PFDavg value obtained for the Logic Solver can conservatively be used for each individual SIF. The PFDavg obtained is an appropriate value to be used in the QRA (Quantitative Risk Assessment) validation process of the SIL for each independent SIF. Note that the calculation of PFDavg is conservative for all SIF architectures. As a result, the calculation for MooN can be more conservative than the calculation for 1oo1. (MooN refers to a voted M out of N SIF architecture, as defined in IEC61508. 1oo1 refers to single-channel SIS architecture.)
3.5.3 Common Cause Failure A failure, which is the result of one or more events, causing failures of two or more separate channels in a multiple channel system, leading to system failure. 3.5.4 Dangerous Failure A failure which has the potential to put the safety instrumented system in a hazardous or fail-to-function state.
3.5.5 Dangerous Detected Failure A detected failure which has the potential to put the safety instrumented system in a hazardous or fail-to-function state. Dangerous detected failures do not include hardware failures and software faults identified during proof testing. 3.5.6 Dangerous Undetected Failure An undetected failure which has the potential to put the safety instrumented system in a hazardous or fail-to-function state. Dangerous undetected failures do not include hardware failures and software faults identified during proof testing.
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 21 of 83 Date: 10/11/13 3.5.7 Dangerous Systematic Failure An error that results in a dangerous failure that originates during specification, design, implementation, commissioning or maintenance actions. This failure exhibits a non
-random pattern of failures that exist at a discrete time 0 and remain failed throughout the full mission time of the SIS.
3.5.8 Detected In relation to hardware failures and software faults, detected by the diagnostic tests or through normal operation. This does not include hardware failures and software faults identified during proof testing.
3.5.9 Diagnostic Coverage The percentage of the total failure rate of the component or subsystem that is detected by built in diagnostic tests. Diagnostic coverage does not include any faults detected by proof tests. 3.5.10 Failure The termination of the ability of a functional unit to perform a required function.
3.5.11 Fault An abnormal condition that may cause a reduction in, or loss of, the capability of a functional unit to perform a required function. 3.5.12 MooN A safety instrumented system, or part thereof, made up of "
N" independent channels, which are so connected, that "
M" channels are sufficient to perform the safety instrumented function.
3.5.13 Mean Time between Failure (MTBF)
The Mean Time between Failures is the average time between successive failures of a system which can be repaired or restored through the replacement of a failed component.
This differs from MTTF (Mean time to Failure) in which the system/component repair/restoration time (MTTR) is not a consideration. The mathematical relationship between the two is MTBF = MTTF + MTTR. 3.5.14 Mean Time to Fail Spurious (MTTFspurious)
The MTTFspurious relates to the nuisance or spurious trip rate of the SIS (Safety Instrumented System). All the "Safety Critical" I/O modules are included in the MTTFspurious section of the spreadsheet. Annunciator points and other I/O that will not trip the process automatically are not included. Power supplies are considered in the
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 22 of 83 Date: 10/11/13 MTTFspurious calculation of de-energize to trip safety systems, as a false trip can occur if the power fails. By considering the total number of chassis', we account for the dual logic power supplies. Field power supply failures are accounted for separately when the calculations are done for the whole SIF including field elements (this is not part of the logic solver reliability calculations). The MARKOV model based reliability calculation tool developed by Triconex and reviewed by TÜV provides the PFDavg and the MTTFspurious calculations for the Logic Solver, including the three Main Processors, the Logic Power Supplies, all the chassis and all the conventional TMR safety related I/O modules. The Mean Time to Fail Spurious is the average time between successive events triggered by detected faults in a safety instrumented system. 3.5.15 Mean Time to Repair (MTTR)
The Mean Time to Repair is that time required on average to detect a failed component within the system and complete those actions necessary to restore full system function. The times listed assume:
- Repair by replacement
- Availability of at least 1 on-site spare for each listed component.
MTTR includes the time necessary to diagnose the fault, stabilize the system prior to component swap out as well as the time to bring the system back on line to full functionality. In cases where a system or subsystem is comprised of multiple components, the MTTR for the system or subsystem will be comprised of the worst case
MTTR of the components comprising the system or subsystem.
3.5.16 Proof Test A test performed to reveal undetected faults in a safety instrumented system so that, if necessary, the system can be restored to its designed functionality. Note: Also known as Periodic Offline Test.
3.5.17 Probability of Failure on Demand (PFD) The probability that safety instrumented system is in a functional state in the event of a process demand necessitating a transition to a safe-state. 3.5.18 Probability of Failure on Demand (PFD) Analysis PFD analysis techniques employ systematic methodologies that decompose a complex system into its basic components. The performance and interactions of these basic components are combined into reliability models (such as simplified equations, fault trees and Markov models) to determine the overall system safety availability.
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 23 of 83 Date: 10/11/13 3.5.19 Redundancy The use of multiple elements or systems to perform the same function; redundancy can be implemented by identical elements (identical redundancy) or by diverse elements (diverse redundancy).
3.5.20 Safe Failure A failure which does not have the potential to put the safety instrumented system in a hazardous or fail-to-function state.
3.5.21 Safe Detected Failure A detected failure which does not have the potential to put the safety instrumented system in a hazardous or fail-to-function state. Safe detected failures do not include hardware failures and software faults identified during proof testing.
3.5.22 Safe Undetected Failure An undetected failure which does not have the potential to put the safety instrumented system in a hazardous or fail
-to-function state.
3.5.23 Safety Integrity Safety integrity is defined as "The probability of a Safety Instrumented Function satisfactorily performing the required safety functions under all stated conditions within a stated period of time." Safety integrity consists of two elements: 1) hardware safety integrity and 2) systematic safety integrity. Hardware safety integrity can usually be estimated by modeling the component failure rates and the associated architecture (1oo1, 1oo2 etc). The result of this analysis yields a resulting PFD value which can be contrasted with the target (or specified) failure measure. Systematic safety integrity is difficult to quantify due to the diversity of potential causes of failure. Systematic failures may be introduced during the specification, design, implementation, operational and modification phases and may impact hardware as well as software.
3.5.24 Spurious Failu re The definition is the same as a safe failure. A failure which does not have the potential to put the safety instrumented system in a hazardous or fail-to-function state. 3.5.25 Undetected In relation to hardware and software faults not found by the diagnostic tests or during normal operation.
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 24 of 83 Date: 10/11/13 4 Assumptions 4.1 Overall System Assumptions The analysis assumes:
- The unavailability factor PFDavg applies to the logic solver and its I/O mo dules only (the Tricons). - Component failure and repair rates are assumed to be constant over the life of the component. - Once a component has failed in one of the possible failure modes it cannot fail again in one of the remaining failure modes. It can only fail again after it has been repaired.
- The analysis assumes the same independent failure rates for identical redundant components - The logic solver failure rate included input modules, logic solver, output modules and Tricon chassis power supplies. - The Proof Test Interval (TI) is assumed to be much shorter than the Mean Time to Failure (MTTF).
- Proof testing and repair of components (e.g., replacement of modules) in the system are assumed to return the system to a perfect or "as new" condition. - All Tricon components have been properly specified based on the process application. - All chassis power supply failures are assumed to be in the de-energized state.
- The Beta factor model is used to treat possible common cause failures (CCFs). Se e Appendix B - All failure rates will be per 1.0E-06 hours unless otherwise specified. - Field power supplies are not included in the reliability analysis.
- Input sensors are not shared between channels.
4.2 Mean Time between Failure (MTBF) Assumptions The analysis assumes:
- Failures are independent of each other
- Failures occur randomly at a constant rate over time.
- Repairs/replacements return the system to a "good as new" condition
- 35C max ground benign environment (unless otherwise noted) - Component failure rates as listed in the Telcordia standard unless otherwise specified. These failure rates are assumed to be conservative relative to failure data from returns to Invensys. - Wiring, interconnects, nests, racks and similar components are not considered in this analysis because their failure rate is much lower than the components on the modules.
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 25 of 83 Date: 10/11/13 4.3 Mean Time to Repair (MTTR) Assumptions The analysis assumes:
- Repair by replacement.
- Personnel will be available to repair all failures within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. - Availability of at least one module on site as spare for each module type. Additional modules may be required if they have a high failure rate and/or the time to replace used spares is significant.
- MTTR includes the time necessary to diagnose the fault, stabilize the system prior to component swap out, perform the swap out, test and bring the system back on line to full functionality.
In cases where a system or subsystem is comprised of multiple components, the MTTR for the system or subsystem will be comprised of the worst case MTTR of the components comprising the system or subsystem - Since the MTTR =
24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, the reliability analysis assumes the detected failures being repaired can be ignored.
4.4 PPS Tricon 2oo4 Reliability Assumptions The assumptions used to calculate the reliability for the PPS Tricons in a 2oo4 configuration are: 1) The TI maximum is 21,900 hours0.0104 days <br />0.25 hours <br />0.00149 weeks <br />3.4245e-4 months <br /> (30 months) 2) The Mean Time to Repair - Online (MTTRot) is 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> 3) The Most Significant Instrumented Function used for the Fail-to- Function calculations was identified as Over-temperature - Delta T function - DTTA and requires 3 AI modules (two 3721 and one 3703) and 1 DO module (one 3601). (From Reference 7.1.3 Section 3.2.5 and 7.4.3 Table 10, 11, 12 and 18). 4) All I/O modules in RXM chassis are not included in the Fail-Safe calculations.
- 5) The common cause Beta factors are Beta_2oo3 = 1.5%, Beta_Tricons_2oo4 = 0.6%. 6) Unused I/O on Tricon components is assumed to be non-contributors to the failure rate. 4.5 PPS Tricon 2oo3 Reliability Assumptions The assumptions used to calculate the reliability for the PPS Tricons in a 2oo3 configuration are: 1) The TI is 21,900 hours0.0104 days <br />0.25 hours <br />0.00149 weeks <br />3.4245e-4 months <br /> (30 months) 2) The Mean Time to Repair - Online (MTTRot) is 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> 3) The Most Significant Safety Instrumented Function used for the Fail-to-Function calculations was identified as Steam Line Break Protection and requires 1 AI module(one 3721) and 1 DO module(one 3603). (From Reference 7.13 Section 3.2.10 and 7.4.3 Table 12 and 14) 4) All I/O modules in RXM chassis are not included in the Fail-Safe calculations.
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 26 of 83 Date: 10/11/13 5) The common cause Beta factors are Beta_2oo3 = 1.5% and Beta_Tricons_2oo3= 1.5%
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 27 of 83 Date: 10/11/13 5 Method of Analysis 5.1 Triconex Tricon Version 10.5 EXCEL Spreadsheets The Tricon reliability analysis is based on the Tricon Reliability Calculation Spreadsheets that use Markov based models developed by Triconex and reviewed/approved by TUV Rheinland. These spreadsheets provide the necessary system reliability calculations for the Tricon logic solver, including 3 main processors, logic solver power supplies, all the common chassis and conventional safety rated I/O modules. Common cause calculations are included in the spreadsheets. Annunciator points and other I/O that will not trip the process automatically are not considered in the scope of this analysis and are not included in the spreadsheet results. While the calculation spreadsheets account for dual chassis power supplies, field power supplies are not included in the Tricon Reliability Calculation Spreadsheet scope.
The current Tricon Version 10.5 Reliability Calculation Spreadsheet is TRICONV10.5_1110 and is used to calculate the PFDavg and MTTFspurious for a single Tricon configuration. Two new versions of the spreadsheet have been developed to add the calculation of PFDavg and MTTFspurious for a 2oo4 configuration with four Tricons and a 2oo3 configuration with three Tricons. A third version of the spreadsheet has been developed for single versions of the Tricon. The new versions of the EXCEL Workbook files are: TRICONV10.5_1110_DIABLO_CANYON_2oo4.xlsx TRICONV10.5_1110_ DIABLO_CANYON_2oo3,xlsx TRICONV10.5_1110_ DIABLO_CANYON.xlsx
Spreadsheet PFD & MTTF in the TRICONV10.5_1110_ DIABLO_CANYON_2oo4.xlsx file calculates PFDavg and MTTFspurious for a 2oo4 configuration of four Tricons and also a single Tricon.
Spreadsheet PFD & MTTF in the TRICONV10.5_1110_ DIABLO_CANYON_2oo3.xlsx file calculates PFDavg and MTTFspurious for a 2oo3 configuration of three Tricons and also a single Tricon.
Spreadsheet PFD & MTTF in the TRICONV10.5_1110_ DIABLO_CANYON.xlsx file calculates PFDavg and MTTFspurious for each of the single Tricon s.
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 28 of 83 Date: 10/11/13 5.2 Spreadsheets for Reliability Calculation of Redundant Tricon Configurations Spreadsheets for the calculation of PFDavg and MTTFspurious for Tricon 2oo3 and 2oo4 configurations are used to show the additional calculations required for redundant Tricon configurations. Spreadsheets labeled 2oo4 Tricons and 2oo3 Tricons are in the workbook TRICONV10.5_1110_DIABLO_CANYON_2oo4 file and TRICONV10.5_1110_DIABLO_CANYON_2oo3 file. Printouts of these spreadsheets are shown in Section 6.
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 29 of 83 Date: 10/11/13 6 Reliability Calculations The reliability calculations for each of the Tricons used the Triconex Tricon Version 10.5 Spreadsheet with Diablo Canyon configuration inputs itemized in the Assumptions Section 4. The first eight Figures (spreadsheets) show the values of PFDavg and MTTFspurious for each of the PPS Tricons. Figures 6-9 and 6-10 show the PFDavg and MTTFspurious values for the 2oo4 PPS functions. Figures 6-11 and 6-12 show the additional calculations for the 2oo4 Tricon configuration. Figures 6-13 through 6-16 show the calculation for 2oo3 PPS functions.
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 30 of 83 Date: 10/11/13 Figure 6-1: PPS I Tricon - Fail-to-Function
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 31 of 83 Date: 10/11/13 Figure 6-2: PPS I Tricon - Fail-Safe
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 32 of 83 Date: 10/11/13 Figure 6-3: PPS II Tricon - Fail-to-Function
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 33 of 83 Date: 10/11/13 Figure 6-4: PPS II Tricon - Fail-Safe
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 34 of 83 Date: 10/11/13 Figure 6-5: PPS I II Tricon - Fail-to-Function
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 35 of 83 Date: 10/11/13 Figure 6-6: PPS I II Tricon - Fail-Safe
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 36 of 83 Date: 10/11/13 Figure 6-7: PPS IV Tricon - Fail-to-Function
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 37 of 83 Date: 10/11/13 Figure 6-8: PPS IV Tricon - Fail-Safe
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 38 of 83 Date: 10/11/13 Figure 6-9: 2oo4 OTDT Reactor Trip Safety Function - Fail-to-Function
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 39 of 83 Date: 10/11/13 Figure 6-10: 2oo4 OTDT Reactor Trip Safety Function - Fail-Safe
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 40 of 83 Date: 10/11/13 Figure 6-11: PFDavg and MTTFspurious for 2oo4 Tricon Configuration
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 41 of 83 Date: 10/11/13 Figure 6-12: Symbols Used to Calculate PFD and MTTF for 2oo4 Configuration
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 42 of 83 Date: 10/11/13 Figure 6-13: 2oo3 Steamline Isolation Function - Fail-to-Function
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 43 of 83 Date: 10/11/13 Figure 6-14: 2oo3 Steamline Isolation Function - Fail Safe
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 44 of 83 Date: 10/11/13 Figure 6-15: PFDavg & MTTF Calculation for 2oo3 Steamline Function
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 45 of 83 Date: 10/11/13 Figure 6-16: Symbols for Calculation for 2oo3 Steamline Isolation Function
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 46 of 83 Date: 10/11/13 7 References The following are referenced within this document or were used to develop this document:
7.1 PG&E Documents
7.1.1 PG&E Purchase Order 3500897372
7.1.2 PG&E Process Protection System Replacement Conceptual Design Document, R4
7.1.3 PG&E Functional Requirements Specification, 08-0015-SP-001, R5 7.1.4 PG&E Process Protection System Replacement Interface Requirements Specification including Appendix 3.1, I/O Listing, R6 7.2 NRC Documents
7.2.1 NUREG-0800, Standard Review Plan, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition, Chapter 7 - Instrumentation and Controls, U.S. Nuclear Regulatory Commission 7.3 Reliability Methodology 7.3.1 Telcordia (Bellcore) TR
-NWT-000332, Issue 6 December 1997, "Reliability Prediction Procedure for electronic equipment" 7.3.2 Relex version 7.7 for calculation of component data
7.3.3 IEC 61513 - 2001, "Nuclear Power Plants-Instrumentation and Control for Systems Important to Safety-General Requirements for Systems" 7.3.4 IEC 61508 - 2009, "Functional safety of electrical/electronic/programmable electronic safety-related systems" Parts 1 through 6
7.3.5 Mil-HDBK-217F, "Reliability Prediction of Electronic Equipment, Method I case 1 (parts count) to generate failure rate
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 47 of 83 Date: 10/11/13 7.3.6 ANSI S84.01-1996 "Application of Safety Instrumented Systems for the Process Industries" 7.3.7 ANSI/ISA TR84.00.02-2002 "Safety Instrumented Functions (SIF) - Safety Integrity Level (SIL) Evaluation Techniques Part 1: Determining the SIL of a SIF via Simplified Equations"
7.3.8 IEEE Standard No.762 "Definitions for Use in Reporting Electric Generating Unit Reliability, Availability and Productivity
7.3.9 IEEE Standard 352-1987,IEEE Guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Safety Systems
7.3.10 IEEE Standard 577-2004, IEEE Standard Requirements for Reliability Analysis in the Design and Operation of Safety Systems for Nuclear Facilities 7.4 Invensys component specifications and reliability data 7.4.1 Triconex Reliability / Availability Spreadsheet for TRICON version 10.5 TMR Controller - PFDavg & MTTFspurious Calculation 7.4.2 Invensys Document No. 993754-1-811, Rev A., Nuclear Safety-Related Process Protection System Replacement Diablo Canyon Power Plant-Failure Modes and Effects Analysis, March 15, 2013.
7.4.3 Invensys Document No. 993754-11-807, Rev. 1, Nuclear Safety-Related Process Protection System Replacement Diablo Canyon Power Plant Hardware Requirements Specification (HRS) Protection Set I, September 12, 2013.
7.4.4 Invensys Document No. 993754-11-917 Rev. 0, Nuclear Safety-Related Process Protection System Replacement Diablo Canyon Plant Hardware Design Description (HDD)
Protection Set I, April 25, 2013.
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 48 of 83 Date: 10/11/13 8 Conclusion/Discussion The reliability analysis shows the PFDavg is in the 1.0E-07 to 1.0E-06 range for the 2 oo3 and 2oo4 Tricon configurations for a proof test interval (TI) of 30 months. The MTTFspurious is in the many thousands of years for the 30 month proof test interval.
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 49 of 83 Date: 10/11/13 Attachment A: Markov Models for Tricon Version 10.5 The MARKOV model based reliability calculation spreadsheet developed by Triconex and reviewed by TUV provides: 1. A quantitative analysis of the Safety Availability in the form of a PFDavg (Average Probability of Failure on Demand) using a Fail
-To-Function Markov Model
- 2. A quantitative analysis of the Fail Safe Reliability in the form of an MTTFspurious (Mean Time to Fail Spurious) using a Fail-Safe Markov Model PROBABILITY OF FAILURE ON DEMAND CALCULATIONS USING TRICON VERSION 10.5 FAIL
-TO-FUNCTION MARKOV MODEL A Fail-to-Function Markov Model for the TRICON Version 10.5 is shown in Figure A1 - Part 1, Figure A 1 - Part 2 and Figure A 1 - Part 3. State 1 is the initial state where there are no failures of any of the modules in the system. Because of the triplicated architecture of the TRICON, at least two dangerous failures must occur to put the system in a fail
-to-function state. State 44 is an absorbing fail
-to-function state where multiple dangerous undetected failures have occurred and the system is in a fail
-to-function condition. States 2 through 22 are intermediate states where a dangerous undetected failure of a portion of a subsystem has occurred but the system is not in a fail
-to-function state. States 23 through 43 are states where a second dangerous failure (a dangerous detected failure) has occurred that has put the system in a temporary fail
-to-function state. These states are temporary because the dangerous detected failures can be repaired and returned to the dangerous undetected failure states (2 through 22). The Fail
-to-Function Markov Model was derived from the ISA Technical Report TR84.0.02 Part 5 developed by the SP84 Committee. The sections following the Markov Model Figures define the states in the Markov Model and show the equations for the transition rates ( s) in the Markov Model. The PFDavg calculations for the TRICON are in an EXCEL spreadsheet TRICONV10.5_1110. The results of the PFDavg and calculations are shown on Sheet 2 of the spreadsheet.
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 50 of 83 Date: 10/11/13 Figure A1 - Part 1 Fail-to-Function Markov Model For TRICON V10.5 TMR Controller
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 51 of 83 Date: 10/11/13 Figure A1 - Part 2: Fail-to-Function Markov Model For TRICON V10.5 TMR Controller
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 52 of 83 Date: 10/11/13 Figure A1 - Part 3: Fail-to-Function Markov Model for TRICON V10.5 TMR Controller Fail-to-Function Markov Model States for TRICON V10.5 TMR Controller State 1 No Failures (Initial State after Complete Repair)
State 2 Dangerous Undetected Failure of a Digital Input Common Processing Circuit State 3 Dangerous Undetected Failure of a Digital Input Circuit State 4 Dangerous Undetected Failure of an Analog Input Common Processing Circuit State 5 Dangerous Undetected Failure of an Analog Input Circuit State 6 Dangerous Undetected Failure of an Isolated Analog Input Processing Circuit
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 53 of 83 Date: 10/11/13 State 7 Dangerous Undetected Failure of an Isolated Analog Input Circuit State 8 Dangerous Undetected Failure of an Analog Output Common Processing Circuit State 9 Not used (Analog Output Point failure rate is very small because of triplicated DACs on each AO point and can be neglected)
State 10 Dangerous Undetected Failure of a Main Processor State 11 Dangerous Undetected Failure of a 24 VDC Digital Output Common Processing Circuit State 12 Dangerous Undetected Failure of a 24 VDC Digital Output Switch State 13 Dangerous Undetected Failure of a 115 VAC Digital Output Common Processing Circuit State 14 Dangerous Undetected Failure of a 115 VAC Digital Output Switch State 15 Dangerous Undetected Failure of a High Density Digital Input Common Processing Circuit State 16 Dangerous Undetected Failure of a High Density Digital Input Circuit State 17 Dangerous Undetected Failure of a High Density Analog Input Common Processing Circuit State 18 Dangerous Undetected Failure of a High Density Analog Input Circuit State 19 Dangerous Undetected Failure of a Pulse Input Common Processing Circuit State 20 Dangerous Undetected Failure of a Pulse Input Circuit State 21 Not used (reserved for addition of an I/O module) State 22 Not used (reserved for addition of an I/O module) State 23 Repairable Fail
-to-Function State Due to Dangerous Undetected Failure of a Digital Input Common Processing Circuit Plus Additional Dangerous Detected Failure of Processor or Digital Input Module on 2 nd Leg State 24 Repairable Fail
-to-Function State Due to Dangerous Undetected Failure of a Digital Input Circuit plus Additional Dangerous Detected Failure of Processor or Digital Input Module on 2 nd Leg State 25 Repairable Fail
-to-Function State Due to Dangerous Undetected Failure of an Analog Input Common Processing Circuit plus Additional Dangerous Detected Failure of Processor or Analog Input Module on 2 nd Leg State 26 Repairable Fail
-to-Function State Due to Dangerous Undetected Failure of an Analog Input Circuit plus Additional Dangerous Detected Failure of Processor or Analog Input Module on 2 nd Leg State 27 Repairable Fail
-to-Function State Due to Dangerous Undetected Failure of an Isolated Analog Input Common Processing Circuit plus Additional Dangerous Detected Failure of Processor or Isolated Analog Input Module on 2 nd Leg State 28 Repairable Fail
-to-Function State Due to Dangerous Undetected Failure of an Isolated Analog Input Circuit plus Additional Dangerous Detected Failure of Processor or Isolated Analog Input Module on 2 nd Leg State 29 Repairable Fail
-to-Function State Due to Dangerous Undetected Failure of an Analog Output Common Processing Circuit Plus Additional Dangerous Detected Failure of Processor or Analog Output Module on 2 nd Leg State 30 Not used (Analog Output Point failure rate is very small because of triplicated DACs on each AO point and can be neglected)
State 31 Repairable Fail
-to-Function State Due to Dangerous Undetected Failure of a Main Processor plus Additional Dangerous Detected Failure of Processor or Other I/O Module on 2 nd Leg
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 54 of 83 Date: 10/11/13 State 32 Repairable Fail
-to-Function State Due to Dangerous Undetected Failure of a 24 VDC Digital Output Common Processing Circuit Plus Additional Dangerous Detected Failure of Processor or 24 VDC Digital Output Module on 2 nd Leg State 33 Repairable Fail
-to-Function State Due to Dangerous Undetected Failure of a 24 VDC Digital Output Switch Plus Additional Dangerous Detected Failure of Processor or 24 VDC Digital Output Module on 2 nd Leg State 34 Repairable Fail
-to-Function State Due to Dangerous Undetected Failure of a 115 VAC Digital Output Common Processing Plus Additional Dangerous Detected Failure of Processor or 115 VAC Digital Output Module on 2 nd Leg State 35 Repairable Fail
-to-Function State Due to Dangerous Undetected Failure of a115 VAC Digital Output Switch Plus Additional Dangerous Detected Failure of Processor or 115 VAC Digital Output Module on 2 nd Leg State 36 Repairable Fail-to-Function State Due to Dangerous Undetected Failure of a High Density Digital Input Common Processing Circuit Plus Additional Dangerous Detected Failure of Processor or High Density Digital Input Module on 2 nd Leg State 37 Repairable Fail
-to-Function State Due to Dangerous Undetected Failure of a High Density Digital Input Circuit Plus Additional Dangerous Detected Failure of Processor or High Density Digital Input Module on 2 nd Leg State 38 Repairable Fail
-to-Function State Due to Dangerous Undetected Failure of a High Density Analog Input Common Processing Circuit Plus Additional Dangerous Detected Failure of Processor or High Density Analog Input Module on 2 nd Leg State 39 Repairable Fail
-to-Function State Due to Dangerous Undetected Failure of a High Density Analog Input Circuit Plus Additional Dangerous Detected Failure of Processor or High Density Analog Input Module on 2 nd Leg State 40 Repairable Fail
-to-Function State Due to Dangerous Undetected Failure of a Pulse Input Common Processing Circuit Plus Additional Dangerous Detected Failure of Processor or Pulse Input Module on 2 nd Leg State 41 Repairable Fail
-to-Function State Due to Dangerous Undetected Failure of a Pulse Input Circuit Plus Additional Dangerous Detected Failure of Processor or Pulse Input Module on 2 nd Leg State 42 Not used (reserved for addition of an I/O module) State 43 Not used (reserved for addition of an I/O module) State 44 Final Absorbing Fail-to-Function State Due to Dangerous Undetected Failures on Two Legs
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 55 of 83 Date: 10/11/13 Calculation of PFDavg for Low Demand Mode PFD = ( 12 223 + 13 324 + 14 425 + 15 526 + 16 627 + 17 728 + 18 829 + 19 930 + 110 1031 + 111 1132 + 112 1233 +113 1334 +114 1435 + 115 1536 +116 1637 + 117 1738 + 118 1839 + 119 1940 +120 2041 +121 2142 + 122 2243)MTTRt + 1 44t + (11 144 +12 244+ 13 344+14 444+15 544+16 644+17 744 +18 844+ 1 9 944+ 1 10 1044+ 1 11 1144+ 1 12 1244+ 1 13 1344+ 1 14 1444 + 1 15 1544+ 1 16 1644+ 1 17 1744+ 1 18 1844+ 1 19 1944+120 2044+ 1 212144 + 1 22 2244)t 2/2
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 56 of 83 Date: 10/11/13 Equations for Failure Rates in TRICON V10.5 Fail-to-Function Markov Model for High Demand Modes with Repair of Dangerous Detected Failures 12 = 3*nsf*FR_IP_DU 13 = 3*nsf*ndipts*FR_IC_DU 14 = 3*nasf*FR_AIP_DU 15 = 3*nasf*ndaipts*FR_AIC_DU 16 = 3*niaisf*FR_IAIP_DU 17 = 3*niaisf*niaipts*FR_IAIC_DU 18 = 3*masf*FR_AOP_DU 19 = 0 110 = 3*FR_MP_DU 111 = 3*msf*FR_OP_DU 112 = 4*msf*ndopts*FR_OC_DU 113 = 3*mhvsf*FR_HVOP_DU 114 = 4*mhvsf*nhvdopts*FR_HVOC_DU 115 = 3*nhdsf*FR_HDIP_DU 116 = 3*nhdsf*nhddipts*FR_HDIC_DU 117 = 3*nahdsf*FR_HDAIP_DU 118 = 3*nahdsf*nhdaipts*FR_HDAIC_DU 119 = 3*npsf*FR_PIP_DU 120 = 3*npsf*npipts*FR_PIC_DU
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 57 of 83 Date: 10/11/13 Equations for Failure Rates in TRICON V10.5 Fail-to-Function Markov Model for High Demand Modes with Repair of Dangerous Detected Failures (Continued) 144 = Beta*ccf3legs*(FR_MP_DU + nsf
- FR_ISF_DU + nhdsf*FR_HDISF_DU + nasf
- FR_AISF_DU + nahdsf*FR_HDAISF_DU + niaisf
- FR_IAISFS_DU + maosf*FR_AO_DU + msf*FR_OSF_DU + mhvsf*FR_HVOSF_DU+
npsf*FR_PISF_DU) +
BetaD*ccf3legs*(FR_MP_DD + nsf
- FR_ISF_DD + nhdsf*FR_HDISF_DD + nasf
- FR_AISF_DD + nahdsf*FR_HDAISF_DD + niaisf
- FR_IAISFS_DD + maosf*FR_AO_DD+ msf*FR_OSF_DD + mhvsf*FR_HVOSF_DD
+ npsf*FR_PISF_DD) 223 = 2* (FR_MP_DD + FR_ISF_DD) 244 = 2* (FR_MP_DU + FR_ISF_DU) 324 = 2*(FR_MP_DD + FR_IP_DD + FR_IC_DD) 344 = 2*(FR_MP_DU + FR_IP_DU + FR_IC_DU) 425 = 2*(FR_MP_DD + FR_AISF_DD) 444 = 2*(FR_MP_DU + FR_AISF_DU) 526 = 2*(FR_MP_DD + FR_AIP_DD + FR_AIC_DD) 544 = 2*(FR_MP_DU + FR_AIP_DU + FR_AIC_DU) 627 = 2*(FR_MP_DD + FR_IAISF_DD) 644 = 2*(FR_MP_DU + FR_IAISF_DU) 728 = 2*(FR_MP_DD + FR_IAIP_DD + FR_IAIC_DD) 744 = 2*(FR_MP_DU + FR_IAIP_DU + FR_IAIC_DU) 829 = 2*(FR_MP_DD + FR_AO_DD) 844 = 2*(FR_MP_DU + FR_AO_DU)
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 58 of 83 Date: 10/11/13 Equations for Failure Rates in TRICON V10.5 Fail-to-Function Markov Model for High Demand Modes with Repair of Dangerous Detected Failures (Continued) 930 = 0 944 = 0 1031 = 2*(FR_MP_DD + nsf
- FR_ISF_DD + nasf
- FR_AISF_DD + niaisf*FR_IAISF_DD + maosf
- FR_AO_DD + msf
- FR_OSF_DD + mhvsf*FR_HVOSF_DD + nhdsf
- FR_HDISF_DD + nahdsf*FR_HDAISF_DD+ npsf
- FR_PISF_DD) 1044 = 2*(FR_MP_DU + nsf
- FR_ISF_DU + nasf
- FR_AISF_DU + niaisf*FR_IAISF_DU + maosf
- FR_AO_DU + msf
- FR_OSF_DU + mhvsf*FR_HVOSF_DU + nhdsf
- FR_HDISF_DU + nahdsf*FR_HDAISF_DU+ npsf*FR_PISF_DU) 1132 = 2*(FR_MP_DD + FR_OSF_DD) 1144 = 2*(FR_MP_DU + FR_OSF_DU) 1233 = 2*(FR_MP_DD + FR_OP_DD + FR_OC_DD) 1244 = 2*(FR_MP_DU + FR_OP_DU + FR_OC_DU) 1334 = 2*(FR_MP_DD + FR_HVOSF_DD) 1344 = 2*(FR_MP_DU + FR_HVOSF_DU) 1435 = 2*(FR_MP_DD + FR_HVOP_DD + FR_HVOC_DD) 1444 = 2*(FR_MP_DU + FR_HVOP_DU + FR_HVOC_DU) 1536 = 2* (FR_MP_DD + FR_HDISF_DD) 1544 = 2* (FR_MP_DU + FR_HDISF_DU) 1637 = 2*(FR_MP_DD + FR_HDIP_DD + FR_HDIC_DD) 1644 = 2*(FR_MP_DU + FR_HDIP_DU + FR_HDIC_DU) 1738 = 2*(FR_MP_DD + FR_HDAISF_DD)
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 59 of 83 Date: 10/11/13 Equations for Failure Rates in TRICON V10.5 Fail-to-Function Markov Model for High Demand Modes with Repair of Dangerous Detected Failures (Continued) 1744 = 2*(FR_MP_DU + FR_HDAISF_DU) 1839 = 2*(FR_MP_DD + FR_HDAIP_DD + FR_HDAIC_DD) 1844 = 2*(FR_MP_DU + FR_HDAIP_DU + FR_HDAIC_DU) 1940 = 2*(FR_MP_DD + FR_PISF_DD) 1944 = 2*(FR_MP_DU + FR_PISF_DU) 2041 = 2*(FR_MP_DD + FR_PIP_DD + FR_PIC_DD) 2044 = 2*(FR_MP_DU + FR_PIP_DU + FR_PIC_DU) 232 = 243 = 254 = 265 = 276 = 287 = MU_OT 298 = 309 = 3110 = 3211 = 3312 = 3413 = 3514 = MU_OT 3615 = 3716 = 3817 = 3918 = 4019 = 4120 = 4221 = 4322 = MU_OT
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 60 of 83 Date: 10/11/13 Equations for Failure Rates in TRICON V10.5 Fail-to-Function Markov Model for Continuous and Very High Demand Modes with No Repair of Dangerous Detected Failures For Continuous and Very High Demand Mode there is No Repair and Hence the States 23 through 43 are Not Used.
12C = 3*nsf*FR_IP_D 13C = 3*nsf*ndipts*FR_IC_D 14C = 3*nasf*FR_AIP_D 15C = 3*nasf*ndaipts*FR_AIC_D 16C = 3*niaisf*FR_IAIP_D 17C = 3*niaisf*niaipts*FR_IAIC_D 18C = 3*masf*FR_AOP_D 19C = 0 110C = 3*FR_MP_D 111C = 3*msf*FR_OP_D 112C = 4*msf*ndopts*FR_OC_D 113C = 3*mhvsf*FR_HVOP_D 114C = 4*mhvsf*nhvdopts*FR_HVOC_D 115C = 3*nhdsf*FR_HDIP_D 116C = 3*nhdsf*nhddipts*FR_HDIC_D 117C = 3*nahdsf*FR_HDAIP_D 118C = 3*nahdsf*nhdaipts*FR_HDAIC_D 119C = 3*npsf*FR_PIP_D 120C = 3*npsf*npipts*FR_PIC_D 121C = 0 122C = 0
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 61 of 83 Date: 10/11/13 Equations for Failure Rates in TRICON V10.5 Fail-to-Function Markov Model for Continuous and Very High Demand Modes with No Repair of Dangerous Detected Failures (Continued) 144C = Beta*ccf3legs*(FR_MP_DU + nsf
- FR_ISF_DU + nhdsf*FR_HDISF_DU
+ nasf*FR_AISF_DU + nahdsf*FR_HDAISF_DU + niaisf
- FR_IAISFS_DU + maosf*FR_AO_DU + msf
- FR_OSF_DU + mhvsf
- FR_HVOSF_DU
+ npsf*FR_PISF_DU) + BetaDccf3legs* (FR_MP_DD +
nsf*FR_ISF_DD + nhdsf
- FR_HDISF_DD + nasf
- FR_AISF_DD + nahdsf*FR_HDAISF_DD + niaisf
- FR_IAISFS_DD + maosf*FR_AO_DD + msf
- FR_OSF_DD + mhvsf
- FR_HVOSF_DD + npsf*FR_PISF_DD) 244C = 2* (FR_MP_D + FR_ISF_DU+ FR_ISF_DD) 344C = 2*(FR_MP_D + FR_IP_D + FR_IC_D) 444C = 2*(FR_MP_D + FR_AISF_DU + FR_AISF_DD) 544C = 2*(FR_MP_D + FR_AIP_D + FR_AIC_D) 644C = 2*(FR_MP_D + FR_IAISF_DU + FR_IAISF_DD) 744C = 2*(FR_MP_D + FR_IAIP_D + FR_IAIC_D) 844C = 2*(FR_MP_D + FR_AO_D) 944C = 0 1044C = 2*(FR_MP_D + nsf
- FR_ISF_DU + nasf
- FR_AISF_DU + niaisf*FR_IAISF_DU + maosf
- FR_AO_DU + msf
- FR_OSF_DU + mhvsf*FR_HVOSF_DU + nhdsf
- FR_HDISF_DU + nahdsf*FR_HDAISF_DU+ npsf
- FR_PISF_DU nsf
- FR_ISF_DD + nasf*FR_AISF_DD + niaisf
- FR_IAISF_DD + maosf
- FR_AO_DD + msf*FR_OSF_DD + mhvsf
- FR_HVOSF_DD + nhdsf*FR_HDISF_DD + nahdsf
- FR_HDAISF_DD+ npsf*FR_PISF_DD)
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 62 of 83 Date: 10/11/13 Equations for Failure Rates in TRICON V10.5 Fail-to-Function Markov Model for Continuous and Very High Demand Modes with No Repair of Dangerous Detected Failures (Continued) 1144C = 2*(FR_MP_D + FR_OSF_DU + FR_OSF_DD) 1244C = 2*(FR_MP_D + FR_OP_D + FR_OC_D) 1344C = 2*(FR_MP_D + FR_HVOSF_DU+ FR_HVOSF_DD )
1444C = 2*(FR_MP_D + FR_HVOP_D + FR_HVOC_D) 1544C = 2* (FR_MP_D + FR_HDISF_DU + FR_HDISF_DD) 1644C = 2*(FR_MP_D + FR_HDIP_D + FR_HDIC_D) 1744C = 2*(FR_MP_D + FR_HDAISF_DU + FR_HDAISF_DD) 1844C = 2*(FR_MP_D + FR_HDAIP_D + FR_HDAIC_D) 1944C = 2*(FR_MP_D + FR_PISF_DU+ FR_PISF_DD) 2044C = 2*(FR_MP_D + FR_PIP_D + FR_PIC_D) 2144C = 0 2244C = 0 232 = 243 = 254 = 265 = 276 = 287 = 0 298 = 309 = 3110 = 3211 = 3312 = 3413 = 3514 = 0 3615 = 3716 = 3817 = 3918 = 4019 = 4120 = 4221 = 4322 = 0
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 63 of 83 Date: 10/11/13 Definition of Terms nsf = Number of 32 Point Digital Input Modules for Largest Safety Function ndipts = Number of Digital Input Points per Module for Largest Safety Function nhdsf = Number of 64 Point HD Digital Input Modules for Largest Safety Function nhddipts = Number of HD Digital Input Points per Module for Largest Safety Function nasf = Number of 32 Point Diff. Analog Input Modules for Largest Safety Function ndaipts = Number of Diff. Analog Input Points per Module for Largest Safety Function nahdsf = Number of 64 Point HD Analog Input Modules for Largest Safety Function nhdaipts = Number of HD Analog Input Points per Module for Largest Safety Function niaisf = Number of 16 Point Isolated Analog Input Modules for Largest Safety Function niaipts = Number of Isolated Analog Input Points per Module for Largest Safety Function msf = Number of 32 Point 24 VDC Digital Output Modules for Largest Safety Function ndopts = Number of 24 VDC Digital Output Points per Module for Largest Safety Function mhvsf = Number of 16 Point 115 VAC Digital Output Modules for Largest Safety Function nhvdopts = Number of 115 VAC Digital Output Points per Module for Largest Safety Function maosf = Number of Analog Output Modules for Largest Safety Function npsf = Number of Pulse Input Modules for Largest Safety Function npipts = Number of Pulse Input Points per Module for Largest Safety Function nic = Number of Input Points on Digital Input and Analog Input Modules (32 points) nhdic = Number of Input Points on High Density DI and AI Modules (64 points) niaic = Number of Input Points on Isolated Analog Input Modules (16 points) noc = Number of Output Points on 115 VAC Digital Output Modules (16 points) nhdoc = Number of Output Points on 24 VDC Digital Output Modules (32 points) npc = Number of Pulse Input Points on Pulse Input Modules (8 points)
FR_AI = Failure Rate of a Diff. Analog Input Module Leg FR_AISF= Failure Rate of a Diff. Analog Input Module with Input Circuits for Largest Safety Function FR_AI_DU =
Dangerous Undetected Failure Rate of a Diff. Analog Input Module Leg FR_AI_DD =
Dangerous Detected Failure Rate of a Diff. Analog Input Module Leg FR_AIP = Failure Rate of a Diff. Analog Input Module Common Processing Circuit FR_AIP_DU =
Dangerous Undetected Failure Rate of an Analog Input Module Common Processing Circuit FR_AIC = Failure Rate of a Diff. Analog Input Circuit FR_AIC_DU =
Dangerous Undetected Failure Rate of a Diff. Analog Input CircuitFR_AOP = Failure Rate of a Diff. Analog Output Module Common Processing Circuit FR_AOP_DD = Dangerous Detected Failure Rate of an Analog Output Module Common Processing Circuit
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 64 of 83 Date: 10/11/13 FR_AOP_DU = Dangerous Undetected Failure Rate of an Analog Output Module Common Processing Circuit FR_HDAI =
Failure Rate of a High Density Analog Input Module Leg FR_HDAISF = Failure Rate of a High Density Analog Input Module with Input Circuits for Largest Safety Function FR_HDAI_DU = Dangerous Undetected Failure Rate of a High Density Analog Input Module Leg FR_HDAI_DD =
Dangerous Detected Failure Rate of a High Density Analog Input Module Leg FR_HDAIP = Failure Rate of a High Density Analog Input Module Common Processing Circuit FR_HDAIP_DU Dangerous Undetected Failure Rate of a High Density Analog Input Module Common Processing Circuit FR_HDAIC = Failure Rate of a High Density Analog Input Circuit FR_HDAIC_DD Dangerous Undetected Failure Rate of a High Density Analog Input Circuit FR_HDI = Failure Rate of a High Density Digital Input Module Leg FR_HDISF =
Failure Rate of a High Density Digital Input Module with Input Circuits for Largest Safety Function FR_HDI_DU = Dangerous Undetected Failure Rate of a High Density Digital Input Module Leg FR_HDI_DD =
Dangerous Detected Failure Rate of a High Density Digital Input Module Leg FR_HDIP = Failure Rate of a High Density Digital Input Module Common Processing Circuit FR_HDIP_DU = Dangerous Undetected Failure Rate of a High Density Digital Input Module Common Processing Circuit FR_HDIC =
Failure Rate of a High Density Digital Input Circuit FR_HDIC_DU =
Dangerous Undetected Failure Rate of a High Density Digital Input Circuit FR_HVO = Failure Rate of a 115 VAC Digital Output Module Leg FR_HVOSF = Failure Rate of a 115 VAC Digital Output Module with Output Circuits for Largest Safety Function FR_HVO_DU = Dangerous Undetected Failure Rate of a 115 VAC Digital Output Module Leg FR_HVO_DD = Dangerous Detected Failure Rate of a 115 VAC Digital Output Module Leg FR_HVOP = Failure Rate of a 115 VAC Digital Output Module Common Processing Circuit FR_HVOP_DU Dangerous Undetected Failure Rate of a 115 VAC Digital Output Module Common Processing Circuit FR_HVOC =
Failure Rate of a 115 VAC Digital Output Switch FR_HVOC_DU Dangerous Undetected Failure Rate of a 115 VAC Digital Output Switc h FR_IAI = Failure Rate of an Isolated Analog Input Module Leg FR_IAISF = Failure Rate of an Isolated Analog Input Module with Input Circuits for Largest Safety Function FR_IAI_DU = Dangerous Undetected Failure Rate of an Isolated Analog Input Module Leg FR_IAI_DD =
Dangerous Detected Failure Rate of an Isolated Analog Input Module Leg FR_IAIP = Failure Rate of an Isolated Analog Input Module Common Processing Circuit FR_IAIP_DU = Dangerous Undetected Failure Rate of an Isolated Analog Input Module Common Processing Circuit FR_IAIC = Failure Rate of an Isolated Analog Input Module Input Circuit
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 65 of 83 Date: 10/11/13 FR_IAIC_DU =
Dangerous Undetected Failure Rate of an Isolated Analog Input Circuit FR_I = Failure Rate of a 24 VDC Digital Input Module Leg FR_ISF = Failure Rate of a 24 VDC Digital Input Module with Input Circuits for Largest Safety Function FR_I_DU = Dangerous Undetected Failure Rate of a 24 VDC Input Module Leg FR_I_DD =
Dangerous Detected Failure Rate of a 24 VDC Input Module Leg FR_IP = Failure Rate of a 24 VDC Input Module Common Processing Circuit FR_IP_DU = Dangerous Undetected Failure Rate of a 24 VDC Input Module Common Processing Circuit FR_IC = Failure Rate of a 24 VDC Digital Input Circuit FR_IC_ DU =
Dangerous Undetected Failure Rate of a 24 VDC Input Circuit FR_MP = Failure Rate of a Main Processor FR_MP_DD =
Dangerous Detected Failure Rate of a Main Processor FR_MP_DU =
Dangerous Undetected Failure Rate of a Main Processor FR_O = Failure Rate of a 24 VDC Digital Output Module Leg FR_OSF = Failure Rate of a 24 VDC Digital Output Module with Output Circuits for Largest Safety Function FR_O_DU =
Dangerous Undetected Failure Rate of a 24 VDC Digital Output Module Leg FR_O_DD = Dangerous Detected Failure Rate of a 24 VDC Digital Output Module Leg FR_OP = Failure Rate of a 24 VDC Digital Output Module Common Processing Circuit FR_OP_DU = Dangerous Undetected Failure Rate of a 24 VDC Digital Output Module Common Processing Circuit FR_OC = Failure Rate of a 24 VDC Digital Output Switch FR_OC_DU = Dangerous Undetected Failure Rate of a 24 VDC Digital Output Switch FR_PI = Failure Rate of a Pulse Input Module Leg FR_PISF = Failure Rate of a Pulse Input Module with Input Circuits for Largest Safety Function FR_PI_DU = Dangerous Undetected Failure Rate of a Pulse Input Module Leg FR_PI_DD = Dangerous Detected Failure Rate of a Pulse Input Module Leg FR_PIP = Failure Rate of a Pulse Input Module Common Processing Circuit FR_PIP_DU =
Dangerous Undetected Failure Rate of a Pulse Input Module Common Processing Circuit FR_PIC =
Failure Rate of a Pulse Input Circuit FR_PIC_ DU =
Dangerous Undetected Failure Rate of a Pulse Input Circuit Beta = Common Cause Factor for Dangerous Undetected Failures (0.015 or 1.5%) ccf3legs Fraction of Common Cause Failures that affect all 3 Tricon legs (0.25)
BetaD = Common Cause Factor for Dangerous Detected Failures (0.005 or 0.5%)
FR_ISF_DD = FR_IP_DD + ndipts
- FR_IC_DD FR_ISF_DU = FR_IP_DU + ndipts
- FR_IC_DU
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 66 of 83 Date: 10/11/13 FR_AISF_DD =
FR_AIP_DD + naipts
- FR_AIC_DD FR_AISF_DU =
FR_AIP_DU + naipts
- FR_AIC_DU FR_IAI SF_DD= FR_IAIP_DD + niaipts
- FR_IAIC_DD FR_IAI SF_DU= FR_IAIP_DU + niaipts
- FR_IAIC_DU FR_OSF_DD =
FR_OP_DD + 4/3
- ndopts*FR_OC_DD, 4/3 for quad output voter. FR_OSF_DU =
FR_OP_DU + 4/3
- ndopts*FR_OC_DU, 4/3 for quad output voter. FR_HVOSF_DD =
FR_HVOP_DD + 4/3
- nhvdopts*FR_HVOC_DD, 4/3 for quad output voter. FR_HVOSF_DU =
FR_HVOP_DU + 4/3
- nhvdopts*FR_HVOC_DU, 4/3 for quad output voter FR_AO = FR_AOP, FR_AOC can be ignored because the output circuit failure rate is very small due to the triplicated DACs in each output circuit.
FR_HDAISF_DD = FR_HDAIP_DD + nhdaipts
- FR_HDAIC_DD FR_HDAISF_DU = FR_HDAIP_DU + nhdaipts
- FR_HDAIC_DU FR_HDISF_DD = FR_HDIP_DD + nhddipts
- FR_HDIC_DD FR_HDISF_DU = FR_HDIP_DU + nhddipts
- FR_HDIC_DU FR_PISF_DD =
FR_PIP-DD + npipts
- FR_PIC_DD FR_PISF_DU =
FR_PIP-DU + npipts
- FR_PIC_DU
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 67 of 83 Date: 10/11/13 MEAN TIME TO FAILURE - SPURIOUS CALCULATIONS USING TRICON Version 10.5 FAIL
-SAFE MARKOV MODEL The Fail Safe Markov Model for the TRICON Version 10.5 is shown in Figure A2. It should be noted that the Markov states 1 D , 1 U , 2 D , 2 U ,-,N D , N U are intermediate states where one safe failure has occurred but since the TRICON has three legs a second safe failure must occur before the system is in the fail safe state (state 0). It should also be noted that states 1 D , 2 D ,..,N D are for detected safe failures that are repaired on
-line with repair rate OT. States 1 U , 2 U,.., N U are for undetected safe failures that are repaired during periodic off
-line testing with a repair rate PT. The Markov Model can be simplified by using the total safe failure rates of the subsystems and an effective repair rate i of the subsystems. This simplified model is shown in Figure A3. There is a closed form solution for MTTFspurious when the Markov Model is of the form shown in Figure A3. The equation for MTTFspurious is as follows:
Where i is the first subsystem failure to an intermediate (derated) state, i is the failure rate from the derated state i to the fail safe state, i is the effective repair rate of subsystems in the derated state. The expression 1/( i+ i) in the MTTFspurious equation can be computed using the following equation: 1/( i+ i) = C i/( OT+ i) + (1-C i) /( PT+ i) Where C i is the diagnostic coverage for the subsystem.
Figure A4 - Part 1, Figure A4 - Part 2 and Figure A4 - Part 3 show the Fail Safe Markov Model for the TRICON Version 10.5 TMR Controller. Subsequent sections of the document contain the equations for the expressions in the Fail Safe Markov Model. The last section of the document contains a definition of terms. The MTTFspurious calculations for the TRICON i iii n i i i i n i+++1=usMTTFspurio1 1
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 68 of 83 Date: 10/11/13 Version 10.5 are in an EXCEL spreadsheet TRICONV10.5_1110. The results of the MTTFspurious calculations are shown on Sheet 3 of the spreadsheet.
Figure A2: Generic Fail-Safe Markov Model Using Detected and Undetected Safe Failure Rates
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 69 of 83 Date: 10/11/13 Figure A3: Generic Fail-Safe Markov Model Using Total Safe Failure Rates
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 70 of 83 Date: 10/11/13 Figure A4 - Part 1: Fail-Safe Markov Model for TRICON Version 10.5 TMR Controller
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 71 of 83 Date: 10/11/13 Figure A4 - Part 2: Fail-Safe Markov Model For TRICON Version 10.5 TMR Controller
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 72 of 83 Date: 10/11/13 Figure A4 - Part 3: Fail-Safe Markov Model for TRICON Version 10.5 TMR Controller
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 73 of 83 Date: 10/11/13 Fail-Safe Markov Model States for TRICON Version 10.5 TMR Controller State 0 Fail Safe State (False Trip) Due to Safe Failures on Two Legs State 1 Safe Failure of a Digital Input Common Processing Circuit State 2 Safe Failure of a Digital Input Circuit State 3 Safe Failure of a High Density Digital Input Common Processing Circuit State 4 Safe Failure of a High Density Digital Input Circuit State 5 Safe Failure of an Analog Input Common Processing Circuit State 6 Safe Failure of an Analog Input Circuit State 7 Safe Failure of a High Density Analog Input Common Processing Circuit State 8 Safe Failure of a High Density Analog Input Circuit State 9 Safe Failure of an Isolated Analog Input Common Processing Circuit State 10 Safe Failure of an Isolated Analog Input Circuit State 11 Safe Failure of an Analog Output Common Processing Circuit State 12 Not Used State 13 Safe Failure of a 24 VDC Digital Output Common Processing Circuit State 14 Safe Failure of a 24 VDC Digital Output Switch State 15 Safe Failure of a 115 VAC Digital Output Common Processing Circuit State 1 6 Safe Failure of a 115 VAC Digital Output Switch State 17 Safe Failure of a Main Processor State 18 Safe Failure of a Power Supply State 19 Safe Failure of a Pulse Input Common Processing Circuit State 20 Safe Failure of a Pulse Input Circuit State 22 No Failures (Initial State after Complete Repair)
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 74 of 83 Date: 10/11/13 Equations for Failure Rates in TRICON V10.5 Fail-Safe Markov Model 1 = 3*n*FR_IP_S 2 = 3*n*nic*FR_IC_S 3 = 3*nhd*FR_HDIP_S 4 = 3*nhd*nhdic*FR_HDIC_S 5 = 3*na*FR_AIP_S 6 = 3*na*nic*FR_AIC_S 7 = 3*nahd*FR_HDAIP_S 8 = 3*nahd*nhdic*FR_HDAIC_S 9 = 3*niai*FR_IAIP_S 10 = 3*niai*niaic*FR_IAIC_S 11 = 3*mao*FR_AOP_S 12 = 0 13 = 3*m*FR_OP_S 14 = 4*m*nhdoc*FR_OC_S 15 = 3*mhv*FR_HVOP_S 16 = 4*mhv*noc*FR_HVOC_S 17 = 3*FR_MP_S 18 = 2*l*FR_PS_S 19 = 3*np*FR_PIP_S 20 = 3*np*npc*FR_PIC_S 21 = Beta*ccf3legs* (FR_MP_SU + n
- FR_I_SU + nhd
- FR_HDI_SU + na
- FR_AI_SU + nahd*FR_HDAI_SU + niai
- FR_IAI_SU+ mao
- FR_AOP_SU + m
- FR_O_SU + mhv*FR_HVO_SU + np
- FR_PI_SU) +Beta*ccf3legs*((FR_MP - FR_MP_DU - FR_MP_SU)
+ n*(FR_I - FR_I_DU - FR_I_SU) + nhd*(FR_HDI-FR_HDI_DU-FR_HDI_SU)
+ na*(FR_AI - FR_AI_DU - FR_AI_SU) + nahd*(FR_HDAI - FR_HDAI_DU - FR_HDAI_SU)
+ niai*(FR_IAI - FR_IAI_DU - FR_IAI_SU)
+ m*(FR_O - FR_O_DU - FR_O_SU) + mhv*(FR_HVO - FR_HVO_DU - FR_HVO_SU) + np
- (FR_PI - FR_PI_DU - FR_PI_SU) + mao*(FR_AOP - FR_AOP_DU - FR_AOP_SU)) + Beta
- l*FR_PS_S 1 = 2*(FR_MP_S + FR_I_S) 2 = 2*(FR_MP_S + FR_IP_S + FR_IC_S) 3 = 2*(FR_MP_S + FR_HDI_S) 4 = 2*(FR_MP_S + FR_HDIP_S + FR_HDIC_S)
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 75 of 83 Date: 10/11/13 5 = 2*(FR_MP_S + FR_AI_S) 6 = 2*(FR_MP_S + FR_AIP_S + FR_AIC_S) 7 = 2*(FR_MP_S + FR_HDAI_S) 8 = 2*(FR_MP_S + FR_HDAIP_S + FR_HDAIC_S) 9 = 2*(FR_MP_S + FR_IAI_S) 10 = 2*(FR_MP_S + FR_IAIP_S + FR_IAIC_S) 11 = 2*(FR_MP_S + FR_AOP_S) 12 = 0 13 = 2*(FR_MP_S + FR_OP_S) + 5/3
- nhdoc*FR_OC_S 14 = 5/4*(FR_MP_S + FR_OP_S) + FR_OC_S 15 = 2*(FR_MP_S + FR_HVOP_S) + 5/3
- noc*FR_HVOC_S 16 = 5/4*(FR_MP_S + FR_HVOP_S) + FR_HVOC_S 17 = 2*(FR_MP_S + n
- FR_I_S + nhd
- FR_HDI_S + na
- FR_AI_S + nahd*FR_HDAI_S
+ niai*FR_IAI_S + mao
- FR_AOP_S + m
- FR_O_S+ mhv
- FR_HVO_S + np*FR_PI_S) 18 = FR_PS_S 19 = 2*(FR_MP_S + FR_PI_S) 20 = 2*(FR_MP_S + FR_PIP_S + FR_PIC_S)
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 76 of 83 Date: 10/11/13 FR_I = FR_IP + nic
- FR_IC, FR_AI = FR_AIP + nic
- FR_AIC FR_HDI = FR_HDIP + nhdic
- FR_HDIC, FR_HDAI = FR_HDAIP + nhdic
- FR_HDAIC FR_IAI = FR_IAIP + niaic
- FR_IAIC FR_O = FR_OP + 4/3
- nhdoc*FR_OC, Factor of 4/3 is because of quad output voter. FR_HVO = FR_HVOP + 4/3
- noc*FR_HVOC, Factor of 4/3 is because of quad output voter. FR_AO = FR_AOP, FR_AOC can be ignored because of 3 DACs per point. FR_PI = FR_PIP + npc
- FR_PIC 1/( i+ i) Term in the MTTFspurious Equation 1/( 1E+ 1) = C 1/( OT+ 1) + (1-C 1) /( PT+ 1) 1/( 2E+ 2) = C 2/( OT+ 2) + (1-C 2) /( PT+ 2) 1/( 3E+ 3) = C 3/( OT+ 3) + (1-C 3) /( PT+ 3) 1/( 4E+ 4) = C 4/( OT+ 4) + (1-C 4) /( PT+ 4) 1/( 5E+ 5) = C 5/( OT+ 5) + (1-C 5) /( PT+ 5) 1/( 6E+ 6) = C 6/( OT+ 6) + (1-C 6) /( PT+ 6) 1/( 7E+ 7) = C 7/( OT+ 7) + (1-C 7) /( PT+ 7) 1/( 8E+ 8) = C 8/( OT+ 8) + (1-C 8) /( PT+ 8) 1/( 9E+ 9) = C 9/( OT+ 9) + (1-C 9) /( PT+ 9) 1/( 10E+ 10) = C10/( OT+ 10) + (1-C 10) /( PT+ 10) 1/( 11E+ 11) = C11/( OT+ 11) + (1-C 11) /( PT+ 11) 1/( 12E+ 12) = C12/( OT+ 12) + (1-C 12) /( PT+ 12) 1/( 13E+ 13) = C13/( OT+ 13) + (1-C 13) /( PT+ 13) 1/( 14E+ 14) = C14/( OT+ 14) + (1-C 14) /( PT+ 14) 1/( 15E+ 15) = C15/( OT+ 15) + (1-C 15) /( PT+ 15) 1/( 16E+ 16) = C16/( OT+ 16) + (1-C 16) /( PT+ 16) 1/( 17E+ 17) = C17/( OT+ 17) + (1-C 17) /( PT+ 17) 1/( 18E+ 18) = C18/( OT+ 18) + (1-C 18) /( PT+ 18) 1/( 19E+ 19) = C19/( OT+ 19) + (1-C 19) /( PT+ 19) 1/( 20E+ 20) = C20/( OT+ 20) + (1-C 20) /( PT+ 20) C 1 = C_IP_S, C 2 = C_IC_S, C 3 = C_HDIP_S, C 4 = C_HDIC_S C 5 = C_AIP_S, C 6 = C_AIC_S, C 7 = C_HDAIP_S, C 8 = C_HDAIC_S C 9 = C_IAIP_S, C 10 = C_IAIC_S, C 11 = C_AOP_S, C 12 = 0 C 13 = C_OP_S, C 14 = C_OC_S, C 15 = C_HVOP_S, C 16 = C_HVOC_S C 17 = C_MP_S, C 18 = C_PS_S, C 19 = C_PIP_S, C 20 = C_PIC_S
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 77 of 83 Date: 10/11/13 Definition of Markov Model Terminology l = Number of Redundant Power Supply Modules (= Number of Chassis) m = Number of NG 24 VDC Digital Output Modules mao = Number of Analog Output Modules mhv = Number of 115 VAC Digital Output Modules n = Number of 24 VDC Digital Input Modules nhd = Number of High Density Digital Input Modules na = Number of NG Diff. Analog Input Modules nahd = Number of NG High Density Analog Input Modules niai = Number of Isolated Analog Input Modules np = Number of Pulse Input Modules
nic = Number of Input Points on Digital Input and Analog Input Modules (32 points) nhdic = Number of Input Points on High Density Modules (64 points) niaic = Number of Input Points on Isolated Analog Input Modules (16 points) noc = Number of Output Points on 115 VAC Digital Output Modules (16 points) nhdoc= Number of Output Points on NG 24 VDC Digital Output Modules (16 points) npc = Number of Input Points on Pulse Input Module (8 points)
FR_AI = Failure Rate of an Analog Input Module Leg FR_AI_DU = Dangerous Undetected Failure Rate of an Analog Input Module Leg FR_AI_SU = Safe Undetected Failure Rate of an Analog Input Module Leg FR_AI_S = Safe Failure Rate of an Analog Input Module Leg FR_AIP_S = Safe Failure Rate of an Analog Input Module Common Processing Circuit FR_AIC_S =
Safe Failure Rate of an Analog Input CircuitFR_AOP = Failure Rate of an Analog Output Module Leg FR_AOP_DU = Dangerous Undetected Failure Rate of an Analog Output Module Leg FR_AOP_SU =
Safe Undetected Failure Rate of an Analog Output Module Leg FR_AOP_S =
Safe Failure Rate of an Analog Output Module Common Processing Circuit FR_HDAI = Failure Rate of a High Density Analog Input Module Leg FR_HDAI_DU = Dangerous Undetected Failure Rate of a High Density Analog Input Module Leg FR_HDAI_SU =
Safe Undetected Failure Rate of a High Density Analog Input Module Leg FR_HDAI_S =
Safe Failure Rate of a High Density Analog Input Module Leg FR_HDAIP_S = Safe Failure Rate of a High Density Analog Input Module Common Processing Circuit FR_HDAIC_S =
Safe Failure Rate of a High Density Analog Input Circuit FR_HDI = Failure Rate of a High Density Digital Input Module Leg FR_HDI_DU = Dangerous Undetected Failure Rate of a High Density Digital Input Module Leg FR_HDI_SU =
Safe Undetected Failure Rate of a High Density Digital Input Module Leg FR_HDI_S = Safe Failure Rate of a High Density Digital Input Module Leg FR_HDIP_S =
Safe Failure Rate of a High Density Digital Input Module Common Processing Circuit FR_HDIC_S =
Safe Failure Rate of a High Density Digital Input Circuit FR_HVO = Failure Rate of a 115 VAC Digital Output Module Leg FR_HVO_DU = Dangerous Undetected Failure Rate of a 115 VAC Digital Output Module Leg
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 78 of 83 Date: 10/11/13 FR_HVO_SU =
Safe Undetected Failure Rate of a 115 VAC Digital Output Module Leg FR_HVO_S =
Safe Failure Rate of a 115 VAC Digital Output Module Leg FR_HVOP_S = Safe Failure Rate of a 115 VAC Digital Output Module Common Processing Circuit FR_HVOC_S = Safe Failure Rate of a 115 VAC Digital Output Switch FR_IAI = Failure Rate of an Isolated Analog Input Module Leg FR_IAI_DU = Dangerous Undetected Failure Rate of an Isolated Analog Input Module Leg FR_IAI_SU = Safe Undetected Failure Rate of an Isolated Analog Input Module Leg FR_IAI_S =
Safe Failure Rate of an Isolated Analog Input Module Leg FR_IAIP_S =
Safe Failure Rate of an Isolated Analog Input Module Common Processing Circuit FR_IAIC_S =
Safe Failure Rate of an Isolated Analog Input Circuit FR_I_DU = Dangerous Undetected Failure Rate of a 24 VDC Input Module Leg FR_I_SU = Safe Undetected Failure Rate of a 24 VDC Input Module Leg FR_I_S = Safe Failure Rate of a 24 VDC Input Module Leg FR_IP_S = Safe Failure Rate of a 24 VDC Input Module Common Processing Circuit FR_I = Failure Rate of a 24 VDC Input Module Leg FR_IC_ S = Safe Failure Rate of a 24 VDC Input Circu it FR_MP = Failure Rate of a Main Processor FR_MP_S =
Safe Failure Rate of a Main Processor FR_MP_SU =
Safe Undetected Failure Rate of a Main Processor FR_MP_DU =
Dangerous Undetected Failure Rate of a Main Processor FR_O = Failure Rate of a 24 VDC Digital Output Module Leg FR_O_DU = Dangerous Undetected Failure Rate of a 24 VDC Digital Output Module Leg FR_O_SU =
Safe Undetected Failure Rate of a 24 VDC Digital Output Module Leg FR_O_S = Safe Failure Rate of a 24 VDC Digital Output Module Leg FR_OP_S =
Safe Failure Rate of a 24 VDC Digital Output Module Common Processing Circuit FR_OC_S =
Safe Failure Rate of a 24 VDC Digital Output Switch FR_PS_S =
Safe Failure Rate of a Power Supply FR_PI = Failure Rate of an Pulse Input Module Leg FR_PI_DU = Dangerous Undetected Failure Rate of an Pulse Input Module Leg FR_PI_SU =
Safe Undetected Failure Rate of an Pulse Input Module Leg FR_PI_S =
Safe Failure Rate of an Pulse Input Module Leg FR_PIP_S =
Safe Failure Rate of an Pulse Input Module Common Processing Circuit FR_PIC_S =
Safe Failure Rate of an Pulse Input Circuit Beta = Common Cause Factor (0.015 or 1
.5%) ccf3legs = Common Cause Factor affecting all three legs of module (0.25)
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 79 of 83 Date: 10/11/13 Attachment B: Estimating Common Cause Factors Using IEC 61508-6 Standard The -factor is calculated for the sensors, the logic subsystem and the final elements separately.
In order to minimize the probability of occurrence of common cause failures, one should first establish which measures lead to an efficient defence against their occurrence. The implementation of the appropriate measures in the system lead to a reduction in the value of the -factor used in estimating the probability of failure due to common cause failures.
Table B1 lists the measures and contains associated values, based on engineering judgement, which represent the contribution each measure makes in the reduction of common cause failures. Table B1 has been modified by removing the X and Y values for the sensors and final elements. In their place are the X LS and Y LS for the Tricon logic subsystem. Extensive diagnostic tests may be incorporated into programmable electronic systems that allow the detection of non
-simultaneous common cause failures. To allow diagnostic tests to be taken into account in the estimation of the -factor, the overall contri bution of each measure in Table B1 is divided, using engineering judgement, into two sets of values, X and Y. For each measure, the X: Y ratio represents the extent to which the measure's contribution against common clause failures can be improved by diagnostic testing. The user of Table B1 should ascertain which measures apply to the system in question, and sum the corresponding values shown in each of columns X LS and Y LS for the logic subsystem, the sums being referred to as X and Y, respectively.
Table B2 is used to determine a factor Z from the frequency and coverage of the diagnostic tests. The score S is then calculated using the following equations, as appropriate (see previous clause):
- YXS to obtain the value of int (the -factor for undetected failures); and
- Y1ZXS D to obtain the value of D int (the -factor for detected failures).
Here S or S D is a score which is used in Table B3 to determine the appropriate int -factor. int and D int are the values of the common cause failure prior to considering the effect of different degrees of redundancy.
The Tricon values for X and Y determined from Table B1 are X = 35.5 and Y = 42.75. And thus S = 78.25. The Z factor for the Tricon is 2 (See Table B
- 2) The S D factor is S D = 149.25. Using the S and S D factors in Table B 3 , int and D int are 1% and 0.5% respectively
.
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 80 of 83 Date: 10/11/13 Table B1 - Scoring programmable electronics
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 81 of 83 Date: 10/11/13 Table B1 (continued)
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 82 of 83 Date: 10/11/13 Table B2 - Value of Z: programmable electronics Diagnostic Diagnostic test interval coverage Less than 1 min Between 1 min and 5 min Greater than 5 min 99 % 2,0 1,0 0 90 % 1,5 0,5 0 60 % 1,0 0 0 Table B3 - Calculation of int or D int Score (S or S D) Corresponding value of int or D int for the: Logic subsystem Sensors or final elements 120 or above 0,5 % 1 % 70 to 120 1 % 2 % 45 to 70 2 % 5 % Less than 45 5 % 10 % NOTE 1 The maximum levels of D int shown in this table are lower than would normally be used, reflecting the use of the techniques specified elsewhere in this standard for the reduction in the probability of systematic failures as a whole, and of common cause failures as a result of this.
NOTE 2 Values of D int lower than 0,5
% for the logic subsystem and 1
% for the sensors would be difficult to justify.
The int derived from Table B3 is the common cause failure associated with a 1oo2 system. For other levels of redundancy (MooN) this int value will change as given in Table B4 to yield the final value of
Document: 993754-1-819 Title: Reliability Analysis Revision: 0 Page: 83 of 83 Date: 10/11/13 Table B4 - Calculation of for systems with Levels of redundancy greater than 1oo2 MooN N 2 3 4 5 M 1 int0.5 int 0.3 int 0.2 int 2 - 1.5 int 0.6 int 0.4 int 3 - - 1.75 int 0.8 int 4 - - 2.0 int Beta values used for the Tricon configurations are shown in the Table below.
Tricon Configuration Beta Value Single PPS Tricon (2oo3) 1.5% Four 2oo4 PPS Tricons 0.6% Three 2oo3 PPS Tricons 1.5%
Note 1: These Beta's are applied to each Tricon PFDavg and MTTFspurious calculations