Invensys Operations Management

Project: PG&E PROCESS PROTECTION SYSTEM REPLACEMENT
Purchase Order No.: 3500897372
Project Sales Order: 993754

PACIFIC GAS & ELECTRIC COMPANY
NUCLEAR SAFETY-RELATED PROCESS PROTECTION SYSTEM REPLACEMENT
DIABLO CANYON POWER PLANT

RELIABILITY ANALYSIS

Document No. 993754-1-819
Revision 0
October 11, 2013

Author: T. Frederickson
Reviewer: Ted Quinn
IREN&V: Bill Hannaman
Approved by: Dan Head



Document: 993754-1-819  Title: Reliability Analysis  Revision: 0  Page: 2 of 83  Date: 10/11/13

Document Change History

Revision | Date       | Change                   | Author
A        | 7/17/13    | Initial Issue for Review | T. Frederickson
0        | 10/11/2013 | Rev 0 Issue              | T. Frederickson


Table of Contents

1 Introduction ..... 6
1.1 Project Overview ..... 6
Table 1-1: V10 Tricon PPS Protection Set Channel Safety Functions ..... 8
1.2 Purpose ..... 9
2 Summary of Results ..... 10
Table 2-1: Summary of Reliability Analysis - Critical 2oo4 & 2oo3 PPS Safety Functions ..... 13
Table 2-2: Summary of PFDavg and MTTFspurious for Critical PPS Safety Functions ..... 14
3 Input and Design Criteria ..... 15
3.1 Process Protection System ..... 15
3.2 Tricon Component Failure Rates ..... 16
Table 3-1: Tricon Version 10.5 Module Failure Rates ..... 17
3.3 Common Cause β factors ..... 18
3.4 Acronyms and Symbols ..... 18
3.5 Definitions of Key Terminology ..... 20
3.5.1 Availability ..... 20
3.5.2 Average Probability of Failure on Demand (PFDavg) ..... 20
3.5.3 Common Cause Failure ..... 20
3.5.4 Dangerous Failure ..... 20
3.5.5 Dangerous Detected Failure ..... 20
3.5.6 Dangerous Undetected Failure ..... 20
3.5.7 Dangerous Systematic Failure ..... 21
3.5.8 Detected ..... 21
3.5.9 Diagnostic Coverage ..... 21
3.5.10 Failure ..... 21
3.5.11 Fault ..... 21
3.5.12 MooN ..... 21
3.5.13 Mean Time between Failure (MTBF) ..... 21
3.5.14 Mean Time to Fail Spurious (MTTFspurious) ..... 21
3.5.15 Mean Time to Repair (MTTR) ..... 22
3.5.16 Proof Test ..... 22
3.5.17 Probability of Failure on Demand (PFD) ..... 22
3.5.18 Probability of Failure on Demand (PFD) Analysis ..... 22
3.5.19 Redundancy ..... 23
3.5.20 Safe Failure ..... 23
3.5.21 Safe Detected Failure ..... 23
3.5.22 Safe Undetected Failure ..... 23
3.5.23 Safety Integrity ..... 23
3.5.24 Spurious Failure ..... 23
3.5.25 Undetected ..... 23
4 Assumptions ..... 24
4.1 Overall System Assumptions ..... 24
4.2 Mean Time between Failure (MTBF) Assumptions ..... 24
4.3 Mean Time to Repair (MTTR) Assumptions ..... 25
4.4 PPS Tricon 2oo4 Reliability Assumptions ..... 25
4.5 PPS Tricon 2oo3 Reliability Assumptions ..... 25
5 Method of Analysis ..... 27
5.1 Triconex Tricon Version 10.5 EXCEL Spreadsheets ..... 27
5.2 Spreadsheets for Reliability Calculation of Redundant Tricon Configurations ..... 28
6 Reliability Calculations ..... 29
7 References ..... 46
7.1 PG&E Documents ..... 46
7.2 NRC Documents ..... 46
7.3 Reliability Methodology ..... 46
7.4 Vendor component specifications and reliability data ..... 47
8 Conclusion/Discussion ..... 48
Attachment A: Markov Models for Tricon Version 10.5 ..... 49
Attachment B: Estimating Common Cause Factors Using IEC 61508-6 Standard ..... 79


Table of Figures

Figure 1-1: Westinghouse PWR Reactor Protection Concept [Ref. 7.1.2] ..... 6
Figure 2-1: PFDavg versus TI for the PPS Tricons in a 2oo4 Configuration ..... 11
Figure 2-2: PFDavg versus TI for the PPS Tricons in a 2oo3 Configuration ..... 12
Figure 6-1: PPS I Tricon - Fail-to-Function ..... 30
Figure 6-2: PPS I Tricon - Fail-Safe ..... 31
Figure 6-3: PPS II Tricon - Fail-to-Function ..... 32
Figure 6-4: PPS II Tricon - Fail-Safe ..... 33
Figure 6-5: PPS III Tricon - Fail-to-Function ..... 34
Figure 6-6: PPS III Tricon - Fail-Safe ..... 35
Figure 6-7: PPS IV Tricon - Fail-to-Function ..... 36
Figure 6-8: PPS IV Tricon - Fail-Safe ..... 37
Figure 6-9: 2oo4 OTDT Reactor Trip Safety Function - Fail-to-Function ..... 38
Figure 6-10: 2oo4 OTDT Reactor Trip Safety Function - Fail-Safe ..... 39
Figure 6-11: PFDavg and MTTFspurious for 2oo4 Tricon Configuration ..... Error! Bookmark not defined.
Figure 6-12: Symbols Used to Calculate PFD and MTTF for 2oo4 Configuration ..... 41
Figure 6-13: 2oo3 Steamline Isolation Function - Fail-to-Function ..... 42
Figure 6-14: 2oo3 Steamline Isolation Function - Fail-Safe ..... Error! Bookmark not defined.
Figure 6-15: PFDavg & MTTF Calculation for 2oo3 Steamline Function ..... 43
Figure 6-16: Symbols for Calculation for 2oo3 Steamline Isolation Function ..... 45
Figure A1 - Part 1: Fail-to-Function Markov Model for TRICON V10.5 TMR Controller ..... 50
Figure A1 - Part 2: Fail-to-Function Markov Model for TRICON V10.5 TMR Controller ..... 51
Figure A1 - Part 3: Fail-to-Function Markov Model for TRICON V10.5 TMR Controller ..... 52
Figure A2: Generic Fail-Safe Markov Model Using Detected and Undetected Safe Failure Rates ..... 68
Figure A3: Generic Fail-Safe Markov Model Using Total Safe Failure Rates ..... 69
Figure A4 - Part 1: Fail-Safe Markov Model for TRICON Version 10.5 TMR Controller ..... 70
Figure A4 - Part 2: Fail-Safe Markov Model for TRICON Version 10.5 TMR Controller ..... 71
Figure A4 - Part 3: Fail-Safe Markov Model for TRICON Version 10.5 TMR Controller ..... 72

1 Introduction

1.1 Project Overview

The Pacific Gas & Electric (PG&E) Diablo Canyon Power Plant (DCPP) Process Protection System (PPS) Replacement Project upgrades the existing Westinghouse Eagle 21 safety system. The scope of the equipment replacement is shown in the red box in Figure 1-1, on the following page. The red box represents the Process Protection racks that contain the safety-related equipment. The PPS monitors plant parameters, compares them against setpoints and provides signals to the Solid State Protection System (SSPS). The SSPS evaluates the signals and performs Reactor Trip System (RTS) and Engineered Safety Feature Actuation System (ESFAS) functions to mitigate the event that is in progress. The SSPS, RTS, and ESFAS functions are not within the scope of the PPS Replacement Project.

Figure 1-1: Westinghouse PWR Reactor Protection Concept [Ref. 7.1.2]

The PPS comprises four Protection Sets in sixteen racks. Separation of redundant process channels begins at the process sensors and is maintained in the field wiring, containment penetrations, and process Protection Sets to the two redundant trains in the SSPS logic racks. Redundant process channels are separated by locating the electronics in different Protection Sets.

The four replacement Protection Sets (I through IV) each comprise the V10 Tricon, the Westinghouse Advanced Logic System (ALS) platform, the Maintenance Workstation, and various interface devices, such as the NetOptics Network Aggregator Tap and instrument loop isolators. The ALS is not within the IOM scope of supply. However, the ALS converts sensor inputs to a signal type compatible with the V10 Tricon hardware. Specifically, the ALS processes resistance temperature detector (RTD) inputs and converts them to 4-20 milliamp signals. This conversion is necessary to satisfy Diablo Canyon Power Plant loop accuracy requirements.

The V10 Tricon portion of the PPS Replacement System comprises three V10 Tricon chassis per Protection Set: one safety-related Main Chassis, one safety-related Remote Expansion Chassis (RXM), and one non-safety-related RXM chassis. The Network Aggregator Tap, which is intended as an isolation device between the Tricon and the non-safety plant network, is provided by PG&E to IOM for factory acceptance testing. The media converter between the Tricon Main Chassis and the Network Aggregator Tap will be provided by IOM and is necessary to convert the fiber optic medium at the output of the Tricon Communication Module (TCM) to the copper medium at the input of the Network Aggregator Tap.

The Maintenance Workstation is a non-safety device developed separately from the PPS Replacement Project under a separate PG&E Purchase Order, budget, and staff. Development of the Maintenance Workstation is handled under a different project plan and by a separate project team. However, the Maintenance Workstation is part of the factory acceptance test of the V10 Tricon Protection Sets, as discussed in the Validation Test Plan, 993754-1-813. The technical requirements for the Tricon-to-Maintenance Workstation interface are provided in the PG&E Interface Requirements Specification [Ref. 7.1.4].

The functions required in each V10 Tricon Protection Set are listed in Table 1-1 on the next page. See the Functional Requirements Specification for additional details on the protection functions and their design bases. As can be seen in Table 1-1, the PPS Protection Sets do not all have the same channel safety functions. The Conceptual Design Document [Ref 7.1.2] and Functional Requirements Specification have additional detail on the hardware configuration of the PPS.


Channel(s) | Function | Purpose | Protection Set (I II III IV)

Wide Range Reactor Coolant Temperature Channels | Input to Low Temperature Overpressure Protection System (LTOPS) | Provides protection against over-pressurization at low plant temperature | X X
Wide Range Reactor Coolant Pressure Channels | Input to LTOPS | Provides protection against over-pressurization at low plant temperature | X X
Wide Range Reactor Coolant Pressure Channels | Input to Residual Heat Removal (RHR) valve interlock circuit | Provides protection against improper operation of RHR isolation valves | X X
Delta-T / Tavg (DTTA) Channels | Overtemperature Delta-T (OTDT) Reactor Trip | Provides DNB protection | X X X X
Delta-T / Tavg (DTTA) Channels | Overpower Delta-T (OPDT) Reactor Trip | Provides protection against excessive power (fuel rod rating protection) | X X X X
Delta-T / Tavg (DTTA) Channels | Low-Low Tavg P-12 | Blocks steam dump to prevent undesired cooldown | X X X X
Delta-T / Tavg (DTTA) Channels | Low Tavg Feedwater Isolation | Prevents excessive cooling after trip to maintain shutdown margin | X X X X
Pressurizer Level Channels | Pressurizer High Water Level Reactor Trip | Provides backup protection to the Pressurizer High Pressure Reactor Trip, and prevents the pressurizer from becoming water solid during low-worth and -power rod withdrawal accidents | X X X
Pressurizer Vapor Temperature Channel | Pressurizer Vapor Space Temperature Low | RHR valve V-8701 interlock circuit input | X
Steam Generator Steam Flow Channel | Steam Flow Indication | Provide safety-related outputs for post-accident monitoring (S/G 1 thru 4) | X X
Steamline Break Protection Channels | Steamline Pressure Low SI and Steamline Isolation | Initiate the automatic starting of boron injection and decay heat removal systems, and provide protection against steamline break accidents | X X X X
Steamline Break Protection Channels | Steamline Pressure High Negative Rate Steamline Isolation | Provide protection in the case of a steamline break when Pressurizer Pressure is less than the P-11 setpoint and Low Steamline Pressure SI is blocked | X X X X
Steam Generator Narrow Range Level Channels | Steam Generator (S/G) High-High Level Turbine Trip and Feedwater Isolation (P-14, S/G High Level Permissive) | Provides protection against S/G overfill and damage to the main steamlines or main turbine | X X X X
Steam Generator Narrow Range Level Channels | S/G Low-Low Level Reactor Trip and Auxiliary Feedwater (AFW) Pump Start | Protects the reactor from loss of heat sink in the event of loss of feedwater to one or more S/Gs or a major feedwater line rupture | X X X X
Turbine Impulse Chamber Pressure Channels | Turbine Impulse Chamber Pressure High to P-13 Interlock | Provide an input to P-7 indicative of low turbine power when less than the setpoint; the P-7 permissive disables selected Reactor Trip signals at low power levels | X X

Table 1-1: V10 Tricon PPS Protection Set Channel Safety Functions

1.2 Purpose

The purpose of this calculation is to document the methodology and results of the Reliability Analysis, where applicable, for the PPS Replacement Safety System Architecture. The intent of the Reliability Analysis is to provide a quantitative reliability analysis of the Tricons (the logic solver) performing the reactor trips and the Engineered Safety Features Actuation System (ESFAS) functions. The goal is to demonstrate that the IOM electronic hardware portions of the PPS can achieve a very low unavailability factor and an MTTFspurious larger than thousands of years.

The unavailability parameter calculated is the average probability of failure on demand (PFDavg). The PFDavg achieved by the PPS safety functions should meet the requirements of the highest hardware Safety Integrity Level (SIL), SIL 4. SIL 4 requires the PFDavg for a complete safety function, including the sensors, logic solver, and final elements, to be in the range of 1.0E-05 to 1.0E-04. See IEC 61508-1 for information on SIL 4. Since the PFDavg for the sensors and final elements is typically much higher than the logic solver PFDavg, the PFDavg for the Tricon PPS safety functions should be in the range of 1.0E-06 to 1.0E-05.

The Reliability Analysis encompasses all IOM system safety critical application hardware (Tricons) as detailed in the PPS Architecture (References 7.4.3 and 7.4.4), PPS drawings and/or PPS BOM. Sensors and final elements are the responsibility of PG&E and are not provided by Invensys as part of the PPS contract. This analysis addresses the reliability of the hardware components provided by Invensys as part of the PPS Replacement contract. Since sensors and final elements are the responsibility of PG&E, their data is not included in the calculations. The ALS is the responsibility of Westinghouse.

This is a NUCLEAR SAFETY RELATED document.


2 Summary of Results

The PFDavg is calculated for four Tricons in a 2oo4 voting configuration. The I/O modules analyzed are those for the most complex 2oo4 safety function, Over Temperature Delta-T (OTDT). The PFDavg is computed for a proof test interval (TI) from 1 to 30 months. Figure 2-1 shows the PFDavg for the OTDT 2oo4 safety function. The most complex 2oo4 safety function is the one that requires the largest number of modules to perform a safety function within the scope of the system modification.

The PFDavg is also calculated for three Tricons in a 2oo3 voting configuration. The I/O modules analyzed are those for the most complex 2oo3 safety function, Steamline Isolation. Figure 2-2 shows the PFDavg for the Steamline Isolation 2oo3 safety function.

Table 2-1 summarizes the results of the reliability analysis for the most complex 2oo3 and 2oo4 safety functions. Table 2-2 summarizes the results of the reliability analysis for all the complex 2oo3 and 2oo4 safety functions. Attachment B explains the common cause factors used in the analysis of the various Tricon configurations.

This PPS replacement design meets the design requirements for a 24 hour Mean Time To Repair (MTTR) for fault conditions identified through diagnostic coverage, with a 30 month proof test interval. Therefore, no additional design modifications are required.
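As an added illustration of the sweep described above (not the document's own Markov-model calculation and not Triconex data), the Python below computes PFDavg for 2oo4 and 2oo3 voting over a 1 to 30 month proof test interval with a 24-hour MTTR and a beta-factor common cause term. The failure rates and beta values are constructed placeholders, and the simplified periodic-proof-test model stands in for the Markov models of Attachment A; it is general enough to evaluate any MooN vote.

```python
"""PFDavg of an M-out-of-N voted logic solver versus proof test interval (TI).

Added illustration, not the document's Markov-model calculation.  It uses a
periodic-proof-test model with a beta-factor common cause term: the 24-hour
MTTR and the 1..30 month TI sweep follow the document's stated assumptions;
the failure rates and beta values below are constructed placeholders.
"""
from math import comb, exp

HOURS_PER_MONTH = 730.0
MTTR_HOURS = 24.0        # document assumption: 24 h MTTR for diagnosed faults

# Constructed placeholder rates in failures per hour (not Table 3-1 data).
LAMBDA_DU = 2.0e-8       # dangerous undetected: found only by the proof test
LAMBDA_DD = 2.0e-6       # dangerous detected: repaired within MTTR
BETA = 0.02              # common cause fraction applied to DU failures
BETA_D = 0.01            # common cause fraction applied to DD failures

# Target quoted in the document: the logic solver share of a SIL 4 function
# should fall in 1.0E-06..1.0E-05 so sensors and final elements fit under 1.0E-04.
LOGIC_SOLVER_PFD_CEILING = 1.0e-5


def channel_unavailability(t_hours, lam_du, lam_dd, mttr):
    """Dangerous unavailability of one channel t hours after its last proof test.

    DU faults accumulate until the next proof test; DD faults contribute a
    steady-state term (rate x repair time) because diagnostics find them quickly.
    """
    return 1.0 - exp(-lam_du * t_hours) + lam_dd * mttr


def moon_pfd(q, m, n):
    """Probability that an MooN voted function fails to act at channel unavailability q.

    MooN needs M healthy channels to trip, so it is lost once N-M+1 or more
    channels have failed dangerous (2oo4 survives two failures, 2oo3 one).
    """
    k_min = n - m + 1
    return sum(comb(n, k) * q ** k * (1.0 - q) ** (n - k) for k in range(k_min, n + 1))


def pfd_avg(m, n, ti_months, lam_du=LAMBDA_DU, lam_dd=LAMBDA_DD, mttr=MTTR_HOURS,
            beta=BETA, beta_d=BETA_D, steps=2000):
    """Average PFD over one proof test interval.

    Independent failures: the beta-reduced rates are applied per channel and the
    voted PFD is averaged over [0, TI] with a midpoint rule.
    Common cause: a beta fraction of the failures hits every channel at once, so
    the voting gives no credit; the DU share is averaged over TI, the DD share
    lasts one MTTR.
    """
    ti_hours = ti_months * HOURS_PER_MONTH
    dt = ti_hours / steps
    independent = sum(
        moon_pfd(channel_unavailability((i + 0.5) * dt, (1.0 - beta) * lam_du,
                                        (1.0 - beta_d) * lam_dd, mttr), m, n)
        for i in range(steps)
    ) / steps
    common_cause = beta * lam_du * ti_hours / 2.0 + beta_d * lam_dd * mttr
    return independent + common_cause


def sweep(m, n, max_months=30, **kwargs):
    """PFDavg for TI = 1..max_months, the sweep behind a Figure 2-1 style curve."""
    return {ti: pfd_avg(m, n, ti, **kwargs) for ti in range(1, max_months + 1)}


def within_logic_solver_budget(pfd):
    """True when the logic solver PFDavg leaves room for sensors and final elements."""
    return pfd <= LOGIC_SOLVER_PFD_CEILING


if __name__ == "__main__":
    for m, n, label in ((2, 4, "2oo4 (four Tricons)"), (2, 3, "2oo3 (three Tricons)")):
        curve = sweep(m, n)
        print(f"{label}: TI=1 -> {curve[1]:.2e}, TI=30 -> {curve[30]:.2e}")
    # With beta set to zero the 2oo4 result drops by orders of magnitude, which is
    # why the common cause factors of Attachment B dominate the answer.
    print(f"2oo4, TI=30, no common cause: {pfd_avg(2, 4, 30, beta=0.0, beta_d=0.0):.2e}")
```

Running it shows the independent-failure term of a 2oo4 vote is negligible next to the beta term, so the result tracks the common cause fraction almost linearly in TI.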


Figure 2-1: PFDavg versus TI for the PPS Tricons in a 2oo4 Configuration

[Plot: PFDavg for Over Temperature Delta-T OTDT Reactor Trip; x axis: TI - Proof Test Interval - Months, 1 to 30; y axis: PFDavg, 0.00E+00 to 5.00E-07]


Figure 2-2: PFDavg versus TI for the PPS Tricons in a 2oo3 Configuration

[Plot: PFDavg for Low Steamline Pressure SI vs TI; x axis: TI - Proof Test Interval - Months, 1 to 30; y axis: PFDavg, 0.00E+00 to 5.00E-07]


Table 2-1: Summary of Reliability Analysis - Critical 2oo4 & 2oo3 PPS Safety Functions
PG&E Diablo Canyon Power Plant Units 1 & 2

Tricon Configuration | Voting Logic | Periodic Test Interval (Months) | PFDavg | MTTFspurious (Years) | Availability

2oo4 PPS Safety Function, OTDT Reactor Trip | 2oo4 | 30 | 3.80E-07 | 221,417 | >99.99999
  Tricon Protection Set I | 2oo3 | 30 | 6.09E-05 | 1,332 | >99.999
  Tricon Protection Set II | 2oo3 | 30 | 6.09E-05 | 1,332 | >99.999
  Tricon Protection Set III | 2oo3 | 30 | 6.09E-05 | 1,429 | >99.999
  Tricon Protection Set IV | 2oo3 | 30 | 6.09E-05 | 1,429 | >99.999

2oo3 PPS Safety Function, Loop 1 Steamline Isolation | 2oo3 | 30 | 4.91E-07 | 64,541 | >99.99999
  Tricon Protection Set I | 2oo3 | 30 | 3.14E-05 | 1,332 | >99.999
  Tricon Protection Set II | 2oo3 | 30 | 3.14E-05 | 1,332 | >99.999
  Tricon Protection Set IV | 2oo3 | 30 | 3.14E-05 | 1,429 | >99.999

2oo3 PPS Safety Function, Loop 2 Steamline Isolation | 2oo3 | 30 | 4.91E-07 | 64,541 | >99.99999
  Tricon Protection Set I | 2oo3 | 30 | 3.14E-05 | 1,332 | >99.999
  Tricon Protection Set II | 2oo3 | 30 | 3.14E-05 | 1,332 | >99.999
  Tricon Protection Set III | 2oo3 | 30 | 3.14E-05 | 1,429 | >99.999

2oo3 PPS Safety Function, Loop 3 Steamline Isolation | 2oo3 | 30 | 4.91E-07 | 64,541 | >99.99999
  Tricon Protection Set I | 2oo3 | 30 | 3.14E-05 | 1,332 | >99.999
  Tricon Protection Set II | 2oo3 | 30 | 3.14E-05 | 1,332 | >99.999
  Tricon Protection Set III | 2oo3 | 30 | 3.14E-05 | 1,429 | >99.999

2oo3 PPS Safety Function, Loop 4 Steamline Isolation | 2oo3 | 30 | 4.91E-07 | 64,541 | >99.99999
  Tricon Protection Set I | 2oo3 | 30 | 3.14E-05 | 1,332 | >99.999
  Tricon Protection Set II | 2oo3 | 30 | 3.14E-05 | 1,332 | >99.999
  Tricon Protection Set IV | 2oo3 | 30 | 3.14E-05 | 1,429 | >99.999

Note: The data on the lines starting with Tricon Protection Set are for the single Tricon.


Table 2-2: Summary of PFDavg and MTTFspurious for Critical PPS Safety Functions
DIABLO CANYON NUCLEAR POWER PLANT UNITS 1 & 2 - PFDavg and MTTFspurious for PPS Safety Functions

Safety Function | Protection Sets | Voting Logic | PFDavg | MTTFspurious (Years)

Over Temperature Delta-T (OTDT) Reactor Trip | PPS I, II, III, IV | 2oo4 | 3.801E-07 | 221,417
Over Power Delta-T (OPDT) Reactor Trip | PPS I, II, III, IV | 2oo4 | 3.801E-07 | 221,417
Pressurizer High Water Level Reactor Trip | PPS I, II, III | 2oo3 | 4.91E-07 | 64,541
Loop 1 Steamline Pressure Low Isolation | PPS I, II, IV | 2oo3 | 4.91E-07 | 64,541
Loop 2 Steamline Pressure Low Isolation | PPS I, II, III | 2oo3 | 4.91E-07 | 64,541
Loop 3 Steamline Pressure Low Isolation | PPS I, II, III | 2oo3 | 4.91E-07 | 64,541
Loop 4 Steamline Pressure Low Isolation | PPS I, II, IV | 2oo3 | 4.91E-07 | 64,541
Loop 1 Steamline Pressure High Negative Rate Isolation | PPS I, II, IV | 2oo3 | 4.91E-07 | 64,541
Loop 2 Steamline Pressure High Negative Rate Isolation | PPS I, II, III | 2oo3 | 4.91E-07 | 64,541
Loop 3 Steamline Pressure High Negative Rate Isolation | PPS I, II, III | 2oo3 | 4.91E-07 | 64,541
Loop 4 Steamline Pressure High Negative Rate Isolation | PPS I, II, IV | 2oo3 | 4.91E-07 | 64,541
Steam Generator 1 High High Level Turbine Trip | PPS II, III, IV | 2oo3 | 4.91E-07 | 64,541
Steam Generator 2 High High Level Turbine Trip | PPS I, III, IV | 2oo3 | 4.91E-07 | 64,541
Steam Generator 3 High High Level Turbine Trip | PPS I, III, IV | 2oo3 | 4.91E-07 | 64,541
Steam Generator 4 High High Level Turbine Trip | PPS II, III, IV | 2oo3 | 4.91E-07 | 64,541
Steam Generator 1 Low Low Level Reactor Trip | PPS II, III, IV | 2oo3 | 4.91E-07 | 64,541
Steam Generator 2 Low Low Level Reactor Trip | PPS I, III, IV | 2oo3 | 4.91E-07 | 64,541
Steam Generator 3 Low Low Level Reactor Trip | PPS I, III, IV | 2oo3 | 4.91E-07 | 64,541
Steam Generator 4 Low Low Level Reactor Trip | PPS II, III, IV | 2oo3 | 4.91E-07 | 64,541


3 Input and Design Criteria

3.1 Process Protection System

The four Protection Sets have different hardware and software requirements. The Main Chassis in each Protection Set executes the TriStation 1131 application code (the PT2 file); therefore the PPS requires four application programs (four PT2 files). The application programs are developed as nuclear safety-related Software Integrity Level 4 (SIL4) software.

3.2 Tricon Component Failure Rates

Failure rates are calculated per MIL-HDBK-217F where available. Where not available, failure rates were computed using the Bellcore Issue 6 database, parts count method (Method I, Case 1), assuming a nominal 40 degrees C junction temperature, 50% electrical stress, ground benign, controlled environment, quality class II. The "parts count" or "Black Box" method is very similar to, and was modeled on, the MIL-HDBK-217 standard. Although the Bellcore/Telcordia standard was originally developed for the telecommunications industry, it is also widely accepted in industrial and process automation, as it is considered to match specific application conditions more closely than the MIL-HDBK-217 values. Typically the military standard has more conservative failure rates than Telcordia. However, because the failure mode conditions identified in the FMEA (Reference 7.4.2) are quantified in the Diagnostic Coverage, Telcordia gives the more conservative values in certain cases, depending on the actual device design.

Conditions for MTBF Calculations

- Software tool used: Relex 7.7
- Database used: Telcordia (Bellcore Issue 6)
- Method used: Parts count method (Method 1). This means that only the conservative database values are taken into account and no credit is taken for laboratory or field data.

The Failure Mode and Effect Analysis quantified the Diagnostic Coverage and the Safe Failure Fraction in accordance with IEC 61508-6 Annex C.


Table 3-1: Tricon Version 10.5 Module Failure Rates


3.3 Common Cause β factors

These factors are applied in accordance with IEC 61508-6 Annex D for quantifying the effect of hardware-related common cause failures. Attachment B shows how the Beta factors for the Tricons were developed using IEC 61508-6 Annex D. Attachment B also lists the common cause Beta factors used in the reliability analysis for Triple and Quad Tricon configurations.

3.4 Acronyms and Symbols

The following is a list of the various acronyms used in this document:

AI – Analog Input
AO – Analog Output
BOM – Bill of Material
CC – Common Cause
CCF – Common Cause Failure
DD – Dangerous Detected
DI – Digital Input
DO – Digital Output
DU – Dangerous Undetected
FMEA – Failure Modes and Effects Analysis
FPH – Failures per Hour
FPMH – Failures per Million Hours
IEC – International Electrotechnical Commission
IEEE – Institute of Electrical and Electronics Engineers
ESFAS – Engineered Safety Features Actuation Systems
I/O – Input/Output
MooN – M out of N Architecture (i.e. 2oo4)
MP – Main Processor
MTTF – Mean Time to Failure
MTTFspurious – Mean Time to Fail Spurious
MTTR – Mean Time to Repair
MTTRot – Mean Time to Repair-On Line
PFD – Probability of Failure on Demand
PFDavg – Average Probability of Failure on Demand
PPS – Process Protection System
PFH – Probability of Failure per Hour
RO – Relay Output
RPS – Reactor Protection Systems
RT – Reactor Trip
RTB – Reactor Trip Breaker
RTS – Reactor Trip System
SD – Safe Detected
SU – Safe Undetected
SFF – Safe Failure Fraction
SIF – Safety Instrumented Function
SIL – Safety Integrity Level
SIS – Safety Instrumented System
SSPS – Solid State Protection System
TI – Periodic Offline Test or Proof Test Interval
TMR – Triple Modular Redundant


3.5 Definitions of Key Terminology

3.5.1 Availability

Availability is the characteristic of an item expressed by the probability that it will be operational at a randomly selected future instant in time. This metric assumes unplanned down time associated with a component failure and average MTTR only. It does not take into account planned down time such as preventive maintenance activities, planned upgrades and planned outages.

3.5.2 Average Probability of Failure on Demand (PFDavg)

The PFDavg is the average probability of failure on demand for an individual SIF (Safety Instrumented Function) over the defined Test Interval. IEC 61508 / IEC 61511 and ANSI S-84.01 require that the SIL calculation for each individual SIF include the PFDavg of the Logic Solver. Typically, a SIF will comprise approximately 3 to 8 I/O points, and the Triconex Logic Solver will be shared by several SIFs. By using the I/O for the most complex SIF (worst case), the PFDavg value obtained for the Logic Solver can conservatively be used for each individual SIF. The PFDavg obtained is an appropriate value to be used in the QRA (Quantitative Risk Assessment) validation process of the SIL for each independent SIF. Note that the calculation of PFDavg is conservative for all SIF architectures. As a result, the calculation for MooN can be more conservative than the calculation for 1oo1. (MooN refers to a voted M out of N SIF architecture, as defined in IEC 61508. 1oo1 refers to a single-channel SIS architecture.)

3.5.3 Common Cause Failure

A failure which is the result of one or more events, causing failures of two or more separate channels in a multiple channel system and leading to system failure.

3.5.4 Dangerous Failure

A failure which has the potential to put the safety instrumented system in a hazardous or fail-to-function state.

3.5.5 Dangerous Detected Failure

A detected failure which has the potential to put the safety instrumented system in a hazardous or fail-to-function state. Dangerous detected failures do not include hardware failures and software faults identified during proof testing.

3.5.6 Dangerous Undetected Failure

An undetected failure which has the potential to put the safety instrumented system in a hazardous or fail-to-function state. Dangerous undetected failures do not include hardware failures and software faults identified during proof testing.

3.5.7 Dangerous Systematic Failure

An error that results in a dangerous failure that originates during specification, design, implementation, commissioning or maintenance actions. This failure exhibits a non-random pattern of failures that exist at a discrete time 0 and remain failed throughout the full mission time of the SIS.

3.5.8 Detected

In relation to hardware failures and software faults, detected by the diagnostic tests or through normal operation. This does not include hardware failures and software faults identified during proof testing.

3.5.9 Diagnostic Coverage

The percentage of the total failure rate of the component or subsystem that is detected by built-in diagnostic tests. Diagnostic coverage does not include any faults detected by proof tests.

3.5.10 Failure

The termination of the ability of a functional unit to perform a required function.

3.5.11 Fault

An abnormal condition that may cause a reduction in, or loss of, the capability of a functional unit to perform a required function.

3.5.12 MooN

A safety instrumented system, or part thereof, made up of “N” independent channels, which are so connected that “M” channels are sufficient to perform the safety instrumented function.

3.5.13 Mean Time between Failure (MTBF)

The Mean Time between Failures is the average time between successive failures of a system which can be repaired or restored through the replacement of a failed component. This differs from MTTF (Mean Time to Failure), in which the system/component repair/restoration time (MTTR) is not a consideration. The mathematical relationship between the two is MTBF = MTTF + MTTR.

3.5.14 Mean Time to Fail Spurious (MTTFspurious)

The MTTFspurious relates to the nuisance or spurious trip rate of the SIS (Safety Instrumented System). All the “Safety Critical” I/O modules are included in the MTTFspurious section of the spreadsheet. Annunciator points and other I/O that will not trip the process automatically are not included. Power supplies are considered in the MTTFspurious calculation of de-energize-to-trip safety systems, as a false trip can occur if the power fails. By considering the total number of chassis, we account for the dual logic power supplies. Field power supply failures are accounted for separately when the calculations are done for the whole SIF including field elements (this is not part of the logic solver reliability calculations). The Markov model based reliability calculation tool developed by Triconex and reviewed by TÜV provides the PFDavg and the MTTFspurious calculations for the Logic Solver, including the three Main Processors, the Logic Power Supplies, all the chassis and all the conventional TMR safety-related I/O modules. The Mean Time to Fail Spurious is the average time between successive events triggered by detected faults in a safety instrumented system.

3.5.15 Mean Time to Repair (MTTR)

The Mean Time to Repair is the time required on average to detect a failed component within the system and complete those actions necessary to restore full system function. The times listed assume:

- Repair by replacement
- Availability of at least 1 on-site spare for each listed component

MTTR includes the time necessary to diagnose the fault and stabilize the system prior to component swap out, as well as the time to bring the system back on line to full functionality. In cases where a system or subsystem is comprised of multiple components, the MTTR for the system or subsystem will be the worst case MTTR of the components comprising the system or subsystem.

3.5.16 Proof Test

A test performed to reveal undetected faults in a safety instrumented system so that, if necessary, the system can be restored to its designed functionality. Note: Also known as Periodic Offline Test.

3.5.17 Probability of Failure on Demand (PFD)

The probability that the safety instrumented system is in a functional state in the event of a process demand necessitating a transition to a safe state.

3.5.18 Probability of Failure on Demand (PFD) Analysis

PFD analysis techniques employ systematic methodologies that decompose a complex system into its basic components. The performance and interactions of these basic components are combined into reliability models (such as simplified equations, fault trees and Markov models) to determine the overall system safety availability.

3.5.19 Redundancy

The use of multiple elements or systems to perform the same function; redundancy can be implemented by identical elements (identical redundancy) or by diverse elements (diverse redundancy).

3.5.20 Safe Failure

A failure which does not have the potential to put the safety instrumented system in a hazardous or fail-to-function state.

3.5.21 Safe Detected Failure

A detected failure which does not have the potential to put the safety instrumented system in a hazardous or fail-to-function state. Safe detected failures do not include hardware failures and software faults identified during proof testing.

3.5.22 Safe Undetected Failure

An undetected failure which does not have the potential to put the safety instrumented system in a hazardous or fail-to-function state.

3.5.23 Safety Integrity

Safety integrity is defined as “The probability of a Safety Instrumented Function satisfactorily performing the required safety functions under all stated conditions within a stated period of time.” Safety integrity consists of two elements: 1) hardware safety integrity and 2) systematic safety integrity. Hardware safety integrity can usually be estimated by modeling the component failure rates and the associated architecture (1oo1, 1oo2 etc.). The result of this analysis yields a PFD value which can be contrasted with the target (or specified) failure measure. Systematic safety integrity is difficult to quantify due to the diversity of potential causes of failure. Systematic failures may be introduced during the specification, design, implementation, operational and modification phases and may impact hardware as well as software.

3.5.24 Spurious Failure

The definition is the same as a safe failure: a failure which does not have the potential to put the safety instrumented system in a hazardous or fail-to-function state.

3.5.25 Undetected

In relation to hardware and software faults, not found by the diagnostic tests or during normal operation.

4 Assumptions

4.1 Overall System Assumptions

The analysis assumes:

- The unavailability factor PFDavg applies to the logic solver and its I/O modules only (the Tricons).
- Component failure and repair rates are assumed to be constant over the life of the component.
- Once a component has failed in one of the possible failure modes it cannot fail again in one of the remaining failure modes. It can only fail again after it has been repaired.
- The analysis assumes the same independent failure rates for identical redundant components.
- The logic solver failure rate includes input modules, logic solver, output modules and Tricon chassis power supplies.
- The Proof Test Interval (TI) is assumed to be much shorter than the Mean Time to Failure (MTTF).
- Proof testing and repair of components (e.g., replacement of modules) in the system are assumed to return the system to a perfect or “as new” condition.
- All Tricon components have been properly specified based on the process application.
- All chassis power supply failures are assumed to be in the de-energized state.
- The Beta factor model is used to treat possible common cause failures (CCFs). See Appendix B.
- All failure rates will be per 1.0E-06 hours unless otherwise specified.
- Field power supplies are not included in the reliability analysis.
- Input sensors are not shared between channels.

4.2 Mean Time between Failure (MTBF) Assumptions

The analysis assumes:

- Failures are independent of each other.
- Failures occur randomly at a constant rate over time.
- Repairs/replacements return the system to a “good as new” condition.
- 35 °C maximum, ground benign environment (unless otherwise noted).
- Component failure rates as listed in the Telcordia standard unless otherwise specified. These failure rates are assumed to be conservative relative to failure data from returns to Invensys.
- Wiring, interconnects, nests, racks and similar components are not considered in this analysis because their failure rate is much lower than that of the components on the modules.

4.3 Mean Time to Repair (MTTR) Assumptions

The analysis assumes:

- Repair by replacement.
- Personnel will be available to repair all failures within 24 hours.
- Availability of at least one module on site as a spare for each module type. Additional modules may be required if they have a high failure rate and/or the time to replace used spares is significant.
- MTTR includes the time necessary to diagnose the fault, stabilize the system prior to component swap out, perform the swap out, test, and bring the system back on line to full functionality. In cases where a system or subsystem is comprised of multiple components, the MTTR for the system or subsystem will be the worst case MTTR of the components comprising the system or subsystem.
- Since the MTTR = 24 hours, the reliability analysis assumes the detected failures being repaired can be ignored.

4.4 PPS Tricon 2oo4 Reliability Assumptions

The assumptions used to calculate the reliability for the PPS Tricons in a 2oo4 configuration are:

1) The TI maximum is 21,900 hours (30 months).
2) The Mean Time to Repair - Online (MTTRot) is 24 hours.
3) The Most Significant Instrumented Function used for the Fail-to-Function calculations was identified as the Over-temperature – Delta T function – DTTA, and requires 3 AI modules (two 3721 and one 3703) and 1 DO module (one 3601). (From Reference 7.1.3 Section 3.2.5 and Reference 7.4.3 Tables 10, 11, 12 and 18.)
4) All I/O modules in RXM chassis are not included in the Fail-Safe calculations.
5) The common cause Beta factors are Beta_2oo3 = 1.5% and Beta_Tricons_2oo4 = 0.6%.
6) Unused I/O on Tricon components is assumed to be a non-contributor to the failure rate.

4.5 PPS Tricon 2oo3 Reliability Assumptions

The assumptions used to calculate the reliability for the PPS Tricons in a 2oo3 configuration are:

1) The TI is 21,900 hours (30 months).
2) The Mean Time to Repair - Online (MTTRot) is 24 hours.
3) The Most Significant Safety Instrumented Function used for the Fail-to-Function calculations was identified as Steam Line Break Protection and requires 1 AI module (one 3721) and 1 DO module (one 3603). (From Reference 7.1.3 Section 3.2.10 and Reference 7.4.3 Tables 12 and 14.)
4) All I/O modules in RXM chassis are not included in the Fail-Safe calculations.
5) The common cause Beta factors are Beta_2oo3 = 1.5% and Beta_Tricons_2oo3 = 1.5%.
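The following Python example is added here and is not taken from the Triconex reliability spreadsheets. It applies the assumptions of Sections 4.3 to 4.5 using the simplified MooN equations (ISA TR84.00.02 style, with a beta-factor common cause term) instead of the Markov model the report uses, so that the effect of TI, MTTR, voting and beta on PFDavg and MTTFspurious can be seen directly. TI = 21,900 h, MTTR = 24 h and the beta factors are the report's values; the per-Tricon dangerous undetected and safe failure rates are constructed placeholders, and the numbers the script prints are illustrative only, not results of the report.

```python
"""PFDavg and MTTFspurious for a MooN voted set of logic solvers.

Added illustration using simplified equations (ISA TR84.00.02 Part 1 style,
beta-factor common cause term), not the Triconex Markov spreadsheet.
TI, MTTR and beta follow Section 4 of the report; the per-Tricon failure
rates below are constructed placeholders, not values from the report.
"""
from math import comb, factorial

HOURS_PER_YEAR = 8760.0

# Report assumptions (Sections 4.3 to 4.5)
TI_HOURS = 21_900.0        # proof test interval, 30 months
MTTR_HOURS = 24.0          # on-line repair time
BETA_2OO3 = 0.015          # Beta_Tricons_2oo3
BETA_2OO4 = 0.006          # Beta_Tricons_2oo4

# Constructed placeholder rates per Tricon, failures per hour (NOT from the report)
LAMBDA_DU = 2.0e-9         # dangerous undetected
LAMBDA_S = 2.0e-6          # safe (spurious trip causing)


def pfd_avg_moon(m: int, n: int, lam_du: float, ti_hours: float, beta: float) -> float:
    """Average PFD of an MooN architecture over one proof test interval.

    The function is lost once k = N-M+1 channels have failed dangerous undetected.
    Independent term: C(N, k) * (lam_du*TI)^k / (k+1), the time average over the
    TI of the probability that k of N channels are failed when each has failed
    with probability lam_du*t.  Common cause term: beta * lam_du * TI / 2.
    Valid for lam_du*TI << 1; detected failures are ignored, as the report does
    for MTTR = 24 h.
    """
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    k = n - m + 1
    independent = comb(n, k) * (lam_du * ti_hours) ** k / (k + 1)
    common_cause = beta * lam_du * ti_hours / 2.0 if n > 1 else 0.0
    return independent + common_cause


def spurious_trip_rate_moon(m: int, n: int, lam_s: float, mttr_hours: float, beta: float) -> float:
    """Spurious trip rate (per hour) of an MooN trip logic.

    A spurious trip needs M channels to fail safe within one repair time:
    C(N, M) * M! * lam_s^M * MTTR^(M-1) (e.g. 6 * lam_s^2 * MTTR for 2oo3),
    plus beta * lam_s for a common cause safe failure of the channels.
    """
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    independent = comb(n, m) * factorial(m) * lam_s ** m * mttr_hours ** (m - 1)
    common_cause = beta * lam_s if n > 1 else 0.0
    return independent + common_cause


def mttf_spurious_years(m: int, n: int, lam_s: float, mttr_hours: float, beta: float) -> float:
    return 1.0 / (spurious_trip_rate_moon(m, n, lam_s, mttr_hours, beta) * HOURS_PER_YEAR)


def report_table() -> dict:
    """PFDavg and MTTFspurious for a single Tricon and the 2oo3 / 2oo4 sets."""
    cases = {"1oo1": (1, 1, 0.0), "2oo3": (2, 3, BETA_2OO3), "2oo4": (2, 4, BETA_2OO4)}
    return {
        name: {
            "PFDavg": pfd_avg_moon(m, n, LAMBDA_DU, TI_HOURS, beta),
            "MTTFspurious_years": mttf_spurious_years(m, n, LAMBDA_S, MTTR_HOURS, beta),
        }
        for name, (m, n, beta) in cases.items()
    }


if __name__ == "__main__":
    for name, row in report_table().items():
        print(f"{name}: PFDavg = {row['PFDavg']:.3e}, "
              f"MTTFspurious = {row['MTTFspurious_years']:.0f} years")
```

With the constructed rates, the common cause term dominates PFDavg for both voted configurations, which is why the beta factors derived in Attachment B matter more to the result than the independent failure rate once the architecture is redundant.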


5 Method of Analysis

5.1 Triconex Tricon Version 10.5 EXCEL Spreadsheets

The Tricon reliability analysis is based on the Tricon Reliability Calculation Spreadsheets that use Markov based models developed by Triconex and reviewed/approved by TUV Rheinland. These spreadsheets provide the necessary system reliability calculations for the Tricon logic solver, including 3 main processors, logic solver power supplies, all the common chassis and conventional safety rated I/O modules. Common cause calculations are included in the spreadsheets. Annunciator points and other I/O that will not trip the process automatically are not considered in the scope of this analysis and are not included in the spreadsheet results. While the calculation spreadsheets account for dual chassis power supplies, field power supplies are not included in the Tricon Reliability Calculation Spreadsheet scope. The current Tricon Version 10.5 Reliability Calculation Spreadsheet is TRICONV10.5_1110 and is used to calculate the PFDavg and MTTFspurious for a single Tricon configuration. Two new versions of the spreadsheet have been developed to add the calculation of PFDavg and MTTFspurious for a 2oo4 configuration with four Tricons and a 2oo3 configuration with three Tricons. A third version of the spreadsheet has been developed for single versions of the Tricon. The new versions of the EXCEL Workbook files are:

TRICONV10.5_1110_DIABLO_CANYON_2oo4.xlsx
TRICONV10.5_1110_DIABLO_CANYON_2oo3.xlsx
TRICONV10.5_1110_DIABLO_CANYON.xlsx

Spreadsheet PFD & MTTF in the TRICONV10.5_1110_DIABLO_CANYON_2oo4.xlsx file calculates PFDavg and MTTFspurious for a 2oo4 configuration of four Tricons and also a single Tricon. Spreadsheet PFD & MTTF in the TRICONV10.5_1110_DIABLO_CANYON_2oo3.xlsx file calculates PFDavg and MTTFspurious for a 2oo3 configuration of three Tricons and also a single Tricon. Spreadsheet PFD & MTTF in the TRICONV10.5_1110_DIABLO_CANYON.xlsx file calculates PFDavg and MTTFspurious for each of the single Tricons.

5.2 Spreadsheets for Reliability Calculation of Redundant Tricon Configurations

Spreadsheets for the calculation of PFDavg and MTTFspurious for Tricon 2oo3 and 2oo4 configurations are used to show the additional calculations required for redundant Tricon configurations. Spreadsheets labeled 2oo4 Tricons and 2oo3 Tricons are in the workbook files TRICONV10.5_1110_DIABLO_CANYON_2oo4 and TRICONV10.5_1110_DIABLO_CANYON_2oo3. Printouts of these spreadsheets are shown in Section 6.

6 Reliability Calculations

The reliability calculations for each of the Tricons used the Triconex Tricon Version 10.5 Spreadsheet with Diablo Canyon configuration inputs itemized in the Assumptions, Section 4. The first eight Figures (spreadsheets) show the values of PFDavg and MTTFspurious for each of the PPS Tricons. Figures 6-9 and 6-10 show the PFDavg and MTTFspurious values for the 2oo4 PPS functions. Figures 6-11 and 6-12 show the additional calculations for the 2oo4 Tricon configuration. Figures 6-13 through 6-16 show the calculations for 2oo3 PPS functions.

Figure 6-1: PPS I Tricon - Fail-to-Function

Figure 6-2: PPS I Tricon - Fail-Safe

Figure 6-3: PPS II Tricon - Fail-to-Function

Figure 6-4: PPS II Tricon - Fail-Safe

Figure 6-5: PPS III Tricon - Fail-to-Function

Figure 6-6: PPS III Tricon - Fail-Safe

Figure 6-7: PPS IV Tricon - Fail-to-Function

Figure 6-8: PPS IV Tricon - Fail-Safe

Figure 6-9: 2oo4 OTDT Reactor Trip Safety Function - Fail-to-Function

Figure 6-10: 2oo4 OTDT Reactor Trip Safety Function - Fail-Safe

Figure 6-11: PFDavg and MTTFspurious for 2oo4 Tricon Configuration

Figure 6-12: Symbols Used to Calculate PFD and MTTF for 2oo4 Configuration

Figure 6-13: 2oo3 Steamline Isolation Function - Fail-to-Function

Figure 6-14: 2oo3 Steamline Isolation Function - Fail-Safe

Figure 6-15: PFDavg & MTTF Calculation for 2oo3 Steamline Function

Figure 6-16: Symbols for Calculation for 2oo3 Steamline Isolation Function

7 References

The following are referenced within this document or were used to develop this document:

7.1 PG&E Documents

7.1.1 PG&E Purchase Order 3500897372
7.1.2 PG&E Process Protection System Replacement Conceptual Design Document, R4
7.1.3 PG&E Functional Requirements Specification, 08-0015-SP-001, R5
7.1.4 PG&E Process Protection System Replacement Interface Requirements Specification including Appendix 3.1, I/O Listing, R6

7.2 NRC Documents

7.2.1 NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition, Chapter 7 – Instrumentation and Controls, U.S. Nuclear Regulatory Commission

7.3 Reliability Methodology

7.3.1 Telcordia (Bellcore) TR-NWT-000332, Issue 6, December 1997, "Reliability Prediction Procedure for Electronic Equipment"
7.3.2 Relex version 7.7 for calculation of component data
7.3.3 IEC 61513-2001, "Nuclear Power Plants – Instrumentation and Control for Systems Important to Safety – General Requirements for Systems"
7.3.4 IEC 61508-2009, "Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems", Parts 1 through 6
7.3.5 MIL-HDBK-217F, "Reliability Prediction of Electronic Equipment", Method I, Case 1 (parts count) to generate failure rate
7.3.6 ANSI S84.01-1996, “Application of Safety Instrumented Systems for the Process Industries”
7.3.7 ANSI/ISA TR84.00.02-2002, “Safety Instrumented Functions (SIF) – Safety Integrity Level (SIL) Evaluation Techniques, Part 1: Determining the SIL of a SIF via Simplified Equations”
7.3.8 IEEE Standard 762, “Definitions for Use in Reporting Electric Generating Unit Reliability, Availability and Productivity”
7.3.9 IEEE Standard 352-1987, “IEEE Guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Safety Systems”
7.3.10 IEEE Standard 577-2004, “IEEE Standard Requirements for Reliability Analysis in the Design and Operation of Safety Systems for Nuclear Facilities”

7.4 Invensys Component Specifications and Reliability Data

7.4.1 Triconex Reliability/Availability Spreadsheet for TRICON Version 10.5 TMR Controller – PFDavg & MTTFspurious Calculation
7.4.2 Invensys Document No. 993754-1-811, Rev. A, Nuclear Safety-Related Process Protection System Replacement, Diablo Canyon Power Plant, Failure Modes and Effects Analysis, March 15, 2013
7.4.3 Invensys Document No. 993754-11-807, Rev. 1, Nuclear Safety-Related Process Protection System Replacement, Diablo Canyon Power Plant, Hardware Requirements Specification (HRS), Protection Set I, September 12, 2013
7.4.4 Invensys Document No. 993754-11-917, Rev. 0, Nuclear Safety-Related Process Protection System Replacement, Diablo Canyon Plant, Hardware Design Description (HDD), Protection Set I, April 25, 2013

8 Conclusion/Discussion

The reliability analysis shows the PFDavg is in the 1.0E-07 to 1.0E-06 range for the 2oo3 and 2oo4 Tricon configurations for a proof test interval (TI) of 30 months. The MTTFspurious is in the many thousands of years for the 30 month proof test interval.


Attachment A: Markov Models for Tricon Version 10.5

The MARKOV model based reliability calculation spreadsheet developed by Triconex and reviewed by TUV provides:

1. A quantitative analysis of the Safety Availability in the form of a PFDavg (Average Probability of Failure on Demand) using a Fail-To-Function Markov Model
2. A quantitative analysis of the Fail Safe Reliability in the form of an MTTFspurious (Mean Time to Fail Spurious) using a Fail-Safe Markov Model

PROBABILITY OF FAILURE ON DEMAND CALCULATIONS USING TRICON VERSION 10.5 FAIL-TO-FUNCTION MARKOV MODEL

A Fail-to-Function Markov Model for the TRICON Version 10.5 is shown in Figure A1 – Part 1, Figure A1 – Part 2 and Figure A1 – Part 3. State 1 is the initial state where there are no failures of any of the modules in the system. Because of the triplicated architecture of the TRICON, at least two dangerous failures must occur to put the system in a fail-to-function state. State 44 is an absorbing fail-to-function state where multiple dangerous undetected failures have occurred and the system is in a fail-to-function condition. States 2 through 22 are intermediate states where a dangerous undetected failure of a portion of a subsystem has occurred but the system is not in a fail-to-function state. States 23 through 43 are states where a second dangerous failure (a dangerous detected failure) has occurred that has put the system in a temporary fail-to-function state. These states are temporary because the dangerous detected failures can be repaired, returning the system to the dangerous undetected failure states (2 through 22). The Fail-to-Function Markov Model was derived from the ISA Technical Report TR84.0.02 Part 5 developed by the SP84 Committee. The sections following the Markov Model Figures define the states in the Markov Model and show the equations for the transition rates (λs) in the Markov Model. The PFDavg calculations for the TRICON are in the EXCEL spreadsheet TRICONV10.5_1110. The results of the PFDavg calculations are shown on Sheet 2 of the spreadsheet.
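To make the mechanics of a fail-to-function Markov model concrete, here is an added Python example. It is not the 44-state Triconex model described above (that model lives in the spreadsheet and was reviewed by TÜV); it is a five-state model following the same logic: an initial no-failure state, an intermediate dangerous undetected state, a repairable dangerous detected state, a temporary fail-to-function state that returns to the undetected state once the detected failure is repaired, and an absorbing state with two undetected failures. The channel count, the one hour time step and all rates used in the run are assumptions chosen for illustration, and PFDavg is obtained numerically by stepping the state probabilities over one proof test interval.

```python
"""Numerical PFDavg from a small fail-to-function Markov model.

Added illustration with five states in the spirit of the report's model
(the Triconex model reviewed by TUV has 44 states and lives in the
spreadsheet).  Three channels are assumed; two dangerous failures are needed
to lose the function.  All rates in the example run are constructed.
"""

# State indices
OK, ONE_DU, ONE_DD, DU_PLUS_DD, TWO_DU = range(5)
STATE_NAMES = {
    OK: "no failures (initial state after complete repair)",
    ONE_DU: "one dangerous undetected failure (hidden until proof test)",
    ONE_DD: "one dangerous detected failure (under repair)",
    DU_PLUS_DD: "temporary fail-to-function (DU plus DD, DD repairable)",
    TWO_DU: "absorbing fail-to-function (two DU failures)",
}
N_CHANNELS = 3  # assumed triplicated architecture


def transition_matrix(lam_du, lam_dd, mttr_hours, dt_hours=1.0):
    """Discrete-time transition probabilities for one step of dt hours.

    lam_du and lam_dd are per-channel rates (failures per hour); mu = 1/MTTR is
    the repair rate for a detected failure.  A second detected failure while
    one is already under repair is neglected as second order.
    """
    mu = 1.0 / mttr_hours
    healthy_after_one = N_CHANNELS - 1
    rates = {
        (OK, ONE_DU): N_CHANNELS * lam_du,
        (OK, ONE_DD): N_CHANNELS * lam_dd,
        (ONE_DU, TWO_DU): healthy_after_one * lam_du,
        (ONE_DU, DU_PLUS_DD): healthy_after_one * lam_dd,
        (ONE_DD, OK): mu,
        (ONE_DD, DU_PLUS_DD): healthy_after_one * lam_du,
        (DU_PLUS_DD, ONE_DU): mu,  # repairing the DD leaves the hidden DU behind
    }
    size = len(STATE_NAMES)
    matrix = [[0.0] * size for _ in range(size)]
    for (src, dst), rate in rates.items():
        matrix[src][dst] += rate * dt_hours
    for src in range(size):
        stay = 1.0 - sum(matrix[src])
        if stay < 0.0:
            raise ValueError("time step too large for the given rates")
        matrix[src][src] += stay
    return matrix


def pfd_avg(lam_du, lam_dd, mttr_hours, ti_hours, dt_hours=1.0):
    """Time-average probability of a fail-to-function state over one TI.

    Starts in the no-failure state (as after a complete proof test and repair)
    and steps the state distribution forward; PFD(t) is the probability mass
    in the two fail-to-function states, averaged over the interval.
    """
    matrix = transition_matrix(lam_du, lam_dd, mttr_hours, dt_hours)
    size = len(matrix)
    prob = [1.0] + [0.0] * (size - 1)
    steps = int(round(ti_hours / dt_hours))
    accumulated = 0.0
    for _ in range(steps):
        accumulated += prob[DU_PLUS_DD] + prob[TWO_DU]
        prob = [sum(prob[i] * matrix[i][j] for i in range(size)) for j in range(size)]
    return accumulated / steps


if __name__ == "__main__":
    # Constructed per-channel rates, 30 month TI, 24 h MTTR
    result = pfd_avg(lam_du=1.0e-7, lam_dd=1.0e-6, mttr_hours=24.0, ti_hours=21_900.0)
    print(f"PFDavg over a 30 month TI: {result:.3e}")
```

With the constructed rates the absorbing two-DU state contributes almost all of the average (about λ_DU² TI², the value the simplified 2oo3 equation gives), while the temporary fail-to-function state contributes only a few percent because a detected failure is cleared within the 24 hour MTTR; that is the quantitative reason the report can treat detected failures as negligible once MTTR is short compared to TI.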


Figure A1 – Part 1: Fail-to-Function Markov Model for TRICON V10.5 TMR Controller


Figure A1 – Part 2: Fail-to-Function Markov Model for TRICON V10.5 TMR Controller


Figure A1 – Part 3: Fail-to-Function Markov Model for TRICON V10.5 TMR Controller

Fail-to-Function Markov Model States for TRICON V10.5 TMR Controller

State 1: No Failures (Initial State after Complete Repair)
State 2: Dangerous Undetected Failure of a Digital Input Common Processing Circuit
State 3: Dangerous Undetected Failure of a Digital Input Circuit
State 4: Dangerous Undetected Failure of an Analog Input Common Processing Circuit
State 5: Dangerous Undetected Failure of an Analog Input Circuit
State 6: Dangerous Undetected Failure of an Isolated Analog Input Processing Circuit


State 7: Dangerous Undetected Failure of an Isolated Analog Input Circuit
State 8: Dangerous Undetected Failure of an Analog Output Common Processing Circuit
State 9: Not used (Analog Output Point failure rate is very small because of triplicated DACs on each AO point and can be neglected)
State 10: Dangerous Undetected Failure of a Main Processor
State 11: Dangerous Undetected Failure of a 24 VDC Digital Output Common Processing Circuit
State 12: Dangerous Undetected Failure of a 24 VDC Digital Output Switch
State 13: Dangerous Undetected Failure of a 115 VAC Digital Output Common Processing Circuit
State 14: Dangerous Undetected Failure of a 115 VAC Digital Output Switch
State 15: Dangerous Undetected Failure of a High Density Digital Input Common Processing Circuit
State 16: Dangerous Undetected Failure of a High Density Digital Input Circuit
State 17: Dangerous Undetected Failure of a High Density Analog Input Common Processing Circuit
State 18: Dangerous Undetected Failure of a High Density Analog Input Circuit
State 19: Dangerous Undetected Failure of a Pulse Input Common Processing Circuit
State 20: Dangerous Undetected Failure of a Pulse Input Circuit
State 21: Not used (reserved for addition of an I/O module)
State 22: Not used (reserved for addition of an I/O module)
State 23: Repairable Fail-to-Function State Due to Dangerous Undetected Failure of a Digital Input Common Processing Circuit Plus Additional Dangerous Detected Failure of Processor or Digital Input Module on 2nd Leg
State 24: Repairable Fail-to-Function State Due to Dangerous Undetected Failure of a Digital Input Circuit Plus Additional Dangerous Detected Failure of Processor or Digital Input Module on 2nd Leg
State 25: Repairable Fail-to-Function State Due to Dangerous Undetected Failure of an Analog Input Common Processing Circuit Plus Additional Dangerous Detected Failure of Processor or Analog Input Module on 2nd Leg
State 26: Repairable Fail-to-Function State Due to Dangerous Undetected Failure of an Analog Input Circuit Plus Additional Dangerous Detected Failure of Processor or Analog Input Module on 2nd Leg
State 27: Repairable Fail-to-Function State Due to Dangerous Undetected Failure of an Isolated Analog Input Common Processing Circuit Plus Additional Dangerous Detected Failure of Processor or Isolated Analog Input Module on 2nd Leg
State 28: Repairable Fail-to-Function State Due to Dangerous Undetected Failure of an Isolated Analog Input Circuit Plus Additional Dangerous Detected Failure of Processor or Isolated Analog Input Module on 2nd Leg
State 29: Repairable Fail-to-Function State Due to Dangerous Undetected Failure of an Analog Output Common Processing Circuit Plus Additional Dangerous Detected Failure of Processor or Analog Output Module on 2nd Leg
State 30: Not used (Analog Output Point failure rate is very small because of triplicated DACs on each AO point and can be neglected)
State 31: Repairable Fail-to-Function State Due to Dangerous Undetected Failure of a Main Processor Plus Additional Dangerous Detected Failure of Processor or Other I/O Module on 2nd Leg


State 32: Repairable Fail-to-Function State Due to Dangerous Undetected Failure of a 24 VDC Digital Output Common Processing Circuit Plus Additional Dangerous Detected Failure of Processor or 24 VDC Digital Output Module on 2nd Leg

State 33: Repairable Fail-to-Function State Due to Dangerous Undetected Failure of a 24 VDC Digital Output Switch Plus Additional Dangerous Detected Failure of Processor or 24 VDC Digital Output Module on 2nd Leg

State 34: Repairable Fail-to-Function State Due to Dangerous Undetected Failure of a 115 VAC Digital Output Common Processing Circuit Plus Additional Dangerous Detected Failure of Processor or 115 VAC Digital Output Module on 2nd Leg

State 35: Repairable Fail-to-Function State Due to Dangerous Undetected Failure of a 115 VAC Digital Output Switch Plus Additional Dangerous Detected Failure of Processor or 115 VAC Digital Output Module on 2nd Leg

State 36: Repairable Fail-to-Function State Due to Dangerous Undetected Failure of a High Density Digital Input Common Processing Circuit Plus Additional Dangerous Detected Failure of Processor or High Density Digital Input Module on 2nd Leg

State 37: Repairable Fail-to-Function State Due to Dangerous Undetected Failure of a High Density Digital Input Circuit Plus Additional Dangerous Detected Failure of Processor or High Density Digital Input Module on 2nd Leg

State 38: Repairable Fail-to-Function State Due to Dangerous Undetected Failure of a High Density Analog Input Common Processing Circuit Plus Additional Dangerous Detected Failure of Processor or High Density Analog Input Module on 2nd Leg

State 39: Repairable Fail-to-Function State Due to Dangerous Undetected Failure of a High Density Analog Input Circuit Plus Additional Dangerous Detected Failure of Processor or High Density Analog Input Module on 2nd Leg

State 40: Repairable Fail-to-Function State Due to Dangerous Undetected Failure of a Pulse Input Common Processing Circuit Plus Additional Dangerous Detected Failure of Processor or Pulse Input Module on 2nd Leg

State 41: Repairable Fail-to-Function State Due to Dangerous Undetected Failure of a Pulse Input Circuit Plus Additional Dangerous Detected Failure of Processor or Pulse Input Module on 2nd Leg

State 42: Not used (reserved for addition of an I/O module)
State 43: Not used (reserved for addition of an I/O module)
State 44: Final Absorbing Fail-to-Function State Due to Dangerous Undetected Failures on Two Legs


Calculation of PFDavg for Low Demand Mode

$$
\begin{aligned}
\mathrm{PFD} ={}& \big(\lambda_{1,2}\lambda_{2,23} + \lambda_{1,3}\lambda_{3,24} + \lambda_{1,4}\lambda_{4,25} + \lambda_{1,5}\lambda_{5,26} + \lambda_{1,6}\lambda_{6,27} + \lambda_{1,7}\lambda_{7,28} + \lambda_{1,8}\lambda_{8,29} + \lambda_{1,9}\lambda_{9,30} \\
&+ \lambda_{1,10}\lambda_{10,31} + \lambda_{1,11}\lambda_{11,32} + \lambda_{1,12}\lambda_{12,33} + \lambda_{1,13}\lambda_{13,34} + \lambda_{1,14}\lambda_{14,35} + \lambda_{1,15}\lambda_{15,36} + \lambda_{1,16}\lambda_{16,37} \\
&+ \lambda_{1,17}\lambda_{17,38} + \lambda_{1,18}\lambda_{18,39} + \lambda_{1,19}\lambda_{19,40} + \lambda_{1,20}\lambda_{20,41} + \lambda_{1,21}\lambda_{21,42} + \lambda_{1,22}\lambda_{22,43}\big)\,\mathrm{MTTR}_{OT}\,t \\
&+ \lambda_{1,44}\,t + \big(\lambda_{1,1}\lambda_{1,44} + \lambda_{1,2}\lambda_{2,44} + \lambda_{1,3}\lambda_{3,44} + \lambda_{1,4}\lambda_{4,44} + \lambda_{1,5}\lambda_{5,44} + \lambda_{1,6}\lambda_{6,44} + \lambda_{1,7}\lambda_{7,44} \\
&+ \lambda_{1,8}\lambda_{8,44} + \lambda_{1,9}\lambda_{9,44} + \lambda_{1,10}\lambda_{10,44} + \lambda_{1,11}\lambda_{11,44} + \lambda_{1,12}\lambda_{12,44} + \lambda_{1,13}\lambda_{13,44} + \lambda_{1,14}\lambda_{14,44} \\
&+ \lambda_{1,15}\lambda_{15,44} + \lambda_{1,16}\lambda_{16,44} + \lambda_{1,17}\lambda_{17,44} + \lambda_{1,18}\lambda_{18,44} + \lambda_{1,19}\lambda_{19,44} + \lambda_{1,20}\lambda_{20,44} + \lambda_{1,21}\lambda_{21,44} \\
&+ \lambda_{1,22}\lambda_{22,44}\big)\,\frac{t^{2}}{2}
\end{aligned}
$$

Here $\lambda_{i,j}$ is the transition rate from state $i$ to state $j$ of the Fail-to-Function Markov Model, $\mathrm{MTTR}_{OT}$ is the on-line repair time for dangerous detected failures, and $t$ is the time since the last complete proof test.


Equations for Failure Rates in TRICON V10.5 Fail-to-Function Markov Model for High Demand Modes with Repair of Dangerous Detected Failures

λ1,2 = 3*nsf*FR_IP_DU
λ1,3 = 3*nsf*ndipts*FR_IC_DU
λ1,4 = 3*nasf*FR_AIP_DU
λ1,5 = 3*nasf*ndaipts*FR_AIC_DU
λ1,6 = 3*niaisf*FR_IAIP_DU
λ1,7 = 3*niaisf*niaipts*FR_IAIC_DU
λ1,8 = 3*maosf*FR_AOP_DU
λ1,9 = 0
λ1,10 = 3*FR_MP_DU
λ1,11 = 3*msf*FR_OP_DU
λ1,12 = 4*msf*ndopts*FR_OC_DU
λ1,13 = 3*mhvsf*FR_HVOP_DU
λ1,14 = 4*mhvsf*nhvdopts*FR_HVOC_DU
λ1,15 = 3*nhdsf*FR_HDIP_DU
λ1,16 = 3*nhdsf*nhddipts*FR_HDIC_DU
λ1,17 = 3*nahdsf*FR_HDAIP_DU
λ1,18 = 3*nahdsf*nhdaipts*FR_HDAIC_DU
λ1,19 = 3*npsf*FR_PIP_DU
λ1,20 = 3*npsf*npipts*FR_PIC_DU

λ1,44 = Beta*ccf3legs*(FR_MP_DU + nsf*FR_ISF_DU + nhdsf*FR_HDISF_DU + nasf*FR_AISF_DU + nahdsf*FR_HDAISF_DU + niaisf*FR_IAISF_DU + maosf*FR_AO_DU + msf*FR_OSF_DU + mhvsf*FR_HVOSF_DU + npsf*FR_PISF_DU)
       + BetaD*ccf3legs*(FR_MP_DD + nsf*FR_ISF_DD + nhdsf*FR_HDISF_DD + nasf*FR_AISF_DD + nahdsf*FR_HDAISF_DD + niaisf*FR_IAISF_DD + maosf*FR_AO_DD + msf*FR_OSF_DD + mhvsf*FR_HVOSF_DD + npsf*FR_PISF_DD)

λ2,23 = 2*(FR_MP_DD + FR_ISF_DD)
λ2,44 = 2*(FR_MP_DU + FR_ISF_DU)
λ3,24 = 2*(FR_MP_DD + FR_IP_DD + FR_IC_DD)
λ3,44 = 2*(FR_MP_DU + FR_IP_DU + FR_IC_DU)
λ4,25 = 2*(FR_MP_DD + FR_AISF_DD)
λ4,44 = 2*(FR_MP_DU + FR_AISF_DU)
λ5,26 = 2*(FR_MP_DD + FR_AIP_DD + FR_AIC_DD)
λ5,44 = 2*(FR_MP_DU + FR_AIP_DU + FR_AIC_DU)
λ6,27 = 2*(FR_MP_DD + FR_IAISF_DD)
λ6,44 = 2*(FR_MP_DU + FR_IAISF_DU)
λ7,28 = 2*(FR_MP_DD + FR_IAIP_DD + FR_IAIC_DD)
λ7,44 = 2*(FR_MP_DU + FR_IAIP_DU + FR_IAIC_DU)
λ8,29 = 2*(FR_MP_DD + FR_AO_DD)
λ8,44 = 2*(FR_MP_DU + FR_AO_DU)

λ9,30 = 0
λ9,44 = 0
λ10,31 = 2*(FR_MP_DD + nsf*FR_ISF_DD + nasf*FR_AISF_DD + niaisf*FR_IAISF_DD + maosf*FR_AO_DD + msf*FR_OSF_DD + mhvsf*FR_HVOSF_DD + nhdsf*FR_HDISF_DD + nahdsf*FR_HDAISF_DD + npsf*FR_PISF_DD)
λ10,44 = 2*(FR_MP_DU + nsf*FR_ISF_DU + nasf*FR_AISF_DU + niaisf*FR_IAISF_DU + maosf*FR_AO_DU + msf*FR_OSF_DU + mhvsf*FR_HVOSF_DU + nhdsf*FR_HDISF_DU + nahdsf*FR_HDAISF_DU + npsf*FR_PISF_DU)

λ11,32 = 2*(FR_MP_DD + FR_OSF_DD)
λ11,44 = 2*(FR_MP_DU + FR_OSF_DU)
λ12,33 = 2*(FR_MP_DD + FR_OP_DD + FR_OC_DD)
λ12,44 = 2*(FR_MP_DU + FR_OP_DU + FR_OC_DU)
λ13,34 = 2*(FR_MP_DD + FR_HVOSF_DD)
λ13,44 = 2*(FR_MP_DU + FR_HVOSF_DU)
λ14,35 = 2*(FR_MP_DD + FR_HVOP_DD + FR_HVOC_DD)
λ14,44 = 2*(FR_MP_DU + FR_HVOP_DU + FR_HVOC_DU)
λ15,36 = 2*(FR_MP_DD + FR_HDISF_DD)
λ15,44 = 2*(FR_MP_DU + FR_HDISF_DU)
λ16,37 = 2*(FR_MP_DD + FR_HDIP_DD + FR_HDIC_DD)
λ16,44 = 2*(FR_MP_DU + FR_HDIP_DU + FR_HDIC_DU)
λ17,38 = 2*(FR_MP_DD + FR_HDAISF_DD)

λ17,44 = 2*(FR_MP_DU + FR_HDAISF_DU)
λ18,39 = 2*(FR_MP_DD + FR_HDAIP_DD + FR_HDAIC_DD)
λ18,44 = 2*(FR_MP_DU + FR_HDAIP_DU + FR_HDAIC_DU)
λ19,40 = 2*(FR_MP_DD + FR_PISF_DD)
λ19,44 = 2*(FR_MP_DU + FR_PISF_DU)
λ20,41 = 2*(FR_MP_DD + FR_PIP_DD + FR_PIC_DD)
λ20,44 = 2*(FR_MP_DU + FR_PIP_DU + FR_PIC_DU)
λ23,2 = λ24,3 = λ25,4 = λ26,5 = λ27,6 = λ28,7 = MU_OT
λ29,8 = λ30,9 = λ31,10 = λ32,11 = λ33,12 = λ34,13 = λ35,14 = MU_OT
λ36,15 = λ37,16 = λ38,17 = λ39,18 = λ40,19 = λ41,20 = λ42,21 = λ43,22 = MU_OT


Equations for Failure Rates in TRICON V10.5 Fail-to-Function Markov Model for Continuous and Very High Demand Modes with No Repair of Dangerous Detected Failures

For the Continuous and Very High Demand Modes there is no repair, and hence States 23 through 43 are not used.

λ1,2C = 3*nsf*FR_IP_D
λ1,3C = 3*nsf*ndipts*FR_IC_D
λ1,4C = 3*nasf*FR_AIP_D
λ1,5C = 3*nasf*ndaipts*FR_AIC_D
λ1,6C = 3*niaisf*FR_IAIP_D
λ1,7C = 3*niaisf*niaipts*FR_IAIC_D
λ1,8C = 3*maosf*FR_AOP_D
λ1,9C = 0
λ1,10C = 3*FR_MP_D
λ1,11C = 3*msf*FR_OP_D
λ1,12C = 4*msf*ndopts*FR_OC_D
λ1,13C = 3*mhvsf*FR_HVOP_D
λ1,14C = 4*mhvsf*nhvdopts*FR_HVOC_D
λ1,15C = 3*nhdsf*FR_HDIP_D
λ1,16C = 3*nhdsf*nhddipts*FR_HDIC_D
λ1,17C = 3*nahdsf*FR_HDAIP_D
λ1,18C = 3*nahdsf*nhdaipts*FR_HDAIC_D
λ1,19C = 3*npsf*FR_PIP_D
λ1,20C = 3*npsf*npipts*FR_PIC_D
λ1,21C = 0
λ1,22C = 0

λ1,44C = Beta*ccf3legs*(FR_MP_DU + nsf*FR_ISF_DU + nhdsf*FR_HDISF_DU + nasf*FR_AISF_DU + nahdsf*FR_HDAISF_DU + niaisf*FR_IAISF_DU + maosf*FR_AO_DU + msf*FR_OSF_DU + mhvsf*FR_HVOSF_DU + npsf*FR_PISF_DU)
        + BetaD*ccf3legs*(FR_MP_DD + nsf*FR_ISF_DD + nhdsf*FR_HDISF_DD + nasf*FR_AISF_DD + nahdsf*FR_HDAISF_DD + niaisf*FR_IAISF_DD + maosf*FR_AO_DD + msf*FR_OSF_DD + mhvsf*FR_HVOSF_DD + npsf*FR_PISF_DD)

λ2,44C = 2*(FR_MP_D + FR_ISF_DU + FR_ISF_DD)
λ3,44C = 2*(FR_MP_D + FR_IP_D + FR_IC_D)
λ4,44C = 2*(FR_MP_D + FR_AISF_DU + FR_AISF_DD)
λ5,44C = 2*(FR_MP_D + FR_AIP_D + FR_AIC_D)
λ6,44C = 2*(FR_MP_D + FR_IAISF_DU + FR_IAISF_DD)
λ7,44C = 2*(FR_MP_D + FR_IAIP_D + FR_IAIC_D)
λ8,44C = 2*(FR_MP_D + FR_AO_D)
λ9,44C = 0
λ10,44C = 2*(FR_MP_D + nsf*FR_ISF_DU + nasf*FR_AISF_DU + niaisf*FR_IAISF_DU + maosf*FR_AO_DU + msf*FR_OSF_DU + mhvsf*FR_HVOSF_DU + nhdsf*FR_HDISF_DU + nahdsf*FR_HDAISF_DU + npsf*FR_PISF_DU + nsf*FR_ISF_DD + nasf*FR_AISF_DD + niaisf*FR_IAISF_DD + maosf*FR_AO_DD + msf*FR_OSF_DD + mhvsf*FR_HVOSF_DD + nhdsf*FR_HDISF_DD + nahdsf*FR_HDAISF_DD + npsf*FR_PISF_DD)

λ11,44C = 2*(FR_MP_D + FR_OSF_DU + FR_OSF_DD)
λ12,44C = 2*(FR_MP_D + FR_OP_D + FR_OC_D)
λ13,44C = 2*(FR_MP_D + FR_HVOSF_DU + FR_HVOSF_DD)
λ14,44C = 2*(FR_MP_D + FR_HVOP_D + FR_HVOC_D)
λ15,44C = 2*(FR_MP_D + FR_HDISF_DU + FR_HDISF_DD)
λ16,44C = 2*(FR_MP_D + FR_HDIP_D + FR_HDIC_D)
λ17,44C = 2*(FR_MP_D + FR_HDAISF_DU + FR_HDAISF_DD)
λ18,44C = 2*(FR_MP_D + FR_HDAIP_D + FR_HDAIC_D)
λ19,44C = 2*(FR_MP_D + FR_PISF_DU + FR_PISF_DD)
λ20,44C = 2*(FR_MP_D + FR_PIP_D + FR_PIC_D)
λ21,44C = 0
λ22,44C = 0
λ23,2 = λ24,3 = λ25,4 = λ26,5 = λ27,6 = λ28,7 = 0
λ29,8 = λ30,9 = λ31,10 = λ32,11 = λ33,12 = λ34,13 = λ35,14 = 0
λ36,15 = λ37,16 = λ38,17 = λ39,18 = λ40,19 = λ41,20 = λ42,21 = λ43,22 = 0


Definition of Terms

nsf = Number of 32 Point Digital Input Modules for Largest Safety Function
ndipts = Number of Digital Input Points per Module for Largest Safety Function
nhdsf = Number of 64 Point HD Digital Input Modules for Largest Safety Function
nhddipts = Number of HD Digital Input Points per Module for Largest Safety Function
nasf = Number of 32 Point Diff. Analog Input Modules for Largest Safety Function
ndaipts = Number of Diff. Analog Input Points per Module for Largest Safety Function
nahdsf = Number of 64 Point HD Analog Input Modules for Largest Safety Function
nhdaipts = Number of HD Analog Input Points per Module for Largest Safety Function
niaisf = Number of 16 Point Isolated Analog Input Modules for Largest Safety Function
niaipts = Number of Isolated Analog Input Points per Module for Largest Safety Function
msf = Number of 32 Point 24 VDC Digital Output Modules for Largest Safety Function
ndopts = Number of 24 VDC Digital Output Points per Module for Largest Safety Function
mhvsf = Number of 16 Point 115 VAC Digital Output Modules for Largest Safety Function
nhvdopts = Number of 115 VAC Digital Output Points per Module for Largest Safety Function
maosf = Number of Analog Output Modules for Largest Safety Function
npsf = Number of Pulse Input Modules for Largest Safety Function
npipts = Number of Pulse Input Points per Module for Largest Safety Function
nic = Number of Input Points on Digital Input and Analog Input Modules (32 points)
nhdic = Number of Input Points on High Density DI and AI Modules (64 points)
niaic = Number of Input Points on Isolated Analog Input Modules (16 points)
noc = Number of Output Points on 115 VAC Digital Output Modules (16 points)
nhdoc = Number of Output Points on 24 VDC Digital Output Modules (32 points)
npc = Number of Pulse Input Points on Pulse Input Modules (8 points)
FR_AI = Failure Rate of a Diff. Analog Input Module Leg
FR_AISF = Failure Rate of a Diff. Analog Input Module with Input Circuits for Largest Safety Function
FR_AI_DU = Dangerous Undetected Failure Rate of a Diff. Analog Input Module Leg
FR_AI_DD = Dangerous Detected Failure Rate of a Diff. Analog Input Module Leg
FR_AIP = Failure Rate of a Diff. Analog Input Module Common Processing Circuit
FR_AIP_DU = Dangerous Undetected Failure Rate of an Analog Input Module Common Processing Circuit
FR_AIC = Failure Rate of a Diff. Analog Input Circuit
FR_AIC_DU = Dangerous Undetected Failure Rate of a Diff. Analog Input Circuit
FR_AOP = Failure Rate of a Diff. Analog Output Module Common Processing Circuit
FR_AOP_DD = Dangerous Detected Failure Rate of an Analog Output Module Common Processing Circuit
FR_AOP_DU = Dangerous Undetected Failure Rate of an Analog Output Module Common Processing Circuit
FR_HDAI = Failure Rate of a High Density Analog Input Module Leg
FR_HDAISF = Failure Rate of a High Density Analog Input Module with Input Circuits for Largest Safety Function
FR_HDAI_DU = Dangerous Undetected Failure Rate of a High Density Analog Input Module Leg
FR_HDAI_DD = Dangerous Detected Failure Rate of a High Density Analog Input Module Leg
FR_HDAIP = Failure Rate of a High Density Analog Input Module Common Processing Circuit
FR_HDAIP_DU = Dangerous Undetected Failure Rate of a High Density Analog Input Module Common Processing Circuit
FR_HDAIC = Failure Rate of a High Density Analog Input Circuit
FR_HDAIC_DU = Dangerous Undetected Failure Rate of a High Density Analog Input Circuit
FR_HDI = Failure Rate of a High Density Digital Input Module Leg
FR_HDISF = Failure Rate of a High Density Digital Input Module with Input Circuits for Largest Safety Function
FR_HDI_DU = Dangerous Undetected Failure Rate of a High Density Digital Input Module Leg
FR_HDI_DD = Dangerous Detected Failure Rate of a High Density Digital Input Module Leg
FR_HDIP = Failure Rate of a High Density Digital Input Module Common Processing Circuit
FR_HDIP_DU = Dangerous Undetected Failure Rate of a High Density Digital Input Module Common Processing Circuit
FR_HDIC = Failure Rate of a High Density Digital Input Circuit
FR_HDIC_DU = Dangerous Undetected Failure Rate of a High Density Digital Input Circuit
FR_HVO = Failure Rate of a 115 VAC Digital Output Module Leg
FR_HVOSF = Failure Rate of a 115 VAC Digital Output Module with Output Circuits for Largest Safety Function
FR_HVO_DU = Dangerous Undetected Failure Rate of a 115 VAC Digital Output Module Leg
FR_HVO_DD = Dangerous Detected Failure Rate of a 115 VAC Digital Output Module Leg
FR_HVOP = Failure Rate of a 115 VAC Digital Output Module Common Processing Circuit
FR_HVOP_DU = Dangerous Undetected Failure Rate of a 115 VAC Digital Output Module Common Processing Circuit
FR_HVOC = Failure Rate of a 115 VAC Digital Output Switch
FR_HVOC_DU = Dangerous Undetected Failure Rate of a 115 VAC Digital Output Switch
FR_IAI = Failure Rate of an Isolated Analog Input Module Leg
FR_IAISF = Failure Rate of an Isolated Analog Input Module with Input Circuits for Largest Safety Function
FR_IAI_DU = Dangerous Undetected Failure Rate of an Isolated Analog Input Module Leg
FR_IAI_DD = Dangerous Detected Failure Rate of an Isolated Analog Input Module Leg
FR_IAIP = Failure Rate of an Isolated Analog Input Module Common Processing Circuit
FR_IAIP_DU = Dangerous Undetected Failure Rate of an Isolated Analog Input Module Common Processing Circuit
FR_IAIC = Failure Rate of an Isolated Analog Input Module Input Circuit
FR_IAIC_DU = Dangerous Undetected Failure Rate of an Isolated Analog Input Circuit
FR_I = Failure Rate of a 24 VDC Digital Input Module Leg
FR_ISF = Failure Rate of a 24 VDC Digital Input Module with Input Circuits for Largest Safety Function
FR_I_DU = Dangerous Undetected Failure Rate of a 24 VDC Input Module Leg
FR_I_DD = Dangerous Detected Failure Rate of a 24 VDC Input Module Leg
FR_IP = Failure Rate of a 24 VDC Input Module Common Processing Circuit
FR_IP_DU = Dangerous Undetected Failure Rate of a 24 VDC Input Module Common Processing Circuit
FR_IC = Failure Rate of a 24 VDC Digital Input Circuit
FR_IC_DU = Dangerous Undetected Failure Rate of a 24 VDC Input Circuit
FR_MP = Failure Rate of a Main Processor
FR_MP_DD = Dangerous Detected Failure Rate of a Main Processor
FR_MP_DU = Dangerous Undetected Failure Rate of a Main Processor
FR_O = Failure Rate of a 24 VDC Digital Output Module Leg
FR_OSF = Failure Rate of a 24 VDC Digital Output Module with Output Circuits for Largest Safety Function
FR_O_DU = Dangerous Undetected Failure Rate of a 24 VDC Digital Output Module Leg
FR_O_DD = Dangerous Detected Failure Rate of a 24 VDC Digital Output Module Leg
FR_OP = Failure Rate of a 24 VDC Digital Output Module Common Processing Circuit
FR_OP_DU = Dangerous Undetected Failure Rate of a 24 VDC Digital Output Module Common Processing Circuit
FR_OC = Failure Rate of a 24 VDC Digital Output Switch
FR_OC_DU = Dangerous Undetected Failure Rate of a 24 VDC Digital Output Switch
FR_PI = Failure Rate of a Pulse Input Module Leg
FR_PISF = Failure Rate of a Pulse Input Module with Input Circuits for Largest Safety Function
FR_PI_DU = Dangerous Undetected Failure Rate of a Pulse Input Module Leg
FR_PI_DD = Dangerous Detected Failure Rate of a Pulse Input Module Leg
FR_PIP = Failure Rate of a Pulse Input Module Common Processing Circuit
FR_PIP_DU = Dangerous Undetected Failure Rate of a Pulse Input Module Common Processing Circuit
FR_PIC = Failure Rate of a Pulse Input Circuit
FR_PIC_DU = Dangerous Undetected Failure Rate of a Pulse Input Circuit
Beta = Common Cause Factor for Dangerous Undetected Failures (0.015 or 1.5%)
ccf3legs = Fraction of Common Cause Failures that affect all 3 Tricon legs (0.25)
BetaD = Common Cause Factor for Dangerous Detected Failures (0.005 or 0.5%)
FR_ISF_DD = FR_IP_DD + ndipts*FR_IC_DD
FR_ISF_DU = FR_IP_DU + ndipts*FR_IC_DU
FR_AISF_DD = FR_AIP_DD + ndaipts*FR_AIC_DD
FR_AISF_DU = FR_AIP_DU + ndaipts*FR_AIC_DU
FR_IAISF_DD = FR_IAIP_DD + niaipts*FR_IAIC_DD
FR_IAISF_DU = FR_IAIP_DU + niaipts*FR_IAIC_DU
FR_OSF_DD = FR_OP_DD + 4/3*ndopts*FR_OC_DD (4/3 for quad output voter)
FR_OSF_DU = FR_OP_DU + 4/3*ndopts*FR_OC_DU (4/3 for quad output voter)
FR_HVOSF_DD = FR_HVOP_DD + 4/3*nhvdopts*FR_HVOC_DD (4/3 for quad output voter)
FR_HVOSF_DU = FR_HVOP_DU + 4/3*nhvdopts*FR_HVOC_DU (4/3 for quad output voter)
FR_AO = FR_AOP; FR_AOC can be ignored because the output circuit failure rate is very small due to the triplicated DACs in each output circuit.
FR_HDAISF_DD = FR_HDAIP_DD + nhdaipts*FR_HDAIC_DD
FR_HDAISF_DU = FR_HDAIP_DU + nhdaipts*FR_HDAIC_DU
FR_HDISF_DD = FR_HDIP_DD + nhddipts*FR_HDIC_DD
FR_HDISF_DU = FR_HDIP_DU + nhddipts*FR_HDIC_DU
FR_PISF_DD = FR_PIP_DD + npipts*FR_PIC_DD
FR_PISF_DU = FR_PIP_DU + npipts*FR_PIC_DU


MEAN TIME TO FAILURE – SPURIOUS CALCULATIONS USING TRICON Version 10.5 FAIL-SAFE MARKOV MODEL

The Fail Safe Markov Model for the TRICON Version 10.5 is shown in Figure A2. It should be noted that the Markov states 1D, 1U, 2D, 2U, …, ND, NU are intermediate states where one safe failure has occurred; since the TRICON has three legs, a second safe failure must occur before the system is in the fail safe state (state 0). It should also be noted that states 1D, 2D, …, ND are for detected safe failures that are repaired on-line with repair rate µ_OT. States 1U, 2U, …, NU are for undetected safe failures that are repaired during periodic off-line testing with a repair rate µ_PT. The Markov Model can be simplified by using the total safe failure rates of the subsystems and an effective repair rate µ_i of the subsystems. This simplified model is shown in Figure A3. There is a closed form solution for MTTFspurious when the Markov Model is of the form shown in Figure A3. The equation for MTTFspurious is as follows:

$$
\mathrm{MTTF}_{\mathrm{spurious}} = \frac{1 + \displaystyle\sum_{i=1}^{n} \frac{\lambda_i}{\mu_i + \theta_i}}{\displaystyle\sum_{i=1}^{n} \frac{\lambda_i\,\theta_i}{\mu_i + \theta_i}}
$$

where λ_i is the rate of the first subsystem failure into an intermediate (derated) state i, θ_i is the failure rate from the derated state i to the fail safe state, and µ_i is the effective repair rate of the subsystems in the derated state. The expression 1/(µ_i + θ_i) in the MTTFspurious equation can be computed using the following equation:

$$
\frac{1}{\mu_i + \theta_i} = \frac{C_i}{\mu_{OT} + \theta_i} + \frac{1 - C_i}{\mu_{PT} + \theta_i}
$$

where C_i is the diagnostic coverage for the subsystem. Figure A4 – Part 1, Figure A4 – Part 2 and Figure A4 – Part 3 show the Fail Safe Markov Model for the TRICON Version 10.5 TMR Controller. Subsequent sections of the document contain the equations for the expressions in the Fail Safe Markov Model. The last section of the document contains a definition of terms. The MTTFspurious calculations for the TRICON Version 10.5 are in an EXCEL spreadsheet TRICONV10.5_1110. The results of the MTTFspurious calculations are shown on Sheet 3 of the spreadsheet.
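As an added worked example (not part of the original analysis and not the Triconex spreadsheet), the closed-form MTTFspurious expression above, with 1/(µ_i + θ_i) expanded by diagnostic coverage, is evaluated for three constructed subsystems and checked against a direct numerical solve of the detected/undetected model of Figure A2; every failure rate, repair rate and coverage below is a constructed placeholder value, not TRICON data.

```python
"""Closed-form MTTFspurious (simplified model, Figure A3) checked against a
direct solve of the detected/undetected fail-safe Markov model (Figure A2).

All numeric values are constructed for illustration; none are TRICON
failure-rate data from the reliability analysis.
"""
from typing import List, NamedTuple


class Subsystem(NamedTuple):
    name: str
    lam: float       # lambda_i: rate of first safe failure, OK -> derated state i (1/h)
    theta: float     # theta_i: rate from derated state i to fail-safe state 0 (1/h)
    coverage: float  # C_i: fraction of the subsystem's safe failures detected on-line


# Constructed repair rates: MU_OT for on-line repair of detected safe failures,
# MU_PT for undetected safe failures cleared at the periodic off-line test.
MU_OT = 1.0 / 8.0      # 8 h mean repair time for a detected safe failure
MU_PT = 1.0 / 4380.0   # undetected failures found at a ~6-month off-line test

SAMPLE_SUBSYSTEMS: List[Subsystem] = [   # constructed values
    Subsystem("main processor", lam=1.0e-4, theta=2.0e-5, coverage=0.99),
    Subsystem("digital input",  lam=3.0e-4, theta=4.0e-5, coverage=0.95),
    Subsystem("analog output",  lam=6.0e-5, theta=1.5e-5, coverage=0.90),
]


def inv_mu_plus_theta(s: Subsystem, mu_ot: float, mu_pt: float) -> float:
    """1/(mu_i + theta_i) from the coverage-weighted expression in the text."""
    return s.coverage / (mu_ot + s.theta) + (1.0 - s.coverage) / (mu_pt + s.theta)


def mttf_spurious_closed_form(subsystems, mu_ot=MU_OT, mu_pt=MU_PT) -> float:
    """MTTFspurious = (1 + sum lam_i/(mu_i+theta_i)) / sum(lam_i*theta_i/(mu_i+theta_i))."""
    numerator, denominator = 1.0, 0.0
    for s in subsystems:
        k = inv_mu_plus_theta(s, mu_ot, mu_pt)
        numerator += s.lam * k
        denominator += s.lam * s.theta * k
    return numerator / denominator


def solve_linear(a, b):
    """Gauss-Jordan elimination with partial pivoting; returns x with a x = b."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        p = m[col][col]
        m[col] = [v / p for v in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0.0:
                f = m[r][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]


def mttf_spurious_numeric(subsystems, mu_ot=MU_OT, mu_pt=MU_PT) -> float:
    """Mean time to absorption in state 0 for the detected/undetected model.

    Transient states: index 0 = no failures; for subsystem i, index 2i+1 = iD
    (detected safe failure, repaired at mu_ot) and 2i+2 = iU (undetected,
    repaired at mu_pt).  Both derated states fall to state 0 at rate theta_i.
    With Q the generator restricted to transient states, the mean absorption
    times m solve (-Q) m = 1; the MTTF is m for the no-failure state.
    """
    n_states = 1 + 2 * len(subsystems)
    neg_q = [[0.0] * n_states for _ in range(n_states)]
    neg_q[0][0] = sum(s.lam for s in subsystems)
    for i, s in enumerate(subsystems):
        d, u = 2 * i + 1, 2 * i + 2
        neg_q[0][d] = -s.lam * s.coverage          # OK -> iD (detected share)
        neg_q[0][u] = -s.lam * (1.0 - s.coverage)  # OK -> iU (undetected share)
        neg_q[d][d] = mu_ot + s.theta
        neg_q[d][0] = -mu_ot                       # iD -> OK after on-line repair
        neg_q[u][u] = mu_pt + s.theta
        neg_q[u][0] = -mu_pt                       # iU -> OK after off-line test
    return solve_linear(neg_q, [1.0] * n_states)[0]


if __name__ == "__main__":
    cf = mttf_spurious_closed_form(SAMPLE_SUBSYSTEMS)
    nm = mttf_spurious_numeric(SAMPLE_SUBSYSTEMS)
    print(f"closed form : {cf:.4e} h  ({cf / 8760:.1f} years)")
    print(f"direct solve: {nm:.4e} h  ({nm / 8760:.1f} years)")
```

The two results agree because the coverage-weighted 1/(µ_i + θ_i) reproduces the detected/undetected split exactly, which is what makes the Figure A3 simplification lossless rather than an approximation.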

Figure A2: Generic Fail-Safe Markov Model Using Detected and Undetected Safe Failure Rates


Figure A3: Generic Fail-Safe Markov Model Using Total Safe Failure Rates


Figure A4 – Part 1: Fail-Safe Markov Model for TRICON Version 10.5 TMR Controller


Figure A4 – Part 2: Fail-Safe Markov Model for TRICON Version 10.5 TMR Controller


Figure A4 – Part 3: Fail-Safe Markov Model for TRICON Version 10.5 TMR Controller


Fail-Safe Markov Model States for TRICON Version 10.5 TMR Controller

State 0: Fail Safe State (False Trip) Due to Safe Failures on Two Legs
State 1: Safe Failure of a Digital Input Common Processing Circuit
State 2: Safe Failure of a Digital Input Circuit
State 3: Safe Failure of a High Density Digital Input Common Processing Circuit
State 4: Safe Failure of a High Density Digital Input Circuit
State 5: Safe Failure of an Analog Input Common Processing Circuit
State 6: Safe Failure of an Analog Input Circuit
State 7: Safe Failure of a High Density Analog Input Common Processing Circuit
State 8: Safe Failure of a High Density Analog Input Circuit
State 9: Safe Failure of an Isolated Analog Input Common Processing Circuit
State 10: Safe Failure of an Isolated Analog Input Circuit
State 11: Safe Failure of an Analog Output Common Processing Circuit
State 12: Not Used
State 13: Safe Failure of a 24 VDC Digital Output Common Processing Circuit
State 14: Safe Failure of a 24 VDC Digital Output Switch
State 15: Safe Failure of a 115 VAC Digital Output Common Processing Circuit
State 16: Safe Failure of a 115 VAC Digital Output Switch
State 17: Safe Failure of a Main Processor
State 18: Safe Failure of a Power Supply
State 19: Safe Failure of a Pulse Input Common Processing Circuit
State 20: Safe Failure of a Pulse Input Circuit
State 22: No Failures (Initial State after Complete Repair)


Equations for Failure Rates in TRICON V10.5 Fail-Safe Markov Model

λ1 = 3*n*FR_IP_S
λ2 = 3*n*nic*FR_IC_S
λ3 = 3*nhd*FR_HDIP_S
λ4 = 3*nhd*nhdic*FR_HDIC_S
λ5 = 3*na*FR_AIP_S
λ6 = 3*na*nic*FR_AIC_S
λ7 = 3*nahd*FR_HDAIP_S
λ8 = 3*nahd*nhdic*FR_HDAIC_S
λ9 = 3*niai*FR_IAIP_S
λ10 = 3*niai*niaic*FR_IAIC_S
λ11 = 3*mao*FR_AOP_S
λ12 = 0
λ13 = 3*m*FR_OP_S
λ14 = 4*m*nhdoc*FR_OC_S
λ15 = 3*mhv*FR_HVOP_S
λ16 = 4*mhv*noc*FR_HVOC_S
λ17 = 3*FR_MP_S
λ18 = 2*l*FR_PS_S
λ19 = 3*np*FR_PIP_S
λ20 = 3*np*npc*FR_PIC_S
λ21 = Beta*ccf3legs*(FR_MP_SU + n*FR_I_SU + nhd*FR_HDI_SU + na*FR_AI_SU + nahd*FR_HDAI_SU + niai*FR_IAI_SU + mao*FR_AOP_SU + m*FR_O_SU + mhv*FR_HVO_SU + np*FR_PI_SU)
      + Beta*ccf3legs*((FR_MP - FR_MP_DU - FR_MP_SU) + n*(FR_I - FR_I_DU - FR_I_SU) + nhd*(FR_HDI - FR_HDI_DU - FR_HDI_SU) + na*(FR_AI - FR_AI_DU - FR_AI_SU) + nahd*(FR_HDAI - FR_HDAI_DU - FR_HDAI_SU) + niai*(FR_IAI - FR_IAI_DU - FR_IAI_SU) + m*(FR_O - FR_O_DU - FR_O_SU) + mhv*(FR_HVO - FR_HVO_DU - FR_HVO_SU) + np*(FR_PI - FR_PI_DU - FR_PI_SU) + mao*(FR_AOP - FR_AOP_DU - FR_AOP_SU))
      + Beta*l*FR_PS_S

θ1 = 2*(FR_MP_S + FR_I_S)
θ2 = 2*(FR_MP_S + FR_IP_S + FR_IC_S)
θ3 = 2*(FR_MP_S + FR_HDI_S)
θ4 = 2*(FR_MP_S + FR_HDIP_S + FR_HDIC_S)
θ5 = 2*(FR_MP_S + FR_AI_S)
θ6 = 2*(FR_MP_S + FR_AIP_S + FR_AIC_S)
θ7 = 2*(FR_MP_S + FR_HDAI_S)
θ8 = 2*(FR_MP_S + FR_HDAIP_S + FR_HDAIC_S)
θ9 = 2*(FR_MP_S + FR_IAI_S)
θ10 = 2*(FR_MP_S + FR_IAIP_S + FR_IAIC_S)
θ11 = 2*(FR_MP_S + FR_AOP_S)
θ12 = 0
θ13 = 2*(FR_MP_S + FR_OP_S) + 5/3*nhdoc*FR_OC_S
θ14 = 5/4*(FR_MP_S + FR_OP_S) + FR_OC_S
θ15 = 2*(FR_MP_S + FR_HVOP_S) + 5/3*noc*FR_HVOC_S
θ16 = 5/4*(FR_MP_S + FR_HVOP_S) + FR_HVOC_S
θ17 = 2*(FR_MP_S + n*FR_I_S + nhd*FR_HDI_S + na*FR_AI_S + nahd*FR_HDAI_S + niai*FR_IAI_S + mao*FR_AOP_S + m*FR_O_S + mhv*FR_HVO_S + np*FR_PI_S)
θ18 = FR_PS_S
θ19 = 2*(FR_MP_S + FR_PI_S)
θ20 = 2*(FR_MP_S + FR_PIP_S + FR_PIC_S)


FR_I = FR_IP + nic*FR_IC
FR_AI = FR_AIP + nic*FR_AIC
FR_HDI = FR_HDIP + nhdic*FR_HDIC
FR_HDAI = FR_HDAIP + nhdic*FR_HDAIC
FR_IAI = FR_IAIP + niaic*FR_IAIC
FR_O = FR_OP + 4/3*nhdoc*FR_OC (the factor of 4/3 is because of the quad output voter)
FR_HVO = FR_HVOP + 4/3*noc*FR_HVOC (the factor of 4/3 is because of the quad output voter)
FR_AO = FR_AOP (FR_AOC can be ignored because of 3 DACs per point)
FR_PI = FR_PIP + npc*FR_PIC

1/(µi + θi) Term in the MTTFspurious Equation

1/(µiE + θi) = Ci/(µOT + θi) + (1 - Ci)/(µPT + θi), for i = 1, ..., 20

where

C1 = C_IP_S, C2 = C_IC_S, C3 = C_HDIP_S, C4 = C_HDIC_S
C5 = C_AIP_S, C6 = C_AIC_S, C7 = C_HDAIP_S, C8 = C_HDAIC_S
C9 = C_IAIP_S, C10 = C_IAIC_S, C11 = C_AOP_S, C12 = 0
C13 = C_OP_S, C14 = C_OC_S, C15 = C_HVOP_S, C16 = C_HVOC_S
C17 = C_MP_S, C18 = C_PS_S, C19 = C_PIP_S, C20 = C_PIC_S


Definition of Markov Model Terminology

l = Number of Redundant Power Supply Modules (= Number of Chassis)
m = Number of NG 24 VDC Digital Output Modules
mao = Number of Analog Output Modules
mhv = Number of 115 VAC Digital Output Modules
n = Number of 24 VDC Digital Input Modules
nhd = Number of High Density Digital Input Modules
na = Number of NG Diff. Analog Input Modules
nahd = Number of NG High Density Analog Input Modules
niai = Number of Isolated Analog Input Modules
np = Number of Pulse Input Modules
nic = Number of Input Points on Digital Input and Analog Input Modules (32 points)
nhdic = Number of Input Points on High Density Modules (64 points)
niaic = Number of Input Points on Isolated Analog Input Modules (16 points)
noc = Number of Output Points on 115 VAC Digital Output Modules (16 points)
nhdoc = Number of Output Points on NG 24 VDC Digital Output Modules (16 points)
npc = Number of Input Points on Pulse Input Module (8 points)

FR_AI = Failure Rate of an Analog Input Module Leg
FR_AI_DU = Dangerous Undetected Failure Rate of an Analog Input Module Leg
FR_AI_SU = Safe Undetected Failure Rate of an Analog Input Module Leg
FR_AI_S = Safe Failure Rate of an Analog Input Module Leg
FR_AIP_S = Safe Failure Rate of an Analog Input Module Common Processing Circuit
FR_AIC_S = Safe Failure Rate of an Analog Input Circuit
FR_AOP = Failure Rate of an Analog Output Module Leg
FR_AOP_DU = Dangerous Undetected Failure Rate of an Analog Output Module Leg
FR_AOP_SU = Safe Undetected Failure Rate of an Analog Output Module Leg
FR_AOP_S = Safe Failure Rate of an Analog Output Module Common Processing Circuit
FR_HDAI = Failure Rate of a High Density Analog Input Module Leg
FR_HDAI_DU = Dangerous Undetected Failure Rate of a High Density Analog Input Module Leg
FR_HDAI_SU = Safe Undetected Failure Rate of a High Density Analog Input Module Leg
FR_HDAI_S = Safe Failure Rate of a High Density Analog Input Module Leg
FR_HDAIP_S = Safe Failure Rate of a High Density Analog Input Module Common Processing Circuit
FR_HDAIC_S = Safe Failure Rate of a High Density Analog Input Circuit
FR_HDI = Failure Rate of a High Density Digital Input Module Leg
FR_HDI_DU = Dangerous Undetected Failure Rate of a High Density Digital Input Module Leg
FR_HDI_SU = Safe Undetected Failure Rate of a High Density Digital Input Module Leg
FR_HDI_S = Safe Failure Rate of a High Density Digital Input Module Leg
FR_HDIP_S = Safe Failure Rate of a High Density Digital Input Module Common Processing Circuit
FR_HDIC_S = Safe Failure Rate of a High Density Digital Input Circuit
FR_HVO = Failure Rate of a 115 VAC Digital Output Module Leg
FR_HVO_DU = Dangerous Undetected Failure Rate of a 115 VAC Digital Output Module Leg


FR_HVO_SU = Safe Undetected Failure Rate of a 115 VAC Digital Output Module Leg
FR_HVO_S = Safe Failure Rate of a 115 VAC Digital Output Module Leg
FR_HVOP_S = Safe Failure Rate of a 115 VAC Digital Output Module Common Processing Circuit
FR_HVOC_S = Safe Failure Rate of a 115 VAC Digital Output Switch
FR_IAI = Failure Rate of an Isolated Analog Input Module Leg
FR_IAI_DU = Dangerous Undetected Failure Rate of an Isolated Analog Input Module Leg
FR_IAI_SU = Safe Undetected Failure Rate of an Isolated Analog Input Module Leg
FR_IAI_S = Safe Failure Rate of an Isolated Analog Input Module Leg
FR_IAIP_S = Safe Failure Rate of an Isolated Analog Input Module Common Processing Circuit
FR_IAIC_S = Safe Failure Rate of an Isolated Analog Input Circuit
FR_I_DU = Dangerous Undetected Failure Rate of a 24 VDC Input Module Leg
FR_I_SU = Safe Undetected Failure Rate of a 24 VDC Input Module Leg
FR_I_S = Safe Failure Rate of a 24 VDC Input Module Leg
FR_IP_S = Safe Failure Rate of a 24 VDC Input Module Common Processing Circuit
FR_I = Failure Rate of a 24 VDC Input Module Leg
FR_IC_S = Safe Failure Rate of a 24 VDC Input Circuit
FR_MP = Failure Rate of a Main Processor
FR_MP_S = Safe Failure Rate of a Main Processor
FR_MP_SU = Safe Undetected Failure Rate of a Main Processor
FR_MP_DU = Dangerous Undetected Failure Rate of a Main Processor
FR_O = Failure Rate of a 24 VDC Digital Output Module Leg
FR_O_DU = Dangerous Undetected Failure Rate of a 24 VDC Digital Output Module Leg
FR_O_SU = Safe Undetected Failure Rate of a 24 VDC Digital Output Module Leg
FR_O_S = Safe Failure Rate of a 24 VDC Digital Output Module Leg
FR_OP_S = Safe Failure Rate of a 24 VDC Digital Output Module Common Processing Circuit
FR_OC_S = Safe Failure Rate of a 24 VDC Digital Output Switch
FR_PS_S = Safe Failure Rate of a Power Supply
FR_PI = Failure Rate of a Pulse Input Module Leg
FR_PI_DU = Dangerous Undetected Failure Rate of a Pulse Input Module Leg
FR_PI_SU = Safe Undetected Failure Rate of a Pulse Input Module Leg
FR_PI_S = Safe Failure Rate of a Pulse Input Module Leg
FR_PIP_S = Safe Failure Rate of a Pulse Input Module Common Processing Circuit
FR_PIC_S = Safe Failure Rate of a Pulse Input Circuit
Beta = Common Cause Factor (0.015 or 1.5%)
ccf3legs = Common Cause Factor affecting all three legs of a module (0.25)


Attachment B: Estimating Common Cause Factors Using IEC 61508-6 Standard

The β-factor is calculated for the sensors, the logic subsystem and the final elements separately.

In order to minimize the probability of occurrence of common cause failures, one should first establish which measures lead to an efficient defence against their occurrence. The implementation of the appropriate measures in the system leads to a reduction in the value of the β-factor used in estimating the probability of failure due to common cause failures.

Table B1 lists the measures and contains associated values, based on engineering judgement, which represent the contribution each measure makes in the reduction of common cause failures. Table B1 has been modified by removing the X and Y values for the sensors and final elements. In their place are the XLS and YLS for the Tricon logic subsystem.

Extensive diagnostic tests may be incorporated into programmable electronic systems that allow the detection of non-simultaneous common cause failures. To allow diagnostic tests to be taken into account in the estimation of the β-factor, the overall contribution of each measure in Table B1 is divided, using engineering judgement, into two sets of values, X and Y. For each measure, the X:Y ratio represents the extent to which the measure's contribution against common cause failures can be improved by diagnostic testing.

The user of Table B1 should ascertain which measures apply to the system in question, and sum the corresponding values shown in each of columns XLS and YLS for the logic subsystem, the sums being referred to as X and Y, respectively.

Table B2 is used to determine a factor Z from the frequency and coverage of the diagnostic tests. The score S is then calculated using the following equations, as appropriate (see previous clause):

– S = X + Y, to obtain the value of β int (the β-factor for undetected failures); and

– SD = X(Z + 1) + Y, to obtain the value of βD int (the β-factor for detected failures).

Here S or SD is a score which is used in Table B3 to determine the appropriate β int factor.

β int and βD int are the values of the common cause failure factor prior to considering the effect of different degrees of redundancy.

The Tricon values for X and Y determined from Table B1 are X = 35.5 and Y = 42.75, and thus S = 78.25. The Z factor for the Tricon is 2 (see Table B2), so SD = 149.25. Using the S and SD scores in Table B3, β int and βD int are 1% and 0.5% respectively.


Table B1 – Scoring programmable electronics


Table B1 (continued)


Table B2 – Value of Z: programmable electronics

Diagnostic coverage   Diagnostic test interval
                      Less than 1 min   Between 1 min and 5 min   Greater than 5 min
≥ 99 %                2,0               1,0                       0
≥ 90 %                1,5               0,5                       0
≥ 60 %                1,0               0                         0

Table B3 – Calculation of β int or βD int

Score (S or SD)   Corresponding value of β int or βD int for the:
                  Logic subsystem   Sensors or final elements
120 or above      0,5 %             1 %
70 to 120         1 %               2 %
45 to 70          2 %               5 %
Less than 45      5 %               10 %

NOTE 1 The maximum levels of βD int shown in this table are lower than would normally be used, reflecting the use of the techniques specified elsewhere in this standard for the reduction in the probability of systematic failures as a whole, and of common cause failures as a result of this.

NOTE 2 Values of βD int lower than 0,5 % for the logic subsystem and 1 % for the sensors would be difficult to justify.

The β int derived from Table B3 is the common cause failure associated with a 1oo2 system. For other levels of redundancy (MooN) this β int value will change as given in Table B4 to yield the final value of β.


Table B4 – Calculation of β for systems with levels of redundancy greater than 1oo2

MooN     N = 2      N = 3        N = 4         N = 5
M = 1    β int      0.5 β int    0.3 β int     0.2 β int
M = 2    -          1.5 β int    0.6 β int     0.4 β int
M = 3    -          -            1.75 β int    0.8 β int
M = 4    -          -            -             2.0 β int

Beta values used for the Tricon configurations are shown in the table below.

Tricon Configuration        Beta Value
Single PPS Tricon (2oo3)    1.5%
Four 2oo4 PPS Tricons       0.6%
Three 2oo3 PPS Tricons      1.5%

Note 1: These Beta values are applied to each Tricon's PFDavg and MTTFspurious calculations.
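The Attachment B procedure carried through in code, added here as a worked example rather than taken from the report: it takes the report's X = 35.5, Y = 42.75 and Z = 2 through S and SD, looks up β int and βD int in Table B3, and applies the Table B4 multiplier for the 2oo3 and 2oo4 PPS Tricon configurations. The handling of scores that fall exactly on a Table B3 band edge, and the Table B2 cell assumed to give Z = 2, are assumptions not stated in the report.

```python
# Added worked example of the Attachment B procedure (not the report's own code).
# X, Y and Z are the Tricon values stated in the report; the Table B2, B3 and B4
# data are transcribed from the attachment.  Assumption: a score lying exactly
# on a Table B3 band edge (120, 70, 45) is placed in the higher band.

def z_factor(coverage_pct, test_interval_min):
    """Table B2: Z from diagnostic coverage (%) and diagnostic test interval (min)."""
    if coverage_pct >= 99:
        row = (2.0, 1.0, 0.0)
    elif coverage_pct >= 90:
        row = (1.5, 0.5, 0.0)
    elif coverage_pct >= 60:
        row = (1.0, 0.0, 0.0)
    else:
        raise ValueError("Table B2 gives no Z for diagnostic coverage below 60 %")
    if test_interval_min < 1:          # "less than 1 min" column
        return row[0]
    return row[1] if test_interval_min <= 5 else row[2]


def scores(x, y, z):
    """S = X + Y (undetected failures) and SD = X(Z + 1) + Y (detected failures)."""
    return x + y, x * (z + 1) + y


def beta_int(score, logic_subsystem=True):
    """Table B3: beta_int (or betaD_int) in percent for a score S (or SD)."""
    col = 0 if logic_subsystem else 1    # logic subsystem / sensors and final elements
    for threshold, values in ((120, (0.5, 1.0)), (70, (1.0, 2.0)),
                              (45, (2.0, 5.0)), (0, (5.0, 10.0))):
        if score >= threshold:
            return values[col]
    raise ValueError("score must be non-negative")


# Table B4: multiplier applied to beta_int for MooN voting, keyed by (M, N)
MOON_FACTOR = {(1, 2): 1.0,
               (1, 3): 0.5, (2, 3): 1.5,
               (1, 4): 0.3, (2, 4): 0.6, (3, 4): 1.75,
               (1, 5): 0.2, (2, 5): 0.4, (3, 5): 0.8, (4, 5): 2.0}


def beta_for_moon(x, y, z, m, n, logic_subsystem=True):
    """Final beta (percent) for an MooN configuration: Table B3 value scaled by Table B4."""
    s, _sd = scores(x, y, z)
    return beta_int(s, logic_subsystem) * MOON_FACTOR[(m, n)]


if __name__ == "__main__":
    X, Y, Z = 35.5, 42.75, 2.0            # Tricon values from Attachment B
    S, SD = scores(X, Y, Z)
    print(f"S = {S}, SD = {SD}: beta_int = {beta_int(S)} %, betaD_int = {beta_int(SD)} %")
    for m, n in ((2, 3), (2, 4)):         # the 2oo3 and 2oo4 PPS Tricon configurations
        print(f"{m}oo{n}: beta = {beta_for_moon(X, Y, Z, m, n)} %")
```

Z = 2 corresponds in Table B2 to at least 99 % diagnostic coverage with a test interval under 1 min; the 2oo3 result of 1.5 % is the Beta = 0.015 used in the Markov model terminology above.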