3 Reliability and Performance in Engineering Design
3.3 Analytic Development of Reliability and Performance in Engineering Design

Table 3.16 Extract from FMECA worksheet of quantitative RAM analysis field study: motor RJS pump no. 1 component

| Assembly | Component | Failure description | Failure mode | Failure effect | Failure consequence | Cause of failure | Critical analysis |
|---|---|---|---|---|---|---|---|
| RJS pump no. 1 | Motor RJS pump no. 1 | Motor fails to start or drive pump | TLF | Motor failure prevents quenching of the gas and the protection of the RJS structure due to reduced flow. Standby pump should start up automatically | Maintenance | Loose or corroded connections or motor terminals | (1) 100% (2) 0.50 (3) 2 (4) 2.0 (5) 1.00 Low criticality |
| RJS pump no. 1 | Motor RJS pump no. 1 | Motor fails to start or drive pump | TLF | Motor failure prevents quenching of the gas and the protection of the RJS structure due to reduced flow. Standby pump should start up automatically | Maintenance | Motor winding short or insulation fails | (1) 100% (2) 0.25 (3) 2 (4) 2.0 (5) 0.50 Low criticality |
| RJS pump no. 1 | Motor RJS pump no. 1 | Motor cannot be stopped or started locally | TLF | If required to respond in an emergency failure of motor, this could result in injury risk | Injury risk | Local stop/start switch fails | (1) 50% (2) 0.25 (3) 11 (4) 5.5 (5) 1.38 Low criticality |
| RJS pump no. 1 | Motor RJS pump no. 1 | Motor overheats and trips | PFC | Motor failure prevents quenching of the gas and the protection of the RJS structure due to reduced flow. Standby pump should start up automatically | Maintenance | Motor winding short or insulation fails | (1) 100% (2) 0.25 (3) 1 (4) 1.0 (5) 0.25 Low criticality |
| RJS pump no. 1 | Motor RJS pump no. 1 | Motor overheats and trips | PFC | Motor failure prevents quenching of the gas and the protection of the RJS structure due to reduced flow. Standby pump should start up automatically | Maintenance | Bearings fail due to lack of or to excessive lubrication | (1) 100% (2) 0.50 (3) 1 (4) 1.0 (5) 0.50 Low criticality |
| RJS pump no. 1 | Motor RJS pump no. 1 | Motor vibrates excessively | PFC | Motor failure prevents quenching of the gas and the protection of the RJS structure due to reduced flow. Standby pump should start up automatically | Maintenance | Bearings worn or damaged | (1) 100% (2) 0.50 (3) 1 (4) 1.0 (5) 0.50 Low criticality |

Table 3.17 Extract from FMECA worksheet of quantitative RAM analysis field study: MCC RJS pump no. 1 component

| Assembly | Component | Failure description | Failure mode | Failure effect | Failure consequence | Cause of failure | Critical analysis |
|---|---|---|---|---|---|---|---|
| RJS pump no. 1 | MCC RJS pump no. 1 | Motor fails to start upon command | TLF | Motor failure starting upon command prevents the standby pump to start up automatically | Maintenance | Electrical supply or starter failure | (1) 100% (2) 0.25 (3) 2 (4) 2.0 (5) 0.50 Low criticality |
| RJS pump no. 1 | MCC RJS pump no. 1 | Motor fails to start upon command | TLF | Motor failure starting upon command prevents the standby pump to start up automatically | Maintenance | High/low voltage defective fuses or circuit breakers | (1) 100% (2) 0.25 (3) 2 (4) 2.0 (5) 0.50 Low criticality |
| RJS pump no. 1 | MCC RJS pump no. 1 | Motor fails to start upon command | TLF | Motor failure starting upon command prevents the standby pump to start up automatically | Maintenance | Control system wiring malfunction due to hot spots | (1) 100% (2) 0.25 (3) 2 (4) 2.0 (5) 0.50 Low criticality |

Table 3.18 Extract from FMECA worksheet of quantitative RAM analysis field study: RJS pump no. 1 control valve component

| Assembly | Component | Failure description | Failure mode | Failure effect | Failure consequence | Cause of failure | Critical analysis |
|---|---|---|---|---|---|---|---|
| RJS pump no. 1 | Control valve | Fails to open | TLF | Prevents discharge of acid from the pump that cleans and cools gas and protects the RJS. Flow and pressure protections would prevent damage. May result in downtime if it occurs on standby pump when needed | Production | No PLC output due to modules electronic fault or cabling | (1) 100% (2) 0.50 (3) 6 (4) 6.0 (5) 3.00 Low/medium criticality |
| RJS pump no. 1 | Control valve | Fails to open | TLF | Prevents discharge of acid from the pump that cleans and cools gas and protects the RJS. Flow and pressure protections would prevent damage. May result in downtime if it occurs on standby pump when needed | Production | Solenoid valve fails, failed cylinder actuator or air receiver failure | (1) 100% (2) 0.50 (3) 6 (4) 6.0 (5) 3.00 Low/medium criticality |

Table 3.19 Extract from FMECA worksheet of quantitative RAM analysis field study: RJS pump no. 1 instrument loop (pressure) assembly

| Assembly | Component | Failure description | Failure mode | Failure effect | Failure consequence | Cause of failure | Critical analysis |
|---|---|---|---|---|---|---|---|
| RJS pump no. 1 instrument loop (pressure) | Instrument (pressure. 1) | Fails to provide accurate pressure indication | TLF | Fails to permit pressure monitoring | Maintenance | Restricted sensing port due to blockage by chemical or physical action | (1) 100% (2) 3.00 (3) 2 (4) 2.0 (5) 6.00 Medium/high criticality |
| RJS pump no. 1 instrument loop (pressure) | Instrument (pressure. 2) | Fails to detect low-pressure condition | TLF | Does not permit essential pressure monitoring and can cause damage to the pump due to lack of mechanical seal flushing | Maintenance | Pressure switch fails due to corrosion or relay or cable failure | (1) 100% (2) 0.50 (3) 2 (4) 2.0 (5) 1.00 Low criticality |
| RJS pump no. 1 instrument loop (pressure) | Instrument (pressure. 2) | Fails to provide output signal for alarm condition | TLF | Does not permit essential pressure monitoring and can cause damage to the pump due to lack of mechanical seal flushing | Maintenance | PLC alarm function or indicator fails | (1) 100% (2) 0.30 (3) 2 (4) 2.0 (5) 0.60 Low criticality |

To introduce uncertainty in this analysis, according to the theory developed for the extended FMECA, the following approach is considered:

• Express the various failure modes, including their (more or less) certain consequences (i.e. the more or less certainty that the consequence can or cannot occur)
• Present the number of uncertainty levels in linguistic terms
• For a given failure mode, sort the occurrence of the consequences into a specific range of (6+1) categories:
  – Three levels of more or less certain consequences ('completely certain', 'almost certain', 'likely')
  – Three levels of more or less impossible consequences ('completely impossible', 'almost impossible', 'unlikely')
  – One level for ignorance.

The approach is thus initiated by expressing the various failure modes, along with their (more or less) certain consequences.
The discriminability of the failure modes with their (more or less) certain consequences is checked. If this is not sufficient, then the question is explored whether some of the (more or less) certain consequences of one failure mode could not be expressed as more or less impossible for some other fault modes. The three categories of more or less impossible consequences are thus indicated whenever necessary, to allow a better discrimination. After this refinement stage, if a set of failure modes still cannot be discriminated in a satisfying way, then the observability of the consequence should be questioned.

Table 3.20 Uncertainty in the FMECA of a critical control valve

| Component | Failure description | Failure mode | Failure consequence | Failure cause | (1) $\mu_{M(d)^+}$ | (1) $\mu_{M(d)^-}$ | Critical analysis |
|---|---|---|---|---|---|---|---|
| Control valve | Fails to open | TLF | Production | No PLC output due to modules electronic fault or cabling | 0.6 | 0.4 | (2) 0.5 (3) 6 (4) 3.6 (or not—2.4) (5) 1.8 (or not—1.2) Low criticality |
| Control valve | Fails to open | TLF | Production | Solenoid valve fails, due to failed cylinder actuator or air receiver failure | 0.6 | 0.4 | (2) 0.5 (3) 6 (4) 3.6 (or not—2.4) (5) 1.8 (or not—1.2) Low criticality |
| Control valve | Fails to seal/close | TLF | Production | Valve disk damaged due to corrosion or wear | 0.8 | 0.2 | (2) 0.5 (3) 6 (4) 4.8 (or not—1.2) (5) 2.4 (or not—0.6) Low criticality |
| Control valve | Fails to seal/close | TLF | Production | Valve stem cylinders seized due to chemical deposition or corrosion | 0.8 | 0.2 | (2) 0.5 (3) 6 (4) 4.8 (or not—1.2) (5) 2.4 (or not—0.6) Low criticality |
b) Results of the Qualitative FMECA

As an example, the critical control valve considered in the FMECA chart of Table 3.18 has been itemised for inclusion in an extended FMECA chart relating to the discriminated failure mode, TLF, along with its (more or less) certain consequences, given in Tables 3.20 and 3.21. To simplify, it is assumed that all the events are directly observable—that is, each effect is non-ambiguously associated to a consequence, although the same consequence can be associated to other effects (i.e. the effects, or events, are equated to their associated consequences, or manifestations). The knowledge expressed in Tables 3.20 and 3.21 describes the fuzzy relation between failure modes, effects and consequences, in terms of the fuzzy sets for the expanded FMECA, $M(d)^+(m_i)$ and $M(d)^-(m_i)$.

Table 3.21 Uncertainty in the FMECA of critical pressure instruments

| Component | Failure description | Failure mode | Failure consequence | Failure cause | (1) $\mu_{M(d)^+}$ | (1) $\mu_{M(d)^-}$ | Critical analysis |
|---|---|---|---|---|---|---|---|
| Instrument (pressure. 1) | Fails to detect low-pressure condition | TLF | Maintenance | Pressure switch fails due to corrosion or relay or cable failure | 0.6 | 0.4 | (2) 0.50 (3) 2 (4) 1.2 (or not—0.8) (5) 0.6 (or not—0.4) Low criticality |
| Instrument (pressure. 1) | Fails to provide accurate pressure indication | TLF | Maintenance | Restricted sensing port due to blockage by chemical or physical action | 0.8 | 0.2 | (2) 3.00 (3) 2 (4) 1.6 (or not—0.4) (5) 4.8 (or not—1.2) Medium criticality |
| Instrument (pressure. 2) | Fails to detect low-pressure condition | TLF | Maintenance | Pressure switch fails due to corrosion or relay or cable failure | 0.6 | 0.4 | (2) 0.50 (3) 2 (4) 1.2 (or not—0.8) (5) 0.6 (or not—0.4) Low criticality |
| Instrument (pressure. 2) | Fails to provide output signal for alarm condition | TLF | Maintenance | PLC alarm function or indicator fails | 0.8 | 0.2 | (2) 3.00 (3) 2 (4) 1.6 (or not—0.4) (5) 4.8 (or not—1.2) Medium criticality |
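The critical-analysis arithmetic behind Tables 3.20 and 3.21, as an added example (not code from the book): it applies the qualifier mapping of Cayrac et al. and the item definitions (1) to (5) given in the text that follows, and recomputes the printed risk and criticality pairs. The function names, the row labels and the rounding to two decimals are assumptions of this example, and the qualifier for each row is inferred from its printed μ values.

```python
# Linguistic qualifier -> (mu_M(d)+, mu_M(d)-), per the mapping in the text.
QUALIFIERS = {
    "certain": (1.0, 0.0),
    "almost certain": (0.8, 0.2),
    "likely": (0.6, 0.4),
    "unlikely": (0.4, 0.6),
    "almost unlikely": (0.2, 0.8),
    "impossible": (0.0, 1.0),
    "unknown": (0.0, 0.0),  # ignorance: no support for or against
}

def critical_analysis(qualifier, failure_rate, severity):
    """Items (1)-(5) for one failure cause, as (occurs, or-not) pairs."""
    try:
        mu = QUALIFIERS[qualifier.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown qualifier: {qualifier!r}") from None
    # (4) risk = (1) x (3); (5) criticality = (2) x (4); rounded as printed.
    risk = tuple(round(m * severity, 2) for m in mu)
    crit = tuple(round(failure_rate * m * severity, 2) for m in mu)
    return {"mu": mu, "risk": risk, "criticality": crit,
            "ignorance": mu == (0.0, 0.0)}

# Rows transcribed from Tables 3.20 and 3.21 (labels shortened here):
# (label, qualifier, failures/year, severity, printed (4), printed (5))
ROWS = [
    ("Control valve: fails to open", "likely", 0.5, 6, (3.6, 2.4), (1.8, 1.2)),
    ("Control valve: fails to seal/close", "almost certain", 0.5, 6,
     (4.8, 1.2), (2.4, 0.6)),
    ("Instrument: fails to detect low pressure", "likely", 0.5, 2,
     (1.2, 0.8), (0.6, 0.4)),
    ("Instrument: inaccurate pressure indication", "almost certain", 3.0, 2,
     (1.6, 0.4), (4.8, 1.2)),
]

def mismatches(rows):
    """Return rows whose printed (4)/(5) differ from the recomputed values."""
    bad = []
    for label, qual, rate, sev, risk, crit in rows:
        got = critical_analysis(qual, rate, sev)
        if got["risk"] != risk or got["criticality"] != crit:
            bad.append((label, got["risk"], got["criticality"]))
    return bad

if __name__ == "__main__":
    for row in ROWS:
        print(row[0], critical_analysis(*row[1:4]))
    print("inconsistent rows:", mismatches(ROWS))
```
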
The linguistic qualitative-numeric mapping used for uncertainty representation is tabulated below (Cayrac et al. 1994).

| Qualifier | Ref. code | $\mu_{M(d)^+}$ | $\mu_{M(d)^-}$ |
|---|---|---|---|
| Certain | 1 | 1.0 | 0.0 |
| Almost certain | 2 | 0.8 | 0.2 |
| Likely | 3 | 0.6 | 0.4 |
| Unlikely | 4 | 0.4 | 0.6 |
| Almost unlikely | 5 | 0.2 | 0.8 |
| Impossible | 6 | 0.0 | 1.0 |
| Unknown | 7 | 0.0 | 0.0 |

The 'critical analysis' column of the extended FMECA chart relating to the discriminated failure mode, along with its (more or less) certain consequences, includes items numbered 1 to 5 that indicate the following:

(1) Possibility of occurrence of a consequence ($\mu_{M(d)^+}$) or impossibility of occurrence of a consequence ($\mu_{M(d)^-}$)
(2) Estimated failure rate (the number of failures per year)
(3) Severity (expressed as a number from 0 to 10)
(4) Risk (product of 1 and 3)
(5) Criticality value (product of 2 and 4).

3.3.3 Analytic Development of Reliability Evaluation in Detail Design

The most applicable methods selected for further development as tools for reliability evaluation in determining the integrity of engineering design in the detail design phase are:

i. The proportional hazards model (or instantaneous failure rate, indicating the probability of survival of a component);
ii. Expansion of the exponential failure distribution (considering component functional failures that occur at random intervals);
iii. Expansion of the Weibull failure distribution (to determine component criticality for wear-out failures, not random failures);
iv. Qualitative analysis of the Weibull distribution model (when the Weibull parameters cannot be based on obtained data).

3.3.3.1 The Proportional Hazards Model

The proportional hazards (PH) model was developed in order to estimate the effects of different covariates influencing the times to failure of a system (Cox 1972). In its original form, the model is non-parametric, i.e. no assumptions are made about the nature or shape of the underlying failure distribution. The original non-parametric formulation as well as a parametric form of the model are considered, utilising the Weibull life distribution. Special developments of the proportional hazards model are:

General log-linear, GLL—exponential
General log-linear, GLL—Weibull models.

a) Non-Parametric Model Formulation

From the PH model, the failure rate of a system is affected not only by its operating time but also by the covariates under which it operates. For example, a unit of equipment may have been tested under a combination of different accelerated stresses such as humidity, temperature, voltage, etc. These factors can affect the failure rate of the unit, and typically represent the type of stresses that the unit will be subject to, once installed.

The instantaneous failure rate (or hazard rate) of a unit is given by the following relationship

$$\lambda(t) = \frac{f(t)}{R(t)} , \tag{3.144}$$

where:
$f(t)$ = the probability density function,
$R(t)$ = the reliability function.

For the specific case where the failure rate of a particular unit is dependent not only on time but also on other covariates, Eq. (3.144) must be modified in order to be a function of time and of the covariates. The proportional hazards model assumes that the failure rate (hazard rate) of a unit is the product of the following factors:

• An unspecified baseline failure rate, $\lambda_o(t)$, which is a function of time only,
• A positive function $g(x, A)$ that is independent of time, and that incorporates the effects of a number of covariates such as humidity, temperature, pressure, voltage, etc.
The failure rate of the unit is then given by

$$\lambda(t, X) = \lambda_o(t) \cdot g(X, A) , \tag{3.145}$$

where:
$X$ = a row vector consisting of the covariates, $X = (x_1, x_2, x_3, \ldots, x_m)$
$A$ = a column vector consisting of the unknown model parameters (regression parameters), $A = (a_1, a_2, a_3, \ldots, a_m)^T$
$m$ = number of stress-related variates (time-independent).

It can be assumed that the form of $g(X, A)$ is known and $\lambda_o(t)$ is unspecified. Different forms of $g(X, A)$ can be used but the exponential form is mostly used, due to its simplicity. The exponential form of $g(X, A)$ is given by the following expression

$$g(X, A) = e^{A^T X^T} = \exp\left(\sum_{j=1}^{m} a_j x_j\right) , \tag{3.146}$$

where:
$a_j$ = model parameters (regression parameters),
$x_j$ = covariates.

The failure rate can then be written as

$$\lambda(t, X) = \lambda_o \cdot \exp\left(\sum_{j=1}^{m} a_j x_j\right) . \tag{3.147}$$

b) Parametric Model Formulation

A parametric form of the proportional hazards model can be obtained by assuming an underlying distribution. In general, the exponential and the Weibull distributions are the easiest to use. The lognormal distribution can be utilised as well but it is not considered here. In this case, the Weibull distribution will be used to formulate the parametric proportional hazards model. The exponential distribution case can be easily obtained from the Weibull equations, by simply setting the Weibull shape parameter $\beta = 1$. In other words, it is assumed that the baseline failure rate is parametric and given by the Weibull distribution. The baseline failure rate is given by the following expression taken from Eq. (3.37):

$$\lambda_o = \frac{\beta (t)^{\beta - 1}}{\mu^{\beta}} ,$$

where:
$\mu$ = the scale parameter,
$\beta$ = the shape parameter.

Note that $\mu$ is the baseline Weibull scale parameter but not the PH scale parameter. The PH failure rate then becomes

$$\lambda(t, X) = \frac{\beta (t)^{\beta - 1}}{\mu^{\beta}} \exp\left(\sum_{j=1}^{m} a_j x_j\right) , \tag{3.148}$$
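Equations (3.144) to (3.148) carried through numerically, as an added example (not code from the book). The covariates, regression parameters and Weibull parameters are constructed values, the function names are this example's own, and the reliability function R(t, X) = exp(-(t/μ)^β g(X, A)) is the standard integral of the hazard rather than an equation printed in this section.

```python
import math

def baseline_hazard(t, beta, mu):
    """Weibull baseline failure rate: beta * t**(beta - 1) / mu**beta."""
    if t <= 0 or beta <= 0 or mu <= 0:
        raise ValueError("t, beta and mu must be positive")
    return beta * t ** (beta - 1) / mu ** beta

def g(x, a):
    """Covariate factor of Eq. (3.146): exp(sum_j a_j * x_j)."""
    if len(x) != len(a):
        raise ValueError("X and A must both have length m")
    return math.exp(sum(aj * xj for aj, xj in zip(a, x)))

def ph_hazard(t, x, a, beta, mu):
    """PH failure rate of Eq. (3.148): baseline hazard times g(X, A)."""
    return baseline_hazard(t, beta, mu) * g(x, a)

def ph_reliability(t, x, a, beta, mu):
    """R(t, X) = exp(-(t/mu)**beta * g(X, A)), the integrated hazard."""
    return math.exp(-((t / mu) ** beta) * g(x, a))

def hazard_from_density(t, x, a, beta, mu, h=0.01):
    """Eq. (3.144) check: f(t)/R(t), with f = -dR/dt by central difference."""
    r = lambda s: ph_reliability(s, x, a, beta, mu)
    f = (r(t - h) - r(t + h)) / (2 * h)
    return f / r(t)

# Constructed sample values (assumptions of this example, not from the text).
A = (0.02, 0.8)          # regression parameters a_1, a_2
X_USE = (40.0, 1.0)      # covariates: temperature, normalised voltage
X_STRESS = (85.0, 1.2)   # same unit under accelerated stress
BETA, MU = 1.8, 5000.0   # Weibull shape and baseline scale

def hazard_ratio(t):
    """Stress-to-use hazard ratio; the baseline cancels, so t drops out."""
    return (ph_hazard(t, X_STRESS, A, BETA, MU)
            / ph_hazard(t, X_USE, A, BETA, MU))

if __name__ == "__main__":
    for t in (100.0, 1000.0, 4000.0):
        print(t, ph_hazard(t, X_USE, A, BETA, MU), hazard_ratio(t))
    # beta = 1 gives the exponential case: a hazard that is constant in time.
    print(ph_hazard(10.0, X_USE, A, 1.0, MU), ph_hazard(999.0, X_USE, A, 1.0, MU))
```
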