by: Jan Rowe


Marketplace > Oregon State University > Mechanical Engineering > ME 515 > RISK AND RELIABILITY ANALYSIS IN ENGINEERING DESIGN
Jan Rowe
GPA 3.81


Almost Ready


These notes were just uploaded, and will be ready to view shortly.

Purchase these notes here, or revisit this page.

Either way, we'll remind you when they're ready :)

Preview These Notes for FREE

Get a free preview of these Notes, just enter your email below.

Unlock Preview
Unlock Preview

Preview these materials now for free

Why put in your email? Get access to more of this material and other relevant free materials for your school

View Preview

About this Document

Class Notes
25 ?




Popular in Course

Popular in Mechanical Engineering

This 224 page Class Notes was uploaded by Jan Rowe on Monday October 19, 2015. The Class Notes belongs to ME 515 at Oregon State University taught by Staff in Fall. Since its upload, it has received 11 views. For similar materials see /class/224520/me-515-oregon-state-university in Mechanical Engineering at Oregon State University.




Report this Material


What is Karma?


Karma is the currency of StudySoup.

You can buy or earn more Karma at anytime and redeem it for class notes, study guides, flashcards, and more!

Date Created: 10/19/15
ME 519/515 Risk-Based Design
Prof. Irem Y. Tumer, Mechanical, Industrial & Manufacturing Engineering, Oregon State University, Fall 2007

Lecture 8: Risk Analysis Methods: FMEA/FMECA

Example: Space Shuttle Main Engine (SSME)
- The SSME system includes the space shuttle propulsion system: fuel tank (liquid oxygen & liquid hydrogen), guidance systems.
- Reliability prediction for the space shuttle is a monumental task.
- Rocket propulsion systems consist of liquid rocket engines and solid rocket motors.
- Space shuttle booster propulsion: 3 liquid engines (SSME) and 2 SRMs.
- SSME: a major subsystem that is analyzed in great detail.
- SSME: essentially a power plant that burns liquid hydrogen and liquid oxygen from the external fuel tank.
- Propellants are stored as liquids in tanks and fed on demand into the combustion chamber by gas pressurization or a pump.
- Bipropellant engines chemically react a fuel and an oxidizer.

Example: Space Shuttle Main Engine (SSME)
- The SSME includes low- and high-pressure hydrogen and oxygen turbopumps, main fuel injectors, the main combustion chamber, and the nozzle.
- Numerous parts: high-pressure fuel turbopump, cooling system, preburners, valves.
- These parts undergo extreme stresses: thermal stresses due to temperatures ranging from -423 °F (liquid hydrogen) to 6000 °F inside the combustion chamber, and extreme vibration levels.
- Very high performance requirements: the high-pressure turbopump spins at 30,000 rpm, with discharge pressures of 6,900 psi (oxidizer turbopump) and 8,000 psi.
- NO SSME HAS EVER FAILED CATASTROPHICALLY IN FLIGHT.

[Figure: SSME components: low-pressure oxidizer turbopump, oxidizer preburner, high-pressure oxidizer turbopump, main injector, fuel preburner, hot gas manifold, low-pressure fuel turbopump, controller, propellant valve, high-pressure fuel turbopump, main combustion chamber, hydraulic actuators.]

Example: Space Shuttle Main Engine
In a rocket engine, stored fuel and stored oxidizer are pumped into a combustion chamber where they get mixed and burned (ignited). The combustion chamber produces large amounts of exhaust gas at high temperature and pressure. The hot exhaust is passed through a nozzle which accelerates the flow, and thrust is produced (Newton's third law of motion).
- The amount of thrust depends on the mass flow rate through the engine, the exit velocity of the exhaust, and the pressure at the nozzle exit.

Example: Liquid Rocket Engines
- A bipropellant engine is used to change a spacecraft's velocity and to adjust its orbit.
[Figure: liquid rocket engine: pumps, combustion chamber, throat, nozzle; $V_e$ exit velocity, $\dot{m}$ mass flow rate, $p$ pressure.]
- Thrust: $F = \dot{m}\,V_e + (p_e - p_0)\,A_e$, where $\dot{m}$ is the mass flow rate, $V_e$ the exit velocity, $p_e$ the nozzle exit pressure, $p_0$ the ambient pressure and $A_e$ the exit area.
- Thrust: the amount of force applied to the rocket based on the expulsion of gases.

Example: Space Shuttle Main Engine
- In the SSME, liquid oxygen and liquid hydrogen are passed through completely separate turbopump packages driven by separate preburners.
- The turbine gas is generated by burning a portion of the total main engine flow.
- This gas flows through a turbine to power the pumps and is then dumped into the main combustion chamber along with the flow from another pump loop.
- Additional propellant is added to form the main thrust chamber flow.

Example: Space Shuttle Main Engine (propellant flow)
Fuel and oxidizer from the external tank enter the main propulsion system feedlines and then the low-pressure oxidizer or fuel turbopumps through valves. The low-pressure oxidizer turbopump (LPOTP) boosts the liquid oxygen pressure from 0.7 to 2.9 MPa (100 to 422 psia). The flow from the LPOTP is supplied to the high-pressure oxidizer turbopump (HPOTP); the pressure boost allows the HPOTP to operate at high speeds. The HPOTP's main pump boosts the liquid oxygen pressure up to 30 MPa (4300 psi) at 2820 rpm. The discharge flow splits: one path goes through the main oxidizer valve and enters the main combustion chamber; another path goes to the oxidizer heat exchanger, which converts the liquid oxygen to gas that is routed to the external tank to pressurize the liquid oxygen tank; another path goes to the HPOTP second-stage preburner pump, which boosts the LOX pressure to 5 MPa (7420 psia), and the flow passes through the valves to enter the fuel preburner.

Example: Bipropellant Engines
- Pressure fed; uses earth-storable propellants.
- Contains one 100 lbf radiation-cooled liquid-fueled engine.
- Two positive-expulsion tanks for the fuel and two for the oxidizer.
- A pressurant tank stores helium at 4000 psia and a quad-redundant regulator regulates flow; together they ensure 200 psia feed pressure to the propellant tanks even after a single regulator failure.
- Both the fuel and oxidizer tanks can use propellant management devices to feed propellant to the engine if required.
- Special valves isolate the propellants from the engine until the system is ready.
- Manual fill and drain valves load propellant and pressurant gas into the system.
- Manual valves for system leak checking.
- Check valves ensure that fluid flow is only in the correct direction and that the fuel and oxidizer never mix anywhere except in the engine.
- Pressure transducers, filters, temperature sensors and heaters ensure proper system operation.

SSME: Schematic of the Propellant Flow
[Figure: SSME propellant flow schematic: hydrogen and oxygen inlets; main LOX valve; low-pressure fuel booster turbopump; low-pressure oxygen turbopump driven by hot gasified H2; preburner-driven high-pressure oxygen turbopump; preburner and 3-stage high-pressure fuel turbopump; part of the oxygen flow pressurized in a high-pressure pump with a separate impeller; regeneratively cooled main combustion chamber and nozzle; coolant control valve; thrust chamber gas exhaust.]

SSME: Schematic of a High-Pressure Turbopump
[Figure: high-pressure turbopump cross-section.]

FMECA Example: SSME
- Class Exercise: Liquid Rocket Engine (SSME). Generate a sample FMECA for the main oxygen valve (MOV) in the liquid oxygen/liquid hydrogen engine.
- Main function of the MOV: controls the flow of oxygen to the engine during startup and mainstage firing, and terminates the flow at cutoff of the engine.

FMECA Example: SSME MOV
Table 14.1: Partial FMEA for one part of a liquid rocket engine (main oxidizer valve)

Mode 1: Internal leak or premature opening
  Detection method: CC injector pressure and temperature monitors; MOV DS skin temperature; MOV position monitor prior to start signal
  Effect description: Accumulation of LOX in the main combustion chamber prior to start; possible hard start
  Effect on engine: Hard start may damage engine
  Effect on mission/vehicle: [illegible]
  Criticality: 3
  Possible causes: Damaged seat/seal; premature open signal
  Preventive action: Prelaunch purges; controller

Mode 2: Fails closed
  Detection method: MOV position monitor
  Effect description: Engine fails to start
  Effect on engine: None
  Effect on mission/vehicle: [illegible]
  Criticality: 3
  Possible causes: Mechanical restriction in actuator/valve motion
  Preventive action: Prelaunch preparation checks

Mode 3: Restricted flow (partially opened)
  Detection method: MOV position monitor; MR monitor
  Effect description: Reduced LOX flow to MCC; MR upset; premature cutoff; reduced performance
  Effect on mission/vehicle: Possible loss of mission (may save mission during mainstage)
  Criticality: 2
  Possible causes: Contamination
  Preventive action: Functional checks of actuator/valve motion

Mode 4: External leak
  Detection method: Engine LOX flow monitor; MOV DS skin temperature
  Effect description: Loss of oxidizer; LOX impinging on main combustion chamber, injector and hardware; may cause secondary ASI failure
  Effect on mission/vehicle: Possible loss of mission (may save mission during mainstage)
  Criticality: 2
  Possible causes: Material or seal damage, or loss of seal retention
  Preventive action: Proof and leak test at build

Mode 5: Fails open / leaks (at shutdown)
  Detection method: CC injector pressure and temperature monitors; MOV position monitor; MR monitor
  Effect description: LOX accumulation in combustion chamber/injector after operation; possible hard start; MR transient at shutdown; oxidizer flow continues until the vehicle prevalve is closed
  Effect on engine: Possible combustion chamber/injector burnout
  Effect on mission/vehicle: Possible loss of vehicle/mission
  Criticality: 1
  Possible causes: Internal leak from contamination or damaged seat; loss of pneumatic pressure
  Preventive action: Close vehicle prevalve; fail-safe closing spring

Example: Space Shuttle Main Engine, Terminology
- MOV: main oxidizer valve
- MFV: main fuel valve
- MR: propellant mixture ratio
- LOX: liquid oxygen
- MCC: main combustion chamber
- ASI: augmented spark igniter
[Figure: SSME fuel preburner.]

FMECA Example: SSME
- Note: this is a tiny excerpt from a complete FMECA for a liquid rocket engine, which can cover thousands of pages.
- Liquid Rocket Engine Reliability Prediction: a parts/components list for a candidate design, a possible successor to the space shuttle engine, including the number of components required and generic failure rates. The failure rates were obtained from various sources: handbooks, company technical reports, government and other data banks.

FMECA Example: SSME, Class Exercise: Liquid Rocket Engine Reliability Prediction
Table 14.3: Liquid rocket engine reliability prediction (n = number of components, λ = generic failure rate; cells that could not be read are marked ?)

Item no. | Component                 | n  | λ
1        | Injector                  | 1  | 1.10
2        | Combustion chamber        | 1  | 0.60
3        | ?                         | 1  | 0.20
4        | Nozzle coolant manifold   | 1  | 0.20
5        | Nozzle coolant ?          | 2  | 2.10
6        | Gimbal bearing assembly   | 1  | ?.40
7        | Propellant shutoff valve  | 2  | 0.70
8        | Pressurant(?) shutoff valve | 2 | 0.30
9        | Low pressure turbopump    | 1  | 0.30
10       | Bypass valves             | 1  | 0.50
11       | Turbopump assembly        | 3  | 3.50
12       | Oxidizer/fuel valves      | 2  | 0.40
13       | Gas generator             | 1  | 0.60
14       | Igniter chamber           | 1  | 0.20
15       | Igniter                   | 2  | 0.10
16       | Igniter valves            | 4  | 0.20
17       | Lines                     | 20 | 0.01
18       | Orifice                   | 4  | ?.10
19       | Filter                    | 2  | 0.10
20       | Transducer                | 9  | 0.06
21       | Harness                   | 1  | 1.50

- Class Exercise: compute the total failure rate.

Conclusions: FMEA/FMECA
- A qualitative reasoning approach, best suited for mechanical and electrical hardware systems.
- Considers how the failure modes of each system component can result in system performance problems.
- Ensures that appropriate safeguards against such problems are in place.
- FMECA: a quantitative version of FMEA.
- Benefits
- Shortcomings

FMEA/FMECA: HW 4
Generate an FMECA for your team's selected system:
- Complete the FMECA worksheet (download from the course web site) using the hardware/system approach.
- Compute criticality/severity and RPN; prioritize risks
based on RPN; make recommendations.
- Redo the FMECA using the functional approach.
- Turn in a team report with findings and a discussion of the benefits of FMECA.

ME 519/515 Risk-Based Design
Prof. Irem Y. Tumer, Mechanical, Industrial & Manufacturing Engineering, Oregon State University, Fall 2007

Lecture 10: Risk Analysis Methods: Fault Tree Analysis (FTA)

FTA: Fault Tree Analysis
- Fault tree analysis (FTA) is a top-down approach to failure analysis.
- Starts with a potential undesirable event (undesired state, accident).
- TOP event: the failure that initiates the investigation.
- Basic event: other failures that are related to the top event.
- Determines all the ways the accident can happen.
- Proceeds backwards to determine how the top event can be caused by individual or combined lower-level failures or events (component failures contributing to the system state).
- The causes of the TOP event are connected through logic gates: primarily AND gates and OR gates (Boolean operators).
- The reliability of the top-level event is assessed by determining the probabilities of the individual elements and combining them using the logic of the tree.
[Figure: fault tree example: top failure event, a gate, basic events.]

FTA
- The starting point is often an existing FMECA and a system block diagram.
- The FMECA is an essential first step in understanding the system.
- The block diagram is an essential step in capturing the relationships.
- In addition, the design, operation and environment of the system must be understood and evaluated.
- Finally, the cause and effect relationships leading to the TOP event must be identified and understood.
[Figure: system block diagram → fault tree.]

Fault Tree Construction
- Define the TOP event: clear and unambiguous (same as for an event tree):
  - What (e.g. fire)
  - Where (e.g. in the reactor)
  - When (e.g. during normal operation)
- Determine the immediate, necessary and sufficient events and conditions causing the TOP event.
- Connect them using AND or OR gates.
- Proceed down to an appropriate lower level: independent basic events (events for which there is failure data).

Fault Tree Symbols
Logic gates:
- OR gate: the output event occurs if any of the input events occur.
- AND gate: the output event occurs only if all the input events occur at the same time.
States/events:
- Basic event: a basic equipment failure that requires no further development of failure causes.
- Undeveloped event: an event that is not examined further because information is unavailable or because its consequences are insignificant.
- Comment rectangle: for supplementary information.
Transfer symbols:
- Transfer-out: indicates that the fault tree is developed further at the occurrence of the corresponding transfer-in symbol.

FTA Example: Redundant Fire Pumps
Class exercise: fault tree analysis of a fire pump system.
- T: TOP event: no water from the fire water system.
- Causes for the top event: VF: valve failure; FP1: failure of fire pump 1; FP2: failure of fire pump 2; EF: failure of the engine.
- Intermediate events: G1: no output from any of the fire pumps; G2: no water from FP1; G3: no water from FP2.
[Figure: valve fed by fire pump 1 and fire pump 2, both driven by one engine.]
- What would the simplest fault tree look like?

FTA Example: Redundant Fire Pumps (tree 1)
- TOP "No water from fire pump system" = OR of "Valve blocked or fails to open" (VF) and "No water from the two pumps" (G1).
- G1 = AND of "No water from pump 1" (G2) and "No water from pump 2" (G3).
- G2 = OR of "Failure of pump 1" (FP1) and "Failure of engine" (EF).
- G3 = OR of "Failure of pump 2" (FP2) and "Failure of engine" (EF).

FTA Example: Redundant Fire Pumps (tree 2)
- TOP "No water from fire pump system" = OR of "Valve blocked or fails to open" (VF), "No water from the two pumps" (AND of FP1 and FP2), and "Failure of engine" (EF).
- Logically identical to the previous one.

Fault Trees: Qualitative Assessment
- Cut set: a set of basic events whose simultaneous occurrence ensures that the TOP event occurs.
- A cut set is minimal if the set cannot be reduced without losing its status as a cut set.
- The TOP event will occur if all the basic events in a minimal cut set occur at the same time.
- Qualitative assessment by investigating the minimal cut sets:
  - Order the cut sets.
  - Rank them based on the type of basic events: human error, failure of active equipment, failure of passive equipment.
  - Look at large cut sets with dependent items.

Ranking of two-event cut sets:
Rank | Basic event 1           | Basic event 2
1    | Human error             | Human error
2    | Human error             | Failure of active unit
3    | Human error             | Failure of passive unit
4    | Failure of active unit  | Failure of active unit
5    | Failure of active unit  | Failure of passive unit
6    | Failure of passive unit | Failure of passive unit

Fault Trees: Quantitative Assessment
- Probabilities:
  - $Q_0(t) = \Pr(\text{TOP event occurs at time } t)$
  - $q_i(t) = \Pr(\text{basic event } i \text{ occurs at time } t)$
  - $Q_j(t) = \Pr(\text{minimal cut set } j \text{ fails at time } t)$
- Events:
  - Let $E_i(t)$ denote the basic event $i$ occurring at time $t$, e.g. component $i$ is in a failed state at time $t$.
  - A minimal cut set is assumed failed when all its basic events occur at the same time.

For a single AND gate (TOP with inputs Event 1 and Event 2):
- Let $q_i(t) = \Pr(E_i(t))$, $i = 1, 2$.
- When the basic events are independent, the TOP event probability is (note: the TOP event occurs if all input events occur, an intersection)
  $Q_0(t) = \Pr(E_1(t) \cap E_2(t)) = \Pr(E_1(t)) \cdot \Pr(E_2(t)) = q_1(t)\,q_2(t)$
- For a single AND gate with $m$ basic events: $Q_0(t) = \prod_{j=1}^{m} q_j(t)$

For a single OR gate (TOP with inputs Event 1 and Event 2):
- When the basic events are independent, the TOP event probability is (note: the TOP event occurs if at least one input event occurs, a union)
  $Q_0(t) = \Pr(E_1(t) \cup E_2(t)) = \Pr(E_1(t)) + \Pr(E_2(t)) - \Pr(E_1(t) \cap E_2(t)) = q_1(t) + q_2(t) - q_1(t)\,q_2(t) = 1 - (1 - q_1(t))(1 - q_2(t))$
- For a single OR gate with $m$ basic events: $Q_0(t) = 1 - \prod_{j=1}^{m} (1 - q_j(t))$

Fault Trees: Cut Set Assessment
[Figure: "Minimal cut set j fails" is an AND gate over basic events $j_1, j_2, \dots, j_r$.]
- A minimal cut set fails if and only if all the basic events in the set fail at the same time.
- Probability that cut set $j$ fails at time $t$: $Q_j(t) = \prod_{i=1}^{r} q_{j_i}(t)$, where all the $r$ basic events in the minimal cut set are independent.

Fault Trees: TOP Event Probability
[Figure: TOP is an OR gate over "Minimal cut set 1 fails", ..., "Minimal cut set k fails".]
- The TOP event occurs if at least one of the minimal cut sets fails.
- TOP event probability: $Q_0(t) \le 1 - \prod_{j=1}^{k} (1 - Q_j(t))$
- The inequality sign reflects that the minimal cut sets are not always independent: the same basic event can be part of several cut sets.

FTA Example: Redundant Fire Pumps
- Class exercise: compute the overall probability for the TOP event to occur in terms of the probabilities of the basic events EF, VF, FP1, FP2.

FTA to RBD Mapping
- Series configuration ↔ OR gate: the TOP event occurs if at least one element fails.
- Parallel configuration ↔ AND gate: the TOP event occurs if all elements fail.
- NOTE the difference from when we were computing reliabilities. WHY?
- Class exercise: convert the RBD from lecture 3/4 to a fault tree.
[Figure: reliability block diagram, input → blocks → output.]

Fault Trees: Input Data
- Basic event probability: $q_i(t) = \Pr(\text{basic event } i \text{ occurs at time } t)$
- Types of events:
  - Non-repairable unit (the unit is not repaired when a failure occurs). Input data: failure rate $\lambda_i$. Basic event probability: $q_i(t) = 1 - e^{-\lambda_i t} \approx \lambda_i t$
  - Repairable unit (repaired when a failure occurs). Input data: failure rate $\lambda_i$, mean time to repair $\mathrm{MTTR}_i$. Basic event probability: $q_i(t) \approx \lambda_i \cdot \mathrm{MTTR}_i$
  - Periodically tested unit (hidden failures). Input data: failure rate $\lambda_i$, test interval $\tau_i$. Basic event probability: $q_i(t) \approx \lambda_i \tau_i / 2$
  - Frequency of events: event $i$ occurs now and then with no specific duration, with a given frequency.
  - On-demand probability: the input data is $\Pr(\text{unit } i \text{ fails upon request})$. Used to model operator errors.

FTA Examples: An Electric Circuit
- Consider an electric circuit. [Figure: switch, generator, motor, fuse.]
- TOP event: motor fails to start. Clearer: motor fails to start when the switch is closed at a given time $t$.
- The TOP event "motor fails to start" has three causes:
  - primary motor failure: failure in the design envelope due to natural aging
  - secondary failure: due to causes outside the design envelope (overrun, mechanical vibrations, thermal stresses, inadequate lubrication of bearings, etc.)
  - motor command fault: caused by inadvertent control signals or noise (no current to the motor)
- Class exercise: build the fault tree for the electric circuit with TOP event "motor fails to start".
[Figure: fault tree for the electric circuit: motor failure ← no current to motor ← wire does not carry current (basic wire failure, secondary wire failure); no current in switch (basic switch failure, secondary failure); generator does not supply current (basic generator failure, secondary generator failure); circuit does not accept current; fuse does not carry current (basic fuse failure, secondary failure).]

FTA
- Class exercise: build a fault tree for one TOP event in your system. Present to class.
- HW 5: for one TOP event for your system:
  - Build an event tree for your system; compute the probabilities for each outcome.
  - Build a fault tree of your system; compute the probability of the TOP event in terms of the probabilities of the basic events/failures (leave symbolic).
  - Map your fault tree to a reliability diagram representation.
  - Benefits vs. shortcomings: compare to FMECA.

FTA Examples: A Pumping Station
[Figure: pumping station: reservoir, pump and motor, pressure tank with outlet valve, pressure sense line and pressure switch, switch S1, fuse, relays K1 and K2, timer relay.]

FTA Examples: Pumping System
A pressure tank/pump/motor system and a control system intended to keep the tank in a filled and pressurized condition. The function of the control system is to regulate the operation of the pump. The function of the pump is to pump fluid from an infinitely large reservoir into the tank. It takes 60 sec to pressurize the tank; the pressure switch has contacts that are closed when the tank is empty. When the threshold pressure is reached, the pressure switch contacts open, de-energizing the coil of relay K2 so that the relay K2 contacts open, removing power from the pump and causing the pump motor to cease operation. The tank is fitted with an outlet valve that drains the entire tank; the outlet valve is not a pressure relief valve. When the tank is empty, the pressure switch contacts close and the cycle is repeated.

Initial state: dormant, with switch S1 and the relay K1 and K2 contacts open (i.e. the control system de-energized), the timer relay contacts closed, and the tank assumed empty so that the pressure switch contacts are assumed closed. System operation mode: started by depressing switch S1, which applies power to the coil of relay K1, closing the relay K1 contacts; relay K1 becomes electrically self-latched. Closure of the relay K1 contacts allows power to be applied to the coil of relay K2, whose contacts close to start the pump motor. In the shutdown mode, after 20 sec the pressure switch contacts should open, since excess pressure should be detected by the pressure switch, deactivating the control circuit, de-energizing the K2 coil, opening the K2 contacts and thereby shutting the motor off. If there is a pressure switch hang-up (emergency shutdown mode), the timer relay contacts should open after 60 sec, de-energizing the K1 coil, which then de-energizes the K2 coil, shutting off the pump. Assume that the timer resets itself automatically after each trial, that the pump operates as specified, and that the tank is emptied of fluid after each cycle.

Flowchart of Pumping System
[Figure: mode flowchart: READY MODE (reset switch, K1 and K2 contacts open; timer relay and pressure switch contacts closed; pump stopped) → start-up transition / DEMAND MODE (reset switch momentarily closed; K1 energized and latched; K2 energized and closed; timer starts timing; pump starts) → PUMPING MODE (pumping and monitoring) → transition to ready (pressure switch contacts open; K2 de-energized; pump stops; timer resets) or EMERGENCY SHUTDOWN (assume pressure switch hang-up: pressure switch fails closed; timer times out; K1 and K2 contacts open; pump stops).]

FTA Examples: Pumping System
- Sequences of failure events leading to system hazards:
  - Pressure switch fails to open → timer fails to time out → overpressure → rupture of tank.
  - Reset switch fails to close → pump does not start → fluid becomes unavailable from the tank.
  - Leak of flammable fluid from the tank → relay sparks → fire.
- Undesired TOP event: rupture of the pressure tank after the start of pumping.
- It should be written to specify a WHAT and a WHEN.
- Ask the question: can this fault consist of a component failure? If the answer is YES, add an OR gate under the TOP event and consider primary, secondary and command failures.
- Continue on to the secondary failure: tank rupture can be caused by (or/and) ...
- Consider the fault event "K2 relay contacts remain open for t > 60 sec".
- Can this consist of a component failure? Yes: the contacts could jam, weld or corrode shut; add an OR gate for primary, secondary and command failures.
- Consider the command fault: it involves the proper operation of the component but in the wrong place or at the wrong time, due to an erroneous signal or command from another component.
- Erroneous signal: application of EMF to the relay coil. This is caused by two events together: add an AND gate, etc.
[Figure: fault tree for the pressure tank: "K2 relay contacts remain closed for t > 60 sec" (alongside "tank ruptures under other out-of-tolerance conditions") ← OR ← K2 relay secondary failure | EMF to K2 relay coil for t > 60 sec ← AND ← EMF remains on pressure switch contacts when PS contacts closed for t > 60 sec | pressure switch contacts closed for t > 60 sec ← OR ← pressure switch secondary failure | excess pressure not sensed by pressure-actuated switch. EMF remains on PS contacts ← EMF through S1 switch contacts when PS contacts closed for t > 60 sec ← OR ← S1 switch secondary failure to open | EMF through K1 relay contacts when PS contacts closed for t > 60 sec ← OR ← K1 relay contacts fail to open (K1 relay secondary failure) | timer relay contacts fail to open when PS contacts closed for t > 60 sec ← OR ← timer does not time out due to improper setting/installation | timer relay secondary failure.]

FTA Examples: A Reactor System
[Figure: reactor system: reactor, temperature sensor, valve actuator, valve C, bypass.]
[Figure: fault tree for the reactor system (Fig. 2.22); labels not legible.]

Advanced FTAs: gates
- AND gate: the output event occurs if all input events occur simultaneously.
- OR gate: the output event occurs if any one of the input events occurs.
- INHIBIT gate: the input produces the output when the conditional event occurs.
- Priority AND gate: the output event occurs if all input events occur in the order from left to right.
- Exclusive OR gate: the output event occurs if one, but not both, of the input events occur.
- m-out-of-n gate (voting or sample gate): the output event occurs if m out of the n input events occur.

Advanced FTAs: event symbols used to construct a fault tree
- Circle: basic component failure event with sufficient data.
- Diamond: undeveloped event.
- Rectangle: state of system or component event.
- Oval: conditional event, used with the inhibit gate.
- House: house event, either occurring or not occurring.
- Triangle: transfer symbol.

What they mean:
- Circle: represents a failed component. These events are called basic events and are usually primary failures requiring component replacement.
- Rectangle: the status of the event, or an intermediary event leading up to another event. It is representative of the gate in the fault tree.
- Diamond: events that are undeveloped, meaning that no analysis has been done on the event, but it is assumed to be an initiating or participating factor for another chain of events.
- House: used to simulate an input or a scenario that might not even be a real scenario. It allows for analysis with greater
detail or more ease at times Triangle compressed representation of a fault tree to be used in another fault tree FTA Conclusions 0 Fault Tree analysis FTA is a topdown approach to failure analysis Identi es all the possible causes of a speci ed undesired TOP event A structured topdown deductive analysis Leads to improved understanding of system characteristics design flaws insuf cient operational and maintenance procedures may be revealed and corrected Not fuy suitable for modelling dynamic scenarios It is binary fail or succeed and therefore may not address some of the problems System failure or accident the top event The fault tree consists of sequences of events that lead to system lailure or accident The sequences of events are built by AND OR or other logic gates The events above the gates and all events that have a more basic cause are denoted by rectangles with the event described in the rectangle The sequences finally lead to basic cause for which there is failurerate data available The basic causes are denoted by circles and represent the limit oi resolution of the lault tree ME 5 I9 5 5 Risk Based Design Prof remYTumer Mechanical Industrial amp Manufacturing Engineering Oregon State University Fall 2007 Lectures 4 Reliability Engineering Reliability Measures amp Models Today s Lecture Reliability Engineering Process Reliability Measures Reliability Block Diagrams QRA paper discussion maybe next week Reliability Analysis Tools 0 Reliability engineering requires a careful analysis of potential failures and underlying causes 0 Reliability block diagrams for prediction assessment amp optimization 0 FMEAFMECA bottomup failure analysis component to system 0 FTA topdown analysis systemlevel event to component 0 All use reliability measures based on probabilityreliability theory Reliability Theory Measures 0 Recall Reliability theory is the foundation of reliability engineering 0 Four key elements 0 Reliability is a probability there is always a chance of failure 
0 Predicated on intended function operation without failure even if no individual part fails 0 Applies to a speci ed period oftime units might differ per domain miles for automobiles cycles of use for machinery etc 0 Restricted to operation under speci ed conditions Mars Rover will have different speci ed conditions than a family car Reliability Measures 0 Life of a system or timetofailure cannot be de ned deterministically 0 Must assign a probability function to the timetofailure t 0 Let T be the timetofailure random variable Probability Basic De nitions 0 Probability Density Function pdf ft indicates the failure distribution over the entire time 0 The larger ftthe more failures occur in a small interval around t 0 Not used to measure reliability but the basic tool to derive other metrics 0 Cumulative Distribution Function cdf Ft indicates the probability that a product will fail by a speci ed time t the probability of failure population fraction failing by time t 0 Let T be the timetofailure random variable mathematically cdf FtPTSt j ftdt dFt leI P f t dt Reliability Measures 0 Rt Reliability Function also called survival function at time t population fraction surviving at time t 0 Reliability is the probability that the system will not fail by time t ie probability of success complement of Ft RtPTgtt1 PTSt 1 Ft1 j ftdt of ftdt Reliability Measures 0 ht Hazard rate or hazard functionsame concept as failure rate 0 De ned mathematically as the limit of the instantaneous failure rate given no failures up to time t ht Rt 0 Note that the hazard rate for an exponential distribution is equal to the failure rate more on this later ht l 0 Units failures per unit time Reliability Measures 0 Failure Rate Rate at which failures occur in a speci ed time interval 0 Number of failures divided by total operating hours failure rate per hour percentage of failuresIOOO hours or failuresmillion hrs A failures hours Computing Failure Rates InClass Exercise 0 Test performed to 
estimate failure rate of a component ten identical components tested until they either fail or reach 000 hours Test results Component Hours Failure I IOOO No failure 2 IOOO No failure 3 467 Failed 4 IOOO No failure 5 630 Failed 6 590 Failed 7 IOOO No failure 8 285 Failed 9 648 Failed lo 882 Failed TOTAL 7502 6 Computing Failure Rates Component Hours Failure l 000 No failure 2 000 No failure 3 467 Failed 4 000 No failure 5 630 Failed 6 590 Failed 7 000 No failure 8 285 Failed 9 648 Failed lo 882 Failed TOTAL 7502 6 Estimated failure rate 6 failures7502 hours 00007998 failureshr 7998 X e6 failureshr or 7998 failures for every million hours of operation Other Reliability Measures 0 MTTFMean time to Failurethe expected or mean value of the time to failure random variable 0 MTBFMean time between failuresthe inverse of failure rate 1 MTBF A MTTF Et Tatum imam Other Reliability Measures 0 Maintainability probability that a system will be restored to a satisfactory operating condition within a speci ed interval of downtime 0 Factors to improve maintainability include accessibility builtin testdiagnostics modularity standardization color coding etc 0 MTTRzTime to repair 0 Availability a function of both reliability and maintainability 0 A MTBFMTBFMTTR considering operating time amp corrective maintenance time only 0 Durability a special case of reliability Failure Distributions Several well known distributions have been found in practice to describe failure characteristics of different items Cannot assume that any one distribution is applicable in all instances Typical distributions include Exponential Describes the time between consecutive rare random events in a process with no memory prob of a product failing in the next small interval of time is independent of time good for modeling random failures LogNormal Used if variable is multiplicative product of many small independent factors Weibull Often used for life data analysis because it can mimic behavior of other 
distributions such as exponential and normal.
  - Poisson: describes a very large number of individually unlikely events.

Probability Distributions
[Figure: pdf of the normal distribution for several parameter values; pdf and cdf of the Weibull distribution for several values of k (k = 1, 2, 3, 4). Axis ticks not reproduced.]

Deriving R(t) from a pdf/cdf
- Example: time to failure is exponentially distributed with parameter λ.
  - One of the well-known distributions describing failure characteristics.
  - Popular for modeling the life of electronic components (radar, aircraft and spacecraft electronics, etc.).
  pdf:                   f(t) = λ e^(−λt),  t ≥ 0
  cdf:                   F(t) = ∫_0^t λ e^(−λt) dt = 1 − e^(−λt)
  Reliability function:  R(t) = 1 − F(t) = e^(−λt)

Deriving Reliability Measures: HW2, Part 1
- Given the failure rate data of the previous example, and assuming the component failure data follows an Exponential distribution, derive the rest of the reliability measures.

Deriving R(t) from a pdf/cdf
- Example: time-to-failure is Weibull distributed.
  - Another well-known distribution describing failure characteristics.
  - Very flexible: can model each phase of the Bathtub curve.
  - Good for components whose failures are driven by degradation.
  pdf:  f(t) = (β/α) (t/α)^(β−1) exp[−(t/α)^β],  t ≥ 0
  cdf:  F(t) = 1 − exp[−(t/α)^β]

Deriving Reliability Measures: HW2, Part 2
- Assuming the life of an automotive component is Weibull with alpha = 6.2 × 10⁵ miles and beta = 3, calculate F(t), R(t) and h(t) at the end of the warranty period of 36,000 miles.

Next: Reliability Models
- Up to now the measures we discussed were for one component or subsystem only.
- How do you compute reliability for a total SYSTEM composed of many components/subsystems?

Reliability Models
- Reliability Block Diagrams: a model that can serve as the basis for accomplishing reliability allocation, reliability prediction and subsequent design analysis
& evaluation.
- A graphical representation of the logic connection of components within a system; reliability block diagrams are developed to show component relationships, which are then used for reliability analysis.
- Should evolve directly from functional analysis.
- Individual reliabilities are combined using series and/or parallel network representations to compute system-level reliability.
- Used for bottom-up reliability prediction and top-down reliability allocation.
- Used to identify weak areas and areas for design improvements.

Reliability Block Diagrams: In-Class Exercise
- A hierarchical decomposition of an automobile consisting of body, powertrain, electrical and chassis subsystems, broken down further into multiple lower-level subsystems.
- Assume that from a reliability perspective the automobile is a series system, which fails if one or more subsystems break.

[Figure: automobile hierarchy. Body: Exterior, Interior. Powertrain: Engine, Transmission, Axle. Electrical: Power Supply, Customer Features, Vehicle Control. Chassis: Brakes, Suspension.]

Reliability Block Diagrams: First-Level Subsystems in Series
[Figure: Body → Powertrain → Electrical → Chassis.]

Reliability Block Diagrams: Second-Level Subsystems in Series
[Figure: Exterior → Interior → Engine → Transmission → Axle → Power Supply → Customer Features → Vehicle Control → Brakes → Suspension.]
- Note the increase in the complexity of the reliability block diagram: the RBD of a typical automobile has over 12,000 blocks (component or part).

Reliability Block Diagrams
- IMPORTANT: physical configurations in series or in parallel do not necessarily indicate the same logic relations in terms of reliability.
  - An automobile engine may have six cylinders connected in parallel mechanically.
  - From a reliability perspective the six cylinders are in series, because the engine will fail if one or more cylinders fail.
- Constructing the reliability block diagram can be time-consuming for large-scale systems.
  - Commercial software packages available.
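The measures defined above (failure rate from test data, exponential and Weibull F(t), R(t), h(t) and MTTF) and the block-diagram networks introduced in the slides that follow (series, parallel, combination and standby) are implemented below as an added example. This is not code from the course notes; the test data copies the in-class exercise, the automobile failure rates are as read from the scanned slide, and the combination network follows the slide's success paths ABCE, ABCF, ABDE, ABDF, G. The block algebra is cross-checked by enumerating every component up/down state, so the reader can see that the series/parallel shortcuts and the brute-force probability agree.

```python
import math
from itertools import product as cartesian

# ---- Component-level measures (the "Reliability Measures" slides) ----

# Constructed copy of the slide's in-class test: (hours on test, failed?) for ten components.
TEST_DATA = [(1000, False), (1000, False), (467, True), (1000, False), (630, True),
             (590, True), (1000, False), (285, True), (648, True), (882, True)]

def failure_rate(records):
    """lambda = number of failures / total operating hours (failures per hour)."""
    failures = sum(1 for _, failed in records if failed)
    hours = sum(h for h, _ in records)
    return failures / hours

def exponential(lam, t):
    """F(t), R(t), h(t) and MTTF for an exponential time-to-failure with rate lam."""
    R = math.exp(-lam * t)
    f = lam * R                      # pdf: lam * e^(-lam t)
    return {"F": 1 - R, "R": R, "h": f / R, "MTTF": 1 / lam}

def weibull(alpha, beta, t):
    """Weibull with scale alpha and shape beta, in the slide's notation."""
    z = (t / alpha) ** beta
    R = math.exp(-z)
    f = (beta / alpha) * (t / alpha) ** (beta - 1) * R
    return {"F": 1 - R, "R": R, "h": f / R, "MTTF": alpha * math.gamma(1 + 1 / beta)}

def hazard_trend(alpha, beta, t1=100.0, t2=1000.0):
    """Bathtub phase modelled by the shape: beta<1 infant mortality (decreasing h),
    beta=1 random failures (constant h, the exponential case), beta>1 wear-out (increasing h)."""
    h1, h2 = weibull(alpha, beta, t1)["h"], weibull(alpha, beta, t2)["h"]
    if math.isclose(h1, h2, rel_tol=1e-9):
        return "constant"
    return "increasing" if h2 > h1 else "decreasing"

# ---- System-level models (Reliability Block Diagrams) ----

def series(rels):
    """Every block must work: product of the reliabilities (independence assumed)."""
    return math.prod(rels)

def parallel(rels):
    """System works while any block works: 1 - product of the unreliabilities."""
    return 1 - math.prod(1 - r for r in rels)

def standby_one_spare(lam, t):
    """Exponential unit with one cold standby and a perfect switch (Poisson count of
    failures in [0, t] at most 1): R = e^(-lam t) * (1 + lam t)."""
    return math.exp(-lam * t) * (1 + lam * t)

def combination_network(r):
    """The slide's combination network, success paths ABCE, ABCF, ABDE, ABDF, G:
    G in parallel with the chain A -> B -> (C || D) -> (E || F)."""
    chain = series([r["A"], r["B"], parallel([r["C"], r["D"]]), parallel([r["E"], r["F"]])])
    return parallel([chain, r["G"]])

def exact_by_enumeration(r, paths):
    """Cross-check of the block algebra: sum the probability of every up/down state
    of the components in which at least one success path is fully intact."""
    names = sorted(r)
    total = 0.0
    for states in cartesian((True, False), repeat=len(names)):
        up = {n for n, s in zip(names, states) if s}
        if any(set(p) <= up for p in paths):
            total += math.prod(r[n] if n in up else 1 - r[n] for n in names)
    return total

# Automobile in-class exercise: first-level subsystems in series, exponential lifetimes with
# failure rates per 1000 miles (values as read from the scanned slide), evaluated at 36,000 miles.
AUTO_RATES = {"body": 5.1e-4, "powertrain": 6.32e-4, "electrical": 5.53e-4, "chassis": 4.8e-4}

def automobile_series_reliability(t_kmiles=36.0):
    return series([exponential(lam, t_kmiles)["R"] for lam in AUTO_RATES.values()])

if __name__ == "__main__":
    lam = failure_rate(TEST_DATA)
    print(f"lambda = {lam:.7f} /hr = {lam * 1e6:.1f} failures per million hours")
    print(f"vehicle R(36,000 mi) = {automobile_series_reliability():.4f}")
    r = dict.fromkeys("ABCDEFG", 0.9)
    print(combination_network(r), exact_by_enumeration(r, ["ABCE", "ABCF", "ABDE", "ABDF", "G"]))
```

Two things the slides state but do not show numerically fall out of this code: the series system is always less reliable than its weakest subsystem, and one cold standby unit beats two identical units in active parallel, since e^(−λt)(1 + λt) − [1 − (1 − e^(−λt))²] = e^(−λt)(λt − 1 + e^(−λt)) ≥ 0.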
- Basic tool for system reliability analysis (application to fault tree analysis later).

Reliability Block Diagrams
- Series networks: a system where one or more components failing will result in failure of the entire system.
  - All components must operate in a satisfactory manner if the system is to function properly.
  - Total reliability of the system is the product of the individual subsystem/component reliabilities.
  - Assumption of independence: failure of one component does not affect the life of other components.
  [Figure: Input → A → B → C → Output]
  R_system = ∏_{i=1}^{n} R_i = R_A × R_B × R_C

Reliability Block Diagrams
- Note that for series networks:
  - System reliability is less than the reliability of any one component.
  - System reliability decreases rapidly as the number of components in the system increases.
  - Supports the principle of minimizing the complexity of an engineering design.

Reliability Block Diagrams: In-Class Exercise
- For the automobile first-level subsystems in the previous example, assume series reliability logic, where the lifetimes of the body, powertrain, electrical and chassis subsystems are exponentially distributed with the given failure rates per 1000 miles.
- Calculate the reliability R(t) of the vehicle at 36,000 miles.
  λ1 = 5.1 × 10⁻⁴,  λ2 = 6.32 × 10⁻⁴,  λ3 = 5.53 × 10⁻⁴,  λ4 = 4.8 × 10⁻⁴  (per 1000 miles)

Models: Reliability Block Diagrams, HW2 Part 3
- For the automobile system in the previous exercise, compute reliability R(t) assuming the times to failure of the components in the system are modeled with the Weibull distribution.

Reliability Block Diagrams
- Parallel networks: several components are in parallel, where all components must fail to cause a total system failure.
  - System succeeds if one or more components are operational.
  - Parallel (redundant) networks are used to improve system reliability.
  [Figure: Input → (A ∥ B ∥ C) → Output]
  R_system = 1 − ∏_{i=1}^{n} (1 − R_i) = 1 − (1 − R_A)(1 − R_B)(1 − R_C)

Reliability Block Diagrams
- Note that for parallel networks:
  - Reliability of the system increases with the number of components within the system.
  - A means to increase overall system reliability.
  - Typically used for
safety-critical systems such as aircraft and spacecraft.
  - Must be weighed against other criteria such as the extra cost and weight due to the increased number of components.
  - Parallel design is rarely used for improving automobile reliability, due to cost considerations.

Reliability Block Diagrams: HW2 Part 4
- See the reliability block diagram for a lighting system below. Suppose that the lighting system uses three identical bulbs and that the other components in the system are 100% reliable. The times to failure of the bulbs are Weibull with parameters alpha = 1.35 and beta = 35,000 hours. Calculate the reliability of the system after 8760 hours of use.
[Figure: reliability block diagram of the lighting system; only the label "Bulb 3" is legible in the scan.]

Models: Reliability Block Diagrams
- Combinations of networks: redundancy added at different levels.
  - System level: block G is redundant with all the other blocks combined.
  - Block C is redundant with block D at a different level.
  [Figure: combination network, Input → Output.]

Models: Reliability Block Diagrams
- In-class exercise: what paths will result in successful system operation?
  ABCE, ABCF, ABDE, ABDF, G

Models: Reliability Block Diagrams
- Standby redundancy: the standby unit is not operational until a failure-sensing device senses a failure and switches operation to the other subsystem; use the Poisson distribution to determine reliability.
  - Reliability of standby systems is higher than the reliability of a system with operating redundancy.
  [Figure: standby configuration, Input → Output.]

Models: Reliability Block Diagrams, HW2 Part 5
- For an electronic system consisting of 3 subsystems A, B and C, with components in series and in parallel and with individual reliabilities provided, and assuming all parts operate independently, compute the overall reliability of the system.

ME 519/515 Risk Based Design
Prof. Irem Y. Tumer
Mechanical, Industrial & Manufacturing Engineering, Oregon State University
Fall 2007

Lecture 7: Risk Analysis Methods, FMEA/FMECA

Today's Lecture
- Definitions
- FMEA/FMECA Procedure
- Examples

Definitions
- Failure: inability of an item to perform a required function.
- Fault: the state of the system
characterized by its inability to perform its required function; a state resulting from a failure.
  - Different from an error, defined as a discrepancy between a computed, observed or measured value and the true, specified or theoretically correct value.
- Failure Mode: a description of a fault.
- Failure Mechanism: the physical or chemical process or deficiency causing the failure.
- Failure Cause: the circumstances during design, manufacturing or use which have led to a failure.
- Severity: the impact of the failure mode on the system as a whole and on the outside environment.

Reliability Analysis Methods
- White-box modeling and analysis for multi-component systems.
- Recall: system failure is modeled in terms of the failures of the components of the system.
- Linking of component failures to system failures can be done by:
  - Bottom-up (forward) approach: FMEA/FMECA. Start with failure events at the component level and proceed forward to the system level to evaluate the consequences on the system.
  - Top-down (backward) approach: ETA/FTA. Start at the system level and proceed backward (downward) to the component level.
- Can be done either qualitatively (focus on causal relations) or quantitatively (focus on measures).

FMEA/FMECA
- FMEA / FMECA: Failure Mode, Effects (and Criticality) Analysis.
- Design technique used to identify and investigate potential system failures and weaknesses: reviewing a system in terms of its components to identify failure modes, causes and effects.
- History:
  - Originally developed by the US military to classify failures according to impact on mission success and personnel/equipment safety (1949).
  - Used on the Apollo space missions in the 1960s.
  - Adopted by Ford Motor Company in the 1980s following the design flaws in the Pinto, to prevent the rupture of the fuel tank in a crash leading to a fire.
  - All automobile companies require an FMEA program.

FMEA/FMECA
- Basic questions answered (IEEE Standard 352):
  - How can each part conceivably fail?
  - What mechanisms might produce these failure modes?
  - What could the effects be if the failures did occur?
  - How is the failure detected?
  - What inherent provisions are provided in the design to compensate for the failure?
  - What is the severity ranking (MIL-STD 882)?
- Generates a document that records: function, failure mode/failure mechanism, failure cause, failure effects, detection methods/controls, ranking of criticality/severity (FMECA), recommended actions.

FMEA/FMECA Language
- Function: lubricate, position, retain, support, etc.
  - Use of an active verb and noun (see list).
- Failure: broken, worn, noise, rust, etc.
- Failure Mode: open circuit, cracked, brittle, dirty, corroded, misaligned, leak, hole, missing, etc.; provide physical failure mechanisms when possible.
- Causes of Failure: item does not work, vibration, shock loads, worn bearings, voltage surge, human error, poor skills, etc.; trying to identify the root cause in order to eliminate the failure.
- Effects of Failure: noise, unstable operation, impaired, unpleasant odor, does not work, excessive effort required, loss of life, etc. What happens when a failure occurs? What are the consequences?

FMEA/FMECA Language
- Existing Controls/Detection Methods: controls that exist to prevent causes of failure from occurring during process, design or service.
  - Design guidelines, design reviews, validating the process for certain production, capability studies, operator training, durability tests, design of experiments, finite element analysis, simulation testing, trial testing, probabilistic modeling, inspections, routine maintenance, etc.
- Recommended Actions: actions to be taken to reduce the severity or occurrence and/or increase the detection.
  - No action taken at this time; add built-in detection devices (sensors); provide alternatives to the design/service; add redundant systems.
- Data: system installation and checkout procedures, operating and maintenance instructions, inspection reports, calibration procedures, modifications, drawings, specifications, etc.

Verbs & Nouns for FMEA
Table 11: Verbs and nouns for system/design FMEA. A partial list of verbs and nouns used in the construction of a system FMEA is provided.
  Verbs: actuate, amplify, apply, change, close, collect, conduct, contain, control, create, decrease, emit, establish, fasten, filter, hold, ignite, impede, improve, increase, induce, insulate, interrupt, limit, locate, maintain, modulate, mount, move, prevent, protect, rectify, reduce, repel, rotate, secure, shield, shorten, space, support, switch, transmit.
  Nouns: appearance, circuit, contacts, contamination, convenience, current, damage, density, dust, effect, energy, features, flow, fluid, force, form, friction, heat, insulation, light, liquid, noise, oxidation, paint, panel, piston, protection, radiation, repair, rust, style, symmetry, time, torque, vibration, voltage, volume, weight.

Verbs & Nouns for FMEA
Table C2: Verbs and nouns for process/service FMEA. A partial list of verbs and nouns used in the construction of a process FMEA is provided.
  Verbs: allow, apply, bake, band, compress, convey, decrease, discard, drive, dry, eliminate, finish, form, generate, improve, lift, minimize, modify, move, produce, receive, reduce, remove, resist, restrict, shape, sort, stake, store, support, transmit, transport, weigh, wrap.
  Nouns: corrosion, current, decor, effort, electricity, energy, environment, equipment, fire, fixtures, force, friction, light, material, motion, power, shape, supplies, tools, torque, voltage, waste.

FMEA/FMECA Quantification
- When an FMEA is quantified, we have an FMECA: a criticality rating (a measure of severity, probability of failure occurrence and detectability) gives the Risk Priority Number (RPN).
- In most formal systems the consequences are evaluated by three criteria, with risk indices for each ranging from 1 to 10:
  - S: severity
  - O: probability/likelihood of failure occurrence
  - D: detectability
- Overall risk of each failure is quantified by the Risk Priority Number:
  RPN = S × O × D
- Potential failures are prioritized using RPN to decide which actions to take to reduce the risk.

FMEA/FMECA Quantification
- Severity is a rating corresponding to the seriousness of an effect of a potential failure mode, determined by the degree of injury, property damage or system damage that could eventually occur. Takes a number on a scale from 1 to 10.
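As an added example (not from the course notes), the RPN = S × O × D prioritization from this slide is worked through on a small FMECA worksheet. The failure modes are the ones listed for the hydraulically operated gate valve class exercise in these notes; the S, O and D ratings, the RPN threshold of 100 and the severity floor of 9 are illustrative assumptions. The `needs_action` rule shows a caveat practitioners apply to pure RPN ranking: a catastrophic but rare and easily detected mode gets a small product and would otherwise sink to the bottom of the list.

```python
from dataclasses import dataclass

@dataclass
class FailureMode:
    """One row of an FMECA worksheet: S, O, D each on the 1-10 scale of the slide."""
    item: str
    mode: str
    severity: int     # S: seriousness of the effect (10 = most severe)
    occurrence: int   # O: likelihood the cause and failure mode occur over the design life
    detection: int    # D: likelihood current controls miss it (10 = least detectable)

    def __post_init__(self):
        for name, value in (("S", self.severity), ("O", self.occurrence), ("D", self.detection)):
            if not 1 <= value <= 10:
                raise ValueError(f"{name} rating {value} is outside the 1-10 scale")

    @property
    def rpn(self):
        return self.severity * self.occurrence * self.detection   # RPN = S x O x D

def rpn(s, o, d):
    return FailureMode("", "", s, o, d).rpn

def prioritize(modes):
    """Highest RPN first; ties broken by severity so the more dangerous mode is listed first."""
    return sorted(modes, key=lambda m: (m.rpn, m.severity), reverse=True)

def needs_action(modes, rpn_threshold=100, severity_floor=9):
    """A mode is flagged when its RPN reaches the threshold OR its severity alone reaches
    the floor (both thresholds are assumed values for this example)."""
    return [m for m in modes if m.rpn >= rpn_threshold or m.severity >= severity_floor]

# Constructed worksheet for the hydraulically operated fail-safe gate valve from the class
# exercise. The failure modes are the slide's; the S/O/D ratings are illustrative assumptions.
VALVE_MODES = [
    FailureMode("Gate valve", "Fails closed", severity=7, occurrence=3, detection=4),
    FailureMode("Gate valve", "Fails open", severity=9, occurrence=2, detection=3),
    FailureMode("Gate valve", "Does not open fully", severity=4, occurrence=5, detection=5),
    FailureMode("Gate valve", "Does not respond to controller", severity=8, occurrence=3, detection=2),
    FailureMode("Gate valve", "Leaks through valve", severity=6, occurrence=4, detection=6),
    FailureMode("Gate valve", "Leaks around valve", severity=6, occurrence=3, detection=5),
]

if __name__ == "__main__":
    for m in prioritize(VALVE_MODES):
        print(f"{m.mode:32s} S={m.severity:2d} O={m.occurrence:2d} D={m.detection:2d} RPN={m.rpn:4d}")
    print("action items:", [m.mode for m in needs_action(VALVE_MODES)])
```

With these constructed ratings, "Fails open" (S = 9) has the second-lowest RPN (54) yet is still flagged for action, which is exactly the case the severity floor exists for.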
- Occurrence is a rating corresponding to the rate at which a first-level cause and its resultant failure mode will occur over the design life of the system (over the design life of the product, or before any additional process controls are applied). Takes a number on a scale from 1 to 10.
- Detection is a rating corresponding to the likelihood that the detection methods or current controls will detect the potential failure mode before the product is released for production (for design) or before it leaves the production facility (for process). Takes a number on a scale from 1 to 10.

Typical Ratings for S, O, D
[Table: typical 1–10 rating scales for severity, occurrence and detection. The scan is largely illegible; recoverable fragments: severity runs from an insignificant annoyance (slight downgrade in productivity), through a partial or complete loss of function without a safety effect, to an effect on safe system operation or on compliance with governmental regulation, with and then without warning; detection runs from the potential failure being detected or prevented before reaching the next customer, to an undetected failure reaching the next customer.]

Word Description of Scales
Table E2: Word description of the 1–5 scale for design FMEA. (Note: this guideline is only a sample; it may be changed to suit specific applications.)

  Ranking  Probability of occurrence          Frequency                          Degree of severity                      Likelihood of detection                               Probability of defective product reaching the customer
  1        Very low or none                   Rare: <1 per 10^n (exponents       Minor nuisance                          Detectable before service is released                 Very low to none
                                              illegible in the scan)
  2        Low or minor                       Infrequent: 2 to 10 per 10^n       Product operable at reduced performance Detectable after release but before production        Low or minor
  3        Moderate or significant            Moderate: 11 to 25 per 10^n        Gradual performance degradation         Detectable before reaching the customer               Moderate or significant
  4        High                               Frequent and high: 26 to 50 per 10^n  Loss of function                     Detectable only by customer and/or during service     High
  5        Very high or catastrophic          Very high to catastrophic: >50 per 10^n  Safety-related catastrophic failures  Undetectable until catastrophe occurs          Very high

Numerical Guidelines

  Rank                       Mechanical or electromechanical industry  Electronics or semiconductor industry  Medical devices  Automotive industry  General guidelines for severity
  1  very low                ≤ 1 in 10,000                             ≤ 1 in 1 million                       ≤ 1 in 100,000   ≤ 1 in 10,000        None
  2  low or minor            2 to 10 in 10,000                         2 to 10 in 1 million                   2 to 10 in 100,000  ≤ 1 in 2000       Minor
  3  moderate or significant 11 to 25 in 10,000                        11 to 25 in 1 million                  11 to 25 in 100,000  ≤ 1 in 500       Significant
  4  high                    26 to 50 in 10,000                        26 to 50 in 1 million                  26 to 50 in 100,000  ≤ 1 in 50        High
  5  very high               >50 in 10,000                             >50 in 1 million                       >50 in 100,000   ≥ 1 in 10            Catastrophic

FMEA/FMECA Roadmap
[Figure: flow chart. Identify potential failure mode → Identify potential effects of failure mode → Determine severity → Identify potential cause(s) of failure mode → Determine occurrence → Evaluate current controls or design verification process → Determine detectability → Determine RPN → Identify actions leading to improvement.]

Typical FMEA Worksheet
  Part No. | Potential Failure Mode | Potential Effects of Failure | Severity (S) | Potential Causes | Occurrence (O) | Current methods for detection | Detection (D) | RPN (S×O×D) | Recommended Action

Sample Generic FMEA
[Table: sample of a generic system FMEA. Header fields: System, Subsystem, Subsystem element, Prepared by, Approved by, Date, Revision, Page 1 of _. Columns: Identification; Component or assembly; Item function; Failure mode; Failure cause; Failure effect on next higher assembly; Failure effect on system; Failure detection method; Remarks. Legible rows:]
  Switch | Initiates power circuit | Fails to open | Release spring failure | None | Maintains energy to power circuit through relay | Motor continues to
run | Smoke/visual
  Battery 1 | Provides relay circuit voltage | Fails to provide adequate power | Depleted battery | None | Fails to operate relay circuit | System fails to operate | Motor not running
  Relay coil | Closes relay contacts when energized | Fails to produce EMF | Coil shorted or open | Does not close relay contacts | Does not energize power circuit | System fails to operate | Motor not running
  Relay contacts | Energizes and de-energizes power circuit | Fails to open | Contacts fused | None | Maintains energy to motor | Motor continues to run | Smoke/visual
  Motor | Provides desired mechanical event | Fails to operate | Motor shorted | Motor overheats | High current in power circuit; circuit breaker opens | (remainder illegible) | Smoke/visual
  Circuit breaker | Provides power to motor | Fails to open | Contacts fused; spring fails | None | (remainder illegible) | Motor continues to run | Smoke/visual
  Battery 2 | Provides motor power circuit voltage | Fails to provide adequate power | Depleted battery | None | System fails to operate | Motor not running
Example: sample of a generic system FMEA.

FMEA/FMECA
- Class exercise
  - Hydraulically operated fail-safe gate valve, used extensively in many industries to control fluid flow; e.g. the valve can be a subsystem of a complex processing system such as an oil refinery.
  - The valve is held open by hydraulic pressure and the spring is compressed. When the pressure is released (bled off), the spring reverts to its normal uncompressed state and the valve closes.

FMEA/FMECA
- Class exercise
  - Essential Function
  - The different Failure Modes
  - The effects of failure modes
[Figure: cross-section of the hydraulically operated fail-safe gate valve; legible labels include hydraulic operation, spring, seal and gate. Source credit line illegible in the scan.]

FMEA/FMECA
- Class exercise
  - Essential Function: control the flow of fluid in a pipe; more specifically, stop the flow of the fluid at the appropriate time.
  - The different Failure Modes and their effects:

  Failure Mode                     Effect
  Fails closed                     Flow can not be stopped
  Fails open                       No flow
  Does not open fully              Flow less than full
  Does not respond to controller   Loss of control over flow
  Leaks through valve              Loss of fluid, potential hazard
  Leaks around valve               Loss of fluid, potential hazard

  - Severity ranking depends on the environment and the type of fluid flowing through the pipe.

FMEA/FMECA Phases
- System FMEA
- Design FMEA
- Process FMEA
- Service FMEA

FMEA/FMECA Diagrams
- Functional Structure Decomposition
- Functional Flow Diagrams
- Process/Step Diagrams

Example of a Functional Flow Diagram
[Figure 12.16: Package-handling plant functional flow diagram. Top level: incoming package unloading, package processing, package distribution, outgoing package loading. Second level (package processing): transfer package from unloading cart to rollers, position package on sled (photo cell), align package to side pan for label application, determine height and transmit package information to label applicator, apply label to package; (package distribution): merge package flow from three lines to a single belt, align packages to side pan for proper diversion, check label and decode label information, divert package. Questions posed alongside the diagram: What is likely to fail? How is it likely to fail (mode)? What are the likely effects on other functions or elements of the system? How critical is this failure in terms of impact on the ultimate mission of the system? How often is it likely to fail? What can be done to preclude the failure?]

Procedure for FMEA
- Define the main system: clearly define the intended functions and
system boundaries, to avoid overlooking key elements or penalizing a system by associating other outside equipment.
[Figure: Compressed Air System, boundary of analysis. Intended functions: provide compressed air at 100 psig; remove moisture and contaminants from the air; contain the compressed air. Other labelled elements: breaker supplying power to the compressor; power supply bus for the compressor; lines in pneumatic equipment; air intake with rain cap; air intake filter. The scan does not make clear which of these lie within the scope of analysis.]

Procedure for FMEA
- Define the problems of interest:
  - Safety problems: ways in which system failures can result in injury, caused by steering or propulsion failures, hoist and rigging failures, exposure to high temperatures, fires, explosions, etc.
  - Environmental issues: ways in which system failure can affect the environment, caused by equipment failures that result in discharge of material into the water, equipment failures that result in a material spill, seal failures, etc.
  - Economic impacts: ways in which a system failure can have adverse economic impacts due to business risks (vessel detained at port, lost revenue, environmental restoration costs).

Procedure for FMEA
- Choose a type of FMEA to perform:
  - Hardware/component approach: a good choice when every component in the system must be reviewed; difficult when analyzing complex systems or systems that are not well defined.
  [Figure: bottom-up approach. System → Subsystems → Sub-subsystems → Components.]

Procedure for FMEA
- Choose a type of FMEA to perform:
  - Functional approach: when hardware items cannot be uniquely identified, e.g. during conceptual design; focus on the functional intent not being satisfied rather than on specific failure modes of items.
  [Figure: function focus, top-down approach. System → Functions → Subfunctions → Sub-subfunctions → component level.]

Procedure for FMEA
- Subdivide the system by equipment/part or by functions.
- Example of the hardware approach:
  1 Compressed air system
    1.1 Intake subsystem: 1.1.1 rain cap; 1.1.2 air intake; 1.1.3 filter; 1.1.4 pressure gauge; 1.1.5 piping
    1.2 Compressor subsystem: 1.2.1 compressor; 1.2.2 control loop; 1.2.3 (illegible); 1.2.4 piping
  2 Drying system: 2.1 dryer 1; 2.2 dryer 2; 2.3 valves; 2.4 piping; 2.5 moisture alarm
  3 Air receiver subsystem: 3.1 air receiver; 3.2 drain valve; 3.3 pressure gauge; 3.4 sight glass; 3.5 (illegible)

Procedure for FMEA
- Subdivide the system by equipment/part or by functions.
- Example of the functional approach:
  Compressed Air System
  1 Provide compressed air at 100 psig: 1.1 intake air; 1.2 compress air to 100 psig; 1.3 contain air; 1.4 distribute air
  2 Remove moisture and contaminants from the air: 2.1 remove moisture (2.1.1 remove moisture in dryers; 2.1.2 remove moisture in air receiver; 2.1.3 remove moisture in knockout pots); 2.2 remove contaminants

Procedure for FMEA
- Identify potential failure modes.
[Table: functional failures of interest for the function "Compress air to 100 psig". Generic failure conditions and the specific functional failures to consider include: premature operation (starts prematurely, before the system is ready for operation, before the pressure decreases to the demand point for the compressor); fails to operate at the prescribed time; fails to stop at the prescribed time; fails during operation; loss of volume or operational capability; other unique failure conditions (someone is injured during compression operation; oil in the air during compression operation). Several cells illegible in the scan.]

Procedure for FMEA
- Identify potential failure modes (see complete list).

Procedure for FMEA
- Evaluate potential failure modes capable of producing accidents of interest:
  - Mission phase/operational mode: describe how the system is being used.
  - Effects: accidents that are expected if the failure mode occurs, divided into:
    - Local effects: initial changes in system conditions.
    - Higher-level effects: change in the next higher level of equipment or system function.
    - End effects: overall effects on the system.
  - Causes
  - Indications
  - Safeguards

Procedure for FMEA
- Document. Example from a hardware-based FMEA:
  Machine/Process: Onboard compressed air system
  Subject: 1.2.2 Compressor control loop
  Description: on system pressure, starts at 95 psig and stops at 105 psig
  Next higher level: 1.2 Compressor subsystem

Procedure for FMEA
- Document. Example from a function-based FMEA:
  Machine/Process: Compressed air system
  Subject: 1 Provide compressed air at 100 psig
  Description: take in and compress the air to 100 psig and distribute the air without loss to the manufacturing stations or machines
  Next higher level: (none)

Procedure for FMEA
- Perform quantitative evaluation, if necessary. Benefits:
  - Compare overall risk levels against risk acceptance guidelines.
  - Prioritize potential failure modes based on risk, to allocate resources to best manage the most significant risks.
  - Estimate risk reduction, to help justify recommendations generated during the analysis.

Procedure for FMEA
- Use results in decision making:
  - System improvements: FMEA results present specific and practical suggestions for reducing accident exposure associated with a specific system. Suggestions range from changes in design configuration and equipment specifications to better operating and maintenance practices.
  - Maintenance task planning: a very prominent use of FMEA, to establish effective maintenance plans.
  - Spare parts inventories: another prominent use of FMEA, to determine the types and numbers of spare parts to keep.
  - Troubleshooting guidelines: FMEAs contain the information needed to develop effective troubleshooting guidelines.

Procedure for FMEA
- Class Exercise, hardware/component approach: take the virtual dissection of your system and work your way up to the system to come up with the system component hierarchy.

Procedure for FMEA
- Class Exercise, functional approach: what is the overall functionality of your system? Break it down into subfunctions and sub-subfunctions.

ME 519/515 Risk Based Design
Prof. Irem Y. Tumer
Mechanical, Industrial &
Manufacturing Engineering, Oregon State University
Fall 2007

Lecture 2: Basic Concepts of Risk and Uncertainty; Risk Analysis

Today's Lecture
- Definition of RISK
- Risk vs. Uncertainty
- Risk Analysis Process
- Risk Assessment
- Risk Management
- Risk Communication

Risk: What is it?
- Class exercise: define risk.

Risk: What is it?
- Risk: many definitions, depending on application and context.
  - An event with a potential for harm or losses.
  - UNCERTAINTY with a bad (negative) outcome.
- Key components:
  - Likelihood (aka probability or uncertainty).
  - Consequence (losses in dollars, work hours, human lives, etc.).
- RISK = Probability of the event × Consequence of the event

Risk vs. Uncertainty
- Risk and Uncertainty are very commonly used interchangeably.
- Definitions from Decision Theory and Statistics (Doug Hubbard):
  - Uncertainty: a lack of certainty; a state of having limited knowledge about an event, making it impossible to exactly describe the existing state or future outcome.
  - Measurement of Uncertainty: a set of possible states or outcomes where probabilities are assigned to each possible state or outcome.
  - Risk: a state of uncertainty where some possible outcomes have an undesired effect or significant loss.
  - Measurement of Risk: a set of measured uncertainties where some possible outcomes are losses, and the magnitude of those losses.

Risk vs. Uncertainty
- Uncertainty might be only due to a lack of knowledge about obtainable facts.
  - E.g. you might be uncertain about how a new rocket design will work, but you might be able to remove this uncertainty with further analysis and testing.
- Uncertainty might be more fundamental and unavoidable.
  - E.g. inherent variations in manufactured products (tolerances).
  - Uncertainty of a measurement, given in error bars: found by repeating the measurement enough times until you obtain a good estimate of the standard deviation of the values.

Risk vs. Uncertainty
- Example: learning to live with rain (welcome to Oregon).
  - If you do not know whether it will rain tomorrow, you have a state of uncertainty.
  - If you apply probabilities to the possible outcomes using weather forecasts, you have quantified the uncertainty.
  - If you have quantified your uncertainty as a 90% chance of sunshine and are planning a major outdoor event for tomorrow, then you have risk, since there is a 10% chance that it will rain, which is undesirable.
  - If there is potential of monetary loss due to the cancellation of the event in case of rain, then you have quantified the risk, e.g. a 10% chance of losing $50,000.

Risk: Where? When?
- Class exercise
  - Where do you expect to find risks/uncertainty?
  - When do you have to be concerned?

Risk: Why do we care?
[Figure: chart of risk against consequence.]

Risk Considerations
- Must weigh benefits vs. consequences of taking risks.

Risk Considerations
- Class exercise
  - How much of a concern is risk?
  - Think about different types of industries: a small business; custom design and manufacturing (ATS); platform-based design and manufacturing (GM, Nike).
  - Think about government labs with different missions: manned vs. unmanned exploration vs. national defense missions vs. research (NASA, AFRL, Lawrence Livermore labs).

Risk Considerations
- When risk is part of doing business:
  - Ex: ATS
  - Ex: NASA

Risk Considerations
- Where is the risk most pronounced?
  - Phase of the product lifecycle
  - Type of risk

Risk in Different Phases of the Lifecycle
[Figure: lifecycle phases through Operations.]

Types of Risk Considerations
- Technical, Cost, Schedule
[Figure: plots comparing FLOPS, regression, neural network and hybrid methods against thrust, turbine inlet temperature and wing area; axis values not reproduced.]

Risk Analysis Process
- How do you think companies assess, manage and communicate risks? Write down an ideal risk process.

Risk Analysis Process
- In most cases risks cannot be avoided, and in some cases risk is part of the business model and a natural component of technology development.
- It is important to:
  - Identify risks (proactive,
continuous and EARLY).
  - Analyze risks (levels: likelihood, consequence).
  - Assess options.
  - Develop a plan to manage/mitigate risks and recover from failures due to risks.
  - Treat risk as just another design parameter.
  - Design stage: RISK-BASED DESIGN.

Risk Analysis Process
- Risk assessment: identifying sources of potential harm and assessing the likelihood that harm will occur and the consequences.
- Risk management: evaluating which of the identified risks require management, and choosing/implementing the plans or actions required to control or mitigate those risks.
- Risk communication: creating an open dialogue between the various stakeholders (customers and engineers, risk assessors, analysts and managers) to then actively inform all the other processes involved.

Risk Assessment
- Qualitative: examples?
- Quantitative: examples?

Risk Assessment
- Qualitative: lists, discussions, brainstorming sessions, lessons-learned databases, prior knowledge.
- Quantitative: simple rankings, occurrence probabilities.

Qualitative Risk Assessment: Fever Charts
[Figure: likelihood of failure (Minor, Moderate, Significant, High) plotted against consequence of failure (Minor, Moderate, Significant, High). Likelihood descriptors range from "no new technology, systems are off-the-shelf" through "innovative use of existing technologies"; consequence descriptors range from "little or no impact on program objectives" to "major degradation in technical performance that could jeopardize program success".]

Qualitative/Quantitative Risk Assessment
- Simple rankings.
- Fever charts with numbers for likelihood and consequence (1–5).
- FMEAs/FMECAs with numbers (will cover this later in the term).

Qualitative Risk Assessment
- Class exercise: what are some problems with qualitative assessments of risk?

Risk Assessment
- Challenge for engineering systems:
  - Measuring engineering risk is often very difficult.
  - Probability is assessed using case studies: frequency of past similar events.
  - Rare failures are hard to estimate.
  - Huge problem with NASA-type designs (public scrutiny).
  - Requires deep knowledge and lots and lots of analyses.

Quantitative Risk Assessment
- Risk-sensitive industries: e.g. nuclear power and aircraft industries, NASA.
  - Risk managed in a highly quantitative way.
  - Possible failure of a complex series of engineered systems can result in highly undesirable outcomes.
- The usual measure of risk for these types of events:
  RISK = Probability of the event × Consequence

Probabilistic Risk Assessment
- PRA: a systematic and comprehensive methodology to evaluate risks associated with complex engineered technological systems (e.g. airliners, nuclear power plants).
- Accepted for use by US government agencies and regulatory agencies to enhance safety without applying undue conservatism.
- Answers 3 basic questions:
  - What can go wrong (initiating events)?
  - What and how severe are the potential detriments?
  - How likely are they to occur (probabilities or frequencies)?

Probabilistic Risk Assessment
- What can go wrong (initiating events)?
  - Use of technical knowledge of possible causes.
  - Use of FMEA to focus on the most important initiators.
- What and how severe are the potential detriments?
  - Development of event or accident scenarios.
  - Deterministic analyses (thermal, fluid, structural) to describe the phenomena that can occur along the path of the event scenario.
- How likely are they to occur (probabilities or frequencies)?
  - Boolean logic methods for model development (ETA & FTA).
  - Probabilistic & statistical methods to quantify the model.

Probabilistic Risk Assessment
- Class exercise: what are some problems with PRA? (See reading assignment.)

Risk Management
- Class exercise: define risk management.

Risk Management
- Figuring out what might go wrong, deciding what to do about it (or whether to do anything about it), and implementing the necessary steps to prevent/eliminate it, mitigate it and/or reduce its impact.
- Ideal: prioritize to handle the risks with the greatest loss & probability of
occurrence rst 0 In practice very dif cult to balance between high problow loss and low probhigh loss Risk Management Risk avoidance do not perform activity that has risk 0 Losing out on potential gain not flying not going to space Risk reduction implement methods to reduce severity of loss 0 Eg sprinklers to put out re to reduce risk of loss developing software incrementally prototyping Risk retention accepting loss when it occurs 0 Viable strategy for small risks the cost of insuring against risk greater than the total losses sustained Risk transfer causing another party to accept the risk 0 Insurance liability 0 Outsourcing SW development manufacturing customer support Risk Communication 0 Any ideas 0 Meetings charts brainstorming sessions reviews reports informal discussions 0 How effective do you think this is in the real world 0 Think about recent events failureshow much was due to lack of communication or miscommunication about the potential risks 0 Numbers helpbut are they realistic Do they mean anything Example System 0 Class exercise IO minutes Perform risk analysis on the daytoday operation of Rogers Hall 0 List potential failuresevents risks uncertainties consequences 0 Rank consequence from low to high rank l5 0 Rank likelihood from low to high rank l5 0 Place on a 5 by 5 chart likelihood vs consequence Closing Thoughts Most industries deal with risk on a regular basis The number of risks takenaccepted and the impact of that decision depends greatly on the domain situation Most acknowledge risk and uncertainty as one of the fuzziest part of their decision making process during design and development Most admit that prior knowledge or an expert is their main means of assessing risks identifying them deciding whether to do anything about them and what to do about them Most state that a formal and believably quantitative means to do risk analysis would be of great bene t but do not believe that it can be done Next week 0 Select a system to work with 
  throughout the term
- Pick a research topic
- Reading assignment

ME 519/515 Risk Based Design, Prof. Irem Y. Tumer, Mechanical, Industrial & Manufacturing Engineering, Oregon State University, Fall 2007
Lecture 18: RBD Research Methods: FFIP

FFIP Development Summary
- Develop a functional representation for the system
- Develop a configurational representation for the system
  - Direct mapping between functional and structural architectures
- Develop a behavioral model for each component
  - Transition mode diagrams and qualitative modes of components (e.g. PIPE: nominal, failed clogged or failed leak)
- Develop behavioral simulation rules for each variable
  - Qualitative, ex: Qin from {zero, low, nominal, high}
  - Behavior rules in terms of state variables, e.g. Qin = Qout if nominal
- Develop functional failure rules based on component states for each function
  - Conditions for failure: each system function is modeled as operating, degraded or lost
  - Ex: the function failure logic for a "transfer liquid" function: the function is lost if the outflow from the pipe is zero, degraded if the pipe outflow is less than the pipe inflow, and operating at all other times

FFIP Simulation
[Figure: tank system with inlet valve (Valve B), inlet pipe, open tank, outlet pipe, outlet valve (Valve A), level sensor and controller; liquid flows Q1 to Q6, status signals h1 (tank level) and h2 (sensor reading), control signals CS1 (inlet valve) and CS2 (outlet valve)]
- Initialize component modes for all 7 components
- Initialize input flows and the corresponding state/process variables
  - Input state variables: input flow rate set to nominal, liquid level set to nominal
  - All other states initialized to be functioning nominally
- Introduce the critical events of interest to the simulation
- Execute the behavioral models
- Feed the dynamic system state to the functional failure reasoner

FFIP Simulation Exercise
[Figure: simulation steps 1, 2, 3 for the inlet valve and inlet pipe, with level values hdot, hoft and nominal and the process signal]

Simulation Scenarios
[Figure: the same tank system; Q1 -> Inlet Valve -> Q2 -> Inlet Pipe -> Q3 -> Tank -> Q4 -> Outlet Pipe -> Q5 -> Outlet Valve -> Q6; h1 -> Sensor -> h2 -> Controller -> CS1, CS2]
- Initialize component modes for all 7 components
- What are some event scenarios that can end up in failures?
- Use the Excel spreadsheet to analyze scenarios (courtesy of Farzaneh Farhang-Mehr)

A Case Example: Simulation Scenario I
- Critical events injected in the specified order:
  - Inlet pipe clogged
  - Outlet valve failed open
- STATE VARIABLES
  - Liquid flow: Q1, Q2, Q3, Q4, Q5, Q6 in {zero, low, nominal, high}
  - Status signal flow: h1 in {0, hdo, hdot, nominal, hoft, hof}; h2 in {nosignal, zero, hdo, hdot, nominal, hoft, hof} (hdo = dryout level, hdot = dryout threshold, hoft = overflow threshold, hof = overflow level, as labeled on the tank figure)
  - Control signal flow: CS1 in {nosignal, on, off}; CS2 in {nosignal, on, off}
- CONTROL LAWS
  - if h2 > hoft: CS1 = "off", CS2 = "on"
  - if h2 < hdot: CS1 = "on", CS2 = "off"
  - else if h2 = nosignal: CS1 = "nosignal"
  - else: CS1 = "on", CS2 = "on"
- COMPONENT MODES
  - VALVE: nominal on, nominal off, failed open, failed closed
  - PIPE: nominal, failed leak, failed clogged
  - TANK: nominal, failed leak
  - CONTROLLER: nominal, failed nosignal
  - SENSOR: nominal, failed burst

Simulation Scenario I
[Figure: timeline t0, t8, t9, t14, t20, t22, t24; inlet pipe clogged -> Transfer Liquid lost; Valve A closed (command); Valve A failed open -> Guide Liquid lost; Supply Liquid and Store Liquid failed -> tank dryout]
- The system starts out nominal; at t8 the inlet pipe gets clogged. The first functional loss occurs at t9 for the transfer liquid function. The design control laws tell the operator to shut off the outlet valve at t14 to prevent dryout. The FFL rule for transfer liquid reasons about the status of this function and identifies the function as lost. Based on this, the supply liquid function is assumed to be degraded due to the low liquid level in the tank.
- Then at t20 the outlet valve fails open; this causes the tank level to drop further. After the valve failure the guide liquid function is lost at t22.
- Finally the supply liquid and store liquid functions are lost at t24, leading to a tank dryout scenario even though the operator had shut off valve A to prevent dryout. NOTE: the tank never failed, but the tank functions were lost due to the failure events.

Simulation Scenario I Results
Component modes:
Time         | t0         | t5         | t8         | t10        | t14         | t19         | t20         | t22         | t25
Inlet Valve  | nominal on | nominal on | nominal on | nominal on | nominal on  | nominal on  | nominal on  | nominal on  | nominal on
Inlet Pipe   | nominal    | nominal    | clogged    | clogged    | clogged     | clogged     | clogged     | clogged     | clogged
Tank         | nominal    | nominal    | nominal    | nominal    | nominal     | nominal     | nominal     | nominal     | nominal
Outlet Pipe  | nominal    | nominal    | nominal    | nominal    | nominal     | nominal     | nominal     | nominal     | nominal
Outlet Valve | nominal on | nominal on | nominal on | nominal on | nominal off | nominal off | failed open | failed open | failed open
Sensor       | nominal    | nominal    | nominal    | nominal    | nominal     | nominal     | nominal     | nominal     | nominal
Controller   | nominal    | nominal    | nominal    | nominal    | nominal     | nominal     | nominal     | nominal     | nominal
State variables (only the legible cells of the slide, in time order):
- Liquid Flow Q1: nominal throughout
- Liquid Flow Q2: nominal, nominal, nominal, nominal, nominal
- Liquid Flow Q3: nominal, zero, zero, zero, zero
- Liquid Flow Q4: nominal, nominal, zero, nominal, nominal
- Liquid Flow Q5: nominal, nominal, zero, zero, nominal, nominal
- Liquid Flow Q6: nominal, nominal, zero, zero, nominal, nominal
- Control Signal Flow CS1: on, on, on, on, on
- Control Signal Flow CS2: on, off, off, off, off
- Liquid Level h1: nominal, nominal, nominal, hdot, hdot, hdot, hdot, hdo, hdo
- Status Signal Flow h2: nominal, hdot, hdot, hdo, hdo
System functions (only the legible cells of the slide, in time order):
- Import Liquid: operating throughout
- Guide Liquid (inlet valve): operating throughout
- Transfer Liquid (inlet pipe): operating, lost, lost, lost, lost
- Store Liquid: operating, operating, operating, operating, operating
- Supply Liquid: operating, degraded, degraded, degraded, lost
- Transfer Liquid (outlet pipe): operating, operating, operating, operating, lost
- Guide Liquid (outlet valve): operating, operating, operating, lost, lost
- Export Liquid: operating throughout
- Measure Level: operating throughout
- Process Signal: operating throughout
[Figure: functional model; Import Liquid -> Guide Liquid -> Transfer Liquid -> Store Liquid -> Supply Liquid -> Transfer Liquid -> Guide Liquid -> Export Liquid, with Measure Level -> Process Signal feeding the controller]

Simulation Scenario I Results
[Figure: functional failure propagation paths and time estimates, from t0, across the components and functions]
The Function Failure Logic & Simulation captures:
1. Temporal aspects of failures
2. Nonlinear aspects of fault propagation: faults do not propagate linearly, and fault propagation does not necessarily follow component connectivity
3. The distinction between component failures and functional failures: the tank is nominal but the tank functions are failed, leading to specific failures

A Case Example: Simulation Scenario II
- Critical events introduced:
  - Sensor failed
  - Operator mistakenly shuts off the outlet valve
- The system is assumed fully functional until the level sensor fails at t7. At this point the system is working with the inlet valve in "nominal on" mode. The absence of an "on" control signal to the valve does not have an immediate negative effect on the system. At t20 the operator shuts off the outlet valve (operator error). This causes the liquid level to rise, requiring an "off" signal to be issued for the inlet valve to avoid tank overflow. But since the sensor has failed, the rise of the liquid level cannot be detected, so the inlet valve cannot be shut off. The liquid level continues to rise, leading to a tank overflow.

Simulation Scenario II
[Figure: functional failure propagation paths and relative time estimates; Measure Level lost at t9, Process Signal lost at t10, Guide Liquid lost at t11 -> tank overflow]
- The first functional loss occurs at t9 (measure level function). Following this loss the process signal and guide liquid functions are lost at t10 and t11.

Simulation Scenario II Results (nine time steps; the time labels of the slide are not legible)
Component modes:
Inlet Valve  | nominal on ×9
Inlet Pipe   | nominal ×9
Tank         | nominal ×9
Outlet Pipe  | nominal ×9
Outlet Valve | nominal on ×6, then nominal off ×3
Sensor       | nominal ×2, then failed burst ×7
Controller   | nominal ×9
State variables (legible cells only): Q1 nominal throughout; Q2 to Q5 nominal where legible; Q6 zero in the last two columns; CS1 nosignal from the sensor failure on; CS2 on; h1 nominal, then hoft and hof in the last two columns; h2 nominal, then nosignal.
System functions (legible cells only): Guide Liquid (inlet valve) operating, then lost in the last columns; Measure Level operating, then lost; Process Signal operating, then lost; all other functions operating.

Insights into FFIP
- Reasoning at the functional level rather than using low-level sensor values
- No a priori assumptions about possible fault propagation paths: uses only information available during conceptual design about the functional and configuration topology; topological knowledge is integrated with qualitative behavioral models and function failure logic
- Faults do not need to propagate following the functional or structural connectivity
  - A valve getting stuck open should not impose any fault propagation on its neighboring pipe component; the pipe will continue to transfer flow as intended
  - The loss of a guide liquid function eventually causes the loss of the supply liquid function and the store liquid function; these two functions are not connected to the initiating function
- Functional failures that do not result from direct component failures are identified; they result from global component interactions instead
  - While component failures almost always lead to functional failures, functions can also fail without components malfunctioning: the tank in the first scenario is in its nominal mode without experiencing a faulty state, whereas the two functions of the tank fail

Conclusions and Future Directions
- Novel RBD method (see paper on the course web site): FFIP
- Ongoing and future work:
  - Implementation of the framework on a larger scale design problem
  - Extension to software to enable integrated design of software/hardware systems: software failures, software functions, software FFIP-like representation
  - Automation: currently done in Excel, needs to be done using a GUI/Java for practical use
  - Quantification: adding probabilities (similar to PRA)
  - Event scenario analysis: adding event trees (similar to ETA)
  - Decision support tool: adding decision trees, identifying hotspots, choosing between alternative designs
  - Automate the reasoning and simulation parts
- Additional RBD research methods: Cost-Benefit Analysis (see paper on the course web site)

ME 519/515 Risk Based Design, Prof. Irem Y. Tumer, Mechanical, Industrial & Manufacturing Engineering, Oregon State University, Fall 2007
Lecture 9: Risk Analysis Methods: Event Tree Analysis (ETA)

This Week's
Lectures
- Risk Analysis Methods
  - Event Tree Analysis
  - Fault Tree Analysis

Event Tree & Fault Tree Analysis
- An event tree analysis (ETA):
  - A graphical representation of the logic model that identifies and quantifies the possible outcomes following an initiating event
  - Event trees depict a chronological sequence of events, such as the system response
  - Event trees can lay out the Boolean logic (successes and failures) necessary to perform probabilistic calculations
- A fault tree analysis (FTA):
  - A graphical representation constructed by defining TOP events and then using backward logic to define their causes
  - Fault trees decompose higher-level events into combinations of component failures
  - Fault trees are very efficient at logically defining the combinations that can lead to system failures (if A fails, what else will fail? AND/OR gates)

Event Tree & Fault Tree Analysis
- Event tree analysis and fault tree analysis are closely linked
- Fault trees are often used to quantify system events that are part of event tree sequences
- The logical processes employed to evaluate event tree sequences and quantify the consequences are the same as in fault tree analyses
- Both produce Boolean logic expressions that are essential for probabilistic quantification
- Most complex systems require both ETAs and FTAs: Probabilistic Risk Assessment (PRA) is modelled using both event trees and fault trees

ETA Definitions
- An accidental event:
  - The first significant deviation from a normal situation that may lead to unwanted consequences
  - Examples: gas leak, falling object, start of a fire
- Barriers:
  - Most well designed systems have barriers implemented to stop or reduce the consequences of potential accidental events
  - Also called safety functions or protection layers
  - May be technical and/or organizational
  - Examples?

ETA
- An event tree analysis (ETA) is an inductive procedure that shows all possible outcomes resulting from an accidental (initiating) event, taking into account whether the safety barriers are functional or not
- Can be used to identify all potential accident scenarios and sequences in a complex system
- Can be used to identify design and procedural weaknesses and determine the probabilities of the various outcomes from an accidental event
- Uses forward logic: begins with an initiating event and propagates that event forward through the system, considering all the ways that it can affect the behavior of the overall system

Event Tree Example
[Figure: an initiating event followed by Safety System 1 and Safety System 2, each with a failure and a success branch; the leaves are labeled accident or no accident]

Event Tree Construction
1. Identify and define an initial (accidental) event
2. Identify the barriers/safeguards designed to deal with the event
3. Construct the event tree
4. Describe the potential resulting accident sequences
5. Determine the frequency of the accidental event and the probabilities of the branches of the event tree
6. Calculate the probabilities/frequencies for the identified consequences (outcomes)

Identifying an Accidental Event
- An essential first step is to identify an accidental event
  - What type of event? (leak, fire, explosion, etc.)
  - Where is it? (control room, laboratory, etc.)
  - When does it occur? (normal operation, maintenance, etc.)
- May be caused by:
  - System or equipment failure
  - Human error
  - Process error

Identifying Barriers
- Note: the accidental event is normally anticipated. System designers put barriers in place to respond to the event by terminating the accident sequence or mitigating its consequences.
- List all relevant barriers for the specific accidental event, in the sequence in which they will be activated. Examples:
  - Automatic detection systems (fire detection)
  - Automatic safety systems (fire extinguishing)
  - Alarms warning personnel/operators
  - Procedures and operator actions
  - Mitigating barriers

Identifying Barriers
- Barriers are described by a negative statement, e.g. "Barrier X does not function" (not able to perform its required functions when the accidental event occurs)
- List additional events and factors, e.g. "gas is ignited", "wind blows towards the office area"

Generic Event Tree
Columns: Accidental event | B1: Additional event occurs | B2: Barrier I does not function | B3: Barrier II does not function | B4: Barrier III does not function | B5: Additional event occurs | Outcome/consequence
Example: gas release; B1 True: wind towards residential area; B1 False: wind towards empty area. Ordered this way, the most severe consequences come first.

Generic Event Tree
Columns: Accidental event | B1: Additional event I occurs | B2: Barrier I does not function | B3: Barrier II does not function | B4: Additional event II occurs | Outcome/consequence
  B1 True
    B2 True
      B3 True
        B4 True:  Outcome 1
        B4 False: Outcome 2
      B3 False
        B4 True:  Outcome 3
        B4 False: Outcome 4
    B2 False
      B3 True
        B4 True:  Outcome 5
        B4 False: Outcome 6
      B3 False
        B4 True:  Outcome 7
        B4 False: Outcome 8
  B1 False: Outcome 9

ETA Class Exercise
- Build an event tree for a fire event in Rogers Hall
  - An initiating event is an accident. Ex: fire
  - Nodes in the event tree represent the possible functioning or malfunctioning of a system. Ex: sprinkler system activated / sprinkler system not activated
  - The path that results in an accident is an accident sequence. Ex: fire in Rogers 330, sprinkler system not activated, Rogers building burns down

ETA Quantification
- Let $\lambda$ be the frequency of the accidental (initiating) event
- Let $\Pr(B_i)$ be the probability of event $B_i$
- When we know that the accidental event has occurred, the probability of Outcome 1 is
  $\Pr(\text{Outcome 1} \mid \text{Accidental event}) = \Pr(B_1 \cap B_2 \cap B_3 \cap B_4) = \Pr(B_1)\,\Pr(B_2 \mid B_1)\,\Pr(B_3 \mid B_1 \cap B_2)\,\Pr(B_4 \mid B_1 \cap B_2 \cap B_3)$
- All probabilities are conditional, given the result of the process until barrier $i$ is reached
- The frequency of Outcome 1 is $\lambda \Pr(B_1 \cap B_2 \cap B_3 \cap B_4)$
- The frequencies of the other outcomes follow in the same way

ETA Example: Fire Scenario
- Initiating event: explosion, frequency 10^-2 per year
- Branches: Start of fire (True 0.80 / False 0.20); Sprinkler system does not function (True 0.01 / False 0.99); Fire alarm is not activated (True 0.001 / False 0.999)
- Outcomes (frequency per year), as read from the slide:
  - Fire, sprinkler does not function, alarm not activated: uncontrolled fire with no alarm, 8.0·10^-8
  - Fire, sprinkler does not function, alarm activated: uncontrolled fire with alarm, 7.9·10^-6
  - Fire, sprinkler functions, alarm not activated: controlled fire with no alarm, 8.0·10^-6
  - Fire, sprinkler functions, alarm activated: controlled fire with alarm, 7.9·10^-3
  - No start of fire: no fire, 2.0·10^-3

Decision Making
- Results from the ETA are used to:
  - Judge the acceptability of the system
  - Identify improvement opportunities
  - Make recommendations for improvements
  - Justify the allocation of resources for improvements
[Figure: outcome classification table with columns Loss of lives (0, 1-2, 3-5, 6-20, >20), Material damage, Environmental damage and End description (N, L, M, H)]

ETA Example: Offshore Separator
[Figure: separator vessel with gas and water inlet, gas outlet and fluid outlet; pressure switches and a level transmitter (LT); PSD1 and PSD2 (PSD = process shutdown system); PSV1, PSV2 (PSV = pressure safety relief valve) and a rupture disc (RD) to flare]

ETA Example: Offshore Separator
- Initiating event: gas outlet blocked
- Barriers: 1. PSDs do not close flow into the separator; 2. PSVs do not relieve pressure; 3. Rupture disc does not open
- Outcomes:
  - 1 True, 2 True, 3 True: rupture or explosion of separator
  - 1 True, 2 True, 3 False: gas flowing out of rupture disc
  - 1 True, 2 False: gas relieved to flare
  - 1 False: shutdown, no gas "lost"

ETA Quantification: Offshore Separator
- Class exercise: for the offshore separator event tree, assign probabilities to the branches of the event tree and compute the final probabilities of each of the outcomes

ETA Conclusions
- Benefits of ETA:
  - Visualize the event chains following an accidental event
  - Visualize the barriers and their sequence of activation
  - Basis for evaluating the need for new and/or improved procedures and safety functions
- Shortcomings of ETA:
  - No standard for the graphical representation of event trees
  - Only one initiating event can be studied in each analysis
  - Can overlook subtle system dependencies
  - Not well suited for handling common cause failures
  - Does not show acts of omission

ME 519/515 Risk Based Design, Prof. Irem Y. Tumer, Mechanical, Industrial & Manufacturing Engineering, Oregon State University, Fall 2007
Lecture 17: RBD Research Methods: FFIP

Design of Complex Systems: Research Goals
- Developing methods & tools to enhance early stage design, to enable trades, concept evaluation and architecture synthesis for complex & integrated systems
- Focus on
  introducing failure & risk in early design
- Early stage design provides the greatest opportunities to explore design alternatives and perform trade studies. Analysis of potential failures and associated risks must be done at this earliest stage to develop robust integrated systems.

Characteristics of Early Stage (Conceptual) Design
- High level of uncertainty
  - Incomplete knowledge
  - System representations are mostly function-based
  - System models are mostly qualitative, low-fidelity, highly abstract
- Functionality is the core of conceptual design
  - A necessary first step is to proactively analyze the functionality of the intended systems early in the design process
- Need: to integrate formal methods and the resulting decision support tools into the earliest stages of design, so that design teams can systematically explore risks and vulnerabilities without committing to design decisions too early

Risk and Reliability Analysis
- Typical reliability and risk analysis techniques:
  - Failure Modes and Effects (and Criticality) Analysis (FMEA/FMECA)
  - Fault Tree Analysis (FTA) and Event Tree Analysis (ETA)
  - Reliability Block Diagrams (RBD)
  - Stochastic modeling of failures
  - Reliability measures

Risk and Reliability Analysis
- Thoughts/insights on applicability in the early stages of functional design?

Fault Management Tools Currently Utilized in Practice: Summary
- Existing fault management tools could be improved by:
  - facilitating fault assessment in early design stages
  - capturing low-level physical interactions between components and their relations with system functionality
    - what dynamic interactions result in functional failures?
    - what system assets (energy, material, information) are lost due to failures?
    - what functionality is lost/degraded due to component failures?
  - incorporating temporal resolution
    - what is the order of functional failures?
    - how much time between functional failures?

Fault Management Tools
- Failure Modes and Effects and Criticality Analysis (FMEA/FMECA)
  - bottom-up approach based on individual component failure modes
  - systematically examines all failure modes of all components (inductive)
  - well-accepted, easy to understand and implement
  - focuses only on the risk of single, independent component failures
  - component interactions are not captured explicitly
  - relies on expert knowledge to assess the criticality of failure consequences: highly subjective
- Fault Tree Analysis (FTA)
  - top-down, event based approach
  - contributing events are derived from higher level events (deductive)
  - presents the chain of events, combined using logical gates, in a tree structure
  - well-accepted standard technique
  - large fault trees are difficult to understand due to complex logic
  - component interactions are not captured explicitly

Fault Management Tools
- Probabilistic Risk Assessment (PRA)
  - a complete framework for risk assessment
  - answers: what can go wrong? how likely is it to happen? what are the consequences? (Stamatelatos, NASA Headquarters)
  - combines master logic diagrams (MLDs), event sequence diagrams (ESDs), event trees (ETs) and fault trees (FTs) to calculate the probability of predefined high-level failure events
  - tools: SAPHIRE, QRAS (NASA developed)
  - used to prioritize risk drivers
  - very sophisticated risk management tool, not easy to implement
  - component interactions are not captured explicitly
  - no temporal representation

Fault Management Tools
- Model Based Diagnosis (MBD) (from Sriram et al. 2004)
  - a suite of tools developed to monitor and diagnose complex systems
  - based on the integration of individual component behavior models
  - tools: Livingstone (L2), HyDE
  - used to identify runtime system discrepancies, isolate fault causes and help higher level reasoning engines to recover from faults

Risk Based Design
- A critical need: reasoning about failures during conceptual design
- Bridging risk analysis and design
- Issues:
  - No component information
  - No means to quantify failures
  - High-level thinking: functions rather than solutions

Function Failure Based Design Methodology (FFDM)
- Addresses the need to investigate potential failure modes during conceptual design, before component decisions are made
- Failures collected for existing systems using actual data and/or expert knowledge
- Systems dissected to model functionality
- Functions mapped to failure modes, bypassing the component info
- Helps designers think about potential failures and perform some further analysis on those functions
- Provides designers with a means to avoid failures by exploring similar functions, components, etc.
- By implementing it in the Design Repository, provides a virtual organization to do a morphological search and explore similarities in an automated way
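The tank system simulation of the FFIP lectures, as an added worked example (not the course's Excel model and not the authors' code): it runs both simulation scenarios through the slides' control laws and the slides' "transfer liquid" failure rule and reports the functional failure propagation path. The component behavior rules, the one-level-per-tick level dynamics, the rules for the guide liquid, store liquid, supply liquid and signal functions, and the qualitative timing are assumptions made here, so the reported times differ from the slides.

```python
"""FFIP-style qualitative simulation of the lecture's tank system (added example, not the
course's Excel model). Components, modes, flows, control laws and the "transfer liquid" rule
follow the slides; the behavior rules, the level dynamics and the other failure rules are
simplifying assumptions made here."""
from typing import Dict, List, Tuple

FLOW = ["zero", "low", "nominal", "high"]          # qualitative flow values
LEVEL = ["hdo", "hdot", "nominal", "hoft", "hof"]  # dryout, dryout thr., nominal, overflow thr., overflow


def new_plant() -> dict:
    return {"modes": {"inlet_valve": "nominal on", "inlet_pipe": "nominal", "tank": "nominal",
                      "outlet_pipe": "nominal", "outlet_valve": "nominal on",
                      "sensor": "nominal", "controller": "nominal"},
            "level": "nominal", "cs": {"CS1": "on", "CS2": "on"}}   # h1 and the control signals


def valve_out(mode: str, q_in: str) -> str:
    return q_in if mode in ("nominal on", "failed open") else "zero"


def pipe_out(mode: str, q_in: str) -> str:
    if mode == "failed clogged":
        return "zero"
    if mode == "failed leak":                   # assumption: a leak drops the flow one level
        return FLOW[max(0, FLOW.index(q_in) - 1)]
    return q_in                                 # slides: Qout = Qin if nominal


def transfer(q_in: str, q_out: str) -> str:
    # slides' rule: lost if outflow is zero, degraded if outflow < inflow, else operating;
    # refinement made here: a pipe with no inflow has nothing to transfer and is operating
    if q_in == "zero":
        return "operating"
    if q_out == "zero":
        return "lost"
    return "degraded" if FLOW.index(q_out) < FLOW.index(q_in) else "operating"


def guide(mode: str, command: str) -> str:
    # assumption: a valve guides liquid while it is not failed and can still be commanded
    return "lost" if mode.startswith("failed") or command == "nosignal" else "operating"


def functions(p: dict, q: Dict[str, str], h2: str) -> Dict[str, str]:
    """Function failure reasoner: status of the ten system functions for the current state."""
    m, lvl, cs = p["modes"], p["level"], p["cs"]
    return {
        "import liquid": "operating" if m["inlet_valve"] == "nominal off" else transfer(q["Q1"], q["Q2"]),
        "guide liquid (in)": guide(m["inlet_valve"], cs["CS1"]),
        "transfer liquid (in)": transfer(q["Q2"], q["Q3"]),
        "store liquid": {"hdo": "lost", "hof": "lost", "hdot": "degraded", "hoft": "degraded"}.get(lvl, "operating"),
        "supply liquid": {"hdo": "lost", "hdot": "degraded"}.get(lvl, "operating"),
        "transfer liquid (out)": transfer(q["Q4"], q["Q5"]),
        "guide liquid (out)": guide(m["outlet_valve"], cs["CS2"]),
        "export liquid": "operating" if m["outlet_valve"] == "nominal off" else transfer(q["Q5"], q["Q6"]),
        "measure level": "lost" if h2 == "nosignal" else "operating",
        "process signal": "lost" if "nosignal" in cs.values() else "operating",
    }


def step(p: dict, t: int, events: Dict[int, Tuple[str, str]]) -> Dict[str, str]:
    m, q = p["modes"], {"Q1": "nominal"}             # supply to the inlet valve is nominal
    if t in events:                                   # inject this tick's critical event
        m[events[t][0]] = events[t][1]
    q["Q2"] = valve_out(m["inlet_valve"], q["Q1"])
    q["Q3"] = pipe_out(m["inlet_pipe"], q["Q2"])
    # assumption: the tank feeds the outlet line unless it is empty or the outlet valve is shut
    q["Q4"] = "zero" if m["outlet_valve"] in ("nominal off", "failed closed") or p["level"] == "hdo" else "nominal"
    q["Q5"] = pipe_out(m["outlet_pipe"], q["Q4"])
    q["Q6"] = valve_out(m["outlet_valve"], q["Q5"])
    # qualitative level dynamics: one level step per tick in the direction of the net flow
    net = FLOW.index(q["Q3"]) - FLOW.index(q["Q4"])
    p["level"] = LEVEL[min(4, max(0, LEVEL.index(p["level"]) + (net > 0) - (net < 0)))]
    h2 = p["level"] if m["sensor"] == "nominal" else "nosignal"   # status signal from the sensor
    # control laws from the slides (thresholds inclusive); no sensor signal leaves CS2 unchanged
    if m["controller"] != "nominal":
        cs = {"CS1": "nosignal", "CS2": "nosignal"}
    elif h2 == "nosignal":
        cs = {"CS1": "nosignal", "CS2": p["cs"]["CS2"]}
    elif LEVEL.index(h2) >= LEVEL.index("hoft"):
        cs = {"CS1": "off", "CS2": "on"}
    elif LEVEL.index(h2) <= LEVEL.index("hdot"):
        cs = {"CS1": "on", "CS2": "off"}
    else:
        cs = {"CS1": "on", "CS2": "on"}
    for sig, valve in (("CS1", "inlet_valve"), ("CS2", "outlet_valve")):
        # a nominal valve follows a changed on/off command; a failed valve ignores it
        if cs[sig] != p["cs"][sig] and cs[sig] in ("on", "off") and m[valve].startswith("nominal"):
            m[valve] = "nominal " + cs[sig]
    p["cs"] = cs
    return functions(p, q, h2)


def simulate(events: Dict[int, Tuple[str, str]], steps: int = 25) -> Tuple[List[Tuple[int, str, str]], dict]:
    """Return the functional failure propagation path (time, function, new status) and the end state."""
    p, last, path = new_plant(), {}, []
    for t in range(steps + 1):
        status = step(p, t, events)
        path += [(t, f, s) for f, s in status.items() if last.get(f, "operating") != s]
        last = status
    return path, p


SCENARIO_I = {8: ("inlet_pipe", "failed clogged"), 20: ("outlet_valve", "failed open")}
SCENARIO_II = {7: ("sensor", "failed burst"), 20: ("outlet_valve", "nominal off")}  # t20: operator error

if __name__ == "__main__":
    for name, events in (("Scenario I", SCENARIO_I), ("Scenario II", SCENARIO_II)):
        path, plant = simulate(events)
        print(name, "-> tank mode:", plant["modes"]["tank"], "level:", plant["level"])
        print("\n".join(f"  t{t}: {f} {s}" for t, f, s in path))
```

In Scenario I the tank ends at dryout with its mode still "nominal", and in Scenario II the inlet valve is still "nominal on" at overflow because no signal ever commands it off, which is the component-failure versus functional-failure distinction the slides make.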

