Handbook of Reliability, Availability, Maintainability and Safety in Engineering Design - Part 21 docx

3.3 Analytic Development of Reliability and Performance in Engineering Design 183
Table 3.16 Extract from FMECA worksheet of quantitative RAM analysis field study: motor RJS pump no. 1 component

| Assembly | Component | Failure description | Failure mode | Failure effect | Failure consequence | Cause of failure | Critical analysis |
|---|---|---|---|---|---|---|---|
| RJS pump no. 1 | Motor RJS pump no. 1 | Motor fails to start or drive pump | TLF | Motor failure prevents quenching of the gas and the protection of the RJS structure due to reduced flow. Standby pump should start up automatically | Maintenance | Loose or corroded connections or motor terminals | (1) 100%; (2) 0.50; (3) 2; (4) 2.0; (5) 1.00; Low criticality |
| RJS pump no. 1 | Motor RJS pump no. 1 | Motor fails to start or drive pump | TLF | Motor failure prevents quenching of the gas and the protection of the RJS structure due to reduced flow. Standby pump should start up automatically | Maintenance | Motor winding short or insulation fails | (1) 100%; (2) 0.25; (3) 2; (4) 2.0; (5) 0.50; Low criticality |
| RJS pump no. 1 | Motor RJS pump no. 1 | Motor cannot be stopped or started locally | TLF | If required to respond in an emergency failure of motor, this could result in injury risk | Injury risk | Local stop/start switch fails | (1) 50%; (2) 0.25; (3) 11; (4) 5.5; (5) 1.38; Low criticality |
| RJS pump no. 1 | Motor RJS pump no. 1 | Motor overheats and trips | PFC | Motor failure prevents quenching of the gas and the protection of the RJS structure due to reduced flow. Standby pump should start up automatically | Maintenance | Motor winding short or insulation fails | (1) 100%; (2) 0.25; (3) 1; (4) 1.0; (5) 0.25; Low criticality |
184 3 Reliability and Performance in Engineering Design
Table 3.16 (continued)

| Assembly | Component | Failure description | Failure mode | Failure effect | Failure consequence | Cause of failure | Critical analysis |
|---|---|---|---|---|---|---|---|
| RJS pump no. 1 | Motor RJS pump no. 1 | Motor overheats and trips | PFC | Motor failure prevents quenching of the gas and the protection of the RJS structure due to reduced flow. Standby pump should start up automatically | Maintenance | Bearings fail due to lack of or to excessive lubrication | (1) 100%; (2) 0.50; (3) 1; (4) 1.0; (5) 0.50; Low criticality |
| RJS pump no. 1 | Motor RJS pump no. 1 | Motor vibrates excessively | PFC | Motor failure prevents quenching of the gas and the protection of the RJS structure due to reduced flow. Standby pump should start up automatically | Maintenance | Bearings worn or damaged | (1) 100%; (2) 0.50; (3) 1; (4) 1.0; (5) 0.50; Low criticality |
Table 3.17 Extract from FMECA worksheet of quantitative RAM analysis field study: MCC RJS pump no. 1 component

| Assembly | Component | Failure description | Failure mode | Failure effect | Failure consequence | Cause of failure | Critical analysis |
|---|---|---|---|---|---|---|---|
| RJS pump no. 1 | MCC RJS pump no. 1 | Motor fails to start upon command | TLF | Motor failure starting upon command prevents the standby pump to start up automatically | Maintenance | Electrical supply or starter failure | (1) 100%; (2) 0.25; (3) 2; (4) 2.0; (5) 0.50; Low criticality |
| RJS pump no. 1 | MCC RJS pump no. 1 | Motor fails to start upon command | TLF | Motor failure starting upon command prevents the standby pump to start up automatically | Maintenance | High/low voltage defective fuses or circuit breakers | (1) 100%; (2) 0.25; (3) 2; (4) 2.0; (5) 0.50; Low criticality |
| RJS pump no. 1 | MCC RJS pump no. 1 | Motor fails to start upon command | TLF | Motor failure starting upon command prevents the standby pump to start up automatically | Maintenance | Control system wiring malfunction due to hot spots | (1) 100%; (2) 0.25; (3) 2; (4) 2.0; (5) 0.50; Low criticality |
Table 3.18 Extract from FMECA worksheet of quantitative RAM analysis field study: RJS pump no. 1 control valve component

| Assembly | Component | Failure description | Failure mode | Failure effect | Failure consequence | Cause of failure | Critical analysis |
|---|---|---|---|---|---|---|---|
| RJS pump no. 1 | Control valve | Fails to open | TLF | Prevents discharge of acid from the pump that cleans and cools gas and protects the RJS. Flow and pressure protections would prevent damage. May result in downtime if it occurs on standby pump when needed | Production | No PLC output due to modules electronic fault or cabling | (1) 100%; (2) 0.50; (3) 6; (4) 6.0; (5) 3.00; Low/medium criticality |
| RJS pump no. 1 | Control valve | Fails to open | TLF | Prevents discharge of acid from the pump that cleans and cools gas and protects the RJS. Flow and pressure protections would prevent damage. May result in downtime if it occurs on standby pump when needed | Production | Solenoid valve fails, failed cylinder actuator or air receiver failure | (1) 100%; (2) 0.50; (3) 6; (4) 6.0; (5) 3.00; Low/medium criticality |
Table 3.19 Extract from FMECA worksheet of quantitative RAM analysis field study: RJS pump no. 1 instrument loop (pressure) assembly

| Assembly | Component | Failure description | Failure mode | Failure effect | Failure consequence | Cause of failure | Critical analysis |
|---|---|---|---|---|---|---|---|
| RJS pump no. 1 instrument loop (pressure) | Instrument (pressure. 1) | Fails to provide accurate pressure indication | TLF | Fails to permit pressure monitoring | Maintenance | Restricted sensing port due to blockage by chemical or physical action | (1) 100%; (2) 3.00; (3) 2; (4) 2.0; (5) 6.00; Medium/high criticality |
| RJS pump no. 1 instrument loop (pressure) | Instrument (pressure. 2) | Fails to detect low-pressure condition | TLF | Does not permit essential pressure monitoring and can cause damage to the pump due to lack of mechanical seal flushing | Maintenance | Pressure switch fails due to corrosion or relay or cable failure | (1) 100%; (2) 0.50; (3) 2; (4) 2.0; (5) 1.00; Low criticality |
| RJS pump no. 1 instrument loop (pressure) | Instrument (pressure. 2) | Fails to provide output signal for alarm condition | TLF | Does not permit essential pressure monitoring and can cause damage to the pump due to lack of mechanical seal flushing | Maintenance | PLC alarm function or indicator fails | (1) 100%; (2) 0.30; (3) 2; (4) 2.0; (5) 0.60; Low criticality |
To introduce uncertainty in this analysis, according to the theory developed for the extended FMECA, the following approach is considered:
• Express the various failure modes, including their (more or less) certain consequences (i.e. the more or less certainty that the consequence can or cannot occur)
• Present the number of uncertainty levels in linguistic terms
• For a given failure mode, sort the occurrence of the consequences into a specific range of (6+1) categories:
– Three levels of more or less certain consequences (‘completely certain’, ‘almost certain’, ‘likely’)
– Three levels of more or less impossible consequences (‘completely impossible’, ‘almost impossible’, ‘unlikely’)
– One level for ignorance.
The approach is thus initiated by expressing the various failure modes, along with their (more or less) certain consequences. The discriminability of the failure modes with their (more or less) certain consequences is checked. If this is not sufficient, then the question is explored whether some of the (more or less) certain consequences of one failure mode could not be expressed as more or less impossible for some other fault modes. The three categories of more or less impossible consequences are thus indicated whenever necessary, to allow a better discrimination. After this refinement stage, if a set of failure modes still cannot be discriminated in a satisfying way, then the observability of the consequence should be questioned.

Table 3.20 Uncertainty in the FMECA of a critical control valve

| Component | Failure description | Failure mode | Failure consequence | Failure cause | (1) $\mu_{M(d)^{+}}$ | (1) $\mu_{M(d)^{-}}$ | Critical analysis |
|---|---|---|---|---|---|---|---|
| Control valve | Fails to open | TLF | Production | No PLC output due to modules electronic fault or cabling | 0.6 | 0.4 | (2) 0.5; (3) 6; (4) 3.6 (or not—2.4); (5) 1.8 (or not—1.2); Low criticality |
| Control valve | Fails to open | TLF | Production | Solenoid valve fails, due to failed cylinder actuator or air receiver failure | 0.6 | 0.4 | (2) 0.5; (3) 6; (4) 3.6 (or not—2.4); (5) 1.8 (or not—1.2); Low criticality |
| Control valve | Fails to seal/close | TLF | Production | Valve disk damaged due to corrosion or wear | 0.8 | 0.2 | (2) 0.5; (3) 6; (4) 4.8 (or not—1.2); (5) 2.4 (or not—0.6); Low criticality |
| Control valve | Fails to seal/close | TLF | Production | Valve stem cylinders seized due to chemical deposition or corrosion | 0.8 | 0.2 | (2) 0.5; (3) 6; (4) 4.8 (or not—1.2); (5) 2.4 (or not—0.6); Low criticality |

b) Results of the Qualitative FMECA
As an example, the critical control valve considered in the FMECA chart of Table 3.18 has been itemised for inclusion in an extended FMECA chart relating to the discriminated failure mode, TLF, along with its (more or less) certain consequences, given in Tables 3.20 and 3.21. To simplify, it is assumed that all the events are directly observable—that is, each effect is non-ambiguously associated to a consequence, although the same consequence can be associated to other effects (i.e. the effects, or events, are equated to their associated consequences, or manifestations). The knowledge expressed in Tables 3.20 and 3.21 describes the fuzzy relation between failure modes, effects and consequences, in terms of the fuzzy sets for the expanded FMECA, $M(d)^{+}(m_i)$ and $M(d)^{-}(m_i)$.

Table 3.21 Uncertainty in the FMECA of critical pressure instruments

| Component | Failure description | Failure mode | Failure consequence | Failure cause | (1) $\mu_{M(d)^{+}}$ | (1) $\mu_{M(d)^{-}}$ | Critical analysis |
|---|---|---|---|---|---|---|---|
| Instrument (pressure. 1) | Fails to detect low-pressure condition | TLF | Maintenance | Pressure switch fails due to corrosion or relay or cable failure | 0.6 | 0.4 | (2) 0.50; (3) 2; (4) 1.2 (or not—0.8); (5) 0.6 (or not—0.4); Low criticality |
| Instrument (pressure. 1) | Fails to provide accurate pressure indication | TLF | Maintenance | Restricted sensing port due to blockage by chemical or physical action | 0.8 | 0.2 | (2) 3.00; (3) 2; (4) 1.6 (or not—0.4); (5) 4.8 (or not—1.2); Medium criticality |
| Instrument (pressure. 2) | Fails to detect low-pressure condition | TLF | Maintenance | Pressure switch fails due to corrosion or relay or cable failure | 0.6 | 0.4 | (2) 0.50; (3) 2; (4) 1.2 (or not—0.8); (5) 0.6 (or not—0.4); Low criticality |
| Instrument (pressure. 2) | Fails to provide output signal for alarm condition | TLF | Maintenance | PLC alarm function or indicator fails | 0.8 | 0.2 | (2) 3.00; (3) 2; (4) 1.6 (or not—0.4); (5) 4.8 (or not—1.2); Medium criticality |

The linguistic qualitative-numeric mapping used for uncertainty representation is tabulated below (Cayrac et al. 1994).

| Qualifier | Ref. code | $\mu_{M(d)^{+}}$ | $\mu_{M(d)^{-}}$ |
|---|---|---|---|
| Certain | 1 | 1.0 | 0.0 |
| Almost certain | 2 | 0.8 | 0.2 |
| Likely | 3 | 0.6 | 0.4 |
| Unlikely | 4 | 0.4 | 0.6 |
| Almost unlikely | 5 | 0.2 | 0.8 |
| Impossible | 6 | 0.0 | 1.0 |
| Unknown | 7 | 0.0 | 0.0 |

The ‘critical analysis’ column of the extended FMECA chart relating to the discriminated failure mode, along with its (more or less) certain consequences, includes items numbered 1 to 5 that indicate the following:
(1) Possibility of occurrence of a consequence ($\mu_{M(d)^{+}}$) or impossibility of occurrence of a consequence ($\mu_{M(d)^{-}}$)
(2) Estimated failure rate (the number of failures per year)
(3) Severity (expressed as a number from 0 to 10)
(4) Risk (product of 1 and 3)
(5) Criticality value (product of 2 and 4).
3.3.3 Analytic Development of Reliability Evaluation in Detail Design

The most applicable methods selected for further development as tools for reliability evaluation in determining the integrity of engineering design in the detail design phase are:
i. The proportional hazards model (or instantaneous failure rate, indicating the probability of survival of a component);
ii. Expansion of the exponential failure distribution (considering component functional failures that occur at random intervals);
iii. Expansion of the Weibull failure distribution (to determine component criticality for wear-out failures, not random failures);
iv. Qualitative analysis of the Weibull distribution model (when the Weibull parameters cannot be based on obtained data).
3.3.3.1 The Proportional Hazards Model
The proportional hazards (PH) model was developed in order to estimate the effects
of different covariates influencing the times to failure of a system (Cox 1972). In its
original form, the model is non-parametric, i.e. no assumptions are made about the
nature or shape of the underlying failure distribution. The original non-parametric
formulation as well as a parametric form of the model are considered, utilising the
Weibull life distribution. Special developments of the proportional hazards model
are:
General log-linear, GLL—exponential
General log-linear, GLL—Weibull models.
a) Non-Parametric Model Formulation
From the PH model, the failure rate of a system is affected not only by its operating time but also by the covariates under which it operates. For example, a unit of equipment may have been tested under a combination of different accelerated stresses such as humidity, temperature, voltage, etc. These factors can affect the failure rate of the unit, and typically represent the type of stresses that the unit will be subject to, once installed.
The instantaneous failure rate (or hazard rate) of a unit is given by the following relationship

$$\lambda(t) = \frac{f(t)}{R(t)}, \tag{3.144}$$

where:
$f(t)$ = the probability density function,
$R(t)$ = the reliability function.
For the specific case where the failure rate of a particular unit is dependent not only on time but also on other covariates, Eq. (3.144) must be modified in order to be a function of time and of the covariates. The proportional hazards model assumes that the failure rate (hazard rate) of a unit is the product of the following factors:
• An unspecified baseline failure rate, $\lambda_o(t)$, which is a function of time only,
• A positive function $g(X, A)$ that is independent of time, and that incorporates the effects of a number of covariates such as humidity, temperature, pressure, voltage, etc.
The failure rate of the unit is then given by

$$\lambda(t, X) = \lambda_o(t) \cdot g(X, A), \tag{3.145}$$

where:
$X$ = a row vector consisting of the covariates, $X = (x_1, x_2, x_3, \ldots, x_m)$,
$A$ = a column vector consisting of the unknown model parameters (regression parameters), $A = (a_1, a_2, a_3, \ldots, a_m)^T$,
$m$ = number of stress-related variates (time-independent).
It can be assumed that the form of $g(X, A)$ is known and $\lambda_o(t)$ is unspecified. Different forms of $g(X, A)$ can be used but the exponential form is mostly used, due to its simplicity.
The exponential form of $g(X, A)$ is given by the following expression

$$g(X, A) = e^{A^T X^T} = \exp\left(\sum_{j=1}^{m} a_j x_j\right), \tag{3.146}$$

where:
$a_j$ = model parameters (regression parameters),
$x_j$ = covariates.
The failure rate can then be written as

$$\lambda(t, X) = \lambda_o \cdot \exp\left(\sum_{j=1}^{m} a_j x_j\right). \tag{3.147}$$

b) Parametric Model Formulation
A parametric form of the proportional hazards model can be obtained by assuming an underlying distribution. In general, the exponential and the Weibull distributions are the easiest to use. The lognormal distribution can be utilised as well but it is not considered here. In this case, the Weibull distribution will be used to formulate the parametric proportional hazards model. The exponential distribution case can be easily obtained from the Weibull equations, by simply setting the Weibull shape parameter $\beta = 1$. In other words, it is assumed that the baseline failure rate is parametric and given by the Weibull distribution. The baseline failure rate is given by the following expression taken from Eq. (3.37):

$$\lambda_o = \frac{\beta (t)^{\beta - 1}}{\mu^{\beta}},$$

where:
$\mu$ = the scale parameter,
$\beta$ = the shape parameter.
Note that $\mu$ is the baseline Weibull scale parameter but not the PH scale parameter.
The PH failure rate then becomes

$$\lambda(t, X) = \frac{\beta (t)^{\beta - 1}}{\mu^{\beta}} \exp\left(\sum_{j=1}^{m} a_j x_j\right), \tag{3.148}$$
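
Added example (not from the handbook): a numerical check in Python that the Weibull PH failure rate of Eq. (3.148) agrees with $f(t)/R(t)$ from Eq. (3.144), and that the ratio of two units' failure rates does not depend on time. It uses the standard result $R(t \mid X) = \exp(-(t/\mu)^{\beta} g(X, A))$ obtained by integrating the hazard; the parameter values, covariates and function names are constructed for illustration.

```python
import math

# Constructed sample values (not from the handbook): Weibull baseline and
# regression parameters for two covariates (temperature rise in K, voltage ratio).
BETA, MU = 1.8, 1000.0          # shape, scale (hours)
A = (0.02, 0.5)                 # a_1, a_2
X_STRESSED = (25.0, 1.2)        # accelerated-test conditions
X_NOMINAL = (5.0, 1.0)          # installed conditions


def g(x, a):
    """Covariate factor g(X, A) = exp(sum_j a_j x_j), Eq. (3.146)."""
    if len(x) != len(a):
        raise ValueError("X and A must both have m entries")
    return math.exp(sum(aj * xj for aj, xj in zip(a, x)))


def ph_hazard(t, x, a=A, beta=BETA, mu=MU):
    """Weibull PH failure rate, Eq. (3.148)."""
    return beta * t ** (beta - 1) / mu ** beta * g(x, a)


def ph_reliability(t, x, a=A, beta=BETA, mu=MU):
    """R(t|X) = exp(-integral of the hazard) = exp(-(t/mu)^beta * g(X, A))."""
    return math.exp(-((t / mu) ** beta) * g(x, a))


def ph_pdf(t, x, a=A, beta=BETA, mu=MU, h=1e-3):
    """f(t) = -dR/dt, estimated by a central difference."""
    return (ph_reliability(t - h, x, a, beta, mu)
            - ph_reliability(t + h, x, a, beta, mu)) / (2 * h)


def hazard_ratio(t, x1, x2, a=A, beta=BETA, mu=MU):
    """Ratio of two units' failure rates at time t; the baseline cancels."""
    return ph_hazard(t, x1, a, beta, mu) / ph_hazard(t, x2, a, beta, mu)


if __name__ == "__main__":
    for t in (100.0, 500.0, 900.0):
        lam = ph_hazard(t, X_STRESSED)
        check = ph_pdf(t, X_STRESSED) / ph_reliability(t, X_STRESSED)  # Eq. (3.144)
        print(f"t={t:6.0f} h  lambda={lam:.6e}  f/R={check:.6e}  "
              f"ratio={hazard_ratio(t, X_STRESSED, X_NOMINAL):.4f}")
```

Calling `ph_hazard` with `beta=1.0` gives the exponential case mentioned in the text, where the failure rate is the constant $g(X, A)/\mu$.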