
Handbook of Reliability, Availability, Maintainability and Safety in Engineering Design - Part 69 pptx


Table 5.18 (continued)

| Component | Failure description | Failure mode | Failure causes | Defect. MATL & LAB ($)/failure (incl. damage) | Econ. $/failure (prod. loss) | Total $/failure (prod and repair) | Risk | Cost criticality rating |
|---|---|---|---|---|---|---|---|---|
| Instrument loop (press 2) | Fails to detect low pressure condition | TLF | Low pressure switch fails due to corrosion or mechanical damage | | | | | |
| Instrument loop (press 2) | Fails to detect low pressure condition | TLF | Pressure switch relay or cabling failure | | | | | |
| Instrument loop (press 2) | Fails to provide output signal for alarm | TLF | PLC alarm function or indicator fails | | | | | |


Table 5.19 FMECA for process and cost criticality

| Component | Failure description | Failure mode | Failure consequences | Total $/failure (prod and repair) | Cost risk | MTBF (months) | Process criticality rating | Cost criticality rating | Maintenance frequency |
|---|---|---|---|---|---|---|---|---|---|
| Control valve | | | | | | | criticality | Medium cost | 12 monthly |
| Control valve | | | | | | | criticality | Medium cost | 12 monthly |
| Control valve | Fails to seal/close | | | | | | criticality | Medium cost | 6 monthly |
| Control valve | Fails to seal/close | | | | | | criticality | Medium cost | 6 monthly |
| Instrument loop (press 1) | Fails to provide accurate pressure indication | | | | | | criticality | Low cost | 3 monthly |
| Instrument loop (press 2) | Fails to detect low pressure condition | | | | | | criticality | Low cost | 3 monthly |
| Instrument loop (press 2) | Fails to detect low pressure condition | | | | | | criticality | Low cost | 3 monthly |
| Instrument loop (press 2) | Fails to provide output signal for alarm | | | | | | criticality | Low cost | 3 monthly |


666 5 Safety and Risk in Engineering Design

qualitative assessment values for the likelihood of occurrence and the impact that the risk may have on costs. Assessment values for risk may be designated as indicated previously, where risk has been defined as the result of multiplying the consequence of the failure mode (i.e. its severity) by the probability of failure (i.e. its likelihood):

Risk(R) = Severity × Probability (or Likelihood)

Severity

The use of qualitative assessment scales for determining the severity of a failure consequence is common in risk analysis, where severity criteria are designated a value ranging from 10 to 1. The most severe consequence is valued at 10 (disabling injury—life risk), whereas no safety risk is valued at 1, or 0, as indicated in the risk assessment scale in Table 5.20.

Likelihood

Many different scales have been developed for determining the likelihood of failure occurrence. One commonly used scale is expressed in terms of ‘probability qualifiers’ given as:

Actual occurrence = 0.95 to 1.00,

Probable occurrence = 0.50 to 0.95, and

Possible occurrence = less than 0.50.

Criticality

Once an overall total and an overall average value of risk has been assessed according to the risk assessment scale, a criticality rating can be defined for each failure mode, using the following expression:

Criticality(C) = Risk × Failure rate

Failure Rate

If the failure rate for the item cannot be determined from available data, a representative estimation for failure rate in high-corrosive process applications can be used. This is done by the following qualifying values:

| Qualification | Failure rate (×10⁻⁴) |
|---|---|
| Very high | >5,000 |


5.2 Theoretical Overview of Safety and Risk in Engineering Design 667

Table 5.20 Risk assessment scale

Estimated degree of safety. Risk assessment values: Degree of severity × Probability

| Severity criteria | Actual (0.95 to 1.00): Deg / Prob / Risk | Probable (0.50 to 0.95): Deg / Prob / Risk | Possible (0.01 to 0.05): Deg / Prob / Risk |
|---|---|---|---|
| (Disabling injury) | | | |
| (Reported accident) | | | |
| (Physical condition) | | | |

e) Qualitative Criticality Analysis

Qualitative criticality analysis is structured in a failure modes and safety effects (FMSE) analysis, in contrast to the standard FMECA, which is based on failure rates, MTBF and MTTR. The outcome of the FMSE, given in Table 5.21, indicates that the dominant failure modes that are the key shutdown drivers in determining the optimum maintenance frequency are the two control valve failure modes of medium criticality and scheduled frequency of 6 months.

All other tasks relating to the control valve can be re-scheduled into this half-yearly shut. This implies that the annual scheduled service of the control valve can be premature with a low risk impact, and the quarterly scheduled checks or component replacements of the pressure instrument loops (pressure gauges and switches) can be delayed with low risk impact.

A cost criticality analysis can now be conducted on the basis of the shutdown frequency of 6 months being the estimated likelihood of failure for all the relevant failure modes. This approach is repeated for all those items of equipment initially found to be critical items according to a ranking of their consequences of failure. The task seems formidable but, following the Pareto principle (or 80–20 rule), in most cases 80% of cost risk consequences are due to only 20% of all components. Table 5.21 shows the application of qualitative risk assessment in the form of an FMSE for process criticality of the control valve given in Table 5.19.


Table 5.21 Qualitative risk-based FMSE for process criticality, where (1) = likelihood of occurrence (%), (2) = severity of the consequence (rating), (3) = risk (probability × severity), (4) = failure rate (1/MTBF), (5) = criticality (risk × failure rate)

| Component | Failure description | Failure mode | Failure consequences | Failure causes | (1) | (2) | (3) | (4) | (5) | Criticality rating |
|---|---|---|---|---|---|---|---|---|---|---|
| Control valve | Fails to open | TLF | Production | Solenoid valve fails, failed cylinder actuator or air receiver failure | 75% | 6 | 4.50 | 0.083 | 0.37 | Low criticality |
| Control valve | Fails to open | TLF | Production | No PLC output due to modules electronic fault or cabling | 75% | 6 | 4.50 | 0.167 | 0.75 | Low criticality |
| Control valve | Fails to seal/close | TLF | Production | Valve disk damaged due to corrosion wear (same causes as ‘fails to open’) | 100% | 6 | 6.00 | 0.167 | 1.0 | Medium criticality |
| Control valve | Fails to seal/close | TLF | Production | Valve stem cylinders seized due to chemical deposition or corrosion | 100% | 6 | 6.00 | 0.25 | 1.5 | Medium criticality |
| Instrument loop (press 1) | Fails to provide accurate pressure indication | TLF | Maint | Restricted sensing port due to blockage of chemical or physical accumulation | 100% | 2 | 2.00 | 0.33 | 0.66 | Low criticality |
| Instrument loop (press 2) | Fails to detect low pressure condition | TLF | Maint | Low pressure switch fails due to corrosion or mechanical damage | 100% | 2 | 2.00 | 0.33 | 0.66 | Low criticality |
| Instrument loop (press 2) | Fails to detect low pressure condition | TLF | Maint | Pressure switch relay or cabling failure | 75% | 2 | 1.50 | 0.25 | 0.38 | Low criticality |
| Instrument loop (press 2) | Fails to provide output signal for alarm | TLF | Maint | PLC alarm function or indicator fails | 100% | 2 | 2.00 | 0.25 | 0.5 | Low criticality |
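The criticality column of Table 5.21 can be recomputed from columns (1), (2) and (4), and the ranking tested by varying likelihood alone across its probability-qualifier band. This is an added example, not from the handbook: the row values are transcribed from the table, the function names are illustrative, and the lower bound of 0 for "possible" is an assumption.

```python
# Added example: values transcribed from Table 5.21; all names are illustrative.
# Each row: (failure mode and cause, likelihood (1), severity (2),
#            failure rate (4) = 1/MTBF, criticality (5) as printed).
ROWS = [
    ("valve fails to open: solenoid/actuator/air receiver", 0.75, 6, 0.083, 0.37),
    ("valve fails to open: no PLC output", 0.75, 6, 0.167, 0.75),
    ("valve fails to seal/close: disk corrosion wear", 1.00, 6, 0.167, 1.0),
    ("valve fails to seal/close: stem cylinders seized", 1.00, 6, 0.25, 1.5),
    ("press 1 inaccurate indication: blocked sensing port", 1.00, 2, 0.33, 0.66),
    ("press 2 misses low pressure: switch corroded/damaged", 1.00, 2, 0.33, 0.66),
    ("press 2 misses low pressure: relay or cabling", 0.75, 2, 0.25, 0.38),
    ("press 2 no alarm output: PLC alarm/indicator", 1.00, 2, 0.25, 0.5),
]

# Probability qualifiers from the Likelihood section, as (low, high) bounds.
# The lower bound of "possible" is taken as 0 (assumption).
ACTUAL, PROBABLE, POSSIBLE = (0.95, 1.00), (0.50, 0.95), (0.0, 0.50)


def criticality(likelihood, severity, failure_rate):
    """Criticality = risk x failure rate, where risk = severity x likelihood."""
    return severity * likelihood * failure_rate


def qualifier_band(likelihood):
    """Return the (low, high) band of the qualifier that contains `likelihood`."""
    if likelihood >= ACTUAL[0]:
        return ACTUAL
    return PROBABLE if likelihood >= PROBABLE[0] else POSSIBLE


def table_mismatches(rows=ROWS, tol=0.006):
    """Names of rows whose printed criticality differs from the recomputed one."""
    return [name for name, p, s, lam, printed in rows
            if abs(criticality(p, s, lam) - printed) > tol]


def one_way_sensitivity(rows=ROWS):
    """Vary likelihood alone across its band: (name, low, base, high), ranked by base."""
    result = []
    for name, p, s, lam, _ in rows:
        low, high = qualifier_band(p)
        result.append((name, criticality(low, s, lam),
                       criticality(p, s, lam), criticality(high, s, lam)))
    return sorted(result, key=lambda r: r[2], reverse=True)


def top_rank_is_robust(ranked):
    """True if the top mode's lowest criticality beats every other mode's highest."""
    return all(ranked[0][1] > other[3] for other in ranked[1:])


if __name__ == "__main__":
    for name, low, base, high in one_way_sensitivity():
        print(f"{base:5.2f}  [{low:.2f}, {high:.2f}]  {name}")
```

The two "fails to seal/close" modes rank first and second at their tabulated likelihoods, and the seized-stem mode stays on top anywhere within its band.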


f) Residual Life Evaluation

Component residual life, in the context of a renewal/replacement process that is typically carried out during scheduled preventive maintenance shutdowns in process plant, is in effect equivalent to the time elapsed between shutdowns. This is, however, not the true residual life of the component based on its reliability characteristics. The difference between the two provides a suitable means of comparison for maintenance optimisation of safety-critical components.

Optimum maintenance intervals are best determined through the method of equipment age analysis, which identifies the rate of component deterioration and potential failure ages. The risk-based maintenance technique of residual life assessment is ideally applied in equipment age analysis where the frequencies of preventive maintenance activities in shutdown programs can be optimised. However, residual life is widely used in modelling stochastic processes during detail engineering design, and is one of the random variables that determines the design requirements for component renewal/replacement; the other being the component age once the process design has progressed beyond the engineered installation stage, and has been in operation for some time.

In reliability theory, residual life appears as the time until the next failure, whereas for the renewal/replacement process it is normally expressed as a mathematical function of conditional reliability in which the residual life is determined from the component age. The mean residual life or remaining life expectancy function at a specific component age is defined to be the expected remaining life given survival to that age. It is a concept of obvious interest in maintenance optimisation, and most important in process reliability.

g) Failure Probability, Reliability and Residual Life

There are fundamentally two measures of reliability: the failure density function, which quantifies how many components would fail at different time points (i.e. a combination of how many components survive at each point, and the risk of failure in the interval up to the following time point), and the hazard rate, which is the conditional chance of failure, assuming the equipment has survived so far. It is the hazard rate that is essential for decisions about how long equipment can be left in service with a related risk of failure, or whether it should be renewed or replaced. Component failure density in a common series systems configuration (or in a complex system reduced to a simple series configuration) is defined by the following function

$$f_i(t) = \lim_{\Delta t \to 0} \frac{\alpha_S(t) - \alpha_S(t + \Delta t)}{\alpha_0\,\Delta t}$$

where:

$f_i(t)$ = the ith component failure

$\Delta t$ = the time interval

$\alpha_0$ = the total number of components in operation at time t = 0

$\alpha_S$ = the number of components surviving at time t or t + Δt.

The ith component cumulative distribution function (failure probability) is defined by the following expression

F i (t) =

t

 0

and the ith component reliability is defined by:

$$R_i(t) = 1 - F_i(t)$$

Substituting the equation for $F_i(t)$ in the equation for $R_i(t)$ leads to

R i (t) = 1 −

t

 0

However, a commonly used alternative expression for $R_i(t)$ is

$$R_i(t) = e^{-\int_0^t \lambda_i(t)\,dt} \tag{5.88}$$

where:

$\lambda_i(t)$ = the ith component hazard rate or instantaneous failure rate.

In this case, a component failure time can follow any statistical distribution function of which the hazard rate is known. The expression $R_i(t)$ is reduced to

The mean time between failures (MTBF) is defined by the following expression

 0

Substituting the expression for $R_i(t)$ and integrating in the series gives the model for MTBF—in effect, this is the sum of the inverse values of the component hazard rates, or instantaneous failure rates of all the components in the series

n

i=1

−1

(5.91)

where:

λi = the ith component hazard rate or instantaneous failure rate.


Residual life. Let T denote the time to failure. The survival function can then be expressed as

The conditional survival function of a component that has survived without failure can now be formulated.

The conditional survival function of a component that has survived (without failure) up to time x is

$$R(t|x) = P(T > t + x \mid T > x) = \frac{P(T > t + x)}{P(T > x)} = \frac{R(t + x)}{R(x)} \tag{5.93}$$

R(t|x) denotes the probability that a component (of age x) will survive an extra time t. The mean residual life (MRL) of a component of age x can thus be expressed as

MRL(x) =

 0

If x = 0, then the initial age is zero, implying a new item, MRL(0) = MTTF, the mean time to fail. The difference between MTBF and MTTF is in their application. Although both are similarly calculated, MTBF is applied to components that are repaired, and MTTF to components that are replaced. The mean residual life (MRL) function or remaining life expectancy function at age x is defined to be the expected remaining life given survival to age x. Consider now the reliable life for the one-parameter exponential distribution, compared to the residual life

h (x) =MRL(x)

Certain characteristics of the comparison between the mean residual life MRL and the mean time to fail MTTF are the following:

• When the time to failure for an item, T, has an exponential distribution (i.e. constant hazard rate), then the function h(x) = 1 for all x and MRL = MTTF.

• When T has a Weibull distribution with shape parameter β < 1 (i.e. a decreasing failure rate), then h(x) is an increasing function.

• When T has a Weibull distribution with shape parameter β > 1 (i.e. an increasing failure rate), then h(x) is a decreasing function.
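The three characteristics listed above can be checked numerically. This is an added example, not from the handbook: it integrates the conditional survival function R(t|x) = R(t + x)/R(x) to obtain MRL(x) = ∫₀^∞ R(t|x) dt, and it assumes h(x) = MRL(x)/MTTF, the ratio implied by the first bullet. Function and parameter names are illustrative.

```python
import math

# Added example: Weibull time to failure with shape beta and scale eta
# (parameter names are illustrative). beta = 1 is the exponential case.


def conditional_survival(t, x, beta, eta):
    """R(t|x) = R(t + x) / R(x) for R(t) = exp(-(t/eta)**beta), as one exponential."""
    return math.exp((x / eta) ** beta - ((t + x) / eta) ** beta)


def mean_residual_life(x, beta, eta, n=20_000, tail=1e-12):
    """MRL(x) = integral of R(t|x) over t >= 0, by composite Simpson's rule."""
    # Integrate up to the extra time at which R(t|x) has decayed to `tail`.
    upper = eta * ((x / eta) ** beta - math.log(tail)) ** (1.0 / beta) - x
    step = upper / n  # n must be even for Simpson's rule
    total = (conditional_survival(0.0, x, beta, eta)
             + conditional_survival(upper, x, beta, eta))
    for k in range(1, n):
        total += (4 if k % 2 else 2) * conditional_survival(k * step, x, beta, eta)
    return total * step / 3.0


def mttf(beta, eta):
    """Weibull mean time to fail in closed form: eta * Gamma(1 + 1/beta)."""
    return eta * math.gamma(1.0 + 1.0 / beta)


def h(x, beta, eta):
    """Assumed ratio h(x) = MRL(x) / MTTF, so that h(0) = 1 for a new item."""
    return mean_residual_life(x, beta, eta) / mttf(beta, eta)


def h_profile(beta, eta, ages):
    """h(x) at each age in `ages`, rounded for display."""
    return [round(h(x, beta, eta), 3) for x in ages]


if __name__ == "__main__":
    ages = [0.5, 1.0, 2.0, 4.0]
    for beta in (0.5, 1.0, 2.0):
        print(f"beta={beta}: {h_profile(beta, 1.0, ages)}")
```

With β > 1, a component that has already survived to age x has less expected life left than a new one, which is why h(x) falls as age increases.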

Thus, in the case of scheduled preventive maintenance activities with frequencies less than their MTTF, the cost/risk of premature renewal or replacement is the loss of potential equipment life (accumulated over all components), equivalent to the sum of the differences between the residual life of each component and the scheduled frequency. Similarly, for those scheduled preventive maintenance activities with frequencies greater than their MTTF, the cost/risk of delayed renewal or replacement is the cost of losses (accumulated over all components) due to forced shutdowns as a result of failure, plus the cost of repair to the failed component and to any consequential damage. The likelihood of failure is equivalent to the ratio of the differences between the MTTF of each component and the scheduled frequency, divided by the differences between the residual life of each component and the scheduled frequency. Table 5.22 shows the replacement of (1) = likelihood of occurrence and (4) = failure rate with the calculated residual life values, to the FMSE of Table 5.21.

h) Sensitivity Testing

Sensitivity testing in FMSE considers limits of the likelihood of failure. This is done by representing the likelihood as a statistical distribution (usually, the standard normal distribution), and determining the variance and standard deviation of the range of likelihood values. Sensitivity testing in this case is thus a statistical measure of how well a likelihood test correctly identifies a failure condition. This is illustrated in the concept tabulated below. The sensitivity is the proportion of ‘true positives’ or true likelihood of failure, and is a parameter of the test.

Specificity in the concept diagram is a statistical measure of how well a likelihood test correctly identifies the negative cases, or those cases that do not result in a failure condition. The significance level of the sensitivity test is a statistical hypothesis testing concept. It is defined as the probability of making a decision to reject the null hypothesis when the null hypothesis is actually true (a decision known as a type I error, or ‘false positive determination’). The decision is made using the P-value of the hypothesis test. If the P-value is less than the significance level, then the null hypothesis is rejected. The smaller the P-value, the more significant the result is considered to be. Different α-levels of the hypothesis test indicate greater confidence in the determination of significance with smaller α-levels but run greater risks of failing to reject a false null hypothesis (a type II error, or ‘false negative determination’). Selection of an α-level involves a compromise in tendency towards a type I error, or a type II error. A common misconception is that a statistically significant result is always of practical significance. One of the more common problems in significance testing of sensitivity is the tendency for multiple comparisons to yield spurious significant differences even where the null hypothesis is true. For example, in a comparison study of the likelihood of failure of several failure modes, using an α-level of 5%, one comparison will likely yield a significant result despite the null hypothesis being true.

During a sensitivity analysis, the values of the specified sensitivity variables are modified with changes to the expected value. For one-way sensitivity analyses, one variable is changed at a time. For two-way sensitivity analyses, two variables are changed simultaneously. For a more sophisticated sensitivity analysis, an FMSE what-if analysis is conducted. The differences between the outcomes of the qualitative risk-based FMSE and related cost risk for different expected values can then be


Date posted: 02/07/2014, 10:20
