Reliability in Design

Uploaded by Suyash
- The reliability of a product is strongly influenced by decisions made during the design process. It is often not practicable or economic to change a design once production has started.
- It is therefore essential that design disciplines are used which minimize the possibility of failure and which allow design deficiencies to be detected and corrected as early as possible.
- The basic requirements for failure-free design were laid down earlier, i.e. adequate safety margins, protection against extreme load events and protection against strength degradation. The design must also take account of all other factors that can affect reliability, such as production methods, use and maintenance, and failures not caused by load.
- The design process must therefore be organized to ensure that failure-free design principles are used and that any deviations from the principles are detected and corrected.
- Failure-free design is the only acceptable principle for any reliability-conscious project team. Anything less will be reflected in the acceptance of failures throughout the development and production cycle, and a low rate of improvement.
- The designer must produce designs which will not fail if manufactured and used as specified. In order to be able to do this, test data may be needed to reduce uncertainties.
- Any subsequent failures can then be firmly classified as design deficiencies which escaped the review or test system, or as being due to manufacturing failures or overload. Failure-free design therefore involves prevention, check and cure.

COMPUTER-AIDED ENGINEERING

Computer-aided engineering (CAE) methods are available to assist with a wide variety of design tasks. Their power, ease of use, and increasing availability due to reducing costs of computing equipment and software are resulting in increasing applications. CAE also makes possible the creation of designs which would otherwise be very difficult or uneconomic,
for example electronic circuits (CAE for electronic design is usually referred to as electronic design automation, EDA). CAE can also provide enormous improvements in engineering productivity. Properly used, it can lead to the creation of more reliable designs.

Proprietary versions of the SPICE analog electronic circuit simulation program can be used to design circuits, and to test their operation under different operating conditions. Component performance details are held in the database. The designer can, in principle, design the circuit, then 'build' it and test it, all on the computer screen. The effects of parameter changes or failure modes can be quickly evaluated, and dynamic as well as static operating conditions can be tested. More advanced software exists for digital circuit design and evaluation.

In the mechanical engineering field, software is available for stress analysis, which performs finite element analysis calculations for mechanical and thermal stress, and for analysis of vibration and load responses. Drafting software is used for generating manufacturing drawings and machine tool instructions, and this can also be used to optimize the design of mechanisms.

Specialist CAE software is also available for design and analysis of systems and products incorporating other technologies, such as hydraulics, magnetics, and microwave electronics. Multi-technology capability is now also being provided, so that mixed-technology designs can be modelled and analysed.

CAE provides the capability for rapid assessment of different design options, and for analysing the effects of tolerances, variation, and failure modes. Therefore, if used in a systematic, disciplined way, with adequate documentation of the options studied and assessments performed, designs can be optimized for cost, producibility and reliability. CAE should be considered as a powerful aid to more cost-effective and correct design, not merely a means of speeding up the design process.
However, there are important limitations inherent in most CAE tools. The software models can never be totally accurate representations of all aspects of the design and of its operating environment. For example, electronic circuit simulation programs generally ignore the effects of electromagnetic interference between components, and drafting systems will ignore distortion due to stress or temperature. Therefore, it is essential that engineers using CAE are aware of the limitations, and how these could affect their designs. The effective application of modern CAE places greater responsibility upon designers to be aware of the practical aspects and limitations of the relevant technologies. Otherwise they can be easily misled into placing undue faith in the accuracy and completeness of the software models, resulting in incorrect or unreliable designs.

ENVIRONMENTS

The environments in which the product will be expected to be stored, operated and maintained must be carefully assessed, as well as the expected severity and durations. The assessment must include all aspects that could affect the product's operation, safety and reliability. Physical factors include temperature, vibration, shock, humidity, pressure, etc. Extreme values and, where relevant, rates of change must be considered. Other environmental conditions, such as corrosive atmosphere, electrical interference, power supply variation, etc., must also be considered. Where appropriate, combined environmental conditions, such as temperature/corrosive atmosphere and vibration/contamination, should be assessed. An aspect of environment often neglected is the treatment of the product by people, in storage, handling, operation and maintenance. Environmental aspects should be reviewed systematically, and the review should be properly documented. The protective measures to be taken must be identified, as appropriate to storage, transport, handling, operation and maintenance.
Protective measures include packaging, provision of warning labels and instructions, protective treatment of surfaces, and design features. Resistance to environmental conditions must be confirmed by test when hardware is available.

LOAD PROTECTION

Protection against extreme loads is not always possible, but should be considered whenever practicable. In many cases the maximum load can be pre-determined, and no special protection is necessary. However, in many other loading situations extreme external loads can occur and can be protected against. Standard products are available to provide protection against, for example, overpressure in hydraulic or pneumatic systems, impact loads, or electrical overload. When overload protection is provided, the reliability analysis is performed on the basis of the maximum load which can be anticipated, bearing in mind the tolerances of the protection system. In appropriate cases, loads which can occur when the protection system fails must also be considered.

However, in most practical cases it will be sufficient to design to withstand a predetermined load and to accept the fact that loads above this will cause failure. The probability of such loads occurring must be determined for a full reliability analysis to be performed. It may not always be practicable to determine the distribution of such extreme events, but data may be available either from failure records of similar items, or from test or other records. Where credible data are not available the worst design load case must be stated. The important point is that the worst design case is estimated and specified. A common cause of failure is the use of safety factors related to average conditions, without adequate consideration having been given to the extreme conditions which can occur during use of the product.

PROTECTION AGAINST STRENGTH DEGRADATION

Strength degradation, in its many forms, can be one of the most difficult aspects to take into account in design reliability analysis.
Strength degradation due to fatigue in metals is fairly well understood and documented, and therefore reliability analysis involving metal fatigue, including the effects of stress raisers such as notches, corners, holes and surface finish, can be performed satisfactorily, and parts can be designed to operate below the fatigue limit, or for a defined safe life. However, other weakening mechanisms are often more complex. Combined stresses may accelerate damage or reduce the fatigue limit. Corrosion and wear are dependent upon environments and lubrication, the effects of which are therefore often difficult to forecast. If complete protection is not possible, the designer must specify maintenance procedures for inspection, lubrication or scheduled replacement. Reliability analysis of designs with complex weakening processes is often impracticable. Tests should then be designed to provide the required data by generating failures under known loading conditions.

DESIGN ANALYSIS METHODS

Despite discipline, training and care, it is inevitable that occasional oversights or errors will occur in new designs. Design analysis methods have been developed to highlight critical aspects and to focus attention on possible shortfalls.

Design analyses are sometimes considered tedious and expensive. In most cases the analysis will show that nearly all aspects of the design are satisfactory, and much more effort will have been expended in showing this than in highlighting a few deficiencies. However, the discovery of very few deficiencies at an appropriately early stage can save far more than the costs that might be incurred by having to modify the design at a later stage, or by having to live with the consequences of the defect. Therefore, well-managed design analyses are extremely cost-effective. The tedium and expense can be greatly reduced by good planning and preparation and by the use of computerized methods. In this section, we will describe the main design analysis techniques available.
Their place in the overall design review process and the way they should be managed are also covered. The main reliability design analysis techniques described are:

1. Quality function deployment.
2. Reliability prediction.
3. Load-strength analysis.
4. Failure modes, effects and criticality analysis.
5. Fault tree analysis.
6. Hazard and operability study.
7. Parts, materials and process review.
8. Others, including human aspects, manufacturing, maintenance, etc.

QUALITY FUNCTION DEPLOYMENT

Quality function deployment (QFD) is a horrible expression for a simple technique to identify all of the factors which might affect the ability of a design or product to satisfy the customer, and the methods and responsibilities necessary to ensure control. QFD goes beyond reliability, as it covers aspects such as customer preferences for feel, appearance, etc., but it is a useful and systematic way to highlight design and process activities and controls necessary to ensure reliability.

QFD begins by a team consisting of the key marketing, design, production, reliability and quality staff working their way through the project plan or specification and identifying the features that will require to be controlled, the control methods applicable, and the responsible people. Constraints and risks are also identified, as well as the resources necessary. At this stage no analysis or detailed planning is performed, but the methods likely to be applied are identified. These methods are described later in this chapter and in others. QFD makes use of charts which enable the requirements to be listed, and controls, responsibilities, constraints, etc., to be tabulated, as they relate to design, analysis, test, production, etc. An example is shown in the figure below.
[Figure: QFD chart example (the 'house of quality'). Rows list the requirements with their importance ratings; columns list the design features (including bearing selection, housing construction, mounting design, magnet material and stator winding design); correlation matrices appear above the features and beside the requirements. The chart itself did not survive the scan.]

This shows requirements rated on an importance scale (1-5), and the design features that can affect them. Each feature is in turn rated against its contribution to each requirement, and a total rating of each feature is derived by multiplying each rating by the importance value, and adding these values. Thus, the bearing selection, housing construction and mounting design come out as the most critical design features. The correlation matrices indicate the extent to which requirements and features interact: plus signs indicate positive correlation and minus signs negative correlation. For example, magnet material and stator winding design might interact strongly. The minus signs in the requirements matrix indicate conflicting requirements. The options available are shown. In some cases further modelling or experiments are required, and this part of the chart can be used to indicate the variables that need to be included in such work.

The shape of the QFD chart has led to its being called the 'house of quality'. 'Quality' here is used in the widest sense to include all aspects of the product that will affect its reputation and cost. The figure is a top-level chart: lower-level charts are used to analyse more detailed aspects, for example more detailed design and component parameters, and production processes and tolerances, always against the same set of requirements. Thus every aspect of design and production, including analysis, test, production process control, final inspection, packaging, maintenance, etc., is systematically evaluated and planned for, always in relation to the most important product requirements. Requirements and features that are not important are shown up as such, and this can be a very important contribution to cost reduction and reliability improvement.
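The feature-rating arithmetic described above (each feature's total = sum over requirements of contribution rating × requirement importance) is small enough to be worth making explicit. The following is an added example, not a chart or code from the text; the requirement names, importance values and contribution ratings are constructed, and the ranking it produces happens to agree with the text's observation that bearing selection, housing construction and mounting design come out on top. It also adds a check the text implies but does not spell out: flagging any requirement that no feature addresses strongly.

```python
"""Weighted QFD feature rating (added example; all data constructed)."""

# Constructed requirements with importance ratings (1 = low, 5 = high)
REQUIREMENTS = {
    "long life": 5,
    "low noise": 3,
    "low cost": 4,
    "easy maintenance": 2,
}

# Constructed contribution ratings (0-5) of each design feature to each
# requirement. A missing entry means no contribution (0).
FEATURES = {
    "bearing selection":     {"long life": 5, "low noise": 4, "low cost": 2, "easy maintenance": 2},
    "housing construction":  {"long life": 4, "low noise": 3, "low cost": 3, "easy maintenance": 2},
    "mounting design":       {"long life": 3, "low noise": 5, "low cost": 2, "easy maintenance": 2},
    "magnet material":       {"long life": 2, "low cost": 4},
    "stator winding design": {"long life": 3, "low noise": 1, "low cost": 1},
}


def feature_totals(requirements, features):
    """Total rating per feature: sum of (contribution * requirement importance)."""
    totals = {}
    for name, ratings in features.items():
        unknown = set(ratings) - set(requirements)
        if unknown:
            raise ValueError(f"{name}: ratings given for unknown requirements {sorted(unknown)}")
        totals[name] = sum(r * requirements[req] for req, r in ratings.items())
    return totals


def rank_features(requirements, features):
    """Features ordered from most to least critical (ties broken by name)."""
    totals = feature_totals(requirements, features)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def coverage_gaps(requirements, features, min_rating=3):
    """Requirements that no feature addresses with a rating >= min_rating."""
    return [req for req in requirements
            if not any(r.get(req, 0) >= min_rating for r in features.values())]


if __name__ == "__main__":
    for name, total in rank_features(REQUIREMENTS, FEATURES):
        print(f"{total:4d}  {name}")
    print("requirements without a strong feature:", coverage_gaps(REQUIREMENTS, FEATURES))
```

With the constructed data the three top-ranked features are bearing selection (49), housing construction (45) and mounting design (42), and the coverage check reports that 'easy maintenance' has no feature rated 3 or more against it, which is exactly the kind of gap a lower-level QFD chart would then be used to examine.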
LOAD-STRENGTH ANALYSIS (LSA)

Load-strength analysis (LSA) is a procedure to ensure that all load and strength aspects have been considered in deriving the design, and if necessary in planning of tests. The load-strength analysis should include the following:

- Determine the most likely worst-case values and patterns of variation of load and strength.
- Evaluate the safety margin for intrinsic reliability.
- Determine protection methods (load limit, derating, screening, other quality control methods).
- Identify and analyse strength degradation modes.
- Test to failure to corroborate; analyse results.
- Correct or control (redesign, safe life, quality control, maintenance, etc.).

[Table: Load-strength analysis example for a hypothetical mechanical and electrical assembly. Columns cover the item and function (rows include a solenoid and an aluminium bracket-to-frame attachment), the load source and operating range, the frequency or probability of occurrence, the worst-case or combined load, and the action taken (for example overvoltage protection, a life test, or combining power supply variation with ambient temperature). The table body did not survive the scan.]

The above table is an example of a hypothetical load-strength analysis for a mechanical and electrical assembly. The example shows approaches that can be used for different aspects of the analysis. Event probabilities can be expressed as full distributions, or as the likelihood of a particular limiting case being exceeded. The former is more appropriate when the load(s) can cause degradation, or if a more detailed reliability assessment is required. Both examples show typical, though rather simple, cases where the effects of combined loads might have been overlooked but for the analysis. For example, the solenoid might be supplied with a manufacturer's rating of 28 V operating, ±2 V, and a maximum ambient temperature of 45 °C. A test at room temperature of the solenoid might have confirmed its ability to function with a 32 V supply without overheating.
However, the combined environment of +45 °C and a 32 V supply, albeit an infrequent occurrence, could lead to failure.

FAILURE MODES, EFFECTS AND CRITICALITY ANALYSIS (FMECA)

Failure modes, effects and criticality analysis (FMECA), or failure modes and effects analysis (FMEA), is probably the most widely used and most effective design reliability analysis method. The principle of FMECA is to consider each mode of failure of every component of a system and to ascertain the effects on system operation of each failure mode in turn. Failure effects may be considered at more than one level, e.g. at subsystem and at overall system level. Failure modes are classified in relation to the severity of their effects.

An FMECA may be based on a hardware or a functional approach. In the hardware approach actual hardware failure modes are considered (e.g. resistor open circuit, bearing seizure). The functional approach is used when hardware items cannot be uniquely identified, or in early design stages when hardware is not fully defined. In this approach function failures are considered (e.g. no feedback, memory lost). Note that a functional failure mode can become a hardware failure effect in a hardware-approach FMECA. An FMECA can also be performed using a combination of hardware and functional approaches.

Figures 1 and 2 (captioned Figures 7.2 and 7.3 below) show worksheets taken from US MIL-STD-1629. Method 101 is a non-quantitative method, which serves to highlight failure modes whose effects would be considered important in relation to severity, detectability, maintainability or safety. Method 102 (criticality analysis) includes consideration of failure rate or probability, failure mode ratio and a quantitative assessment of criticality, in order to provide a quantitative criticality rating for the component or function.
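The solenoid case in the load-strength section above (rated 28 V ±2 V at up to 45 °C ambient, tested at 32 V but only at room temperature) is a combined-load oversight that a systematic enumeration catches. The following is an added example, not part of the text: it takes each stress factor as a set of discrete levels with probabilities (constructed values, assumed independent), enumerates every combination, flags the combinations that lie outside the rating and were never covered by a test, and ranks them by likelihood. The rating limits come from the text; the probabilities and the tested envelope are constructed.

```python
"""Combined-load screening for a load-strength analysis (added example)."""
from itertools import product

# Constructed stress-factor distributions: level -> probability of that level
# applying in a given operating period (assumed independent of each other).
FACTORS = {
    "supply_v": {26.0: 0.05, 28.0: 0.90, 30.0: 0.04, 32.0: 0.01},
    "ambient_c": {20.0: 0.70, 35.0: 0.25, 45.0: 0.05},
}

# Manufacturer's rating from the text: 28 V +/- 2 V, maximum ambient 45 C.
# (None means no limit on that side of the band.)
RATING = {"supply_v": (26.0, 30.0), "ambient_c": (None, 45.0)}

# Conditions actually verified by test (constructed): 32 V at room temperature only.
TESTED = [{"supply_v": 32.0, "ambient_c": 20.0}]


def within_rating(cond, rating=RATING):
    """True if every factor in cond lies inside its rated band (limits inclusive)."""
    for name, (lo, hi) in rating.items():
        value = cond[name]
        if lo is not None and value < lo:
            return False
        if hi is not None and value > hi:
            return False
    return True


def enumerate_conditions(factors):
    """Yield (condition, joint probability) for every combination of factor levels."""
    names = list(factors)
    for levels in product(*(factors[n].items() for n in names)):
        cond = {n: level for n, (level, _) in zip(names, levels)}
        prob = 1.0
        for _, p in levels:
            prob *= p
        yield cond, prob


def untested_overloads(factors, tested, rating=RATING):
    """Combinations outside the rating that no test has covered, most likely first."""
    found = []
    for cond, prob in enumerate_conditions(factors):
        if within_rating(cond, rating):
            continue
        if any(all(t[k] == cond[k] for k in cond) for t in tested):
            continue  # this exact combination was verified by test
        found.append((cond, prob))
    found.sort(key=lambda cp: -cp[1])
    return found


def probability_outside_rating(factors, rating=RATING):
    """Total probability that at least one factor lies outside its rated band."""
    return sum(p for cond, p in enumerate_conditions(factors)
               if not within_rating(cond, rating))


if __name__ == "__main__":
    print(f"P(outside rating) = {probability_outside_rating(FACTORS):.4f}")
    for cond, prob in untested_overloads(FACTORS, TESTED):
        print(f"untested overload: {cond}  p = {prob:.4f}")
```

Run on the constructed data, the room-temperature 32 V test is recognised as covering only one of the three over-voltage combinations; 32 V at 35 °C and 32 V at 45 °C are reported as untested, with the hotter case the rarer but the one the text identifies as the likely failure. The independence assumption is the usual weak point of such a screen: where supply excursions and high ambient share a cause, the joint probabilities should come from records rather than from the product of the marginals.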
The failure mode criticality number is defined in terms of:

β = conditional probability of loss of function or mission,
α = failure mode ratio,
λp = part failure or hazard rate,
t = operating or at-risk time of the item.

λp t can be replaced by the failure probability, 1 − … . The item criticality number is the sum of the failure mode criticality numbers for the item.

Steps in performing an FMECA

An effective FMECA can be performed only by an engineer or team of engineers having thorough knowledge of the system's design and application. The first step therefore is to obtain all the information available on the design. This includes specifications, drawings, computer-aided engineering (CAE) data, stress analysis, test results, etc., to the extent they are available at the time. For a criticality analysis the reliability prediction information must also be available, or it might be generated simultaneously.

A system functional block diagram and reliability block diagram should be prepared, if not already available, as these form the basis for preparing the FMECA and for understanding the completed analysis. If the system operates in more than one phase in which different functional relationships or item operating modes exist, these must be considered in the analysis. The effects of redundancy must also be considered by evaluating the effects of failure modes assuming that the redundant subsystem is or is not available.

An FMECA can be performed from different viewpoints, such as mission success, safety, availability, repair cost, failure mode or effect detectability, etc. It is necessary to decide, and to state, the viewpoint or viewpoints being considered in the analysis. For example, a safety-related FMECA might give a low criticality number to an item whose reliability seriously affects availability, but which is not safety critical. When the objectives of the analysis are serious (high warranty costs, reliability reputation, safety, etc.) the analysis should take account of all failure modes of all components.
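The criticality terms defined above (β, α, λp, t) are easier to apply when the bookkeeping is written out. The following is an added example, not the text's own worksheet or code; it assumes the MIL-STD-1629 method 102 product form Cm = β·α·λp·t for each failure mode, sums the Cm values per item to give the item criticality number as the text states, and offers the constant-hazard-rate failure probability 1 − exp(−λp·t) as the substitute for λp·t where a probability is wanted. The failure-mode data are constructed, and one item's α values are deliberately set so they do not sum to 1, so that the consistency check has something to report.

```python
"""FMECA criticality numbers in the MIL-STD-1629 method 102 form (added example)."""
from dataclasses import dataclass
from math import exp


@dataclass(frozen=True)
class FailureMode:
    item: str
    mode: str
    severity: str      # severity class, "I" (most severe) to "IV"
    beta: float        # conditional probability of loss of function or mission, 0-1
    alpha: float       # failure mode ratio: fraction of the item's failures in this mode
    lambda_p: float    # part failure (hazard) rate, failures per hour


# Constructed failure-mode data for illustration (not from the text).
MODES = [
    FailureMode("solenoid", "coil open", "II", 1.0, 0.6, 2e-6),
    FailureMode("solenoid", "stuck on", "I", 0.5, 0.4, 2e-6),
    FailureMode("bracket", "fatigue crack", "II", 0.8, 1.0, 5e-7),
    FailureMode("resistor R1", "open circuit", "III", 1.0, 0.9, 1e-7),
    FailureMode("resistor R1", "drift", "IV", 0.2, 0.2, 1e-7),  # alphas for R1 sum to 1.1 on purpose
]


def mode_criticality(fm, t_hours, use_probability=False):
    """Cm = beta * alpha * lambda_p * t (assumed MIL-STD-1629 product form).

    With use_probability=True the exposure term lambda_p * t is replaced by the
    failure probability 1 - exp(-lambda_p * t) of a constant hazard rate.
    """
    if not (0.0 <= fm.beta <= 1.0 and 0.0 <= fm.alpha <= 1.0):
        raise ValueError(f"{fm.item}/{fm.mode}: beta and alpha must lie in [0, 1]")
    if fm.lambda_p < 0 or t_hours < 0:
        raise ValueError(f"{fm.item}/{fm.mode}: rate and time must be non-negative")
    if use_probability:
        exposure = 1.0 - exp(-fm.lambda_p * t_hours)
    else:
        exposure = fm.lambda_p * t_hours
    return fm.beta * fm.alpha * exposure


def item_criticality(modes, t_hours, use_probability=False):
    """Item criticality number: the sum of the item's failure mode criticality numbers."""
    totals = {}
    for fm in modes:
        totals[fm.item] = totals.get(fm.item, 0.0) + mode_criticality(fm, t_hours, use_probability)
    return totals


def check_mode_ratios(modes, tol=1e-9):
    """Items whose failure mode ratios (alpha) do not sum to 1, a common worksheet error."""
    sums = {}
    for fm in modes:
        sums[fm.item] = sums.get(fm.item, 0.0) + fm.alpha
    return sorted(item for item, s in sums.items() if abs(s - 1.0) > tol)


def rank_modes(modes, t_hours, severity_order=("I", "II", "III", "IV")):
    """Order failure modes by severity class, then by Cm descending within a class."""
    rank = {s: i for i, s in enumerate(severity_order)}
    return sorted(modes, key=lambda fm: (rank[fm.severity], -mode_criticality(fm, t_hours)))


if __name__ == "__main__":
    T = 1000.0  # constructed operating time, hours
    print("items whose alpha values do not sum to 1:", check_mode_ratios(MODES))
    for item, cr in item_criticality(MODES, T).items():
        print(f"{item:12s} Cr = {cr:.2e}")
    for fm in rank_modes(MODES, T):
        print(f"class {fm.severity:3s} {fm.item}/{fm.mode}: Cm = {mode_criticality(fm, T):.2e}")
```

The ranking deliberately sorts on severity class before criticality number, so a rare class I mode is never buried beneath a frequent but minor one; this matches the text's later advice that the more critical the failure mode, the more pessimistic the reliability assumption fed into it should be.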
However, it might be appropriate to consider functional failure modes of sub-assemblies when these are based upon existing designs, e.g. modular power supplies in electronic systems, particularly if the design details are not known.

FMECA should be started as soon as initial design information is available. It should be performed iteratively as the design evolves, so that the analysis can be used to influence the design and to provide documentation of the eventually completed design. Design options should be separately analysed, so that reliability implications can be considered in deciding on which option to choose. Test results should be used to update the analysis.

FMECA is not a trivial task, and can involve many hours or weeks of work. It can also be difficult to trace the effects of low-level failures correctly through a complex system. If the system has been designed or the design modelled using CAE (or electronic design automation, EDA) software, this can be used to assist in the analysis, thus aiding the task of working out the effects of component-level failures on the operation of complex systems. Even with aids such as these, FMECA can be an inappropriate method for some designs, such as digital electronic systems in which low-level failures (e.g. of transistors within integrated circuits) are very, but uniformly, unlikely, and the effects are dynamic in the sense that they could differ widely depending upon the state of the system. FMECA is not appropriate for software designs.

FMECA is widely used in many industries, particularly in those for which failures can have serious consequences, such as military, aerospace, automotive, medical equipment, etc.
Some industries have established standardized approaches (the US Military Standard is MIL-STD-1629, and the US automotive companies have also produced a guidance document). However, these present rather rigid approaches, which furthermore are not appropriate for systems involving modern digital electronics, so they should be used only to the extent required by contracts and as valid for the technology.

Uses for FMECA

FMECAs can be used very effectively for several purposes, in addition to the prime one of identifying safety- or reliability-critical failure modes and effects. These include:

1. Identifying features to be included in the test programme.
2. Preparation of diagnosis routines such as flowcharts or fault-finding tables. The FMECA provides a convenient listing of the failure modes which produce particular failure effects or symptoms, and their relative likelihoods of occurrence.
3. Preparation of preventive maintenance requirements. The effects and likelihoods of failures can be considered in relation to the need for scheduled inspection, servicing or replacement. For example, if a failure mode has an insignificant effect on safety or operating success, the item could be replaced only on failure rather than at scheduled intervals, to reduce the probability of failure.
4. Design of built-in test (BIT), failure indications and redundancy. The failure detectability (including BIT) viewpoint is an important one in FMECA of systems which include these features.
5. For analysis of testability, particularly for electronic subassemblies and systems, to ensure that hardware can be economically tested and failures diagnosed, using automatic or manual test equipment.
6. For development of software for automatic test and BIT.
7. For retention as formal records of the safety and reliability analysis, to be used as evidence if required in reports to customers or in product safety litigation.
8.
An FMECA can be performed specifically to consider the possibility of production-induced failures, e.g. wrong diode orientation. Such a production FMECA can be very useful in test planning and in design for ease of production.

It is important to coordinate these activities, so that the most effective use can be made of the FMECAs in all of them, and to ensure that FMECAs are available at the right time and to the right people.

[Figure 7.2: MIL-STD-1629 worksheet for method 101. Header fields include system, indenture level, reference drawing, mission, sheet, date, compiled by and approved by. Columns recoverable from the scan: identification number; item/functional identification (nomenclature); function; failure modes and causes; mission phase/operational mode; failure detection method; compensating provisions; severity class; remarks.]

[Figure 7.3: MIL-STD-1629 worksheet for method 102 (criticality analysis); columns include failure rate, failure mode ratio and the criticality numbers. The worksheet body did not survive the scan.]

RELIABILITY PREDICTIONS FOR FMECA

Since FMECAs are performed primarily to identify critical failure modes and to evaluate design options, failure rate or reliability values which could be considered as realistic worst cases should be used. Standard methods sometimes stipulate the reliability prediction methods to be used, e.g. MIL-HDBK-217 for electronics. However, it is very important to appreciate the large amount of uncertainty inherent in reliability prediction, particularly at the level of individual failure events. Therefore, worst-case or pessimistic reliability values should always be used as input assumptions for failure modes which are identified as critical, or which might be critical if the pessimistic assumption proved to be realistic. Alternatively, and preferably unless credible quantitative data are available, a value scale such as 0-1 should be used, with prearranged assignment (e.g. 1 = will definitely occur, 0.5 = will occur occasionally, 0.1 = will rarely occur, 0 = will never occur).
Generally, the more critical the failure mode the more pessimistic should be the worst-case reliability assumptions.

HAZARD AND OPERABILITY STUDY (HAZOPS)

A hazard is a potential source of harm. Hazard and operability study (HAZOPS) is a technique for the systematic determination of the potential hazards that could be generated by a system, and of the methods that should be applied to remove or minimize them. It is used in the development of systems such as petrochemical plant, railway systems, etc., and usually is part of the mandatory safety approval process. Table 1 shows an example of the format used. For the failure/deviation column, a set of 'guide words' is sometimes applied to help in the identification of things that could possibly go wrong. The usual guide words are:

- no/not
- less
- as well as
- part of
- reverse
- other than

[Table 1: HAZOPS on motion system (partial). Columns: Component/Function; Failure/Deviation; Possible Cause(s); Event; Safeguards; Action. Rows recoverable from the scan: electrical power system, no power, main system failure (1), safeguard 'provide standby system'; hydraulic system, no pressure, main system failure (2), safeguard 'checks on maintenance schedule'; PWM circuit, permanently 'on', action 'see FMEA'; solenoid valve, stuck on/open, cause 'to be determined', action 'analysis, test'.]

HAZOPS should cover the whole range of potential failure causes, including natural hazards, human failures, etc.

PARTS, MATERIALS AND PROCESSES (PMP) REVIEW

All new parts, materials and processes called up in the design should be identified. 'New' in this context means new to the particular design and production organization. The designer is likely to assume that a part or material will perform as specified in the brochure and that a process can be controlled to comply with the design.
The reliability and quality assurance (QA) staff must ensure that this assumption is well founded. New parts, materials and processes must therefore be assessed or tested before being applied, so that adequate training for production people can be planned, quality control safeguards set up and alternative sources located. New parts, materials and processes must be formally approved for production and added to the approved lists.

Materials and processes must be assessed in relation to reliability. The main reliability considerations include:

1. Cyclical loading. Whenever loading is cyclical, including frequent impact loads, fatigue must be considered.
2. External environment. The environmental conditions of storage and operation must be considered in relation to factors such as corrosion and extreme temperature effects.
3. Wear. The wear properties of materials must be considered for all moving parts in contact.

There is such a wide variation of material properties, even among categories such as steels, aluminium alloys, plastics and rubbers, that it is not practicable to generalize about how these should be considered in relation to reliability. Material selection will be based upon several factors; the design review procedure should ensure that the reliability implications receive the attention appropriate to the application.

NON-MATERIAL FAILURE MODES

Most reliability engineering is concerned with material failure, such as that caused by load-strength interference and strength degradation. However, there is a large class of failure modes which are not related to this type of material failure, but which can have consequences which are just as serious. Examples of these are:

1. Fasteners which secure essential panels and which can be insecurely fastened due to wear, or left unfastened without being detected.
2. Wear in seals, causing low-pressure leaks in hydraulic systems.
3. Resistance increase of electrical contacts due to arcing and accretion of oxides.
4. Failure of protective surfaces, such as paints, metal plating or anodized surfaces.
5. Distortion of pins, or intermittent contact, on multipin electrical connectors.
6. Drift in electronic component parameter values.
7. Electromagnetic interference (EMI) and timing problems in electronic systems.
8. Other personnel-induced failures such as faulty maintenance, handling or storage, e.g. omitting to charge electrolytic capacitors kept in long-term storage, which can result in reduced charge capacity in use.
9. Interface problems between sub-systems, due to tolerance mismatch.

All of these modes can lead to perceived failures. Failure reporting systems always include a proportion of such failures. However, there is usually more scope for subjective interpretation and for variability due to factors such as skill levels, personal attitudes and maintenance procedures, especially for complex equipment. Non-material failures can be harder to assess at the design stage, and often do not show up during a test programme. Design reliability assessments should address these types of failure, even though it may be impracticable to attempt to predict the frequency of occurrence in some cases, particularly for personnel-induced failures.

HUMAN RELIABILITY

The term 'human reliability' is used to cover the situations in which people, as operators or maintainers, can affect the correct or safe operation of systems. In these circumstances people are fallible and can cause component or system failure in many ways. Human reliability must be considered in any design in which human fallibility might affect reliability or safety. Design analyses such as FMECA and FTA should include specific consideration of human factors, such as the possibility of incorrect operation or maintenance, the ability to detect and respond to failure conditions, and ergonomic or other factors that might influence them.
Attempts have been made to quantify various human error probabilities, but such data should be treated with caution, as human performance is too variable to be credibly forecastable from past records. Human error probability is usually very dependent on training, supervision, and motivational factors, so these must be considered in the analysis. Of course, in many cases the design organization has little or no control over these factors, but the analyses can be used to highlight the need for specific training, independent checks, or operator and maintainer instructions and warnings.
