Handbook of Reliability, Availability, Maintainability and Safety in Engineering Design - Part 20

3.3 Analytic Development of Reliability and Performance in Engineering Design

3.3.2.8 Uncertainty and Incompleteness in Engineering Design Analysis

Uncertainty and incompleteness are inherent to engineering design analysis. Uncertainty, arising from the complex integration of systems, can best be expressed in qualitative terms, necessitating that the results be presented in the same qualitative measures. This causes problems in analysis based upon a probabilistic framework. The only acceptable framework for an approach to qualitative probability is that of comparative probabilities proposed by Fishburn (1986), but its application is not easy at the practical level because its representational requirements are exponential (Cayrac et al. 1994).

An important question is to decide what kind of possibility theory or fuzzy logic representation (in the form of fuzzy sets) is best suited for engineering design analysis. The use of conjunction-based representations is perceived as not suitable from the point of view of automated logic, because conjunction-based fuzzy rules do not fit well with the usual meaning of rules in artificial intelligence-based expert systems. This is important because it is eventually within an expert system framework that engineering design analysis such as FMEA and FMECA should be established, in order to be able to develop intelligent computer automated methodology in determining the integrity of engineering design. The concern raised earlier that qualitative reasoning algorithms may not be suitable for FMEA or FMECA is thus to a large extent not correct. This consideration is based on the premise that the FMEA or FMECA formalism of analysis requires unique predictions of system behaviour and, although some vagueness is permissible due to uncertainty, it cannot be ambiguous, despite the consideration that ambiguity is an inherent feature of computational qualitative reasoning (Bull et al. 1995b).
Implication-based representations of fuzzy rules may be viewed as constraints that restrict a set of possible solutions, thus eliminating any ambiguity. A possible explanation for the concern may be that the two predominant types of engineering reasoning applied in engineering design analysis—systems engineering and knowledge engineering—do not have the same background. The former is usually data-driven, and applies analytic methods where analysis models are derived from data. In general, fuzzy sets are also viewed as data, resulting in any form of reasoning methodology being based on accumulating data. Incoherency issues are not considered because incoherence is usually unavoidable in any set of data. On the contrary, knowledge engineering is knowledge-driven, and a fuzzy rule is an element of knowledge that constrains a set of possible situations. The more fuzzy rules, the more information, and the more precise one can get. Fuzzy rules clearly stand at the crossroads of these two types of engineering applied to engineering design analysis.

In the use of FMECA for engineering design analysis, the objective is to develop a flexible representation of the effects and consequences of failure modes down to the relevant level of detail, whereby available knowledge—whether incomplete or uncertain—can be expressed. The objective thus follows qualitative analysis methodology in handling uncertainty with possibility theory and fuzzy sets in fault diagnostic applications, utilising FMECA (Cayrac et al. 1994).

An expansion of FMEA and FMECA for engineering design analysis is developed in this handbook, particularly for the application of reliability assessment during the preliminary and detail design phases of the engineering design process. The expanded methodology follows the first part of the methodology proposed by Cayrac (Cayrac et al.
1994), but not the second part proposed by Cayrac, which is a further exposition of the application of fault diagnosis using FMECA. A detailed description of introducing uncertainty in such a causal model is given by Dubois and Prade (Dubois et al. 1993).

3.3.2.9 Modelling Uncertainty in FMEA and FMECA

In modelling uncertainty with regard to possible failure as described by failure modes in FMEA and FMECA, consider the following: let D be the set of possible failure modes, or disorders, $\{d_1, \ldots, d_i, \ldots, d_p\}$ of a given causal FMEA and FMECA analysis, and let M be a set of observable consequences, or manifestations, $\{m_1, \ldots, m_j, \ldots, m_n\}$ related to these failure modes. In this model, disorders and manifestations are either present or absent. For a given disorder d, we express its (more or less) certain manifestations, gathered in the fuzzy set $M(d)^+$, and those that are (more or less) impossible, gathered in the fuzzy set $M(d)^-$. Thus, the fuzzy set $M(d)^+$ contains manifestations that (more or less) surely can be caused by the presence of a given disorder d alone. In terms of membership functions

$$\mu_{M(d)^+}(m) = 1 \qquad (3.133)$$

This means that the manifestation m exists in the fuzzy set of certain manifestations for a given disorder d. This also means that m is always present when d alone is present. Conversely, the set $M(d)^-$ contains manifestations that (more or less) surely cannot be caused by d alone. Thus

$$\mu_{M(d)^-}(m) = 1 \qquad (3.134)$$

This means that the manifestation m does not exist in the fuzzy set of impossible manifestations for a given disorder d. This also means that m is never present when d alone is present. Complete ignorance regarding the relation between a disorder and a manifestation (we do not know whether m can be a consequence of d) is expressed by

$$\mu_{M(d)^+}(m) = \mu_{M(d)^-}(m) = 0 \qquad (3.135)$$

Intermediate membership degrees allow a gradation of the uncertainty.
The fuzzy sets $M(d)^+$ and $M(d)^-$ are not possibility distributions because manifestations are clearly not mutually exclusive. Furthermore, the two membership functions $\mu_{M(d)^+}(m)$ and $\mu_{M(d)^-}(m)$ both express certainty levels that the manifestation m is present and absent respectively, when disorder d alone takes place.

a) Logical Expression of FMECA

FMECA information (without uncertainty) can be expressed as a theory T consisting of a collection of clauses:

$\neg d_i \vee m_j$ corresponds to a non-fuzzy set of certain manifestations $M(d_i)^+$, which means either that the disorders $\neg d_i$ are impossible or that the manifestations $m_j$ are possible in a non-fuzzy set of manifestations $M(d_i)^+$,

$\neg d_i \vee \neg m_k$ corresponds to a non-fuzzy set of impossible manifestations $M(d_i)^-$, which means either that the disorders $\neg d_i$ are impossible or that manifestations $\neg m_k$ are impossible in a non-fuzzy set of manifestations $M(d_i)^-$ (i.e. manifestations that cannot be caused by $d_i$ alone),

where $\vee$ denotes the Boolean disjunction operation ($\neg d_i \vee m_j = 0$ if $\neg d_i = m_j = 0$, and $\neg d_i \vee m_j = 1$ otherwise).

A disjunction is associated with indicative linguistic statements compounded with either ... or, such as $(\neg d_i \vee m_j) \Rightarrow$ either the disorders are impossible or the manifestations are possible. However, the term disjunction is currently more often used with reference to linguistic statements or well-formed formulae (wff) of associated form occurring in formal languages. Logicians distinguish between the abstracted form of such linguistic statements and their roles in arguments and proofs, and the meanings that must be assigned to such statements to account for those roles (Artale et al. 1998). The abstracted form represents the syntactic and proof-theoretic concept, and the meanings the semantic or truth-theoretic concept in disjunction.
Disjunction is a binary truth-function, the output of which is true if at least one of the input values (disjuncts) is true, and false otherwise. Disjunction together with negation provide sufficient means to define all truth-functions—hence their use in a logical expression of FMECA. If the disjunctive constant $\vee$ (historically suggestive of the Latin vel (or)) is a primitive constant of the linguistic statement, there will be a clause in the inductive definition of the set of well-formed formulae (wffs). Using $\alpha$ and $\beta$ as variables ranging over the set of well-formed formulae, such a clause will be:

If $\alpha$ is a wff and $\beta$ is a wff, then $\alpha \vee \beta$ is a wff

where $\alpha \vee \beta$ is the disjunction of the wffs $\alpha$ and $\beta$, and is interpreted as ‘[name of first wff] vel (‘or’) [name of second wff]’. In presentations of classical systems in which the conditional implication $\rightarrow$ or the subset $\supset$ and the negational constant $\neg$ are taken as primitive, the disjunctive constant $\vee$ will also feature in the abbreviation of a wff:

$\neg\alpha \rightarrow \beta$ (or $\neg\alpha \supset \beta$) as $\alpha \vee \beta$

Alternatively, if the conjunctive & has already been introduced as a defined constant, then $\vee$ will also feature in the abbreviation of a wff:

$\neg(\neg\alpha \,\&\, \neg\beta)$ as $\alpha \vee \beta$

In its simplest, classical semantic analysis, a disjunction is understood by reference to the conditions under which it is true, and under which it is false. Central to the definition is a valuation, a function that assigns a value in the set {1, 0}. In general, the inductive truth definition for a linguistic statement corresponds to the definition of its well-formed formulae. Thus, for a propositional linguistic statement, it will take as its basis a clause according to which an elemental part is true or false accordingly as the valuation maps it to 1 or to 0.
In systems in which $\vee$ is a primitive constant, the clause corresponding to disjunction takes $\alpha \vee \beta$ to be true if at least one of $\alpha$, $\beta$ is true, and takes it to be false otherwise. Where $\vee$ is introduced by the definitions given earlier, the truth condition can be computed for $\alpha \vee \beta$ from those of the conditional ($\rightarrow$ or $\supset$) or conjunction (&) and negation ($\neg$).

In a slightly more general perspective, then, if the disorders interact in the manifestations they cause, $d_i$ can be replaced by a conjunction of $d_k$. This general perspective is justification of the form (Cayrac et al. 1994):

$$\neg d_{i1} \wedge \cdots \wedge \neg d_{i(k)} \vee m_j \qquad (3.136)$$

where the conjunctive $\wedge$ is used in place of &. Thus, ‘intermediary entities’ between disorders and manifestations are allowed. In other words, in failure analysis, intermediary ‘effects’ feature between failure modes and their consequences, which is appropriate to the theory on which the FMECA is based.

This logical modelling of FMECA is, however, not completely satisfactory, as $\neg d_i \vee \neg m_k$ means either that the disorder $\neg d_i$ is impossible or that the manifestations $\neg m_k$ are impossible. This could mean that $d_i$ disallows $m_k$, which is different to the fuzzy set $\mu_{M(d)^-}(m) > 0$, since the disorder $\neg d_i$ being impossible only means that $d_i$ alone is not capable of producing $m_k$. This does not present a problem under a single failure mode assumption, but it does complicate the issue if simultaneous failure modes or disorders are allowed.

In Sect. 3.3.2.1, failure mode was described from three points of view:

• A complete functional loss.
• A partial functional loss.
• An identifiable condition.

For reliability assessment during the engineering design process, the first two failure modes—specifically, a complete functional loss, and a partial functional loss—can be practically considered.
The determination of an identifiable condition would be considered when contemplating the possible causes of a complete functional loss or of a partial functional loss. Thus, simultaneous failure modes or disorders in FMECA would imply both a complete functional loss and a partial functional loss—which is contradictory. The application of the fuzzy set $\mu_{M(d)^-}(m) > 0$ is thus valid in FMECA, since the implication is valid that $d_i$ alone is not capable of producing $m_k$. However, in the logical expressions of FMECA, two difficulties arise. The first is

$$\neg d_i \vee m_k \ \text{and}\ \neg d_j \vee m_k \ \text{imply}\ \neg(d_i \wedge d_j) \vee m_k \qquad (3.137)$$

Equation (3.137) implies that those clauses where either disorder $\neg d_i$ is impossible or manifestations $m_k$ are possible in a non-fuzzy set of certain manifestations $M(d_i)^+$, and where either disorder $\neg d_j$ is impossible or manifestations $m_k$ are possible in a non-fuzzy set of certain manifestations $M(d_j)^+$, imply that either disorder $\neg d_i$ and disorder $\neg d_j$ are impossible or manifestations $m_k$ are possible in non-fuzzy sets of certain manifestations $M(d_i)^+$ and $M(d_j)^+$. This logical approach implicitly involves the assumption of disorder independence (i.e. independent failure modes), leading to manifestations of simultaneous disorders. In other words, it assumes failure modes are independent but may occur simultaneously. This approach may be in contradiction with knowledge about joint failure modes expressing $\neg(d_i \wedge d_j) \vee \neg m_k$, where either disorder $\neg d_i$ and disorder $\neg d_j$ are impossible or where the relating manifestations $m_k$ are impossible in the non-fuzzy sets of manifestations $M(d_i)^-$ and $M(d_j)^-$.
The second difficulty that arises in the logical expressions of FMECA is

$$\neg d_i \vee \neg m_k \ \text{and}\ \neg d_j \vee \neg m_k \ \text{imply}\ \neg(d_i \wedge d_j) \vee \neg m_k \qquad (3.138)$$

Equation (3.138) implies that those clauses where either disorder $\neg d_i$ is impossible or manifestations $\neg m_k$ are impossible in the non-fuzzy set $M(d_i)^-$ that contains manifestations that cannot be caused by $d_i$ alone, and where either disorder $\neg d_j$ is impossible or manifestations $\neg m_k$ are impossible in a non-fuzzy set $M(d_j)^-$ that contains manifestations that cannot be caused by $d_j$ alone, imply that either disorder $\neg d_i$ and disorder $\neg d_j$ are impossible or manifestations $\neg m_k$ are impossible in the non-fuzzy sets $M(d_i)^-$ and $M(d_j)^-$, which together contain manifestations that cannot be caused by $d_i$ and $d_j$ alone. This is, however, in disagreement with the assumption

$$M^-(\{d_i, d_j\}) = M^-(\{d_i\}) \cap M^-(\{d_j\}) \qquad (3.139)$$

Equation (3.139) implies that the fuzzy set of accumulated manifestations that cannot be caused by the simultaneous disorders $\{d_i, d_j\}$ is equivalent to the intersection of the fuzzy set of manifestations that cannot be caused by the disorder $d_i$ alone, and the fuzzy set of manifestations that cannot be caused by the disorder $d_j$ alone (it enforces a union for $M^+(\{d_i, d_j\})$). In the logical approach, if $\neg d_i \vee \neg m_k$ and $\neg d_j \vee \neg m_k$ hold, this disallows the simultaneous assumption that $d_i$ and $d_j$ are present, which is then not a problem under the single failure mode assumption, as indicated in Sect. 3.3.2.1. On the contrary, $m_k \in M^+(d_j) \cap M^-(d_i)$ does not forbid $\{d_i, d_j\}$ from being a potential explanation of $m_k$ even if the presence (or absence) of $m_k$ eliminates $d_i$ (or $d_j$) alone.

b) Expression of Uncertainty in FMECA

In the following logical expressions of FMECA, the single failure mode assumption is made (i.e. either a complete functional loss or a partial functional loss).
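The two difficulties in (3.137) to (3.139), and the reason the single failure mode assumption removes them, can be seen concretely by resolving the crisp clauses of the theory T for a pair of disorders asserted present at the same time. The following is an added illustration, not code from the handbook or from Cayrac et al.; the disorders d1, d2 and the manifestations m1, m2, m3 with their M(d)+ and M(d)- sets are constructed sample knowledge.

```python
"""Crisp (uncertainty-free) FMECA clauses versus the fuzzy-set assumption (3.139).

Added illustration, not code from the handbook. The clausal theory T holds
(not d_i or m_j) for each m_j in M(d_i)+ and (not d_i or not m_k) for each
m_k in M(d_i)-, and we resolve it for two disorders present together, which
is the step taken by (3.137) and (3.138).
"""

# Constructed sample knowledge: which manifestations each disorder alone
# certainly causes (M+) and certainly cannot cause (M-).
M_PLUS = {"d1": {"m1"}, "d2": {"m2"}}
M_MINUS = {"d1": {"m2", "m3"}, "d2": {"m1", "m3"}}


def clauses(m_plus, m_minus):
    """Build T as a set of (disorder literal, manifestation literal) clauses."""
    theory = set()
    for d, ms in m_plus.items():
        theory.update((("not", d), ("pos", m)) for m in ms)
    for d, ms in m_minus.items():
        theory.update((("not", d), ("neg", m)) for m in ms)
    return theory


def entailed_for_pair(theory, di, dj):
    """Manifestation literals forced when d_i and d_j are both asserted present.

    With d_i and d_j true, every clause (not d or L) with d in {d_i, d_j}
    forces L, exactly as the right-hand sides of (3.137) and (3.138) state.
    """
    return {lit for (d_lit, lit) in theory if d_lit[1] in (di, dj)}


def logical_m_plus(theory, di, dj):
    """Manifestations the clausal theory forces present for {d_i, d_j}."""
    return {m for (sign, m) in entailed_for_pair(theory, di, dj) if sign == "pos"}


def logical_m_minus(theory, di, dj):
    """Manifestations the clausal theory forces absent for {d_i, d_j}."""
    return {m for (sign, m) in entailed_for_pair(theory, di, dj) if sign == "neg"}


def set_based_m_minus(m_minus, di, dj):
    """Equation (3.139): M-({d_i, d_j}) = M-({d_i}) intersected with M-({d_j})."""
    return m_minus[di] & m_minus[dj]


def is_inconsistent(theory, di, dj):
    """True when asserting both disorders forces some m both present and absent."""
    return bool(logical_m_plus(theory, di, dj) & logical_m_minus(theory, di, dj))


if __name__ == "__main__":
    T = clauses(M_PLUS, M_MINUS)
    print("logical M-({d1,d2}):", sorted(logical_m_minus(T, "d1", "d2")))
    print("(3.139)  M-({d1,d2}):", sorted(set_based_m_minus(M_MINUS, "d1", "d2")))
    print("theory inconsistent for {d1,d2}:", is_inconsistent(T, "d1", "d2"))
    print("single disorder d1 consistent:", not is_inconsistent(T, "d1", "d1"))
```

Resolving the clauses for {d1, d2} yields the absent set {m1, m2, m3}, the union of the two single-disorder M- sets, where (3.139) asks for the intersection {m3}; and because m1 and m2 are at the same time forced present (through M+) and absent (through M-), the theory becomes inconsistent, which is the sense in which the logical approach disallows d1 and d2 being present together. Querying a single disorder reproduces M-(d1) exactly, so under the single failure mode assumption the two modellings agree.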
Uncertainty in FMECA can be expressed using possibilistic logic in terms of a necessity measure N. For example

$$N(\neg d_i \vee m_j) \geq \alpha_{ij} \qquad (3.140)$$

where: $N(\neg d_i \vee m_j)$ is the certainty measure of a particular proposition that either disorder $\neg d_i$ is impossible or manifestations $m_j$ are possible in a non-fuzzy set of certain manifestations $M(d_i)^+$, and $\alpha_{ij}$ is the possibility distribution relating to constraint i of the disorder $d_i$ and constraint j of manifestation $m_j$.

The generalised modus ponens of possibilistic logic (Dubois et al. 1994) is

$$N(d_i) \geq \gamma_i \ \text{and}\ N(\neg d_i \vee m_j) \geq \alpha_{ij} \ \Rightarrow\ N(m_j) \geq \min(\gamma_i, \alpha_{ij}) \qquad (3.141)$$

where: $N(d_i)$ is the certainty measure of the proposition that the disorder $d_i$ is certain, $\gamma_i$ is the possibility distribution relating to constraint i of disorder $d_i$, and $N(m_j)$ is the certainty measure of the proposition that the manifestation $m_j$ is certain, bounded by the minimum cut set of the possibility distributions $\gamma_i$ and $\alpha_{ij}$. In other words, the presence of the manifestation $m_j$ is all the more certain, as the disorder $d_i$ is certainly present, and that $m_j$ is a certain consequence of $d_i$.

3.3.2.10 Development of the Qualitative FMECA

A further extension of the FMECA is considered, in which representation of indirect links between disorders and manifestations is also made. In addition to disorders and manifestations, intermediate entities called events are considered (Cayrac et al. 1994). Referring to Sect. 3.3.2.1, these events may be viewed as effects, where the effects of failure are associated with the immediate results within the component’s or assembly’s environment. Disorders (failure modes) can cause events (effects) and/or manifestations (consequences), where events themselves can cause other events and/or manifestations (i.e. failure modes can cause effects and/or consequences, where effects themselves can cause other effects and/or consequences). Events may not be directly observable.
An FMECA can therefore be defined by a theory consisting of a collection of clauses of the form

$$\neg d_i \vee m_j,\quad \neg d_k \vee e_l,\quad \neg e_m \vee e_n,\quad \neg e_p \vee m_q$$

and, to express negative information,

$$\neg d_{i'} \vee \neg m_{j'},\quad \neg d_{k'} \vee \neg e_{l'},\quad \neg e_{m'} \vee \neg e_{n'},\quad \neg e_{p'} \vee \neg m_{q'}$$

where d represents disorders (failure modes), m represents manifestations (consequences), and e represents events (effects). All these one-condition clauses are weighted by a lower bound equal to 1 if the implication is certain. The positive and negative observations (m or $\neg m$) can also be weighted by a lower bound of a necessity degree.

From the definitions above, it is possible to derive the direct relation between disorders and manifestations (failure modes and consequences), characterised by the fuzzy sets $\mu_{M(d)^+}(m)$ and $\mu_{M(d)^-}(m)$, as shown in the following relations (Dubois et al. 1994):

$$\mu_{M(d_i)^+}(m_j) = \alpha_{ij}, \qquad \mu_{M(d_i)^-}(m_j) = \gamma_{ij} \qquad (3.142)$$

The extended FMECA allows for an expression of uncertainty in engineering design analysis that evaluates the extent to which the identified fault modes can be discriminated during the detail design phase of the engineering design process. The various failure modes are expressed with their (more or less) certain effects and consequences. The categories of more or less impossible consequences are also expressed if necessary. After this refinement stage, if a set of failure modes cannot be discriminated in a satisfying way, the inclusion of the failure mode in the analysis is questioned. The discriminability of two failure modes $d_i$ and $d_j$ is maximum when a sure consequence of one is an impossible consequence of the other. This can be extended to the fuzzy sets previously defined.
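To show how the generalised modus ponens (3.141) chains through event clauses to yield the direct relation (3.142), here is an added example (not code from the handbook or from Cayrac et al.). The entity names d1, e1, e2, m1 to m4 and the clause weights are constructed. The propagation rule, minimum of the weights along a chain and the best (maximum) bound over alternative chains, is the usual possibilistic-logic treatment and is an assumption of this example rather than something the page states.

```python
"""Possibilistic forward chaining over an extended FMECA
(disorders -> events -> manifestations).

Added example, not the handbook's code. It applies (3.141),
N(m) >= min(N(d), N(not d or m)), repeatedly through event clauses, and reads
off the direct relation (3.142). Assumption: min along a chain, max over
alternative chains (standard possibilistic logic, labelled here).
"""
from collections import defaultdict

# Constructed sample theory. Positive clause (a, b, w) encodes N(not a or b) >= w.
POSITIVE = [
    ("d1", "e1", 1.0),   # disorder d1 certainly causes event e1
    ("e1", "m1", 0.8),   # e1 fairly certainly causes manifestation m1
    ("d1", "m1", 0.4),   # a weaker direct link d1 -> m1 (alternative chain)
    ("e1", "e2", 0.7),   # event e1 causes event e2
    ("e2", "m2", 0.9),   # e2 causes manifestation m2
]
# Negative clause (a, b, w) encodes N(not a or not b) >= w.
NEGATIVE = [
    ("d1", "m3", 0.6),   # d1 alone (fairly surely) cannot produce m3
    ("e2", "m4", 0.5),   # the effect e2 cannot produce m4
]


def necessity_bounds(positive, source, gamma):
    """Lower bounds N(x) >= ... for everything reachable from `source`,
    given N(source) >= gamma, by maximin propagation of (3.141)."""
    successors = defaultdict(list)
    for a, b, w in positive:
        successors[a].append((b, w))
    best = {source: gamma}
    frontier = [source]
    while frontier:
        a = frontier.pop()
        for b, w in successors[a]:
            bound = min(best[a], w)          # modus ponens (3.141)
            if bound > best.get(b, 0.0):     # keep the strongest derivation
                best[b] = bound
                frontier.append(b)
    return best


def direct_relation(positive, negative, disorder):
    """Return the alpha and gamma maps of (3.142) for `disorder` with N(d) = 1:
    alpha[m] = mu_{M(d)+}(m), gamma[m] = mu_{M(d)-}(m).
    Manifestation names are assumed to start with 'm' (constructed convention)."""
    bounds = necessity_bounds(positive, disorder, 1.0)
    alpha = {x: b for x, b in bounds.items() if x.startswith("m")}
    gamma = {}
    for a, b, w in negative:
        if a in bounds:
            # (not a or not b) with N(a) >= bounds[a] gives N(not b) >= min(bounds[a], w)
            gamma[b] = max(gamma.get(b, 0.0), min(bounds[a], w))
    return alpha, gamma


if __name__ == "__main__":
    alpha, gamma = direct_relation(POSITIVE, NEGATIVE, "d1")
    print("mu_M(d1)+:", alpha)   # certain consequences of d1 alone
    print("mu_M(d1)-:", gamma)   # impossible consequences of d1 alone
    print("N(m1) when N(d1) >= 0.5:", necessity_bounds(POSITIVE, "d1", 0.5)["m1"])
```

For d1 the chain d1 -> e1 -> m1 gives m1 a bound of 0.8, which beats the weaker direct clause at 0.4, and d1 -> e1 -> e2 -> m2 gives m2 the bound 0.7; the negative clauses give m3 a bound of 0.6 directly from d1 and m4 a bound of 0.5 through the derived N(e2) >= 0.7. Lowering the certainty of the disorder to N(d1) >= 0.5 caps every derived bound at 0.5, which is the "all the more certain" reading of (3.141) given in the text.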
The discriminability of a set of disorders D can be defined by

$$\mathrm{Discrimin}(D) = \min_{d_i, d_j \in D,\ i \neq j} \max(F) \qquad (3.143)$$

where

$$F = \{\, \mathrm{cons}(M(d_i)^+, M(d_j)^-),\ \mathrm{cons}(M(d_i)^-, M(d_j)^+) \,\}$$

and $\mathrm{cons}(M(d_i)^+, M(d_j)^-)$ is the consistency of disorders $d_i$ and $d_j$ in the non-fuzzy set of certain manifestations $M(d_i)^+$, as well as in the non-fuzzy set of impossible manifestations $M(d_j)^-$; and $\mathrm{cons}(M(d_i)^-, M(d_j)^+)$ is the consistency of disorders $d_i$ and $d_j$ in the non-fuzzy set of impossible manifestations $M(d_i)^-$, as well as in the non-fuzzy set of certain manifestations $M(d_j)^+$.

For example, referring to the three types of failure modes:

The discriminability of the failure mode total loss of function (TLF) represented by the disorder $d_1$ and failure mode partial loss of function (PLF) represented by disorder $d_2$ is: $\mathrm{Discrimin}(\{d_1, d_2\}) = 0$.

The discriminability of the failure mode total loss of function (TLF) represented by disorder $d_1$ and failure mode potential failure condition (PFC) represented by disorder $d_3$ is: $\mathrm{Discrimin}(\{d_1, d_3\}) = 0.5$.

The discriminability of the failure mode partial loss of function (PLF) represented by disorder $d_2$ and failure mode potential failure condition (PFC) represented by disorder $d_3$ is: $\mathrm{Discrimin}(\{d_2, d_3\}) = 0.5$.

a) Example of Uncertainty in the Extended FMECA

Tables 3.15 to 3.19 are extracts from an FMECA worksheet of a RAM analysis field study conducted on an environmental plant for the recovery of sulphur dioxide emissions from a non-ferrous metals smelter to produce sulphuric acid. The FMECA covers the pump assembly, pump motor, MCC and control valve components, as well as the pressure instrument loops of the reverse jet scrubber pump no. 1. Three failure modes are normally defined in the FMECA as:

• TLF ⇒ ‘total loss of function’,
• PLF ⇒ ‘partial loss of function’,
• PFC ⇒ ‘potential failure condition’.
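The discriminability measure (3.143) for the three failure modes TLF, PLF and PFC, as an added example that is not the handbook's code. The handbook quotes the pairwise values 0, 0.5 and 0.5 but not the membership grades behind them, so the fuzzy sets M(d)+ and M(d)- below are constructed to reproduce those values over three constructed manifestations (no circulation, reduced flow, excessive vibration). The consistency index cons(A, B) is taken to be the usual possibilistic one, the supremum over m of min(mu_A(m), mu_B(m)); that definition is an assumption of this example.

```python
"""Discriminability Discrimin(D) of (3.143) over fuzzy sets M(d)+ and M(d)-.

Added example, not the handbook's code. Membership grades are constructed so
the pairwise results match the text (0, 0.5, 0.5). Assumption: cons(A, B) =
sup_m min(mu_A(m), mu_B(m)).
"""
from itertools import combinations

# Constructed manifestations: m1 = no circulation, m2 = reduced flow,
# m3 = excessive vibration.
M_PLUS = {           # mu_{M(d)+}(m): (more or less) certain consequences of d alone
    "TLF": {"m1": 1.0},
    "PLF": {"m2": 1.0},
    "PFC": {"m3": 1.0},
}
M_MINUS = {          # mu_{M(d)-}(m): (more or less) impossible consequences of d alone
    "TLF": {"m3": 0.5},
    "PLF": {"m3": 0.5},
    "PFC": {},
}


def cons(a, b):
    """Consistency of two fuzzy sets (assumed definition): sup_m min(mu_a(m), mu_b(m)).
    A manifestation absent from a dict has membership 0."""
    support = set(a) | set(b)
    return max((min(a.get(m, 0.0), b.get(m, 0.0)) for m in support), default=0.0)


def pair_discrimin(di, dj, m_plus=M_PLUS, m_minus=M_MINUS):
    """max(F) of (3.143): how far a sure consequence of one disorder is an
    impossible consequence of the other, in either direction."""
    return max(cons(m_plus[di], m_minus[dj]), cons(m_minus[di], m_plus[dj]))


def discrimin(disorders, m_plus=M_PLUS, m_minus=M_MINUS):
    """Discrimin(D): the minimum over all pairs d_i != d_j of max(F) (3.143)."""
    return min(pair_discrimin(di, dj, m_plus, m_minus)
               for di, dj in combinations(disorders, 2))


if __name__ == "__main__":
    for di, dj in combinations(["TLF", "PLF", "PFC"], 2):
        print(f"Discrimin({{{di}, {dj}}}) = {pair_discrimin(di, dj)}")
    print("Discrimin({TLF, PLF, PFC}) =", discrimin(["TLF", "PLF", "PFC"]))
```

A pairwise value of 0 for TLF against PLF means no sure consequence of either is an impossible consequence of the other, so nothing observable tells them apart; by the text's criterion this is the case in which the inclusion of one of the failure modes in the analysis is questioned. The set-level Discrimin is the worst pair, so one indistinguishable pair drives it to 0 regardless of the other pairs.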
Five consequences are normally defined in the FMECA as:

• Safety (by risk description)
• Environmental
• Production
• Process
• Maintenance.

The ‘critical analysis’ column of the FMECA worksheet includes items numbered 1 to 5 that indicate the following:

(1) Probability of occurrence (given as a percentage value)
(2) Estimated failure rate (the number of failures per year)
(3) Severity (expressed as a number from 0 to 10)
(4) Risk (product of 1 and 3)
(5) Criticality value (product of 2 and 4).

The semi-qualitative criticality values are ranked accordingly:

(1) High criticality ⇒ +6 onwards
(2) Medium criticality ⇒ +3 to 6 (i.e. 3.1 to 6.0)
(3) Low criticality ⇒ +0 to 3 (i.e. 0.1 to 3.0)

Table 3.15 Extract from FMECA worksheet of quantitative RAM analysis field study: RJS pump no. 1 assembly

System | Assembly | Failure description | Failure mode | Failure effect | Failure consequence | Cause of failure | Critical analysis
Reverse jet scrubber | RJS pump no. 1 | Shaft leakage | TLF | Unsafe operating conditions for personnel | Injury risk | Seal elements broken or pump shaft damaged due to loss of alignment or seals not correctly fitted | (1) 50% (2) 2.50 (3) 11 (4) 5.5 (5) 13.75 High criticality
Reverse jet scrubber | RJS pump no. 1 | Shaft leakage | TLF | Unsafe operating conditions for personnel | Injury risk | Seal elements broken or pump shaft damaged due to the seal bellow cracking because the rubber hardens in service | (1) 50% (2) 2.50 (3) 11 (4) 5.5 (5) 13.75 High criticality
Reverse jet scrubber | RJS pump no. 1 | Restricted or no circulation | TLF | Prevents quenching of the gas and protection of the RJS structure due to reduced flow. Standby pump should start up and emergency water system may start up and supply water to weir bowl. Gas supply may be cut to plant. RJS damage unlikely | Maintenance | Loss of drive due to coupling connection failure caused by loss of alignment or loose studs | (1) 100% (2) 3.00 (3) 2 (4) 2.00 (5) 6.00 Medium/high criticality
Reverse jet scrubber | RJS pump no. 1 | Restricted or no circulation | TLF | Prevents quenching of the gas and protection of the RJS structure due to reduced flow. Standby pump should start up and emergency water system may start up and supply water to weir bowl. Gas supply may be cut to plant. RJS damage unlikely | Maintenance | Air intake at shaft seal area due to worn or damaged seal faces caused by solids ingress or loss of seal flushing | (1) 100% (2) 2.50 (3) 2 (4) 2.00 (5) 5.00 Medium criticality
Reverse jet scrubber | RJS pump no. 1 | Excessive vibration | PFC | No immediate effect other than potential equipment damage | Maintenance | Bearing deterioration due to worn coupling out of alignment | (1) 100% (2) 2.00 (3) 1 (4) 1.0 (5) 2.00 Low criticality
Reverse jet scrubber | RJS pump no. 1 | Excessive vibration | PFC | No immediate effect other than potential equipment damage | Maintenance | Bearing deterioration due to low barrel oil level or leaking seals | (1) 100% (2) 1.00 (3) 1 (4) 1.0 (5) 1.00 Low criticality
Reverse jet scrubber | RJS pump no. 1 | Excessive vibration | PFC | No immediate effect other than potential equipment damage | Maintenance | Cavitation due to excessive flow or restricted suction condition | (1) 100% (2) 1.50 (3) 1 (4) 1.0 (5) 1.50 Low criticality
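The critical analysis items (1) to (5) and the criticality ranking, applied to the rows of Table 3.15, as an added example that is not code from the handbook or the field study. The numbers are transcribed from the table; the only interpretation added is that a value of exactly 6.00, which the worksheet labels ‘Medium/high’, is reported the same way here rather than forced into one band.

```python
"""Critical analysis items (1)-(5) and the criticality ranking of Table 3.15.

Added example, not the handbook's code. Row values are transcribed from the
table; bands follow the text (high: 6 onwards, medium: 3.1 to 6.0,
low: 0.1 to 3.0). The boundary value 6.00 is reported as 'Medium/high'
because that is how the worksheet labels it (an interpretation, labelled).
"""
from dataclasses import dataclass


@dataclass
class WorksheetRow:
    failure: str
    mode: str            # TLF, PLF or PFC
    probability: float   # item (1), probability of occurrence as a fraction
    failure_rate: float  # item (2), failures per year
    severity: float      # item (3)

    @property
    def risk(self):           # item (4) = (1) x (3)
        return self.probability * self.severity

    @property
    def criticality(self):    # item (5) = (2) x (4)
        return self.failure_rate * self.risk


def rank(criticality):
    """Band a criticality value the way the worksheet does."""
    if criticality > 6.0:
        return "High"
    if criticality == 6.0:
        return "Medium/high"   # boundary value, as labelled in Table 3.15
    if criticality > 3.0:
        return "Medium"
    if criticality > 0.0:
        return "Low"
    return "None"


# Rows of Table 3.15 (RJS pump no. 1 assembly); descriptions shortened.
TABLE_3_15 = [
    WorksheetRow("Shaft leakage (seal broken / misalignment)", "TLF", 0.50, 2.50, 11),
    WorksheetRow("Shaft leakage (seal bellow cracking)", "TLF", 0.50, 2.50, 11),
    WorksheetRow("Restricted or no circulation (coupling failure)", "TLF", 1.00, 3.00, 2),
    WorksheetRow("Restricted or no circulation (air intake at seal)", "TLF", 1.00, 2.50, 2),
    WorksheetRow("Excessive vibration (worn coupling)", "PFC", 1.00, 2.00, 1),
    WorksheetRow("Excessive vibration (low oil / leaking seals)", "PFC", 1.00, 1.00, 1),
    WorksheetRow("Excessive vibration (cavitation)", "PFC", 1.00, 1.50, 1),
]


def summarise(rows):
    """Return [(failure, risk, criticality, rank)] for each row, rounded as in the worksheet."""
    return [(r.failure, round(r.risk, 2), round(r.criticality, 2), rank(r.criticality))
            for r in rows]


def highest_criticality_by_mode(rows):
    """Worst criticality per failure mode, the figure carried forward per mode."""
    worst = {}
    for r in rows:
        worst[r.mode] = max(worst.get(r.mode, 0.0), r.criticality)
    return worst


if __name__ == "__main__":
    for failure, risk, crit, band in summarise(TABLE_3_15):
        print(f"{failure:52s} risk={risk:<5} criticality={crit:<6} {band}")
    print(highest_criticality_by_mode(TABLE_3_15))
```

Running the rows reproduces every (4), (5) and band printed in the table, including the 6.00 ‘Medium/high’ row. Note that the two shaft-leakage rows carry a severity of 11 although the text describes the severity scale as 0 to 10; the worksheet figures are used as printed, which is why those rows reach a criticality of 13.75.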

Posted: 02/07/2014, 10:20
