What is the most appropriate name for a risk event that has already occurred?

where S is the severity of the effect of failure, P is the probability of failure, and D is the ease of detection.

RPN may not play an important role in the choice of an action against failure modes, but it helps indicate the threshold values for determining the areas of greatest concentration. In other words, a failure mode with a high RPN should be given the highest priority in the analysis and corrective action. The relationship between the above-mentioned parameters of FMEA may be represented as in Fig. 26.3.


Fig. 26.3. The five basic steps of FMEA.


URL: https://www.sciencedirect.com/science/article/pii/B978012811035500026X

Maintainability Tools

B.S. DHILLON, in Engineering Maintainability, 1999

Criticality Assessment

This assessment ranks potential failures identified during the system analysis based on the severity of their effects and the likelihood of their occurrence. The two methods most often used for making a criticality assessment are risk priority number (RPN) method and military standard method.

Risk Priority Number Method

This technique, commonly used in the automotive industry, bases the risk priority number for an item failure mode on three factors: probability of occurrence, the severity of the failure's effects, and probability of failure detection. The probability of occurrence is the likelihood of failure, or relative number of failures, expected during the item's useful life. Table 4.1 describes the rankings of probability of occurrence [7]. The severity of effect of an item's failure is the consequences it will have for the next highest level of the system, the system as a whole, and/or the user. Table 4.2 describes the rankings of severity of effect [7]. The probability of failure detection is an assessment of the proposed design verification program's ability to detect a potential problem before the item involved goes into production. Table 4.3 describes the rankings of probability of detection [7].

Table 4.1. Rankings of Probability of Occurrence and Associated Descriptions

| Description of Ranking | Probability of Occurrence | Rank |
|---|---|---|
| Very high (the failure is very likely to occur) | 1 in 2 | 10 |
| Very high | 1 in 8 | 9 |
| High (the failure will occur often) | 1 in 20 | 8 |
| High | 1 in 40 | 7 |
| Moderate (the failure will occur occasionally) | 1 in 80 | 6 |
| Moderate | 1 in 400 | 5 |
| Moderate | 1 in 1,000 | 4 |
| Low (the failure will rarely occur) | 1 in 4,000 | 3 |
| Low | 1 in 20,000 | 2 |
| Remote (the failure is unlikely to occur) | <1 in 10^6 | 1 |

Table 4.2. Rankings of Severity of Failure Effect and Associated Descriptions

| Level of Severity | Rank |
|---|---|
| Very high (the failure will affect safe product operation) | 9, 10 |
| High (there will be a high degree of customer dissatisfaction because of the failure) | 7, 8 |
| Moderate (the failure will generate some customer dissatisfaction) | 4, 5, 6 |
| Low (the failure will only cause minor customer annoyance) | 2, 3 |
| Minor (customer may not even become aware of the failure) | 1 |

Table 4.3. Rankings of Likelihood of Detection and Associated Descriptions

| Likelihood of Detection | Rank |
|---|---|
| Non-detection inevitable (potential design problems cannot be detected by the program) | 10 |
| Very low (program probably will not be able to detect a potential design problem) | 9 |
| Low (program is unlikely to detect a potential design problem) | 7, 8 |
| Moderate (program may detect a potential design problem) | 5, 6 |
| High (there is a good chance that the program will detect a potential design problem) | 3, 4 |
| Very high (it is almost certain that the program will detect a potential design problem) | 1, 2 |

The risk priority number is expressed by

$$\mathrm{RPN} = (OR)(SR)(DR) \tag{4.1}$$

where OR is the ranking of probability of occurrence.

SR is the ranking of severity of effects.

DR is the ranking of probability of detection.

Failure modes with a high RPN are more critical and given a higher priority than ones with a lower RPN. When the scales used range from 1 to 10, the value of an RPN will be between 1 and 1,000. The scales and categories used may, of course, vary from one organization to another.

Military Standard Method

The Department of Defense, in Procedures for Performing a Failure Mode, Effects, and Criticality Analysis [5] set forward a technique for ranking potential failure modes that is often used in the defense, aerospace, and nuclear power generation industries. The military standard method consists of distinct qualitative and quantitative approaches. The qualitative approach, used when failure rate data are not available, groups occurrence probabilities for individual item failures together into levels that establish qualitative failure probabilities.

Table 4.4 presents the set of levels and associated guidelines used in the military standard method. After the failure-mode probability level is determined, the probability level and severity classification of the failure mode are plotted on a criticality matrix, as shown in Figure 4-1. Table 4.5 presents the failure mode severity classifications.

Table 4.4. Qualitative Ranking of Failure Probabilities

| Level of Probability of Occurrence | Short Description of the Rank Level | Detailed Description of the Rank Level |
|---|---|---|
| V | Extremely unlikely | The probability of a failure during the item's functional period is virtually negligible. |
| IV | Remote | The probability of a failure during the item's functional period is remote. |
| III | Low to moderate | The probability of a failure during the item's functional period is low to moderate. |
| II | Moderate | The probability of a failure during the item's functional period is moderate. |
| I | High | The probability of a failure during the item's functional period is high. |


Figure 4-1. Criticality matrix for comparing failure modes with respect to severity.

Table 4.5. Classification of Failure-mode Severity

| Severity Classification | Short Description of the Classification | Detailed Description of the Classification |
|---|---|---|
| D | Minor | The failure will lead to unscheduled maintenance or repair but will not be serious enough to result in injury, property damage, or system damage. |
| C | Marginal | The failure will lead to delay or loss of availability or mission degradation and may also cause minor injury, minor property damage, or minor system damage. |
| B | Critical | The failure will lead to mission loss and may also cause severe injury, major property damage, or major system damage. |
| A | Catastrophic | The failure may result in death or system loss. |

The criticality matrix presented in Figure 4-1 provides a mechanism for comparing the probability and severity of failure modes. The criticality matrix represents the combined factors of the severity of the potential failure's effects and the probability that the failure will occur. This matrix can help set priorities for addressing potential failures and developing appropriate corrective measures. The area of the matrix labeled “approximate desirable design region” indicates a low probability of failures with class A and B severity effects and anywhere from a low to high probability of class C and D failures that can be tolerated. Nonetheless, every possible step should be taken to eliminate class A and B failure modes, or at least to reduce their probability of occurrence, by making appropriate design changes.

The quantitative approach, used when failure rate data are available, defines the failure-mode criticality number, Ncf, by

$$N_{cf} = \lambda_p T \theta n \tag{4.2}$$

where λp is the constant failure rate of the item.

T is the item operating time.

θ is the conditional probability that the effect of the failure will match the identified severity classification. Table 4.6 presents quantified values for θ.

Table 4.6. Failure Effect Probability Values

| Failure Effect Description | Value for θ (probability) |
|---|---|
| No effect | 0 |
| Possible loss | Between 0 and 0.10 |
| Probable loss | Between 0.10 and 1.00 |
| Actual loss | 1 |

n is the failure mode apportionment ratio, or the probability that the item will fail in the specific failure mode under consideration. In other words, it is the fraction of the item failure rate that can be apportioned to the failure mode of interest. Furthermore, when all failure modes of an item are specified, the sum or addition of the apportionments is equal to unity. Table 4.7 presents examples of failure mode apportionment ratios.

Table 4.7. Examples of Part Failure Mode Apportionments

| Item Description | Item Failure Mode | Apportionment Value (or probability value for n) |
|---|---|---|
| Hydraulic valve | a) Stuck closed | 0.12 |
| | b) Stuck open | 0.11 |
| | c) Leaking | 0.77 |
| Variable resistor | a) Open | 0.53 |
| | b) Short | 0.07 |
| | c) Erratic output | 0.40 |
| Relief valve | a) Prematurely open | 0.77 |
| | b) Leaking | 0.23 |
| Fixed resistor | a) Short | 0.05 |
| | b) Open | 0.84 |
| | c) Parameter change | 0.11 |

The item criticality number, Ci, is calculated for each severity class. It is the total of the criticality numbers associated with each of the item's failure modes that fall into the severity class under consideration:

$$C_i = \sum_{i=1}^{k} (N_{cf})_i = \sum_{i=1}^{k} (\lambda_p T \theta n)_i \tag{4.3}$$

where k is the number of item failure modes that fall into the severity classification under consideration.

When an item failure mode results in multiple severity-class effects, each with its own occurrence probability, only the most critical should be used in the computation of Ci [8]. Otherwise, the result may be mistakenly low values of Ci for the less critical severity classes. Therefore, θ values should be calculated for all severity classes associated with a failure mode, including those associated with class B, C, and D failures.
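The quantitative approach of Eqs. (4.2) and (4.3), worked through in Python as an added example that is not taken from the book. The apportionment ratios are the hydraulic valve values from Table 4.7; the failure rate, operating time, severity classes and θ values are constructed for illustration.

```python
from dataclasses import dataclass

SEVERITY_CLASSES = ("A", "B", "C", "D")  # Table 4.5: catastrophic down to minor


@dataclass(frozen=True)
class FailureMode:
    name: str
    severity: str  # severity classification (Table 4.5)
    theta: float   # conditional probability of the effect (Table 4.6)
    n: float       # failure mode apportionment ratio (Table 4.7)


def mode_criticality(lambda_p, t, mode):
    """Eq. (4.2): Ncf = lambda_p * T * theta * n for one failure mode."""
    if lambda_p < 0 or t < 0:
        raise ValueError("failure rate and operating time must be non-negative")
    if mode.severity not in SEVERITY_CLASSES:
        raise ValueError(f"unknown severity class: {mode.severity!r}")
    if not 0.0 <= mode.theta <= 1.0 or not 0.0 <= mode.n <= 1.0:
        raise ValueError(f"theta and n must be probabilities: {mode.name}")
    return lambda_p * t * mode.theta * mode.n


def item_criticality(lambda_p, t, modes):
    """Eq. (4.3): Ci per severity class, summing Ncf over the modes in that class.

    All failure modes of the item must be listed, so the apportionment
    ratios are required to sum to unity.
    """
    total_n = sum(m.n for m in modes)
    if abs(total_n - 1.0) > 1e-9:
        raise ValueError(f"apportionments sum to {total_n}, expected 1")
    ci = {cls: 0.0 for cls in SEVERITY_CLASSES}
    for m in modes:
        ci[m.severity] += mode_criticality(lambda_p, t, m)
    return ci


# Apportionments from Table 4.7; severity classes and theta are constructed.
HYDRAULIC_VALVE = [
    FailureMode("stuck closed", severity="B", theta=1.0, n=0.12),   # actual loss
    FailureMode("stuck open", severity="B", theta=0.5, n=0.11),     # probable loss
    FailureMode("leaking", severity="C", theta=0.05, n=0.77),       # possible loss
]
LAMBDA_P = 2e-5   # constructed: failures per operating hour
T_HOURS = 1000.0  # constructed: operating time in hours

if __name__ == "__main__":
    for cls, value in item_criticality(LAMBDA_P, T_HOURS, HYDRAULIC_VALVE).items():
        print(f"C_i for class {cls}: {value:.5f}")
```

Leaking dominates the failure rate (n = 0.77), yet class B ends up with the larger item criticality number because its θ values are much higher.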


URL: https://www.sciencedirect.com/science/article/pii/B9780884152576500041

Modified failure modes and effects analysis model for critical and complex repairable systems

Garima Sharma, Rajiv Nandan Rai, in Safety and Reliability Modeling and its Applications, 2021

9.5 Case study

The environmental control and life support system (ECLSS) of an orbital space station (OSS) is selected as a case study to illustrate the presented methodology. Maintenance of a complex system like the OSS ECLSS is a challenging task for modern-day maintenance engineers, as high skills and expertise are required to accomplish these tasks proficiently. The ECLSS of an OSS is a critical system, which includes several complex subsystems, such as atmosphere management, water management, food production, waste management and crew safety. Moreover, the systems are interrelated with each other for proper functioning of the entire subsystem. On failure, ECLSS subsystems are generally exposed to imperfect repairs, which implies that the repair actions bring the subsystems to a state that is in between the new state and the state prior to failure.

The first step is to identify important decision criteria relevant to the current maintenance of the OSS ECLSS; these could be 1) skill, 2) environment, 3) procedure, and 4) resources. The skills are required to undertake a number of processes including inspection, servicing, troubleshooting, removal, installation, rigging, testing, and repairing during maintenance of the OSS ECLSS. The environmental conditions inside the OSS are adverse due to microgravity. Since the crew is unable to bear weight on their feet, in the long term there are many health problems associated with it. Bones and muscles weaken, and other changes also take place within the body. This adversely affects the working conditions in executing the maintenance task of the OSS ECLSS. Adherence to the procedure helps ensure that the crew is properly trained and each workplace has the necessary equipment and other resources to perform the job. Approved written procedures are required to be followed for performance of all maintenance and repair activities by the crew. Maintenance resources are needed to facilitate the successful completion of the maintenance task. The resource is the crew's most important requirement to get the given work done. Generally, the requirement of resources is dictated by the features of the environmental factors and the actions of the crew for OSS ECLSS maintenance.

Now, considering these four criteria, fuzzy-AHP weights are estimated with the help of fuzzy extent analysis as explained in Section 9.3.1 and the obtained weights are as appended below:

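$$\begin{bmatrix} W_{FM(\text{Skill})} \\ W_{FM(\text{Environment})} \\ W_{FM(\text{Procedure})} \\ W_{FM(\text{Resources})} \end{bmatrix} = \begin{bmatrix} 0.17 \\ 0.38 \\ 0.06 \\ 0.38 \end{bmatrix} \tag{9.28}$$

The $\mathrm{RPN}_{\text{System}}$ [Eq. (9.25)] in the case of ECLSS can be written as:

$$\mathrm{RPN}_{\text{ECLSS}(M)} = \mathrm{RPN}_{\text{Skill}} + \mathrm{RPN}_{\text{Environment}} + \mathrm{RPN}_{\text{Procedure}} + \mathrm{RPN}_{\text{Resources}}$$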

Where:

$\mathrm{RPN}_{\text{ECLSS}(M)}$ : risk priority number of ECLSS due to maintenance

$\mathrm{RPN}_{\text{Skill}}$ : risk priority number of ECLSS due to skill

$\mathrm{RPN}_{\text{Environment}}$ : risk priority number of ECLSS due to environment

$\mathrm{RPN}_{\text{Procedure}}$ : risk priority number of ECLSS due to procedure

$\mathrm{RPN}_{\text{Resources}}$ : risk priority number of ECLSS due to resources

Thus from Eq. (9.26),

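$$\begin{aligned}
\mathrm{RPN}_{\text{Skill}} &= q_{FM(\text{Skill})} \times W_{FM(\text{Skill})} \times S_{FM(\text{Skill})} \times D_{FM(\text{Skill})} \\
\mathrm{RPN}_{\text{Environment}} &= q_{FM(\text{Environment})} \times W_{FM(\text{Environment})} \times S_{FM(\text{Environment})} \times D_{FM(\text{Environment})} \\
\mathrm{RPN}_{\text{Procedure}} &= q_{FM(\text{Procedure})} \times W_{FM(\text{Procedure})} \times S_{FM(\text{Procedure})} \times D_{FM(\text{Procedure})} \\
\mathrm{RPN}_{\text{Resources}} &= q_{FM(\text{Resources})} \times W_{FM(\text{Resources})} \times S_{FM(\text{Resources})} \times D_{FM(\text{Resources})}
\end{aligned}$$

Where

$q_{FM(\text{Skill})}$, $q_{FM(\text{Environment})}$, $q_{FM(\text{Procedure})}$ and $q_{FM(\text{Resources})}$ : repair effectiveness indices due to skill, environment, procedure, and resources.

$W_{FM(\text{Skill})}$, $W_{FM(\text{Environment})}$, $W_{FM(\text{Procedure})}$ and $W_{FM(\text{Resources})}$ : importance weights of all the four criteria estimated through fuzzy-AHP.

$S_{FM(\text{Skill})}$, $S_{FM(\text{Environment})}$, $S_{FM(\text{Procedure})}$ and $S_{FM(\text{Resources})}$ : severity level due to skill, environment, procedure, and resources.

$D_{FM(\text{Skill})}$, $D_{FM(\text{Environment})}$, $D_{FM(\text{Procedure})}$ and $D_{FM(\text{Resources})}$ : detection level of failures due to skill, environment, procedure, and resources.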

Thus the final algorithm for the RPN of ECLSS due to maintenance is:

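$$\begin{aligned}
\mathrm{RPN}_{\text{ECLSS}(M)} = \big\{ &[q_{FM(\text{Skill})} \times W_{FM(\text{Skill})} \times S_{FM(\text{Skill})} \times D_{FM(\text{Skill})}] \\
+ &[q_{FM(\text{Environment})} \times W_{FM(\text{Environment})} \times S_{FM(\text{Environment})} \times D_{FM(\text{Environment})}] \\
+ &[q_{FM(\text{Procedure})} \times W_{FM(\text{Procedure})} \times S_{FM(\text{Procedure})} \times D_{FM(\text{Procedure})}] \\
+ &[q_{FM(\text{Resources})} \times W_{FM(\text{Resources})} \times S_{FM(\text{Resources})} \times D_{FM(\text{Resources})}] \big\}
\end{aligned}$$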

The values of the weights for the four criteria, as shown in Eq. (9.28), are also scaled on a numeric scale of 1–10, along similar lines to the scaling of the probability of occurrence (O) (Ebeling, 2004; Rai and Bolia, 2015). The scale decided for the weights for the RPN estimation is as follows:

For 0 ≤ W ≤ 0.2, the values assigned are from 1 to 6, and

For 0.2 ≤ W ≤ 0.3, the values assigned are from 7 to 10.

Based on Eq. (9.28) and the scale explained above, the following values are assigned to the weights of all four criteria:

$$\begin{bmatrix} W_{FM(\text{Skill})} \\ W_{FM(\text{Environment})} \\ W_{FM(\text{Procedure})} \\ W_{FM(\text{Resources})} \end{bmatrix} = \begin{bmatrix} 6 \\ 10 \\ 2 \\ 10 \end{bmatrix}$$

The severity values designated to the four criteria respectively as explained in sub-section 9.4.1 are as follows: (T means transpose of matrix)

The detection values assigned to all the four criteria as explained in sub-section 9.4.2 are as follows:

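$$[D_{FM(\text{Skill})},\ D_{FM(\text{Environment})},\ D_{FM(\text{Procedure})},\ D_{FM(\text{Resources})}]^T = [5,\ 4,\ 6,\ 2]^T$$

The values of RPN as a function of the corresponding q obtained for all the criteria are as given below:

$$\begin{aligned}
\mathrm{RPN}_{\text{Skill}} &= 6 \times 5 \times 5 \times q_{FM(\text{Skill})} = 150\, q_{FM(\text{Skill})} \\
\mathrm{RPN}_{\text{Environment}} &= 10 \times 8 \times 4 \times q_{FM(\text{Environment})} = 320\, q_{FM(\text{Environment})} \\
\mathrm{RPN}_{\text{Procedure}} &= 2 \times 6 \times 6 \times q_{FM(\text{Procedure})} = 72\, q_{FM(\text{Procedure})} \\
\mathrm{RPN}_{\text{Resources}} &= 10 \times 10 \times 2 \times q_{FM(\text{Resources})} = 200\, q_{FM(\text{Resources})}
\end{aligned}$$

As explained in Section 9.2, the value of q varies from 0 to 1. Hence the sensitivity graph of RPNi is plotted for different values of q and is shown in Fig. 9.2.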


Figure 9.2. Graphs between REI (q) and RPN.

The final value of $\mathrm{RPN}_{\text{ECLSS}(M)}$ can be obtained using Eq. (9.25). It can be seen from Fig. 9.2 that as the value of q increases from 0 to 1, the RPN also increases. Thus, if the RPN has to be kept low, the value of REI (q) should be as low as possible.

9.5.1 Remedial measures

It is observed from Fig. 9.2 that to achieve a low value of RPN, the value of REI (q) for the four selected criteria (Sharma and Rai, 2019), i.e., skill, environment, procedure and resources, needs to be kept as low as possible for OSS ECLSS maintenance. The skill of the crew needs to be enhanced. The attributes of self-management, communication and interpersonal skills, problem-solving, the ability to consistently work safely and rigorously, and adherence to OSS regulations are required to be inculcated in the crew members. To possess the required skill to carry out a specified maintenance task, the crew should be trained accordingly. Training is an extremely useful tool that can help the crew to be in a position where the maintenance and repair task of the OSS ECLSS can be done correctly, effectively, and meticulously.

The crew members inside OSS should be fully aware of the right standard operating procedures and follow servicing packages properly while carrying out maintenance tasks for the ECLSS. Following the right procedure is the standard approach to identify the knowledge, skills, and attitudes necessary to perform each task in a given job. Adherence to the procedure helps ensure that each crew member is properly trained and each workplace has the necessary equipment and other resources to perform the job. Unworkable or ambiguous procedures are one of the most common reasons for procedural violations.

The resources available should be adequate to cater for both preventive and corrective maintenance tasks. The ability of a crew member inside the OSS to complete an ECLSS maintenance activity may be greatly affected by the non-availability of resources. The performance of an activity may be further affected if the available resources are of low quality or inadequate for an activity. Therefore, forward planning to locate, acquire, and store resources is essential to complete a job more effectively, correctly and efficiently. It is also essential to properly maintain the available resources. Moreover, necessary arrangements are required to be made to acquire resources, particularly the spare parts, in time to achieve a high availability of ECLSS equipment (both the storage and recycling).

In view of the foregoing it is reiterated that, if the RPN is to be kept low so that the risk associated with the maintenance of OSS ECLSS is kept at bare minimum, then the REI (q) associated with skill, environment, procedure, and resources are to be kept as close to zero as possible.


URL: https://www.sciencedirect.com/science/article/pii/B9780128233238000167

Guided Word Hazard Analysis

Swapan Basu, in Plant Hazard Analysis and Safety Instrumentation Systems, 2017

2.2.3 Risk Priority Number (RPN)

In addition to the other risk assessment tools discussed in Chapter I, an organization may choose to develop risk ranking tables based on RPN to assist the decision-making process. The RPN approach is an alternative to the risk matrix, also found in FMEA/FMECA. In FMEA/FMECA, the analyzing team assigns each failure mode numeric values that quantify likelihood of occurrence, likelihood of detection, and severity of impact. So, each failure mode has a numeric score to quantify (1) the likelihood of failure occurrence, (2) the likelihood that the failure goes undetected, and (3) the severity of harm or damage the failure mode may cause. All ranks are given on a scale from 1 to 10 (or 1–5). The specific rating descriptions and criteria for the ranking of occurrence (O), severity (S), and detection (D) are defined by the organization, FMECA standard, and/or the analysis team to fit the products or processes that are being analyzed. Fig. IV/2.2.3-1 shows typical S, O, and D rankings on a scale of 10 for RPN calculation. Here, one thing worth noting is that in the case of occurrence likelihood, component failures in E/E/PE, etc. are generally expressed in terms of once in a number of years, whereas in other cases it is expressed in terms of the number of items failed per (say) 1000 items.


Figure IV/2.2.3-1. Ranking of severity, occurrence, and detection for RPN.

When using this risk assessment technique, it is important to remember that RPN ratings are relative to a particular analysis. Therefore RPN in one analysis is comparable to RPNs in the same analysis but it may not be comparable to RPNs in another analysis. So, it is not possible to share these numbers with other applications.

The RPN = S × O × D. A higher RPN is worse than a lower RPN, that is, higher RPN numbers signify more risk. Here, one needs to note that RPN (a simple product of three parameters) is not a perfect representation of risk because these number assignments are subjective and not continuous. Another interesting factor worth noting is that RPN (in its simplest product form, i.e., RPN = S × O × D) cannot take just any value; for example, the RPN value cannot be 13 because this is a prime number >10 (since the scale is 10, and 13 can have only factors 13 and 1). Another interesting fact is that with the same RPN value, the risks are not the same, for example, (S)(O)(D) = 2 × 6 × 10 = 120 and 8 × 3 × 5 = 120; in one case severity is at the lowest end, whereas in the other case it is at the higher end of the scale. Naturally, in the second case, severity is more significant than in the first, though both have the same RPN.

An organization may consider issues with high severity and/or high occurrence ratings to represent a higher risk than issues with high detection ratings. Therefore basing decisions solely on the RPN (considered in isolation) may result in inefficiency and/or increased risk. In view of this, for better assessments, instead of using a simple product form, many companies use other calculation methods suitable for the application, that is, in some cases it is quite possible to use a weighted sum so that specific weightings could be more transparent and the result is more accurate and may be free from the limitations discussed previously. A particular analysis team may choose to supplement or replace the basic RPN methodology with other related techniques, such as revised RPNs, the occurrence/severity matrix, ranking lists, risk ranking tables, and/or higher-level RPNs. All of these techniques rely heavily on engineering judgment and must be customized to fit the product or process that is being analyzed and the particular needs/priorities of the organization.

FMEA worksheets will typically identify whether corrective action is required based on a combination of severity, occurrence, detection, and/or RPN values. After RPN assessment, recommended actions are suggested. After implementation of the recommended action, the entire issue is reassessed to get an indication of the effectiveness of the corrective action. Naturally, with a revised set of severity, occurrence and detection ratings, a new RPN is calculated. From these two values it is possible to get the % reduction in RPN:

$$\%\ \text{reduction in RPN} = 100 \times \frac{\mathrm{RPN}_{\text{initial}} - \mathrm{RPN}_{\text{revised}}}{\mathrm{RPN}_{\text{initial}}}$$

Let initial S, O, and D values be 7, 8, and 6, so RPN = 336 and revised S, O, and D values be 7, 5, and 4, so RPN = 140.

Therefore %reduction in RPN = 100∗(336 − 140)/336 = 58.3%. From here it can be concluded that RPN is a method to assess the relative risk for a particular analysis and is a helpful tool. Also there can be several revised methods or techniques to calculate this and apply it for the analysis best suited. Another important term, explained in Fig. IV/2.2.3-2 is “error proofing.” Readers are advised to take a note of this as the same will be referred to in subsequent chapters.


Figure IV/2.2.3-2. Error proofing.
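The properties of the product-form RPN discussed in this section (unattainable values such as 13, equal RPNs with very different severity, and the % reduction after corrective action), as an added Python example that is not from the book. The `prioritize` ordering, which breaks RPN ties by severity and then occurrence, is one possible policy assumed here for illustration, and the mode names are constructed.

```python
from itertools import product


def rpn(s, o, d, scale=10):
    """Simple product form RPN = S x O x D with each rating in 1..scale."""
    for rating in (s, o, d):
        if not isinstance(rating, int) or not 1 <= rating <= scale:
            raise ValueError(f"rating {rating!r} is outside 1..{scale}")
    return s * o * d


def attainable_rpns(scale=10):
    """Every value the product form can actually take on the given scale."""
    ratings = range(1, scale + 1)
    return {s * o * d for s, o, d in product(ratings, repeat=3)}


def ratings_for(target, scale=10):
    """All (S, O, D) combinations that yield the target RPN."""
    ratings = range(1, scale + 1)
    return [t for t in product(ratings, repeat=3) if t[0] * t[1] * t[2] == target]


def severity_spread(target, scale=10):
    """Lowest and highest severity hidden behind a single RPN value."""
    severities = [s for s, _, _ in ratings_for(target, scale)]
    if not severities:
        raise ValueError(f"RPN {target} is not attainable on a 1..{scale} scale")
    return min(severities), max(severities)


def percent_reduction(initial, revised):
    """% reduction in RPN between two (S, O, D) assessments."""
    before, after = rpn(*initial), rpn(*revised)
    return 100 * (before - after) / before


def prioritize(modes):
    """Order (name, (S, O, D)) pairs by RPN, then severity, then occurrence.

    The tie-break is an assumed policy, not a rule stated in the text.
    """
    return sorted(modes, key=lambda m: (-rpn(*m[1]), -m[1][0], -m[1][1]))


if __name__ == "__main__":
    values = attainable_rpns()
    print(f"{len(values)} distinct RPN values out of 1..1000; 13 attainable: {13 in values}")
    print("severity range behind RPN 120:", severity_spread(120))
    print("reduction:", round(percent_reduction((7, 8, 6), (7, 5, 4)), 1), "%")
    # Constructed failure modes using the two rating sets from the text.
    for name, sod in prioritize([("mode_a", (2, 6, 10)), ("mode_b", (8, 3, 5))]):
        print(name, sod, rpn(*sod))
```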


URL: https://www.sciencedirect.com/science/article/pii/B9780128037638000042

Design quality management

Robin Kent, in Quality Management in Plastics Processing, 2016

Risk Priority Number (RPN)

For each potential cause, the individual factors are rated and multiplied together (RPN = S × P × C) to produce the RPN.

The design FMEA forms the basis of the draft control plan for the product (see Section 10.3).

Action can then be taken and recorded on the significant RPNs to:

Reduce the severity.

Reduce the probability.

Improve the design or temporarily improve the controls.

The RPN is then reassessed after completing the actions.

Tip - Action should be mandatory for any severity rating of 9 or above.

Tip - A design FMEA should be reviewed and revised with time (it is a ‘live document’) to reflect new equipment, processes and procedures. This will allow the control plan to be reviewed with the experience gained.

The FMEA is a ‘live’ document and needs to be maintained and kept up-to-date.

| Severity of event (S) | Ranking | Probability of event (P) | Ranking | Current controls (C) | Ranking |
|---|---|---|---|---|---|
| Hazardous: without warning | 10 | Very High: event is inevitable | 10 | Absolute uncertainty of detection | 10 |
| Hazardous with warning | 9 | | 9 | Very remote chance of detection | 9 |
| Very High | 8 | High: Repeated events | 8 | Remote | 8 |
| High | 7 | | 7 | Very low | 7 |
| Moderate | 6 | Moderate: Occasional events | 6 | Low | 6 |
| Low | 5 | | 5 | Moderate | 5 |
| Very low | 4 | | 4 | Moderately high | 4 |
| Minor | 3 | Low: Relatively few events | 3 | High | 3 |
| Very minor | 2 | | 2 | Very high | 2 |
| None | 1 | Remote: Event is unlikely | 1 | Almost certain to detect | 1 |


URL: https://www.sciencedirect.com/science/article/pii/B9780081020821500083

Experimental Friction Behavior of Elastomers on Glass

Andrea Stoll, Martin Strangfeld, in Automotive Buzz, Squeak and Rattle, 2012

Wear with intermediary means

If the specimen contaminated with dust is exposed (Figure 10.22) to long-term stress, the stick-slip probability (RPN) increases for all lacquers from about 40 cycles, except L2. After cleaning using a brush the original stick-slip-free condition can almost be regained. The friction force increases with increasing number of cycles and remains at a considerably higher level compared to the initial value after cleaning (Figure 10.23). The dust-induced, optically visible wear concerns all specimens, except L2, and thus accompanies the stick-slip-behavior. Intensification of the test to 1,000 cycles also results in wear of the specimen L2. There is no self-cleaning with long-term stress.


Figure 10.22. Preparation of the elastomer specimen with dust.


Figure 10.23. Development of the risk priority number (RPN) in relation to the number of cycles of specimens prepared with dust.


URL: https://www.sciencedirect.com/science/article/pii/B9780750684965000105

Advanced gas turbine asset and performance management

T. Álvarez Tejedor, ... P. Pilidis, in Modern Gas Turbine Systems, 2013

12.3.5 Level 5: prognostics

The primary function of the prognostics level is to project the current health and performance state of equipment into the future, taking into account estimates of future usage profiles. The prognostics level may report health and performance status at a future time, or may estimate the remaining useful life of an asset given its projected usage profile. Assessments of future health or remaining useful life may also have an associated diagnosis of the projected fault condition.

Assessments of future health or remaining life may also have an associated prognosis of the projected fault condition. A calculation of the future RPN may also be performed. This module includes the component/system’s future health grade and future failure events with associated likelihood probability. The output from this level includes:

Estimates of future health grade.

Predictions of faults and failures.

Estimates of remaining life.

Recommendations.

So prognostics allow us to predict the onset of hot gas path component failure to match its used, or to enhance maintenance support. Prognostic capabilities expand support options and allow for cost-effective planning and management. Component remaining-life-assessment and plant modelling are required for prognostic purposes:

Life consumption tracking module of hot gas path components:

Assessment model for coating degradation.

Assessment model for creep fatigue damage.

Assessment model for thermo-mechanical fatigue.

Hot gas path components lifing prognostics.

‘What if’ analysis for performance and health of hot gas path components.


URL: https://www.sciencedirect.com/science/article/pii/B9781845697280500124

Risk assessment management for a new medical device

Seeram Ramakrishna, ... Wee Eong Teo, in Medical Devices, 2015

5.3 Risk analysis techniques

There are several commonly used risk analysis techniques each with its strengths and weaknesses. Examples of risk analysis include preliminary hazard analysis (PHA), fault tree analysis (FTA), failure mode and effect analysis (FMEA), and hazard and operability analysis (HAZOP). Two techniques will be discussed here to illustrate risk analysis based on a top-down system approach and a bottom-up approach.

5.3.1 Failure mode and effect analysis

FMEA is a bottom-up risk analysis technique and it is one of the most popular methods because of its relative simplicity. As the name suggests, it involves identifying possible failure modes and the effect of failure, followed by analyzing the cause of the failure.

The FMEA form typically comprises columns with the following basic sections:

Potential hazard (failure mode)

Potential harm of failure (effects)

Severity

Cause of failure

Probability/occurrence

Risk level or risk priority number (RPN)

Risk corrective measures

A failure is an event in which the medical device and its components did not function as intended or may have resulted in a hazardous event. Some examples of failure modes are operation failure, materials failure, mechanical failure, electrical failure, and failure of indications. It is important to include and anticipate all possible failure modes such that corresponding effects and cause can be predicted for preventive measures to be taken.

Effects of a failure will help to determine the cost or severity of the failure. It is common to find a failure effect that is caused by one or more failure modes. Examples of failure effect are machine stalling, no power, delayed response, and output error. Knowing the effect will help to assign the severity of the effect. Generally, the lowest level is “negligible” meaning no harm or damage and “catastrophic” is the highest level meaning death or serious injuries. The number of intermediate levels is determined by the manufacturer or the organization although it is common to find a total of three to five levels.

Knowing the failure mode will also help to determine the potential cause of it. Causes of failures may be attributed to machines or humans. Cause of failure due to a machine may be inadequate strength, insufficient power, inappropriate insulation, and software code error. Cause of failure due to a human is usually associated with insufficient training or lack of instructions on the machine.

It is common at the start of a project that the failure probability is a prediction based on limited available information. Prediction may come from verification testing, databases of similar items, or estimates from experts. The failure probability may be adjusted later when more data is available from production or customer feedback. Probability of failure typically ranges from improbable to frequent with a total of four to five levels.

Risk level and RPN are generated from the combination of severity level and failure probability. Although the intention is the same, there is a slight difference in using risk level and RPN in the determination of risk acceptability. Risk level works by placing the assigned severity and probability level in a matrix as shown below (Table 5.4).

Table 5.4. Risk acceptability evaluation based on risk level through a severity and probability matrix

| Probability \ Severity | Negligible (1) | Minor (2) | Serious (3) | Catastrophic (4) |
|---|---|---|---|---|
| Frequent (4) | Undesirable | Undesirable | Unacceptable | Unacceptable |
| Occasional (3) | Acceptable | Undesirable | Unacceptable | Unacceptable |
| Remote (2) | Acceptable | Acceptable | Undesirable | Undesirable |
| Improbable (1) | Acceptable | Acceptable | Acceptable | Acceptable |

Acceptability of the risk for each combination of probability and severity level is based on the matrix, which is defined by the organization. Some organizations include an “Undesirable” category in the matrix to indicate that risk corrective measures are required if the combination falls into that category. The RPN works by numerical multiplication of the probability and severity levels. Acceptability is determined by assigning the RPN to one of the defined categories (Table 5.5).

Table 5.5. Acceptability determined by the assignment of the RPN

| Category | RPN range |
|---|---|
| Unacceptable | ≥ 9 |
| Undesirable | 5 ≤ RPN < 9 |
| Acceptable | < 5 |

Risk level and RPN each have their benefits and weaknesses. Risk level allows the organization to determine acceptability based on its preferred weighting of severity and probability. RPN is a numerical value which gives equal weight to severity and probability unless the equation or the assignment of values is modified to reflect a preference. However, RPN can be extended to bring other considerations into the risk analysis, such as a value for the detectability of failure.
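The two methods can be compared cell by cell. The following is an added example, not taken from the book: it encodes Table 5.4 and Table 5.5 and lists every probability and severity combination where the verdicts differ. Function and variable names are this example's own.

```python
# Severity and probability levels as numbered in Table 5.4.
SEVERITY = {"Negligible": 1, "Minor": 2, "Serious": 3, "Catastrophic": 4}
PROBABILITY = {"Frequent": 4, "Occasional": 3, "Remote": 2, "Improbable": 1}

U, D, A = "Unacceptable", "Undesirable", "Acceptable"

# Table 5.4: one row per probability level, columns in SEVERITY order.
RISK_MATRIX = {
    "Frequent":   [D, D, U, U],
    "Occasional": [A, D, U, U],
    "Remote":     [A, A, D, D],
    "Improbable": [A, A, A, A],
}

def risk_level(probability, severity):
    """Look up acceptability in the organization-defined matrix (Table 5.4)."""
    return RISK_MATRIX[probability][SEVERITY[severity] - 1]

def rpn(probability, severity):
    """RPN as the product of the probability and severity levels."""
    return PROBABILITY[probability] * SEVERITY[severity]

def rpn_category(value):
    """Map an RPN to its category using the Table 5.5 ranges."""
    if value >= 9:
        return U
    if value >= 5:
        return D
    return A

def disagreements():
    """Return every cell where the matrix and the RPN ranges disagree."""
    out = []
    for p in PROBABILITY:
        for s in SEVERITY:
            by_matrix = risk_level(p, s)
            by_rpn = rpn_category(rpn(p, s))
            if by_matrix != by_rpn:
                out.append((p, s, rpn(p, s), by_matrix, by_rpn))
    return out

if __name__ == "__main__":
    for p, s, value, by_matrix, by_rpn in disagreements():
        print(f"{p}/{s}: RPN={value} -> {by_rpn}, matrix -> {by_matrix}")
```

With these two tables the only disagreement is Frequent/Negligible: the matrix marks it Undesirable, while its RPN of 4 falls in the Acceptable range. This is the kind of preferred weighting that a matrix can express and an unmodified RPN cannot.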

Additional categories may be incorporated into the basic FMEA to capture more details to suit the organization’s need. It is common to see a process step, product function, or component listed in the first column, with the potential hazard identified in the second column. Effects of the failure may also be further refined to effects at the local level and at the system level. For example, a faulty resistor in an electrical printed circuit board may cause a bulb to fuse at the local level. At the system level, the effect is that there is no power signal light. In the risk analysis for a medical device, an additional column for probability after risk control measures is added to determine the residual risk level. It is important to note that any risk control measures will only reduce the probability of failure but not its severity. Other variants of the FMEA include the addition of a column for likelihood of detection. To verify that risk control measures have been implemented and are effective, an implementation column and effectiveness column may be added to include document references. Documents pertaining to implementation are work instructions, quality control procedures, component requirement specifications, engineering change documents, operating manuals, and others. Effectiveness documents may include inspection documents, drawings, postproduction monitoring, vendor evaluation forms, component compliance certificates, and others.

When considering using the FMEA as the risk analysis tool, it is important to know its weakness. Although the FMEA works well with medical devices with relatively simple systems and few components where failure of an entire system is traceable to the elements, it becomes very tedious for complicated machines with multiple functions and modular systems. For example, a dental archwire consists of a single material which relies on its mechanical properties to effect teeth movement based on its profile. However, a complicated system such as a robotic surgery arm contains multiple systems such as electronic components, mechanical components, software, and others. Just listing the components in an FMEA will run into many pages. Complications and misunderstandings may arise when multiple redundancies are built into the system and the assignment of a failure mode and its cause is difficult to define, as the relationship and inter-dependency between the components may not be well defined in the FMEA. For such larger complicated systems, an FTA may be more appropriate.

5.3.2 Fault tree analysis

The FTA is a systematic top-down method which starts from an assumption of a system failure followed by identification of the modes of system or component behavior that have contributed to this failure. These modes of system or component behavior are not confined to hardware or software but include other factors such as human factors or interaction. FTA is particularly useful when quantitative data on probability is available, although qualitative analysis can also be performed. In either case, an FTA can pinpoint common factors or the factors that are the highest contributors to system failure. These are not as readily identifiable using other risk analysis techniques such as FMEA. Its visual representation of the causes of the failure allows easy identification of a single fault event (a single failure that triggers a complete system failure). Where quantitative data is available, the probability of failures can be anticipated through mathematical calculations.

The FTA is comprised of a top event and a series of symbols, events, and logic gates for the construction of the tree. Some of the symbols commonly used in an FTA are shown in Table 5.6. Refer to IEC 61025 [154] for more symbols used in an FTA.

Table 5.6. Common symbols used in FTA

| Name | Description |
|---|---|
| Basic event | Failure mode of a component or an individual failure cause |
| Undeveloped event | A potential failure mode or failure cause for which relevant information is unavailable at the moment |
| OR gate | Output event occurs if any of the input events occur |
| AND gate | Output event occurs only if all the input events occur |
| NOT gate | Output event occurs only if all the input events do not occur |

For complicated systems, the FTA diagram may become very large when the system failure is at a very high level. For example, a top event such as “system no response” in an electrical device may be due to numerous causes. In the absence of software to track the FTA, it is more practical to consider intermediate undesirable events such as “input power cut” or “transformer failure.” This also allows different functional teams to work on various aspects of the FTA before combining at a later stage. Figure 5.3 is an illustration of how an FTA diagram looks for an alarm-related harm to patient in a medical system [155].

Figure 5.3. Illustration of FTA for alarm in a medical system [155].
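The quantitative side of an FTA, and the identification of single fault events, can be shown on a small tree. This is an added example, not taken from the book: the event names "system no response", "input power cut" and "transformer failure" come from the text, while the redundant controller pair and all probabilities are assumptions. Only the AND and OR gates of Table 5.6 are handled.

```python
from itertools import product
from math import prod

# Constructed tree: the controller pair and every probability below are
# assumptions made for this example, not data from the source.
BASIC = {  # basic event -> assumed probability of failure
    "input power cut": 0.01,
    "transformer failure": 0.002,
    "main controller fault": 0.05,
    "backup controller fault": 0.05,
}
TREE = ("OR", [  # top event: "system no response"
    "input power cut",
    "transformer failure",
    ("AND", ["main controller fault", "backup controller fault"]),
])

def probability(node):
    """Probability of the node's output event.

    Assumes basic events are independent and each appears once in the tree.
    """
    if isinstance(node, str):
        return BASIC[node]
    gate, children = node
    ps = [probability(c) for c in children]
    if gate == "AND":
        return prod(ps)
    if gate == "OR":
        return 1 - prod(1 - p for p in ps)
    raise ValueError(f"unsupported gate: {gate}")

def cut_sets(node):
    """Minimal sets of basic events that together cause the output event."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":
        sets = [s for cs in child_sets for s in cs]
    elif gate == "AND":
        sets = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unsupported gate: {gate}")
    # Keep only minimal sets: drop any set that strictly contains another.
    return [s for s in set(sets) if not any(o < s for o in sets)]

def single_fault_events(node):
    """Basic events that trigger the top event on their own."""
    return sorted(next(iter(s)) for s in cut_sets(node) if len(s) == 1)
```

Under these assumed values the redundant controllers contribute 0.0025 through the AND gate, and the two events feeding the OR gate directly are the single fault events.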

URL: https://www.sciencedirect.com/science/article/pii/B9780081002896000053

Practical Risk Analysis - As a Tool for Minimizing Plastic Product Failures

Subodh Medhekar, ... Robert Caligiuri, in Plastics Failure Analysis and Prevention, 2001

A SIMPLIFIED FMEA APPROACH

The objective of the FMEA is to create a living document that becomes a basis for making strategic engineering decisions. In a similar fashion to others, we characterize the relative risk contribution of potential failure scenarios associated with the process or product in terms of a risk priority number (RPN). This RPN is obtained as a product of three indices representing, respectively, the severity of the failure consequences, its likelihood of occurrence, and its detectability.

The process we have developed to simplify the FMEA process employs a three-phase approach. In the first phase we develop a common and consistent framework for the analysis. We assemble an FMEA team and use a combination of brainstorming sessions (which is the traditional FMEA method) and focused evaluations of the functionality of each component under both normal and abnormal conditions. We then use the deductive approach and develop a handful of “generic” failure modes, each with an associated relative severity index representing its potential safety or business impact, and numerous potential failure scenarios involving these modes.

Depending on the nature of the information in this phase, we also develop a relative scale for the likelihood of occurrence and detectability indices, from which values are objectively assigned to individual scenarios. These indices are constructed to be broad brush, rather than detailed, and are usually qualitative rather than quantitative. For example, instead of trying to precisely evaluate specific frequencies of occurrence, we will simply construct a scale based on “occasionally”, “more than a few times”, “observed once or twice in a product's lifetime”, and “never observed”. In almost all cases, we find that this simplification provides adequate resolution yet shortens the analysis time substantially. A typical example of simplified occurrence indices is displayed in Table 1.

Table 1. Sample simplified frequency of occurrence index

| Evidence About the Failure Scenario | Occurrence Index |
|---|---|
| Documented “frequent” occurrence in this or similar application. | 10 |
| Known to have occurred “a few times” with documented evidence. | 8 |
| Known to have occurred once with documented or reported evidence in this or similar application. | 6 |
| Anecdotal evidence of previous occurrence of this or related failure scenario. | 4 |
| No previous history, but greater potential to occur. | 2 |
| No previous history, but potential to occur. | 1 |

In the second phase, we compile information relevant to each individual failure scenario in “evidence sheets”. This can range from qualitative or anecdotal information to formally documented, quantitative information. Typical information sources are field service data from previous generation or similar products, supplier quality control data, process control and production quality assurance data, descriptions of previous failure experiences, and published failure data.

The information collected and tabulated in this phase has applicability beyond the FMEA, and forms the basis of the “living” document. It is critically important that the document remain “living”, that is, it must be continually updated. An FMEA which is performed and never acted upon or updated can represent a potential liability to a company in the event of subsequent litigation concerning the component being analyzed.

In the third phase, we calculate the RPNs and graphically analyze their distribution. This provides guidance as to the risk contributors that may require action. We also develop appropriate action strategies in this phase and evaluate their potential for risk mitigation.

URL: https://www.sciencedirect.com/science/article/pii/B9781884207921500408

Contamination Control

Jacques C.J. van der Donck, in Developments in Surface Contamination and Cleaning: Particle Deposition, Control and Removal, 2010

2.2 Step 2: Setting Priorities for the Contaminating Steps

In the first step, events are identified that will cause an out-of-specification situation for the process or product. Since contamination control has a larger scope than only an isolated event, more than one contaminating step can be found. For the sake of efficiency the largest risks should be considered first. This requires a system for setting priorities.

A good method, which is widely used in the semiconductor industry for yield optimization, is FMEA [22]. In this method, the process or equipment is divided into subprocesses and for each step or module a failure mode is defined. Finally, a risk priority number (RPN) is calculated for each failure mode. The RPN is calculated from the scores for three different parameters described below: Severity, Occurrence, and Detection. When the failure modes are ranked from high RPN to low RPN, the failure mode with the highest risk will appear at the top of the list.

Severity is related to the impact of a failure mode on the functionality of the product or process. The score on Severity increases when the influence of a contaminant on a critical functional property increases. The scores depend on the application and failure mode. In the literature [22] the definitions of the scores for Severity differ slightly. They are all related either to customer dissatisfaction or to damage to equipment or people. Scoring is very different for experimental equipment that is still under development than for improvement of mature processes. For experimental equipment, Severity is often ranked between “no impact” and “extensive damage to equipment”.

Occurrence is related to frequency of the failure mode. The score for Occurrence increases when the failure mode takes place more frequently. Scoring tables vary slightly from source to source. For the semiconductor industry, the Sematech ratings [22] can be used. Score 1 is defined as “An unlikely probability of occurrence during operating time interval. Single failure mode (FM) probability < 0.001.” Score 10 is defined as “A high probability of occurrence during the operation interval FM > 0.2.”

Detection is related to the detectability of the failure mode. If the occurrence of a failure mode can be detected instantaneously, the score for Detection will be low. If no detection method is available for the failure mode, then the score will increase to 10.

The RPN is then calculated from the following expression:

RPN = Severity × Occurrence × Detection

The accuracy of the RPN is strongly dependent on the accuracy of the input data. For equipment in operation, the experimental data on Severity, Occurrence, and Detection can be gathered. If the equipment is still in the design phase scores can only be estimated. For Severity and Detection, the first estimates can be quite accurate, since they can be derived from the process design and requirements. If Step 1 has been carried out, this information is available. Finding a score for Occurrence is more difficult. If no experimental data are available, only estimates can be made that are mainly based on experience.

What are the 4 types of risk?

The main four types of risk are:
- strategic risk, e.g. a competitor coming on to the market
- compliance and regulatory risk, e.g. introduction of new rules or legislation
- financial risk, e.g. interest rate rise on your business loan or a non-paying customer
- operational risk, e.g. the breakdown or theft of key equipment

What is the term for something that creates a risk?

risk (noun, ˈrisk): possibility of loss or injury; peril. Also: someone or something that creates or suggests a hazard.

What are the 3 main types of risk?

Types of Risks: Broadly, risks can be classified into three types: Business Risk, Non-Business Risk, and Financial Risk.

What is risk of occurrence?

Definition of Risk Occurrence. A risk occurrence is:
- an outcome of a safety event that is negative, such as an accident, safety mishap, etc.;
- a core part of risk analysis (i.e., how did this mishap occur?); and
- generally spoken of in the context of, “After the runway incursion [risk occurrence] occurred on runway 4.”