Component reliability specification


ARTICLE IN PRESS Reliability Engineering and System Safety 94 (2009) 1609–1617


D.N.P. Murthy a,*, T. Østerås b, M. Rausand b

a Division of Mechanical Engineering, The University of Queensland, Brisbane Q 4072, Australia
b Department of Production and Quality, Norwegian University of Science and Technology, Trondheim, Norway

Article history: Received 28 April 2007; Received in revised form 25 January 2009; Accepted 28 February 2009; Available online 26 March 2009

Abstract

Building reliability into a product is costly and needs to be traded against the consequences of product unreliability. This article is the third in a series of three articles, where the first deals with optimal investment in reliability, which involves executing two tasks: (i) deciding on the reliability requirements and (ii) deciding on component specifications (SP) to achieve the desired reliability. The second article deals with the first task and in this third article, we focus on the second task.

© 2009 Elsevier Ltd. All rights reserved.

Keywords: Reliability specification; Redundancy; Preventive maintenance; Development

1. Introduction

Product reliability is of importance to both manufacturers and consumers, since inadequate reliability results in higher costs to both parties. Murthy et al. [1] examine this issue and look at the optimal investment in reliability. It involves two tasks: (i) deciding on the reliability requirements and (ii) deciding on component specifications (SP) to achieve the desired reliability. Murthy et al. [2] deal with the first task and in this article we discuss the second task.

The design process defines how the product is to be built. This involves decomposing the product, starting at the product level and proceeding down to the component level, with several intermediate levels. At each level there are several elements. The specification of an element at any level is derived from the performance of the elements at the level above it. As a result, there is a sequence of performances and specifications that leads to specifications at the component level. In this article we focus on the sequence of performances and specifications throughout the design process, and define the reliability specification at the component level that will ensure that the product reliability requirements are met.

The outline of the article is as follows. We start with a brief general discussion of performance and specification and the links between the two in the context of new product development in Section 2. This is followed by a brief discussion of the design process in Section 3. Section 4 deals with the process of arriving at the reliability specifications at the component level. Two key elements of the process are discussed in the next two sections. In Section 5, we look at reliability allocation and the alternative options to ensure that the target values assigned for component reliability are achieved. Section 6 deals with optimal decision making in reliability specification at component level.

* Corresponding author. E-mail address: [email protected] (D.N.P. Murthy).
doi:10.1016/j.ress.2009.02.029

2. Performances and specifications

2.1. Definitions

There are several different notions of performance and specifications in the context of the new product development process and these are discussed in detail in [3]. We confine our attention to a subset of these that is relevant for deriving the reliability specification at component level:

- Desired performance (DP) is a statement about the performance desired from an object (product or component).
- Specifications describe how the desired performance can be achieved (using a synthesis process involving evaluation of potential solutions to select the best), with desired performance as input to the process.
- Predicted performance (PP) is an estimate of the performance of the object for a given set of specifications.

Nomenclature

$\tilde{F}_{jm}$: function m, $1 \le m \le m_j$, at sub-phase j
$DS_j$: set of design options at sub-phase j
$E_{jn}$: element n, $1 \le n \le n_j$, at sub-phase j
$DP_j$: desired performance at sub-phase j
$SP_j$: specifications at sub-phase j
$PP_j$: predicted performance at sub-phase j
$R_D(t)$: desired product reliability
$R_P(t)$: predicted product reliability
$K$: number of components in the final product design
$R_{kA}(t)$: assigned reliability for component k, $1 \le k \le K$
$R_{kC}(t)$: reliability of currently available component k, $1 \le k \le K$ (option 0)
$R_{kP}(t)$: predicted reliability for component k, $1 \le k \le K$ (options 1–3)
$N_{kW}$: number of PM replacements over the warranty period (option 2)
$C_k$: cost (per unit) of currently available component k, $1 \le k \le K$ (option 0)
$C_{kP}$: production cost (per unit) for component k, $1 \le k \le K$ (options 1–3)
$C_{kD}$: development cost for component k, $1 \le k \le K$ (option 3)
$C_D$: total development cost
$C_P$: production cost (per unit)

2.2. Relationship between performance and specifications

Performance and specifications are strongly interlinked, and play a central role in the new product development process (e.g., [4–6] discuss the critical importance of performance and specification throughout new product development processes). There are two kinds of relationships between performance and specifications as indicated in Fig. 1:

- Forward relationship (performance-to-specifications): Often, there are several alternative specifications meeting the desired performance. As a result, the forward relationship is one-to-many and the decision problem is to select the best one.
- Backward relationship (specification-to-performance): The predicted performance depends on the specifications and this is a one-to-one relationship.

Comment: The actual performance (AP) is the performance of an object (product, component, or some intermediate level) during the development and post-launch phases [7]. The actual performance will most likely differ from the predicted performance (in the front-end and design phases) due to several uncertain factors beyond the control of the manufacturer. In this case, one measures performance in a statistical sense so that the expected (or average) actual performance is related to the specification through a one-to-one relationship.

3. The design process

The design activities evolve with an increasing level of detail, starting at product level and ending at component level. The design process starts with the design team examining alternative system architectures for the product and ends with all individual components and parts fully specified and laid down in assembly drawings and parts lists. They can be classified into two different groups as indicated below (e.g., see [8]):

- Conceptual design is concerned with establishing the functions (what the product should do) and then means/design solutions (how these functions can be carried out technologically). Functions and means are specified at an ever-increasing level of detail, until the main product components and their structural and spatial relationships are arrived at.
- Detail design is concerned with elaborating the concept up to the point where all decisions about the product have been taken, and tests of the product's functionality, operation and use, appearance, consumer preference, and so on, can be carried out.

A good conceptual design process is characterized by the identification of several means/solutions for carrying out each function. Subsequently, this requires an evaluation of the alternatives to allow for an optimal choice of means/solutions for each function, before decomposing functions further. Some solutions may prove unfeasible as they are further decomposed. This requires re-iterations of the functional decomposition process until a feasible concept is found, or the solution space is exhausted without finding a feasible concept. This mode of thinking is essential in new product development processes, as a bad concept can never be turned into a good product in the detail design. For re-designing an existing product (where the concept is more or less known prior to the development process), the conceptual design is less significant. For products where reliability is essential, it is important that reliability engineering participates in the screening and selection of means/solutions at each level to ensure that the design process provides a product that will yield the desired reliability characteristics.

4. Reliability specification process

As described above, the product development process can be viewed as a process of functionally decomposing the product into several sub-systems. Each sub-system can be decomposed into assemblies, each assembly into sub-assemblies, and so on, till one reaches the component level. Let J denote the number of levels, with level 1 corresponding to the product, level 2 corresponding to the subsystems, and so on. The number of levels needed depends on the complexity of the product, and some subsystems may require more decomposition than others. The functional decomposition leads to (J−1) levels, numbered 1 through (J−1) as indicated in Fig. 2, and level J corresponds to the component level. We confine our discussion to the case of a single product. Each level involves several elements; let $n_j$ denote the number of elements in level j. The elements in sub-phase j are given by the set $\{E_{jn}, 0 \le n \le n_j\}$. Note that $n_1 = 1$, and that $n_{j+1} > n_j$. The number of elements in the later levels depends on the design of the product. Each level can be characterized in terms of inputs, outputs, and the processes involved. We discuss these for level j.

Fig. 1. Link between specification and performance.

4.1. Inputs

It is necessary to define the different functions that the elements at level j need to perform. Let $\{\tilde{F}_{jm}, 1 \le m \le m_j\}$ denote these functions. This is achieved by linking the elements at level (j+1) in a proper manner. Good design involves defining the elements at level (j+1) to ensure this and is product specific. From a reliability point of view, we need to define the desired reliability for each element in the level. Let $DP_{jn}$ denote the desired reliability of the element $E_{jn}$ for $1 \le n \le n_j$ and let $DP_j$ be a vector of dimension $n_j$ given by $DP_j = (DP_{j1}, DP_{j2}, \ldots, DP_{jn_j})$.

Comment: In [2], the definition of $DP_1$ was discussed based on the business objectives (Task 1 of reliability design).

4.2. Process

Let $DS_j = (DS_{j1}, DS_{j2}, \ldots, DS_{jk_j})$ be a vector of design options that look promising for level j. For each option, there can be elements that need no further decomposition (e.g., element $E_{j1}$ in Fig. 2) whilst other elements need to be decomposed into two or more elements at sub-phase (j+1) (e.g., element $E_{j2}$ decomposed into three elements in Fig. 2). The various elements at level (j+1) need to be linked so as to ensure that all the functions $\{\tilde{F}_{jm}, 1 \le m \le m_j\}$ at level j can be achieved. A design option is selected from $DS_j$ and is first evaluated in a qualitative analysis (such as an FMECA analysis). If the analysis indicates unacceptable options, one needs to discard these and look at other design options. If the risks associated are acceptable, one proceeds to a quantitative analysis. This involves allocating reliabilities to the elements of level (j+1) and these define the specifications $\{SP_{jn}, 1 \le n \le n_{j+1}\}$. $SP_j$ is a vector of specifications at level j (of dimension $n_{j+1}$) with $SP_j = (SP_{j1}, SP_{j2}, \ldots, SP_{jn_{j+1}})$.

One needs to use models to predict the reliability of the elements at level j based on the reliability allocated to the elements of level (j+1). This involves the use of structure functions (see [9]) to determine the predicted reliability $PP_{jn}$ for element $E_{jn}$, $1 \le n \le n_j$. $PP_j$ (a vector of dimension $n_j$) is the predicted reliability of the elements in level j and is given by $PP_j = (PP_{j1}, PP_{j2}, \ldots, PP_{jn_j})$. The predicted reliability $PP_j$ is compared with the desired reliability $DP_j$ to determine whether the two match or not. If they match, one proceeds to the next level with $DP_{(j+1)n} = SP_{jn}$, $1 \le n \le n_{j+1}$, if $j < J-1$, and when $j = J-1$ we have the reliability specifications at the component level. If the two do not match, then one iterates back to the conceptual design if $j = 1$ or to the previous level if $j > 1$. The process discussed above is shown in Fig. 3 and discussed in more detail in [10].

4.3. Outputs

The output of level j is the specifications $\{SP_{jn}, 1 \le n \le n_{j+1}\}$.

4.4. Comments

- The dimension of $SP_j$ increases with j, $1 \le j \le (J-1)$.
- The reliability allocation (at each level) must take into account the current state of technology and the implications in terms of research and development, cost constraints, and so on.

4.5. Example 1 (safety instrumented system)

Safety instrumented systems are used as protection layers in many application areas, for example as automatic train control systems, emergency shutdown systems and fire and gas detection systems in the process industry, airbag and ESP systems in automobiles, and so on. Requirements to such systems are given in the standard IEC 61508 [11]. We will exemplify our approach by a simple example of a safety instrumented system used in the process industry. Consider a gas pipeline feeding a process plant. If a gas leakage occurs in the process area, it is important to shut down the gas flow in the pipeline as soon as possible. A shutdown system is therefore installed as a protection layer, comprising one or more gas detectors, a logic solver, and one or more automatic fail-safe valves. If a gas leakage occurs, it will

Fig. 2. Decomposition into sub-phases during the design process.


Fig. 3. Reliability specification process.

be detected by the gas detector(s), the logic solver will interpret the signals from the detector(s) and send a closure signal to the valve(s), which will be closed with the aid of the built-in fail-safe mechanism.

4.5.1. Decomposition of the system

Level 1 is here the protection layer (the product), while level 2 comprises the three subsystems: detector(s), logic solver, and shutdown valve(s). Each subsystem can be broken down into assemblies on level 3. A shutdown valve can, for example, have the following assemblies: valve body, fail-safe actuator, hydraulic control system. On level 4, each assembly can be broken down into sub-assemblies. For the valve body, these can be: valve housing, closing element, stem, valve seats, flange seals, stem seals, and so on. How far the system is broken down depends on the complexity of the system, the objectives of the study, and on the availability of reliability data. The functions on level 1 are:

1. If there is a gas leakage in the process area, the protection layer (the product) shall detect the gas and close the gas flow in the pipeline.
2. When the flow is closed, the valve(s) shall remain closed without any leakage through the valve(s) in closed position.
3. The valves shall not close the flow when there is no gas leakage in the process area.
4. It shall be possible to verify specified failure conditions of the protection layer by diagnostic testing.

Fig. 4. Assigned versus actual component reliability.

The first function is the most important and is called the essential function of the protection layer [9]. To fulfil this essential function, sub-phase 2 involves securing the following functions:

1.1 Detection of the gas in the process area. A functional requirement may be that a gas concentration above a specified limit must be detected.
1.2 Interpretation of signals from the gas detection and transmission of these signals.
1.3 Closure of the gas flow in the pipeline. A functional requirement may be that the flow is closed within 5 s after the gas is detected.

Sub-functions to each of these functions may be further specified in sub-phase 3, and so forth. Note that the functions in all phases may be conflicting. If one, for example, specifies very strict functional requirements to the essential function (function 1), this will influence, and make it more difficult to fulfil, function 3.

Various design options can now be proposed for each level. Consider, for example, a shutdown valve actuator (level 3). One requires the actuator to be fail-safe, but this feature can be achieved in different ways: by a single compressed spring, by multiple springs, by a hydraulic pressure accumulator, by a pneumatic pressure accumulator, and so on. The valve body may be a gate valve, a ball valve, or a flapper valve, and the seat seals may be static or rotating. The failure modes for the various options can be identified and evaluated by an FMECA.

4.5.2. Reliability allocation

The reliability requirements to the protection layer may be specified based on a system risk analysis and are often stated as a safety integrity level (SIL) [9]. In this case, it is assumed that the demands for the protection layer occur as a homogeneous Poisson process with a rather low rate, typically less than once a year. The reliability requirements to the protection layer are based on the estimated demand rate and the risk acceptance criteria for the process plant. The SIL for this system is related to the essential function and is quantified as a probability of failure on demand (PFD). The PFD is here the probability that the essential function cannot be performed when a gas leakage is present in the process area. The requirements are specified as four distinct levels, 1–4, where SIL 4 is the strictest requirement [11]. Assume that a SIL 3 has been specified. This means that the PFD must be less than $10^{-3}$, that is, less than one failure of the essential function per 1000 demands. Based on an evaluation of what is technically feasible, we may, for example, apportion this requirement to the subsystems and come up with the following requirements:

1. Detection sub-system: 35% of the required value, i.e., $PFD_{Det} \le 3.5 \times 10^{-4}$.
2. Logic solver: 15% of the required value, i.e., $PFD_{LS} \le 1.5 \times 10^{-4}$.
3. Shutdown valve(s): 50% of the required value, i.e., $PFD_{SDV} \le 5.0 \times 10^{-4}$.

This allocation will meet the SIL 3 requirement.

5. Achieving the allocated reliability at component level

Let K denote the number of elements which, linked together, constitute the elements $\{E_{(J-1)n}, 1 \le n \le n_{(J-1)}\}$ at level J−1. The allocated reliabilities $R_{kA}$ are given by $R_{kA} = SP_{(J-1)k}$, $1 \le k \le K$. These define the specifications at the component level. If the allocated reliability for a component matches the reliability of a standard commercially available component (with similar functional features), then the decision problem is trivial. However, when the allocated reliability is higher (see Fig. 4), then the manufacturer has three options and these are (i) redundancy, (ii) preventive maintenance and (iii) reliability growth through development.¹ Fig. 5 indicates the process for making the choice between the options. In this section, we first discuss these options and then look at the optimal decision problem.

5.1. Redundancy

Redundancy is a technique used to improve component reliability through the use of replicated components. Redundancy can only be used when the functional design of the system allows for the incorporation of replicated components and is used extensively in electronic products and safety systems to achieve high reliability when individual components have unacceptably low reliability. Building in redundancy corresponds to using a module consisting of M replications of a component. The manner in which these replicates are put to use depends on the type of redundancy. In active redundancy, all M components of the module are fully energized. In contrast, in passive redundancy, only some components are fully energized and the remaining are either partially energized (in the case of warm standby) or kept in reserve and not energized (in the case of cold standby). When a fully energized component fails, it is replaced by one of the partially energized components in the case of warm standby, or, in the case of cold standby, by a component from the reserve using a switching mechanism, provided that not all of the partially energized or reserve components in the module have failed. For further details, see [12]. The number of replications needed depends on the actual and the allocated reliability. The reliability increases as the number of replicated components increases (see Fig. 6). The decision regarding the use of redundancy has implications for product and production cost and must take into account other constraints such as weight and/or volume. One needs to ensure that these constraints are not violated.

¹ The manufacturer can have more options by combining two or more of the above three options to achieve the reliability targets. Also to note is that strategies to improve reliability performance can be carried out at a higher level—in other words, at earlier sub-phases.

Fig. 5. Achieving the reliability requirement at the component level.

Fig. 6. Achieving assigned reliability target through redundancy.

5.2. Preventive maintenance

One way of achieving the assigned target for component reliability is through the use of preventive maintenance actions that involve replacing the component periodically. The replacement interval depends on the actual and assigned component reliabilities as indicated in Fig. 7. The decision regarding the use of preventive maintenance needs to take into account its implications on life cycle cost, availability, and so on.

Fig. 7. Achieving assigned reliability target through preventive maintenance.

Fig. 8. Achieving assigned reliability target through development.

5.3. Reliability growth through development

Here the improvement in component reliability is achieved through a Test-Analyze-And-Fix (TAAF) program. The process begins with the testing of a component, usually under increasing levels of stress till failure; failure data, including modes of failure, time to failure, and any other relevant information, are collected and analyzed by engineers to discover the causes of failure. Corrective actions in the form of changes to the component design are then taken to reduce the frequency of future failures and the process is repeated until the reliability targets are achieved.² The effort (in terms of resources, development time, etc.) needed depends on the actual and the assigned reliabilities as shown in Fig. 8. Also to note is the uncertain outcome of any such development program. This has implications in terms of some of the constraints not being satisfied with nonzero probability.

5.4. Predicted reliability performance

The predicted reliability is obtained using models. Let K be the number of components in the final detail design, let $R_{kA}(t)$ denote the reliability assigned to component k, $1 \le k \le K$, and let $R_P(t)$ denote the predicted reliability based on the values assigned to the K components. Then, we have

$$PP_1 = R_P(t) = h(R_{1A}(t), R_{2A}(t), \ldots, R_{KA}(t)) \qquad (1)$$

where $h(\cdot)$ is the (reduced) structure function that may be obtained using either a reliability block diagram or a fault tree diagram. For more details, see [9].

6. Optimal decisions

For each component there are two decision variables: (i) primary and (ii) secondary. For component k the primary decision variable is denoted by $\gamma_k$ and it can assume one of four values (0–3) as indicated in Table 1. When the assigned value is nonzero, we have a set of secondary decision variables that depend on the value assigned to $\gamma_k$ and these are also indicated in Table 1.³

Table 1. Task 2 decision variables.

$\gamma_k$ | Option | Secondary decision variables
0 | Standard component | None
1 | Use redundancy | $M_k$ (number of replicates)
2 | Use preventive maintenance | $T_k$ (replacement interval)
3 | Initiate development program | $\tau_k$ (development time)

² For further discussion of TAAF, TAAF test design principles, and the relationship of TAAF to other testing programs, see [13].

³ If one uses a combination strategy involving two or more of the options discussed earlier, then $\gamma_k$ can assume additional values.


When $\gamma_k = 0$ there is no secondary decision variable. In this case, the assigned reliability $R_{kA}(t) = R_{kC}(t)$, the reliability of the available component selected. The secondary decision variables for the remaining three cases are (i) $M_k$, the number of replicates when $\gamma_k = 1$, (ii) $T_k$, the replacement interval when $\gamma_k = 2$ and (iii) $\tau_k$, the development time when $\gamma_k = 3$. As a result, the set of decision variables is given by $\{\gamma_k, M_k, T_k, \tau_k, 1 \le k \le K\}$.

6.1. Optimal component reliability specification

The choice of decision variables affects various costs. The two costs that are of relevance in reliability design are the following:

1. Production cost per unit given by $C_P = \sum_{k=1}^{K} C_{kP}$.
2. Total development cost given by $C_D = \sum_{k=1}^{K} C_{kD}$.

$C_{kP}$ is the production cost associated with component k, $1 \le k \le K$, and is given by

$$C_{kP} = \begin{cases} C_k & \text{if } \gamma_k = 0 \\ M_k C_k & \text{if } \gamma_k = 1 \\ N_{kW} C_k & \text{if } \gamma_k = 2 \\ \pi_P(R_{kA}(t)) & \text{if } \gamma_k = 3 \end{cases} \qquad 1 \le k \le K \qquad (2)$$

where $C_k$ is the purchase price (unit cost) if component k, $1 \le k \le K$, is bought from the ones available on the market. The function $\pi_P(R_{kA}(t))$ depends on the reliability assigned to component k, $1 \le k \le K$. The development cost associated with component k, $1 \le k \le K$, is given by

$$C_{kD} = \begin{cases} 0 & \text{if } \gamma_k = 0 \\ 0 & \text{if } \gamma_k = 1 \\ 0 & \text{if } \gamma_k = 2 \\ \pi_D(R_{kA}(t) - R_{kC}(t), \tau_k) & \text{if } \gamma_k = 3 \end{cases} \qquad 1 \le k \le K \qquad (3)$$

where the function $\pi_D(R_{kA}(t) - R_{kC}(t), \tau_k)$ depends on the gap between the reliability allocated and the current reliability of the component, and on the development time.

The optimal component reliability specification is obtained by defining a suitable cost function for minimization. One such function is the total manufacturing cost, that is, the sum of the production and development costs, given by

$$J(\gamma_k, M_k, T_k, \tau_k;\ 1 \le k \le K) = \sum_{k=1}^{K} C_{kP} + \sum_{k=1}^{K} C_{kD} \qquad (4)$$

The optimal values are obtained by selecting the decision variables that minimise the above cost function and also satisfy all the constraints. Fig. 9 shows this in a schematic manner and involves mixed integer optimization. A variety of tools are available for carrying out this optimization and can be found in many books (see for example [14]). The outcomes of detail design are (i) a qualitative failure mode, effects and criticality analysis (FMECA) of the product, and (ii) a quantitative analysis that defines the reliability requirement $\{R_{kA}(t), 1 \le k \le K\}$ for the K components and the strategies (redundancy, preventive maintenance and/or reliability development) to achieve these stated requirements.

6.2. Example 2 (detection sub-system)

We return to the protection layer system in Example 1, and consider, for example, the detection sub-system that was specified to have the reliability requirement $PFD_{Det} \le 3.5 \times 10^{-4}$. The essential function is a so-called dormant function and failures of this function are normally only detected by functional testing. To be able to meet the reliability requirement, one therefore has to proof test the detector(s) at regular intervals, say of length $\tau = 6$ months. We assume that a detector has a constant failure rate $\lambda$ with respect to failures of the essential function. When a failure or degradation is revealed during a proof test, the problem is rectified such that after the test, the detector is approximately "as good as new". Since the detector has a high reliability, this operating procedure implies that a constant failure rate $\lambda$ is an adequate approximation. With this assumption, the PFD of a detector is approximately $\lambda\tau/2$ [9].

6.2.1. Redundancy

Based on data from generic sources and/or from the suppliers of detectors, one may now check whether or not it will be sufficient with only one detector. In most cases, one needs to introduce redundancy and use two or more detectors. An important issue when introducing redundancy is the possibility of common cause failures, and these have to be included in the logic model when calculating the reliability of the subsystem with respect to the essential function. Another important issue is the configuration of the detectors. Three detectors may, for example, be configured as a 1-out-of-3, a 2-out-of-3, or a 3-out-of-3 system, where a k-out-of-3 means that at least k of the 3 detectors have to perform the essential function to activate the shutdown function. A decision about the configuration will influence the complexity and hence the reliability of the logic solver.
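The k-out-of-n voting configurations of Section 6.2.1, evaluated with the constant-failure-rate, proof-test-interval model of Section 6.2 (PFD ≈ λτ/2 for a single detector), can be worked through in code. The following Python is an added example written for this page, not code from the article or its authors. It computes the exact test-interval average PFD of a k-out-of-n group of identical detectors in closed form, compares it with the λτ/2 approximation, and checks each configuration against the 3.5 × 10⁻⁴ allocation of Example 1. The failure rate, the six-month interval expressed in hours, the common-cause fraction β and the beta-factor model itself (a fraction β of the failure rate is assumed to fail all detectors at once) are constructed assumptions that the article does not specify.

```python
"""Average probability of failure on demand (PFD) of a k-out-of-n voted group
of gas detectors under the proof-test model of Section 6.2.

Added example, not code from the article. Assumptions beyond the article:
a constructed failure rate and test interval, and a beta-factor model for
common-cause failures (the article only says they must be in the logic model).
"""
from math import comb, exp


def pfd_avg_koon(k: int, n: int, lam: float, tau: float) -> float:
    """Exact test-interval average PFD of a k-out-of-n group of identical,
    independent detectors with constant failure rate lam, proof tested every
    tau time units and as good as new after each test.

    The group fails on demand when fewer than k detectors work. With
    p(t) = exp(-lam t) the probability that a detector still works t after
    the last test, PFD(t) = sum_{j<k} C(n,j) p^j (1-p)^(n-j). Expanding
    (1-p)^(n-j) binomially turns the interval average into a sum of averages
    of exp(-m lam t), each equal to (1 - exp(-m lam tau)) / (m lam tau).
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    total = 0.0
    for j in range(k):                 # j working detectors, j < k
        for i in range(n - j + 1):     # term i of the expansion of (1-p)^(n-j)
            coeff = comb(n, j) * comb(n - j, i) * (-1) ** i
            m = j + i                  # p^j * p^i = exp(-m lam t)
            avg = 1.0 if m == 0 else (1.0 - exp(-m * lam * tau)) / (m * lam * tau)
            total += coeff * avg
    return total


def pfd_avg_with_ccf(k, n, lam, tau, beta=0.0):
    """Beta-factor model (assumption): a fraction beta of lam is common to all
    detectors and defeats any voting; the rest acts independently. The two
    contributions are added, a first-order approximation that is accurate
    when both are small."""
    if n == 1 or beta == 0.0:
        return pfd_avg_koon(k, n, lam, tau)
    independent = pfd_avg_koon(k, n, (1.0 - beta) * lam, tau)
    common_cause = pfd_avg_koon(1, 1, beta * lam, tau)
    return independent + common_cause


def configurations_meeting(requirement, lam, tau, beta=0.0, max_n=3):
    """All (k, n, pfd) with n <= max_n whose average PFD meets the allocation."""
    found = []
    for n in range(1, max_n + 1):
        for k in range(1, n + 1):
            pfd = pfd_avg_with_ccf(k, n, lam, tau, beta)
            if pfd <= requirement:
                found.append((k, n, pfd))
    return found


# Constructed figures: 1e-6 dangerous undetected failures per hour per detector,
# a 6-month proof-test interval (730 h per month), a 2% common-cause fraction,
# and the 3.5e-4 allocation to the detection sub-system from Example 1.
LAMBDA = 1.0e-6
TAU = 6 * 730.0
BETA = 0.02
PFD_DET_REQUIREMENT = 3.5e-4

if __name__ == "__main__":
    print(f"single detector: lambda*tau/2 = {LAMBDA * TAU / 2:.3e}, "
          f"exact average = {pfd_avg_koon(1, 1, LAMBDA, TAU):.3e}")
    for n in (1, 2, 3):
        for k in range(1, n + 1):
            pfd = pfd_avg_with_ccf(k, n, LAMBDA, TAU, BETA)
            verdict = "meets" if pfd <= PFD_DET_REQUIREMENT else "fails"
            print(f"{k}oo{n}: PFD_avg = {pfd:.2e}  {verdict} the "
                  f"{PFD_DET_REQUIREMENT:.1e} allocation")
```

With these figures a single detector (λτ/2 ≈ 2.2 × 10⁻³) misses the allocation, while 1oo2, 1oo3 and 2oo3 meet it; 2oo2 and 3oo3 do not, since every additional detector that must respond adds another way to fail the essential function. The common-cause term βλτ/2 is the same for every voted configuration and, for 2oo3 here, is larger than the independent part, which is why the article insists that common-cause failures enter the logic model.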

Fig. 9. Task 2 decision making.

6.2.2. Preventive maintenance

Preventive maintenance can be used to improve the subsystem reliability in two ways, by periodic proof testing and by continuous diagnostic testing. When degradation or latent failure conditions are revealed by testing, the problems are rectified. The testing and the subsequent repair are clearly a type of preventive maintenance. Periodic proof testing will often lead to production disturbances and should not be performed too often. In a complex plant the proof testing requires skilled operators and the testing has to be scheduled properly. The proof testing interval can therefore not be tailored to the requirements of specific components. The test interval is often shorter in the first phase of the operating life, to weed out possible low-quality items. The test policy may, for example, be to test the essential function once a month for the first 3 months. If the tests do not reveal any failures, the test interval is increased to 3 months for the next three tests. If these tests do not reveal any failures, the test interval is increased to 6 months.

The other option is to use diagnostic testing, where the logic solver sends automatic signals to each detector to check that the communication is functioning and that specific failure conditions are not present. The returned signals are interpreted by the logic solver and operators are alerted when deviations are detected. The signals from the logic solver may be sent on a more or less continuous basis, for example, once per minute. Modern gas detectors are rather sophisticated, with dedicated software to reveal failure conditions. The percentage of critical failures that can be revealed by diagnostic testing is called the coverage of the testing and is often higher than 85%.

6.2.3. Reliability growth

If one is not able to meet the reliability requirements by careful selection of redundancy/configuration and/or preventive maintenance (i.e., proof testing and diagnostics), one may start a reliability growth program to improve the intrinsic reliability of the detectors. This is a costly exercise, but may sometimes be required.

6.3. Example 3 (shutdown valve)

Again, we return to the protection layer system in Example 1. Now, we consider the shutdown valve, assume that this is a gate valve, and look at failure of function 2 in Example 1, i.e., leakage through the valve in closed position. This failure mode is caused by erosion and/or corrosion in the valve sealing area. The failure is a degradation failure and the associated failure rate function will therefore be increasing with time t. The failure mode is critical with respect to safety, but will not be detected by the proof test unless we have installed an additional valve on the downstream side of the shutdown valve and pressure sensors between the two valves. We assume that this is not the case for our example. The reliability requirement for this function can be deduced from the SIL requirement, and will be time dependent as illustrated in Fig. 4. The actual reliability can be assessed based on measurements of the wear depths on the gate and the seals. If the actual reliability is less than the allocated reliability, one needs to improve the reliability by introducing redundancy or preventive maintenance, as described in Section 6.1.
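The Task 2 decision problem of Section 6.1, together with the structure-function prediction of Section 5.4, can be worked through end to end for the three sub-systems of Example 1. The Python below is an added worked example, not the authors' code: for each component it enumerates every admissible value of γ_k and its secondary variable from Table 1, keeps only candidates whose predicted reliability reaches R_kA, and takes the cheapest; J of eq. (4) is then the sum of the per-component minima, and the product-level prediction of eq. (1) is formed with a series structure function h. The component data, the warranty period, the Weibull model for R_kC(t), the preventive-maintenance model (as-good-as-new replacement every T_k), the reliability-growth law for option 3 and the forms chosen for π_P and π_D are all constructed assumptions; the article deliberately leaves those functions unspecified.

```python
"""Task 2 of Section 6.1: pick gamma_k and its secondary variable for every
component so that R_kA is met at minimum J = sum C_kP + sum C_kD (eq. 4).

Added example, not the article's code. The reliability and cost models for
options 1-3 (Weibull R_kC(t), as-good-as-new PM replacement, an exponential
reliability-growth law, linear pi_D and a small production premium pi_P)
and all numbers are constructed assumptions."""
from dataclasses import dataclass
from math import ceil, exp


@dataclass
class Component:
    name: str
    r_assigned: float          # R_kA at the end of the warranty period
    unit_cost: float           # C_k, purchase price of the standard component
    eta: float                 # Weibull scale (hours) of the standard component
    shape: float               # Weibull shape; > 1 means wear-out (IFR)
    max_replicates: int        # weight/volume constraint on M_k (1 = no room)
    dev_cost_per_month: float  # slope of pi_D in the development time tau_k
    growth_rate: float         # per month, assumed reliability-growth constant


WARRANTY = 8760.0                                  # one year, in hours
REPLACEMENT_INTERVALS = (4380.0, 2190.0, 1095.0)   # candidate T_k, hours
MAX_DEV_MONTHS = 12                                # longest admissible tau_k


def standard_reliability(c: Component, t: float) -> float:
    """R_kC(t): Weibull survival function of the standard component."""
    return exp(-((t / c.eta) ** c.shape))


def candidate_options(c: Component):
    """Yield (gamma_k, secondary, R_kP, C_kP, C_kD) for every admissible
    choice of Table 1; reliability is evaluated over the warranty period."""
    r_c = standard_reliability(c, WARRANTY)
    # gamma_k = 0: standard component, C_kP = C_k, C_kD = 0 (eqs. 2, 3)
    yield (0, None, r_c, c.unit_cost, 0.0)
    # gamma_k = 1: M_k active replicates, R = 1 - (1 - R_kC)^M_k, C_kP = M_k C_k
    for m in range(2, c.max_replicates + 1):
        yield (1, m, 1.0 - (1.0 - r_c) ** m, m * c.unit_cost, 0.0)
    # gamma_k = 2: replace every T_k hours; each fresh unit must survive its
    # own interval, so R = R_kC(T_k)^N_kW with N_kW = W / T_k, C_kP = N_kW C_k
    for t_k in REPLACEMENT_INTERVALS:
        n_kw = ceil(WARRANTY / t_k)
        yield (2, t_k, standard_reliability(c, t_k) ** n_kw, n_kw * c.unit_cost, 0.0)
    # gamma_k = 3: TAAF for tau_k months; the unreliability gap is assumed to
    # shrink as exp(-growth_rate * tau_k), pi_D is linear in tau_k and pi_P
    # charges a premium proportional to the reliability gained
    for tau in range(1, MAX_DEV_MONTHS + 1):
        r_dev = 1.0 - (1.0 - r_c) * exp(-c.growth_rate * tau)
        c_kp = c.unit_cost * (1.0 + 2.0 * (r_dev - r_c))
        yield (3, tau, r_dev, c_kp, c.dev_cost_per_month * tau)


def best_option(c: Component):
    """Cheapest admissible option with R_kP >= R_kA, or None if there is none
    (the article's remark that a constraint may end up unsatisfied)."""
    feasible = [o for o in candidate_options(c) if o[2] >= c.r_assigned]
    return min(feasible, key=lambda o: o[3] + o[4]) if feasible else None


def optimise(components):
    """Every constraint here is per component, so the mixed-integer problem
    separates and J is minimised component by component. Returns the chosen
    options, J, and R_P = h(R_1P, ..., R_KP) for a series structure function
    (eq. 1 with h = product)."""
    choices, total, r_product = {}, 0.0, 1.0
    for c in components:
        opt = best_option(c)
        if opt is None:
            raise ValueError(f"no option meets R_kA for {c.name}")
        choices[c.name] = opt
        total += opt[3] + opt[4]
        r_product *= opt[2]
    return choices, total, r_product


# Constructed component data for the three sub-systems of Example 1
COMPONENTS = [
    Component("gas detector", 0.999, 400.0, 2.0e5, 1.5, 3, 500.0, 0.3),
    Component("logic solver", 0.990, 2000.0, 3.0e5, 1.2, 2, 1000.0, 0.5),
    Component("shutdown valve", 0.995, 5000.0, 1.5e5, 2.0, 1, 3000.0, 0.2),
]

if __name__ == "__main__":
    chosen, cost, r_p = optimise(COMPONENTS)
    for name, (gamma, secondary, r_kp, c_kp, c_kd) in chosen.items():
        print(f"{name:15s} gamma={gamma} secondary={secondary} "
              f"R_kP={r_kp:.5f} C_kP={c_kp:.1f} C_kD={c_kd:.1f}")
    print(f"J = {cost:.1f}, predicted product reliability R_P = {r_p:.5f}")
```

On the constructed data the search lands on a different option for each component: duplicated detectors (γ = 1, M_k = 2), a short development programme for the logic solver (γ = 3, τ_k = 1) because its redundancy would cost more than the growth programme, and the standard shutdown valve as is (γ = 0). The problem separates into K independent searches only because every constraint is stated per component; a shared constraint such as a total weight budget would require enumerating the joint space, which is where the mixed-integer tools the article refers to in [14] come in.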

7. Conclusions

Product reliability is very important for both manufacturers and customers. Building in reliability is costly but the consequence of unreliability is costlier. In [1] we looked at optimal investment in reliability from a business perspective; it involves executing two tasks. The first task was the focus of [2] and the focus of this article is on the second task. We indicated the reliability specification at the component level to achieve the desired reliability at the product level. There are many other issues (such as data, management, etc.) that need to be addressed as part of the overall process. These are discussed in [7].

References

[1] Murthy DNP, Rausand M, Virtanen S. Investment in new product reliability. Reliability Engineering and System Safety, in press, doi:10.1016/j.ress.2009.02.031.
[2] Murthy DNP, Hagmark PE, Virtanen S. Product variety and reliability. Reliability Engineering and System Safety, in press, doi:10.1016/j.ress.2009.02.030.
[3] Østerås T, Murthy DNP, Rausand M. Product performance and specification in new product development. Journal of Engineering Design 2006;17:177–92.
[4] Blanchard BS. System Engineering Management. New Jersey: Wiley; 2004.
[5] Brodie CH. Integrating a requirements process into new product development. In: Belliveau P, Griffin A, Somermeyer SM, editors. The PDMA Toolbook for New Product Development. New Jersey: Wiley; 2004.
[6] Cooper RG. Winning at New Products—Accelerating the Process from Idea to Launch. Cambridge, MA: Perseus Publishing; 2001.
[7] Murthy DNP, Rausand M, Østerås T. Product Reliability—Specification and Performance. London: Springer; 2008.
[8] Pugh S. Total Design: Integrated Methods for Successful Product Engineering. Wokingham, MA: Addison-Wesley; 1991.
[9] Rausand M, Høyland A. System Reliability Theory: Models, Statistical Methods and Applications. Hoboken: Wiley; 2004.
[10] Østerås T, Murthy DNP, Rausand M. Reliability specification in new product development. International Journal on Product Development 2008;5:17–38.
[11] IEC 61508. Functional safety of electrical/electronic/programmable electronic safety-related systems. International Electrotechnical Commission, Geneva, 1997.
[12] Blischke WR, Murthy DNP. Reliability. New York: Wiley; 2000.
[13] Priest JW. Engineering Design for Producibility and Reliability. New York: Marcel Dekker, Inc.; 1998.
[14] Kuo W, Prasad VR, Tillman FA, Hwang CL. Optimal Reliability Design. Cambridge: Cambridge University Press; 2000.