Reliability Engineering 3 (1982) 193-202
SAFETY ASSESSMENT OF ELECTRO-EXPLOSIVE DEVICES
Bo BERGMAN
Aerospace Division, Saab-Scania AB, S-581 88 Linköping, Sweden (Received: 1 April, 1981)
ABSTRACT
The safety assessment of hot bridgewire electro-explosive devices (EEDs) based on a physical model is studied. The model is judged to be credible when the EED production process is under statistical control. A separate safety analysis of the production process is recommended. Under the suggested model some ideas on the experimental design and the evaluation of safety experiments are given.
1. INTRODUCTION AND SUMMARY
Electro-explosive devices (EEDs) are used not only in military systems as, for example, in emergency systems of military aircraft, but also in any device where impulse strengths are applied to initiate functions such as mechanism release, propulsion motor firing, etc. When called upon, they shall perform their required function with a very high probability; this we shall call the reliability aspect. There is, however, another aspect of EEDs, the safety aspect; initiation of an EED when not called upon may result in catastrophic consequences and thus unwanted explosions shall appear only with a very low probability. In this paper we shall primarily discuss the safety aspect from some different points of view. The ideas given here may occasionally also be applicable with respect to reliability aspects. There is, however, a great difference between the reliability and the safety aspects; in order to obtain high system reliability EEDs are often doubled (tripled, and so on), introducing redundancy into the system. This certainly increases the reliability but it reduces the safety of the system.

Reliability Engineering 0143-8174/82/0003-0193/$02.75 © Applied Science Publishers Ltd, England, 1982. Printed in Great Britain

Many types of EEDs are in use, but the most common, and the one to which we confine ourselves in this paper, is the hot bridgewire. An EED of this type consists of a wire situated in close contact with the primary charge. When a voltage is applied to the wire the temperature increase initiates the primary charge, which, operating the base charge, performs the required function. In order to avoid any inadvertent initiation from extraneous sources of energy careful investigations have to be carried out. Lightning is one of the most critical sources of energy, at least for EEDs in aircraft. Other sources may, for example, be continuity testing, bridgewire resistance measurements, electrostatic discharge from the capacity of the human body, electromagnetic induction from radar and communication equipment, etc. (see, for example, ref. 1).

In Section 2 we shall discuss a physical model of the ignition of an EED and build a mathematical model for the safety assessment of an EED. We compare this model with some other models earlier suggested for the same purpose. For the derivation in Section 2 it is assumed that the EEDs are produced under strict statistical control. This, however, may not always be the case. In Section 3 we suggest that this part of the safety aspect, i.e. the risk that the production process is out of control so that unsafe EEDs are produced, has to be taken care of through a detailed scrutiny of the production process. The technique we suggest is fault tree analysis (FTA), as described, for example, in a series of articles by Barlow et al. (ref. 2), which has been used in many other safety applications (see also refs. 3 and 4). In Section 4 we give a short comment on the system safety assessment and in Section 5 we return to the safety assessment of EEDs manufactured by a production process under statistical control. We discuss some statistical aspects of the safety assessment and suggest some important questions that should be answered in order to give satisfactory safety assessments. We also indicate some statistical methods to be employed.
Finally, in Section 6, we give some further comments, including a discussion on the applicability of the given ideas to other fields of interest from safety and reliability points of view as, for example, in the determination of endurance limits under fatigue. It should be emphasised that this note does not give an exhaustive description of how the safety assessment of an EED should be performed. It merely gives some hints on ideas, some of which are new, which should be employed together with other more established rules.
2. A MODEL
An EED is initiated by a current through a conductor situated in close contact with the primary charge (Fig. 1a). Thermal energy is transferred from the conductor to the primary charge and if the energy density at some point of the primary charge (Fig. 1b) is higher than the corresponding point of ignition (Fig. 1c) a chain reaction is started; the EED explodes.
[Fig. 1. A schematic illustration of the conductor and the primary charge (a), the energy density close to the conductor (b) and the critical energy density (point of ignition) close to the conductor (c). The fact that the ignition process may start somewhere in a volume instead of on a one-dimensional line has been neglected in the figure. Panel labels: (a) voltage U(t) across the conductor length; (b) energy density e(l); (c) critical energy density c(l).]
The EED is initiated if in some volume element of the explosive the actual energy density is larger than the corresponding critical one. Depending on local inhomogeneities both actual energy density and critical energy density vary throughout the volume. The actual energy density also varies due to the nature of the thermal dissipation through the EED. The pulse through the EED, both in amplitude and shape, affects the energy density within the explosive. Let us assume a constant shape but a voltage amplitude which is a free variable. For the same EED we cannot vary the amplitude, however, since either the EED is initiated at the first pulse or its characteristics may have been significantly changed (so-called 'dudding'). But we may perform imaginary experiments. Assuming a certain 'physical constitution' of the EED we may determine the critical voltage at which the EED would be initiated. In fact, this 'physical constitution', i.e. properties determining actual energy density for a given pulse and the critical energy density, is not known and it is not measurable through direct observation.

Let $e(U, v)$ be the actual energy density in the volume element $v$ if the pulse (voltage) amplitude is $U$, and let $c(v)$ be the critical energy density. It is rather natural to assume that

$$e(U, v) = U e'(v) \qquad (1)$$

for some function $e'(v)$ defined on the volume $V$. The EED is initiated at amplitude $U$ if

$$\min_{v \in V} \, [c(v) - e(U, v)] < 0$$

or equally if

$$U \ge U_c = \min_{v \in V} c(v)/e'(v).$$
Since $e'(v)/c(v)$ is a random function depending on local inhomogeneities in the primary charge and in the wire it is natural to assume that the random variable $U_c$, the critical voltage level, has some sort of extreme value distribution. (For a theory on extremes see ref. 5.) Since the variable is necessarily positive it is natural to assume that $U_c$ is Weibull-distributed with unknown scale and shape parameters $\alpha$ and $\beta$ with cumulative distribution function (cdf)

$$P(U_c < u) = 1 - \exp\{-(u/\alpha)^{\beta}\}.$$

To our knowledge, this is the first time a Weibull model has been suggested for the critical level of a randomly selected EED in spite of its natural physical interpretation as an extreme value distribution. Earlier models assume normal, lognormal or logistic distributions merely because of the existence of available routines for the interpretation of experimental data. For the safety assessment of EEDs, however, it is very important to have a natural and physically plausible model, since otherwise results obtained by extrapolation to the tails of the distribution function may very easily be misleading. Indeed, from a theoretical point of view, one would prefer a completely non-parametric approach, i.e. no assumptions regarding the shape of the cdf of the threshold values. This, however, would imply that an unrealistically large number of experiments would have to be performed in order to make an acceptable assessment of the safety of a randomly chosen EED. Thus we have to rely on some credible model for the cdf. The above suggested model seems to be realistic, in fact, much more realistic than those previously suggested, which had no plausible physical interpretation.

Even if the Weibull model seems realistic some objections may be posed. We have made an assumption that the production process is under strict statistical control, meaning that local properties, e.g. inhomogeneities, introduce much more variation among the EEDs than do the more low frequency disturbances such as batch to batch variation. This is a very restrictive assumption. If it is not quite fulfilled the model may still be adequate for a short sequence of produced EEDs but for a larger number of EEDs we may in fact have a mixing between different sub-sequences for each of which the Weibull model is adequate. This means that for an EED randomly selected from a large production we may be forced to assume that its threshold value is distributed as a mixture of Weibull cdf's. Since a mixture of Weibull cdf's generally is not quite a Weibull cdf, we have obtained a very clumsy model since both the parameters in the Weibull cdf's as well as the mixing distribution are unknown. To circumvent this type of problem we recommend that the Weibull model is used but that its validity is restricted only to the left tail, i.e. that part of the cdf which is of interest for the safety assessment. This more general model should be adequate even if the production process does not quite fulfil the restrictive assumption of being under strict statistical control, since it is reasonable to approximate the tail of a mixture of Weibull cdf's by using a Weibull cdf.

It should be emphasised that this model only gives a partial answer to the safety assessment problem. Other aspects are studied in Sections 3 and 4. However, other model situations might also be of interest, such as, for example, in problems concerning other types of parameter, e.g. pulse shape and duration (in these cases thermal models of the EED become very important; see for example ref. 6) and other types of ignition, e.g. incorrect formation of sparks between wires or between wire and case or by thermal or mechanical energy inputs.
3. THE PRODUCTION PROCESS
In order to give a complete safety assessment of an EED it is necessary not only to analyse the safety of an EED produced by a production process under (almost) strict statistical control, but also we must analyse the production process per se, especially the risk that the production process goes out of control in a way such that defective and unsafe EEDs are produced and also pass the quality control and eventually come into use. For this purpose we suggest the use of the FTA (fault tree analysis) technique as presented in ref. 2, for example. A fault tree analysis is a systematic top-down procedure starting from an unwanted event at the top level deduced from lower level events in as few steps as possible. Some good examples are given in refs. 3 and 4. In Fig. 2 the first steps in a fault tree for the analysis of the event 'unsafe EED delivered' are given.

In order to go further down the fault tree, as well as for the quantification, a special production process has to be studied and a thorough knowledge of this process is required. That task is out of the scope of this paper. However, it should be noted that a thorough FTA of the production process may give direct improvements in the safety level, since FTA is a very powerful tool for the identification of critical components and procedures in the production process; these critical points may then be eliminated to increase the safety level of the EEDs.

[Fig. 2. The very beginning of a fault tree for the analysis of the event 'unsafe EED delivered'. Node labels as far as they can be recovered from the figure: 'Unsafe EED delivered' (top event); 'Production fault'; 'Quality control fault'; 'assume high local energy density'; 'assume high overall energy density'; 'EED prone to assume a low local critical energy density'; 'EED prone to assume a low overall critical energy density'; 'High local energy density on conductor surface'; 'Local energy accumulation'; 'Overall energy accumulation'; 'Too small resistance'; 'Wrong conductor material'.]
4. SYSTEM SAFETY
Analyses of system safety for systems in which EEDs are situated require that not only the EED as such is studied from a safety point of view but also that the different sources of energy (cf. Section 1) which may initiate the EED are investigated. We shall not go further into this question here but we recommend fault tree analysis to be used.
5. STATISTICAL ASPECTS
In order to perform the safety assessment of an EED produced in a production process under strict statistical control some statistical problems arise; from a limited number of firings of EEDs the parameters of the approximating Weibull cdf have to be estimated. This is a difficult problem since only the first firing of each selected EED may be used; this means that the threshold level is not directly observable. If the EED exploded at the level used we only know that the threshold level of this EED was lower than the given level and we have the opposite information if it did not explode. We cannot reuse a fired, unexploded EED because the firing may have changed the characteristics of the EED if it did not explode; this change of characteristics is often called 'dudding'. We have to consider each firing as a destructive test. Two types of statistical problems have to be solved in order to perform the safety assessment:

(1) Experimental design.
(2) The estimation procedure.
Similar statistical problems arise in bioassay and in the determination of fatigue endurance limits; they are often called quantal response problems. Methods have been adopted for the normal and logistic distributions (refs. 7 and 8), and purely nonparametric methods have also been developed (ref. 9). Here we shall indicate how Bayesian statistical analysis may be used in order to determine an experimental design and to estimate the parameters of the approximating cdf.

We assume that we have some, possibly vague, ideas about scale and shape parameters of the approximating cdf, and that these ideas may be expressed by using a bivariate density function $g'(a, b)$, $0 < a < \infty$, $0 < b < \infty$, the prior density function for the parameters $\alpha$ and $\beta$. After an observed firing result at level $x$ the prior density function is updated to give a posterior density:

$$g''(a, b) \propto \begin{cases} g'(a, b) \exp\{-(x/a)^{b}\} & \text{no explosion} \\ g'(a, b)\,(1 - \exp\{-(x/a)^{b}\}) & \text{explosion} \end{cases}$$

Here the symbol $\propto$ means 'proportional to'. The level $x$ is chosen so that, prior to the experiment, the expected increase in the Bayesian confidence limit of an extreme left tail percentile is maximised. However, levels which, according to the prior information, may be from the right tail of the approximating cdf should be avoided. This procedure is repeated until the total number of firings devoted to the experiment is finished. For a more detailed description we refer to a forthcoming paper. Some numerical problems arise when the above procedure is applied, but these problems may be solved by using a discrete prior distribution with a finite support.
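An added example (not code from the paper): the posterior update and level selection described above, run on a discrete prior with finite support. The grid, firing levels, device thresholds, the 0.95 confidence level, the 0.001 percentile and the `max_fire` cut-off are constructed assumptions; `choose_level` takes separate estimation and design weights, so it also covers the proposer-opposer strategy of Note 3.

```python
import math

def cdf(x, a, b):
    """Weibull cdf P(Uc < x) = 1 - exp(-(x/a)^b): chance of initiation at x."""
    return 1.0 - math.exp(-((x / a) ** b))

def flat_prior(a_vals, b_vals):
    """Discrete prior with finite support: equal weight on every (a, b)."""
    grid = [(a, b) for a in a_vals for b in b_vals]
    return grid, [1.0 / len(grid)] * len(grid)

def update(grid, w, x, exploded):
    """Posterior weights g'' after one destructive firing at level x."""
    post = [wi * (cdf(x, a, b) if exploded else 1.0 - cdf(x, a, b))
            for (a, b), wi in zip(grid, w)]
    total = sum(post)
    return [pi / total for pi in post]

def percentile(a, b, p):
    """Level u_p with P(Uc < u_p) = p under a Weibull(a, b) model."""
    return a * (-math.log1p(-p)) ** (1.0 / b)

def lower_limit(grid, w, p, conf=0.95):
    """Bayesian lower limit for u_p: the (1 - conf) quantile under weights w."""
    cum = 0.0
    pairs = sorted((percentile(a, b, p), wi) for (a, b), wi in zip(grid, w))
    for u, wi in pairs:
        cum += wi
        if cum >= 1.0 - conf:
            return u
    return pairs[-1][0]

def predictive(grid, w, x):
    """Probability of an explosion at level x, averaged over weights w."""
    return sum(wi * cdf(x, a, b) for (a, b), wi in zip(grid, w))

def choose_level(grid, w_est, w_design, candidates, p, max_fire=0.2):
    """Level maximising the expected lower limit of u_p after the firing.

    The current limit is a constant, so this also maximises the expected
    increase. The expectation uses w_design, the limit uses w_est (Note 3).
    Levels whose predicted explosion probability exceeds max_fire (an
    assumed cut-off for 'right tail') are skipped.
    """
    best_x, best_val = min(candidates), -math.inf
    for x in candidates:
        q = predictive(grid, w_design, x)
        if q > max_fire:
            continue
        val = (q * lower_limit(grid, update(grid, w_est, x, True), p)
               + (1.0 - q) * lower_limit(grid, update(grid, w_est, x, False), p))
        if val > best_val:
            best_x, best_val = x, val
    return best_x

def run_experiment(thresholds, grid, w, candidates, p):
    """Sequential design; a device explodes if the level reaches its threshold."""
    log = []
    for uc in thresholds:
        x = choose_level(grid, w, w, candidates, p)
        w = update(grid, w, x, x >= uc)
        log.append((x, x >= uc, lower_limit(grid, w, p)))
    return log, w

# Constructed sample values in arbitrary voltage units, not data from the paper.
A_VALS = [8.0 + i for i in range(13)]      # candidate scale parameters a
B_VALS = [2.0 + j for j in range(7)]       # candidate shape parameters b
LEVELS = [2.0, 3.0, 4.0, 5.0, 6.0, 7.0]    # firing levels open to the design
THRESHOLDS = [11.2, 9.4, 13.0, 6.5, 10.1, 12.3, 8.8, 14.6]  # hidden Uc values

if __name__ == "__main__":
    grid, w0 = flat_prior(A_VALS, B_VALS)
    log, _ = run_experiment(THRESHOLDS, grid, w0, LEVELS, p=0.001)
    for x, exploded, limit in log:
        print(f"level {x:4.1f}  exploded={exploded!s:5}  lower limit = {limit:.3f}")
```
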
5.1. Note 1

The experimental design most popular for the design of EED experiments seems to be the 'Bruceton method', also called the 'up and down method'. For a description of this experimental design see, for example, ref. 10. The Bruceton method certainly gives a reasonable design if one is interested in the median or the central parts of the cdf, but it does not maximise the precision in the tails. Since for the safety assessment we are mainly interested in the extreme left tail, our suggested experimental design should give a much better result than does the Bruceton method.

5.2. Note 2

The previous ideas on the scale and shape parameters $\alpha$ and $\beta$ of the approximating Weibull distribution may have been gained from experiments on similar EEDs or may also have been gained through an initial experimentation possibly neglecting the effects of dudding. However, since for safety assessment we should be conservative rather than optimistic it is recommended that a rather vague prior is used, i.e. the prior density function should be flat.

5.3. Note 3

Sometimes we feel that we have much more information than we really want to use since we want to be able to defend the safety assessment against most critics. Then we may use what we shall call the 'proposer-opposer strategy'. According to this strategy the estimation procedure uses a conservative prior density function (the prior of the opposer) but for the experimental design we use all available information formalised in a second prior density function (the prior of the proposer). Hence, for each firing we choose the level $x$ such that the expected (with respect to the prior of the proposer) increase in the Bayesian confidence limit (utilising the prior of the opposer) of an extreme left percentile is maximised. This strategy has, to our knowledge, never been suggested before.

From a safety point of view the possible existence of dudding introduces at least three different types of problem:

(1) Each firing has to be considered as a destructive test even if no ignition occurred. This means that from each firing we obtain a very limited amount of information, forcing us to use extensive testing in order to obtain acceptable safety assessments.
(2) If we had had no dudding a safe level might have been obtained for an EED by the use of proof-testing, i.e. by testing each EED at a certain level to assure that its threshold value is above this level. If some dudding, which decreases the threshold level, is present then we cannot claim that EEDs having passed the proof test have a safe level. Even if it was known that dudding makes an EED more insensitive it is not certain that proof-testing should be recommended. In this case safety and reliability efforts are conflicting.
(3) In field-use many EEDs will experience small electric shocks, possibly introducing some amount of dudding. In a complete safety assessment of EEDs this fact should be taken into account.
Even if dudding is very important to the safety assessment, very little is found about it in the literature. Therefore we suggest that the degree and effects of dudding are studied in future experiments. It should also be observed that non-ignited EEDs from the earlier suggested experiments may be used for this purpose. New statistical methods useful for these experiments need to be suggested. Another closely related aspect which has to be studied is the effect of ageing. No reasonable model or adequate experimentation seems to be available.

6. FURTHER COMMENTS
As indicated earlier in this paper, many of the ideas presented may also be useful for safety and reliability assessment procedures for products other than EEDs. Some important points are listed below:

(1) The statistical model utilised should be based on a physically acceptable model; extrapolation results might otherwise be rather meaningless.
(2) The statistical investigation should be based on the assumption that the production process is under statistical control. The risk of unsafe products being produced by a process out of control has to be investigated in a special analysis of the production process.
(3) The possibility of mixtures has to be taken into account, e.g. by claiming the suggested model to be adequate only in the tail of the distribution.
(4) Bayesian statistical analysis is appropriate for experimental design and for the estimation procedure. (However, such fallacies as those presented by Brand (ref. 11) shall, and can, be avoided.) Sometimes the 'proposer-opposer strategy' presented in Note 3 may be advantageous.
Other points, e.g. the system safety analysis through environmental analysis and fault tree analysis, are of great general importance, but the study of these techniques lies outside the scope of this paper. A report on an EED safety experiment designed and evaluated according to the above ideas will be given elsewhere.
ACKNOWLEDGEMENT

I wish to thank Mr B. Wahlgren at Saab-Scania AB for stimulating discussions on safety aspects of EEDs.
REFERENCES

1. STEcr~R, E. J. Safety electro-explosive devices, presented to the 5~th Air Force Industry Conference, Holex Technical Information, Riverside, California, 1961.
2. BARLOW, R. E., FUSSELL, J. B. and SINGPURWALLA, N. D. (eds). Reliability and fault tree analysis, SIAM, Philadelphia, 1974.
3. LAWLEY, H. G. Safety technology in the chemical industry: A problem in hazard analysis with solution, Reliability Engineering, 1(2) (1980), pp. 89-113.
4. LEES, F. P., ANDOW, P. K. and MURPHY, C. P. The propagation of faults in process plants: A review of the basic event/fault information, Reliability Engineering, 1(2) (1980), pp. 149-63.
5. BARLOW, R. E. and PROSCHAN, F. Statistical theory of reliability and life testing: Probability models, Holt, Rinehart and Winston, Inc., New York, 1975.
6. AUDONE, B. and BOLLA, L. An approach to aircraft ordnance test requirements of MIL-E-6051D, International Symposium on EMC, IEEE, 1976.
7. FINNEY, D. J. Probit analysis, 3rd edn., Cambridge University Press, London, 1971.
8. BERKSON, J. A statistical, precise and relatively simple method of estimating the bio-assay with quantal response on the logistic function, J. Am. Stat. Ass., 48 (1953), pp. 565-99.
9. RAMSEY, F. L. A Bayesian approach to bioassay, Biometrics, 28 (1972), pp. 841-58.
10. HAMPTON, L. O., BLUM, G. D. and AYRES, J. N. Logistic analysis of Bruceton data, Naval Ordnance Laboratory, NOLTR 73-91, 1973.
11. BRAND, M. R. An examination of certain Bayesian methods used in reliability analysis, Reliability Engineering, 1(2) (1980), pp. 115-25.
12. LITTLE, R. E. The up and down method for small samples with extreme value response distributions, J. Am. Stat. Ass., 69 (1974), pp. 803-6.
13. LITTLE, R. E. and JEBE, E. H. Statistical design of fatigue experiment, Wiley, New York, 1975.
14. YRIBARREN, J. P. and BENEDETTI, G. Testing electro-explosive devices by Bruceton method with an APL program for the analysis of results, European Space Agency, ESA TM-161 (ESTEC), 1976.