This application was made with government support under Contract No. NNMO6AB13C awarded by NASA. The Government may therefore have certain rights in this invention.
BACKGROUND OF THE INVENTION
This application relates to failure detection systems, and more particularly to a method for determining the risk reduction of a given failure detection system.
A failure detection system (“FDS”) may be used to identify failure signatures (e.g. a loss of engine coolant) indicative of failure modes (e.g. a radiator leak) in the hope that identification of the signature can prevent the failure mode from causing a failure limit (e.g. engine reaching temperature at which engine block will crack).
SUMMARY OF THE INVENTION
A process includes determining a probability of a failure mode of a system being analyzed reaching a failure limit as a function of time to failure limit, determining a probability of a mitigation of the failure mode as a function of a time to failure limit, and quantifying a risk reduction based on the probability of the failure mode reaching the failure limit and the probability of the mitigation.
A computer-implemented system includes a storage module and a microprocessor. The storage module stores at least one failure mode and at least one failure signature for a system being analyzed. The microprocessor is operable to determine a probability of the at least one failure mode of the system being analyzed reaching a failure limit as a function of time to failure limit, determine a probability of a mitigation of the failure mode as a function of a time to failure limit, and quantify a risk reduction based on the probability of the failure mode reaching the failure limit and the probability of the mitigation.
These and other features of the present invention can be best understood from the following specification and drawings, the following of which is a brief description.
BRIEF DESCRIPTION OF THE DRAWINGS
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
A failure detection system (“FDS”) seeks to predict or provide notification of failures, to give a system operator an opportunity to prevent the occurrence of a failure limit in a system being analyzed (e.g., aircraft, automobile, welding process, etc.). Using the example of an automobile, a FDS could be, for example, a simple engine warning light, or a temperature gauge. A more primitive FDS could correspond to simply performing a manual inspection of a structure, such as a vehicle. As another example, a FDS may correspond to a Health and Usage Monitoring System (“HUMS”) used to monitor the health of critical components of a vehicle, such as a rocket, and used to collect operational flight data utilizing on-board accelerometers, sensors, and avionic systems. One example of a HUMS FDS is the Advanced Health Management System (“AHMS”). A system being analyzed may have no FDS, such that a failure mode is simply allowed to follow its natural course which may or may not lead to a failure limit.
In a given system, there may be a plurality of failure modes. A failure mode is a characteristic manner by which a failure occurs. A failure mode may represent a specific way in which a system, device or process (e.g., aircraft, automobile, welding process, etc.) can fail.
Using the example of an automobile, one example failure mode is a radiator leak. This failure mode has many possible consequences. For example, as a result of the radiator leak, the engine could overheat beyond a threshold temperature, resulting in a final outcome of a cracked engine block, causing the engine to no longer work. Another example consequence could be an engine heating causing a gas line to break, with a final outcome of an engine fire.
A failure mode may have an associated failure limit, which is defined as a failure threshold that can occur if a failure mode is left untreated. For example, a failure limit may be a known engine temperature beyond which engine damage will occur. A FDS seeks to predict or provide notification of a failure mode, to give a system operator an opportunity to prevent a failure limit from occurring.
A signature is a basic failure building block that is indicative of a given failure mode. For example, signatures of a radiator leak failure mode could include loss of engine coolant, and could also include a gas line leak. Each signature may have an associated time-to-failure limit (“TTFL”), which is an elapsed time from an onset of the failure signature until a system reaches a failure limit.
It can be useful to compare different failure detection systems. For example, if a new FDS was very costly, a service provider of the FDS may wish to justify the increased cost of the FDS by demonstrating its improvement over a previous FDS. This improvement could be represented in the form of a risk reduction of the FDS. Equation 1, shown below, may be used to determine a risk reduction of a FDS.
$$R.R._{fraction} = \frac{FPMM_{reduced\_by\_FDS}}{FPMM_{original}} \qquad \text{(equation \#1)}$$
where R.R._{fraction} is a risk reduction fraction;
FPMM_reduced_by_FDS is a failure limit occurrence probability reduction (optionally measured in failures per million missions) after application of a selected failure detection system; and
FPMM_original is a failure limit occurrence probability reduction (optionally measured in failures per million missions) prior to application of the selected failure detection system.
A risk probability is determined for each of the plurality of failure modes (step 106). The risk probability corresponds to a likelihood that a selected failure mode will occur. In one example the probability is determined as a failure per million missions (“FPMM”), which is the failure probability of $10^{-6}$ per mission. Of course, other probability benchmarks could be used. Various sources of information may be used for this determination, such as historical data, engineering analysis, and test and field usage data. Engineering analysis data may include, for example, data from computer simulations. Thus, both historical data of actual failures and predicted data of future failures may be used in determining the FPMM risk probability.
A robust risk probability determination may include accounting for variations in a given system. Using the example of an engine, when the engine comes off an assembly line, there are often variations of engine characteristics between engines produced from the same assembly line. For example, dimensions, pump efficiency, duct resistance, etc. may vary from one engine to another due to a margin of error in manufacturing. This can make predicting engine performance and predicting engine failure challenging. To address this difficulty, computer software may be used to generate random values (e.g., engine efficiencies, engine resistances, etc.) within a predicted range of variation. These randomly generated values may be used to produce a predicted cluster of engine builds, which could include both high performing and low performing engines. This predicted cluster could then be used in the determination of step 106. In one example the Monte Carlo class of computational algorithms may be used to determine a predicted cluster of engine builds. Of course, other algorithms and computer-based software and simulations could be used.
A correlation ranking is determined for each of the plurality of failure signatures according to a scale (step 108). The correlation ranking corresponds to a likelihood that a given signature represents the at least one failure mode. In one example the scale is 0-5, with 5 corresponding to a strong correlation between the failure mode and signature, and 0 corresponding to no correlation between the failure mode and the signature. Of course, other scales and values could be used. Sources used in determining the correlation ranking could include, for example, historical data, engineering analysis and expert opinion.
Returning to the example failure mode of an automobile radiator failure, the signature of an engine overheating may be assigned a correlation value of “5” (high correlation to radiator failure), the signature of a gas line rupture may be assigned a ranking of “1” (low correlation to radiator failure), and a signature of loss of tire pressure may be assigned a rank of “0” (no correlation to radiator failure).
A failure mode risk probability is determined for each of the plurality of signatures for that failure mode (step 110). The risk probability compares a ranking of a selected signature to a sum of all rankings for a failure mode, and may be calculated using equation #2 below.
$$FPMM_{i,j} = \frac{\mathrm{Rank}^{*}_{j}}{\sum_{m=1}^{m=n} \mathrm{Rank}^{*}_{m}} \, FPMM_{i} \qquad \text{(equation \#2)}$$
where i is a failure mode number;
j is a signature number;
n is a quantity of signatures for the failure mode; and
FPMM_{i,j} is a failure limit occurrence probability reduction for the given failure mode (see step 106).
As an example, assume that an automobile radiator failure is a first failure mode, and has a risk probability from step 106 of “10” (FPMM_1=“10”). Assume also that signature 1 has a correlation rank of 5, signature 2 has a correlation rank of 1, and signature 3 has a correlation rank of 0. The denominator in equation #2 would be 5+1+0=6 (sum of correlation rankings). Signature 1 would then be assigned a risk probability of
$$\frac{5}{6} \times 10 = 8.33 \quad (FPMM_{1,1}),$$
signature 2 would be assigned a risk probability of
$$\frac{1}{6} \times 10 = 1.67 \quad (FPMM_{1,2}),$$
and signature 3 would be assigned a risk probability of
$$\frac{0}{6} \times 10 = 0.0 \quad (FPMM_{1,3}).$$
Adding the various risk probabilities would yield a failure mode 1 total risk probability of 8.33+1.67+0.0=10.0.
For each failure signature having a non-zero correlation ranking, a distribution is determined (step 112) corresponding to a probability that the signature will occur at a given TTFL. The distribution is a failure probability density function (“f function”). The “f function” captures a tendency of a signature to occur slowly (large TTFL), or quickly (small TTFL). Each “f function” may be determined in response to historical data, engineering modeling, and engineering judgment, for example.
An effectiveness score, or “g function,” corresponding to an ability to respond to each of the signatures to prevent a failure using a FDS as a function of TTFL is determined (step 114). Each “g function” may be determined in response to engineering modeling of a system, the FDS, and failure signatures over a range of TTFL values, for example. A “g function” is solely failure signature dependent, and is considered to be the same for all failure modes. In one example the “g function” values range from “0” in which a failure cannot be prevented (not effective at all) to “1” in which there is adequate time to prevent a failure (fully effective).
A failure limit occurrence probability reduction for each of the plurality of signatures is calculated (step 116) using equation #3 below:
$$F.L.O.P.R._{i,j} = \frac{FPMM_{ij}}{T} \int_{0}^{T} \frac{\int_{0}^{T-t} f_{ij}(TTF)\, g_{j}(TTF)\, dTTF}{\int_{0}^{T-t} f_{ij}(TTF)\, dTTF}\, dt \qquad \text{(equation \#3)}$$
where i is a failure mode number;
j is a signature number;
T is a total mission duration;
t is a mission elapsed time; and
F.L.O.P.R._{i,j} is the probability that a failure mode would reach a failure limit for a selected failure mode and a selected failure signature in the system being analyzed but is mitigated by an FDS.
The FDS F.L.O.P.R. for a given TTFL is the product of “f functions” and “g functions” for that TTFL. For example, if the probability that the failure signature occurs at a TTFL of 0.1 seconds is f(0.1)=0.8 but the effectiveness at 0.1 seconds is g(0.1)=0.0, then there is insufficient time to react to the failure signature, the failure limit will be reached, and no risk reduction can be realized (0.8*0.0=0.0). Equation #3 takes into account the reduction in the TTFL range of interest as a mission proceeds. For example, for a mission duration of 520 seconds, the TTFL range of interest at the beginning of the mission is a range of 0.0-520.0 seconds since a failure can start at time=0.0 and fail right at the end of the mission (time=520). At mission time t, the TTFL range of interest is 520.0−t since any failures taking longer than 520.0−t will occur after the mission is over, and the only time of concern is during the mission. The calculation of equation #3 above assumes that the risk of failure is uniform throughout the mission. The denominator of equation #3 is a normalizing function, which ensures that the result of the integration $\int_{0}^{T}$ is in a range of 0-1.
Steps 106-116 may be selectively repeated for a plurality of failure modes (step 118).
A sum of failure limit occurrence probability reductions for all failure modes and signatures is calculated (step 120) to predict the overall failure limit occurrence probability reduction for the FDS, using equation #4 below.
$$F.L.O.P.R._{overall} = \sum_{i=1}^{m} \sum_{j=1}^{n} F.L.O.P.R._{i,j} \qquad \text{(equation \#4)}$$
where m is a quantity of failure modes;
n is a quantity of signatures; and
F.L.O.P.R._{overall} is a probability that a failure limit would be reached in the system being analyzed but is mitigated by a FDS.
Once the sum from step 120 is available, the sum may be compared to (e.g. divided by) an overall failure limit occurrence probability in the system being analyzed without implementation of the FDS to determine a FDS risk reduction fraction, as shown in equation #1 (step 122).
Referring again to the example of an automobile, assume that a failure probability before introducing an FDS is 100 FPMM, and assume that each “mission” is a 100 mile drive at 60 MPH. Failure modes may include radiator failure, tire failure, and transmission failure. Failure signatures may include engine heating, loss of power to wheels, and loss of ability to accelerate. A maximum TTFL of interest at the beginning of the mission is 100/60=1.67 hours, which decreases to zero at the end of the mission. Assume that introduction of an FDS reduces the overall risk by 50 FPMM (the sum of the contributions of all the signatures over all the failure modes); this yields a risk reduction of 50% (by using equation #1).
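The procedure of steps 106-122 (equations #1 through #4) carried out numerically, as an added example that is not part of the original application. The f and g functions, the midpoint-rule integration, all function names, and the treatment of the overall probability without an FDS as the sum of the failure-mode FPMM values are assumptions made for illustration.

```python
import math

def apportion(fpmm_i, ranks):
    """Equation #2: split failure mode i's FPMM across its signatures by rank."""
    total = sum(ranks)
    return [fpmm_i * r / total if total else 0.0 for r in ranks]

def midpoint(func, a, b, n=200):
    """Midpoint-rule integral (an assumed numerical method); skips the endpoints."""
    h = (b - a) / n
    return h * sum(func(a + (k + 0.5) * h) for k in range(n))

def flopr(fpmm_ij, f, g, T):
    """Equation #3 for one (failure mode, signature) pair."""
    def mitigated_fraction(t):
        window = T - t                     # TTFL range still inside the mission
        den = midpoint(f, 0.0, window)     # normalizing integral of f
        if den == 0.0:                     # assumption: nothing can fail in-mission
            return 0.0
        return midpoint(lambda x: f(x) * g(x), 0.0, window) / den
    return fpmm_ij / T * midpoint(mitigated_fraction, 0.0, T)

def risk_reduction(modes, T):
    """Equation #4 (sum over modes and signatures), then equation #1 (ratio)."""
    reduced = original = 0.0
    for fpmm_i, signatures in modes:       # signatures: list of (rank, f, g)
        shares = apportion(fpmm_i, [rank for rank, _, _ in signatures])
        for share, (rank, f, g) in zip(shares, signatures):
            if rank > 0:                   # step 112: only non-zero rankings get an f
                reduced += flopr(share, f, g, T)
        original += fpmm_i
    return reduced / original

# Constructed sample data (not from the page), in hours: a 100 mile drive at 60 MPH.
T_HOURS = 100 / 60

def f_exp(ttf):                            # constructed f function: most onsets fail fast
    return 2.0 * math.exp(-2.0 * ttf)

def g_ramp(ttf):                           # constructed g function: fully effective at 15 min
    return min(1.0, ttf / 0.25)

# Radiator failure mode from the text: 10 FPMM, signature ranks 5, 1 and 0.
RADIATOR = (10.0, [(5, f_exp, g_ramp), (1, f_exp, g_ramp), (0, None, None)])

if __name__ == "__main__":
    print(f"risk reduction fraction: {risk_reduction([RADIATOR], T_HOURS):.3f}")
```

A g function that is 1 everywhere returns the full FPMM share and one that is 0 everywhere returns nothing, which gives two quick sanity checks on any f and g supplied in place of the constructed ones.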
While applications for an automobile have been described for the sake of simplicity of explanation, it is understood that in the disclosed embodiment the method 100 could be utilized in a FDS for other systems, such as gas turbine engines.
Although embodiments of this invention have been disclosed, a worker of ordinary skill in this art would recognize that certain modifications would come within the scope of this invention. For that reason, the following claims should be studied to determine the true scope and content of this invention.