AFRPL-TR-76-99 No. 9006-085-1

RELIABILITY ESTIMATING PROCEDURES FOR ELECTRIC ANDTHERMOCHEMICAL PROPULSION SYSTEMS

FINAL REPORT

VOL I

BOOZ ALLEN APPLIED RESEARCH4733 BETHESDA AVENUEBETHESDA, MARYLAND 20014

FEBRUARY 1977

APPROVED FOR PUBLIC RELEASE

COPY AL DOES M DISTRIBUTION UNLIMITEDFRMIT UI',Y LE5'LE FtOE CTION

cDDCPrepared for:

AIR FORCE ROCKET PROPULSION LABORATORY

DIRECTOR OF SCIENCE AND TECHNOLOGYAIR FORCE SYSTEMS COMMANDEDWARDS APB, CALIFORNIA 93523j D

NOTICES

When U.S. Government drawings, specifications, or other dataare used for any purpose other than a definitely relatedgovernment procurement operation, the government therebyincurs no responsibility nor any obligation whatsoever andthe fact that the government may have formulated, furnished,or in any way supplied the said drawings, specifications orother data, is not tc be regarded by implication or otherwise,or in any manner licensing the holder or any other person orcorpor:,tion, or conveying any rights or permission tomanufacture, use, or sell any patented invention that may inany way be related thereto.

This final report was submitted by Booz, Allen Applied Re-search, 4733 Bethesda Avenue, Bethesda, Maryland 20014,under contract F04611-75-C-0039, job order number 305811TG,with the Air Force Rocket Propulsion Laboratory, EdwardsAFB, California.

This report has been reviewed by the Information Office(01) and is releasable to the National Technical Infor-mation Service (NTIS). At NTIS, it will be available tothe general public, including foreign nations.

This technical report has been reviewed and is approved forpublication.

M LVI -THOMAS W. WADDELLChief, Satellite Propulsion

Section

EDWARD E. STEINDeputy Chief, Liquid Rocket Division

IINVI Ae'sIF IFnSECURITY CLASS' FICATION OF THIS OAGE ("oner Daete Entered)

4 4)PORTDOCUENTAION AGEREAD INSTRUCTIONSj~yEORT OCUENTAION AGEBEFORE COMPLETING FORM2. GOVT ACCESSION No. 3. PECIP'FPTS CATALOG NUMBER

;AFRPL -76-9

RELIABILITY 1.$TIMATING fOCEDURES FOR 'ELECTRIC) -Fna T. ep~-wfttpXAND THERMOCliMICALPRO SOSYSTEMS* Mar*'?"75 - Dec~w ",6

irk 'V*SrWVWURfMING OFIG'EPO RT NUMBER

0, N R ACT OR G3RANT NUMERj')

9. PERFORMING ORGANIZATION NAME AND ADDRESS 10. PROGRAMf ELEMENT. PROJECT, TASK

Booz Allen Applied Research ~4733 Bethesda Avenue V

T.MONITORING AGENCY NAME & AOORESS(II diff.eent fromn Controlling Office; 1S. SECURITY CLX otf*N&?YP

UNCLASSIFIED15a. DECLASSIFICATION/0OWNGRADING

SCHEDULE

is. DISTRIBUTION STATEMENT (of this Report)

APPROVED FOR PUBLIC RE LEASE; DISTRIBUTION UNLIMITED

17. DISTRI u ST TEk Tot asrattred IK ' 1118 20,. h4f*m&ftm 2" --.

III. SUPPLEMENTARY MOTES

19. K EY WORDS (Continue on reverse side it necessary tvnd identify by block number)

Fault tree analysis Bi propellant systemsPulse plasma systems Reliability estimation

Hydrazine Monopropellant systems

ft ABSTRACT (Continue an roverso side if neo.eeery ad Identify by block number)he primary objective of this study was to develop a sound standardized basisfor reliability comparisons of thermochemical and electric propulsion conceptsapplicable to Air Force satellite, spacecraft, and upper-stage mission require-ments. A corollary objective was the identification of those propulsionsystem components which are currently the major contributors to propulsionsystem failiures. eNearly one hundred component level and failure mode levei models were developed__

DO S AN7 1473 1OION OF I NOV 65 IS OBSOLETE IINCLASSIFIED1ECURITY CLASSIFICATION OF THIS PAGE ("oen Data Entoeod) *

UNCLASSIFIEDSECURIT% CLASW1FICATON OF THIS PAGE(When Date Entnted)

in the course of the study. Constant and increasing failure rates wereincluded to address erosion wear, and fatigue failure, as well as randomfailures. Principal varia les in these expres:ions inc;uded mission duration,operating time, and the n mber of operating cycles. For special cases (suchas engine valves, inje rs, thrust chambers) where design approacies werevaried, the design I' e goals for the specific application were included

d u 4ables.

Cnherent in the realiability modeling was a quantitative assessment of theuncertainty associated with each estimate. )The log normal distribution wasused as the uncertainty model for each c onent. The parameters character-izing the log normal distribution f5 ech application were determinedwhere possible from the sc statistical variance of reported failurerates f ach-eacb4poneff.

ISystem level assessments were performed using functionally oriented faulttrees. The functional approach was used to yield fault trees that areleast affected by changes and revisions at the component level. Systemassessments were performed by aggregating the component reliability ariduncertainty results through the fault tree logic using computer programsand approximation techniques which were modified or developed for thispurpose.

'Si"' ;,qH fl

0

0GODEI

_7ECIAI

UNCLASSIFIED

SECURITY CLASSIFICATION OF THIS PAGE(Whn Dot& En'tad)

PREFACE

This final report presents the results of a studyconducted from March 1975 through February 1977. The pri-mary objective of the study was to develoL a sound stand-ardized baqis for reliability comparisons of thermochemi-cal and le'tric propulsion concepts applicable to AirForce satellite, spacecraft, and upper-stage mission re-quirements. A corollary objective was the identificationof those propulsion system components which currently are

4the major contributora to propulsion system failures.This study was performed for the Air Force Rocket Propul-sion Laboratory, Edwards Air Force Base, under contractnumber F04611-75-C-0039 by Booz, Allen Applied Research,a division of Booz, Allen & Hamilton Inc.

The authors are indebted to the following organiza-tions for their cooperation in providing data and es-pecially for their review and critique of preliminaryresults:

j * Aeronutronics Division, Newport Beach, California0 AVCO Corp, Wilmington, Massachusetts.

* Bell Aerospace, Buffalo, New York

* COMSAT, Clarksburg, Maryland

9 Electro Optical Systems, Pasadena, California

0 Fairchild Republic, Farmingdale, New York

0 Hamilton Standard, Windsor Locks, Connecticut

* Hughes Research Laboratory, Malibu, California

0 Lewis Research Center, Cleveland, Ohio

* Lockheed Missiles and Space Corporation,Sunnyvale, Califcrnia

0 Phrasor Technology, Pasadena, California

ODD

APR 1 19"r

iv F jSTIUJD

* SAMSO, Los Angeles, California

TRW Systems, Inc., Redondo Beach, California.

The cooperation of the following organizations in thetechnical survey is also gratefully acknowledged: ChemicalPropulsion Information Agency, Colorado State University,Fairchild Industries, General Electric Space Division, JetPropulsion Laboratory, Lincoln Laboratories, The MarquardtCompany, NASA Goddard Space Flight Center, RCA Astro Elec-tronics, Rockwell International, Applied Physics Laboratory-Johns Hopkins University, Princeton University, WalterKidde, United Technologies Corporation, Tayco Engineering,Aerojet Nuclear, Wright Components, Johnson Space Center,Celesco Industries and Energy Resources Development Ad-ministration.

v

TABLE OF CONTENTS

Page

Number

VOLUME I

PREFACE iv

LIST OF TABLES ix

LIST OF FIGURES x

TECHNICAL APPROACH I-i

Data Base Definition 1-3

Electronic Component Reliability andUncertainty Derivation 1-14

Non-Electronic Component Reliabilityand Uncertainty Derivation 1-27

Systems Reliability Estimation 1-49

RESULTS 1-51

Electric Propulsion Components ReliabilityModels 1-52

Thermochemical Propulsion ComponentsReliability Models 1-124

System Level Fault Trees 1-183

Cesium Ion Electron Bomnardment System 1-183

Mercury Ion Electron Bombardment System 1-196

Pulsed Plasma System 1-207

Colloid System 1-212

vi

Pege

NumberSystem Level Fault Trees (Contirnued)

Catalytic Monopropellant System i-223

Electrothermal Monopropellant System 1-241

Hypergolic Bipropellant System 1-?57

VOLUME II

COMPUTER PROGRA4S

General II-1

Program Descriptions 11-3

COMPI Program Listing 11-13

BETSBI Program Listing 11-38

BETSB2 Program Listing 11-42

BETSB3 Program Listing 11-49

BETFTA Program Listing !1-53BETALI Program Listing 11-56

APPLICATION OF RESULTS 11-63

Systems Applications 11-63

Component and Limited Subsystems Analyses 11-66SUMMARY AND CONCLUSIONS

11-68GLOSSARY OR TERMS 11-70

REFERENCES 11-72

vii

Page

Number

APPENDIX A - Examples A-I

Examples of MIL-HDBK-217-B Procedures A-i

Examples of Methodology Application A-15

APPENDIX B - Aggregates of Beta Distribution B-IVariates

APPENDIX C - BIBLIOGRAPHY C-I

viii

LIST OF TABLES

PageTable Number

1. Literature Search Summary I-l

2. Technical Survey Summary 1-12

3. Crystal Failure Rates 1-17

4. Circuit Breaker Failure Rates 1-17

5. Failure Rate Uncertainties 1-29

6. Examples Distribution with CommonR(40,000) 1-33

7. Two-Point Fitted Distributions 1-35

8. Fault Tree Analysis Symbology 1-184

9. Alpha Numeric Component Code Listing 11-33

ix

LIST OF FIGURES

PageFigure Number

1. Reliability Estimation Procedures Study 1-2Plan

2. Cesium Ion Electron Bombardment GenericSystem Layout 1-4

3. Mercury Ion Electron Bombardment GenericSystem Layout 1-5

4. Pulsed Plasma Generic System Layout 1-6

5. Colloid System Generic System Layout 1-7

6. Catalytic Monopropellant Generic System 1-8Layout

7. Electrothermal Monopropellant GenericSystem Layout 1-9

8. Hypergolic Bipropellant Generic SystemLayout 1-10

9. Crystal Failure Rate (Ground life test) 1-18

10. Circuit Breaker Failure Rates (Ground) 1-19

11. Cesium Ion System Schematic 1-185

12. Cesium Ion System Fault Tree Analysis 1-187

13. Mercury Ion System Schematic 1-197

14. Mercury Ion System Fault Tree Analysis 1-199

15. Pulsed Plasma System Schematic 1-208

16. Pulsed Plasma System Fault Tree Analysis 1-210

17. Colloid System Schematic 1-213

x

PageFigure Number

18. Colloid System Fault Tree Analysis 1-215

19. Catalytic Monopropeliant System Schematic 1-224

20. Catalytic Monopropellant System FaultTree Analysis 1-226

21. Catalytic Electrothermal MonopropellantSystem Schematic 1-241

22. Electrothermal Monopropellant SystemFault Tree Analysis 1-243

23. Hypergolic Bipropellant System FaultTree Schematic 1-258

24. Hypergolic Bipropellant System FaultTree Analysis 1-260

xi

TECHNICAL APPROACH

The development of reliability estimating techniqueswas focused on six generic propulsion systems: ion,pulsed plasma, colloid, catalytic monopropnllant, electro-thermal monopropellant, and hypergolic bipropeilant. Pre-liminary review of these systems, their expected applica-tions, and the available reliability data has indicatedthat the successful approach required the followingcharacteristics:

* The approach had to be synthesis oriented. Ithad to be capable of combining data and pro-cedures that differed in origin, character,and degree of credibility.

* The approach had to take into account the un-certainties associated with the input data andestimation procedures. Furthermore, theseuncertainties had to be reflected with theestimates that resulted. The approach had toavoid point estimate3 alone; it had to yielddistributions or bounds along with centralmeasures.

0 The approac). had to be directed toward definingan explicit, step-by-step methodology and wasto function as a usable data base for use bydesigners and system analysts that are notnecessarily reliability specialists.

With theme considerations in mind, the study plan asshown in Figure 1 was developed and executed. This planconsisted of four general phases:

0 Data Base Definition

0 Electronic Component Reliability and UncertaintyDerivation

* Non Electronic Component Reliability and Uncer-

tainty Derivation

* Propulsion System Reliability Estimation.

These phases are discussed in the following paragraphs.

I-1

14 U) w

H1 H 0 ) i -

E-4 ZU4H) w :

-4

Cl))

0 rr0

>4> 0, l

44 -I

0(4

u 4 0UO:H rq-

>4z 4O( a

0 H

(4

r'zE-40H

0 ZO t

9 E-4 H W-2

DATA BASE DEFINITION

Principally this phase consisted of the definitionof the propulsion system components, data acquisition, anddata representation. The six generic systems identifiedearlier were expanded to seven systems in order to assesstwo approaches to ion thrusters: the electron bombardmentmercury ion thruster utilizing a Kaufman thrust chamberand the electron bombardment cesium ion thruster employinga magneto-electrostatic containment (MESC) thrust chamber.The components to be included in each of these seven sys-tems are shown schematically with typical interfaces inFigures 2 through 8. These figures intentionally excludemultiple thruster and tankage schemes and are intendedmerely to identify the component types and the typical in-terrelationships.

Data Acquisition. Data source identification and theliterature search were begun simultaneously by reviewingsuch data collections as AVCO, FARADA (GIDEP) and NEDCO IIand by the initiation of searches at DDC and ChemicalPropulsion Information Agency (CPIA). A summary represen-tation of literature sources and the applicability of thedata obtained is shown in Table 1. Review of the resultsof the literature search allowed the identification ofthose areas pertinent to reliability estimation requiringfurther attention. An interview guide addressing thoseareas was formulated for use in the technical survey whichfollowed.

The data acquisition survey included 23 GQvernmentagencies, industrial firms and universities. Over 50 in-dividual interviews were conducted to supplement informa-tion available from the literature search. Table 2 sum-marizes the organizations and applicability of data obtainedfrom the survey.

Data Representation. The final portion of the data defi-nition phase involved the categorization and preliminaryanalysis of information and data gathered from the litera-ture search and technical survey activities. This analysisrevealed the following critical characteristics of the database that was available for the development of reliabilityestimation procedures:

* Actual data was limited and concentrated in twoof the seven systems

0 Actual data evidenced wide variability

1-3

ANODE SUPPLY CATHODE SUPPLY NEUTRALIZER SUPPLY

SURFACE TENSIONCESIUM TANK

FILL VALVE

START & CONTROLVALVE

VAPORIZER

POWERCONTROLONDITIONERLOGIC

CATHODE/

ANODIC .HEATER

RING -ANODESRING

MAGNETS 1

SCREEN GRID--~

ACCEL. GRID - . "'

CESIUMPLASMAARCNEUTRALIZER

HEATER PLASMA ARC

MAGNETO-ELECTROSTATIC CONTAINMENT THRUSTER (MESC)

Figure 2. Cesium Ion Electron BombardmentGeneric System Layout

1-4

FILL VALVE

PRESSURANT TANK

DIAPHRAGM

FILL VALVE

0.L

L3.CC

'Laa 4J

I--3d UA

Q >,/ U)

'utH

g IQa I w

IDa

-1-

SELF PRESSURIZING BELLOWS

FILL VALVE

VALVE TWO STAGE INPUT FILTER

CONTROL BELLOWS P.C.C.S.

PROPE LLANT MANIFOLD TELEMETRY SIGNALS

OTHER

IT PINCHMODULESAMMONIA TUBEAMNIR ELECTRO.FLUIDICCANISTER ISOLATION VALVE HEATER AND

THERMISTOR PROBE

~------THRUSTER MANIFOLDF-NEEDLESEXTRACTOR PLATESHIELD ELECTRODE

c::*- MASK ELECTRODE

HOTFILAMENTNEUTRALIZERANDPOSITIVE POTENTIALMONITOR

Figure 5. Colloid System Generic System Layout

I-7

... FILL

ANKPROPELLANT SUPPLY

DIAPHRAGM

FILTER

HEATER

LATCH VALVE

-CONTROL VALVE--'HEATER$

INJECTOR

S cotCHAMBER ASSEMBLY

-- oCATALYST RETAINERAMU' F H EATERS

Figure 6. Catalytic MonopropellantGeneric System Layout

1-8

FILL

VALVE

PRESSURIZEDSURFACE

TENSIONTANK

'-SOLENOIFILL VALVE

.- FILTER

- LATCH VALVE

-< HEATER

," SOLENOID CONTROL VALVE

TO THRUSTER

THRUSTER CONFIGURATIONS

-INJECTOR INJECTOR

PROPE.LANTSWIRL

HEATER SWIRR"I--HEATERS

PLATINUM ROSCREENS HEARHETER -

Figure 7. Electrothermal MonopropellantGeneric System Layout

1-9

PRESSU RANT TANK

C4 FILL VALVE

- - ISOLATION VALVE

- ______ -- FILTER

.4---- REGUILATORii

CHECK VALVE FORPRESSUREINTERCONNECT SYSTEMS

TANK

DIAPHRAGM ___BLADDER (OR SURFACE TENSIONFUEL MANAGEMENT DEVICE)

FILL VALVE

ISOLATION VALVE

CONTROL VALVE(S)

THRUST CHAMBER

Figure 8. Hypergolic Bipropellant Generic System Layout

1-10

x x xxx xxxxx xxx x x xx-xxx xxx x

x x xx x x x00Al

x x x x

>1x x

4.

x xxx x x

$4

4.)

144) N

0 r0

J f31Gu.;.U i

I-lw

x xx x x xx xx

xx x

w

C,,0d,.

x xx x

N >1

rd 0)x x' X X

x Hx

x x x x x

E4

w~11118

1-12

* Component failure mode identification was pos-sible for the most part, but in a qualitativesense only

* All reported data was of the constant failurerate type, and with few exceptions the failurerate vrs based on mission time only

* Few reliability assessments addressed the ques-tion of prediction bounds or uncertainty. Modelsyielding point estimates were the norm.

It was expected that the amount of data would be limited.However, its concentration in the catalytic monopropellantand bipropellant systems posed problems for the componentsof the five remaining systems. A significant amount ofestimation of failure rates by analogy to similar component/environment situations was thereby required. Despite thecare used in selecting analogs for this purpose, this pro-cess of necessity introduced a significant amount of uncer-tainty. Available component failure rate data introducedits own contribution to uncertainty. Estimates of failurerates for the spme component type often differed by severalorders of magnitude. The importance of assessing andtracking, from the outset, the uncertainties associatedwith reliability estimation Was underscored by the fore-going assessments of the data base.

The identification of component failure modes wasmade possible by the descriptive systems and component in-formation acquired through the literature search and tech-nical survey. With the exception of certain valves,failure rates for each of the identified component failuremodes was not ava."lable from the data base. For thisreason the principal reliability models were generated atthe component reliability level. Partitioning to thefailure mode level followed the develolment of system faulttrees. The results of that effort served as a guide indetermining which components required detailed treatment.

Most sources in the compiled data base approached re-liability estimation as the determination of point esti-mates using constant failure rate models with mission timeas the only independent variable. The complete output ofany predictive process is a band of values the parameterin question is likely to assume. Point estimates such asthe median and expected value are simply central measuresof that predicted band. The size of that band is deter-mined by the variance in scatter of the input data and thedesired level of confidence in the expected prediction.

1-13

ELECTRONIC COMPONENT RELIABILITY AND UNCERTAINTYDERIVATION

Electronic parts or components differ from other pro-pulsion system components in a number of important detailsthat influence reliability prediction methodology. Elec-tronic components generally are subject to a relativelyhigh degree of standardization and respond to applicationstresses and requirements in quantitatively predictableways. They also possess a high level of maturity and ex-hibit, with some important exceptions, life distributionsthat are well-approximated by the exponential (constant-failure-rate) distribution.

These characteristics of electronic components permittabulations of failure rates and adjustment factors, suchas those contained in MIL-HDBK-21 7B 1) to be used effec-tively. Considering the availability of reliability es-timation data at the parts level for electronics and theprinciple that reliability estimation should be conducted,when feasible, at the level corresponding to adequate data,it is recommended that reliability prediction be performedat the parts level for electronic assemblies, such aspower processors and switching units.

Failure rate variability. With rare exceptions, standardsources of faiure rate data, such as MIL-HDBK-217B, pro-vide only point estimates of failure rates; that is, asingle estimate of failure rate will be obtained for eachfixed combination of a specific part and a defined appli-cation. It is known, however, that actual failure ratesvary significantly not only from vendor to vendor but also,'from production lot to production lot, under nominallyidentical conditions. Usually, it is impossible not oniyto identify the specific origin of parts that will be uisedin a system but also to determine the specific failur6rate of parts having a particular origin. As a resuft,uncertainty surrounds the failure rate estimates that araused. On the basis of experience, however, it is'possibleto assign a specific form and estimate the para&raeters ofa distribution characterizing that uncertainty. Becausethe failure rate estimates obtained from MIL-HDBK-2178reflect a mix of parts' origins, it is appropriate to treatsuch estimates as defining the means or expected valuesof the corresponding uncertainty distributions.

1-14

By examining the observed failure rates or rejectionrates in screening tests, other laboratory tests, oroperational experience (e.g., as reported in GIDEP/FARADAcompilations), it is possible to estimate the varianceassociated with the uncertainty distribution for specificparts. OperaLional experience data need to be viewedwith caution, however, because application differences arerarely identified sufficiently to permit segregation oftheir effects on failure rates. Similar caveats apply toscreening and laboratory data unless test conditions andfailure definitions are known to be consistent. For allsources except screening test data, many part types pre-sent problems in that, under realistic use conditions,failure rates are low enough so that many observations are"no failures" and at most bounding-type statements can bemade. However, with some exceptions, the coefficient ofvariation is sufficiently consistent over a wide varietyof electronic parts to justify a simpler and less time-consuming approach to uncertainty estimation.

An early examination of lot-to-lot and vendor-to-vendor variability in failure rates indicated that suchvariability could be represented by lognormal distribu-tiuns with the square of the coefficient of variation,72 = 2.74 (-in ' 1.15 corresponding to a 100:1 ratio

between the larcest and smallest failure rates observedin a sample of 40.(2) That analysis was based largely onscreening rejection rates for late-1950's transistors,diodes, resistors, and capacitors. A check on continuingvalidity has been conducted using data from the August1975, revision of GIDEP, volume 1, Summaries of FailureRate Data(3). A scan of this document led to identifica-tion of failure rate data having the desired propertiesfor two electronic part types: quartz crystals and cir-cuit breakers. The desired properties, in terms of mini-mizing extraneous causes of variation, were reasonablesample size, multiple entries for each of several vendors,consistent environmental conditions, and single reportingsource. Calculated values of Tin were 0.995 and 0.937,respectively, indicating that the earlier estimates remainvalid (but may be mildly pessimistic). Accordingly, un-certainty about (constant) electronic part failure rates,with occasional exceptions, will be represented by log-normal distributions with expected values corresponding toestimates from MIL-HDBK-217B, for example, and variancesbased on a in P 1.15. (Examples are provided in Appendix Aof this section.) The following relationships may be use-ful in evaluating subsequent calculations:

1-15

* Parameters of the (normal)distribution of the

natural logarithms of the variate:

P: mean=median=mode

aln: standard deviation

* Relationships to the (lognormal) distributionof the variate:

Expected value EjA} = exp [+ 2]

Coefficient of 2variation 7 = exp (2) -i

Variance vJX} = E2 IX17 2

Analyses and graphic displays of the quartz crystaland circuit breaker data are presented in Tables 3 and 4and Figures 9 and 10.

Nonconstant failure rate contributions. A substantialbody of literature suggests that semiconductor failurerates tend to decrease with age, rather than remainingconstant. Some recent analyses of in-orbit experience ofNASA spacecraft appear to confirm this observation andextend it to some other types of electronic parts.

These observations are consistent with the firsttwo regimes of the traditional "bathtub" curve depic-tion of failure rate behavior. The final regime, wear-out, will be discussed later. In the absence of con-vincing evidence or theoretical support for the conceptof an intrinsic process that leads to monotonically de-creasing failure rates, it is unwise to postulate thatsuch decreases will prevail beyond the period of ob-servation reflected in current data. It is suggestedthat the observed decreases should be disregarded forextended-mission reliability prediction purposes forthe following reasons:

* The observed rate of decrease becomes toosmall to be of practical significance after arelatively short period

0 The decrease can be viewed as reflecting thebehavior of a relatively small subpopulationconsisting of the "weakest" parts, and, there-fore, should not be expected to continue

1-16

TABLE 3. CRYSTAL, FAILURE RATESa

(Ground-Life Test)(Medium Temperature Stress, Failures per 106 Hours)

CR-18A/U CR-56A/U CR-77A/U

Kb 3. 845 K 12.409 W 49. 776H 14.298 E 1.571 M 19.015W 22. 960 Mc 4. 366 M 8. 643B 15.293 E 21.999 H 3.218H 5.957 H 11.357 11 12.872K 5.127 K 1.551 W 54.754B 8.496 H 7.098 H 20.455W 18.785 Mc 1.455 W 41.513K 6.639 M 57.513 I1 17.898K 3.319 K 7.874 M 18.224H 13.378 K 62.992 M 15.621H 16.054 W 59.963B 6.086B 8.114M 5.712M 7.140

MeanLogarithm 2.1457 2.0906 3.0092

LogarithmicStandardDeviation .5925 1.3459 .8476

TABLE 4. CIRCUIT BREAKER FAILURE RATES c

(Ground)(Medium Temperature Stress)

Failures per 106 Hours

.3113.622.621.891.051.34

.2862.352.85

Mean Logarithm .3011Logarithmic Stand-ard Deviation .9366

aSource: GIDEP Vol. 1. Rev. August 1975.The letters indicate manufacturer identification,Source: GIDEP Vol. 1. Rev. August 19'5 (onm apparently

redundant entry omitted).

1-17

-

w

_ _ U)

ZI.- U

Qj)

C)

9 ot X"

Ui

__ __ __0

_A)

t C

:e L

-

- _-~ CD

to Q)I d"

CS-

0C

90L

1-19

" Effective screening of electronic parts, whichis mandatory for extended-duration missions,results in elimination of the individual partswhose early failure otherwise may account forthe observation of decreasing failure rates

" Failure rate data in standard sources usuallyreflect tests or operations of sufficientlylong duration to discount the decreasingfailure rate effects by averaging.

Conversely, processes that may lead to increasingfailure rates must be considered because they may havesubstantial influence late in extended missions. Further-more, the effects of these processes are unlikely to bereflected in failure rate data. From shorter-term obser-vations, candidate failure processes of this kind include:

* Aging of organic materials, especially insulationwhere dielectric properties of the material,rather than physical separation, is relied upon;for example, in coils of electromagnetic devices

* Contaminant accumulation; for example, inlubricants or on electrical contacts

* Corrosion; for example, electrolytic corrosionof electrical connections internal to resistors

0 Depletion of consumable materials; for example,evaporation of lubricants, sublimation of heaterelements/filaments, and erosion of electricalcontacts or electrodes

• Diffusion; for example, of dopants or metalli-zation materials in semiconductor devices, orof metals through insulators

* Radiation effects, including induced changes inbulk or surface properties of semiconductormaterials and chemical changes in organic ma-terials.

Such processes tend to lead to relatively sharplydefined lifetimes for the affected parts, that is, to uni-modal life distributions with small (typically, < 0.3)coefficients of variation. However, the magnitude of themodal life is likely to be very sensitive to interactionsbetween application conditions and part design and the

1-20

low coefficient of variation is attainable only if processcontrols in manufacturing are stringent. Models, such asthe normal distribution or the Weibull distribution withlarge shape parameter ( 0 > 3, which yields results verysimilar to the normal distribution), are often used jointlywith the exponential distribution to describe the onset ofaging or wear-out effects. The problem is that extended-mission reliability estimates can be extremely sensitiveto the time of onset of the effects of aging phenomena.The assumptions needed to make useful reliability estimatesthen become critically important; testing to assure thatthe onset of aging effects occurs sufficiently late willusually be necessary. Fortunately, such tests, which canusually be accelerated, can be conducted with much smallersample sizes than those necessary to determine constantfailure rates.

(From the standpoint of minimizing testing burdens,it also is worth noting that wear-out life characterizationfor components of complex, nonrepairable systems need notbe exhaustive. Usually, the system will have failed bythe time the median life for any component has been reached,thus reducing the interest in statistical details of com-ponent life distribution for longer periods. However, itmay be important to know whether the wear-out failure pro-cess competes as a cause for failure for all members of acomponent population or applies only to a subpopulationhaving special characteristics, such as the presence of acontaminant or the absence of an inhibitor. Truncation oftesting can lead to serious estimation errors in the lattercase.)

Of the candidate failure processes identified pre-viously, some may be ruled out by proper precautions insystem design. Solid-state diffusion and insulation agingare sharply temperature-dependent and, for 10-year orshorter mission durations, can be virtually eliminated assignificant failure processes if component temperaturescan be held to moderate levels. Radiation effects alsocan be minimized if the radiation environment is moderateand/or shielding is possible. For some components, however,wear-out processes constitute potentially significantproblems. A more specific discussion of these componentsappears to be in order.

Components subject to wear-out processes. There are atleast two electronic components of cendidate propulsionsystems for which avoidance of signif'cant wear-out ef-fects may be impracticable. It happens that both components

1-21

are peculiar to high-voltage applications and are found insolid propellant pulsed plasma systems: energy storagecapacitors and arc-initiation ("ignition") electrodes.Such electrodes also may be found in other plasma systemsand may be subject to similar phenomena but are regardedas special cases to be discussed in the context of thesystems with which they are associated.

Energy storage capacitors. Energy storage capacitors forpulsed plasma applications are required to provide un-usually high energy/weight ratios (energy densities). Thecapacitors described in AFRPL-TR-74-50(5) appear to bereasonably typical at 40 J/lb (2,500 volts, 50 microfarads).Energy densities as high as 125J/lb (5,000 volts, 35 micro-farads) have been offered commercially(6 ) but with lifeexpectancies on the order of 3,000 discharges at fullrated voltage. It is widely accepted that life expectancyfor capacitors varies inversely with the fifth power ofapplied voltage.

High-energy densities are obtainable only with di-electrics that are thin or have high dielectric constants;current technology requires both. This limits the choiceof materials and generally prevents choosing conservativederating policies (low ratios of applied voltage to ratedvoltage). Some high dielectric-constant materials alsohave relatively low maximum-temperature limits with sharplydecreasing life expectancy above 50*C, making conservatismimpracticable with respect to operating temperatures. Inaddition, some otherwise desirable dielectrics and impreg-nants are quite vulnerable to radiation. Since shieldingof these capacitors is rather difficult because of theirrelatively large size and location near the thrusters,missions involving substantial radiation doses or ratesplace further restrictions on choices of materials. AFRPL-TR-74-50( 6) describes a construction using a sandwich di-electric (one layer of paper between two layers of poly-vinylidene flouride, a high dielectric-constant material)and castor oil impregnant. The capacitors made by MaxwellLaboratories for Fairchild Republic Company use mylar di-electric and rronoisopropylbiphenol (MIPB) as the impreg-nant, the latter substituted for silicone c~i for reasonsof radiation resistance( 7 ).

There is an indication that Ma>-well Laboratories lackfailure rate and life data for capacitors using MIPB. Oneof the authors of the present report was directly involvedin a major life test experiment on paper/mylar capacitors

1-22

(MIL-C-14157) using related impregnants( 8). The reporton that life test is generally unavailable but a subsequentpaper provides some of the major results and conclusionsIn the absence of more recent, definitive data, aqualitative discussion will be based on the earlierresults. The salient results of the test were:

* The capacitor life test observations could bedescribed reasonably well by Weibull distri-butions, but with both shape and scale para-meters differing among manufacturers and fordiffering voltage stresses.

* In most cases, equally good or better fits tothe data could be obtained by using mixed expo-nential distributions. Suspected heterogeneitywithin capacitor populations makes mixed modelsmore appealing.

• Results for capacitors from one manufacturerare important because certain failures clearlyinvolved impregnant problems and constituted adistinct subpopulation physically and statis-tically. The most satisfactory model consistedof an exponential distribution and a normal dis-tribution.

As noted previously, exponential/normal mixed modelsare attractive and widely used for electronic devicessubject to wear-out phenomena. In the case of the par-ticular capacitor life2 test cited, 9 percent of the capa-citors of one manufacturer failed by case rupture whentested at 100 percent of rated voltage and 125 0C (the tem-perature limit for mylar if phase change is to be avoided).The remainder, and virtually all capacitors from othermanufacturers, failed electrically.

Considered separately, case-rupture failures could bedescribed by a normal distribution with a maan of 9,400hours and a standard deviation of 1,400 hours.* Laterdiagnosis of the case ruptures indicated gas evolutionfrom the impregnant as the cause. A concurrent "blind"analysis of impregnant from new and life-tested capacitorsby infrared spectroscopy indicated bond breakage and in-dependently predicted gas evolution. The capacitor manu-facturer stated that an inhibitor which is customarily

See Example 3 and Figure 6 of preceding reference.

1-23

used had deliberately been reduced or omitted in manufac-ture of the capacitors supplied for the test.

It is not clear whether a distinct subpopulationwould have existed in the absence of the specific actionsreported by the manufacturer. It is also impossible to besure that similar phenomena would not have been encounteredin other capacitors at a later time (the life test was ter-minated at 16,000 hours). However, the results indicatethat wear-out phenomena approximating normal distributionscan exist, that population heterogeneity is a definitepossibility, and that life limitations due to impregnantcharacteristics can be important within the mission dura-tions contemplated. It remains to be considered whichstresses are likely to be important, whether they can bereduced sufficiently to delay failure beyond mission re-quirements, and whether it is possible to devise teststhat can provide the necessary data without prohibitivecosts or durations.

The problem is complicated by further observationsfrom the life test. Infant mortality is in evidence forsome manufacturers at the higher voltage stresses; non-rupture wear-out modes also appear. Failure-rate discon-tinuities indicate that distinct failure mechanisms areoperative, although no physically obvious differences wereobserved. Perhaps the most compelling argument favoringdistinct failure mechanism lies in the differences in theeffects of applied voltage:

" As already noted, the failure rate during theperiod of essentially "random" failures variedapproximately as the fifth power of voltage

* Infant mortality failure rates typically variedapproximately as the seventh to ninth power ofapplied voltage

* Nonrupture wear-out failure rates varied almostdirectly with applied voltage

* Applied voltage nad little or no effect onfailure rates for rupture

" For all types of wear-out failure, the timeof onset of wear-out was virtually independentof applied voltage.

1-24

Clearly, increased voltage would not be useful as away of reducing test time for evaluation of wear-out phe-nomena. (Applied voltage in life tests ranged from about50 to 200 percent of rated voltage).

It remains likely that temperature constitutes a use-ful accelerating stress; unfortunately, the life testcited was restricted to 125*C, a temperature considerablyin excess of most use conditions. The impregnant bond-breakage phenomenon held responsible for ruptures is ofthe kind that would be expected to follow the Eyring (orArrhenius) equations, with the rate doubling for every 70to 100C increase in temperature. For the rupture pheno-menon, one might anticipate an increase in mean life from9,000 hours at 125*C to the vicinity of 3,000,000 to40,000,000 hours at 40*C. It would, of course, be unwiseto rely on such an extrapolation without exploratorytesting at intermediate temperatures, although the modelis supported by a large body of data involving insulationaging in electromagnetic devices.

The potential importance of radiation effects suggeststheir exploration through life tests also. Among a varietyof possible effects, two are likely to be synergistic withheat while a third may be mitigated by elevated temperature:

0 Bond breakage and bond formation (i.e., changesin polymer structure) are likely to be inducedby radiation with rates that may be enhanced byavailable thermal energy

* Radiation may induce ionization; temperaturewill determine ion mobility; and electricalfields may determine the resulting damage, in-cluding the possibility of runaway electricalbreakdown

0 Decreases in electrical conductivity of capa-cltor foils and leads may be reversible byannealing at elevated temperatures.

Potential interactions such as these make it necessaryto conduct tests with stress combinations. Such interac-tions also may interfere with attempts to use acceleratedtesting. Even if radiation testing can be performed inisolation, there may be difficulties due to confoundingof rate and dose effects under accelerated conditions.

1-25

Arc-initiation electrodes. Arc-initiation electrodes inpulsed plasma systems are provided in the form of solid-state plugs that somewhat resemble automotive spark plugs.In an internal combustion engine, spark plugs are intendedto furnish the energy needed to initiate combustion andare exposed to fuel-air mixtures and exhaust gases aboveatmospheric pressure. In a pulsed plasma system, igniterplugs generate ionized debris, which initiates electricalbreakdown-iicross the fuel face. The igniter plugs are ex-posed alternately to hard vacuum and the debris, and toremnants of a plasma derived from tetrafluoroethylene.The two devices share one failure mechanism, electrodeLrosion, but otherwise differ sufficiently to make relia-bility extrapoldtion hazardous.

It appears likely that the reliability of arc-initia-tion electrodes is largely determined by two factors:

0 A low and possibly constant failure rate contri-bution due to manufacturing flaws, such ascracks in in&!.ator bodies

* A relatively narrow wear-out type distributionreflecting electrode and surface erosion.

This conjecture concerning arc-initiation electrodesis supported by laboratory and flight experience describedby the Fairchild Republic Company and the Applied PhysicsLaboratory of the Johns Hopkins University.

Typical applications of pulsed plasma systems involveintermittent use. This suggests the possibility of ac-celerated testing by increasing duty cycles but not to thepoint where effects due to temperature excursions inherentin normal use are averted. In some applications (10),dual igniter plugs have been used in an alternating mode.Where it is feasible to use such a configuration to obtainigniter plug redundancy, the time intervals for demonstratingwear-out free performance can be shortened substantiilly.

Summary. Analyses of applications of electronic componentst- acanced propulsion systems lead to the following keyobservations:

• It is almost always possible to generate somemeaningful reliability predictions for electroniccomponents and assemblies from available data

1-26

6 Inherent variability, not just application un-certainties, makes it necessary to provide quan-titative estimates of prediction uncertainties.

* The validity of such predictions is contingentupon adequate assurance that wear-out phenomenawill not become dominant within anticipated mis-sion durations. Such assurance sometimes willrequire application-oriented life testing. Ac-celerated testing techniques often may be appliedwith care for this purpose.

In general, electronic component failure rate undertaintiescan be represented adequately by lognormal distrib utionswhose expected value is determined from MIL-HDRK-217B, andwhose coefficient of variation is a constant.,, Exceptionsarise when the degree of standardization is low and whenage-dependence of reliability is non-nea.ligible. Examples1, 2, and 3 contained in Appendix A ilolustrate the pro-cedures to be used.

NON ELECTRONIC COMPONENT RELiABILITY AND UNCERTAINTYDERIVATION

As in the case of electronic devices, observed failurerates for nonelectronic components can be expected todeviate substantially from average values due to vendor-to-vendor and lot-to-lot variations. Additional uncer-tainties surround nonelectronic components for severalreasons:

4 Their sensitivity to application-specific efforts

* Probable existence of poorly characterized agingeffects

* A generally lower degree of component standardi-zation.

In the presence of aging or life-limiting effects ofsignificant magnitude, it is impossible to characterizecomponent failure rates, reliability estimates, or lifeexpectancies by single-parameter distribution. At aminimum, two-parameter distributions, such as the normal,gamma, or Weibull (without delay), must be employed; often,a mixture of distributions representing different failureprocesses is appropriate. These conditions increase bothmodel complexity and the difficulties of parameter esti-mation.

1-27

Earlier studies. To put these modeling and estimationproblems into perspective, Table 5 displays some resultsderived from earlier studies of aircraft flight controlcomponents(ll, 12). These results apply to single-parameter (exponential) reliability models and do notdirectly address time-dependent effects; nevertheless,they provide some indication of the magnitude of uncer-taintics.

For each device listed in Table 5, a lognormal dis-tribution was fitted to failure rate data (principallyfrom FARADA). The coefficient of variation and the lower(5 percent) and upper (95 Percent) Bayesian confidencebounds were obtained from the fitted distribution. Theadequacy of fit of the lognormal model was checked fordevice types providing sufficient data; device typesproviding fewer than five data points have been omittedfrom the table.

For the devices marked by c, sufficient data pointshad been available to permit some investigation of signi-ficant time-related failure rate trends out to at least2,500 operating hours. No trends significant from bothstatistical and engineering viewpoints were found. (Un-fortunately, the absence of such trends in 2,500 operatinghours of operation in aircraft environments will notusually justify dismissing the possibility of importanttime-related effects in long-duration space missions.)

It is interesting to note that the coefficient ofvariation tends to be lowest for conponents that arehighly standardized, produced by a small number of manu-facturers, or comparatively insensitive to applicationpeculiarities. (The coefficient of variation used in thisreport for elec-.ronic components is 1.66.) However, valuesat the low end of the range may be illusory in view of apossible unrecognized duplication of specific device de-signs or applicati.ins in a relatively small data base.This does not preclude use of the data as a guide to rela-tive variability as a function of device type.

Some additional considerations. The usual objective ofcomponent-level reliability prediction is to allow theestimation of system reliability for various mission dura-tions or specific time intervals within a mission. Asidefrom modeling of relationships within the system, thisrequires component-level estimates foL corresponding timeintervals.

E-28

TABLE 5. FAILURE RATE UNCERTAINTIESa

Coefficient Failure rate

b of (per million hours)

Device type var)ation Lower bound Mean Upper bound

Bolt 0.5 3.7 9.1 17.7

Regulator, tension 0.6 14.4 41.8 89

Indicator, airspeedc

bomber and transport 0.74 84.3 310 739fighter 1.37 225 2081 6660

Servomechanism, hydraulic 0.78 25.9 102 251

Bearing, ball, low speed i. 0 2.8 15.5 43. 1

Accumulator, hydraulic c 1. 25 28.34 224 689

Gyro, rate 1.3 43.6 367 1150

Actuator, electric 1.49 49. 1 520 !7!5

Bearing, journal 1.6 1.74 21.0 71

Cable, mechanical 1.7 1. 51 20.3 70

Motor, torque 1.8 2. 85 42.4 149

Spring 2.1 2.43 47.9 175

Cylinder, hydraulic" 2,14 10.2 208 761

Bellcrank 2.4 2.64 66.6 249

Accelerometer 2.7 15.9 500 1890

Solenoid 2.8 4.03 136 519

Sheave 2.8 0.23 7.6 29.0

Filter, oil 3.0 4.28 164.2 630

Lamp 3 2 2.0 86.5 333

Tubhe, t0. que 3.2 0.53 22. 8 88

Actuator, hydraulic c 3.52 10.82 559 2160

Switch, pushbutton 5.3 1.6 173 657

aFor selected components, aircraft environment; fitted lognormal

distributions; data from AFFDL)-TH-67-20 (Table 5 and Appendix B)and AFFDL-TR-67-183 (Appendix 11),

bListed in ascending order of coefficient of variation.

CSufficient data to indicate absence of aging effects on failure rate

to 2, 500 hour,%

J-29

The most limited useful component-level estimate forcharacterizing uncertainty consists of a statement of twovalues for a single specific interval; for example, theexpected value and a lower confidence bound on the relia-bility of a component for an interval beginning at 0 andending at some time, To. In the absence of any additionalinformation, the only further statements that can be madefrom such estimates are that the corresponding reliabilityestimates must be at least as high for any elapsed timeending sooner, and no higher for any elapsed time endinglater. More formally, denoting the expected value of re-liability for an interval beginning at 0 and ending at tis denoted by R(t) and the corresponding lower bound byR.05 (t).

R0(t) >R(T o 0

reliability model. For example, one may be willing tostipulate that a Weibull distribution with known and fixedshape parameter applies because this model and parametervalue are "known" to apply to the class of components un-der consideration. Another fairly common type of inter-mediate situation is one in which a great deal is considered"known" to apply to the class of components under consid-eration. Another fairly common type of intermediatesituation is one in which a great deal is considered"known" for tSTO and very little is "known" for t) TO .This would be the case when the failure process(es to Tocan be determined from observation; however, a subsequentwear-out phenomenon due to other processes is anticipated.

Procedures. Since the ultimate use of component-level re-liability prediction will be in the derivation of systemreliability estimates, it is desirable to anticipate therequirements of the latter. The system reliability modelsthat will be used are based on combinatorial calculations,propagation of variance, and beta distribution models forreliability uncertainties at component and higher assemblylevels. This implies a requirement for estimation of com-ponent reliability expectations and uncertainties for anyselected time within the intended mission duration.

For system reliability estimation purposes, the betadistribution model for each component at each selectedtime must be defined. It is possible to fit a beta dis-tribution to any two fractiles, central measures, or mo-ments (e.g., mean and variance) of a reliability uncer-tainty distribution derived from other sources. In general,it is not possible to obtain a beta distribution thatexactly matches another distribution, such as one derivedfrom a lognormal uncertainty distribution of failure ratesover the range of possible values. However, a very goodmatch over the range of maximum interest -- from the fifthpercentile to the expected value -- can be obtained bymaking the distributions congruent at the fifth percentileand at the median. Further discussion of the beta dis-tribution is provided in Appendix B.

If the form of the component life distribution is"known" and has a single uncertain parameter (e.g., theconstant failure rate in the exponential distribution orthe scale parameter of the Weibull distribution), that lifedistribution can be evaluated at any selected time, t, andfor any desired points in the uncertainty distribution.For example, assume that the exponential distributiun

1-31

describes component life and that the failure rate (permillion hours) is described by a lognormal uncertaintydistribution with mean natural logarithm 2.28 and logarith-mic standard deviation 1.2. Then the median and 95th per-centile failure rates (rounded to one decimal place) are:

2.28 06e 2.28 = 9.8 per 1 hours

2.28+1.97 06x95 e = 70.4 per 1 hours.

Since fractiles hold in transformation, we may evaluatethe median and 5th percentile of the reliability uncer-tainty distribution directly for any value of t. Fort = 2,000 hours, the results are:

-6

R = e-2,000 x 9.8 x 10 = 0.981.56

R. 5 e-2, 000 x 70. 4 x 10 "- 6 =089=~Q e2D0O70=1 ~0.869.

Consider the alternative that the observations on whichreliability estimates are to be based involved a 5,000-hour exposure of the components and led to the conclusionthat:

R 5(5, 000) = 0. 5

R 5, 000) = 0.25.

How can these conclusions be translated to uncertaintydistributions for time intervals other than 5,000 hours?In general, estimation procedures will need to be dif-ferent for intervals ending earlier than the 5,000-hourobservation time and for those ending later.

One possibility involves a willingness to attributea particular life-distribution form with fixed parametersto the median (R.05) only. Estimation of the median ofthe uncertainty distribution then involves merely the sub-stitution of the desired values of t. The alternative isto draw a smooth curve connecting the starting point (0,I)with the observed point (5,000, 0.5), choosing a curve

1-32

shape that is consistent with the evaluation of failureprocesses involved (e.g., with an increasing failure rate).In either case, it is extremely important to bear in mindthat:

a The component under consideration uscally willbe only one of many components in a system

0 Time intervals for which the system reliabilityis low are not of interest if the system isnonrepairable

0 Reliability of the component will need to bequite high if the system reliability is not solow as to be uninteresting, unless the componentis used in a highly redundant configuration

* The important component reliability estimationregion (the important part of the life distri-bution), therefore, usually will be one in whichthe predicted reliability is well in excessof 0.9.

These observations have two major implications. Oneis that R.5 = 0.5 is a poor choice for a starting point;a value on the order of R.5 = 0.9 would be much moresuitable. (In practice, it also is much more likely to beavailable for the long-lived components of interest.) Theother implication is that essentially we are dealing withtail behavior of life distributions, which reduces boththe dependability of, and the sensitivity to, distributionalforms and parameters. DependabiTty is reduced becauseextreme tail behavior usually is determined by outliersrather than by the main population; if not, tail behavioris often very sensitive to distribution parameters. Sen-sitivity is reduced by convergence. This point may beillustrated by examining a fairly wide variety of distri-butions in an example shown in Table 6. all having thevalue R(40,000) = 0.9 in common:

TABLE 6 . EXAMPLE: DISTRIBUTION WITH COMMON R(40, 000)

Condition for

Form R(40, 000) = 0. 9 Parameters

Exponential .105361/X = 40,000 X

= 2. 634 x i0

Weilbull (.105361W)1/ - 40,000 0 = 0.5, a = 1,898

1-33

Table 6 (continued)105310)

Weilbuil (. 105361a) 1 40,000 = 2 , a = 1.5186 x 1010

Weilbull (. 1053610) / 40, 000 = 4 ,a = 2.4297 x 1019

Normal .- 128 = 40, 000 60, 000, a = 15, 625

Normal - 1.28 = 40,000 u = 80,000, a = 31,250

Normal w - 1. 28a = 40, 000 g = 100,000, a = 46, 875

For this example shown in Table 6, the reliabilityvalues at four lower ages and one greater age are tabulated:

TABLE 6 . EXAMPLE: DISTRIBUTION WITH COMMON R(40, 000)(Continued)

)istrIbutIon R(5000) R(10, 000) M(20, 000) (R30, 000) R(80. 000)

Exponential2. 634 x 10-6 0. 9869 0. 9740 0. 9487 0.9240 0. 8100

Weioull0.5. 189P 0.9634 0. 947 0.9282 0.9128 0.8616

2, 1.5186 x 10 0.9984 0.9934 0.9740 0.9425 0.6561019

4, 2. 4297 x 10 0. 99997 0. 9996 0. 9934 0. 9672 0. 1853

.Normal60, 000, 15, 625 0. 9998 0. 9993 0.9948 0.9726 0. 100080, 000, 31, 250 0.9918 0.9875 0. 9726 0.9452 0.5000

100, 000, 46, 875 0.9786 0.9726 0.9561 0.9323 0.6652

The differences displayed in Table 6 are far fromtrivial. Selecting the most appropriate distributionalmodels therefore is important. For ages less than thecommon point, however, relatively little added obser-vational information is needed for adequate parameterestimation if the appropriate distributional form hasbeen selected.

If the additional information is substantial, eventhe choice of distributional form may not be too critical.If, for example, we know that R(10,000) = 0.99 as well asR(40,000) = 0.9, the parameters of a Weibull distributionmodel are fixed at f = 1.695, a-- 5.996 x 108, and for a

1-34

normal distrubution model = 76,570, a = 28,570. Thesingle-parameter exponential distribution cannot be fittedto the two known points. If we are willing to consider thetwo-parameter version (exponential distribution with delayor guarantee time), we find X= 3.177 x 10-6, a = 6,840.These models yield the values presented in Table 7.

TABLE 7. TWO-POINT FITTED DISTRIBUTIONS

Distribution B(5000) R(10, 000) R(20, 000) R(30, 000) R(80, 000)

Exponential w/delay3.177 x 10"6, 6,840 1.0000 0.9900 0.9591 0.9291 0.7926

Weilbull1.695, 5.996 x 108 0.9969 0. 9900 0.9680 0.9374 0.7110

Normal76, 570, 28, 570 0.9939 0.9900 0. 9762 0.9485 0.4522

The results displayed in Table 7 serve to illustratean important and obvious, but often neglected, point: Anyreasonable distributional model fitted to observed datacan provide a good description within the range of obser-vations (in the example, for ages up to 40,000 hours), butextrapolation beyond the range of observation is stronglydependent on the model chosen. Furthermore, the existenceof a good observational fit does not guarantee model valid-ity. Thus, it is concluded that extrapolation is riskyeven when no new failure processes need to be anticipatedat greater component ages, and that the choice of the lifedistribution model usually needs to be supported by infor-mation beyond that available from fitting of curves toobservational data. In general, hat information comesfrom insight into manufacturing process variations andfailure processes or from knowledge about the long-termbehavior of related devices.

Selection of a suitable life distribution model forR.5(t) must be accompanied by the choice of a correspondingmodel for R.05(t) or for some other measure of reliabilityestimation uncertainty, unless, as discussed previously,there is sufficient faith in distributional form and para-meters (e.g., exponential with x.95) to permit directevaluation. One difficulty that should be noted immediatelyarises from the fact that life distributions from the samefamily generally cross unless some restrictive conditions

1-35

are met. Two Weibull distributions with parameters a i,0I; a2 , 02, will cross at

(P1 '32)

t)

unless 0I = 2, while two normal distributions will crossat two values of t unless Pl = A2, when R( Pl) = R( I2) =0.5. Unless the crossings occur outside the time periodof interest, R0.5(t) > R.5 (t) for some range of t. In ad-dition to this illogical inversion, there will be under-statement of uncertainty as the crossing point is approached.Modifications of models may be necessary if R.05 (t) is tobe handled in life-distribution form.

Alternatively, one may address the uncertainty dis-tribution or the relationship between R.05(t) and R.5(t)directly. This approach also presents some problems. Asan example, consider the observation R.5(5000) = 0.9032,R.05(5000) = 0.7499. Attributing the exponential distri-bution to R.5(t) yields R.5(2005) = 0.96. Suppose wechoose to model the uncertainty about R(t) by a beta dis-tribution.* The beta distribution having R.5 = 0.9032and R.05 = 0.7499 has the parameters a = 15, = l.+ Froma Bayesian viewpoint, the sum a-+ p can be interpreted asan "equivalent" sample size;' that is, it would charac-terize all possible posterior distributions derivable fromgo-no go testing of a sample of size a + p and the uniformbeta prior distribution with ao + 0o = 0. On the groundsthat any "test" yielding J5 successes and 1 failure as of5,000 hours would have been )bservable in principle at anyearlier time with sample size 16, one may argue in the ab-sence of any other information that a + 0 = 16 should applyto the uncertainty distributionused to describe informationat any lesser age. It happens that R.5 = 0.96 is themedian of the beta distribution with a = 16, J = 0, andfor that distribution, R.05 = 0.8384.

A detailed discussion of this convenient model is pre-

sented in Appendix B.

There are two common notations for the beta distribution;I'( +1+2) R (1.R) 3

the notation used here corresponds to f(R) '( + )R'(13+1)

1-36

In order to determine if the value of R.05 (2005) isconsistent with the available information and/or intuition,one possibility is to seek to define a reasonable lifedistribution that yields R.05(2005) = 0.8384, R.05(5000) =0.7499. These values are satisfied by a Weibull distribu-tion with p = 0.5766, a = 335.81 (not to be conf,,sed withthe similarly labeled parameters of the beta distribution).This is an increasing failure-rate distribution, implyingthat the uncertainty attached to the 2,005-hour reliabilityestimates is larger than would be the case if we werewilling to attribute the exponential distribution to R.05as well as to R.5. That approach would yield R.05 (2005)=0.981. In many cases, the implied increase in uncertaintyfor interpolation would be acceptable as being in accordwith intuition and available information, but the judgmentshould be made on a case-by-case basis after examining theimplications. For example, the model would be inappropriateif additional, contradictory evidence were available froma separate 2,500-hour test.

(It should be evident that the process of reliabilityand uncertainty estimation involves ad hoc procedures andsubjective judgment. This approach is not at all incon-sistent with the Bayesian approach but probably is unac-ceptable to the statistician with a "classical" inclina-tion. Unfortunately, he is powerless to deal with theproblem in any practical way.)

There remains the problem of extrapolation to com-ponent ages beyond the observed data coverage. Statisticaltheory provides no information other than the absoluterequirements that any reliability function be monotonicallynonincreasing and tend to 0 as age approach-s infinity.General experience adds to this that reliability functionsare smooth (i.e., continuous). It is necessary to lookelsewhere for useful reliability estimates.

The act of choosing life disLribution models withinthe span of observable datd and information implies somebelief that the models relate to the physical processesthat lead to device failure. The degree of belief willvary and will be reflected in the uncertainty modelschosen. It follows that the first step in extrapolationinvolves two questions:

0 Is it reasonable to expect the same physicalprocesses to continue?

1-37

0 How rapidly does uncertainty about the validityof the life distribution model or its parametersincrease?

The first question is related primarily to the lifedistribution model; the second, to the uncertainty dis-tribution model. (Continuity and monotonicity are not re-quirements for the latter; it is quite reasonable tospecify increasing uncertainty as one moves away from a"known" point in either direction.)

The answer to the first question almost always willbe affirmative. However, a further question must be asked:Are there additional failure processes (or changes in im-pact of the same failure processes) that may becon'signi-ficant during the time interval to be considered in the -extrapolation? For example; frictional wear may be thepredominant failure process reflected in the life distri-bution model. At greater component ages, wear may coi-tinue, but fatigue may become the primary failure process.

Thus, extrapolation must rely entirely on knowledge,analysis, and judgment, in the domain of engineering andthe physical sciences; statistical methods serve only todescribe the results with one exception. The purpose ofreliability prediction and estimation of uncertainties isto aid in decisionmaking, and Bayesian statistical methodsare closely related to decision theory, especially to thenotion of loss functions. The choice of models may be in-fluenced by the consequences to be expected from decisionsthat formally rely on the models. Most importantly, themodels should be used to decide how to allocate limitedtest resources among tests of the components of a proposedsystem to maximize information gain (uncertainty reduction),a topic addressed in the description of computer programBETALl in the Computer Program Section of this report.

Component Reliability Derivation. Analysis of the database revealed an exclusive use of single parameter con-stant failure rate component reliability expressions.Furthermore, the single parameter was almost always mis-sion time. While this uniformity of approach was veryattractive, especially when aggregation to the systemslevel was intended, it was not the most descriptive ofthe components, their duty cycles, or their operating en-vironments.

1-38

The approach employed in developing this methodologywas the individual assessment of each component and lettingthat assessment determine the type of failure rate to beemployed and the parameter or parameters to be used in themodel. As can be expected, with the broad range of compo-nents, the result of this approach was a diverse collectionof models. However, it decided to proceed along theselines, developing the more complex aggregating techniquesrequiring rather than artificially constraining the com-ponent level models in the interest of methodology simpli-city.

The derivation process can be characterized by thefollowing steps:

a Component assessment in the context of its

system application

• Structuring the component reliability model

0 Model quantification

* Model verification

* Failure mode modeling.

Component Assessment. Rather than impose generalizationacross systems, each component was assessed within thecontext of its system application. While this reqiiiredmultiple assessments of similar components, it yieldedgeneralized component models based on demonstrated simi-larities rather than a priori assumptions. These assess-ments identified the principal failure modes, mechanisms,and the parameters to which component reliability seemedsensitive.

Structuring the Component Reliability Model. The resultsof the foregoing assessment were converted next into dis-crete expressions. Some failure mechanisms (such as manu-facturing flaws) implied random failure situations whichwere best modeled by constant failure rate models. Others(such as erosion, wear, or compaction) implied increasingfailure rate situations. The Weibull model was used tomodel these situations. Several components exhibitedmechanisms of both types. These were modeled using a com-posite expression containing constant failure rate andincreasing failure rate contributions.

1-39

While failure rates and types are of obvious impor-tance, a second equally important consideration is thevariable upon which they are dependent. These, too, wereidentified in the assessment process and were included inthe modeling process. Typically, these parameters werenumber of cycles, operating time, and mission time. Exam-ples of the resulting models are shown below.

Constant Failure Rate, Simple (Fill Valve)

R=exp(-Xt) Where t=elapsed missiontime

Constant Failure Rate, Compound (Relief Valve)

R=exp [- mt-A cN] where t=elapsed missionIn Ctime

N=Number of cycles

Increasing Failure Rate, Simple Electric Isolator)

R=exp where t=elapsed missiont~l time

a=Weibull scaleparameter

1=Weibull shapeparameter

Increasing Failure Rate, Compound (Catalyst Bed - Steady State)R=exp N2 - n3 - t~ss] where N=number of steady

S asstate firibgsn=number of cold starts

t ss=steady state oper-ating time

Composite Model (Filter)

[ tl'5] where tm=elapsed missionR=exp -t hours

op=operating hours

1-40

Uncertainty distribution modeling presented a situationrequiring a different approach. Component failure ratedata was too sparse to directly identify the type of dis-tribution that would best characterize failure rate'svariability. Rather than rely simply on judgment, previousexperience suggested a simplifying alternative. It hasbeen found, almost universally that the uncertainty distri-bution of a generic failure rate is skewed to the right.Values much larger than the expected value are more likelyto occur than values correspondingly smaller. This is alsoin accord with intuition; a failure rate much worse thanthe generic mean seem. more likely to be observed than one!that is much better Good fits to the log normal distri-hution, which corr- ,onds to this behavior, have beenfound to be common. rhis distribution was assessed againstall available failure rate data on a componenc by componentbasis. It was found that this distribution could be usedin the uncertainty distribution to characterize the reportedvariability in all but a few component failure rates. Theexceptions were best modeled using a normal distribution.

Model Quantification. Assigning values to the model para-meters was the next step in the development process.Available data provided overall component failure rates.With the exception of valves there was virtually no parti-tioning of failure rates to failure modes. A secondproblem was the exclusive use of constant failure ratemodels for all components in previous reliability assess-ment efforts. Moreover, virtually all used mission time-related failure rates; only a few developed cycle-orpulse-dependent failure rates. Finally, for some of themore novel propulsive systems, virtually no failure ratedata was available on a large number of components. Forthese items, the failure rates employed were derived fromanalogous component/environment situations for which datawas available. In addition, significant extrapolationwas required to bridge the gap between the documentedendurance tests and the long mission durations ( > 5 yrs)of interest. In short, the process of model quantificationwas ftr from a rigorous statistical exercise. Extensiveuse of engineering judgments was required to yield usablecomponent reliability models. As can be expected, theuncertainty involved in these judgments is relatively high.This situation further underscored the need for trackingthe uncertainties associated with the reliability estimatingprocedures. As the experience base grows with additionaltest and in service use and more explicit failure rates areidentified, this uncertainty can be expected to decrease.

1-41

Two procedures used in the model quantification pro-cess are worth highlihting. The first involved the adap-tation of reported constant failure rate data for use inmodels involving Weibull expressions. Two judgments wererequired by the process: first, an estimate of the pointwhen the failure rate would begin to increase, and second,an assessment of the Weibull shape factor. The shapefactor strongly influences the severity of the slope of theincreasing failure rate. With these two estimates, theconstant failure rate model and the increasing failurerate (Weibull) model could be equated and the Weibullscale factor could be determined. That is, the reliabilitymodel usinq constant failure rate is expressed as:

1=exp, [x] where X = constant failure rate

x = parameter upon whichreliability is dependent

(such as operating time,flight time cycles, etc.)

and the increasing failure rate (Weibull) nmodel is given as:

R=exp a-1 where x = parameter upon which

ai raliabfity is dependent

P= Weibull shape factor

a = Weibull scale factor

At that value of x where the failure rate x begins tochange, both models will yield the same estimate of relia-bility. If this value and the value of 3 (characteris-tically between 1 and 3) are estimated, the Weibull scaleparameter can be found directly:

This approach was used in conjunction with the pro-cedure used to transition from constant to increasingfailure rate models. For components evidencing a strongdesign sensitivity to expected mission life, the transitionpoint to increasing failure rate was defined as a percent ofthe design life rather than a fixed number of hours orcycles.

1-42

R=exp lAx1 = exp [- a0 where x = the value of x where

U I. is expected to change

°= the estimated value of

the shape factor

taking the logarithms,

Ax -IX:0

x 00

The second procedure involved the introduction ofconponent design life into the reliability model. Thedesign of some components is relatively insensitive tooperating life. Whether the planned use calls for onethousand or one million operating hours or cycles, thecomponeat design is virtually the same. Other compo-nents, typically those prone to corrosion, erosion,wear, fatigue, etc., have their design strongly tailoredto the expected mission life. For these components itwould not be appropriate to extrapolate conditions inevidence at the end of one year's use. This wc~ild besimply unrealistic. If a 5-year mission were aricipated,then a component designed for this expected life wouldhave been used. Where comparison of two components (suchas the 1- arnd 5-year designs) was desired, comparisonswere based upon service life as a percent of design life,for example, suppose an estimate of conditions is desiredafter 4 years on a component designed for 5-year life.The data base a%'0lable for assessment is drawn from asimilar component designed for 1-year life. Rather thansimply extrapolating from the available data, examinationof conditions at the four-fifths or 80 percent designlife of the 1-year component should be made. The resultsof this assessment form a more realistic estimate of whatmight be expected after 4 years of the operation of acomponent designed for 5 years life. This approach wasused in conjunction with the procedure used to transitionf.om constant to increasing failure rate models. For com-ponents evidencing a strong design sensitivity to expectedmission life, the transition point to increasing failurerate was defined as a percent of the design life ratherthan a fixed number of hours or cycles.

1-43

Two types of partitioning readily identified them-selves in this modeling process. The first was one wherethe failure modes and portions of the component modelaligned themselves on a one-to-one basis. The second re-quired subdivision of component model elements in orderto generate the failure mode model. These situations arebest described by the following examples.

Example 1. One-to-One Correspondence

Component: Filter

Model: R =exp [_ t

Fail Modes: Leaking, Clogging

Partitioning:

Leaking Mode R = exp(-Xt)

Clogging Mode R expI'a

Example 2. Component Model Subdivision

Component: Isolation Valve (Nornxlly Closed)

Model: R=exp [-AcN - A mtI

Failure Modes: Fail Open. Fail Closed, Fail Partial, Leakto space

Failure Mode Frequency: Based on data base and judgment

Mode Frequency Factor by Failure RateAl A,

Open 10% Ko=.l Koc=. i

Closed 30% Kc=.3 Kc =.3

Partial 55% Kp=.55 Kp=.6

Leak to Space 5% K1-. 05 K1 =O

1-44

The final step in the component reliability modelingprocess was the quantification of the uncertainty distri-bution. As mentioned earlier the log normal distributionwould be used throughout. The variability in reportedfailure rates evidenced by each component was used totailor the log normal distribution to reflect the uncer-tainty associated with that particular component's relia-bility expression. The log normal distributions werecharacterized by specifying the coefficient of variationand the mean. Wherever possible these parameters weredetermined directly from the reported failure rates forthe component. Where no failure rates or a few divergentestimates were available, judgment once again had to berelied upon to yield credible and realistic results.

Model Verification. Upon completion of the component re-liaSility model development, a request for comments wasinitiated. The models, supporting rationale, and otherdescriptive material were submitted to 26 selected Govern-ment and industry organizations representing a cross sec-tion of auxiliary propulbion system designers, developers,manufacturers, prime contractors and user agencies.

The responses, received from more than half of theaddressees, were very useful in refining the methodology.There was general agreement with the approaches taken andthe results achieved. Where differences existed alter-nctives were always suggested. Almost all suggestionswere incorporated in the refinement process. Since ana-logous component/environment combinations were often usedin developing component models, it was found that alter-native analogs were especially useful. A second majoroutcome of this process was the completion of the modelgeneralization process. Component models were initiallygenerated by assessing each component within the contextof its system application. While generalizations weresuspected, it was considered preferable to have thesegeneralizations result fr':n demonstrated similarities inthe models and from concurrence in the review process.As a result of this review it was possible to replace theseven systems categories of components with two:electricpropulsion systems components and thermochemical propul-sion systems components.

Component Model Partitioning. The component level analysisyielded nearly sixty relia ility models. Because of thelimitations of the available data, subdivision of these

1-45

models to the failure mode level was conducted on aselective basis. Indiscriminate (and, for lack of defini-tive data, often arbitrary) partitioning to the failuremode level would have introduced undesirable increases insystem level uncertainty without increasing understandingof component or system reliability behavior.

Approach to Component Model Partitioning. Faulttree requirements were used as the partitioning criteria.Components often appeared in several places in a systemfault tree each time reflecting a different failure mode.For example, under a fault tree portion entitled "Propel-lant Flow Too Low" a number of valves appeared as failingclosed or partially open. In another portion of the sametree "Propellant Flow Too High", the same valves appearedas failing open or leaking to space. Neither situationrequired the entire failure model but rather some subdivision.In these cases partitioning to component failure modes wasconducted.

Partitioning Techniques. Review of the availablecompohent models produced two readily identifiable par-titioning techniques, direct and K-factor.

The direct methoe' was uE in those cases where aone to one relationship existed between a failure modeand a portion of the component model. For example, thedeveloped filter model was:

..0R = exp[- Xt - o_

where X = constant failure rate dependenton mission time

O,a = increasing (Weibull) failurerate parameters dependent onoperating time, tOD

The identified failure modes were clogging and excessiveflow (due to leakage or fracture). The clogging modefailure rate was assessel as increasing with increasingfiltration (that is with increasing operating time) and theleakage mode failure rate as being constant throughout themission. This resulted in a direct partitioning of themodel. The model for the clogging mode became:

-toR = exp [_ o]

and the model for leaking became

R = exp(- t)

1-46

Other component types (principally valves) had failuremodes that reflected part of each of the model constituents,Partitioning factors (k factors) had to be developed in thesecases to subdivide the model. For example the latch valvemodel was formulated as

R = exp [- XcN - Xft]

where Xc = failure mode! per cycleN = number of cyclesXf = failure mode per mission hourt = mission hours elapsed

The identified failure modes for this valve were fail open,fail closed, fail partial, and leak to space. A simplebreakdown was not possible in this case. Both number ofcycles and elapsed mission time influenced the failuremodes and had to be so reflected. The result was thefollowing matrix

Mode K-factor X c Af

Fail Open KD .1 .1

Fail Closed KC .3 .3

Fail Partial Kp .55 .6

Leak to Space KL .05 .0

The values of the K factors were developed from whatever partitioning information was available (principallyfrom the GIDEP sourceY and judgment in application to thecomponent/environment situation. They were then applied tothe expected value of the failure rate, E{X} . [The expectedvalue E{X} was the parameter obtained from analysis of thedata base.] The procedure was as follows. For theFail Open mode:

E (co} KoE { c}

where E {CO)}= expected value of thecyclic failure rate inin the fail open mode.

KO = K factor determined forthe fail open mode.

E {XC ) = expected value of thecomponent model cyclicfailure rate.

1-47

The variance of the failure rate (a basis for uncertaintyabout the component results) must also be carried to thefailure mode level:

V = KV I

where V IAco = is the variance of theexpected value of thecyclic failure rate in

= the open modeV .XC is the variance of the

component model cyclicfailure rate.

The following development of uncertainty parameterswill deal with the cyclic failure rate in the open mode,only so the subscript "CO" will be dropped for clarity.

The coefficient of variation, -, for the log normaldistribution characterizing the failure mode is given by

V xE ~

where V N 1and E Ix cd were defined above.

The standard deviation, a for the required lognormal dis-tribution can be obtained from

71 2 = exp[ u 2 ] - 1

a = Vin72 + 1)

The mean of the distribution, p , is given by

E X= exp ( p +

or

P = ln(E ) 2 -

The median and the bounds on the cyclic failure rate in theopen mode follow:

Median

A.5 = exp( pi)

1-48

* 5% Lower Bound (L.B.)

05= exp[ p - l.64485a,]

95% Upper Bound (U.B.)

.9 5 = exp[ p + 1.64485 a

This process was then repeated for the cyclic failurerate in the closed mode, partial mode and leak mode and forthe flight time failure rate in applicable modes to completethe characterization at the failure mode level.

SYSTEMS RELIABILITY ESTIMATTON

At this point in the development of the methodology,reliability (and uncertainty) models for all the requiredcomponents had been formulated and quantified. What wasrequired at the system level was a framework to:

Describe the systems and identify the appropriatecomponent models required by each.

Provide the system specific logic network to a'L "wfor proper model aggregation.

Alternative Approaches. The most common approaches to theanalysis and description of component/system relationshipsare failure modes, effects and criticality analysis (FMECA)and fault tree analysis (FTA). FMECA displays are intabular form, and are usually accompanied by reliabilityblock diagrams to aid understanding and to facilitate con-struction of mathematical reliability models. FTA analysesand displays are in logic-diagram form, so that the equiva-lent of a reliability block diagram is inherent.

FTA can be characterized as a "top-down" approach; theprincipal thrust is successive definition of all conceivablefailure events at the system level, the subsystem level, andon down to the component failure mode level. FMECA is"bottom-up" and is conducted principally in the inverse orderby identifying component failure modes and tracing theirconsequences up through the system.

1-49

In principle, the results of FTA and FMECA should beequivalent; experienced analysts frequently alternatebetween top-down and bottom-up modes in the process of ana-lyzing a system.

Selection Rationale. The FTA approach was selected as theframework for the systems level assessment. Its principaladvantages included:

Display of functional relationships among systemelements in a graphic form readily understood byengineers and analysts.

Ready assimilation and application by systemsanalysts

Ready isolation of similarities and differencesamong competing system configurations

* Easily converted into algebraic models

Development of a fault tree need be carrieddown only to the level at which failure rateinformation is available.

With respect to the last item, the fault trees pre-sented in the results section of this report were developedbeyond the available failure rate information. The analysiswas continued in this manner to reflect qualitative failuremode information and to accommodate failure rate data (orassessments) that may result from on-g61ng testing and develop-mental efforts.

A further advantage was realized by emphasizing func-tional (system-oriented rather than hardware oriented)failure-event definitions in the upper levels of the faulttrees. This yielded upper portions of the trees that couldbe common to a number of alternative system configurtions.(Lower portions of fault trees are inherently applicable tospecific components types regardless of usage). Faulttree modification to represent an alternative system con-figuration would then entail major changes only in theintermediate levels of the tree. This implied reduced effortfor multiple analyses, and thus, greater flexibility.

1-50

RESULTS

The results of this reliability modeling study arethree fold: the component and failure mode reliabilitymodels, the systems analyses usinq the fault tree frameworkand the mathematical tools developed to support the assess-ment process. Examples of methodology application are pro-vided in Appendix A.

COMPONENT RELIABILITY MODELS

The total number of models developed including failuremode partitioning was nearly one hundred. This was an un-wieldy number for presentation in tabular form. Therefore,the following uniform format was used for each component.

Component Title and Description. The component was identi-fied and a brief description of the approach used and theapplicable failure modes was provided.

Component Reliability Model. The component level reliabilitymodel was presented and- T the parameters dafined.

Failure Rate Uncertainty Distribution Model. The distribu-tion was identified and its principal parameters (coefficientof variation, mean aril standard deviation) were quartified.For cars where maltiple failure rates were present in themodel, uncertainty model parameters were developed and pre-sented for each rate.

It must be noted that the failure rate uncertaintydistribution model can be applied directly to constantfailure rates, A , only. For those models using increasingfailure rates, the uncertainty distribution is implicitlypresented through the upper and lower bound values of a andits equivalent mean and median.

Failure Rate Mean and Bound,. The 5% Lower Bound, Median,Mean and 95% Upper Bound a- presented for eaoh of thefailure rates, X , (or s-Ale factors, a , in the componentmodel.

Partition by Failure Modes. For each of the ide.ntified modes,the model, the failure rates (or scale factors) and the Meanand Bounds are given in the format used at the componentlevel.

1-51

ELECTRIC PROPULSION COMPONENTSRELIABILITY MODELS

1-52

INDEX TO ELECTRIC PROPULSION

RELIABILITY MODELS

PageNumber

Power Conditioners/Converters (P