Posted
If a failure is not evident and does not have an immediate effect (a hidden failure) is it automatically classified Noncritical and RTF Run To Failure?

Are there only Critical and Noncritical classifications in RCM?

Terry O
 
Posts: 778 | Location: Southwest Florida Gulf | Registered: 03 April 2004
<Ozgipsy>
Posted
Terry,

Didn't we just discuss a variant of this?

First, critical and non-critical don't actually come into RCM in terms of consequence categorization at all.

So I am not too sure where that came from. Can you add some detail here?

It often seeps in when you look at selecting assets and prioritising the way forward, but it would have to be well defined prior to inclusion within the consequence categorisation area.

Does critical mean that it has either evident safety, evident environmental or evident Operational consequences? Is an evident non-operational failure with high repair and secondary damage costs critical under this definition?

N&H referred to critical failures and critical equipment but that was within a very defined and stated view. Modern RCM generally sticks to managing consequences and taking a decision on each consequence as it comes up.

At what level of operational consequences does it become critical...and who decides this... and how applicable is that outside of your business... and so on.

To the question, a hidden failure is definitely NOT categorised as RTF immediately. At all!

In fact, on the Hidden side of the decision diagram, if a decision diagram approach is used, (Hidden Safety, Hidden Evident, Hidden Operational and Hidden Non Operational) the only times when you could possibly choose RTF as an acceptable option is when you have exhausted all of the options on the Hidden Operational and Hidden Non-Operational decision streams. (In terms of applicability and effectiveness) And are happy to accept that the potential consequences are not enough to warrant a redesign option.

In fact, if you wish to think of things in terms of critical (important) and non-critical (not so important) then hidden failures are often very critical failures to be managed.

It has been my experience in general, in relation to this and the last post you placed on here, that very few areas of reliability engineering and maintenance regime creation are actually able to be automatically managed.

Any use?
 
Posted
Terry,
My simplistic view is that hidden failures by definition will not have an effect unless another failure occurs. So, you must consider the effect of the MULTIPLE FAILURE when determining what type and frequency of maintenance task or failure finding task. One of the beauties of RCM is that it forces you to evaluate the risk or cost of the multiple failure condition, and few other processes have this approach.

The only way a hidden failure can lead to a RTF decision is if there are no feasible or effective tasks that reduce the probability of multiple failure, AND if the consequences do not affect safety or the environment. Otherwise, some task or redesign is required.

Shelley
 
Posts: 60 | Location: New Mexico | Registered: 20 September 2005
Vee
Posted
Terrence,

quote:
If a failure is not evident and does not have an immediate effect (a hidden failure) is it automatically classified Noncritical and RTF Run To Failure?


Can you please provide some examples of hidden function failures that have zero or negligible consequence, assuming a second event also occurs? RTF is only applicable when the consequences are very low or nil. As far as I can tell, such failures usually have a high to very high consequence as soon as they are triggered by a second event or failure, as stated by Shelley.

Consider a (combustible) gas leak in a Plant. If that goes undetected by the gas detector(s), there is no direct consequence. The gas can stay there and do nothing, unless there is also an ignition source. There may be many of the latter, starting with open sparks, static electricity discharges, hot bearings or other metal surfaces etc. If the gas and the ignition source don't meet, or if this takes place in an inert atmosphere (e.g. nitrogen blanket), there is no problem. However, if the gas-air mixture meets a source of ignition you can have a fire and/or an explosion.

So the failure of the gas detector by itself has no consequence. If there is an ignition source, I would run away from there at great speed! Further, the gas detector may fail today and stay that way for weeks or months, till one day there is a gas leak and a cloud around it. NOW, the failure of the gas detector can be serious. For many weeks or months it did not matter, as there was no gas leak. On the day of the big gas leak, IF the detector does not work, would you be a bit worried? Ignition sources are often present, in spite of best efforts, so depending on eliminating them at all times is a bit optimistic.

BTW, the above sort of sequence happened in the Piper Alpha disaster. The gas detectors did work in that case. These should have started up the Fire Water Pumps. But the pumps had been switched from Central Panel Room to Local Panel control. So they had to be turned on manually. This could not be done, because of the explosion and fire (in fact, two people tried to run through the fire to do so and were never seen again). But had they succeeded and the fire water had come on, there still would have been a problem. The sprinkler (deluge) system was plugged, only 30-40% of the sprinkler heads were working. So the hidden failure of the sprinkler heads would have defeated any attempt. As to the source of ignition the Court of Enquiry concluded that there were as many as 13 distinct possibilities. On balance of probability the Court held that static electricity was the most probable cause.
Consequence of hidden function failures: 167 lives, meltdown of a major oil Platform, closure of Occidental's business in the North Sea.


Regards,
V.Narayan (Vee)
Lead Author, 100 Years of Maintenance: Practical Lessons from Three Lifetimes, Industrial Press.NY ISBN-13: 978-0831133238
Author, Effective Maintenance Management: Risk and Reliability Strategies for Optimizing Performance, 2004, Industrial Press NY ISBN-13: 978-0831131784
 
Posts: 779 | Location: Scotland, UK. | Registered: 16 May 2004
Posted
Vee,
quote:
Can you please provide some examples of hidden function failures that have zero or negligible consequence, assuming a second event also occurs?


1/2" manual drain valve on a 24" potable water line fails to operate due to seized shaft. It's a hidden failure with negligible consequences. Not discovered until operated; maintenance department fixes it upon discovery.


Larry Johnson, CMRP
 
Posts: 59 | Location: USA | Registered: 13 April 2004
Vee
Posted
Larry,

What are the consequences of not having the 1/2" drain valve?


Regards,
V.Narayan (Vee)
Posts: 779 | Location: Scotland, UK. | Registered: 16 May 2004
Posted
quote:
Originally posted by Vee:
What are the consequences of not having the 1/2" drain valve?


Okay, let's say the function of the valve is to enable draining of one of the pipe's low spots in preparation for seasonal hibernation.

It was a modification made years ago so maintenance workers didn't have to rig a portable pump and hose to suction water out of the low points.

Regards,


Larry Johnson, CMRP
 
Posts: 59 | Location: USA | Registered: 13 April 2004
Posted
quote:
Can you please provide some examples of hidden function failures that have zero or negligible consequence


How about a backup generator fuel supply system with redundant fuel pumps? Fuel pressure indicators is downstream of both pumps. Pump 1 fails and pump 2 has no problem meeting supply. There is no immediate consequence and no operator indication.

Terry O
 
Posts: 778 | Location: Southwest Florida Gulf | Registered: 03 April 2004
Posted
quote:
Originally posted by Terrence O'Hanlon:
If a failure is not evident and does not have an immediate effect (a hidden failure) is it automatically classified Noncritical and RTF Run To Failure?

Terry,
The short answer is no.
Critical / Non-Critical is determined by the component's failure effects. When determining failure effects you assume all components are in a failed condition, regardless if it's hidden or evident.
Hidden failures have delayed consequences. Because the failure cannot be observed during normal operations, the discovery cannot be made until a demand is made on the failed component. That is why hidden failures can be so nasty; if the demand is a safety function such as overpressure relief, secondary damage could occur (a boiler explosion due to over pressurization).
quote:
Are there only Critical and Noncritical classifications in RCM?

It depends on the evaluation method. Classical RCM doesn't use a critical/non-critical classification. Many others do. Some use a simple risk-ranking and others use the risk-priority and Pareto.

Regards,


Larry Johnson, CMRP
 
Posts: 59 | Location: USA | Registered: 13 April 2004
Posted
quote:
Originally posted by Terrence O'Hanlon:
How about a backup generator fuel supply system with redundant fuel pumps? Fuel pressure indicators is downstream of both pumps. Pump 1 fails and pump 2 has no problem meeting supply. There is no immediate consequence and no operator indication.

Now you're mixing in redundancy, which you could take credit for ONLY if the failure of the standby pump is evident during normal operations (no hidden failure). This is because you cannot tell if the standby pump would start just by looking at it.


Larry Johnson, CMRP
 
Posts: 59 | Location: USA | Registered: 13 April 2004
Vee
Posted
Larry,

quote:
Okay, let's say the function of the valve is to enable draining of one of the pipe's low spots in preparation for seasonal hibernation................so maintenance workers didn't have to rig a portable pump and hose to suction water out of the low points


Is it therefore,
1. To drain the pipe faster, say within 4 hours, OR
2. To drain the pipe better, so people did not have to spend time bucketing and sponging out water for 2-3 days?, OR
3. It felt like a good idea at the time

If it was (1) or (2), there must be some economic value in terms of downtime. The downtime itself may have public health or other impact, otherwise the 24" pipe itself needs justification.

Turning to the way the RTF task may be performed; would a fitter use some lubricant on the gland packing and 'force' the wheel to turn, e.g., by use of additional leverage? What are the risks involved if he did that? Possible snapping of the nipple? It has been known to happen, so it is not incredible. What are the economic consequences of that?

Low point drains have, in other industries, been sources of disasters. They should be assiduously removed, unless there is a strong economic or safety justification, as they are weak points. Redesign is an option one must consider to resolve this type of hidden function failure.

After reviewing the above, if we feel there are no economic or other consequences of the jammed-shut drain, RTF is appropriate. If there are any economic or safety consequences, these will determine whether an FFT is justified.


Regards,
V.Narayan (Vee)
Posts: 779 | Location: Scotland, UK. | Registered: 16 May 2004
Vee
Posted
Terrence,
quote:
How about a backup generator fuel supply system with redundant fuel pumps? Fuel pressure indicators is downstream of both pumps. Pump 1 fails and pump 2 has no problem meeting supply. There is no immediate consequence and no operator indication.

Here is where a Systems approach helps. Some people believe in working at the failure mode level and not at the System level. Your example illustrates the advantage of the Systems approach.

1. The emergency backup generator is normally not running. Is this correct?
2. If so, its failure-to-start is a hidden functional failure. It has economic or safety consequences, so a test-start task is indicated.
3. One reason it can fail-to-start is because its primary fuel pump fails-to-start. It is not relevant whether it has a pressure indicator or not, since while the generator is stopped, the fuel pump is also stopped, so there is no pressure indication anyway. Its failure-to-start will be evident when the generator is started because its pressure gauge will show nil reading, so the primary pump needs little or no maintenance action.
4. If the generator does start, the failure of the second pump will be hidden if the first pump works. So it is doubly hidden.
5. If the generator does not start at all, AND there is no fuel oil pressure, clearly both pumps have failed to start.
6. If the two pumps are independently electrically driven from a different power source, e.g., battery bank and inverter, some of these arguments don't hold.

Coming to the Systems approach, what matters is that the generator MUST start on demand. So we must do an FFT and test start it. If during such a test, the pressure on the first fuel pump is low or zero, then it needs repair. This is almost the only action on the first pump. If the second pump also fails to start, that is really bad. If at all there is a way to test the second pump, e.g. by closing a valve of the first pump during a generator test start, do this as an FFT. So this is an FFT nested within another FFT. The pressure gauge on the second pump serves no purpose, so remove it and stop calibrating or maintaining it.

With the failure mode level analysis supported by some people, we will almost always end up doing additional analysis as well as additional maintenance. I do not believe that N&H ignored this aspect, and they just happened to propose a system level analysis.



Regards,
V.Narayan (Vee)
Posts: 779 | Location: Scotland, UK. | Registered: 16 May 2004
<Ozgipsy>
Posted
Terry,

To try to keep this to simple easily memorable principles, you could summarise the answer to your original question as follows.

As Larry, Shelley and myself have detailed in different posts:

One of the key criteria for a hidden failure is that by itself it will not have any consequences. (And therefore not be noticeable under normal operation)

So ALL hidden failures have the characteristics that you have mentioned. And therefore, as Shelley pointed out, not noticeable until there is a multiple failure.

Note: Modern asset management is focussed on managing the consequences of failure modes, and this is where you need to apply this thinking.

So determining the ultimate strategy to apply will depend on:

a) The consequences of the multiple failure when it does happen
b) The likelihood of it occurring
c) The level of risk that the company is willing to accept that this will occur

These are the basics, they can be applied to any and all of the scenarios that come up in day-to-day operational analyses.

There is no automatic classification of anything here.


Copyright © 2004-2008 NetexpressUSA Inc. All rights reserved.