RCM - A Practical Guide



       Multiple failure
       FF maintenance mitigates against the effects of multiple failures and endeavours to ensure an
       acceptable level of availability of the hidden function.
       The probability of multiple failures can be calculated using the formula:


          Probability of multiple failure = Probability of failure of the protected function × Average unavailability of the protection

       The underlying assumption, when it comes to FF maintenance, is that it is applied to hidden functions
       that are in place to protect a ‘main’ function.
       The calculation, featured later, uses a ‘target’ or anticipated probability of multiple failure which can
       be predetermined according to industry or specific RCM guidance. For example, the JAP(D) 100C-22
       (UK MoD RCM Guidance for Air platforms) suggests a target probability of multiple failure of 1 in a
       million for combat aircraft or 1 in 10 million for passenger aircraft.

       Protected function
       Many critical functions are protected by backup devices designed to take over, shut down or
       otherwise mitigate the loss of function should unanticipated failure occur. A function with a backup
       device is called the protected function.
       It’s important to recognise when a function is protected (normally captured as a compensating
       provision) in order to answer basic question 5, ‘Why does each failure matter?’. If a function has
       protection or mitigation then, no matter how catastrophic the effects may read, it would be difficult to
       say it has safety (or otherwise important) consequences.

       Protective function
       This works very well, especially in the aviation industry where designers have become very good at
       providing protection to critical functions in an effort to avoid catastrophe, should the unthinkable
       happen. These backup devices are called protective devices.
       Modern rigorous design and techniques like FMEA mean that critical functions that require protection
       tend to be identified early and the number of protective functions on a modern system is higher than
       that of legacy equipment.
       Examples could be:
       Standby Generator - this is primarily to provide power in the event that the main generator fails. If it is
       in a failed state it may have no direct consequences, however, if the main generator also failed
       (second failure) then the consequences may be loss of critical functions due to lack of power and loss
       of equipment or lives.
       Fire-fighting equipment - this is primarily to fight fires in the unfortunate event that they occur. If the
       fire extinguisher is in a state of failure, it would not be evident because it has no direct consequences.
       If there was a fire, however, this could be viewed as the second half of our multiple failure, the
       consequences of which may be loss of lives or property.
       You can see that the availability of the protective functions, in those examples, can be vital to the safe
       working or operational capability of the equipment.
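
The multiple-failure formula applied to the standby generator case, as an added worked example that is not part of the original guide. All input figures except the 1 in a million target are constructed, every probability is assumed to cover the same period as the target, and the failure-finding interval (FFI) step uses the common linear approximation, which is an assumption not stated on this page.

```python
# Added example (not from the guide): the page's multiple-failure formula
# applied to its standby-generator case. All numeric inputs are constructed.

def multiple_failure_probability(p_protected: float, unavailability: float) -> float:
    """Page formula: P(multiple failure) = P(protected function fails) x
    average unavailability of the protection."""
    for name, v in (("p_protected", p_protected), ("unavailability", unavailability)):
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{name} must be a probability in [0, 1]")
    return p_protected * unavailability


def max_unavailability(target: float, p_protected: float) -> float:
    """Rearranged page formula: the highest average unavailability of the
    protective device that still meets the target."""
    if not 0.0 < target <= 1.0 or not 0.0 < p_protected <= 1.0:
        raise ValueError("target and p_protected must be in (0, 1]")
    return min(1.0, target / p_protected)


def failure_finding_interval(unavailability: float, protective_mtbf: float) -> float:
    """ASSUMPTION, not stated on this page: the common linear approximation
    FFI = 2 x unavailability x MTBF of the protective device, usable only
    for small unavailability (5% or less). Result is in the MTBF's unit."""
    if not 0.0 < unavailability <= 0.05:
        raise ValueError("linear approximation needs 0 < unavailability <= 0.05")
    if protective_mtbf <= 0:
        raise ValueError("protective_mtbf must be positive")
    return 2.0 * unavailability * protective_mtbf


def assess_standby_generator() -> dict:
    target = 1e-6                    # page: 1 in a million (combat aircraft figure)
    p_main_fails = 1e-3              # constructed: main generator failure probability
    standby_mtbf_days = 20 * 365.0   # constructed: standby generator MTBF
    current_unavail = 0.01           # constructed: standby is failed 1% of the time
    current = multiple_failure_probability(p_main_fails, current_unavail)
    allowed = max_unavailability(target, p_main_fails)
    return {
        "current_p_multiple": current,
        "meets_target_now": current <= target,
        "allowed_unavailability": allowed,
        "ffi_days": failure_finding_interval(allowed, standby_mtbf_days),
    }


if __name__ == "__main__":
    for key, value in assess_standby_generator().items():
        print(f"{key}: {value}")
```

With these constructed inputs the standby generator misses the target at 1% unavailability and would need checking roughly every two weeks to meet it.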


       © ASPIRE CONSULTING LTD +44 (0) 1827 723820