3.3.2.1 Definition of the life distribution

Much discussion has taken place over the choice to model lifetimes as random variables. Suffice it to say that the most satisfactory explanation is that the factors influencing the lifetime of a unit are numerous, not all fully understood, and sometimes not controllable. In a sense, the choice to describe lifetimes as random is a cover for this (inescapable) ignorance [17, 61] . In some rare cases, it might be possible in principle to identify precisely the lifetime of a particular component. This would involve a deep understanding of the physical, chemical, mechanical, and thermodynamic factors at play in the operation of the component, as well as extremely precise measurements of the geometry, morphology, electrical characteristics, etc., of the component. Even if it were possible in principle to acquire such understanding, it would be prohibitively expensive in practice, and the knowledge obtained about the lifetime of a component A would not be transferrable to any knowledge about the lifetime of a component B from the same population because components A and B are not likely to be identical to the degree necessary to justify not having to perform all the same measurements on component B also. Clearly, this is an impossible situation.

What we do instead is attempt to describe the distribution (in the probabilist’s sense) of the lifetimes of a population of “similar” components. For example, imagine a collection of 8 μF, 35-V tantalum electrolytic capacitors in an epoxy-sealed package manufactured by Company C during July 2011. Assuming the manufacturing process at Company C did not change during July 2011, we may reasonably assume that these are “similar” components for the purposes of calling them a “population” in the sense that a statistician would do. Every member of the population has a (different) lifetime that, under specified operating conditions, is fixed but unknown. The difference in lifetimes may be explainable by differences in raw materials, manufacturing process controls, varying environmental conditions in the factory, etc. Instead of trying to ascertain the lifetime of each individual in a deterministic fashion, what we do instead is consider populations of similar components and assign a distribution of the lifetimes (under specified operating conditions) in each population. A distribution of lifetimes for a population is called the life distribution for that population. The life distribution is a cumulative distribution function (“cdf”), in the sense that it is used in probability theory, and is often (though this is not obligatory) denoted by the upper case letter F (or sometimes F_L if it is necessary to explicitly call out the pertinent lifetime random variable). Thus, denoting by L the lifetime of a component drawn at random from the population,

Here, x is a variable that is at your disposal (we will call this a discretionary variable). You specify a value of x and the life distribution value at that x is the probability that a unit chosen at random from that population has a lifetime no greater than x, or, in other words, fails at or before time x. For instance, suppose a population of components has a life distribution given by F(x) = 1 − exp(−x/1000) for x ≥ 0 measured in hours. Then the probability that a component chosen at random from that population fails at or before 1 year is F(8766) = 1 − exp(−8.766) = 0.999844 which is almost certainty. We will return to this example later to explore some of the other things it has to teach but before we do, here is a picture (Figure 3.1).

The dashes at the end of the curve serve to indicate that the curve continues further to the right. A life distribution need not be continuous (as drawn), and it may have inflection points (not shown), but it is always nondecreasing and continuous from the right (see Section 3.3.2.3).

Example: Suppose the population of tantalum capacitors described earlier has a life distribution given by

when operated at 20°C. Suppose 100 capacitors from this population are placed into operation (at 20°C) at a time we will designate by 0. After 1000 hours of uninterrupted operation have passed, what is the expectation and standard deviation of the number of capacitors that will still be working?

Solution: The number of capacitors still working at time x has a binomial distribution with parameters 100 (the number of trials in the experiment) and the probability of survival of one capacitor past time x. For x = 1000, this probability is

As the expected value of a binomial random variable with parameters n and p is np, the expected number of capacitors still working after 1000 hours is 100 × 0.92364 = 92.364. The variance of a binomial distribution with parameters n and p is np(1 − p), which in this case is equal to 7.05292. Consequently, the standard deviation of the number of capacitors still working after 1000 hours is equal to 2.65573.

Requirements tip: We have carried out the computations in this example to five decimal places, which is far more than would be desirable in almost any systems engineering application, solely for the purposes of illustrating the computations. Choose the appropriate number of decimal places whenever a quantity is specified in a requirement. The choice is often dictated by economic factors, practicality of measurement factors, and/or commonsensical factors that indicate how many places is too many for the application contemplated. For instance, specifying the length of a football field, in feet, to two decimal places is too much precision, whereas specifying the dimensions (in inches) of a surface-mount component may require more than two decimal places. Note that the units chosen bear on the decision as well.

3.3.2.2 Definition of the survivor function

The example points to another useful quantity in reliability modeling of nonmaintained units, and that is the survivor function or reliability function. The survivor function is simply the probability that a unit chosen at random from the population is still working (“alive”) at time x:

and is consequently one minus the life distribution (the complement of the life distribution) at x. Again, a subscript L is sometimes used if it is necessary to avoid ambiguity.

Note that we have consistently pointed out that the discretionary variable x is nonnegative in lifetime applications. This is because, for obvious physical reasons, a life distribution can have no mass to the left of zero. That is, the probability of a negative lifetime is zero. Lifetimes are always nonnegative, so when L is a lifetime random variable, there is no point in asking for P{L ≤ x} when x < 0 because P{L ≤ x} = 0 whenever x < 0.

3.3.2.3 Properties of the life distribution and survivor function

This discussion leads naturally into a discussion of other useful properties of life distributions. We consider four of these:

1. The life distribution is zero for x < 0.
2. The life distribution is a nondecreasing function of x for x ≥ 0.
3. F(0⁻) = 0 and F(+∞) = 1.
4. The life distribution is continuous from the right and has a limit from the left at every point in [0, ∞).

Return to Figure 3.1 to explore how the generic (continuous) life distribution shown there has these properties. We have indicated in Section 3.3.2.1 how the first property comes about. For the second property, consider that F(x) is the probability that a unit⁵ fails before time x. That is, F(x) is the probability that the unit fails in the time interval [0, x]. Choose now x₁ and x₂ with x₁ < x₂ and consider F(x₁) and F(x₂). The interval [0, x₂] is larger than (and in fact contains) the interval [0, x₁], so there are more opportunities for the unit to fail in the additional time from x₁ to x₂.⁶ Thus F(x₂) must be at least as large as F(x₁), which is property 2. From property 3, F(0⁻) = 0 says that the limit as x → 0 from the left (i.e., through negative values) of the probability that a unit fails immediately upon being placed into operation is zero. F(+∞) = 1 says that every unit in the population eventually fails. There are situations in which we may wish to assume F(0) > 0 (an example is given by a switch that fails to operate when called for) or F(+∞) < 1 (an example could be some component that is certain to not fail until after the service life of the system in which it is used is expired). But in most cases, property 3 is used as stated. Finally, the continuity of the life distribution from the right is a consequence of the choice of ≤, rather than <, in the cdf definition of life distribution. An equally satisfactory probability theory can be constructed on the choice of < (and in fact many notable probability textbooks do this), but the convention we have chosen to follow is as above, and in this case the cdf is continuous from the right (in the other case, it is continuous from the left).

Language (and notation) tip: For most of the life distributions in common use in reliability engineering, it is immaterial whether the < sign or the ≤ sign is chosen, because these life distributions are continuous. However, once the choice is made, it is important to continue the current analysis with the same choice throughout for consistency. This only matters when the life distribution has discontinuities (such as the switch life distribution, used in the example in Section 3.4.5.1, which contains a non-zero turn-on failure probability). Even when all life distributions in a study are continuous and it doesn’t make any difference to the outcome, it is just sloppy practice to switch between < and ≤ arbitrarily. When working with someone else’s analysis, endeavor to determine which choice was made and whether it is consistently applied.

Because the survivor function S is the complement of the life distribution F (i.e., S = 1 − F), the corresponding four properties for the survivor function are

1. The survivor function is one for x < 0.
2. The survivor function is a nonincreasing function of x for x ≥ 0.
3. S(0⁻) = 1 and S(+∞) = 0.
4. The survivor function is continuous from the left and has a limit from the right at each point in [0, ∞).

Language tip: The survivor function is also sometimes called the reliability function. Recalling our discussions from the Foreword and Chapter 2, the fact that we have just encountered yet another use of the same word “reliability” should strengthen your resolve to master potential confusions inherent in this language and be prepared to clarify for your teammates, customers, and managers another of the many unfortunate language clashes that abound in reliability engineering.

3.3.2.4 Interpretation of the life distribution and survivor function

The easiest way to maintain a consistent interpretation of the life distribution and survivor function is to visualize

• the population of components to which they apply and
• the “experiment” of choosing an item from that population at random.⁷

When you make this choice at a certain time (call it t, meaning that you have chosen some time to start a clock and that clock now measures t time units later), the probability that the item chosen is still alive (“working”) at that time is given by the value of the survivor function S(t) for that population. Because of the nature of selection at random without replacement, the number of items in the population still alive at time t is a random variable having a binomial distribution. If the initial size of the population is A < ∞ and N(t) denotes the (random) number of items still alive at time t, then

This is a binomial distribution with parameters A and S(t). Its mean is AS(t) and its standard deviation is . So the expected proportion of the population that is still alive at time t is AS(t)/A = S(t). As more time passes (t increases), this proportion does not increase.

Similarly, the (random) number of items that have failed by time t (or, to put it another way, the number of items that have failed in the time interval [0, t] from 0 to t) has a binomial distribution with parameters A and F(t) = 1 − S(t).

Language tip: Note that we have used t and x interchangeably in this section to denote a discretionary variable having the dimensions of time. This is not cause for alarm. It is routinely acceptable provided the definition is clear and the same letter is used consistently throughout each application.

3.3.3.1 Density

Should it happen that the life distribution is absolutely continuous (i.e., can be written as an indefinite integral of some integrable function), that integrable function is called the density of the lifetime random variable. So if we can write

for some integrable function f, then f is called the density of F. If this is the case, then F is necessarily continuous at every x for which this equation holds. More simply, if F is differentiable on an interval (a, b), then it is absolutely continuous there and f(x) = F΄(x) = dF/dx for x ∈ (a, b). Because of properties 1 and 2 of life distributions, we have f(x) = 0 for x < 0 and f(x) ≥ 0 for x ≥ 0. Most of the life distributions in common use in reliability modeling have densities (see the examples in Section 3.3.4) (Figure 3.2).

Example: Suppose F(t) = t/(1 + t) for t ≥ 0 and F(t) = 0 for t < 0. Then properties 1, 3, and 4 (Section 3.3.2.3) are readily verified. Also, F is differentiable on [0, ∞) and F΄(t) = 1/(1 + t)² > 0 there, so F is increasing (property 2) and f(t) = 1/(1 + t)² is its density. Thus, this F is a life distribution with a density.

3.3.3.2 Interpretation of the density

When the lifetime L has a distribution F that has a density in a neighborhood of a point t, we may write

That is, for a small positive increment ε, the probability that an item chosen at random from the population fails in the (small) time interval [t, t + ε] is approximately ε times the value of the density at t. Note that this item may have already failed before time t—there is no requirement that the item be alive at the beginning of this interval. Contrast this with the hazard rate interpretation discussed in Section 3.3.3.5.

3.3.3.3 Return to the stress–strength model

The stress–strength model was introduced in Section 2.2.7 and the example of destruction of a single complementary metal-oxide semiconductor (CMOS) integrated circuit was explained as resulting from a single environmental stress, namely the application of a voltage stress exceeding the strength of the oxide in the device. Here we explore the stress–strength model in a population of devices and an environment that can offer a range of stresses.

Imagine that a population of devices has a range of strengths that is described by a strength density. That is, for some device characteristic V that indicates “strength” (e.g., oxide breakdown voltage), there is a density f_V characterizing that population with respect to that strength variable, or characteristic. That means that we describe the strength of an item drawn at random from the population by a random variable V that has density f_V, and when that item is subjected to a stress greater than V, it fails. Further suppose that the environment offers stresses (on the same scale) described by a random variable S with density g_S. Figure 3.3 shows this relationship graphically. The density of stresses offered by the environment, g_S, and the density of strength in the population of devices, f_V, is shown on the same axes. Figure 3.3 depicts a situation where most of the population strengths are greater than most of the environmental stresses, except for the small area where the two densities overlap. For a stress in this area (a value indicated by the × on the horizontal axis), a device whose strength is to the left of this stress (weaker than this stress) will fail. In this picture, this small area indicates that there are few devices in the population whose strength is less than (to the left of) this value. The area under the stress density to the right of the chosen stress value is also small, and this indicates that stresses so large are rarely offered (most stresses are less than this value, or almost all of the stress density lies to the left of this value).

The probability of failure, P{S > V}, is the probability that a stress chosen at random from the population of stresses (described by the density g_S) exceeds the strength of a device chosen at random from the population of devices whose strength density is f_V. Then the probability of failure of a device drawn at random from that population, when subjected to a stress drawn at random from that environment, is

as long as we assume the environmental stresses are stochastically independent of the population strengths.

Note that neither of these relates to time to failure. The distributions (densities) here are both on a scale of some physical property (e.g., volts). To develop this model further to the point where a lifetime distribution could be obtained, it would be necessary to describe the times at which the environment offers stresses of a given size. This could be done with, for example, a compound Poisson process in which at each (random) time an event occurs, a stress of a random magnitude is applied. Some details of this model may be worked out in Exercise . A deeper discussion of stress–strength models is found in Ref. 38.

3.3.3.4 Hazard rate or force of mortality

The second related quantity, one that is widely used in modeling the reliability of nonmaintained units, is the hazard rate. The hazard rate is customarily denoted by h, and the definition of hazard rate is

when the limit exists. This is the hazard rate of the lifetime random variable L. It is also sometimes spoken of as the hazard rate of the life distribution. Note this definition contains a conditional probability, and, unlike the quantities we have studied so far which are dimensionless, the hazard rate has the dimensions of 1/time (probability is dimensionless and ε has the dimensions of time).

In case F is absolutely continuous at x, the hazard rate may be computed as follows:

If we further assume F is differentiable, the differential equation

with initial condition F(0) = α may be solved to yield

Thus when the life distribution is differentiable, there is a one-to-one correspondence between the life distribution and its hazard rate. Knowing either one enables you to obtain the other. Most often α will be zero, but it is useful to know the expression for life distribution in terms of hazard rate even when α > 0. An example of a component whose life distribution is a switch for which the probability of failure when it is called upon to operate is α > 0.

3.3.3.5 Interpretation of the hazard rate

Return to the definition above to see that

as ε → 0⁺. Imagine for the moment that time is measured in seconds and consider this equation for ε = 1 (second). Then the hazard rate at x is approximately equal to the conditional probability of failure in the next second (i.e., before time x + 1) given that the unit is currently alive (using time x to represent the current time). So the hazard rate is something like the propensity to fail soon given that you are currently alive. In fact, the concept of hazard rate is lifted directly from demography, the study of lifetimes of human populations, where it is called the force of mortality. This description is very apt: the hazard rate, or force of mortality, describes how hard nature is pushing you to die (very) soon when you are alive now.

Example: Let F(x) = 1 − exp((−x/α) ^β) for x ≥ 0 and F(x) = 0 for x < 0, where α and β are positive constants. This is readily verified to be a life distribution (Exercise 2). Its particular properties depend on the choice of the constants α and β which are called parameters. This life distribution is called the Weibull distribution in honor of the Swedish engineer, scientist, and mathematician Ernst Hjalmar Wallodi Weibull (1887–1979). See also Section 3.3.4.3. This distribution has a density

for x ≥ 0. Consequently, the hazard rate of the Weibull distribution is given by

again for x ≥ 0.⁸ It follows from this expression that the hazard rate of the Weibull distribution may be increasing, decreasing, or constant, depending on the choice of β: if β < 1, the hazard rate is decreasing, if β > 1, the hazard rate is increasing, and if β = 1, the hazard rate is constant. The special case β = 1 has a long and extensive usage in reliability modeling: it is the exponential life distribution F(x) = 1 − exp(−(x/α)) (Section 3.3.4.1). We have seen that the hazard rate of the exponential distribution is constant; it has been shown that this is the only life distribution in continuous time whose hazard rate is constant [34] (the geometric probability mass function p(x) = (1 − α)α ^x−1 for x = 0, 1, 2, . . . and 0 < α < 1 is a life distribution on a discrete time scale that has a constant hazard rate, and it is the only life distribution in discrete time that is so blessed [35] ). We will explore additional properties of the exponential distribution when we discuss more examples in Section 3.3.4.

Finally, contrast the interpretation of hazard rate with the interpretation of density given in Section 3.3.3.2. Owing to the equation

ε times the density at t is approximately equal to the probability that a lifetime falls between t and t + ε, that is, the probability that L > t and L ≤ t + ε. Here, we are selecting a unit at random from the population and asking if its lifetime is between t and t + ε. The hazard rate, instead, satisfies

which indicates that ε times the hazard rate at time t is approximately equal to the conditional probability that a lifetime expires (at or) before t + ε, given that it is greater than t. Here, we are selecting from a restricted portion of the population, namely that set of units whose lifetimes are greater than t (those that are still alive at time t). Selecting a unit at random from those, we ask what is the probability that the lifetime of that unit does not exceed t + ε. In more mathematical terms, this is the difference between P(A ∩ B) and P(A | B).

Language tip: The hazard rate or force of mortality is almost always called the failure rate of the relevant life distribution. This is unfortunate, the more so because it is almost universal, because the word “rate” makes engineers think of “number per unit time,” and there is nothing like that going on here (even though the dimensions of the hazard rate are 1 over time). The closest one can come to interpreting “hazard rate” as a rate is as in the following example. Suppose the population of units we are considering initially contains N members and we start all of these operating at an arbitrary time we shall label “zero.” At a later time x, the expected number of failed units is NF(x) (where F is the life distribution for this population) and the expected number of units still working is NS(x) = N(1 − F(x)). One of these still-alive units fails before time x + 1 with probability approximately equal to h(x).⁹ So the hazard rate is like the proportion of the remaining (still-alive) population that is going to fail very soon. This looks like a “rate” when referred to the number of remaining (still-alive or “at-risk”) members of the population. Extended discussion of this deplorable situation is available in Ref. 2. See also the “Language Tips” in Section 4.4.2.

Requirements tip: Be very careful when contemplating writing a requirement for “failure rate.” Because the phrase can be interpreted in (at least three) different ways in reliability engineering, it is vital that you specify which meaning is intended in the requirement. For this reason, it is probably best to avoid “failure rate” altogether in requirements. Instead, spell out the specific reliability effectiveness criterion intended. For example, “The number of system failures shall not exceed 3 in 25 years of operation under the specified conditions” is preferable to “The system failure rate shall not exceed 1.37 × 10⁻⁵ failures per hour during the service life of the system when operated under specified conditions.” Indeed, the latter formulation tends to induce one to think that system failures accrue uniformly over time, while the former formulation allows for arbitrary patterns of failure appearance in time, as long as the total number does not exceed 3 in 25 years.

The concept of cumulative hazard function will be useful later in the study of certain maintained system models (Section 4.4.2). The cumulative hazard function H is simply the integral of the hazard rate over the time scale:

It is easy to see that H(t) can also be written as H(t) = −log S(t) = −log [1 − F(t)].

3.3.4.1 The exponential distribution

The lifetime L has an exponential distribution if P{L ≤ x} = 1 − exp(−x/α) for x ≥ 0 and α > 0. α is called the parameter of the distribution. As x has the dimensions of time, so does α because the exponent must be dimensionless. In fact, α is the mean life:

The exponential distribution has a density, namely (1/α) exp(−x/α). Consequently, the hazard rate of the exponential distribution is constant and is equal to 1/α. Note this has the units of 1 per time as it should. The variance of the exponential distribution is

so its standard deviation is α. The median of the exponential distribution is the value m for which P{L ≤ m} = 0.5; solving exp(−m/α) = 0.5 for m yields m = α log 2.

Frequently, the exponential distribution is seen with the parameterization 1 − exp(−λx) for λ > 0. This is perfectly acceptable; simply replace α by 1/λ in all the earlier statements.

The exponential distribution is also blessed with a peculiar property called the memoryless property. As a consequence of the following computation

we see that if an item’s lifetime L has an exponential distribution, then the probability that the item will fail after the passage of a (additional) units of time is the same no matter how old the item is. That is, if the item is currently x time-units old, then the probability of the item’s surviving to time x + a is the same as the probability that a new item survives to time a, regardless what x may be. To get some sense of how peculiar a property this is, consider the purchase of a used flat-screen television. If reliability were your only concern, and the life distribution of the (population of) flat-screen TV(s) were exponential, then you would be willing to pay the same price for a used flat-screen TV of any age as you would for a new one. Of course, there are other factors at play here, and reliability is not your only concern, but the example serves as a caution you should remember when you contemplate using the exponential distribution for the lifetime or a nonrepairable item. The exponential distribution is the only life distribution (in continuous time) that has this property [34].

One reason for the popularity of the exponential distribution in reliability modeling is that it is the limiting life distribution of a series system (Section 3.4.4) of “substantially similar” components [15] . In this context, “substantially similar” has a precise technical meaning which we will defer discussing until Sections 3.4.4.3 and 4.4.5 when a similar result (Grigelionis’s theorem [53] ) will be seen as relevant to both maintained and nonmaintained systems. Implications for field reliability data collection and analysis are discussed in Chapter 5.

3.3.4.2 The uniform distribution

A random variable L is said to have a uniform distribution on [a, b], a < b, if

If a ≥ 0, the uniform distribution can be used as a life distribution. In this model, the lifetimes are between a and b with probability 1, and the distribution has the name “uniform” because the probability that a lifetime lies within any subset of [a, b] of total measure τ, say, is τ/(b − a) regardless where within [a, b] this subset may lie (as long as it lies wholly within [a, b]). The density of the uniform distribution is 1/(b − a) on [a, b] and zero elsewhere. The expected value of a uniformly distributed lifetime is (a + b)/2 and the variance is (b − a)²/12. In other uses of the uniform distribution, a may be negative, but for use as a life distribution a must be nonnegative. See Exercise 6 for the hazard rate of the uniform distribution.

3.3.4.3 The Weibull distribution

The lifetime L has a Weibull distribution if P{L ≤ x} = 1 − exp(−(x/α) ^β) for x ≥ 0 and α > 0, β > 0. α and β are the parameters of the distribution. As we saw in the example in Section 3.3.3.4, the Weibull distribution has a density

and its hazard rate is

all for x ≥ 0.

As noted previously, the hazard rate for the Weibull distribution can be increasing, decreasing, or constant, depending on the value of β (Table 3.1).

When β = 1, the Weibull distribution reduces to the exponential distribution (Section 3.3.4.1). The Weibull distribution with β > 1 is frequently used to describe the lifetimes in a population of items that may suffer mechanical wear. For example, ball bearings normally exhibit wear (decrease of diameter) as they continue to operate.¹⁰ A population of identically sized ball bearings made of the same material, when operated continuously, will accumulate more and more failures due to wear as time increases. That is, failures will begin to accumulate more rapidly the longer the population continues in operation. This phenomenon is labeled “wearout” in reliability engineering, the term being inspired by the concept of mechanical wear such as illustrated in this example. Note that this example treats a nonrepairable item. Any individual ball bearing may suffer at most one failure; the “accumulation of failures” pertains to multiple failures in a population of many bearings, each of which may fail at most once. See Section 3.3.4.8 for additional development of this idea.

Finally, the Weibull distribution is the limiting distribution of the smallest extreme value (i.e., the minimum) of a set of independent, identically distributed random variables [27] . The lifetime of a component under the competing risk model (Section 2.2.8) is a smallest extreme value. This may account for the frequent appearance of the Weibull distribution as a reasonable description of the lifetime of individual components.

3.3.4.4 a life distribution with a “bathtub-shaped” hazard rate

Demographers have determined that the force of mortality in human populations follows a broad U-shaped, or “bathtub-shaped,” curve (see Figure 3.4).

The commonly accepted explanation for this shape posits that the decreasing force of mortality in early life comes from infant mortality and the diseases that afflict the young, which, after some period of time, are outgrown and subsequently exert little influence on the population. The increasing force of mortality in late life is due in large part to the finite lifetime of human beings (see Exercise 6), but is also due to what are termed “wearout mechanisms” such as atherosclerosis, loss of telomeres, and others, that promote earlier death. The (approximately) constant force of mortality in mid-life is primarily due to deaths caused by accidents that occur at random times and the rarer occurrence of diseases that strike prematurely in middle age. A similar interpretation obtains in reliability engineering: decreasing force of mortality in the early part of the lifetime in a population of components is explained by the early failure of some components in the population that have manufacturing defects (see Section 3.3.6) that cause them to fail prematurely (such failures are often referred to as “infant mortality failures”). Increasing force of mortality in the later part of the lifetimes is explained by physical and chemical wearout mechanisms such as mechanical wear, depletion of reactants, increase of nonradiative recombinations, increase in the number and/or size of oxide pinholes, etc. Indeed, the presence of an increasing hazard rate is often taken as a symptom of the presence of an active wearout failure mode, even if no physical, chemical, or mechanical wearout explanation can be discerned. The constant force of mortality during “useful life” is due primarily to the occurrence at random times of shocks whose stresses exceed the strengths of the components (see Section 3.3.3.3 and Exercise 1).

None of the life distributions discussed elsewhere in this section has a force of mortality with this shape. To develop such a life distribution, we need to employ the method shown in Section 3.3.3.4 in which a life distribution is developed from a hazard rate by the integral formula shown there.

At least one attempt at implementing a practical version of such a life distribution has been made. Holcomb and North [30] introduced a life distribution of this type for electronic components. Their model is a Weibull distribution describing the component’s reliability until a time called the crossover time, at which time it changes to an exponential distribution that applies thereafter. That is, the population life distribution is described by a Weibull distribution up until the crossover time, and the (conditional) life distribution of the subset of the population that survives beyond the crossover time is an exponential distribution. This distribution is continuous everywhere and has a density everywhere except at t_c. The hazard rate model is as follows:

This model contains four parameters, λ₁, λ_L, t_c, and α. λ₁ > 0 is the early life hazard rate coefficient and represents the hazard rate of the life distribution at t = 1 (conventionally, the time unit in this model is hours). α > 0 is the early life hazard rate shape parameter; it represents the rate at which the hazard rate decreases until time t_c. At time t_c, the hazard rate becomes equal to a constant λ_L > 0. The model further imposes the condition that the hazard rate be continuous, so the four parameters are not independent. They are linked by the relation

Note that while this hazard rate model allows for a decreasing hazard rate in early life and a constant hazard rate in “mid-life,” the increasing hazard rate characteristic of wearout is not present. This is because it was reasoned that wearout mechanisms in electronic components take so long to appear that the service life of the equipment or system is over before this occurs.¹¹ Finally, note that in this model the conditional life distribution of components, given that they survive beyond t_c, is exponential with parameter 1/λ_L.

For the life distribution and density corresponding to this hazard rate model, see Exercise 7.

3.3.4.5 the normal (Gaussian) distribution: a special case

A random variable Z has a standard normal (or standard Gaussian) distribution if

the mean of this distribution is 0 and its variance is 1 (this is the definition of “standard” for the normal distribution and the explanation of the subscript on the Φ). The density of this distribution is given by

Clearly, evaluating the normal distribution is not a paper-and-pencil exercise. The old-school method is to use the table of standard normal percentiles, which appears in all elementary statistics textbooks; the tables are usually constructed by numerical integration or polynomial approximation [1] . Now, all statistical software and many scientific calculators include a routine for evaluating the standard normal distribution, and many office software programs, such as Microsoft Excel^®, also include this capability.

If Z is a standard normal random variable, the random variable σZ + μ has mean μ and variance σ² where −∞ < μ < ∞ (could be negative!) and σ > 0; the distribution of σZ + μ is conventionally denoted by Φ_(μ,σ) or simply Φ if μ and σ are clear from the context. Correspondingly, if Z is a normally distributed random variable having mean μ and standard deviation σ, then (Z − μ)/σ has a standard normal distribution. The normal distribution is also called the Gaussian distribution in honor of the great mathematician Carl Friedrich Gauss (1777–1855) who first used it to describe the distribution of errors in statistical observations.

The normal distribution is not a life distribution because it has mass to the left of 0, i.e., it gives positive probability to negative lifetimes. Nonetheless, some studies use a normal distribution with large positive μ and small σ as an approximate life distribution because when μ is large positive and σ is small, the probability that the lifetime is negative is quite small and may for some purposes (e.g., computing moments) be neglected. However, the normal distribution is not appropriate for use with many of the important models for the reliability of a maintainable system. For example, the equations of renewal theory (Section 4.4.1) fail for the normal distribution (even if μ is large positive and σ is small).

Some studies make use of a truncated normal distribution to avoid the difficulty with negative lifetimes. A truncation of a normal distribution with parameters μ and σ is the conditional distribution of a random variable Y that is normally distributed with mean μ and variance σ², conditional on Y belonging to some interval. To use the truncated normal distribution as a life distribution, this interval would be [0, ∞], or the conditioning is on Y ≥ 0. If we denote by W the lifetime random variable described by this truncated distribution, then

and P{W ≤ w} = 0 for w ≤ 0 so that the truncated normal distribution is a bona fide life distribution. Note that the mean and variance of the truncated normal distribution are no longer μ and σ². For more details on the truncated normal distribution, see Ref. 28.

3.3.4.6 the lognormal distribution

A lifetime L is said to have a lognormal distribution if the logarithm of the lifetime has a normal distribution. That is,

Note that while L ≥ 0, log L may have any sign because the logarithms of numbers between 0 and 1 are negative. If Y has a normal distribution, then L = e^Y has a lognormal distribution. If μ and σ are the parameters of the underlying normal distribution, then the mean of the lognormal distribution is and its variance is .

The lognormal distribution has been successfully used for modeling repair times of complex equipment [37, 51]. Its hazard rate is decreasing as t → ∞, leading to the interpretation that when equipment is complex, repairs are often complicated, and the longer a repair lasts, the less likely that it is that it will be completed soon. For example, times to complete repairs for undersea telecommunications cables that require a repair ship to visit the site of the failure have been postulated to follow a lognormal distribution, but citations in the literature are hard to find.¹²

3.3.4.7 The gamma distribution

The lifetime L has a gamma distribution if

where α > 0 and k > 0 are the location and shape parameters, respectively, of the distribution, and Γ is the famous gamma function of Euler (Leonhard Euler, 1707–1783), defined by

for x > 0. The gamma function is perhaps most well-known for being an analytic function that interpolates the factorial function: Γ(n + 1) = n! whenever n is a positive integer. α is a location parameter and k is a shape parameter (α has the units of time and k is dimensionless); when k = 1 the gamma distribution reduces to the exponential distribution (Section 3.3.4.1) with parameter α. The importance of the gamma distribution in reliability modeling lies largely in its property that the gamma distribution with parameters α and n (n an integer) is the distribution¹³ of the sum of n independent exponential random variables, each of which has mean α. Actually, more is true: the sum of two independent gamma-distributed random variables with parameters (α₁, ν) and (α₂, ν) again has a gamma distribution with parameters (α₁ + α₂, ν), and of course this extends to any finite number of summands as long as the shape parameter ν is the same in each. There is a natural connection with the life distribution of a cold-standby redundant system (see Section 3.4.5.2 for further details).

The density of the gamma distribution is given by

Consequently, the hazard rate of the gamma distribution is given by

again for x > 0. When k = 1, this reduces to 1/α, a constant, as it should because for k = 1 the gamma distribution is the exponential distribution. The hazard rate is clearly increasing for k > 1; it is the content of Exercise 3 that the hazard rate is decreasing when 0 < k < 1. So the behavior of the gamma distribution is similar to that of the Weibull distribution according to the shape parameters (Table 3.2).

The mean of the gamma distribution is kα and its variance is kα².

The main importance of the gamma distribution elsewhere comes from its relation to commonly used quantities in statistics that we use in Chapters 2, 5, 10, and 12. The sample variance from a population having a normal distribution has a gamma distribution. Formally, if X₁, X₂, . . ., X_n are normally distributed random variables with mean 0 and variance σ², then X₁ ² + X₂ ² + ⋅ ⋅ ⋅ + X_n ² has a gamma distribution with parameters 1/2σ² and n/2. For historical reasons, this distribution when σ = 1 is also called the chi-squared distribution with n degrees of freedom (Karl Pearson, 1857–1936). Other important quantities in statistics have distributions related to the gamma distribution, including student’s T-statistic (student was a pseudonym adopted by William Sealy Gosset (1876–1937) to enable him to publish his works over the objections of his employer, the Guinness brewing company), Snedecor’s F-statistic (George W. Snedecor, 1871–1974), and Fisher’s Z-statistic (Sir Ronald A. Fisher, 1890–1962) all have distributions than can be expressed in terms of the gamma function and distribution. For details, see Ref. 21.

3.3.4.8 mechanical wearout and statistical wearout

“Wearout” is used in two senses in reliability engineering. Mechanical wearout is the physical phenomenon of loss of material during sliding, rolling, or other motion of materials against one another. Statistical wearout is the mathematical property of increasing hazard rate of a life distribution when the hazard rate does not decrease after the period of increase being described. The second interpretation arose because of the first: a population of devices subject to (physical) wearout will exhibit a life distribution with an increasing hazard rate in later life. The following example may help illustrate this phenomenon.

Example: A population of 5/8″ ball bearings is operated under nominal conditions under which their diameter decreases by X ten-thousandths of an inch per hour, where X is a random variable having a uniform distribution on [1, 4] (see Section 3.3.4.2). A ball bearing is declared failed when its diameter has decreased by 0.010″. What is the distribution of lifetimes L in this population of ball bearings? For a ball bearing that we label ω, the rate of decrease of its diameter is X(ω), and the amount of time (in hours) it takes for that ball bearing to decrease by 0.010″, which is 100 ten-thousandths, is 100/X(ω) hours. Our task, then, is to find the distribution of 100/X when X has the stated uniform distribution. We know that

Then

The density of this distribution is 100/3y ² for 25 ≤ y ≤ 100, and zero elsewhere. So the hazard rate of this distribution is 100/y(100 − y) for 25 ≤ y ≤ 100, and zero elsewhere. This is clearly seen to be an increasing function of y as y → 100⁻ (i.e., as y approaches 100 from the left, or through smaller values, which is what the superscripted minus sign is supposed to convey). This example, while not generic, does illustrate the connection between physical wearout and the mathematical interpretation of wearout as an increasing hazard rate with increasing time. See also Exercises 6, 20, and . Further discussion may be found in Ref. 24.

Another way to understand this phenomenon is to imagine that all the ball bearings wear at exactly the same (constant) rate, say 2.5 ten-thousandths of an inch per hour. Then every ball bearing fails at 40 hours exactly. Then a small variation in the rate of wear (i.e., 0.00025″/hour ± a little bit) will translate into some variation in the failure times (40 hours ± a little bit¹⁴). The failure time density will be zero until shortly before 40 hours (i.e., up until 40 – the little bit) and then it will increase rapidly to a maximum near 40 hours and then decrease again rapidly to zero (at 40 + the little bit). The survivor function of the lifetimes will be zero until shortly before 40 hours, and then will decrease rapidly to zero shortly after 40 hours. Think about the quotient of these two quantities (the hazard rate): from shortly before 40 hours until at least 40 hours, the numerator is increasing rapidly while the denominator is decreasing. The quotient is therefore increasing, at least until the density peaks. Deeper analysis would reveal that the hazard rate continues to increase until “shortly after 40 hours,” but that is not the point of this illustration. The point is that under very general conditions, physical wearout, even at random rates, leads to an increasing hazard rate life distribution, which is the characteristic of wearout in the statistical (or mathematical) sense.

3.3.5.1 accelerated life models

Accelerated life models are among the simplest models for relating the life distribution of a population of objects operated under a given set of environmental conditions to the life distribution of that population operated under a different set of environmental conditions. We describe two accelerated life models in this book, the strong accelerated life model and the weak accelerated life model, and the proportional hazards model which in analogous terminology might be called the accelerated hazard model.

The strong accelerated life model postulates that there is a linear relationship between the individual lifetimes at the different conditions. If L₁ and L₂ are the lifetimes of an object when the conditions under which it is operated are C₁ and C₂, respectively, then the strong accelerated life model asserts that L₂ = A(C₁, C₂)L₁, where A is a constant depending on the two conditions C₁ and C₂.¹⁵ If many conditions change from one application to another, it is possible that C₁ and C₂ may be vectors. If the conditions are dynamic (may change with time), then C₁ and C₂ may be functions of time.

We begin our study with the simplest case in which the two conditions are constant. For example, condition C₁ may be a constant temperature of 10°C, while condition C₂ may be a constant temperature of 40°C. Typically, one of these conditions, say C₁, represents a “nominal” operating condition, that is, a condition under which life distribution estimates for the population are known (or the conditions prevailing when the data for these estimates were collected), and the other condition C₂ represents a condition under which operation of the system is anticipated in service with the customer. The types of environmental conditions that are typically encountered in engineering systems include

• temperature,
• humidity,
• vibration,
• shock, and
• mechanical load.

This list is far from all-inclusive. It includes only those conditions that are commonly encountered. Other more specialized conditions may include salt spray and immersion for marine environments, dust and oil spray for automotive environments, etc.

If a population follows the strong accelerated life model, the life distributions at the different environmental conditions differ only by a scale factor. In fact we have, for F₁ the life distribution of L₁ and F₂ that of L₂,

showing that the scale factor is 1/A(C₁, C₂). For the densities, we have

and for the hazard rates, we have

Example: Suppose that, under nominal conditions, a population of devices has a Weibull life distribution with parameters α = 20,000 and β = 1.4 (see Section 3.3.4.3). Under the strong accelerated life model, what are the new parameters of the life distribution when the population is operated at conditions for which the acceleration factor is 8? Denote by the subscript 1 the nominal conditions and by the subscript 2 the operating conditions (for which the acceleration factor is 8). Then

so the life distribution parameters under the operating conditions are α = 160,000 and β = 1.4.

From the example, we may gather that if the life distribution at nominal conditions has a certain parametric form, then the life distribution at any altered conditions continues to have the same parametric form when the strong accelerated life model applies (see Exercise 8).

We summarize the strong accelerated life model in Table 3.3.

In the strong accelerated life model, the defining equation L₂ = A(C₁, C₂)L₁ shows that the individual lifetimes under the two conditions are proportional. In fact, the probabilist would write L₂(ω) = A(C₁, C₂)L₁(ω) to emphasize that the proportional relationship holds for each individual lifetime (sample point ω in the sample space, or individual member of the population). This is a very strong assumption, but one that is in very common use. Weaker versions of the accelerated life model are available. One such is the weak accelerated life model that postulates the life distribution relationship F₂(t) = F₁(t/A(C₁, C₂)) without the assumption that the lifetimes are proportional as individuals. For this weaker model, all the relationships in Table 3.3 apply except for that in the first row. In practice, usually the weak accelerated life model is all that is needed to make sensible use of the accelerated life model ideas.

Requirements tip: In a reliability requirement, while you do specify the environmental conditions that will prevail during operation with the customer and under which the specified reliability is to be achieved, the model to be used when projecting reliability under the operating conditions when the base reliability estimates pertain under some other, “nominal,” conditions is not normally part of the requirement. The choice of model to use when projecting potential system life distributions or when analyzing field reliability data would normally be made by a reliability engineer who is familiar with the system, its components, and the operating environment(s). Systems engineers, while not necessarily themselves carrying out the computations involved, need to be aware of the options available and be able to ascertain whether the reliability engineer’s choice is suitable given all the conditions prevailing.

How do you tell whether an accelerated life model is appropriate? If you have lifetime data collected under two different operating conditions, then the strong accelerated life assumption is easily tested. From the defining equation of the strong accelerated life model, we have

Therefore, if the strong accelerated life model applies, a quantile–quantile plot (Q–Q plot) [45] of the logarithms of the lifetimes should have slope 1 and vertical intercept log A. The Q–Q plot is a graphical aid for determining when the strong accelerated life model might be appropriate and provides a method for an initial guess at the value of A.

The foregoing development leaves open the structure of the function A. In practice, different functions A are associated with different types of stresses (temperature, voltage, vibration, etc.). One of the most commonly used in reliability modeling is the Arrhenius relationship (Svante August Arrhenius, 1859–1927) for temperature:

where C and C₀ represent the two temperatures in °K (Kelvins), E is an activation energy in electron-volts (eV) particular to the material, and k is Boltzmann’s constant 8.62 × 10^–5 eV/°K. This equation was first used to describe the speeding up of chemical reactions when heat is added and has been widely used in reliability engineering as an empirical acceleration factor, even for phenomena that do not involve heat.

Example: Suppose that, when operated at 10°C, a population of devices has a Weibull life distribution with parameters α = 20,000 and β = 1.4 (see Section 3.3.4.3). Under the strong accelerated life model, what are the new parameters of the life distribution when the population is operated at 35°C? Assume the weak accelerated life model and that the Arrhenius relation holds for these devices with an activation energy of 1.2 eV.

Solution: The Kelvin temperatures corresponding to 10 and 35°C are 283.15 and 308.15, respectively. Then the acceleration factor is

so the life distribution of the population at 35°C is

Many other parametric acceleration functions are used for stress modeling. These include

• the Eyring equation , with the single parameter β, is used for temperature, humidity, and other stresses [16] ;
• the inverse power law model , with the single parameter n, is usually used for voltage [16] ; and
• the Coffin–Manson equation [18], similar to the inverse power law model, used for modeling fatigue under thermal cycling and modeling solder joint reliability.

Environmental conditions in operation may also vary with time. In this case, C₁ and C₂ may be functions of time. Generalizations of the accelerated life model can be devised to cover this case. One such generalization is a differential accelerated life model. This model postulates that the differential change in the lifetime of a unit is proportional to the current value of stress on the unit. Begin with the equation for the strong accelerated life model:

and include the time dependence of C:

If the life distribution in the population at condition C₀ is F₀, then the population life distribution after t time units has passed is

(see Section 6.4.3 of [41]). This model is used in analysis of data from accelerated life tests that use time-varying stresses such as ramp stress in which the stress takes the form C(t) = a + bt.

Many other models exist for relating the life distribution of a population operated at some set of environmental conditions to the life distribution of the same population operated at a different set of environmental conditions. Perhaps the most flexible of these is the acceleration transform developed by LuValle et al. [42] . See also Refs. 20, 43.

3.3.5.2 the proportional hazards model

The proportional hazards model is similar to the accelerated life model in that it postulates that certain quantities are proportional: in this case, it is the hazard rates, not the lifetimes, that are proportional. That is, the model postulates that

where h₁(t) (resp., h₂(t)) denotes the hazard rate of the population when the conditions under which the population is operated are described by C₁ (resp., C₂). Note the difference with the accelerated life model (Table 4.1). The proportional hazards model was first described by Cox [13] and is widely used in biomedical studies. h₁(t) is referred to as the “baseline hazard rate” and is usually associated with a nominal set of conditions such as the conditions under which the data characterizing the population were collected (i.e., the same idea as seen in the accelerated life model, Section 3.3.5.1). See Exercise 22.

3.4.1.1 system functional decomposition for tangible products and systems

Most often, nonmaintained items are not operated as individuals in isolation. There are exceptions, of course (the famous light bulb being a notable one), but real engineering systems almost always comprise many nonmaintained items and (possibly) maintained items and subassemblies operating together to perform the functions required of the system. So we would like to know how the lifetimes of such ensembles of nonmaintained items are related to the lifetimes of the individual items themselves. The system functional decomposition is a systematic description of how individual components and subassemblies operate together to enable the system to perform its required functions. There is a functional decomposition for every system requirement (of course it is possible that the same functional decomposition may apply to more than one requirement). The system functional decomposition is carried out to a level of detail necessary for which the life distributions of the components or subassemblies in the last layer of the decomposition are known or can be estimated. Before proceeding to the calculus of system reliability, that is, the methods for calculating the life distributions of higher level assemblies from their constituent components, we look at a few examples of system functional decompositions.

3.4.1.2 functional decomposition for services

The services share of the world economy is large and growing. Our study of systems engineering for sustainability includes reliability, maintainability, and supportability of services. Services as understood here include not only the activities traditionally understood as “services” such as telecom services, auto repair service, fuel delivery service, and the like but also the emerging category of computer-based services such as personal computer and smartphone applications, cloud computing services, etc. All of these have the properties that they are intangible and do not exist outside the context of transactions taking place between users and service providers. The key to successful sustainability engineering for services is the realization that all such services are provided by elements of some tangible infrastructure of systems and humans that have to operate together in specified ways to deliver a transaction in the service.

Consequently, the functional decomposition required for reliability engineering for services requires peeling back an additional layer. To properly understand service reliability requires adopting the perspective of the user of the service, and the service functional decomposition consists of a detailed step-by-step description of how the service is provided. That is, a service functional decomposition acts as a bridge between the infrastructure the service provider uses to deliver the service and the user’s understanding of the parts of a service transaction. Then with each step is associated the part(s) of the service delivery infrastructure that are involved in successful completion of that step. In this way, the reliability of the service (service accessibility, service continuity, and service release) [57] is expressed in terms of the reliability characteristics of those infrastructure components [58].

3.4.2.1 an automobile drivetrain

The drivetrain in an automobile consists of those components that are required for the automobile to move forward. At a level of detail appropriate for this example, we may list these components as the engine, transmission, driveshaft, differential, and the four wheels¹⁸ (a wheel comprises a rim and a tire). Each component listed is required for forward motion. If any component ceases to function, then the auto cannot be driven (for the purposes of this simple example, we are ignoring the possibility of partial failures such as loss of a single gear in the transmission) because one of the requirements of the auto is that be able to drive forward. Each component is a “single point of failure” in the sense that if it fails, then the system fails. Systems of this type are discussed in Section 3.4.4.

This example offers further instructional value. Most autos also carry a spare wheel so that if one of the active wheels fails (usually from a tire puncture), the wheel may be removed and replaced by the spare. This is an example of a system with “built-in redundancy.” Redundancy means that there are additional components or subsystems built into the system that may be called on to restore the system to functioning condition when some component of the system fails (of course, the redundant component must be of the same type as the component that failed). In this example, the spare wheel assembly is a “cold standby” redundant unit. This terminology arises from the idea that the spare unit does not operate and accumulate age until it begins service. Systems containing redundant units are discussed in Section 3.4.5.

3.4.2.2 A telecommunications circuit switch

Automatic circuit switching has a long history in the telecommunications industry, starting with the panel office of the 1920s through the step-by-step, crossbar, and stored-program-control electronic systems that were the last generation of circuit switches. Many electronic switching systems were designed for high reliability by being “fully duplicated.” That is, the system comprised two separate, identical call processing units that operated together. Every incoming call was handled by both processing units and sent on to its next destination. The idea was that should one of the call processing units suffer a failure, the other was operating right alongside it and would successfully route the call regardless. This is an example of a “hot standby” redundant system in which the standby or redundant unit(s) are operating (and aging) all the while the main or primary unit is providing service. Within each call processing unit, there are many line-replaceable units that are single points of failure for that individual call processing unit (but not for the system as a whole). This architecture, while costly, enabled extremely high availability: the availability objective for such systems in Bell System service was availability should be greater than 0.9999943, equivalent to an expected outage time of no more than 2 hours in 40 years of operation. See again Section 3.4.5 for discussion of redundant systems.

3.4.2.3 Voice over IP service using a session initiation protocol server

Here is an example of a functional decomposition for a service. Voice over Internet Protocol (VoIP) service is an example of a voice telecom service carried on a packet network. Session initiation protocol (SIP) is one of the ways of setting up VoIP calls from one user to another. There are several different SIP implementations, but all SIP VoIP call setups involve interaction between the user (a “user agent client” (UAC) which is the user’s local VoIP phone or computer) and a server (“user agent server” (UAS) which is part of the service provider’s infrastructure). To successfully set up and carry an SIP VoIP call, certain messages must be exchanged between the UAC and the UAS; these messages are mediated by an application server (AS). Failure of the UAC, the UAS, or the application server at various times during the process of call setup and carriage will result in different kinds of user-perceived service failures. The service functional decomposition in this example consists of a chronological listing of those messages, called a “call flow,” together with a description of how failures in the application server can disrupt the call flow. The listing of messages is facilitated by Figure 3.6.

In this diagram, time increases in the downward vertical direction. Failures of the UAC, AS, or UAS during the time from start to the first dotted horizontal line results in a call setup denial which is experienced by the user as a call attempt that did not succeed (a service accessibility failure). Failures at any time between the first and third dotted horizontal lines result in dropping the call which is already in progress, and is experienced by the user as a cutoff call (a service continuity failure). Failures after the third dotted horizontal line results in a call that is “hung” and the user perceives an inability to make his/her phone idle again (a service release failure). Additional discussion of service functional decomposition is found in Section 8.3.

3.4.4.1 Life distribution

In many cases, the failure of a single item causes the system to fail. For example, consider the failure of a single diode in a four-diode-bridge balanced modulator in a single sideband transmitter. When the diode fails, the balanced modulator no longer functions as a mixer and the transmitter cannot emit properly formed single sideband signals. If emission of properly formed single sideband signals is a requirement for the transmitter, then the transmitter fails when the diode fails. In this situation, the diode is called a single point of failure, or a single-point-of-failure component, of the system. A single point of failure is a component of a system whose failure causes failure of the system (reminder: violation of one or more system requirements). A single-point-of-failure component may be a nonmaintained item, or it may be an ensemble comprising many items, and the ensemble may be maintainable or nonmaintainable (depending on the system maintenance concept).

The reliability block diagram for a series system is simply a picture of several (as many as there are single points of failure) elements in a linear configuration. An example with five single points of failure is shown in the Figure 3.7.

Reliability engineers call ensembles of single-point-of-failure components series systems because of the obvious nature of the reliability block diagram in Figure 3.7.

To introduce the method for quantitatively describing the life distribution of such ensembles, consider first an ensemble consisting of two (and only two) single points of failure. Letting L denote the lifetime of the ensemble and L₁ and L₂ denote the lifetimes of the first and second single points of failure, respectively, we can write

because the first lifetime to expire determines the lifetime of the ensemble. That is, the ensemble survives only as long as the shorter of the lifetimes of the two single points of failure comprising it (“a chain is only as strong as its weakest link”). It is then a straightforward matter to write

Provided we are willing to postulate that the two lifetimes L₁ and L₂ are stochastically independent, we may write

which brings us to the end of this story if we know the survivor functions of L₁ and L₂. For purposes of this exercise, we assume we do know these survivor functions, because what we were trying to do was write the life distribution of L in terms of the life distributions for L₁ and L₂, and so we have done (at least for the survivor functions). In terms of the life distributions, we have

or

with the obvious notation. Absent independence, of course, we cannot go this far. All we can do is express the distribution of L in terms of the joint distribution of L₁ and L₂ as was shown earlier. Considerably more resources usually are needed to obtain the joint life distribution of L₁ and L₂ than are required to obtain the life distributions of L₁ and L₂ separately because a more complicated experimental design is required to collect suitable data. This is beyond the scope of this book. Interested readers may consult Ref. 45 for some ideas pertaining to this endeavor.

This argument generalizes to ensembles of many (more than two, say n) single points of failure. The formulas are

and

when it is possible to postulate that the individual lifetimes are stochastically independent. This principle takes its simplest form when written in terms of the survivor functions:

Modeling tip: Almost all routine reliability modeling proceeds on the basis of stochastic independence (henceforth, simply: independence) of the constituent lifetimes. This is because the calculus of probabilities is simple for independent random variables or events, while accommodating random variables or events that are not independent requires dealing with joint distributions. As a rule, it is more difficult to ascertain the joint distribution of two or more random variables or events because the data collection and distribution estimation grows more complicated as the number of dimensions increases. We mention this here because it is often forgotten, and there are realistic reliability engineering situations in which independence cannot be assumed [44].

3.4.4.2 the competing risk model

It is not unusual that there may be more than one failure mechanism active in a single component. For instance, CMOS semiconductors are susceptible to failure by oxide breakdown, hot carrier damage, and electromigration. The series system model is readily adapted to use for this competing risk situation. The lifetime of the component is the minimum of the lifetimes of the competing failure mechanisms, that is, the component fails at the time the fastest failure mechanism has progressed to failure. On a macro level, every series system is a competing risk model: the system fails at the first time any of its elements fails.

3.4.4.3 approximate life distribution for large series systems

Many practical engineered systems contain a large number of components. For example, printed wiring boards in defense and telecommunications systems typically contain thousands of components. Faced with such situations, the probabilist would inquire whether there might be some useful limit theorem that may simplify applications. In this case, Drenick’s theorem [15] provides useful guidance. Drenick’s theorem essentially says that in the limit as the number of components in a series system grows without bound, its life distribution tends to the exponential distribution, regardless what the life distributions of the individual components may be. But there are two important conditions: first is that the component lifetimes are stochastically independent; we have already discussed the use of this assumption in reliability modeling work (Section 3.4.4.1). The second is even more important: it requires that all the components have “similar” aging (aging in this context means “progression to failure”) properties. That is, there is no one (or finitely many) component in the series system whose speed to failure dominates all the others. That is (and this condition is expressed in Drenick’s work in technical terms which need not concern us now), there is no one component (or finitely many components) whose lifetime is so short that it is almost always responsible for the failure of the series system. This makes sense: if this one component almost always fails soonest, the life distribution of the ensemble is going to be very nearly the life distribution of that component.

Drenick’s theorem is a kind of invariance principle. The limiting life distribution of the series ensemble is exponential, no matter what the individual life distributions may be (as long as the conditions of the theorem are satisfied). The mean of the limiting distribution is the harmonic mean of the mean lives of each of the constituent components:

Referring to the formulas in Section 3.4.4.1, you can see that the life distribution of a series system of independent components (i.e., components whose lifetimes are stochastically independent) is not going to be exponential unless all the constituent life distributions are individually exponential. However, in many practical reliability modeling exercises, the life distribution of complex equipment, even equipment that is not an ensemble of single points of failure, is often postulated to be exponential. One reason for this is that the exponential distribution is particularly easy to work with in pencil-and-paper studies (although with the widespread availability of computer-based methods ( [60] and many others), this is not a real attraction anymore; see also Section 4.6). Another reason is that enough data may be lacking to estimate more than one parameter, and the exponential, besides being simple, is a one-parameter family. These are rather weak justifications at best. But Drenick’s theorem provides a more substantial justification for this. It is a sound theoretical basis for this choice, provided that the relevant conditions are satisfied. In particular, an exponential life distribution is often used for ensembles that are not series systems (the ease-of-use argument). Strictly speaking, this is not supported by Drenick’s theorem. However, for subassemblies that are separately maintained (Section 4.4.4), the superposition theorem for point processes [25], [53] is employed to model the failure times of a complex repairable system as a Poisson process, which has exponentially distributed times between failures when the Poisson process is homogeneous [36] . In particular, the time to the first event (failure) has an exponential distribution under this model. Again, the superposition theorem is a kind of invariance principle in that it holds no matter what the point processes modeling the failure times of the individual subassemblies may be (again subject to a nondominance condition like that in Drenick’s theorem). We will return to this discussion in Section 4.4.5.

Finally, the invariance principle represented by Drenick’s theorem supports the following reasoning: if the limiting distribution of a series system is exponential, regardless of what the original component life distribution may be, and if the life distribution of a series system of exponentially distributed component lifetimes is also exponential (which it is), then you may as well assume the original component life distributions were exponential too because

• you get the same life distribution for the series system in either case and
• assuming the component life distributions are exponential will simplify any data collection and parameter estimation for the components.

This is not necessarily a bad approach as long as it does not hide unusual behavior in any of the components. The key concept in design for reliability is the anticipation and prevention of failures, and to do this effectively usually requires more, rather than less, detail. In particular, the response of a component’s lifetime to various environmental stresses, and the stress–strength relationship for the component, may differ depending on the particular life distribution involved. We will see how similar reasoning is applied in repairable systems in Section 4.4.5.

Confidence limits for the parameters of the life distribution of a series system

In practice, system subassemblies and line-replaceable units (LRUs) often are series systems of their constituent components. Reliability estimates for these components are derived either from life testing or from time-to-failure data collected during system operation. In either case, the component reliability estimates are statistics, or random variables, because they are a function of observational data. As such, they have distributions (Section 3.3.2). When they are combined using the formulas of Section 3.4.4.1, the result is another random variable (because the result is a function of the random variables that describe the component reliability). As such, it too has a distribution. In this section, we will describe a technique for obtaining information about this distribution when certain information about the component life distributions is available. This technique is based on the work of Baxter [6] which is in turn based on procedures developed by Grubbs [26], Myhre and Saunders [48], and others (see Ref. 6 for a review of the literature).

In this introductory material, we confine our discussion to the case in which the series system comprises components all of whose life distributions are exponential. Let the system contain n components and the parameters (hazard rates) of these components be λ₁, . . ., λ_n. Suppose also that each parameter has been estimated from some data and has a 90% upper confidence limit (UCL) that for component i is denoted by u_i. To find an approximate 90% UCL (one-sided) for the hazard rate λ = λ₁ + ⋅ ⋅ ⋅ + λ_n of the series system, first form the quantities s_i = (u_i − λ_i)/1.282, S = s₁ ² + ⋅ ⋅ ⋅ + s_n ², and δ = 2λ²/S. Then an approximate 90% UCL for λ is given by

where is the 90th percentile of the chi-squared distribution on δ degrees of freedom. In most cases, δ will not be an integer, so interpolation between the nearest integers is used. If a UCL other than 90% is desired, change 1.282 to the appropriate confidence coefficient as found in Table 3.4.

Confidence Level (%)	Confidence Coefficient
90	1.282
95	1.645
99	2.326

We may also consider the use of two-sided confidence limits for λ. These would be useful when the quality of our knowledge about the λ_i is good as would be the case if u_i and λ_i are close together. The two-sided confidence 90% confidence interval for λ is then

As with the one-sided case, if a confidence level other than 90% is desired, adjust the computation of the s_i according to Table 3.4. For details of these methods, consult Ref. 6.

Development of a more generally applicable method for confidence intervals for coherent systems with components whose life distributions are other than exponential has been attempted, but no satisfactory method yet exists that is fully applicable and easy to use. Use of the method given here will provide important insight into the quality of knowledge about the reliability prediction for a series system. In particular, this quality of knowledge information is important when using a reliability prediction of this kind to assess the likelihood that the design on which the prediction was made will meet its reliability requirements.

3.4.5.1 Hot standby redundancy

The simplest redundancy scheme is hot standby redundancy in which a single unit (the “primary unit”) is supported by one or more “redundant units” (or “backup units”), all of which are powered on and aging along with the primary unit. When the primary unit fails, some switching mechanism operates to bring the failed unit off line and one of the redundant units on line to take over the operation that was being performed by the primary unit before it failed (assuming the switching operation does not fail). Thus, the ensemble fails only when all units, the primary unit and all the redundant units, fail. In the case of hot standby, or active, redundancy, we have for the lifetime L of the ensemble in terms of the lifetimes L₁, . . ., L_n of its constituent units, again assuming the switching mechanisms does not fail,

From here, it is a routine matter to obtain the distribution of L:

where the last equality is valid if the individual lifetimes are stochastically independent. We may also write

In terms of the survivor functions, we have

Note the duality between the series system discussed in Section 3.4.4 and the hot-standby parallel system discussed here: in the series system, the expression for the life distribution looks like the expression for the survivor function of a hot-standby parallel system, and vice versa.

Example: A Two-Unit Hot Standby Redundancy Arrangement with an Unreliable Switch

Consider the hot standby arrangement depicted in Figure 3.9.

Denote by L₁ and L₂ the lifetimes of the first (topmost in the figure) and second units, respectively, let the corresponding survivor functions be denoted by S₁ and S₂, and denote by L the lifetime of the entire ensemble. Let W(t) denote the indicator of the event that the switch operates correctly when it is called upon to do so at time t, let p(t) = P{W(t) = 1}, and Z_t denote the lifetime of the switch given that it operates correctly at time t (if the switch fails to operate correctly when called for, then L = L₁ and the value of Z_t is irrelevant). Furthermore, we assume there is no “rejuvenation” of the switch if it fails when called for: once this failure occurs, the ensemble is failed. Let G_t denote the life distribution of Z_t. If there were no switch involved (usually not feasible in an engineering sense), then L would be equal to max{L₁, L₂}, and the life distribution at time t of the ensemble would be F₁(t)F₂(t). If the switch operation were perfectly reliable (i.e., p(t) ≡ 1 for all t), then L would be equal to the maximum of L₁, L₂, and min{L₁, L₂} + min{Z_T, max{L₁, L₂}} because the switch will be called for at time T = min{L₁, L₂}. In this case, the survivor function of L would be

Now assuming that L₁ and L₂ are independent, and the distribution of is equal to for i = 1, 2, assuming that L₁ and L₂ are conditionally independent of Z_t for all t. These may now be substituted into the expression above for P{L > x} to complete the development (see Exercise 16). In case the switching action may be unreliable (i.e., p(t) < 1 for at least one t), then the survivor function of L is given by

again assuming the necessary independence (in this case, that of W(T) from everything else in sight).

Requirements tip: It is clear from this example that reliability models that include imperfect switching for redundant systems may be considerably more complicated than those that ignore the effect of potentially unreliable switching. Systems engineers need to be aware that switching mechanism unreliability can be a significant contributor to overall system unreliability in cases where redundancy is being used to increase system reliability overall. Be sure that reliability engineers on the project provide realistic reliability projections in these cases because the high cost of redundancy can be rendered for naught by a relatively low-cost switching mechanism that may be unreliable.

3.4.5.2 Cold standby redundancy

Cold standby, or passive, redundancy differs from hot standby redundancy in that the redundant units are not active while the primary unit is in service. This model postulates that the standby units do not age while they are not operating, that is, the “lifetime clock” does not start for these units until they are put into service. When the primary unit fails, the switching operation activates the first redundant unit and takes the failed unit off line, and puts the now-active redundant unit on line so that the ensemble continues to perform its function. In this case, the lifetime of the ensemble is the sum of the lifetimes of all its constituent units (again assuming that all the switching operations are perfect). That is,

To find the distribution of L when the lifetimes L₁, . . ., L_n are independent, we introduce the notion of convolution of distribution functions. Suppose X and Y are independent lifetimes having distributions F and G, respectively. Then the distribution of X + Y is given by

The last integral is called the convolution of F and G and is denoted F*G(t). Thus, if F₁, . . ., F_n represent the life distributions of L₁, . . ., L_n, respectively, then the life distribution of the cold standby ensemble is given by F₁* ⋅ ⋅ ⋅ *F_n. The family of gamma distributions is closed under convolution. As was noted in Section 3.3.4.7, the sum of two independent random variables having gamma distributions with parameters (α₁, ν) and (α₂, ν) again has a gamma distribution with parameters (α₁ + α₂, ν). So a cold standby redundant system whose first unit’s lifetime has a gamma distribution with parameters (α₁, ν) and whose second unit’s life distribution has a gamma distribution with parameters (α₂, ν) has a life distribution with parameters (α₁ + α₂, ν). In most other cases, it is not possible to evaluate convolution integrals in closed form. Various numerical methods have been developed to enable computation of system reliability when cold standby redundancy is present. Among the simplest are the Newton–Cotes-like rules found in Ref. 54.

The number and variety of reliability models for imperfect switching incorporated into cold standby redundancy schemes is at least as great as the large number of such schemes. We will consider only a simple example to illustrate some possibilities. Suppose that in an n-unit cold standby redundancy scheme there is a switching mechanism whose duty is to switch in the next unit when the unit currently in service fails, and suppose that the indicator event that this switch performs its duty correctly when called upon at time t is W(t), independent of everything else, P{W(t) = 1} = p(t), and if W(t₀) = 0, then W(t) = 0 for all t ≥ t₀. Further suppose that the lifetime of the switch is infinite (i.e., the switch does not fail once the switching operation has completed successfully—the only possible failures of the switch are at the moments of switching). Then the life distribution of the ensemble is

See Exercise 17 to complete this example.

3.4.5.3 k-out-of-n redundancy

The final type of redundancy we study in this chapter is the k-out-of-n scheme. In this scheme, there are n units. The ensemble operates if and only if k of these n units are in an operating condition. One may think of this as a system that requires k units to operate properly and that has in addition n − k spare units on site. This scheme may be implemented as hot standby or cold standby (and other types of warm standby which will not be covered here). In a hot standby arrangement, the lifetime of the ensemble is the kth shortest of the n unit lifetimes. This is an example of an order statistic. The life distribution of the hot standby k-out-of-n ensemble is the cumulative distribution of this order statistic which may be found in Ref. 14.

In a cold standby k-out-of-n scheme, the lifetime is determined by counting the total number of unit failures that occur by a given time. The first time this reaches n − k + 1 is the time of ensemble failure. Let N(t) represent the number of unit failures in the time interval [0, t], and let L represent the system lifetime. Then the “counting argument” is that the time to system failure occurs after time t if and only if there have been no more than n − k unit failures up to and including time t,

Our task will be to obtain the distribution of L as

We will now assume that all primary units have the same reliability characteristics, all standby units have the same reliability characteristics (although these may be different from the primary units), and all units are mutually stochastically independent. We begin by defining the concept of “position.” Consider the primary units that are started operating at time zero. The location or “slot” that each of these occupies is called a “position.” At the time a primary unit fails, a spare unit is immediately placed in service in that position (the pool of spares initially contains n − k units; if this is the (n − k + 1)^st failure in a primary slot, then the ensemble fails at this time and there are no spare units remaining in the pool). Thus, we record the failures in each “position” separately, or, in other words, each “position” is thought of as having a failure process of its own. To illustrate the idea, we will first work through the derivation in the simple case n = 2, k = 1. In this case, denoting by N₁(t) the number of failures in position 1 that occur during [0, t], we have P{L > t} = P{N₁(t) ≤ 1}, because the system fails when the second failure in position 1 occurs. Define T = inf {t : N(t) = 1} and T + S = inf{t : N(t) = 2}. Thus, P{N(t) ≤ 1} = P{T + S > t} = 1 − F*G(t). Obviously, in this case we have L = T + S, so there was really no need to go through the counting argument, but it is valuable to see how it works in this simple case first. In the general case, let N_i(t) denote the number replacements in position i by spare units, i = 1, . . ., k. Then we have because the spare units only operate (and fail) in the primary (first k) positions. This gives us the opening we need to get the distribution of N(t). Define W₀(t) = 0 and . Then W₁(t) = N₁(t) and W_k(t) = N(t). Using the relation W_i(t) = W_i−1(t) + N_i(t), i = 1, . . ., k, and the mutual independence of N₁(t), . . ., N_k(t), we can get the distribution of each W_i(t) by successive discrete convolutions:

To model the failure counting processes N_i(t), i = 1, . . ., k, in the k primary positions, we assume that the primary units are identical, and all have life distribution F, say, and the spare units are identical, and all have life distribution G, say. Then we have P{N_i(t) = 0} = 1 − F(t), i = l, . . ., k, and

Here, G_j−1 represents the convolution of G with itself j − 1 times, and G₀ is the unit step function at the origin. Working backward to the equation for P{L ≤ t} completes the derivation.