Target Reliability Informed Design Optimisation ISPMNA 2019 Peter

Target Reliability Informed Design Optimisation ISPMNA 2019 Peter Reed, Core Stress Engineer The information in this document is proprietary and confidential to Rolls ‑Royce and is available to authorised recipients only – copying and onward distribution is prohibited other than for the purpose for which it was made available Rolls-Royce © 2019 Rolls-Royce Export Control classification UK – not listed Rob Marshall, Principal Engineer Core Structural Integrity 22 October 2019

Agenda Rolls-Royce 2 © 2019 Rolls-Royce Export Control classification UK – not listed 01 Introduction and Background 02 Target Reliability Approach 03 Higher Level Safety Case 04 Next Steps, Conclusions, Questions?

01 Rolls-Royce 3 © 2019 Rolls-Royce Export Control classification UK – not listed Introduction

Introduction & Background Rolls-Royce 4 © 2019 Rolls-Royce Export Control classification UK – not

Probabilistic Safety Justifications made for in-service product Introduction & Background Design Manufacture Probabilistic Safety Justifications made at design stage for optimised design Rolls-Royce 5 © 2019 Rolls-Royce Export Control classification UK – not listed Service Life Influencing design and optimising through the use target reliability methods Decommissioning What is the impact of optimisation on the whole system safety case?

Introduction & Background Problem • • • Rolls-Royce 6 © 2019 Rolls-Royce Export Control classification UK – not listed Welded Component (eg. pipe section) Sharp features in weld underbead. Justifiable?

“Deterministic” Assessment Introduction & Background Material parameters Stress Intensity Factor Rolls-Royce 7 © 2019 Rolls-Royce Export Control classification UK – not listed Geometric parameters Performance parameters

“Deterministic” Assessment Introduction & Background • • • Rolls-Royce 8 © 2019 Rolls-Royce Export Control classification UK – not listed • Traditional Approach Set each parameter to its perceived worst case. Upper or lower bound, based on tolerances or statistical analysis of asbuilt data Reserve factor less than 1. 00. Crack like geometry not tolerable within the design.

Problem Introduction & Background Machining operation can expose buried defects from the welding process. Machine out weld geometry Rolls-Royce 9 © 2019 Rolls-Royce Export Control classification UK – not listed Machining operation causes damage to other components

Machining is costly Introduction & Background Cost Machining is time consuming Delivery Machining generates inspection Quality ALARP/ALARA Safety Case Desired Performance Rolls-Royce 10 © 2019 Rolls-Royce Export Control classification UK – not listed

Suitably “Deterministic”? Introduction & Background K LIM K ? Stress Intensity (MPa √m) Rolls-Royce

02 Rolls-Royce 12 © 2019 Rolls-Royce Export Control classification UK – not listed Target

1 ? Target Reliability Approach Design of Experiments – 256 FE Runs System Representation (Surrogate Model) Rolls-Royce 13 © 2019 Rolls-Royce Export Control classification UK – not listed Probabilistic Framework (FORM) 2

Target Reliability Approach Probabilistic Inputs in the Design Stage, options? § Use Capability Analysis (Process capability index, Cpk). § Use historic data from previous manufacturing campaigns. § Perform variation studies to guard against “cliff edge” effects. Rolls-Royce 14 © 2019 Rolls-Royce Export Control classification UK – not listed

Target Reliability Approach Assumed Level of Capability µ LSL USL- µ USL Assuming a nominally centred, normally distributed process Rolls-Royce 15 © 2019 Rolls-Royce Export Control classification UK – not listed Cpk targets of 1. 33 and beyond.

Target Reliability Approach Rolls-Royce 16 © 2019 Rolls-Royce Export Control classification UK – not

Target Reliability Approach Rolls-Royce 17 © 2019 Rolls-Royce Export Control classification UK – not

Target Reliability Approach First Order Reliability Method Near instantaneous run time. Ideal for sensitivity studies. Validated against Monte. Carlo with near perfect agreement. Used for this assessment Rolls-Royce 18 © 2019 Rolls-Royce Export Control classification UK – not listed Monte Carlo Allows complex systems and nonnormal distributions FORM Rapid, but requires several assumptions

Target Reliability Approach Un-machined design, RF all > 1. 00 at Cpk > 0. 8 K Rolls-Royce 19 © 2019 Rolls-Royce Export Control classification UK – not listed Previous “Deterministic” Case (RF = 0. 85) Probability beyond 1 e-20

Target Reliability Approach Rolls-Royce 20 © 2019 Rolls-Royce Export Control classification UK – not

Target Reliability Approach Summary § Sensitivity Studies to parameter variation demonstrate tolerance to leaving geometry un-machined. § Machining is being conducted to guard against a failure predicted to be of the order of 1 e-13 § What is the target reliability? § What is an appropriate level of risk? Rolls-Royce 21 © 2019 Rolls-Royce Export Control classification UK – not listed

03 Rolls-Royce 22 © 2019 Rolls-Royce Export Control classification UK – not listed Higher

Higher Level Safety Case Interdependencies between failure modes with variation of the same parameters. Overall probability of system failure is of concern. How do we aggregate failures? Rolls-Royce 23 © 2019 Rolls-Royce Export Control classification UK – not listed

Higher Level Safety Case Systems Approach § Review FMEA, identify failure modes and effects. § Understand interdependencies. § Understand links between fracture events and failure. § Understand consequences. Rolls-Royce 24 © 2019 Rolls-Royce Export Control classification UK – not listed

Higher Level Safety Case Failure Mode 1 Component 1 Failure Mode 2 Failure Mode 3 Failure Mode 4 Overall System Failure 10 -5 Failure Progression 10 -1 Structural Failures 10 -4 Component 2 Failure Mode 1 Failure Mode 2 Failure Mode 3 Failure Mode 1 Component 3 Failure Mode 2 Failure Mode 3 10 independent failure modes Rolls-Royce 25 © 2019 Rolls-Royce Export Control classification UK – not listed Design stage, apportion an equal reliability per failure mode = 10 -5

Higher Level Safety Case Failure Mode 1 Component 1 Failure Mode 2 Failure Mode 3 Failure Mode 4 Overall System Failure Progression 10 -5 10 -1 Structural Failures 10 -4 Component 2 Failure Mode 1 Failure Mode 2 Failure Mode 3 Bounding Failure progression, different for different failure modes Failure Mode 1 Component 3 Failure Mode 2 Failure Mode 3 10 independent failure modes Rolls-Royce 26 © 2019 Rolls-Royce Export Control classification UK – not listed Design stage, apportion an equal reliability per failure mode = 10 -5

Which failure modes are affected by this change? Higher Level Safety Case Failure Mode 1 Component 1 Failure Mode 2 Failure Mode 3 Failure Mode 4 Overall System Failure 10 -5 Failure Progression 10 -1 Structural Failures 10 -4 Component 2 Failure Mode 1 Failure Mode 2 Failure Mode 3 Failure Mode 1 Component 3 Failure Mode 2 Failure Mode 3 Is the overall risk tolerable? Rolls-Royce 27 © 2019 Rolls-Royce Export Control classification UK – not listed Is the impact of the design optimisation safe?

Higher Level Safety Case Failure Mode 1 Component 1 Failure Mode 2 Failure Mode 3 Failure Mode 4 Overall System Failure 10 -5 Failure Progression 10 -1 Structural Failures 10 -4 Component 2 Failure Mode 1 Failure Mode 2 Failure Mode 3 Failure Mode 1 Component 3 Failure Mode 2 Failure Mode 3 Rolls-Royce 28 © 2019 Rolls-Royce Export Control classification UK – not listed Overall system failure is improved by design change.

04 Rolls-Royce 29 © 2019 Rolls-Royce Export Control classification UK – not listed Next

Next Steps, Conclusions, Questions? Rolls-Royce 30 © 2019 Rolls-Royce Export Control classification UK – not listed Conclusions Reliability assuming a Cpk of 1. 33 RF for an un-machined component RF for a machined component << 1 e-20 (original ‘deterministic’ case) 0. 85 1. 48 1 e-5 (proposed reliability from an aggregated safety case) 1. 20 2. 15 Effect on other higher level system reliability Beneficial Detrimental

Next Steps, Conclusions, Questions? Rolls-Royce 31 © 2019 Rolls-Royce Export Control classification UK – not listed Next Steps • Continue to engage with regulatory community. • Monitor manufacturing development with statistical process control. • Live FORM updates based on manufacturing run charts.