Ministry of Defence

Defence Standard 00-42 Part 1

Issue 2 Publication Date 15 February 2008

Reliability and Maintainability

(R&M) Assurance Activity
Part 1
One-Shot Devices/Systems
 Unclassified
Def Stan 00-42 Part 1 Issue 2

Contents
SECTION 1 GENERAL ......................................................................................................................................1
1 Scope ..................................................................................................................................................1
2 Warning...............................................................................................................................................1
3 References..........................................................................................................................................1
4 Definitions ..........................................................................................................................................2
SECTION 2 OVERVIEW ....................................................................................................................................3
5 Introduction ........................................................................................................................................3
6 Aim ......................................................................................................................................................3
7 Practical Considerations...................................................................................................................3
8 Reliability of a One-Shot Device.......................................................................................................5
9 Maintenance of a One-Shot device ..................................................................................................5
SECTION 3 SPECIFICATION OF RELIABILITY ..............................................................................................6
10 Criterion ..............................................................................................................................................6
11 Degradation ........................................................................................................................................6
12 Appointment.......................................................................................................................................6
13 Fuses...................................................................................................................................................6
SECTION 4 RELIABILITY DESIGN PHILOSOPHY..........................................................................................7
14 Integration of R&M in Design ...........................................................................................................7
15 Reliability Design Criteria .................................................................................................................7
16 Maintainability Design Criteria .........................................................................................................8
SECTION 5 APPORTIONMENT, MODELLING, CALCULATIONS and PREDICTIONS ................................9
17 Reliability ............................................................................................................................................9
18 Reliability Predictions .......................................................................................................................9
19 Maintainability ....................................................................................................................................9
SECTION 6 ENGINEERING PROCEDURES ..................................................................................................11
20 R&M Trade-off Studies ....................................................................................................................11
21 Parts and Materials Reliability........................................................................................................11
22 Failure Modes Effects (and Criticality) Analysis (FMEA/FMECA)...............................................11
23 Fault Tree Analysis ..........................................................................................................................12
24 Sneak Analysis.................................................................................................................................13
25 Impact of Software...........................................................................................................................13
26 Human Impact on Reliability and Maintainability .........................................................................13
27 Derating ............................................................................................................................................13
28 Critical Items ....................................................................................................................................14
29 Life-Limited Items ............................................................................................................................14

Unclassified
ii
 Unclassified
Def Stan 00-42 Part 1 Issue 2

SECTION 7 TEST AND SCREENING ASSESSMENT ...................................................................................15

30 Testing ..............................................................................................................................................15
31 Sample Testing ................................................................................................................................15
32 Accelerated Testing.........................................................................................................................19
33 Growth Testing ................................................................................................................................20
34 Environmental Stress Screening (ESS).........................................................................................21
SECTION 8 MANAGEMENT ...........................................................................................................................23
35 Planning............................................................................................................................................23
36 R&M Case and Progressive Assurance ........................................................................................23

Figures

Figure 1 - Typical Operating Characteristic (OC) Curves……………………………………………………..18

Tables

Table 1 - Typical Failure Rates of One-Shot Assemblies……………………………………………………...10

Unclassified
iii
 Unclassified
Def Stan 00-42 Part 1 Issue 2

Foreword
AMENDMENT RECORD

Amd No Date Text Affected Signature and Date

REVISION NOTE

This standard is raised to Defence Standard 00-42, Part 1 Issue 2 to update its content.

HISTORICAL RECORD

This standard supersedes the following:

Defence Standard 00-42, Part 1 Issue 1

a) This standard provides Guidance for Reliability and Maintainability Assurance Activity One Shot
Devices/Systems.

b) This standard has been produced on behalf of the Defence Material Standardization Committee (DMSC)
by Committee for Defence Equipment Reliability and Maintainability (CODERM) and reflects the
conclusions of consultants among the relevant authorities within the MoD and within Industry.

c) This standard has been agreed by the authorities concerned with its use and is intended to be used
whenever relevant in all future designs, contracts, orders etc. and whenever practicable by amendment
to those already in existence. If any difficulty arises which prevents application of the Defence Standard,
UK Defence Standardization (DStan) shall be informed so that a remedy may be sought.

d) Any enquiries regarding this standard in relation to an invitation to tender or a contract in which it is
incorporated are to be addressed to the responsible technical or supervising authority named in the
invitation to tender or contract.

e) Compliance with this Defence Standard shall not in itself relieve any person from any legal obligations
imposed upon them.

f) This standard has been devised solely for the use of the Ministry of Defence (MOD) and its contractors
in the execution of contracts for the MOD. To the extent permitted by law, the MOD hereby excludes all
liability whatsoever and howsoever arising (including, but without limitation, liability resulting from
negligence) for any loss or damage however caused when the standard is used for any other purpose.

Unclassified
iv
 Unclassified
Def Stan 00-42 Part 1 Issue 2

Introduction
One-shot devices and one-shot systems, either electronic, mechanical or structural, by definition, cannot be
fully tested prior to use because testing in the full mode of operation usually results in their total or partial
destruction; or an irreversibility of a discrete part. One-shot devices for military applications are,
conventionally, stored for long periods, often in excess of 10 or 20 years and, during this time, may be
transported between and stored in different climatic conditions before being finally expended in the manner
for which they are designed.

Reliability can, therefore often only be demonstrated statistically by sampling some of the items and fully
testing these. This leads to: a need to identify discrete parts of production by batch or lot; a requirement to
apply sampling knowledge; and the necessity to apply viable probability theory to deduce correct statistical
inferences. The requirements of Def Stan 00-40, Part 1 in whole or tailored, can be made contractual during
the design and development stages of the acquisition cycle however it will need to be conducted with a
detailed understanding of the solution and it’s associated R&M specification.

Unclassified
v
 Unclassified
Def Stan 00-42 Part 1 Issue 2

STANDARDS FOR DEFENCE - RELIABILITY AND

MAINTAINABILITY ASSURANCE ACTIVITY – ONE-SHOT
DEVICES/SYSTEMS

SECTION 1 GENERAL

1 Scope
1.1 Practical definitions are stated for:

1.1.1 a one-shot device (see 4.1);

1.1.2 reliability of a one-shot device (see 8.1);

1.1.3 maintenance of a one-shot device (see 9.1).

1.2 This Part of Defence Standard 00-42:

1.2.1 addresses the R&M aspects of one-shot devices and one-shot systems;

1.2.2 supports the needs of contractors, MOD Project Managers and end users.

1.3 It is emphasised that this Defence Standard is a guidance document and shall not be contractual;
unless specific clauses are cited in the contract.

2 Warning
The Ministry of Defence (MOD), like its contractors, is subject to both United Kingdom and European laws
regarding Health and Safety at Work. All Defence Standards either directly or indirectly invoke the use of
processes and procedures that could be injurious to health if adequate precautions are not taken. Defence
Standards or their use in no way absolves users from complying with statutory and legal requirements
relating to Health and Safety at Work.

3 References
3.1 The publications shown below are referred to in the text of this standard. Publications are grouped and
listed in alpha-numeric order.

ARMP-7 NATO R&M Terminology Applicable to Allied Reliability and Maintainability Publications
(ARMPs)

ISO 2859 Sampling Procedures and Tables for Inspection by Attribute (BS 6001)

ISO 3951 Sampling Procedures for Inspection by Variables (BS 6002)

BS 4778 Quality Vocabulary

BS 5760 Reliability of Constructional or Manufactured Products, Systems, Equipments and

Components

Def Stan 00-25 Human Factors for Designers of Equipment,

Part 15: Principles and Processes

Unclassified
1
 Unclassified
Def Stan 00-42 Part 1 Issue 2

Part 20: Health Hazard Assessment Domain, Technical Guidance and Data
Part 21: System Safety Domain, Technical Guidance and Data
Part 25: Supporting Information, Technical Guidance and Data

Def Stan 00-35 Environmental Handbook for Defence Materiel

Def Stan 00-40 Reliability and Maintainability,

Part 1: Management Responsibilities and Requirements for Programmes and Plans

Def Stan 00-42 Reliability and Maintainability (R&M) Assurance Activity,

Part 3: R&M Case
Part 4: Testability

Def Stan 00-49 Reliability and Maintainability MOD Guide to Terminology Definitions

Def Stan 07-85 Design Requirements for Weapons and Associated Systems

Def Stan 08-5 Design Requirements for Weapon Systems

Def Stan 13-96 Lotting and Batching of Ammunition

3.2 Reference in this Standard to any normative references means in any ITT or contract the edition and
all amendments current at the date of such tender or contract unless a specific edition is indicated.

3.3 In consideration of clause 3.2 above, users shall be fully aware of the issue and amendment status of
all normative references, particularly when forming part of an ITT or contract. Responsibility for the correct
application of standards rests with users.

3.4 DStan can advise regarding where normative references documents are obtained from. Requests for
such information can be made to the DStan Helpdesk. How to contact the helpdesk is shown on the outside
rear cover of Def Stans.

4 Definitions
4.1 There is no universally accepted definition for a one-shot device or a one-shot system. Per BS 5760:
Part 2 1994, a one-shot device:

“is an item which is required to perform its function only once during normal use. Such items will usually be
destroyed during their normal operation and cannot therefore be fully tested. The reliability required from
one-shot devices is normally high”.

4.1.1 The BS further notes that “Batch proof testing of one-shot devices to determine the batch reliability
assumes homogeneity of manufacture”.

4.1.2 This description of a one-shot device and the assumption of homogeneity of manufacture will be
inferred throughout this Defence Standard.

4.2 For terms not defined in the text ARMP-7 applies;

4.2.1 For terms not defined in the text nor in ARMP-7, Def Stan 00-49 applies;

4.2.2 For definitions of all other terms refer to BS 4778.

Unclassified
2
 Unclassified
Def Stan 00-42 Part 1 Issue 2

SECTION 2 OVERVIEW

5 Introduction
5.1 Def Stan 00-40 (Part 1): Management Responsibilities and Requirements for Programmes and Plans
implements Allied Reliability and Maintainability Publication (ARMP) 1) provides requirements for the
management responsibilities and requirements for R&M programmes and plans, 2) also provides guidance
to implement these requirements. The requirements of Def Stan 00-40, Part 1 in whole or tailored, can be
made contractual during the design and development stages of the procurement cycle.

5.2 Def Stan 00-42 is grouped under the general title of “Assurance Activities” and provides further
guidance to accommodating MOD R&M practices, procedures and requirements in the design process.
Specifically this standard embraces such guidance pertaining to one shot devices and systems which make
them unique in terms of the ability to establish the level of their development and methods by which R&M
compliance can be determined and measured.

6 Aim
The aim of this document is to complement Def Stan 00-42, Part 3 and provide additional advice and
guidance unique to one-shot devices and one shot systems to support the acquisition process and the
development of R&M assurance.

7 Practical Considerations
7.1 One-shot devices and one-shot systems have unique characteristics that necessitate evaluation and
classification at the design stage. These are:

7.1.1 One-shot devices and one-shot systems are required to perform a function once only since their use is
normally accompanied by an irreversible reaction or process, e.g. chemical reaction or physical destruction.

7.1.2 One-shot devices and one-shot systems, either electronic, mechanical or structural, by definition,
cannot be fully tested prior to use because testing in the full mode of operation usually results in their total or
partial destruction; or an irreversibility of a discrete part. Reliability can, therefore, only be demonstrated
statistically by sampling some of the items and fully testing these. This leads to: a need to identify discrete
parts of production by batch or lot; a requirement to apply sampling knowledge; a necessity to apply viable
probability theory to deduce correct statistical inferences. Each separate batch or lot should be uniquely
identified by the name of the manufacturer, date of manufacture, date of assembly/filling and a sequential
number. These details (see Def Stan 13-96) should, wherever possible, be marked permanently on the item
for future identification. For sampling to be successfully applied homogeneity of production is necessary so
that all the items in a batch or lot are likely to perform as one population. The results from the sample
consumed at test can then be extrapolated to the remaining population of the batch or lot. These procedures
should form part of the quality assurance procedures to assure the quality of production and to record the
history of manufacture.

7.1.3 One-shot devices for military applications are, conventionally, stored for long periods, often in excess
of 10 or 20 years and, during this time, may be transported between and stored in different climatic
categories (see Def Stan 00-35 for details of climatic categories), before being finally expended in the
manner for which they are designed. A full appreciation of such variable environmental conditions
throughout the life of a device or system needs to be obtained when determining requirements to ensure that
R&M integrity is maintained throughout the products life cycle.

7.1.4 Many one-shot devices and one-shot systems will not be used in the final manner for which they were
designed and intended, and will therefore require to be de-militarised by safe break-down and disposal in an
environmentally acceptable manner.

7.1.5 One-shot devices frequently contain energetic materials such as explosives, propellants and
pyrotechnics that are subject to physical and chemical changes over time; with the rate of such changes

Unclassified
3
 Unclassified
Def Stan 00-42 Part 1 Issue 2

being normally dependent on temperature. These energetic materials can readily react with water, degrading
their ability to function as intended. The source of water can be the energetic materials themselves, materials
used as spacers or fillers and the plastics used in packaging. Water can arise from the method of filling with
the energetic material, eg filling with white phosphorous is done under water because of the fire hazard.
Water can also arise from diurnal breathing of the package where moist warm air enters the package during
the warm day and then condenses when the temperature falls at night; the cycle of events being repeated
each day thus, potentially, accumulating relatively substantial quantities of water. Water can react with
vapours from the energetic materials, and also from plastics in packaging and encapsulation, to form acidic
compounds that then adversely affect metals and insulations. Energetic materials can also readily react with
other materials that degrade their function and, by the generation of the heat of reaction or the formation of
materials sensitive to friction and shock, can give rise to unsafe conditions. The compatibility of materials is
therefore an essential consideration. Safety is an essential and fundamental consideration for any device
containing energetic material and any design containing these materials must ensure safety in manufacture,
storage, transport, test and use. One-shot devices and/or systems containing explosives need to be
designed, tested and assessed in accordance with Defence Ordnance Safety Group (DOSG) procedures,
related Defence Standards (e.g. Def Stan 08-5), NATO Standardization Agreements (STANAGS) and other
regulations pertaining to explosive safety requirement, and armament stores requirements.

7.1.6 If a catastrophic event occurs there is a necessity to identify all the one-shot devices of similar
manufacture and age to preclude their use by the elimination of further potential catastrophic events and
improving long term safety and reliability. This necessity to be able to physically identify one-shot devices
(traceability) reinforces the requirements for batching and marking stated for sampling above. This need for
traceability also arises in order to:

a) implement an in-service surveillance policy to identify any deterioration in storage;

b) extrapolate to the population any evidence of deterioration in any sample;

c) ensure that all items found to be deteriorated are replaced;

d) replace items deemed to have a limited life.

NOTE: Storage life is defined to be the time for which an item, in specified storage conditions, may be
expected to remain safe and serviceable (refer to DOSG procedures). Operational life is defined to be the
time for which an item may be expected to remain safe and serviceable, when used under its operational or
training conditions, when these are different from its storage conditions, but which is within the envelope of
its storage life.

7.1.7 One-shot devices may be fitted to systems that are re-usable; for such systems to be re-used a
replacement one-shot device needs to be fitted. Statements of reliability requirements need to differentiate
between that for the one-shot device and that for the re-usable system. Some systems contain a multiple
number of devices, one or more of which is a one-shot device. If such systems are designed to be used
once only then they are referred to as one-shot systems. Statements for reliability need to differentiate
between those for each of the one-shot devices and those for the one-shot systems, and thus required
apportionment of reliability.

7.1.8 The correlation between reliability and safety of one-shot devices or one-shot systems is particularly
strong. The probability of faults causing an inadvertent initiation of any one-shot device leading to the hazard
of personnel or equipment must be minimal. Similar probabilities should apply to the failure of one-shot
systems to operate when required and not operate when not required. Additionally, failure to function as
required must not create an unsafe condition. These probabilities are much lower than for standard
operational requirements and achievements may require enhancement techniques such as redundancy. The
assessments of reliabilities to give assurance that these low levels of probability have been achieved also
present particular difficulties. The design procedures to achieve these safety aspects are laid down by the
DOSG and shall be followed. However, it should be noted that the correlation between reliability and safety
may result in a “trade-off” between the respective requirements stated.

7.1.9 Although one-shot devices and one-shot systems cannot be fully tested prior to use it may, however,
be possible to gain some degree of confidence in the design by comparison with the results of full testing of

Unclassified
4
 Unclassified
Def Stan 00-42 Part 1 Issue 2

similar designs. Non-destructive partial testing of some one-shot devices and one-shot systems may be
possible and may assist in establishing confidence in the manufacturing process, eg X-ray and ultra sonic
testing of fillings for cracks and voids in main charges, discontinuities in explosive trains of detonators or
pyrotechnic delay mechanisms.

8 Reliability of a One-Shot Device

Following from the definition of reliability given in Def Stan 00-40, Part 1 the reliability of a one-shot device is
defined in this Defence Standard to be: the ability to perform the required function only once, and only when
demanded, under stated conditions and for the specified period of time. The reliability of a one-shot device
should normally be expressed or quantified as a probability of success (success ratio) (see 17.1).

9 Maintenance of a One-Shot device

9.1 Maintenance of a one-shot device is not normally possible in the usually accepted sense of servicing or
repair to correct a fault. Maintenance is usually limited to the replacement of items due to:

9.1.1 in-service maintenance policy, e.g. life-limited items;

9.1.2 in-service surveillance policy, e.g. degraded items;

9.1.3 in-service updates, e.g. post design improvements.

Unclassified
5
 Unclassified
Def Stan 00-42 Part 1 Issue 2

SECTION 3 SPECIFICATION OF RELIABILITY

10 Criterion
The probability of success (success ratio) is the only criterion for specifying the reliability of one-shot devices
and one-shot systems. For one-shot systems it is essential, however, to define, at the outset, the specific
parameters that constitute success. For example, in the case of a guided missile, success could be defined
as a successful detonation of the explosive charge on the target; or in the case of a proximity fuse, within a
given distance from the target. The fact that, in a trial, the missile hit the target and destroyed it without
detonation of the warhead would be immaterial; the trial records would in that case register a failure.

11 Degradation
11.1 One-shot devices and one-shot systems for military applications are often stored for an appreciable
period of time before use. During this period, they may be moved, tested and handled in various ways;
subjecting the devices and systems to degrading influences. It may, therefore, be necessary to include, in
the specification of reliability, some definition of the factory to target sequence. At each stage in the
sequence, (e.g. ex-factory, after transport and a stated storage period, after uploaded to the launch
platform), the required success ratio can be specified. The storage and transport environmental conditions
need to be stated.

11.2 Such requirements will often in practice need to be detailed to enable the required through life
reliability to be delivered (see 10). Subject to the device or system and the methods of transportation and
delivery this may include but not be limited to:

11.2.1 the probability of success after being stored in stated conditions for a given period of time.

11.2.2 the probability of success after being deployed a stated number of times under stated conditions.

12 Appointment
Where the manufacturer is responsible solely for the "round", it is often convenient to specify the reliability of
a device excluding the reliability of the launch system. In this case a simple, unambiguous and suitable
wording could be given in the event of a successful launch, the probability that the round will detonate on the
target shall be “x".

13 Fuses
For devices such as fuses or squibs it is usually necessary to specify the complete chain of events that
constitutes success. These could include pressure rise, rise time, etc; in a stated environment.

Unclassified
6
 Unclassified
Def Stan 00-42 Part 1 Issue 2

SECTION 4 RELIABILITY DESIGN PHILOSOPHY

14 Integration of R&M in Design

14.1 Design philosophy is defined as those systematic, rational and logical disciplines by which the
design process is governed. Where applicable, the design processes should be tailored to one-shot devices
and one-shot systems.

14.2 Reliability of one-shot devices and one-shot systems may be improved by application of redundancy
designs in electronic circuits and/or by duplication of explosive/pyrotechnic chains; together with enhanced
structural integrity where appropriate.

14.3 The maximum potential reliability of a one-shot device or a one-shot system is often referred to as
the inherent design reliability. Many factors can influence the inherent design reliability of a one-shot device
or a one-shot system; such as the materials, the manufacturing processes, the components selected, the
maintenance procedures adopted, etc. Inherent design reliability should be a paramount consideration.

14.4 Inherent design reliability requires adherence to strict discipline on the part of both purchaser and
contractor in the application and control of the engineering processes and philosophy. The same disciplines
apply equally to one-shot devices and one-shot systems.

15 Reliability Design Criteria

15.1 One-shot devices and one-shot systems cannot be re-used without refurbishment and/or
replacement to bring them back to their original condition. Therefore, throughout the design process there is
a need for confirmatory testing of reliability concepts. This allows the reliability to be monitored and its
implications on the project, as a whole, to be evaluated at every stage. The fundamental problem with one-
shot devices and one-shot systems is that full functional testing either:

15.1.1 irreversibly expends “the One-Shot”;

15.1.2 strains a structural part, i.e. a part for which strength and/or stiffness is a design requisite, to loads
well in excess of the service loading, and usually to failure. Def Stan 08-5, Part 5 describes this testing
procedure and other DOSG procedures gives methods of estimation of the probability of structural failure.

15.2 A clear performance specification, including the storage, transportation and operating environments,
needs to be agreed before the design process can begin. Because the period of storage is often very long
and the environment very austere, it is essential that the designs of one-shot devices and one-shot systems
are as robust as possible within the overall system design constraints.

15.3 Emphasis has to be placed upon design analysis, (FTA, FMEA/FMECA etc) to assess the design
reliability because of the inherent difficulties in conducting reliability tests on one-shot devices and one-shot
systems.

15.4 Where possible, other design concepts should be considered to replace those functions that have
been traditionally fulfilled using energetic materials, eg the replacement of pyrotechnic delays by mechanical
or electronic timers with more predictable, and potentially improved, reliability; together with a much slower
rate of degradation.

15.5 Where possible, sub-systems that can be subjected to a conventional reliability assessment should
be tested independently; ensuring that all test parameters reflect the true environments and interfaces in
which the sub-system would be expected to operate.

15.6 One-shot devices, by definition, can normally only be sample tested (see 31.1) to give assurance of
the production standard. Because some degree of variability will always be present, and degradation always
possible following long term storage, it is essential that traceability of critical components and subsystems is
installed and maintained.

Unclassified
7
 Unclassified
Def Stan 00-42 Part 1 Issue 2

15.7 During the design formulation period a balance between the number of one-shot devices required
and the overall reliability, maintainability and performance requirements should be derived to fulfil the
capability.

16 Maintainability Design Criteria

16.1 The design process needs to take into account the maintainability and testability aspects of a one-
shot system. For a guided missile, it may be required to be stored for a long period of time, taken out of
storage, subjected to a minimum amount of testing and then deployed in a ready to be used state. The
system should be designed such that failures can be detected, diagnosed and repaired by the operator, or a
minimum of people, in a minimum amount of time and with the minimum amount of disturbance to the
remainder of the system.

16.2 The provision of system test points, built-in test facilities, or other diagnostic procedures should be
considered, with the aim of improving both the maintainability and testability of the system, consistent with a
minimum whole life cycle cost estimate. However, the provision of diagnostic capabilities must never
compromise safety and therefore the potential for maintenance points may be, necessarily, constrained.

16.3 Whilst it is not possible to fully test one-shot elements in a system, provisions to monitor functions
and characteristics of the one-shot elements, e.g. continuity, power supply, current etc, and display an
indication of the existence of a fault, or potential for a failure, should be evaluated in terms of reliability,
benefits and cost.

16.4 Some components could have a limited storage or operational life, e.g. batteries. In these instances
a schedule for testing and/or replacement is vital in the maintenance schedule for the system (see 29.1).

Unclassified
8
 Unclassified
Def Stan 00-42 Part 1 Issue 2

SECTION 5 APPORTIONMENT, MODELLING, CALCULATIONS and PREDICTIONS

17 Reliability
17.1 Reliabilities of one-shot devices, and one-shot systems, are functions of time but this effect should
not be assumed to be negligible compared to the potential for manufactured or “built-in” faults. Thus, each
one-shot item may be assigned a probability of failure that, initially, is considered time independent.
However, long periods of storage, if specified by the purchaser, may invalidate this assumption and a time
dependent failure rate may need to be separately accommodated within the overall system reliability model.

17.2 Reliability models for systems containing one-shot devices are frequently used as a basis for
evolving a proof or acceptance test philosophy. Therefore, apportioned reliability levels of one-shot devices
need to be realistically set such that they are economically testable.

17.3 If component reliabilities are assumed to be statistically independent, the reliability of all one-shot
devices may be incorporated into the final calculation of system reliability by multiplying the time dependent
portion of the model by a time independent portion, representing the one-shot elements. Thus:

Rsys = n∏i = 1 (1-f i ) . m∏j-1(Rj)

where: Rsys = System reliability

n = Number of one-shot items
f i = Failure probability of the ith one-shot item
m = Number of time dependent items
R j = Reliability of the jth time dependent item
However, the assumption of statistically independent component reliabilities is not usually valid in practice;
but the above equation gives a useful lower bound on reliability. Also, in practice, it may be necessary to
take into account a number of different failure modes applicable to the same component.

17.4 Time dependent phases of a one-shot item’s mission covering handling and transport may also be
modelled using this approach.

18 Reliability Predictions
18.1 For illustrative purposes only Table 1 provides an example of typical failure rates of one-shot device
assemblies.

18.2 Reliability predictions should be derived through approved methods and presented and argued in
accordance with Def Stan 00-42, Part 3, the R&M Case.

19 Maintainability
Corrective maintenance is not normally considered relevant to one-shot devices. However, the presence of
life-limited items, such as batteries, will require a preventive replacement policy that may, for example,
outline the use of special breakdown and retest procedures.

Unclassified
9
 Unclassified
Def Stan 00-42 Part 1 Issue 2

Item One-Shot Device Reliability 95% Confidence Failures 10-6

No Limits Trials
1 Actuator, hot gas. 0.9983 0.9992 / 0.9960 1750
2 Cartridge, ejector release unit 0.9992 0.9998 / 0.9972 760
3 Cartridge, cover removal. 0.9897 0.9965 / 0.9700 10350
4 Expansive motor, motor, gas piston
0.9998 0.9999 / 0.9992 150
thruster.
5 Flare, guided missile. 0.9994 0.9999 / 0.9986 566
6 Gas generator (actuator or remote gyro). 0.9988 0.9990 / 0.9985 1154
7 Gyro assembly, remote (efflux of remote
gas impinges on buckets cut into rotor 0.9991 0.9999 / 0.9976 928
periphery less gas generator and ignitor).
8 Gyro assembly, integral (cordite charge
built into periphery of rotor; Catherine 0.9936 0.9964 / 0.9889 6359
Wheel principle).
9 Ignitor, electric bridge wire. 0.9996 0.9999 / 0.9990 430
10 Ignitor, fusehead. 0.9983 0.9991 / 0.9969 1700
11 Ignition and safety arming unit (rocket
0.9903 0.9939 / 0.9851 9745
motor).
12 Rocket motor, case-bonded type (less
0.9993* 0.9997* / 0.9983 666*
ignitor and electrical supply failures )
13 Rocket motor, loose-cartridge type
(includes ignitor and electrical supply 0.9988 0.9993 / 0.9978 1246
failures).
14 Switch, fusible link. 0.9992 0.9999 / 0.9957 735
15 Thermal battery, cup and cover type. 0.9996 0.9999 / 0.9985 400
16 Thermal battery, pellet:
0.9997 0.9999 / 0.9982 320
sinconium/barium chlorate pyrotechnic.
17 Typical warhead initiation train
(surface/air-to-air) consisting of
(a) electrical power and wiring;
(b) safety and arming unit (single
channel, mechanical shutter); 0.9929 0.9979 / 0.9768 7100
(c) pressure delay unit or
accelerometer;
(d) infrared fuse;
(e) warhead.
18 Wire guidance mechanism. 0.9986 0.9991 / 0.9978 1400

Table 1 – Typical Failure Rates of One-Shot Assemblies

NOTE: All data (except *) include failures in associated electrical power supplies, including electrical wiring,
switches, plug and/or socket connectors, etc.

Unclassified
10
 Unclassified
Def Stan 00-42 Part 1 Issue 2

SECTION 6 ENGINEERING PROCEDURES

20 R&M Trade-off Studies

20.1 The correlation between reliability and safety will dictate a dominating safety reliability superior to the
overall reliability where failures could jeopardise user safety.

20.2 The specific properties and application of one-shot devices and one-shot systems generally effect
reduced opportunities for maintenance. This lack of maintenance may subsequently have grave
consequences with the device or system failing to successfully complete the mission on demand. The
designer should therefore carefully establish both the consequences of mission failure and the opportunity
for maintenance, or recovery action, on failure to complete a mission. Where the consequences are grave,
then high reliability and feasible testability need to be designed according to their ability to cost effectively
avoid the risk of failure and/or respond to the threat should the failure occur. The extent of R&M “trade-off”
will be limited by the scope for maintenance and, in the extreme, this may result in no effective maintenance
being possible in the operational environment.

20.3 For some applications, acceptable reliability may depend on the operating conditions, eg a lower
reliability may be necessarily tolerable when operating in extreme environments.

21 Parts and Materials Reliability

21.1 The designer needs to consider the special demands of one-shot devices and one-shot systems:

21.1.1 Design for all phases. One-shot devices and one-shot systems are characterised by handling and
long periods of storage followed by operation; often in extreme stress environments. The designer needs to
address the demands of each phase. In the former this will require design for dormancy (considering such
aspects as greases drying out, seals sticking, elastomers deteriorating etc) and design for handling
(considering loading and unloading, transportation etc). In the latter phase the designer needs to ensure
adequate stress margins exist to avoid poor reliability i.e. the components should inherently resist or be
protected from the extremes of the established operating environments.

21.1.2 Design for production. Since one-shot devices and one-shot systems offer restricted testing
opportunities, the designer should design for dependable production; such as to minimise the probability of
incorrect assembly or the use of incorrect processes and procedures. This will include such means as
making the correct method of assembly as self-evident as possible and selecting/designing all parts so as to
minimise the probability of their incorrect fitting into the assembly; or to effect such an impossibility. Also,
clear and unambiguous detailed procedures need to be provided for the manufacturing process itself.

21.1.3 Compatible materials. For predictable and acceptable reliability, it is essential that compatible
materials are used. One-shot devices and one-shot systems often contain explosive or dangerous
substances and lack of compatibility will often result in a significant and unplanned reduction in reliability.
(Def Stan 08-5 and DOSG procedures provide detailed guidance.)

21.1.4 Novel materials. The use of novel materials in one-shot devices and one-shot systems that often
undergo long periods of austere storage, harsh conditions of usage and very limited testing can result in
failure modes that are difficult to predict and failure rates that are derived from inadequate data. The
potential benefits of novel materials should therefore be weighed against these difficult to quantify
disadvantages.

22 Failure Modes Effects (and Criticality) Analysis (FMEA/FMECA)

22.1 The FMEA or FMECA are useful tools for establishing the criticality of an item to the overall
functionality of a one-shot device. It is not expected that it will be applied in any novel way for one-shot
devices and/or one-shot systems, but it is especially useful to identify critical areas or related R&M
improvement techniques. FMEA, as an analysis tool, is particularly appropriate to most one-shot devices and
one-shot systems where many components and events are related by predominantly series logic and the

Unclassified
11
 Unclassified
Def Stan 00-42 Part 1 Issue 2

absence of operating experience failures provides only very limited failure characteristics. These
characteristics also mean that it is better to adopt a functional approach to FMEA/FMECA whereby each
event is considered in turn. The benefit of designing for testability can be assessed and general design
weaknesses listed. (See Def Stan 00-42, Part 4) FMEA/FMECA has particular benefits in:

22.1.1 Design. Complex and expensive devices and systems that tend to have low statistical population
numbers can benefit from significant reliability gains at the design stage through the use of FMEA/FMECA.

22.1.2 Manufacturing. Due to the high reliability requirements of one-shot devices and one-shot systems,
and subsequent limited testing opportunities, manufacturing faults need to be minimised. The application of a
process FMEA will enable the examination of how faults can arise during manufacturing, can be found by
quality control procedures and can be avoided during the design and development process.

22.1.3 Hazard analysis. Since many one-shot devices and one-shot systems are potentially hazardous
(explosives, chemicals, etc), the FMEA should include categories for such hazards and the analysis can be
conducted to provide the optimum solution to other system requirements such as safety.

22.1.4 Dependent failures analysis. Dependent failures should be evaluated using FMEA since such
failures can significantly affect the reliability of one-shot devices/systems. The analyses make possible a
study of all the causes that can induce potential dependent failure and where appropriate should include an
examination of the preventive measures in place.

22.1.5 Trials planning. It is helpful when designing trials programmes to consider the failure modes
postulated by the FMEA/FMECA so that evidence can be gained to quantify the risk of the failures occurring
in practice. The need to conduct trials under worst case conditions can also be identified. Gaps in the trials
plan logic may also be exposed by confirming that all failures are given a chance to happen in trials.
Consideration of relative criticality may be helpful in deciding quantities to be trialled.

22.2 It is important to declare the boundaries of the analysis both in physical terms and in terms of the
failure mechanisms that will be considered. For example, it may or may not be appropriate to consider the
effects of manufacturing faults, e.g. components being out of tolerance, omitted or over provisioned. The
analysis needs to decide the boundaries to be applied to this speculation before embarking on the analysis.

22.3 A useful preliminary to a FMEA/FMECA is to list each component and its function(s). This will ensure
that nothing is forgotten and each function is considered and failure modes postulated. With one-shot
devices and one-shot systems it is important to consider failure mechanisms that might occur at any point in
the life of the component; e.g. seals might fail in store and allow moisture ingress to cause corrosion, the
device and/or system effectively failing at this point rather than later when an attempt is made to use it.

22.4 Because many one-shot devices and one-shot systems have limited operating experience it may be
difficult to sensibly propose failure rates for individual failure modes postulated. The effects of failure modes
may be difficult to estimate. For these reasons it is sometimes questionable as to the value of extending an
FMEA to an FMECA.

23 Fault Tree Analysis

23.1 FTA is a top down analysis and as such it is dependent upon the analyst identifying all the possible
failures that could cause the top failure and thence all the possible failures that could affect these failures,
etc. This technique, therefore, relies heavily upon the skills of the analyst. Its principal benefit, compared with
FMECA, is that it can be used to establish the effects of multiple failures and postulates the failure rate of the
top event. Usually, a combination of FTA, FMECA and Critical Items Lists are utilised for the analysis of a
product. Certainly, FTA is an important technique for one-shot devices as safety aspects are of vital concern.

23.2 It is usual for the skills of the analyst to be supplemented by the examination of all failures that occur
during the development and subsequent phases; as well as considering failures from other similar
equipment. These failures can be compared with those within the fault tree so that:

23.2.1 actual failures and their impact can be correlated to those defined in the fault tree;

Unclassified
12
 Unclassified
Def Stan 00-42 Part 1 Issue 2

23.2.2 the theoretical failure rates can be compared with actual failure rates.

23.3 FTA or Event Tree Analysis, if events, as opposed to faults, are being considered, has a further
advantage in that it does not have to be constrained solely to the hardware. It can also include human errors
as possible faults influencing the higher event.

23.4 When addressing the base events, faults at the lowest level within the fault tree, it is useful to
examine the failure rates and to consider possible degradation effects that could escape detection by either
inspection or test. Identifying these failure mechanisms can be the keystone in achieving a high reliability for
the product.

24 Sneak Analysis
24.1 Sneak analysis is a technique designed to uncover inherent design flaws which would not normally
be discovered by other review analyses and testing methods. Sneak analysis is a complex task and, for
other than very simple systems, computerized sneak analysis is the only practicable approach.
Computerized sneak analysis relies on an expert system and this fact should always be considered. This
analysis is particularly suitable for safety critical items

24.2 A sneak is an unexpected path or logic flow within a system which, under certain conditions, can
initiate an undesired function or inhibit a desired function. The path may consist of hardware, software,
operator actions, or combinations of these elements. Sneaks are not the result of failure and cannot
necessarily be analysed by techniques such as FTA or FMECA but are latent conditions, inadvertently
designed into the system or coded into the software program, which can cause it to malfunction under
certain conditions.

24.3 Although originally developed for application to electronic circuit designs, the technique can be
applied to electro-mechanical, electrical and mechanical designs and has also been extended to software
design; and it can be applied directly to integrated hardware-software systems.

25 Impact of Software
Establishing the possible events and their various combinations that could result in a system failure can be a
difficult process, particularly for one-shot devices and one-shot systems where the associated software can
have an extremely short operational period, but is nevertheless influenced by the software of the system as a
whole. Similarly, small changes in the electronic hardware (e.g. due to obsolescence) can result in latent
failures being discovered that could dramatically influence the performance of the one-shot device or one-
shot system. Whenever software is associated with a one-shot device or a one-shot system, great care
needs to be taken during its development and during subsequent design change regardless of how trivial the
change may appear.

26 Human Impact on Reliability and Maintainability

Human error is a principal cause of serious failures and accidents, and the likelihood of such errors can be
influenced by features of the equipment’s design. The equipment designer’s goal should always be to
achieve the lowest possible level of human error. Human reliability analysis is a method of reviewing an
equipment to identify areas where the design could be improved to eliminate or reduce sources of human
error. (See Def Stan 00-25, Parts 15, 20-21 and 25)

27 Derating
27.1 Derating is also an important aspect when considering one-shot devices and one-shot systems. In
addition to the electrical and mechanical attributes, chemical compounds and their mutual influences need to
be considered. An explosive product can contain several propellant fuels, oxidants, stabilisers, plasticisers,
surface lubricants, burning rate moderates, flash inhibitors and coolants. The one-shot device or one-shot
system within itself can also contain a number of distinctly separate explosive products. For explosive
devices and systems it is necessary to consider a number of factors such as stability (including chemical and

Unclassified
13
 Unclassified
Def Stan 00-42 Part 1 Issue 2

ballistic), resistance and affinity to water, compatibility (impurities and dissimilar materials) toxicity, density,
sensitiveness, volatility and melting point, and safety.

27.2 The storage, transport test, operational environments (temperature, humidity and shock) can
influence the estimated life of the product and therefore derating can help to reduce the ageing process.
Impurities within the compound, as with silicon chips, can accelerate the decomposition process. In some
cases, the products of decomposition can themselves act to catalyse this decomposition. Usually, the
impurity levels within any product is a subject of the product’s design and is ignored from a derating aspect;
but an understanding of their effects can be useful in establishing derating factors.

28 Critical Items
The model, criterion or standard, for critical items of one-shot devices and one-shot systems needs to be
formally reviewed. By their very nature, one-shot devices and one-shot systems tend to have a high
proportion of mission and safety critical items. Their significance is also greater since, for example, it is often
not practicable to conduct extensive reliability trials and there is often little opportunity for maintenance or in-
service testing to reveal failed components. Therefore, the designer needs to pay greater attention to critical
items to ensure that the one-shot device or one-shot system achieves its target reliability.

29 Life-Limited Items
The extensive periods of storage often experienced by one-shot devices and one-shot systems require the
designer to analyse and identify all items whose life is less than the design life of the overall one-shot device
or one-shot system. According to the mission consequences of failure, it may be acceptable to allow some
components to run to failure (i.e. single failure may be acceptable within the context of the mission), however
analysis of the design needs to identify all critical items with a limited life. Life-limited items should comply
with the replacement policy of the MOD Project Manager, i.e. generally being modular and compliant with the
design interchangeability requirements of Def Stan 08-5. An effective surveillance programme should be in
place to ensure that life-limited items are replaced before their design life expires.

Unclassified
14
 Unclassified
Def Stan 00-42 Part 1 Issue 2

SECTION 7 TEST AND SCREENING ASSESSMENT

30 Testing
30.1 The testing of a one-shot device or a one-shot system usually results in its total destruction or an
irreversibility of a discreet part. In addition, if the cost of the device and/or the cost of operation is high then
growth, qualification and production testing costs can be prohibitively high. In these cases, testing may be
appraised as being compiled of a number of stages, all of which will contribute in providing an overall
confidence in the achievement of the reliability. To ensure that an effective testing regime is implemented,
the R&M programme plan should encompass a test policy. Typical factors for consideration are:

30.1.1 During the design phase, the one-shot device or one-shot system should be defined as comprising
testable and untestable elements (those elements that would be destroyed if fully operated); and the design
should maximise the use of testable elements. The design should consider testing the final product with the
one-shot (untestable) elements removed or suitably simulated. Subsequent incorporation of the one-shot
elements should be achievable with the minimum of disassembly and re-assembly of the tested product.

30.1.2 Ensure that the design margins at the interfaces with the one-shot elements are sufficient to prevent
potential failures due to variability.

30.1.3 Identify areas of largest uncertainty where potential failure mechanisms of the one-shot element
have the greatest impact or risk. This should consider input signals, environmental factors and human
interactions throughout the life profile; and not solely at the point of operation since the device may not be as
thoroughly tested after initial manufacture.

30.1.4 Establish a programme that can test the above mentioned failure mechanisms whilst minimizing the
parts of the device that will be destroyed. In addition, consider the use of high stresses for accelerated
testing purposes in order to reduce the quantity tested.

30.1.5 Consider testing the complete device with a limited set of conditions to provide a measure of
confidence. For example, worst case tolerance conditions.

30.1.6 Ensure that there is batch homogeneity.

30.1.7 Since most one-shot devices are likely to be subjected to long term storage, it is advisable that the
built-in test for the final product is maximised.

31 Sample Testing
31.1 Since the testing of a one-shot device or one-shot system usually results in its total destruction or an
irreversibility of a discreet part, qualification testing and production reliability acceptance testing has to be
conducted by testing a representative random sample of the batch submitted for acceptance. Qualification
testing can be considered as sample testing since the quantities submitted to a destructive test will be limited
and are representative of a larger population implied by the design and manufacturing process. Testing of a
one-shot device or one-shot system will result in either the intended function or failure, i.e. a success or a
failure. Acceptance of the batch will depend on the number of unacceptable items being less than or equal to
an agreed maximum. Under these circumstances and within the economic and logistic constraints of the
programme, use of ISO 2859 (BS 6001): Sample Procedures and Tables for Inspection by Attributes is
recommended. Use of this British Standard allows the Operating Characteristic (OC) curve of the sampling
plan being used to be studied so that the risks of rejecting “good” material or accepting “bad”, if it is
submitted, can be understood and evaluated. Switching rules in these standards also allow the amount and
severity of the sampling regime to be adjusted in response to changes in the reliability of the product when
there is a continuing series of batches.

31.2 The main statistical distribution underlying ISO 2859 (BS 6001), and generally applicable to one-shot
devices and one-shot systems, is the binomial distribution. This distribution is expanded in many statistical
text books. A brief introduction is given here. If a sample of size n is taken from a relatively large batch that

Unclassified
15
 Unclassified
Def Stan 00-42 Part 1 Issue 2

has a reliability level of q then the probability that the sample will contain exactly r unacceptable parts is
given by:

P(r) = [n C r p r q (n-r)]

Where p = l-q and is the fraction of unacceptable parts and

n
Cr = n! / r!(n-r)! and n! = n x (n-l) x (n-2)...x 1

If it is agreed that the batch will be accepted if no more than ‘a’ failures occur when the sample is tested,
then the probability of acceptance for a batch of reliability q is given by:

P(a) = a∑ r=0 [n Cr pr q (n-r)]

Using this equation with a range of values of q will generate an OC curve for the sampling plan defined by n
and a. This curve describes the ability of the plan to discriminate between high and low levels of reliability.

31.3 A point estimate ( ↑ q ) of reliability can be obtained from sample data from the expression:

↑ q = (n-r) / n

Where r is the number of one-shot devices failing in a sample size of n. Since this sample data only
determines a point estimate, the real reliability level q is unknown. On occasion it is of interest to calculate a
lower confidence bound below which there is only a small risk that q will dwell. This can be achieved by
finding the value q that satisfies the equation:

(1- confidence) = a∑ r=0[nC r pr q (n-r)]

If a = 0 then this expression is simplified:

q = (1 - confidence)1/n

The cumulative binomial equation is a function readily available in current computer spreadsheets.
Alternatively, cumulative binomial tables and homographs, available in many text books, can be used.

31.4 When the batch is small and the sample to be taken is a relatively large proportion, say greater than
30%, use of the binomial distribution becomes inappropriate because it assumes that the population is
infinite. The binomial will over-estimate the probability of acceptance. The hyper-geometric distribution gives
the correct solution. This is the main statistical distribution applied within ISO 2859 (BS 6001) for sampling
plans indexed by limited quality for isolated lot inspection. If there are N items in a batch that contains M
potential failures and n items are tested and x fail, then the probability of this event can be calculated as:

Px = [ M C x (N-M) C (n-X)] / [ N C n ]

If it is agreed that the batch will be accepted if not more than “a” failures occur when the sample is tested,
then the probability of acceptance for a batch containing M potential failures is:

P(a) = α ∑ x=0 [ M C x (N-M) C (n-X)] / [ N C n ]

Points on an OC curve can be calculated by varying M. Again, the cumulative hyper-geometric equation is a
function readily available in current computer spreadsheets.

31.5 One-shot devices and one-shot systems sometimes produce outputs which can be measured on a
continuous scale, eg pressures, velocity, burning times. The outputs can be used to characterise the device

Unclassified
16
 Unclassified
Def Stan 00-42 Part 1 Issue 2

or system and may be useful as part of a specification and test regime. If the output appears to be at least
approximately distributed according to a Normal Distribution then ISO 3951 (BS 6002), Sampling Procedures
for Inspection by Variables, should be considered, within the economic and logistic constraints of the
programme, as a basis for acceptance testing. As better use is made of the data when using inspection by
variables, it is possible to reduce the sample size compared to inspection by attributes (ISO 2859 (BS 6001)
refers) for the same level of discrimination between “good” and “bad” reliability levels.

31.6 Examples

31.6.1 Example 1. It is required to determine the reliability of a batch from which a sample of 50 items has
been tested and there were 46 successes.

An exact determination of the reliability of the batch from a sample is not possible, but a level of confidence
can be calculated by applying the equation:

(1- confidence) = a ∑ r = 0 [n C r p r q ( n - r )]

The confidence that the batch has a reliability of a least 0.92 (equivalent to the point estimate) can be
determined by utilising the binomial equation available in commercial spreadsheets. The input factors are:

The number of trials, i.e. 50.

The number of successes, i.e. 46.
The reliability of the batch, i.e. assumed to be 0.92.
A value to indicate that the calculation is cumulative, ie at least 46 successes as opposed to
exactly 46 successes.

For this example, there is a 37.1% confidence that the reliability of the batch is at least 0.92. Conversely,
there is a 62.9% risk that the reliability of the batch is less than 0.92.

More usually, the confidence factor is defined and the lower confidence bound for reliability is required. In
these cases, a range of reliability values is inserted in the spreadsheet and the confidence determined. An
iterative procedure being used to “home-in” on the defined confidence level. For example:

RELIABILITY CONFIDENCE RELIABILITY CONFIDENCE

0.92 0.3710 0.827 0.9486
0.84 0.9192 0.826 0.9504
0.83 0.9428 0.825 0.9521
0.82 0.9601
0.81 0.9726

Hence, there is a 95% confidence that the batch reliability is at least 0.826.

31.6.2 Example 2. A sample plan is required to be established so that there is a 95% confidence that the
reliability of the batch is at least 0.92.

To apply the binomial distribution for this case is difficult because both the number of trials and the number
of successes are unknown. An alternative approach is to use the “criterion binomial” function that is available
in commercial spreadsheets. The input factors are:

The number of trials (to be determined).

The reliability of the batch, i.e. 0.92.
The criterion probability (in this case, 0.95).

Unclassified
17
 Unclassified
Def Stan 00-42 Part 1 Issue 2

The output is the largest integer, depicting the number of trial successes, for which the cumulative
distribution is less than or equal to the criterion. For this example, the following output can be calculated for
the reliability of the batch to be at least 0.92:

MINIMUM NO OF
SAMPLE SIZE
SUCCESSES

36 36

58 57

77 75

95 92

Having determined the values of n and a, it is possible to use the binomial distribution to generate a series of
OC curves (see Figure 1). The advantage in selecting the minimum sample size is obviously the costs
involved in conducting the demonstration. An increase in the number of items tested will reduce the risk to
the contractor. Assuming that the reliability of the batch or population is 0.98, the risk to the contractor (1 -
probability of acceptance) of failing to pass the selected sampling plan is as follows:

Figure 1 - Typical Operating Characteristic (OC) Curves

RISK OF FAILING TEST IF BATCH

SAMPLE SIZE RELIABILITY IS 0.98

Unclassified
18
 Unclassified
Def Stan 00-42 Part 1 Issue 2

36 52%

58 32%

77 12%

95 8%

It is important that the risks implied by the OC curve for the sampling plan selected for the demonstration are
acceptable to both the MOD and the contractor. Increasing the number of items tested steepens the OC
curve and reduces the risk, but adds cost to the programme.

32 Accelerated Testing
32.1 Accelerated testing can be used for life testing, endurance testing and reliability improvement
testing. The intention is to conduct tests using stress levels in excess of those normally experienced so that
failures will be generated faster.

32.2 For one-shot devices and one-shot systems that are subjected to long term storage before
operation, accelerated testing is used to simulate the storage period and an acceleration factor applied to
relate the storage life under acceleration with the life under normal conditions. Since failure mechanisms are
basically a physical and/or chemical process and temperature is known to vary the rates of many physical
and chemical reactions (such as corrosion in the presence of moisture, intermetallic growth, material
migration etc), increasing the temperature is a popular choice for accelerated testing. With respect to
vibration and thermal cycling, it is more usual to determine the total amount that an item will experience
during its lifetime and to apply the same amount (at a faster rate) over the shorter accelerated test period.
This multi-stress approach is intended to ensure that failure mechanisms that require multiple stresses are
suitably tested. Stress corrosion cracking, for example, is an interaction between fracture and corrosion.
Other stresses such as shock, humidity, contaminants, and electromagnetic fields, etc. also need also be
considered.

32.3 Most frequently, the dependence of a failure mechanism on temperature is modelled by the
Arrhenius model where the median time to failure is expressed as:

Cexp (-E/kT)

where: C is a constant
E is the activation energy for the failure mechanism
k is Boltzman’s constant (8.36 x 10-5 eV/K)
T is the absolute temperature

By conducting accelerated tests at two different temperatures it is possible to derive an acceleration factor to
relate to normal usage.

32.4 Unfortunately, when there is a multitude of failure mechanisms and multiple stresses, all interacting,
it is not always possible to apply a simple theory approach. In particular, failure mechanisms may occur
which would not manifest during the normal lifetime of the product. These failures cause two problems: the
need to determine each fault and to decide if it would occur in normal usage; and also the disruption of the
accelerated test with techniques having to be devised to inhibit the unwanted failures so that the test can
continue to find other failures.

32.5 These problems, however, should not detract from the many potential benefits that can be gained
from accelerated testing, but emphasise the degree of caution that needs to be exercised when preparing an
accelerated test programme. Experience in accelerated testing and the product technology concerned are
important requisites. It is important, however, to recognise that accelerated testing cannot demonstrate but

Unclassified
19
 Unclassified
Def Stan 00-42 Part 1 Issue 2

only indicate compliance/non-compliance. For this reason, surveillance programmes are essential in order to
accumulate experience. Surveillance programmes are intended to study quantities of the product (or parts of
the product) under normal conditions. At certain time intervals, items are removed for test and examination
(sometimes resulting in their destruction) to determine if there are any signs of degradation that could
eventually result in a failure. For example, it is possible to detect the drift of a particular test parameter and
extrapolate the time to predict eventual failure. Again, surveillance programmes require careful consideration
and need to address a variety of difficulties such as:

32.5.1 selection of the most likely parts requiring surveillance (necessary to minimise costs);

32.5.2 the surveillance environmental conditions represent the typical/worst case scenario;

32.5.3 batch variability;

32.5.4 the isolation of a part from the remainder of the product may cause inappropriate
stresses/environments.

32.6 Consideration should be given to the benefits of utilising over-testing in assessing margins between
success and failure, especially where samples are low and in cases where experience is minimal.

33 Growth Testing
33.1 One of the primary purposes of growth testing is to generate typical failures that can be analysed
and eliminated from the design. For one-shot devices and one-shot systems, failures usually result in the
bulk of evidence being destroyed. Therefore, to be effective, the data recording and corrective action system
(DRACAS) needs to accurately record the full details of the failure. The record should specify the activity
being undertaken, the state of the equipment, as well as any external influences; environment, scenario,
personnel or other interfacing equipment. Preferably the information should be provided from automatic
recordings and/or instrumentations complemented by eye-witnesses. To establish the cause of a failure in
these cases, it may be necessary to examine the FMEA/FMECA/FTA data as well as simulations as the
likelihood of exactly repeating the occurrence, and hence duplicating the failure, may be difficult, if not
impossible; as well as costly.

33.2 One of the objectives of growth testing is to estimate the reliability of the product at the end of
development, or, conversely, to estimate the amount of development time that is required to achieve the
desired reliability. In order to accomplish this a mathematical model has to be selected. The collected data
are used to confirm the applicability of a particular model and the model is then used to extrapolate the data
so that the reliability can be estimated at some future point in time. Growth testing should be introduced as
early as possible in the development programme in order to achieve the greatest impact, but this can
introduce its own problems. For example, testing during early development is concerned with average
performance parameters with subsequent testing at the extremes of the performance envelope. Similarly, the
test equipment is refined as development progresses. Growth models do not usually take into account
variations in performance testing, but require the product to be subjected to its in-service conditions.

33.3 Since testing a one-shot device or a one-shot system may result in its destruction, the amount of
testing is restricted. In these cases it may be preferable to identify the most vulnerable and/or critical failure
mechanisms and to increase testing in these specific areas in order to supplement the limited testing of the
whole product.

33.4 The reliability requirement for a one-shot device or one-shot system is usually very high and
therefore testing to estimate the overall reliability would require an unacceptable number of items to be
destructively tested. An alternative approach would be to consider “Step Stress Testing”. This is an
accelerated testing technique designed to precipitate faults that under normal operation have a low
probability of occurrence. When a fault is established, a design solution can then be introduced.

Unclassified
20
 Unclassified
Def Stan 00-42 Part 1 Issue 2

33.5 The most widely accepted model for growth testing is the empirical model developed by Duane in
which the relationship is:

Mc= At ∞

where: Mc is the cumulative mean time between failure (MTBF)

A is a constant
T is the cumulative time of failure
∞ is a constant

For one-shot devices with high reliability, the time, t, can be equated to the total number of trials and the
cumulative MTBF becomes (total number of trials / total number of failures).

Plotting the log of Mc against the log of t will result in a straight line. The instantaneous MTBF (Mi) can be
expressed as:

Mi = Mc / (l - ∞)
Therefore, when using log-log paper, it can be represented by a straight line parallel to the cumulative plot,
but displaced above it by a factor of (1 - ∞).

The Duane model assumes a uniform level of testing and immediate improvement of the fault throughout the
duration of the test. The model is also insensitive to variations in reliability occurring late in the test
programme.

33.6 The US Army materiel systems analysis activity (AMSAA) model is an improvement on the Duane
model, but is more complex. It is based on the fact that the Duane model is a non homogeneous Poisson
process. The probability that n failures occur between test commencement and total test time t is:

[m(t)n exp.(-m(t))] / n!

where: m(t) = λtß

λ and ß are positive parameters

33.6.1 This model overcomes the difficulty of Duane in that the rectification of faults can occur in step
functions. The AMSAA model uses the cumulative number of failures as opposed to the cumulative MTBF
when plotting against time on log-log graph paper and l is (1 - ∞).

33.7 There is a wide range of other complex models that can be used and current software packages are
available that will automatically derive a model for a set of data points. However, a simple moving average
plot can sometimes be perfectly adequate and is usually better appreciated when presented to non-
mathematicians.

34 Environmental Stress Screening (ESS)

34.1 Environmental stress screening (ESS) is intended to induce faults that would otherwise occur during
the early life of a product so that they can be detected and rectified prior to delivery. Obviously, there is no
benefit in conducting ESS if the fault cannot be detected. Hence, ESS is usually conducted prior to
embodiment of the one-shot elements. Usually, various types of stresses and durations are conducted as
early as possible in the production process to minimise costs, i.e. ESS is phased over the entire production
process to reap the maximum benefit. Any ESS conducted after incorporation of the one-shot device will
have reduced testing not only of the one-shot elements, but also of the associated sub-systems. Faults
present within the one-shot device can only be detected on a statistical basis by sample testing the
production batches.

Unclassified
21
 Unclassified
Def Stan 00-42 Part 1 Issue 2

34.2 Since ESS is intended to induce faults, there needs to be a high confidence that faults will not
manifest themselves in these untestable areas. It is worth noting that interconnections that are accomplished
after ESS in order to incorporate the one-shot elements should be identified as critical areas so that
production can introduce suitable measures (such as increased inspection) to ensure that a satisfactory
performance is achieved.

Unclassified
22
 Unclassified
Def Stan 00-42 Part 1 Issue 2

SECTION 8 MANAGEMENT

35 Planning
35.1 The R&M programme plan is a key document for the achievement of R&M objectives. It is the means
by which the contractor can specify and manage the programmes and by which the purchaser can monitor
progress and achievement.

35.2 In the R&M programme plan, the contractor should describe the scope and content of the R&M
activities and how these will be achieved. It should be fully integrated with the overall project programme
plan, including a quality plan. It should include a list of milestones against which R&M progress can be
measured and these may form part of the contractual milestone programme. It should cover all phases of the
programme and specify what has to be achieved in one phase before the next can commence.

35.3 The R&M programme plan should be written as a realistic working document and should highlight all
areas of risk or uncertainty. It should not be based on the assumption that all activities will have a successful
outcome but should consider suitable courses of action should difficulties arise. It should show the key links
and decision points agreed between the contractor and the purchaser as well as the responsibilities of all
personnel with a working or managerial involvement in the R&M activities. It should show the time at which
particular activities will be undertaken, the resources needed and define what needs to have been completed
before each task can commence. The output from each task should be specified together with any inter-
relationships between the tasks.

35.4 In the R&M programme plan, the contractor should detail, within a quality plan, how he plans to
specify, control and accept the work of his subcontractors. Each subcontractor should have his own
programme plan that is agreed by the contractor and the key milestones of this should be reflected in the
overall programme plan. The subcontractor’s R&M programme plan should form a part of this and should
have its own discrete milestones. One of these milestones should be detailed specification of the items being
supplied by the subcontractor and the acceptance criteria against which they will be judged.

35.5 One-shot devices and one-shot systems should be subjected to management control procedures
that integrate fully with the remainder of the programme, although the way these are implemented technically
may have to differ. Due to the difficulties in confirming the R&M performance of such items it is likely that the
production controls will assume a very high profile. The production R&M plans will need to consider areas
where critical inspection is required, batch testing programmes and the monitoring of batch to batch
variations.

35.6 In some cases, the one-shot devices may be supplied by the purchaser with the contractor being
tasked to integrate these into the overall system and to embody them in the equipment. In this case the
purchaser supplied equipment (PSE) should be defined such that the achievement of the R&M performance
of the item under agreed conditions is the responsibility of the purchaser. The subsequent translation of this
into R&M performance within the equipment is then the responsibility of the contractor. Provision of R&M
data during design/development of the PSE is the purchaser’s responsibility even if this is supplied direct to
the contractor by the PSE manufacturer. If the PSE is subject to batch testing before delivery to the
contractor the batch numbers and test results should be passed to the contractor so that they become part of
the configuration control of the overall equipment.

36 R&M Case and Progressive Assurance

Confidence shall be developed through progressive assurance as defined in Defence Standard 00-42, Part
3, R&M Case. The R&M Case is a reasoned, auditable argument created to support the contention that a
defined system satisfies the R&M requirements, and as such provides an audit trail of the engineering
considerations from requirements through to evidence of compliance. It provides the traceability of why
certain activities have been undertaken and how they can be judged as successful. It is initiated at the
concept stage, revised progressively during a system life cycle and will typically be summarised in R&M
Case Reports at predefined milestones.

Unclassified
23
 ©Crown Copyright 2008

Copying Only as Agreed with DStan

Defence Standards are Published by and Obtainable from:

Defence Procurement Agency

An Executive Agency of The Ministry of Defence

UK Defence Standardization

Kentigern House

65 Brown Street

GLASGOW G2 8EX

DStan Helpdesk

Tel 0141 224 2531/2

Fax 0141 224 2503

Internet e-mail [email protected]

File Reference

The DStan file reference relating to work on this standard is 21/42/1

Contract Requirements

When Defence Standards are incorporated into contracts users are responsible for their correct
application and for complying with contractual and statutory requirements. Compliance with a Defence
Standard does not in itself confer immunity from legal obligations.

Revision of Defence Standards

Defence Standards are revised as necessary by an up issue or amendment. It is important that users
of Defence Standards should ascertain that they are in possession of the latest issue or amendment.
Information on all Defence Standards can be found on the DStan Website www.dstan.mod.uk,
updated weekly and supplemented regularly by Standards in Defence News (SID News). Any person
who, when making use of a Defence Standard encounters an inaccuracy or ambiguity is requested to
notify UK Defence Standardization (DStan) without delay in order that the matter may be investigated
and appropriate action taken.