Engineering Failure Analysis 14 (2007) 420433 www.elsevier.

com/locate/engfailanal

General principles of the use of safety factors in design and assessment

F.M. Burdekin
*
Emeritus Professor, UMIST, Sackville Street, Manchester M60 1QD, United Kingdom Received 30 August 2005; accepted 30 August 2005 Available online 21 August 2006

Abstract Any structure or component can be made to fail if it is subjected to loadings in excess of its strength. Structural integrity is achieved by ensuring that there is an adequate safety margin or reserve factor between strength and loading eects. The basic principles of allowable stress and limit state design methods to avoid failure in structural and pressure vessel components are summarised. The use of risk as a means of dening adequate safety is introduced where risk is dened as the product of probability of failure multiplied by consequences of failure. The concept of acceptable target levels of risk is discussed. The use of structural reliability theory to determine estimates of probability of failure and the use of the reliability index b are described. The need to consider the eects of uncertainties in loading information, calculation of stresses, input data and material properties is emphasised. The way in which the eect of dierent levels of uncertainty can be dealt with by use of partial safety factors in limit state design is explained. The need to consider all potential modes of failure, including the unexpected, is emphasised and an outline given of safety factor treatments for crack tip dependent and time dependent modes. The relationship between safety factors appropriate for the design stage and for assessment of structural integrity at a later stage is considered. The eects of redundancy and system behaviour on appropriate levels of safety factors are discussed. 2006 Elsevier Ltd. All rights reserved.
Keywords: Structural reliability; Limit state design; Safety margins and safety factors

1. Denitions and general considerations 1.1. Safety margins and safety factors For structural integrity applications safety is assured by ensuring that the resistance to failure is greater than the combined eects of the various types of loading which may occur. It is necessary to consider separately all modes of failure which may occur. For present purposes the resistance eects will be dened by the term R and the loading eects by the term L. Thus for safety, R L > 0.
* Address: Formerly School of Mechanical, Aeronautical and Civil Engineering, Department of Civil and Structural Engineering, University of Manchester, P.O. Box 88, Manchester M60 1QD, United Kingdom. Tel.: +44 161 200 4600; fax: +44 161 200 4601. E-mail address: mburdekin@aol.com.

1350-6307/$ - see front matter 2006 Elsevier Ltd. All rights reserved. doi:10.1016/j.engfailanal.2005.08.007

F.M. Burdekin / Engineering Failure Analysis 14 (2007) 420433

421

The safety margin for any particular mode of failure, Z is given by: ZRL The overall safety factor for any failure mode, c is given by: c R =L In practice both the resistance eects R and the loading eects L will involve a number of variables or material properties, each of which may be subject to uncertainty or scatter. In addition, in order to compare the load and resistance eects, it is necessary to have equations giving the relationship between them for each potential mode of failure which predicts failure when R = L. There will also be uncertainties in this modelling equation. The margin of safety, or alternatively the safety factor, which is appropriate for a particular application must take into account the following:      The scatter or uncertainty in the variables which form the input data for load and resistance eects. Any uncertainty in the equation used to model failure. The consequences of failure. The possibility of unknown loadings or mechanisms of failure occurring. The possibility of human error causing unforeseen events.

1.2. Modes of failure The potential modes of failure can be divided into those which cause failure on the net cross section and those which cause failure by progressive growth of a crack as follows: Net section failure Plastic collapse Bending Buckling Overall Local Lateral torsional Torsion Shear Crack tip failure Fracture Fatigue Stress corrosion Creep

Note: the net cross section may be reduced by crack growth. 1.3. Types of loading The types of loading which may have to be considered include the following:  Dead permanent eects self-weight  Live imposed service Oce/factory oor loading Human movement Trac Pressure Thermal Temperature dierence  Environmental wind, wave, tide, snow  Extreme/accident earthquake, impact, failure of other members or component.

422

F.M. Burdekin / Engineering Failure Analysis 14 (2007) 420433

 Note: Probability of occurrence/uncertainty is dierent for each case and the overall probability must be obtained by combining the probabilities for each mode as independent events.

2. Codes and standards: system failure and eects of redundancy on safety margins 2.1. Allowable stress and limit state design codes It is necessary to dene exactly what constitutes failure. Codes and standards are generally based on one of two alternatives in this respect, namely allowable stress or limit state design. In allowable stress codes, the intention is that the stress under the maximum loading conditions should nowhere exceed the material yield or ultimate strength divided by an appropriate safety factor (typically 1.5 for yield strength or 2.53.0 for ultimate strength). In limit state design, the structure is designed to reach a dened limit state under loading conditions derived from the maximum expected multiplied up by a load factor. The usual limit states are either the ultimate state in which the structure actually fails or a serviceability limit state in which the performance of the structure is impaired to an unacceptable extent. With limit state design, it is common practice to use partial safety factors, where separate factors cL and cR are applied to the load and resistance parts of the failure equation, respectively. These factors cL and cR may then be broken down further to partial safety factors cL1, cL2, cL3, cL4 and cR1, cR2, cR3, cR4, etc. applied to the individual variables for loading and resistance terms in the failure equation, respectively. This is discussed further below. Limit state design codes have been in use in the UK and some European countries for some years. These will be superseded in due course by EuroCodes although individual member states have the right to place their own values for certain requirements where guidance is given in the EuroCode by boxed numbers. This situation applies to guidance on partial safety factors in EuroCodes. The most relevant of the EuroCodes is EuroCode 3 which is for steel structures and was published in 1993 although it is not yet in widespread use [1]. EuroCode 3 gives conventional guidance on design of steel structures to avoid failure by plastic collapse and by buckling. As far as fracture is concerned the guidance is given in the form of material selection requirements based on the Charpy V notch impact test for dierent grades of steel and thicknesses at dierent minimum temperatures. A full presentation on the approach to safety in EuroCodes is given in a separate paper at this symposium [2]. 2.2. Eects of redundancy on safety margins It is important to distinguish between local failure of a component and failure of a complete system. Whilst failure of a critical component in a non-redundant structure may cause complete failure of the whole structure, in a redundant structure alternative load paths may be available such that there is a reserve capacity after failure of a single component. Even within a single member there may be redundancies as shown by the example of comparing a xed ended beam with a simply supported beam under uniformly distributed loading as shown in Fig. 1. In Fig. 1a for the simply supported case, as the magnitude of the uniform load increases, yielding rst occurs at the mid length position and a further increase of load causes the spread of yield across the complete cross section at mid length until collapse occurs by the formation of a plastic hinge there. The load capacity depends on the material yield strength ry, the span L, and the section moduli, Ze for elastic behaviour and Zp for plastic behaviour. For the xed ended case in Fig. 1b, however, yielding rst occurs at the ends of the beam where the bending moment is highest. This starts to spread across the cross section at the ends as the load is increased further. The bending moment at the mid length position for fully elastic conditions is only half that at the ends so that a signicant increase in loading is required before yielding starts to occur at midlength. Even when a full plastic hinge has developed at each end of the beam, collapse does not occur until a mechanism develops with a plastic hinge at mid span as well. In general, overall collapse will not occur until there are sucient plastic hinges for a mechanism, although there will be some rotation at some hinges before the full mechanism develops. For the xed ended beam, rotation will develop at the ends at a xed resistance moment equal to the fully plastic moment of the beam and material (Zp ry) and the shape will change towards the shape of a simply supported beam. The results for load capacities for these dierent conditions

F.M. Burdekin / Engineering Failure Analysis 14 (2007) 420433

423

w / unit length

Plastic hinge at collapse

wL/2

wL/2

w =8 Ze y/L2 w =8 Zp y/L2 M

Elastic

MP

Collapse

a
M0 w / unit length Plastic hinges at collapse M0

wL/2 2. w =12 Zp y /L2 1. w =12 Ze y/L2

wL/2

MP

1. w =12 Ze y /L2 2. w =12 Zp y /L

2

1 2 3 MP

3. w = 16 Zp y/L2

Fig. 1. Beams with dierent end conditions under uniformly distributed loads. (a) Simply supported and (b) xed ends.

are summarised in Table 1, and the ratios of loads for rst hinge and for collapse to those for rst yield are given in Table 2. The ratio of the fully plastic modulus to the elastic modulus Zp/Ze is a property of the cross section and is known as the shape factor. For a solid rectangular bar, the shape factor has a value of 1.5, whilst for a typical structural I-beam the shape factor is about 1.1. Thus considering the results set out in Tables 1 and 2, it can be seen that a simply supported structural I-beam can carry about 10% additional load after rst yield occurs before failure occurs by plastic collapse. The corresponding xed ended case, however, can carry nearly
Table 1 Uniformly distributed load levels for dierent limiting conditions in simply supported and xed ended beams w for rst yield Simply supported Fixed ended 8Zery/L 12Zery/L2
2

w for rst hinge 8Zpry/L 12Zpry/L2

2

w for collapse 8Zpry/L2 16Zpry/L2

424

F.M. Burdekin / Engineering Failure Analysis 14 (2007) 420433

Table 2 Ratios of loads at which dierent limiting conditions are reached for simply supported and xed ended beams w for first hinge w for first yield Simply supported Fixed ended Zp/Ze Zp/Ze w for collapse w for first yield Zp/Ze 1.33Zp/Ze

50% additional load after rst yield occurs before it actually fails by plastic collapse. The xed ended beam case is typical of a redundant situation, where local exceedance of normal limiting stresses does not mean failure of the structure or component. Allowable stress design would limit permissible loads to those at which the yield strength is rst reached. Limit state design, however, is based on designing for complete failure but then applying appropriate safety margins to the input variables to ensure that the failure condition is not reached in practice. Similar considerations apply to the dierence between local and global collapse in determining the plastic collapse parameter Lr in the fracture assessment diagram treatments using the R6 [3] or BS 7910 [4] approaches. However, in this case, the relationship between the amount of plasticity and the increase of crack tip driving force is very important and specic cases should be assessed by elastic plastic nite element analysis. In principle, failure of a redundant structure should be considered as a system in which the probability of failure of individual elements is assessed sequentially after load redistribution following each failure and the overall failure probability obtained by combining the results. 3. General background to reliability analysis and partial factors 3.1. Reliability analysis There are a number of general texts describing the general principles of reliability analysis; amongst them references [57]. For general structural assessment purposes it is standard practice to assess safety by a comparison of load and resistance eects using an established design relationship able to predict failure. When there are uncertainties in the input variables, or scatter in the materials data, reliability analysis methods can be employed to determine the probability of failure, i.e. the probability that the load eects will exceed the resistance eects. This is shown in Fig. 2 where the failure region is in the overlap zone between the load and resistance distributions. The failure equation is written in terms of load and resistance eects with the input variables grouped together appropriately. For normally distributed load and resistance parameters, with means lL and lR, and standard deviations sL and sR, respectively, the reliability index b is given by: l lL : b pR 1 2 s2 R sL

=
L

R 2

L 2

sR1 + sL1
R

Load

Resistance SL1 SR1

pdf

Load / strength

Fig. 2. Basic denition of reliability index b.

F.M. Burdekin / Engineering Failure Analysis 14 (2007) 420433

425

One convenient method to estimate probability of failure is the rst-order second moment method (FOSM) where the reliability index b is estimated by an iterative numerical procedure. In a multi-dimensional graph involving all the variables, the failure equation can be represented by a failure surface as shown in Fig. 3, which represents a two-dimensional cross section of the failure surface in the plane of two of the variables, plotted on a normalised basis. The reliability index b is the shortest distance from the origin to the failure surface and can be determined using this approach by an iterative method, provided the failure surface is continuous with no sharp changes in slope. When all the variables have a normal distribution, there is a unique relationship between the reliability index b and the probability of failure as shown in Fig. 4. For non-normal distributions, methods are available to transform them into equivalent normal distributions, although there may be some loss of accuracy in estimating the probability of failure the more the distributions deviate from normal. Fig. 5 shows a case where the load and resistance distributions have the same mean values as shown in Fig. 2, but the standard deviations for the distributions in Fig. 5 are much lower than in Fig. 2. Consideration of Eq. (1) shows that if the standard deviations of the load and resistance distributions, sL and sR, are reduced, the value of the reliability index will be increased. It can be seen from Fig. 4 that an increase of b corresponds to a reduction in the probability of failure and in Fig. 5, it can be seen that this is represented by the overlap region of the distributions becoming vanishingly small.

6
Design point

X2

Failure surface

0 0 2 4

X1
Fig. 3. Reliability index b in terms of normalised failure surface.

1.E+00 1.E-01

Probability of Failure

1.E-02 1.E-03 1.E-04 1.E-05 1.E-06 1.E-07 0 1 2 3 4 5 6

Reliability Index Beta

Fig. 4. Relationship between b and probability of failure.

426

F.M. Burdekin / Engineering Failure Analysis 14 (2007) 420433

=
L

R 2 R2

2 s + s L2
R

Load

Resistance SL2 SR2

pdf

Load / strength
Fig. 5. Reliability index for lower standard deviations of load and resistance.

The possible eects of time on the probability of failure are shown schematically in Fig. 6 where it is assumed that the load eects distribution can increase with time whilst the resistance distribution can decrease with time. The increase in severity of load eects with time might be due for example to crack growth, whilst the decrease in resistance might be due to deterioration of fracture toughness for example by radiation eects. In the example shown in Fig. 6, the variability has been assumed to remain constant with time, although this need not necessarily be the case. In practice, time may well aect the standard deviations of the distributions as well as the mean values and hence it is essential to have realistic data or modelling to predict variations of properties or other eects with time. It can be seen that the reduction in dierence between the mean values leads directly to a reduction in the reliability index b and hence an increase in probability of failure. To allow for these eects at the design stage, it is necessary to predict the occurrence of crack growth with time and the degradation of properties with dose and time, but in principle this can be done. Characteristic values are often taken to represent upper bounds for distributions of load eects and lower bounds for distributions of resistance eects as follows: C L lL nL sL ; C R lR nR sR ; 2 where nL and nR are the number of standard deviations above or below the relevant mean values of the distributions chosen to represent characteristic values. This is shown in Fig. 7. The design point, which is where the probability of failure is greatest, is given by the following expressions, where Ld and Rd represent the design points on the load and resistance distribution curves, respectively, and are at the same position: sL sR Ld lL p b sL ; Rd lR p b sR : 3 2 2 2 sR sL sR s2 L

=
L

sR + sL
2

Load

Resistance SL SL SR SR

pdf

Load / strength
Fig. 6. Change in reliability index with time.

F.M. Burdekin / Engineering Failure Analysis 14 (2007) 420433

Design point

427

L
CL CR Load

R
Resistance

pdf

SL

SR

Load / strength
Fig. 7. Use of characteristic values to represent distributions.

To avoid having to solve these equations, an arbitrary division can be made for positioning the design point with respect to the means of the distributions which will always give a safe estimate, such that Rd is always just above Ld, for example: Ld lL aL b sL ; Rd l R aR b s R ; 4 where aL and aR are coecients which strictly depend on the ratio sL/sR but typically lie in the range 0.70.8. A simplication often adopted is to take aL as 0.7 and aR as 0.8 as this gives safe estimates without having to solve the equations for dierent sets of input data. 3.2. Partial safety factors Partial safety factors are factors which can be applied to the individual input variables in a design equation to give the given target reliability without having to carry out the probabilistic calculations. In eect the overall partial safety factor for load eects is the ratio of the design point value to the value assumed to represent the loading, and the overall partial safety factor on resistance eects is the ratio of the value chosen to represent resistance eects to the design point value. Thus for load eects lL nL sL cL Ld ; 5 where nL is the number of standard deviations above the mean for the value assumed to represent the loading and cL is the overall loading partial safety factor. For resistance eects 1 l n R s R Rd ; cR R 6

where nR is the number of standard deviations below the mean for the values assumed to represent the resistance and cR is the overall resistance partial safety factor. If the second set of equations above for load and resistance design points are assumed to represent the same point (a conservative assumption) and it is noted that the ratio of the standard deviation to the mean is called the coecient of variation (COV), the following expressions for the overall load and resistance partial safety factors can be derived: cL 0:7 b COVL 1 ; nL COVL 1 cR 1 nR COVR : 1 0:8 b COVR 7

It can be seen that the values of these partial safety factors depend on the target reliability, b, the (COV)s and the number of standard deviations from the mean taken to represent the load and resistance distributions. The relationships between partial safety factors and COV values for selected values of the reliability index b are shown in Figs. 8 and 9 for load and resistance eects, respectively, for values of nL of 0 and nR of 1. It can be seen that the partial safety factors for load eects increase linearly with COV and b values whilst those for resistance eects increase non-linearly and do not converge for higher values of COV or b.

428

F.M. Burdekin / Engineering Failure Analysis 14 (2007) 420433

In the case of failure by fracture or plastic collapse the failure equation can be written as follows: K I K r K mat q 0; 8 where KI is the applied stress intensity factor (and represents loading eects), Kr is the permitted value of the fracture ratio in the R6/BS 7910 assessment diagram approach given by the expression below, Kmat is the material fracture toughness and q is the plasticity interaction factor for primary and secondary stresses (Kr.Kmat q represents resistance eects). 6 K r 1 0:14L2 9 r 0:3 0:7 exp 0:66Lr ; where Lr is the ratio of applied load to yield collapse load for the cracked structure. Note that plastic collapse is one of the failure mechanisms identied in Section 1.2. It should be emphasised that these general explanations are presented to assist understanding of the general principles of partial safety factors and their relationship to target reliability and variability/uncertainty of data. The situation is more complicated if the data are not normally distributed and where the load and resistance expressions themselves are functions of multiple variables. In these cases it is much more convenient to make use of specially written computer software, such as the UMIST or TWI programs. Calibration studies to give recommended values for partial factors for use with the fracture clauses in BS 7910 and also for the SINTAP programme were carried out at UMIST and TWI and reported in Ref. [8]. The general basis for a FOSM fracture mechanics analysis with characteristic values and partial safety factors is shown in Fig. 10. The calibration studies were based on assuming that the failure equations for a level 3 fracture analysis using the mean values of distributions did predict failure, and determining the combinations of partial factors necessary to give a required target probability of failure. It should be noted that in these analyses, a decision was made to make the partial factors on stress and on yield strength consistent with those for the structural design code EuroCode 3. It should also be noted that there is no unique relationship between partial factors and target reliability across the full range of values of input variables and hence it is necessary to
2.5 2

Partial factor

1.5 1 0.5 0 0 0.1 0.2 0.3 0.4

Beta 0.739 Beta 3.09 Beta 3.8 Beta 4.27

Coefficient of variation on load effects

Fig. 8. Relationship between partial factor and COV on load eects with dierent values of target reliability index b.

3 2.5

Partial factor

2 1.5 1 0.5 0 0 0.1 0.2 0.3 0.4

Beta 0.739 Beta 3.09 Beta 3.8 Beta 4.27

Coefficient of variation for resistance effects

Fig. 9. Relationship between partial factor and COV on resistance eects with dierent values of target reliability index b.

F.M. Burdekin / Engineering Failure Analysis 14 (2007) 420433

Design point

429

L
Load KI SL

R
CL CR
L R

Resistance Kr . Kmat SR

pdf

Load / strength
Fig. 10. Partial safety factors for fracture mechanics application.

compromise with values of partial factors, which are sometimes conservative for some input values. Checks on this aspect showed that the recommended values of partial factors in BS 7910 corresponded to notional probabilities of failure, which lay between the target value and up to one order of magnitude safer. Consideration of the eects of modelling uncertainties was also reported in Ref. [8] by comparisons of predicted results with those from series of wide plate tests. It was found that removal of the modelling uncertainty of the failure equation generally amounted to a reduction in the generally recommended partial factors of the order of 0.050.1 on stress, and 0.21.0 on fracture toughness but these eects were not included in the recommendations for BS 7910. Further studies on these matters are reported in other papers at this symposium [9,10]. It is important to note that all potential failure modes have to be considered and combined. Furthermore, the possibility of unforeseen modes of failure and of human error should be considered. These are dicult areas and are best treated as independent probabilistic events. 4. Risk assessment and acceptability Two standard dictionary denitions of risk are as follows: (i) The chance of loss or injury (Chambers Dictionary). (ii) The chance of bad consequences (Oxford Dictionary). The general public has a basic perception of risk in connection with every day activities. This is usually manifest as a perception of injury or death. In the engineering and scientic elds risk has a more precise denition as follows: Risk = frequency of occurrence of an adverse event consequences of the event. This can also be interpreted as follows: Risk = probability of occurrence of adverse event consequences of the event. There have been two authoritative reports on risk published by the Royal Society in 1983 [11] and 1992 [12]. Fig. 11 shows information from the 1983 Royal Society report where the frequency of events per year, which cause more deaths than N, is plotted against N itself for a number of common activities. The results for air, sea, and rail travel and for failure of dams are taken from actuarial gures. The gures for accidents involving nuclear reactors and public assemblies are based on modelling calculations. The dierence between the group of the top four items in Fig. 11 and the two at the bottom is extremely signicant. Clearly the general public is prepared to live with the level of risk involved in every day activities such as travel although any major accident leading to a signicant number of deaths does cause great concern. Such accidents are usually investigated by a public enquiry, which in turn leads to recommendations to try to ensure that similar events are avoided in future. Engineering activities are expected to work to a completely dierent level of risk than that

430

F.M. Burdekin / Engineering Failure Analysis 14 (2007) 420433

1.E+01 1.E+00

FREQ. EVENTS> N/YR

1.E-01 1.E-02 1.E-03 1.E-04 1.E-05 1.E-06 1.E-07 1.E-08 1.E-09 10 100 1000

DEATHS, N
AIR PASSENGERS SHIPPING RAIL PASSENGERS DAMS NUCLEAR REACTORS PUBLIC ASSEMBLIES

Fig. 11. Event frequency versus consequences for various types of incident [11].

which members of the public may be prepared to accept when they have a free choice. This raises the concept of perception of risk which has been addressed by the Health and Safety Executive (HSE) in reports and discussion documents [1315] and the Standing Committee on Structural Safety [16]. It should be noted that on a plot of frequency/probability of occurrence versus consequences using logarithmic scales, constant risk is represented by a straight line, so that each category in the gure is a line of constant risk. This can be compared with the gures put forward by the HSE as a basis for the ALARP principle (as low as reasonably practicable) shown in Fig. 12 [13]. This suggests three main regions on a risk diagram as follows: 1. Frequency (F) consequences (N) > 0.1 per year, risks unacceptable. 2. 101 > F N > 104, ALARP region. 3. 104 > F N, risks negligible and acceptable. In the ALARP region it is required that control measures be taken to drive the residual risk towards the acceptable region. If society expects risk reductions, the residual risk in this region is only tolerable if such reductions are impracticable or require action grossly disproportionate to the reduction in risk achieved.
1E-01

FREQ. EVENTS > N/YR

1E-02

Intolerable
1E-03 1E-04 1E-05

ALARP Region Negligible

1E-06 1 10 100 1000 10000

DEATHS, N
LOCAL TOLERABILITY LOCAL SCRUTINY NEGLIGIBLE

Fig. 12. HSE guidance on tolerability of societal risk.

F.M. Burdekin / Engineering Failure Analysis 14 (2007) 420433

431

The general value adopted in EuroCodes for the target reliability index b is 3.8 for ultimate limit state conditions in structures for which failure would have major consequences, corresponding to a failure probability of about 7 105 (see Fig. 4). To account for the fact that there is more uncertainty about variable (live) loads than for permanent (xed or dead) loads, partial factors for variable loads are given as 1.5, those for permanent loads as 1.35 applied to best estimates (mean values) of loading. Because the probability of accidental loading is much less than that for normal design loadings, the partial factors for accidental loads are given as 1.05 for UK applications of EC3 (general EC3 values 1.0). Since these factors have been derived to deal with the appropriate uncertainties in loading for plastic collapse failure with a target reliability index of 3.8 it would seem sensible to adopt the same partial factors for fracture/plastic collapse failure to ensure consistency with existing procedures. The resistance partial factors on material yield strength cM are given as 1.05 for UK applications of EC3 (general EC3 values 1.1), applied to characteristic values of material strength, i.e. mean minus 2 standard deviations. It should be noted that account must be taken of both the expected lifetime at risk and the number of similar structures at risk in deciding an acceptable probability of failure per year. 5. Examples 5.1. Limiting thermal stress It is required to assess safety margins and safety factors such that thermal stresses must not exceed a prescribed limit. For target reliability it is decided that a reliability index of 3.0 is required (i.e. the probability of applied thermal stress exceeding the limiting value is 103). Assume that the maximum value of residual stress is not permitted to exceed 355 MPa, with no uncertainty. This gives lR = 355 and sR = 0. The uncertainty in estimating the applied thermal stress is assumed to have a standard deviation of 50 MPa (i.e. a high probability of being able to estimate the thermal stress occurring within 100 MPa). In both cases these gures are assumed to apply throughout the lifetime of the structure so that adjustments for time considerations are not required. Noting that the safety margin is dened as lR lL and the safety factor as lR/lL, Eq. (1) can be re-written as: q 2 10 lR lL b s2 R sL : Thus, using the numbers assumed in this example, the safety margin can be calculated as: q Z R L 3 02 502 150 MPa:

11

Hence to meet the required level of safety in terms of the safety margin, the best estimate of thermal stresses should not exceed 205 MPa (355 150). Alternatively, using the safety factor concept and the same assumed input gures c R=L 355=205 1:73: 12 The position remains the same in that the best estimate of thermal stresses should not exceed 205 MPa, and this gives rise to a safety factor on best estimates (mean values) of 1.73. Note that if characteristic values were used, based on mean + 2sL for load eects and mean 2sR for resistance eects, the value of CL would be 305 MPa (205 + 2 50) whilst the value of CR would be 355 (355 2 0). The safety factor on characteristic values would then be 1.16 (355/305). This could be separated into partial factors of 1.16 on load eects and 1.0 on resistance eects. (This does not follow the arbitrary division of aL as 0.7 and aR as 0.8 assumed in Section 3.1 because of the xed value of limiting maximum stress assumed here.) 5.2. Limiting temperature dierence Avoidance of brittle fracture is sometimes sought by maintaining a safe temperature margin between the minimum operating temperature and a nominal transition temperature. The uncertainties in these estimates

432

F.M. Burdekin / Engineering Failure Analysis 14 (2007) 420433

are rarely taken into account explicitly (perhaps because of lack of rm data). For illustration purposes, it will be assumed that for avoidance of fracture in parts of an oshore structure, a probability of failure of 103/year or reliability index value, b, of 3 on a per year basis and the example will be based on determining the safety margin for a Charpy test energy of 27 J not to lie below minimum service temperature. The minimum ambient temperature per year for the under water regions of an oshore structure will be assumed to be 5 C with a standard deviation of 2 C (lL = 5, sL = 2). The variability of the Charpy test results gives a standard deviation on the 27 J temperature of say 5 C (estimate assumed to lie within say 10 C of the mean). Using Eq. (10), the safety margin can be calculated as: q Z R L 3 22 52 16:15  C: 13 This means that to achieve the required target safety level, the mean 27 J temperature should not be higher than 11.15 C (5 16.15). A grade of steel having a toughness of 27 J at 15 C would suit. It should be noted that safety factors in terms of transition temperatures are meaningless because of the intervention of zero on the temperature scale in C. 6. Conclusions The principles of formal methods to determine safety margins or safety factors to meet a given target safety requirement have been explained demonstrating that safety margins and safety factors depend on the following factors:  Target reliability requirements which in turn depend on the consequences of failure.  Variability or uncertainty in the input data or assumptions.  Modelling uncertainties. In addition the following factors have to be taken into account, but it is more dicult to make quantitative allowance for them:  The possibility of unknown loadings or mechanisms of failure occurring.  The possibility of human error causing unforeseen events. The way in which safety factors are used in structural codes has been explained. The basis of dividing overall safety factors into partial factors on the input data for the load and resistance parts of the failure equation has been described. Two simple examples have been given of determining safety margins/factors for limiting thermal stresses and for Charpy test requirements. References
[1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] prEN 1993 1.1, EuroCode 3, Design of Steel Structures; 1993. Sedlacek G. Use of safety factors for the design of steel structures according to the Eurocodes, Paper No. 2 TAGSI Symposium; 2003. British Energy Generation Report R/H/R6-Rev 4, Assessment of the integrity of structures containing defects; 2000. BS 7910 British Standards Institution, Guidance on the determination of the signicance of defects (Incorporating Amendment 1); October 2000. Baker MJ. Reliability considerations in structural design a state of the art report, CIRIA Report No. 73, London; 1978. Melchers RE. Structural reliability analysis and prediction. 2nd ed. Chichester: Ellis Horwood; 1999, ISBN 0471983241. Ang AH-S, Tang WH. Probability concepts in engineering planning and design: basic principles, vol. 1. New York: Wiley; 1975. Burdekin FM, Hamour W, Pisarski HG, Muhammed A. Derivation of partial safety factors for BS 7910:1999, I Mech E Conference; 1999. Muhammed A. Background to the derivation of partial safety factors for BS 7910 and API 579, Paper No. 6, TAGSI Symposium; 2003. Wilson R. A comparison of the simplied probabilistic method in R5 with the partial safety factor approach, Paper No. 7, TAGSI Symposium; 2003. Risk Assessment A Study Group Report, The Royal Society, ISBN 0 85403 208 8; 1983. Risk Analysis, Perception and Management, Report of a Royal Society Study Group, The Royal Society, ISBN 0 85403 467 6; 1992.

F.M. Burdekin / Engineering Failure Analysis 14 (2007) 420433

433

[13] Health and Safety Executive, Reducing Risks, Protecting People HSEs decision making process, HSE Books, ISBN 0 7176 21510; 2001. [14] Health and Safety Executive, Advisory Committee on Major Hazards Second Report, HMSO, London; 1979. [15] Health and Safety Executive, The tolerability of risk from nuclear power stations, HMSO, London; 1992. [16] Standing Committee on Structural Safety Reports, published on a periodic basis by the Institution of Structural Engineers, London.