Reliability Engineering and System Safety 159 (2017) 69–79

Contents lists available at ScienceDirect

Reliability Engineering and System Safety

journal homepage: www.elsevier.com/locate/ress

A Dempster-Shafer Theory-based approach to the Failure Mode, Effects and MARK

Criticality Analysis (FMECA) under epistemic uncertainty: application to
the propulsion system of a fishing vessel
⁎
Antonella Certa, Fabrizio Hopps, Roberta Inghilleri, Concetta Manuela La Fata
Dipartimento dell’Innovazione Industriale e Digitale (DIID), Università degli Studi di Palermo, Viale delle Scienze, 90128, Palermo, Italy

A R T I C L E I N F O A BS T RAC T

Keywords: Failure Mode and Effects Analysis (FMEA) is a safety and reliability analysis tool widely used for the
FMECA identification of system/process potential failures, their causes and consequences. When aimed at the failure
Epistemic uncertainty modes prioritization, FMEA is named Failure Mode, Effects and Criticality Analysis (FMECA). In the latter case,
Dempster-Shafer Theory failure modes are commonly prioritized by means of the Risk Priority Number (RPN) that has been widely
Failure modes prioritization
criticized to have several shortcomings. Firstly, in the presence of multiple experts supplying different and
Propulsion system
uncertain judgments on risk parameters, RPN is not able to deal with such a kind of information. Therefore, the
present paper proposes the Dempster-Shafer Theory (DST) of evidence as a proper mathematical framework to
deal with the epistemic uncertainty often affecting the input evaluations on risk parameters. In particular, such
evaluations are supposed to be elicited from experts in an interval or crisp form, and then opportunely
propagated to obtain a multiple-values characterization of the RPN associated with each analyzed failure mode.
In order to synthesize the available information and make them useful for failure mode's prioritization aims,
Belief and Plausibility distributions are used. The methodology is finally applied to the propulsion system of a
fishing vessel operating in Sicily.

1. Introduction process and on its surroundings as a consequence of the failure mode

Failure Mode and Effects Analysis (FMEA) is a systematic proce-
dure for the analysis of a system/process to identify the potential
failure modes, their causes and effects on the system performance [1].
It is commonly performed by a multi-disciplinary team of experts with
the aim of supporting the risk manager into the identification of failure
modes on which paying attention for the overall system/process
performance improvement. FMEA starts with the hierarchical decom-
position of the system/process under investigation up to its basic
components (Fig. 1). Then, it carries on by a bottom-up approach [2]
on the basis of which the lowest level elements are analyzed to identify
their possible failure modes, their causes and their consequent effects
at a lower level.
When also aimed at the prioritization of potential failure modes,
FMEA is referred to as Failure Mode, Effects and Criticality Analysis
(FMECA). The ranking of failure modes is commonly performed by
combining the Severity (S), the Occurrence (O) and the Detection (D)
parameters that produce a metric called Risk Priority Number (RPN).
In particular, S is the assessment of the level of damage on the system/
occurrence, O is the frequency of occurrence of the failure mode and D
is the probability of the failure mode to be detected [3]. As suggested by
the Standard IEC 60812 [1], such risk parameters are commonly
measured on a discrete ten-point scale (Tables 1–3). As concerns the
parameter D, it is usually ranked in a reverse order in respect to the S
and O numbers, namely the higher the detection value, the less
probable the failure mode detection. Therefore, the RPN of a specific
failure mode is generated by taking the product of the corresponding
risk parameter values. The higher the RPN of the failure mode, the
greater the risk for the component/system reliability as a result of the
failure mode occurrence.
Since its introduction, FMEA/FMECA has been extensively applied
in a wide range of industrial fields [4–6]. However, despite its wide use,
the conventional RPN method for the failure modes prioritization has
been criticized to have many drawbacks [7–9] some of which are listed
below.
– Parameters O, S and D are equally weighted.
– Different evaluations of O, S and D may lead to the same RPN even if

⁎
Corresponging author.
E-mail addresses: antonella.certa@unipa.it (A. Certa), fabrizio.hopps@unipa.it (F. Hopps), roberta.inghilleri@unipa.it (R. Inghilleri),
concettamanuela.lafata@unipa.it (C.M. La Fata).

http://dx.doi.org/10.1016/j.ress.2016.10.018
Received 24 February 2016; Received in revised form 21 October 2016; Accepted 28 October 2016
Available online 04 November 2016
0951-8320/ © 2016 Elsevier Ltd. All rights reserved.
A. Certa et al. Reliability Engineering and System Safety 159 (2017) 69–79

Fig. 1. Hierarchical decomposition of the system/process under investigation.

Table 1 Table 2
Failure mode severity. Failure mode occurrence related to frequency.

Severity (S) Criteria Ranking Occurrence (O) Frequency Ranking

None No discernible effect 1 Remote: failure is unlikely ≤0.010 per thousand items 1
Very minor Negligible effect on component/system 2
performance Low: relatively few failures 0.1 per thousand items 2
Minor Slight effect on component/system 3 0.5 per thousand items 3
performance. Non-vital faults will be noticed 1 per thousand items 4
most of the time
Very low Minor effect on component/system 4 Moderate: occasional failures 2 per thousand items 5
performance 5 per thousand items 6
Low Reduced performance with gradual 5
performance degradation High: repeated failures 10 per thousand items 7
Moderate Component/system operable and safe but 6 20 per thousand items 8
performance degraded
High Component/system performance severely 7 Very high: failure is almost inevitable 50 per thousand items 9
affected ≥ 100 in thousand items 10
Very high Component/system inoperable but safe 8
Hazardous with Component/system failure resulting in 9
warning hazardous effects highly probable – Precise values of parameters O, S and D are often difficult to be
Hazardous without Component/system failure resulting in 10
elicited from experts. Actually, due to the uncertainty of information
warning hazardous effects almost certain
and the vagueness of human feeling and recognition, experts may
prefer linguistic or interval-valued judgments rather than certain
their risk implications are totally different. For instance, let have two ones.
different failure modes which O, S and D values are 2, 3, 2 and 4, 1,
3 respectively. The resulting RPN is 12. However, failure modes Focusing the attention on the latter aspect, two different kinds of
have different severities so that their risk implications may be very uncertainty are commonly defined in the literature, namely the
different. aleatory uncertainty and the epistemic one [10,11]. The aleatory
– The RPN comprises only three terms related to the safety aspect so uncertainty arises from the random behavior of the system/process
disregarding other important factors such as the economical one. under analysis, whereas the epistemic uncertainty results from the lack
– The RPN is not a continuous function so that the meaning of the of knowledge about the system/process. In the presence of stochastic
differences among the RPN values causes some interpretation variables affected by both types of uncertainty, the most widely used
problems, namely it is not clear if the difference between two approach has been the probabilistic one. Nevertheless, its application
neighboring RPNs always has the same importance. to deal with the epistemic uncertainty affecting (stochastic or not)
– Small variations in one parameter evaluation may lead to significant problem parameters has been extensively criticized [12,13]. Actually,
variations on the resulting RPN, depending on the other factor when interval-valued input information are available, the traditional
values. probabilistic approach overcomes the lack of information by the

70
A. Certa et al.
Table 3
Likelihood of detection of the failure mode.
Detection (D) Criteria: Likelihood of detection
Almost certain Control system will almost certainly detect a
potential cause and subsequent failure mode
Very high Very high chance the control system will detect
a potential cause and subsequent failure mode
High High chance the control system will detect a
potential cause and subsequent failure mode
Moderately high Moderately high chance the control system will
detect a potential cause and subsequent failure
mode
Moderate Moderate chance the control system will detect
a potential cause and subsequent failure mode
Low Low chance the control system will detect a
potential cause and subsequent failure mode
Very low Very low chance the control system will detect
a potential cause and subsequent failure mode
Remote Remote chance the control system will detect a
potential cause and subsequent failure mode
Very remote Very remote chance the control system will
detect a potential cause and subsequent failure
mode
Absolutely Control system will not and/or cannot detect a
uncertain potential cause and subsequent failure mode
Laplace's Principle of Insufficient Reason and the axiom of additivity
[14]. These two assumptions can lead to precise-looking information
about events that actually are poorly known. The Dempster-Shafer
Theory (DST) of evidence [15,16] offers a more general representation
of the epistemic uncertainty and it is more suitable than the probabil-
istic approach in situations when there is not enough information to
define probability distributions of events or when the information is
non-specific or subjective, e.g. an expert's opinion [17–19]. In the
evidence theory, complete information about the system/process are
not necessary, and no further assumptions are required to deal with the
poor available knowledge. In addition, it offers numerous well struc-
tured combination rules that allows the analyst at aggregating informa-
tion elicited from different and independent sources.
With these recognitions, the present paper proposes a DST-based
FMECA methodology to deal with the epistemic uncertainty often
affecting the experts’ opinions on risk parameters. In particular, crisp
or interval-valued judgments on parameters O, S and D related to each
failure mode are here supposed to be elicited from a team of experts
assumed to be as equally credible and reliable [20]. As a consequence
of such an assumption, the total available evidence as regards each risk
factor of failure modes is equally distributed among all experts. Then,
for each failure mode, all possible combinations among the related risk
parameter ratings are considered so that a multiple-values character-
ization of the correlative RPN is obtained. Resulting RPNs can be crisp
or interval-valued and are characterized by an associated evidence
opportunely computed. Aiming at finally prioritizing failure modes,
Belief and Plausibility distributions are then suggested. To the purpose
of demonstrating the usefulness of the proposed methodology into real
industrial contexts affected by the presence of epistemic uncertainty, it
is applied to the propulsion system of a fishing vessel operating in the
west sea side of Sicily.
The remainder of the paper is organized as follows. The literature
review is synthesized in Section 2 whereas an overview on DST is
supplied in Section 3. Section 4 aims of pointing out the novelty of the
proposed DST-based approach that is then detailed in Section 5. The
applicative case is reported in Section 6 and conclusions are finally
drawn in Section 7.
2. Literature review
Despite its wide use, the conventional RPN method has been
criticized to have many deficiencies so that various risk priority models
Reliability Engineering and System Safety 159 (2017) 69–79
have been proposed in the literature to enhance the performance of
FMECA. In this respect, a detailed literature review is proposed by Liu
et al. [21]. Authors analyze 75 FMEA/FMECA papers published
Ranking
between 1992 and 2012 and categorize them into five main categories
1 (i.e. Multi-Criteria Decision Making (MCDM) methods, Mathematical
Programming (MP), Artificial Intelligence (AI), hybrid methods and
2
others) according to the approaches commonly used to overcome the
3 limitations of the conventional RPN method. Bevilacqua et al. [22]
propose a modified FMECA where the RPN consists of a weighted sum
4 of six parameters (safety, machine importance for the process, main-
tenance costs, failure frequency, downtime length and operating
conditions) which weights are determined by the Monte Carlo simula-
5
tion. Puente et al. [23] and Sankar and Prabhu [24] focus their
6 attention on the definition of alternative linguistic scales. Braglia [25]
develops a Multi-Attribute Failure Mode Analysis (MAFMA) approach
7
based on the Analytic Hierarchy Process (AHP) technique [26] which
8 considers the risk factors O, S, D and the expected cost due to failures
as decisional criteria, the possible causes of failure as decisional
9 alternatives and the selection of causes of failure as decisional goal.
Nevertheless, the main part of the existing literature contributions
on FMEA/FMECA with uncertain and imprecise input information on
10
risk parameters proposes the fuzzy logic technique [27–29]. Since
developing and testing an extensive set of fuzzy rules is a complex and
time-consuming activity, several authors have focused their attention
on approaches that combine the fuzzy logic method together with the
MCDM techniques [30,31]. In this respect, Tay and Lim [32] investi-
gate on a number of fuzzy inference techniques for determining the
RPN scores. In particular, the possibility of using fuzzy rule interpola-
tion and reduction techniques to design new fuzzy RPN models is
examined, and the ability of the weighted fuzzy RPN model in the
failure risk evaluation with a reduced rule base is demonstrated.
Aiming at supporting the maintenance staff in the identification of
failure modes criticality, Braglia and Bevilacqua [33] present a
decision-making support system based on the fuzzy logic and AHP
techniques. Braglia et al. [34] propose a fuzzy criticality assessment
model easy to implement and design. A risk function which permits
fuzzy if-then rules to be generated in an automatic way is presented and
the proposed methodology tested with relation to a real process plant.
In Zhang and Chu [35], a further fuzzy-RPN-based approach is
proposed. In particular, a fuzzy Weighted Least Squares Model
(WLSM) is used to aggregate the Decision Makers’ (DMs) opinions
and the relative importance weights of O, S and D are considered. As a
result, several failures having an identical RPN value that derives from
different combinations of O, S and D can be discriminated. In order to
enhance the robustness of the ranking results, a partial order method
based on fuzzy preference relations is employed for the final ranking of
failure modes. In Zammori and Gabbrielli [36], the FMEA is combined
together with the Analytic Network Process (ANP) MCDM technique
[37] to take into account the possible interactions among the principal
causes of failure. A fuzzy-Technique for Order Preference by Similarity
to Ideal Solution (TOPSIS)-based approach is presented by Braglia
et al. [38] to avoid the intrinsic difficulty encountered in assessing the
three risk parameters of FMECA as crisp values. Differently from the
fuzzy logic applications commonly proposed in the literature, Authors
integrate fuzzy logic into the multi-criteria decision model without
needing the definition of a rule matrix, and a particular classification
method is then adopted to rank the final fuzzy criticality values. In
Kutlu and Ekmekçioğlu [39], fuzzy-TOPSIS is integrated together with
the fuzzy-AHP. Particularly, the fuzzy-AHP method is used to deter-
mine the weight vector of risk factors that are later used into the fuzzy-
TOPSIS approach to get the final closeness coefficients on the basis of
which failure modes are ranked. A further fuzzy-TOPSIS-based
approach is suggested in [40] to prioritize failure modes of a street
cleaning vehicle on the basis of three evaluation criteria, two related to
the severity and a further criterion related to the occurrence. As
concerns the two criteria (i.e. time of operation and modality of the
71
A. Certa et al.
maintenance action execution) considered to measure the failure mode
severity, both refer to the execution of maintenance actions when the
failure mode occurs.
More recently, the Evidential Reasoning (ER) and DST approaches
have been also proposed in the literature to enhance the performance
of traditional FMEA/FMECA. Chin et al. [41] use the ER to model the
team members' opinions and to prioritize failure modes under different
types of uncertainty such as incomplete assessment, ignorance and
intervals. The relative importance of risk factors is also taken into
account for the determination of failure modes priority, and a minimax
regret approach is used to rank interval-valued risk scores. Liu et al.
[42] propose a risk priority model for FMEA using the Fuzzy ER (FER)
approach and the grey theory. The FER approach is used to model the
diversity and uncertainty of FMEA team members’ assessment infor-
mation, whereas the grey relational analysis is utilized to determine the
risk priority of failure modes. In [43,44], DST is adopted to aggregate
different experts’ evaluation opinions whereas the random theory is
used to attain the mean value of RPNs.
3. The Dempster-Shafer Theory of evidence
In 1967 Arthur P. Dempster and later Glenn Shafer introduced the
theory of evidence, also known as Dempster-Shafer Theory (DST), as a
mathematical framework for the representation of the epistemic
uncertainty. It is based on three different measures, namely the Basic
Probability Assignment (BPA), the Belief measure (Bel), and the
Plausibility measure (Pl). Within the DST, the Frame Of
Discernment (FOD) Ω={H1, H2,.., HN} is defined as a set of exhaustive
and mutually exclusive hypotheses or propositions, whereas the power
set, PΩ, comprises all the possible subsets of Ω (2|Ω|), including the
empty set Ø. Namely, PΩ={Ø, {H1}, {H2}, …, {HN}, {H1, H2},{H1, H3},
…, Ω}. |Ω| states for the cardinality of the FOD.
Definition 3.1. The BPA is the amount of knowledge associated with
every subset pi of PΩ and it is commonly denoted by m(pi). It measures
the belief exactly assigned to pi and represents how strongly the
evidence supports pi. Each element pi ⊆ PΩ having a m(pi) > 0 is called
focal element of PΩ. On BPAs the following assumptions hold:
m (pi ): PΩ → [0, 1] (1)
m (∅) = 0 (2)
∑ m (pi ) = 1
pi ⊆ PΩ (3)
With relation to the Eq. (2), it means that in the evidence theory
none possibility for an uncertain parameter to be located outside of the
FOD is given [45].
Definition 3.2. The Belief of pi (i.e. Bel (pi)) is the sum of all the BPAs
of the proper subsets pk of the element of interest pi, namely:
Bel (pi ) = ∑ m (pk )
pk ⊆ pi (4)
Definition 3.3. The Plausibility of pi (i.e. Pl (pi)) is the sum of all the
BPAs of subsets pk that intersect with the set of interest pi, namely:
Pl (pi ) = ∑ m (pk )
pk ∩ pi ≠∅ (5)
In addition, the two measures are related to each other by the
following relation:
Pl (pi ) = [1 − Bel (pi )] (6)
where pi denotes the complement of pi.
Bel(pi) represents the exact support to pi, i.e. the belief of the
hypothesis pi being true, whereas Pl(pi) represents the possible support
72
Reliability Engineering and System Safety 159 (2017) 69–79
to pi, i.e. the total amount of belief that could be potentially placed in
pi. Therefore, [Bel(pi), Pl(pi)] constitutes the interval of support to pi,
whereas the difference between Pl(pi) and Bel(pi) describes the
ignorance associated to the set pi. Bel(pi) and Pl(pi) can be seen as
the lower and upper bounds of the exact probability at which pi is
supported.
3.1. Dempster aggregation rule
In order to aggregate evidences coming from different and inde-
pendent sources of information, the DST offers several combination
rules. Among them, the firstly defined rule within the framework of the
evidence theory is the Dempster one. Assuming the independence of
two generic sources of information, the aggregated BPA on pi can be
computed as follows:
⎧0 forpi = ∅
⎪
[m1 ⊕ m2](pi ) = ⎨ ∑ p ∩ p = p m1 (pa ) ⋅ m2 (pb )
⎪ a b i
forpi ≠ ∅
⎩ 1−K (7)
where m1(pa) and m2(pb) are the BPAs expressed by the two sources
with relation to the events pa and pb respectively. The parameter (1-K)
in the Eq. (7) is a normalization factor that assures the property (3) to
hold. The parameter K represents the amount of conflicting evidence
between the two sources of information and it is calculated as follows:
K= ∑ pa ∩pb =∅ m1 (pa )⋅m2 (pb ) (8)
The Dempster's rule of combination is proved to be both commu-
tative and associative. As a consequence of such two properties,
evidences can be combined in any order so that, in case of multiple
belief structures, combination can be carried out in a pair-wise way.
The Dempster’ rule verifies some interesting properties and its use has
been theoretically justified by several authors [46–48]. Anyway, it
ignores contradicting evidences among sources by means of the
normalization factor and exhibits numerical instability if the conflict
among sources is large [49]. As a consequence, several alternative
combination rules [50–52] have been proposed so far to overcome the
main limitations recognized to the Dempster’ rule.
4. DST-based frameworks in FMECA applications: an
overview
So far, the DST has been widely used in the reliability field as a
proper mathematical framework to deal with the epistemic uncertainty.
Literature contributions focused on its use are numerous, but only very
few of them propose the DST for FMECA applications. In this regard, in
our opinion, the two main contributions on FMECA under a DST
framework differ from the one developed in the present paper so that
the main attempt of this section is to point out the novelty of the
proposed DST-based FMECA approach in respect to such contribu-
tions. Specifically, in [43,44] FODs of risk parameters O, S and D are
discrete and coincident with the ten-point scales suggested by the
International Standard IEC 60812. As in traditional RPN-based
prioritization applications, O, S and D factors of each failure mode
are elicited from experts only in a crisp form, and the further
information required is the associated BPA. The BPA is directly
supplied by the expert in such a way that the total available evidence
(i.e. 1) is assigned to one or two ratings [43], or opportunely computed
on the basis of a normal distribution assumption of masses [44]. For
each failure mode, the way judgments are formulated always assures a
non-empty intersection among experts’ evaluations related to the same
risk parameter. In our opinion, the latter represents a bit of a stretch
just to allow the classical combination rule of Dempster to be used in
computing the aggregated mass of a specific rating (i.e. 1, 2, …, 10) with
relation to each risk parameter of failure modes. Since the BPA satisfies
the axiom (3), the aggregated BPA of a specific rating is then
A. Certa et al. Reliability Engineering and System Safety 159 (2017) 69–79

Fig. 2. Flow-diagram of the proposed DST-based methodology.

Table 4 concerns the BPA assigned to each individual judgment on risk factors
Experts’ judgments on risk parameters. related to each failure mode, all experts are here considered as equally
credible and reliable [20] so that the weight of evidence (i.e. the BPA)
Expert O S D
assigned to the estimate of each expert i (with i=1,…, N) with reference
1 [1,2] 3 [4,6] to the rth risk factor (with r = O, S, D) of the failure mode f, i.e mi,r,f
2 [1,3] [5,6] [3,5] (X), is computed as 1/N [14,53], where X ⊆ PΩ . Namely, the total
available evidence (i.e. 1) on the rth risk factor of the failure mode f is
equally distributed among the N involved experts.
Table 5
Possible combinations among O, S and D judgments.
5.2. Information propagation
N° Combination O S D RPN
As a consequence of the elicitation phase, each risk factor r of the
1 [1,2] 3 [4,6] [12,36]
failure mode f is characterized by N crisp and/or interval-valued
2 [1,2] 3 [3,5] [9,30]
3 [1,2] [5,6] [4,6] [20,72]
judgments each one having an associated BPA computed as 1/N. The
4 [1,2] [5,6] [3,5] [15,60] proposed procedure does not require any aggregation stage. Instead,
5 [1,3] 3 [4,6] [12,54] keeping the definition of RPN as the multiplication of parameters O, S
6 [1,3] 3 [3,5] [9,45] and D, all possible combinations Z among judgments related to risk
7 [1,3] [5,6] [4,6] [20,108]
factors of the failure mode f are here considered. Specifically, being
8 [1,3] [5,6] [3,5] [15,90]
each risk factor r of the failure mode f characterized by N judgments,
the number of possible combinations Z, each one leading to a different
considered by the authors as the probability of that rating of the risk crisp or interval-valued RPN, is N3. Let RPNf,z be the RPN related to
factor. The three risk factors are hence considered as discrete random the failure mode f and the combination z, with z=1,…, Z. Bearing in
variables and the RPN a function of them. In order to compare failure mind that interval-valued judgments are also allowed, RPNf,z is
modes, the mean value of the RPN related to each failure mode is computed by the classical interval arithmetic rules, and the corre-
computed by the random theory. Summing up, authors limit experts’ sponding BPA, i.e. m(RPNf,z), as the Cartesian product of masses
judgments to precise values that actually are inappropriate in uncertain assigned to risk parameters’ judgments involved within the specific
contexts where the use of interval-valued opinions is deemed more combination.
opportune. Furthermore, experts’ ratings on risk parameters always For sake of clarity, let have two experts that express their risk
have a non-empty intersection, that is a necessary condition for using parameters’ evaluations with relation to a generic failure mode
the Dempster rule of aggregation. To overcome such drawbacks, the (Table 4). Since the involvement of two experts (N=2), 1/2 is the
present paper proposes a different method to formulate judgments and BPA assigned to the individual evaluations on each risk factor of the
compute the response function as the multiplication of the three analyzed failure mode. Table 5 shows all the possible combinations
parameters O, S and D, maintaining the epistemic approach until the among the risk parameter values and the resulting interval-valued
attainment of the final result. RPNs. The BPA related to each RPN is equal to (1/2)3=1/8.

5. Proposed DST-based approach to FMECA 5.3. Failure modes prioritization

The DST-based approach to FMECA under an uncertain environ-
ment is presented in the current section. Specifically, it comprises three
different stages, namely the information elicitation, the information
propagation and the failure modes prioritization (Fig. 2).
5.1. Information elicitation
In real-life FMECA applications, experts are unlikely able to rate
parameters O, S and D by means of precise values because of the
unavoidably presence of information uncertainty and human feeling
vagueness. Instead, they are more confident in expressing interval-
valued judgments that better represent their actual knowledge and
perception of the analyzed context. With this recognition, input
information on the three risk factors O, S and D of each analyzed
failure mode f are here elicited from a team of N experts in a crisp or
also in an interval form. The classical ten-point scales suggested by the
International Standard IEC 60812 are used. From the DST point of
view, the latter means that a FOD (i.e. Ω) coincident with the discrete
interval [1,10] is defined for all the three uncertain risk parameters. As
At the end of the propagation phase described in the sub-Section
5.2, Z=N3 RPN values are obtained for each failure mode f. In order to
synthesize the available information and make them useful for failure
mode's prioritization aims, let consider the event E = {RPNf > RPN*f }
where the RPN of failure mode f, i.e. RPNf, is compared with a generic
threshold value RPN*f . Since increasing values of RPN imply a greater
criticality of f, one believes that the considered event E well matches
with the description of the failure modes criticality. Namely, one
investigates on the evidence that supports the event E : the larger such
an evidence, the more critical the failure mode. Therefore, for each
failure mode f, Belief and Plausibility distributions of the event E are
drawn on the basis of the N3 RPNs previously obtained. Bearing in
mind that a generic crisp value a may be also written in an interval
form wherein lower and upper bounds are equal, namely a ≡ [a, a],
Belief and Plausibility distributions of the event E are developed as
follows.
1) Lower and upper bounds of each interval-valued RPNf,z are
increasingly ordered in a separate way.

73
A. Certa et al. Reliability Engineering and System Safety 159 (2017) 69–79

Fig. 3. Flow diagram of the prioritization procedure.

Fig. 4. Block diagram of the propulsion system.

2) Belief of the complementary event E = {RPNf ≤ RPN*f } is calculated 3) Plausibility of the event E = {RPNf ≤ RPN*f } is calculated by adding
by adding the belief masses of all those intervals RPNf,z totally the belief masses of those intervals RPNf,z which intersect with [0,
included into the interval [0, RPN*f ]: RPN*f ]

Bel (E ) = Bel (RPNf ≤ RPN*f ) = ∑ m (RPNf , z) Pl (E ) = Pl (RPNf ≤ RPN*f ) = ∑ m (RPNf , z)

RPNf , z ⊂ [0,RPN*]
f (9) RPNf , z ∩[0,RPN*]≠∅
f (10)

74
A. Certa et al.
Fig. 5. Schematic representation of the propulsion system.
4) Therefore, Belief and Plausibility distributions of the event of
interest E are obtained as follows
Bel (E ) = Bel (RPNf > RPN*f ) = 1 − Pl (RPNf ≤ RPN*f ) (11)
Pl (E ) = Pl (RPNf > RPN*f ) = 1 − Bel (RPNf ≤ RPN*f ) (12)
Aiming at prioritizing failure modes, one deems to be more
opportune to initially account for curves arising from the Eq. (12)
because the higher the RPN, the more critical the failure mode.
Therefore, setting a credibility mass equal to m , the threshold value
RPN*f of each failure mode f arises from the intersection between the
related Pl (E ) and the line through the point [0, m ] parallel to the x-axis
(i.e. y=m ). Decreasingly ordering all the obtained RPN*f , failure modes
are hence ranked from the most critical to the least critical one.
When different failure modes result to be equally ranked on the
basis of the previous described steps, it is useful to better discriminate
their actual criticality. To such an aim, the following additional steps
are performed.
1) Draw the line through the point [RPN*f , 0] parallel to the y-axis;
2) Read the value arising from the intersection between such a line
and the Belief curve. In such a way, for the specific value of RPN*f
arising from the Eq. (12), the minimum credibility of the event E is
also available.
3) Order failure modes for decreasing values of belief. Actually, the
greater the belief value, the more critical the failure mode.
For sake of clarity, the Fig. 3 shows the flow diagram related to the
failure modes prioritization procedure.
6. Case study: application to the propulsion system of a
fishing vessel
The proposed DST-based approach to FMECA is applied to the
75
Reliability Engineering and System Safety 159 (2017) 69–79
propulsion system of fishing vessels typically operating in the west sea
side of Sicily. In particular, the type of analyzed fishing vessels is
characterized by a length between 16 and 21 m, a gross tonnage
ranging from 45 to 65 Gt, and equipped with a supercharged diesel
engine. The latter is a 400 hp turbocharged Common Rail diesel
engine. For sake of clarity, the main components of the propulsion
system are illustrated by the block diagram of Fig. 4 and identified by a
tag. Then, a schematic representation of the propulsion system is
reported in Fig. 5.
The turbine (1.4.2) is moved by the flue gases and connected with
the compressor (1.4.3) used by the air-supply system that feeds the
combustion’ chambers. The driveshaft of the turbocharger (1.4.2–
1.4.3) is lubricated with the oil arising from the main engine oil tank. In
order to eliminate water and impurities, the fuel is opportunely filtered
(1.3.2.2) and then pumped into the engine through a Common Rail
injection system which comprises low-pressure pump (1.3.3.1), fuel
filter (1.3.3.2), high-pressure pump (1.3.3.3) and electro injectors
(1.3.3.4). These components communicate each other and are mon-
itored by means of an Engine Control Unit (ECU) which opportunely
intervenes whether a malfunctioning of components under control is
detected. Referring to electro injectors (1.3.3.4), they are not reported
in the schematic representation of Fig. 5 because they are installed into
the main engine block (1.2). The driveshaft of the main engine is
connected with a gear-inverter (1.6.1) that reduces the engine rounds,
reverses the propeller’ rotation and switches off the transmission
system. Motor oil (1.5.2), fresh air (1.5.3), fresh water (1.5.4) and
inverter oil (1.5.5) are cooled by the cooling system (1.5) that uses as
refrigerant the sea water pumped by a centrifugal pump (1.5.1). The
cooling system consists in four heat exchangers arranged in series, the
first one (1.5.2.1) cools the motor oil, the second (1.5.3.1) the fresh air
arising from the turbocharger, the third (1.5.4.3) the fresh water used
by the engine, and finally the fourth heat exchanger (1.5.5.1) cools the
gear-inverter oil.
As concerns the implementation of the designed DST-based
FMECA methodology, a team of three experts (N=3) comprising a
technician, a ship owner and a mechanical engineer is involved. Results
of the FMEA analysis performed on the propulsion system are reported
A. Certa et al. Reliability Engineering and System Safety 159 (2017) 69–79

Table 6 Table 6 (continued)

FMEA analysis.
Item Id Component Failure Failure Failure
Item Id Component Failure Failure Failure modes causes effects
modes causes effects
the engine
1.1 Engine Energy shut- – Lack of No engine temperature
starting off electricity starting 1.5.2.1 Heat Fluids mixing Perforation of Increase of the
system supply exchanger #1 the heat oil engine
– Oxid deposit (oil/sea exchanger temperature
1.2 Engine block Engine shut- – Valves, Stop of the water)
down driveshaft or fishing vessel 1.5.2.2 Motor oil No oil Lack of Reduction of
pistons pump pumping to transmission the motor oil
damage the engine pressure
1.3.1 Fuel tank Level control Electric Reduction of 1.5.2.3 Motor oil Filter – Fluid Bad engine
failure component the fishing filter chocking impurities lubrication
failure vessel range – Lack of
1.3.2.1 Recycle pump Pump – Lack of – Damage to maintenance
(fuel) blockage electricity the filtering 1.5.3.1 Heat Fluids mixing Perforation of Increase of the
supply system exchanger #2 the heat fresh-air
– Bearings – Increase of (fresh air/sea exchanger temperature
wear fuel water)
impurities (intercooler)
1.3.2.2 Fuel filter Filter – Fuel – Increase of 1.5.4.1 Fresh water Empty tank – Level control Increase of the
choking impurities impurities tank (no water) failure motor oil
– Lack of contained in – Perforation temperature
maintenance the fuel of the tank
– Low engine 1.5.4.2 Fresh water No pumping – Lack of – Possible
performance pump transmission damage of
1.3.2.3 Water filter Filter Lack of – High % of – Bearings the heat
choking maintenance H2O inside wear exchanger #3
the fuel – Increase of
– Possible the engine
engine shut- temperature
off 1.5.4.3 Heat Fluids mixing Perforation of Increase of the
1.3.3.1 Low-pressure No fuel Lack of – Low engine exchanger #3 the heat fresh-water
pump pumping to electricity performance (fresh water/ exchanger temperature
the high- supply – Possible sea water)
pressure engine shut- 1.5.5.1 Heat Fluids mixing Perforation of Increase of the
pump off exchanger #4 the heat gear-inverter oil
1.3.3.2 Fuel filter Filter – Fuel No fuel to the (inverter oil/ exchanger temperature
choking impurities engine sea water)
– Lack of 1.5.5.2 Gear-inverter No pumping Lack of Low pressure of
maintenance oil pump transmission the gear-
1.3.3.3 High-pressure No fuel – Rotor Engine shut-off inverter oil
pump pumping to damage 1.5.5.3 Gear-inverter Filter – Fluid Bad inverter
the engine – Bearings oil filter choking impurities lubrication
wear – Lack of
1.3.3.4 Electro Choking – Fuel Low engine maintenance
injector impurities performance 1.6.1 Gear-inverter Trasmission – Mechanical – Possible
– Electric failure failures damage of
component – Lack of the gear-
failure lubrication inverter
1.4.1 Air filter Filter Lack of – Low fresh-air – Stop of the
choking maintenance pressure fishing vessel
– Possible 1.6.2 Shaft supports Roll wear – Lack of Propeller shaft
damage of lubrication not aligned
the heat – Lack of
exchanger #2 cooling
1.4.2 Turbine Palette – Exausted gas Low engine 1.6.3 Propeller Chipping Cavitation – Low
damages impurities performance propeller
– Lack of performance
maintenance – Increase of
1.4.3 Compressor Palette – Fresh air Low engine the propeller
damages impurities performance noise
– Lack of
maintenance
in Table 6 where a total number of 28 failure modes are identified. On
1.4.2 Turbocharger Component – No driveshaft – Low engine
the basis of Tables 1–3, the interval-valued or crisp experts’ judgments
1.4.3 blockage lubrication performance
– Bearings – Increase of on risk parameters S, O and D related to each failure mode are
wear the engine’ synthesized in Table 7.
smoke and In accord to the designed approach, the three experts are consid-
noise
ered as equally credible and reliable (see Section 5.1). As a conse-
1.5.1 Sea water Reduced flow – Rotor – Possible
pump into the damage damage of
quence, the BPA related to each expert judgment on each risk factor of
cooling – Bearings the cooling failure modes is computed as 1/N, being N=3. Then, as highlighted in
system wear system Section 5.2, the proposed procedure does not require any aggregation
– Increase of stage. Instead, keeping the definition of RPN as the multiplication of
(continued on next page)

76
A. Certa et al. Reliability Engineering and System Safety 159 (2017) 69–79

Table 7
Experts’ judgments on risk parameters.

Item Id Failure modes S O D

Expert 1 Expert 2 Expert 3 Expert 1 Expert 2 Expert 3 Expert 1 Expert 2 Expert 3

1.1 Energy shut-off [8,9] [7,8] 8 [5,6] 6 [5,6] [1,3] [2,4] 3

1.2 Engine shut-down [8,9] 8 [7,8] [5,6] [5,6] 5 [1,3] 2 [2,3]
1.3.1 Level control failure [2,3] [2,3] 3 [2,3] [3,4] 3 [6,8] 7 [6,7]
1.3.2.1 Pump blockage [5,6] 5 [5,6] [3,4] 4 [4,5] [8,9] [7,8] 8
1.3.2.2 Filter choking [3,4] [4,5] 4 [3,4] [3,4] 3 [7,8] [6,7] 8
1.3.2.3 Filter choking [4,5] 5 [5,6] [3,4] 3 [3,4] [7,8] 8 [8,9]
1.3.3.1 No fuel pumping to the high-pressure pump [7,8] [7,8] 8 [6,7] 6 [5,6] [3,4] 4 [4,5]
1.3.3.2 Filter choking [6,7] 7 [7,8] [3,4] [4,5] 3 [4,5] [4,5] 5
1.3.3.3 No fuel pumping to the engine [8,9] [7,8] 8 [6,7] 7 [5,6] [3,4] [4,5] 4
1.3.3.4 Choking [8,9] 9 [8,9] [7,8] [6,7] 7 [2,3] 2 [1,2]
1.4.1 Filter choking [3,4] [3,4] 3 [3,4] [4,5] 4 [8,9] 8 [7,9]
1.4.2 Palette damages [8,9] 8 [7,8] [6,7] 7 [6,7] [2,4] [2,3] 3
1.4.3 Palette damages [8,9] [8,9] 8 [6,7] [5,6] 7 [2,3] [3,4] 3
1.4.2 Component blockage [8,9] 9 [7,8] [6,7] 6 [6,7] [2,4] 3 [2,3]
1.4.3
1.5.1 Reduced flow into the cooling system [7,8] [7,9] 8 [7,8] 7 [7,8] [6,7] 7 [5,6]
1.5.2.1 Fluids mixing [7,8] 7 [7,8] [6,7] [5,6] 6 [3,4] [4,5] 4
1.5.2.2 No oil pumping to the engine [8,9] [7,9] 8 [7,8] 7 [7,8] [6,7] [5,6] 6
1.5.2.3 Filter chocking [4,5] 5 [4,5] [3,4] [2,3] 4 [6,7] 6 [5,6]
1.5.3.1 Fluids mixing [6,7] [5,6] 7 [6,7] [7,8] 6 [3,4] 3 [3,4]
1.5.4.1 Empty tank (no water) [4,5] 5 [4,6] [2,3] 2 [3,4] [7,8] [6,7] 7
1.5.4.2 No pumping [4,6] [5,6] 5 [7,8] [7,8] 7 [6,7] [7,8] 7
1.5.4.3 Fluids mixing [6,7] 6 [5,6] [6,7] 7 [6,7] [3,4] 3 [4,5]
1.5.5.1 Fluids mixing [6,7] [7,8] 6 [6,7] 6 [5,6] [3,4] 4 [4,5]
1.5.5.2 No pumping [8,9] 9 [8,9] [7,8] [7,8] 7 [7,8] [6,8] 7
1.5.5.3 Filter choking [6,7] [7,8] 6 [3,4] 3 [4,5] [6,7] [6,7] 7
1.6.1 Trasmission failure [8,9] 5 [7,8] [8,9] [7,8] 9 [3,4] 4 [2,4]
1.6.2 Roll wear [6,7] [5,6] 6 [7,8] [7,8] 8 [3,5] 4 [4,5]
1.6.3 Chipping [5,7] 6 [6,7] [8,9] 9 [7,8] [3,4] [3,5] 4

Table 8
Combinations of experts’ judgments related to failure mode 1.5.5.2.

Item Id N° Combination S O D RPN

1.5.5.2 1 [8,9] [7,8] [7,8] [392,576]

2 [8,9] [7,8] [6,8] [336,576]
3 [8,9] [7,8] 7 [392,504]
4 [8,9] [7,8] [7,8] [392,576]
5 [8,9] [7,8] [6,8] [336,576]
6 [8,9] [7,8] 7 [392,504]
7 [8,9] 7 [7,8] [392,504]
8 [8,9] 7 [6,8] [336,504]
9 [8,9] 7 7 [392,441]
10 9 [7,8] [7,8] [441,576]
11 9 [7,8] [6,8] [378,576]
12 9 [7,8] 7 [441,504]
13 9 [7,8] [7,8] [441,576]
14 9 [7,8] [6,8] [378,576] Fig. 6. Belief and Plausibility curves of failure mode 1.5.5.2.
15 9 [7,8] 7 [441,504]
16 9 7 [7,8] [441,504]
17 9 7 [6,8] [378,504] Belief and Plausibility curves are not hereafter reported for each failure
18 9 7 7 [441,441] mode. With the aim of clarifying the methodology, Table 8 synthesizes
19 [8,9] [7,8] [7,8] [392,576] the 27 combinations pertaining to the failure mode 1.5.5.2 (that will
20 [8,9] [7,8] [6,8] [336,576]
result the most critical one) whereas Fig. 6 shows the resulting Belief
21 [8,9] [7,8] 7 [392,504]
22 [8,9] [7,8] [7,8] [392,576]
* }, namely
and Plausibility curves of the event {RPN1.5.5.2 > RPN1.5.5.2
23 [8,9] [7,8] [6,8] [336,576] * ) and Pl (RPN1.5.5.2 > RPN1.5.5.2
Bel (RPN1.5.5.2 > RPN1.5.5.2 * ) respectively.
24 [8,9] [7,8] 7 [392,504] Setting a mass of evidence m equal to 0.9, the threshold value RPN*f
25 [8,9] 7 [7,8] [392,504] (to be read on the x-axis) of each failure mode f is computed as the
26 [8,9] 7 [6,8] [336,504] intersection between the related Pl (RPNf > RPN*f ) and the line y=0.9.
27 [8,9] 7 7 [392,441]
Table 9 synthesizes the failure modes ranking on the basis of the
obtained RPN*f , ordered from the greatest value to the lowest one.
The lack of pumping by the gear-inverter oil pump (Item Id 1.5.5.2)
parameters O, S and D, all possible combinations among the experts’
*
results to be the most critical failure mode with a RPN1.5.5.2 = 441.
judgments related to risk factors O, S and D of each failure mode are
For the nineteen failure modes equally ranked, the additional steps
developed. Therefore, since the involvement of three experts, a total
number of 33=27 combinations is considered for each failure mode. of the prioritization procedure described in Section 5.3 are performed.
Namely, for failure modes characterized by the same value of RPN*f (see
Each combination leads to a crisp or interval-valued RPN having a BPA
equal to (1/3)3. For sake of space, such combinations as well as the Table 9), the line x=RPN*f is drawn so that the minimum credibility (i.e.

77
A. Certa et al. Reliability Engineering and System Safety 159 (2017) 69–79

Table 9 Table 10
Failure modes ranking on the basis of Plausibility curves. Final ranking.

Item Id RPN*f Ranking Item Id RPN*f Bel[RPN > RPN*f ] Pl[RPN > RPN*f ] Final Ranking

1.5.5.2 441 1 1.5.5.2 441 – – 1

1.5.1 378 2 1.5.1 378 0.111 0.9 2
1.5.2.2 378 2 1.5.2.2 378 0 0.9 3
1.5.4.2 280 3 1.5.4.2 280 – – 4
1.6.3 216 4 1.6.3 216 – – 5
1.3.3.1 192 5 1.3.3.3 192 0.37 0.9 6
1.3.3.3 192 5 1.3.3.1 192 0.148 0.9 7
1.6.2 192 5 1.6.2 192 0.148 0.9 7
1.4.2 168 6 1.5.2.1 168 0.444 0.9 8
1.5.2.1 168 6 1.4.2 168 0.074 0.9 9
1.4.3 162 7 1.4.3 162 0.222 0.9 10
1.4.2–1.4.3 162 7 1.4.2−1.4.3 162 0.111 0.9 11
1.3.2.1 160 8 1.6.1 160 0.482 0.9 12
1.6.1 160 8 1.3.2.1 160 0.444 0.9 13
1.1 144 9 1.5.5.1 144 0.444 0.9 14
1.5.5.1 144 9 1.1 144 0.074 0.9 15
1.3.3.4 126 10 1.5.5.3 126 0.704 0.9 16
1.5.3.1 126 10 1.5.3.1 126 0.444 0.9 17
1.5.4.3 126 10 1.5.4.3 126 0.407 0.9 18
1.5.5.3 126 10 1.3.3.4 126 0.148 0.9 19
1.3.2.3 120 11 1.3.2.3 120 – – 20
1.4.1 108 12 1.4.1 108 – – 21
1.3.3.2 105 13 1.3.3.2 105 – – 22
1.3.2.2 96 14 1.3.2.2 96 – – 23
1.2 90 15 1.5.2.3 90 0.333 0.9 24
1.5.2.3 90 15 1.2 90 0 0.9 25
1.5.4.1 70 16 1.5.4.1 70 – – 26
1.3.1 42 17 1.3.1 42 – – 27

second position of Table 9. Therefore, aiming at better discriminate

Fig. 7. Belief and Plausibility curves of failure mode 1.5.1.
their actual criticality, the line x=378 is drawn. The intersection
between such a line and the belief curves leads to a
Bel (RPN1.5.1 > 378) = 0.11, whereas Bel (RPN1.5.2.2 > 378) = 0 .
Therefore, since the minimum credibility of the event RPN1.5.1 > 378
is greater than the one associated with the event RPN1.5.2.2 > 378, the
failure mode 1.5.1 results more critical than the 1.5.2.2. As a
consequence, 1.5.1 still remains in the second position of the final
ranking, whereas 1.5.2.2 shifts to the third. The additional steps of the
prioritization procedure described with relation to failure modes 1.5.1
and 1.5.2.2 are performed on the remaining seventeen equally ranked
failure modes. Obtained results are reported in Table 10 as well as the
new ranking.
Analyzing the final ranking of Table 10, one can state that the
additional prioritization steps make possible a better discrimination
among the failure modes criticality. Actually, only failure modes 1.3.3.1
and 1.6.2 still remain undifferentiated.

7. Conclusions

In the present paper, a Failure Mode, Effects and Criticality

Fig. 8. Belief and Plausibility curves of failure mode 1.5.2.2.
Belief) of the event {RPNf > RPN*f } is found. For sake of clarity, let
consider the Belief and Plausibility curves of failure modes 1.5.1 and
1.5.2.2 (Figs. 7 and 8 respectively) that are equally ranked in the
Analysis (FMECA) under an uncertain environment is proposed. In
particular, the Dempster Shafer Theory (DST) of evidence is suggested
as a proper mathematical framework to deal with the epistemic
uncertainty often affecting the expert opinions on risk parameters
Occurrence (O), Severity (S) and Detection (D), which lead to the Risk
Priority Number (RPN). Whereas in the traditional RPN-based method
experts are forced at rating risk parameters by means of precise values,
the proposed DST-based FMECA approach allows experts to express
also interval-valued judgments on parameters O, S and D that better
represent their actual knowledge and perception of the analyzed
context. Contrarily to the two cited works on DST-based FMECA, the
proposed procedure does not require any aggregation stage so that
input information are not forced to have non-empty intersections.
Instead, all possible combinations among O, S and D values are
considered, and an innovative prioritization procedure is implemented.

78
A. Certa et al.
Plausibility curves of the event E = {RPNf > RPN*f } are firstly consid-
ered for each failure mode f, where RPN*f is a generic threshold value of
the RPNf . Such a choice is justified by the consideration that increasing
values of the RPN imply a greater criticality of failure modes. Setting a
credibility mass equal to m , the corresponding threshold value RPN*f of
each failure mode arises from the intersection between the related
Plausibility curve and the line through the point [0, m ] parallel to the x-
axis. Such a new parameter is employed to rank failure modes from the
most critical to the least critical one. In addition, in the presence of
equally ranked failure modes, the Belief curves are also used to better
discriminate the failure modes criticality.
Aiming at demonstrating the usefulness of the designed methodol-
ogy into real industrial contexts affected by the presence of epistemic
uncertainty, it is applied to the propulsion system of a fishing vessel
operating in the west sea side of Sicily. A team of three experts
comprising a technician, a ship owner and a mechanical engineer is
involved for the implementation of the whole approach. A total number
of 28 failure modes are identified among which the lack of pumping by
the gear-inverter oil pump results to be the most critical failure mode,
and only two failure modes still remain undifferentiated after the
implementation of the additional steps of the designed prioritization
procedure.
In the authors’ opinion, the proposed DST-based FMECA approach:
– properly deals with the epistemic uncertainty often affecting experts’
ratings on risk factors in real-life FMECA applications. In this
regard, interval-valued evaluations are also allowed to better
represent the experts knowledge and perception of the analyzed
context;
– does not force experts to express a BPA on their judgments, and
none assumption about the BPA distribution is required;
– does not require any aggregation stage of input information so that
also conflicting judgments may be handled;
– opportunely propagates the uncertainty of input data maintaining
the epistemic approach until the attainment of the final result.
References
[1] IEC 60812. Analysis techniques for system reliability – procedure for failure mode and
effects analysis (FMEA). International Electrotechnical Commission, Switzerland; 2006.
[2] Rausand M, Høyland A. System reliability theory: models, statistical methods, and
applications, 2nd edition. Wiley Series in Probability and Statistics; 2004.
[3] Scipioni A, Saccarola G, Centazzo A, Arena F. FMEA methodology design, implementa-
tion and integration with HACCP system in a food company. Food Control
2002;13:495–501.
[4] Arvanitoyannis IS, Savelides SC. Application of failure mode and effect analysis and cause
and effect analysis and Pareto diagram in conjunction with HACCP to a chocolate-
producing industry: a case study of tentative GMO detection at pilot plant scale. Int J
Food Sci Technol 2007;42:1265–89.
[5] Arvanitoyannis IS, Varzakas TH. Application of failure mode and effect analysis (FMEA),
cause and effect analysis and Pareto diagram in conjunction with HACCP to a potato
chips manufacturing plant. Int J Food Sci Technol 2007;42:1424–42.
[6] Cicek K, Celik M. Application of failure modes and effects analysis to main engine
crankcase explosion failure on-board ship. Saf Sci 2013;51:6–10.
[7] Wang YM, Chin KS, Poon GKK, Yang JB. Risk evaluation in failure mode and effects
analysis using fuzzy weighted geometric mean. Expert Syst Appl 2009;36:1195–207.
[8] Yang ZL, Bonsall S, Wang J. Fuzzy rule-based bayesian reasoning approach for
prioritization of failures in FMEA. IEEE Trans Reliab 2008;57(3):517–28.
[9] Seyed-Hosseini SM, Safaei N, Asgharpour MJ. Reprioritization of failures in a system
failure mode and effects analysis by decision making trial and evaluation laboratory
technique. Reliab Eng Syst Saf 2006;91:872–81.
[10] Ferson S, Ginzburg LR. Different methods are needed to propagate ignorance and
variability. Reliab Eng Syst Saf 1996;54:133–44.
[11] Francese M, Galante GM, La Fata CM, Passannanti G. Handling epistemic uncertainty in
the Fault Tree Analysis using interval-valued expert information. Safety and reliability:
methodology and applications. In: Proceedings of the european safety and reliability
conference-ESREL. Wroclaw; 2014. p. 1683–90.
[12] Helton JC, Johnson JD, Oberkampf WL. An exploration of alternative approaches to the
representation of uncertainty in model predictions. Reliab Eng Syst Saf 2004;85:39–71.
[13] Helton JC. Quantification of margins and uncertainties: conceptual and computational
basis. Reliab Eng Syst Saf 2011;96(9):976–1013.
79
Reliability Engineering and System Safety 159 (2017) 69–79
[14] Selonen K. A study on evidence theory: a general representation of uncertainty. Systems
Analysis Laboratory Bachelor’s thesis Espoo; 2015.
[15] Dempster AP. Upper and lower probabilities induced by a multivalued mapping. Ann
Math Stat 1967;38(2):325–39.
[16] Shafer G. A mathematical theory of evidence. Princeton: Princeton University Press;
1976.
[17] Curcurù G, Galante GM, La Fata CM. Epistemic uncertainty in fault tree analysis
approached by the evidence theory. J Loss Prev Process Ind 2012;25:667–76.
[18] Curcurù G, Galante GM, La Fata CM. A bottom-up procedure to calculate the top event
probability in presence of epistemic uncertainty. In: Proceedings of the 11th international
probabilistic safety assessment and management conference and the annual european
safety and reliability conference 2012, PSAM11 ESREL, Helsinki; 2012.
[19] Curcurù G, Galante GM, La Fata CM. An imprecise Fault Tree Analysis for the estimation
of the Rate of OCcurrence Of Failure (ROCOF). J Loss Prev Process Ind
2013;26:1285–92.
[20] Ayyub BM, Klir GJ. Uncertainty modeling and analysis in engineering and the sciences.
CRC Press; 2006.
[21] Liu H-C, Liu L, Liu N. Risk evaluation approaches in failure mode and effects analysis: a
literature review. Expert Syst Appl 2013;40:828–38.
[22] Bevilacqua M, Braglia M, Gabbrielli R. Monte Carlo simulation approach for a modified
FMECA in a power plant. Qual Reliab Eng Int 2000;16(14):313–24.
[23] Puente J, Pino R, Priore P, Fuente D. A decision support system for applying failure mode
and effects analysis. Int J Qual Reliab Manag 2001;19(2):137–50.
[24] Sankar NR, Prabhu BS. Modified approach for prioritization of failures in a system failure
mode and effects analysis. Int J Qual Reliab Manag 2001;18(3):324–35.
[25] Braglia M. MAFMA: multi-attribute failure mode analysis. Int J Qual Reliab Manag
2000;17:1017–33.
[26] Saaty TL. The analytic hierarchy process. New York: McGraw Hill Company; 1994.
[27] Bowles JB, Peláez CE. Fuzzy logic prioritization of failures in a system failure mode,
effects and criticality analysis. Reliab Eng Syst Saf 1995;50(2):203–13.
[28] Cayrac D, Dubois D, Prade H. Handling uncertainty with possibility theory and fuzzy sets
in a satellite fault diagnosis application. IEEE Trans Fuzzy Syst 1996;4(3):251–69.
[29] Xu K, Tang LC, Xie M, Ho SL, Zhu ML. Fuzzy assessment of FMEA for engine systems.
Reliab Eng Syst Saf 2002;75(1):17–29.
[30] Lupo T. Fuzzy ServPerf model combined with ELECTRE III to comparatively evaluate
service quality of international airports in Sicily. J Air Transp Manag 2015;42:249–59.
[31] Lupo T. A fuzzy framework to evaluate service quality in the healthcare industry: an
empirical case of public hospital service evaluation in Sicily. Appl Soft Comput
2016;40:468–78.
[32] Tay KM, Lim CP. Enhancing the failure mode and effect analysis methodology with fuzzy
inference techniques. J Intell Fuzzy Syst 2010;21:135–46.
[33] Braglia M, Bevilacqua M. Fuzzy modelling and analytical hierarchy processing as a means
of quantifying risk levels associated with failure modes in production systems. Technol
Law Insur 2000;5:125–34.
[34] Braglia M, Frosolini M, Montanari R. Fuzzy criticality assessment model for failure
modes and effects analysis. Int J Qual Reliab Manag 2003;20(4):503–24.
[35] Zhang Z, Chu X. Risk prioritization in failure mode and effects analysis under
uncertainty. Expert Syst Appl 2011;38:206–14.
[36] Zammori F, Gabbrielli R. ANP/RPN: a multi criteria evaluation of the risk priority
number. Qual Reliab Eng Int 2011;28:85–104.
[37] Saaty TL, Ozdemir MS. The encyclicon: a dictionary of decisions with dependence and
feedback based on Analytic Network Process. Pittsburgh (USA): RWS Publications; 2005.
[38] Braglia M, Frosolini M, Montanari R. Fuzzy TOPSIS approach for failure mode, effects
and criticality analysis. Qual Reliab Eng Int 2003;19:425–43.
[39] Kutlu AC, Ekmekçioğlu M. Fuzzy failure modes and effects analysis by using Fuzzy
TOPSIS-based Fuzzy AHP. Expert Syst Appl 2012;39:61–7.
[40] Carpitella S, Certa A, Galante G, Izquierdo J, La Fata CM. The FTOPSIS method to
support FMECA analyses. In: Proceedings of the 22nd ISSAT international conference on
reliability and quality in design. Los Angeles, California, USA; 2016. p. 398–402.
[41] Chin K-S, Wang Y-M, Poon GKK, Yang J-B. Failure mode and effects analysis using a
group-based evidential reasoning approach. Comput Oper Res 2009;36:1768–79.
[42] Liu HC, Liu L, Bian QH, Lin QL, Dong N, Xu PC. Failure mode and effects analysis using
fuzzy evidential reasoning approach and grey theory. Expert Syst Appl 2011;38:4403–15.
[43] Yang J, Huang H-Z, He L-P, Zhu S-P, Wen D. Risk evaluation in failure mode and effects
analysis of aircraft turbine rotor blades using Dempster–Shafer evidence theory under
uncertainty. Eng Fail Anal 2011;18:2084–92.
[44] Su X, Deng Y, Mahadevan S, Bao Q. An improved method for risk evaluation in failure
modes and effects analysis of aircraft engine rotor blades. Eng Fail Anal 2012;26:164–74.
[45] Bae H-R, Grandhi RV. Uncertainty quantification of structural response using Evidence
Theory. AIAA J 2003;41(10):2062–8.
[46] Voorbraak F. On the justification of Dempster's rule of combinations. Artif Intell
1991;48:171–97.
[47] Klawonn F, Schwecke E. On the axiomatic justification of Dempster's rule combination.
Int J Intell Syst 1992;7:469–78.
[48] Dubois D, Prade H. On the unicity of dempster rule of combination. Int J Intell Syst
1986;1:133–42.
[49] Zadeh L. Book review: a mathematical theory of evidence. Al Mag 1984;5(3):81–3.
[50] Yager RR. On the dempster–shafer framework and new combination rules. Inf Sci
1987;41:93–137.
[51] Sentz K, Ferson S. Combination of Evidence in Dempster-Shafer Theory. Sandia Reports.
vol. 4015; 2002.
[52] Certa A, Enea M, Galante GM, La Fata CM. A Multistep methodology for the evaluation of
human resources using the evidence theory. Int J Intell Syst 2013;28(11):1072–88.
[53] Baraldi P, Compare M, Zio E. Maintenance policy performance assessment in presence of
imprecision based on Dempster-Shafer Theory of Evidence. Inf Sci 2013;245:112–31.