A systems engineer conducts FMEA on a hospital's emergency generator. The failure mode 'fuel pump fails to start' is rated: Severity = 9 (patient life-safety impact), Occurrence = 2 (rare), Detectability = 7 (hard to detect without testing). Calculate the Risk Priority Number (RPN) and determine whether this failure mode should be prioritised for mitigation.

RPN = 18 (9 + 2 + 7); this low score means the failure mode is acceptable and no action is needed RPN = 126 (9 × 2 × 7); the high severity rating makes this a priority despite low occurrence — RPN alone underweights catastrophic-severity, low-frequency failures RPN = 126 (9 × 2 × 7); this score is below the threshold of 200, so no immediate action is required RPN = 63 (9 × 7 ÷ 2 × occurrence factor); occurrence is divided because rare events reduce risk

A Fault Tree Analysis of a nuclear reactor's emergency cooling system starts with the top event 'Cooling system fails to activate.' Below this is an OR gate connected to: 'Pump A fails' and 'Pump B fails.' The probability of each pump failing is 0.001. What is the probability of the top event, and what does the OR gate indicate about system design?

Probability = 0.000001 (product of both failures for OR gate); the OR gate shows the system is redundant because both pumps must fail simultaneously Probability ≈ 0.002 (sum of independent failures for OR gate); the OR gate shows either failure alone is sufficient to cause top event — this is NOT a redundant design, it is two single points of failure in parallel Probability = 0.001 (unchanged because the pumps are identical); OR gates do not change the probability of the top event Probability = 0.5 (OR gate averages the two pump failure rates); the design is adequate because the average failure rate is within acceptable limits

A commercial aircraft uses a 2-of-3 voting system for its flight control computers: three computers independently calculate control surface commands, and the system uses whichever answer at least two computers agree on. If one computer produces a faulty output, what happens, and why is this better than a simple 1-of-2 active redundancy system?

The system shuts down all three computers and transfers control to the pilot's mechanical backup; 1-of-2 would do the same but faster The faulty computer is outvoted by the other two; the system continues operating correctly and the fault is identified — a 1-of-2 system cannot determine which computer is correct when they disagree The system averages the outputs of all three computers, diluting the effect of the faulty output; 1-of-2 cannot average because only two computers are available The faulty computer reboots automatically; the 2-of-3 system provides time for the reboot that a 1-of-2 system does not

During the 2003 North American Blackout, FirstEnergy's alarm system had a software bug that caused it to stop displaying alerts — but the system gave no indication it had failed. Operators believed the grid was normal while transmission lines were overloading. What systems engineering concept does this failure most directly illustrate, and what design principle would have prevented it?

Common cause failure: the alarm software and the grid protection relays used the same code base, so both failed simultaneously for the same reason A silent failure / fail-opaque design: the alarm system failed without alerting operators; a fail-safe or watchdog design would have generated an explicit alarm when the alarm system itself stopped functioning Human error: operators chose to ignore alarm warnings because they had seen many false alarms previously (alarm fatigue) Insufficient redundancy: FirstEnergy should have had a second independent alarm system running simultaneously

A telecommunications network connects cities A, B, C, D, and E. Currently, every city is connected to every other city by a direct fibre link (fully meshed). The network operator proposes cutting costs by removing links so each city has only one connection path to every other city (a spanning tree topology). A systems engineer objects. What specific resilience property is lost, and why does it matter?

Throughput is reduced — a spanning tree carries less data than a fully meshed network because there are fewer links available Path redundancy is eliminated — any single link failure in a spanning tree disconnects part of the network, whereas the meshed topology has multiple paths so any one link can fail without loss of connectivity Latency increases — packets must travel longer distances in a spanning tree than in a direct meshed connection Security is weakened — a meshed network has more points of entry for attackers, so reducing to a spanning tree actually improves security

Power stations require water cooling, natural gas fuel (transported via pipelines), and digital control systems (which run on electricity). Natural gas pipelines use electrically powered compressors. During a major power outage, the pipelines cannot deliver gas, so gas-fired backup generators cannot start. What infrastructure systems engineering concept does this chain of failures demonstrate?

Single point of failure — the power grid has one critical node whose failure brings down all connected infrastructure Graceful degradation — the system is shedding non-essential loads to protect the most critical infrastructure Critical infrastructure interdependency — cascading failure occurs when interconnected systems each depend on outputs from another, so failure in one propagates through the entire network Active redundancy failure — all parallel backup systems are failing simultaneously due to a common cause

A flight management system (FMS) loses its satellite navigation signal over the ocean. Rather than declaring a complete failure, it switches to inertial navigation (less accurate, drifts over time), continues to display the best available position estimate, and removes functions that depend on high-accuracy positioning while keeping core autopilot and fuel management active. What resilience design principle is this?

Active redundancy — the system switches seamlessly to an identical backup navigation system Fail-safe — the system detects a failure and automatically hands control to the pilot Graceful degradation — the system maintains core functionality with reduced capability after a partial failure, rather than failing catastrophically Standby redundancy — the inertial system was not active before and was switched on only when needed

During the COVID-19 pandemic, hospitals in many countries ran out of personal protective equipment (PPE) within weeks of the outbreak. Most health services had been operating PPE supply chains on just-in-time (JIT) principles. A health economist proposes switching to just-in-case (JIC) for PPE. A supply chain manager objects that JIC is too expensive. Synthesise the correct trade-off analysis.

JIC is always superior to JIT because inventory buffers protect against all supply chain disruptions regardless of cost JIT is superior because the pandemic was a once-in-a-century event and the holding costs of JIC over 100 years would exceed the cost of the shortage JIT is cost-optimal for predictable demand with reliable supply, but its zero-buffer makes it catastrophic for low-probability, high-consequence supply disruptions; JIC is justified for critical safety stock where the cost of stockout (patient and staff deaths) greatly exceeds the cost of holding inventory The pandemic shortage was caused by hoarding rather than supply chain design, so neither JIT nor JIC would have prevented it

A technology company claims its new solid-state battery has been tested in a laboratory environment and outperforms current lithium-ion batteries in energy density. It seeks investment to scale to automotive production. Using the TRL scale, what level does this represent, and what are the TWO most critical next milestones before the technology can be considered ready for vehicles?

TRL 9 (fully proven in operational mission); the technology just needs a manufacturing partner to begin production TRL 4 (component validated in laboratory); next milestones are TRL 6 (validated in a relevant environment — e.g., in a prototype vehicle in real temperature and vibration conditions) and TRL 7 (prototype demonstrated in an operational vehicle) TRL 1 (basic principles observed); the company needs to conduct more fundamental research before any investment is justified TRL 7 (prototype demonstrated operationally); the only remaining step is regulatory approval for commercial sale

A defence contractor uses FMECA rather than standard FMEA for a missile guidance system. FMECA adds a 'criticality' calculation to the FMEA risk assessment. What additional information does FMECA provide that standard FMEA's RPN does not capture?

FMECA adds a cost estimate for each failure mode so that mitigation budgets can be allocated optimally FMECA calculates the probability that a given failure mode causes mission failure by multiplying the component failure rate by the conditional probability that the failure mode leads to the critical effect — giving an absolute risk measure rather than a relative ranking FMECA extends FMEA by adding environmental failure modes (temperature, humidity, vibration) that standard FMEA ignores FMECA replaces the detectability score with a human factors score to capture the contribution of operator error to each failure mode

A global electronics manufacturer sources a critical microprocessor from a single Taiwanese fab (fabrication plant). After a major earthquake disrupts production for six months, the company cannot build its flagship products. In response, it develops a resilience strategy. Which combination of measures best addresses the root cause of the disruption while remaining commercially viable?

Switching entirely to a domestic supplier to eliminate geopolitical and natural disaster risk from overseas supply chains Dual-sourcing the processor from a second qualified fab in a different geography, holding 12 weeks of safety stock, and redesigning the product to accept an alternative chip — addressing single-source risk, buffer absence, and design inflexibility simultaneously Purchasing six months of forward contracts on the processor to lock in supply price and availability from the existing single source Moving all manufacturing to a country with low earthquake risk and insisting the Taiwanese fab establish a backup facility there

A systems engineering team is developing a new urban air mobility aircraft (a flying taxi). They apply concurrent engineering from the project's start. Stakeholder requirements are: 30-minute range, <70 dB at 100 m, autonomous operation (no pilot), and a 5-year service life with 1,000 flight hours between major overhauls. During requirements analysis, the team discovers that achieving autonomous operation at TRL 9 within the project timeline is not feasible, but TRL 7 is achievable. Apply systems engineering process discipline to determine the correct response.

Proceed with TRL 7 autonomy and document it as a risk in the project log; customers rarely read risk registers so this avoids conflict Escalate the TRL 7 vs TRL 9 gap as a requirements conflict; present options (extend timeline, accept piloted operation, reduce autonomy scope) to the customer for a decision — requirements cannot be silently reduced without customer sign-off Redefine 'autonomous operation' in the requirements document to match what TRL 7 can deliver, then proceed — this is standard systems engineering practice Cancel the project immediately because any gap between required and achievable TRL means the project cannot succeed