Failure Mode Effects and Criticality Analysis (FMECA)
Kim R. Fowler KSU ECE
February 2013
Purpose for FMECA
In the face of potential failures, determine if the design must change to improve:
Reliability
Safety
Operation
Secondary purpose: estimate reliability of the system from base component reliabilities
Basic Description
Determines failure effects at various levels:
Functions or components
Modules or assemblies
Subsystems
Failures that appear at interfaces – how do failures propagate and affect other subsystems
Qualitative and quantitative
Tabular, bottom-up approach
Single point failures
Basic Description (continued)
Part of detailed design hazard analysis type (DD-HAT); this is done once the system design is completed and you have schematics or detailed functional descriptions of components/modules
Goals of FMECA
Assess system safety
Bottom-up analysis focused on design
Identifies failures:
Types occurring at/within each component
Effect on component behavior
Criticality
Provides basis for reducing safety risks
How might the system be reconfigured to mitigate
Documentation of safety considerations
Goals of FMECA (continued)
What does it tell the developer? – helps address risks in priority order during design
What does it tell the regulator? – designers used a measure of discipline and rigor
History of FMECA
Developed for U.S. military in late 1940s
Embodied in MIL-STD-1629A
Used by:
NASA in 1960s for moon program
Ford Motor Co. in late 1970s after Pinto gas tank problems
Automotive Industry Action Group (AIAG) and American Society for Quality Control (ASQC), 1993, SAE J-1739
FMECA Answers these Questions
What components can fail?
How can each component fail?
What are the effects of each failure?
What are the consequences of each failure?
(If reliability data are available:)
How frequently can it fail?
How does it affect system reliability?
FMECA Inputs – Part 1
System context:
Mission
System design
Identifies the subsystems
Granularity determines extent of analysis
Operational constraints
Logical dependencies
Data flow
Success and failure boundaries
Defines fault/failure/problem propagation
How faults/failures/problems are contained
FMECA Inputs – Part 2
Data on each component:
Possible failure types, e.g. two electrical signal pins shorted together
Possible operational modes, e.g. expected mechanical actions from control operations
Connection to other components
Immediate effects of failure
Systemic effects of failure
(For reliability calculations: probability of failure or occurrence)
FMECA Outputs – Lists of Effects
Effects (failures)
Criticality
One set of characterizations: safety in the medical domain
0 = none, no consequence
1 = very low (e.g. minor annoyance)
2 = low to moderate (e.g. inconvenience)
3 = serious (e.g. minor injury)
4 = severe (e.g. harm and significant injury)
5 = catastrophic (e.g. death)
FMECA Outputs (continued)
Criticality (continued): mission criticality in the military domain
0 = none, no consequence
1 = very low (e.g. minor annoyance)
2 = low to moderate (e.g. inconvenience)
3 = serious (e.g. disruption to subsystem)
4 = severe (e.g. loss of subsystem affects other subsystems, reduces effectiveness of mission)
5 = catastrophic (e.g. loss of entire mission)
FMECA Outputs – Reliability, RPN
(For reliability calculations:)
Probability of failure or occurrence
RPN = risk priority number
RPN = (prob. of occurrence) x (criticality) / (prob. of detection)
Domain expertise required for:
Criticality
Probability of detection
Needs component failure rates
Subtleties in RPN require careful interpretation
Step 1
Understand and list potential hazards that lead to failures within the system (see earlier lectures)
List components to be analyzed
Step 1 – Examples
Step 2
Collect and list failure modes for each component
Example: (note – line 3 requires domain expertise; in this case, a heater element might experience corrosion in its connectors that increases electrical resistance and lowers heat dissipation)
Step 3
Collect and list effects for each component:
Immediate effect (failure effect as observed by the rest of the system at the component/module boundary)
Systemic effect (effect of failure on overall system behavior)
Please note: effects can expand the number of lines in the analysis, to clarify failure modes
Step 3 – Examples
Step 4
Determine criticality for each component:
Review systemic effects
Subjectively gauge how critical
Select criticality:
0 = none, no consequence
1 = very low (e.g. minor annoyance)
2 = low to moderate (e.g. inconvenience)
3 = serious (e.g. minor injury)
4 = severe (e.g. harm and significant injury)
5 = catastrophic (e.g. death)
Step 4 – Example
Step 5 (if calculating reliability)
List probability of failure for each component (e.g. from MIL-HDBK-217)
Reliability = probability that the system will operate correctly for a specified continuous time duration under specified conditions.
Definitions:
λ = # failures / unit time for each component
System failure rate: λsys = λ1 + λ2 + λ3 + … + λn
Critical failure rate: λ' = f · λ1, where f = fraction of failures that make the system inoperable
Assume single, independent failures, no common cause
Unreliability: Q(T) = 1 – exp(–λ'T)
Step 5 – Example
Step 5 - NOTES
MTTF = mean time to failure
MTTF values made up for purposes of illustration
11.4 years = 100,000 hours
Step 6 (if calculating RPN)
Collect for each component:
Probability of occurrence (from failure rate)
Probability of detection (% or between 0 and 1)
Calculate RPN:
RPN = (prob. of occurrence) x (criticality) / (prob. of detection)
Step 6 – Example
Step 6 - NOTES
Larger RPNs indicate priority to fix or mitigate these particular faults
Most important in this example = 0.3893
Next in importance = 0.3504
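The Step 5 and Step 6 arithmetic, worked through as an added Python example that is not part of the lecture deck. The component names follow the isolette example, but every MTTF, critical fraction f, criticality and detection value is constructed for illustration, the mission time T is assumed to be one year (8760 h, the factor behind the deck's 100,000 h = 11.4 years), and Q(T) is used as the probability of occurrence in the RPN.

```python
import math

HOURS_PER_YEAR = 8760  # assumed mission time T; matches 100,000 h = 11.4 years


def failure_rate_from_mttf(mttf_hours):
    """lambda = failures per hour, derived from mean time to failure."""
    return 1.0 / mttf_hours


def system_failure_rate(rates):
    """lambda_sys = lambda_1 + ... + lambda_n (single, independent failures)."""
    return sum(rates)


def critical_failure_rate(rate, fraction_critical):
    """lambda' = f * lambda, f = fraction of failures that make the system inoperable."""
    return fraction_critical * rate


def unreliability(rate, hours):
    """Q(T) = 1 - exp(-lambda' * T): probability of a critical failure within T hours."""
    return 1.0 - math.exp(-rate * hours)


def rpn(prob_occurrence, criticality, prob_detection):
    """RPN = occurrence x criticality / detection; detection must lie in (0, 1]."""
    if not 0.0 < prob_detection <= 1.0:
        raise ValueError("probability of detection must be in (0, 1]")
    return prob_occurrence * criticality / prob_detection


# Constructed worksheet rows (illustrative values, not taken from the deck):
# name, MTTF in hours, critical fraction f, criticality 0-5, probability of detection.
WORKSHEET = [
    ("heater element",    100_000, 0.5, 4, 0.8),
    ("airflow fan",        50_000, 0.4, 3, 0.9),
    ("thermal interlock", 200_000, 1.0, 5, 0.2),
]


def rank_by_rpn(rows, mission_hours=HOURS_PER_YEAR):
    """Return (name, Q(T), RPN) per row, highest RPN first (the Step 6 ranking)."""
    out = []
    for name, mttf, f, crit, p_det in rows:
        lam_crit = critical_failure_rate(failure_rate_from_mttf(mttf), f)
        q = unreliability(lam_crit, mission_hours)  # occurrence over the mission
        out.append((name, q, rpn(q, crit, p_det)))
    return sorted(out, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for name, q, score in rank_by_rpn(WORKSHEET):
        print(f"{name:18s} Q(1 yr)={q:.4f}  RPN={score:.4f}")
```

With these constructed values the interlock ranks first despite having the lowest failure rate, because its low probability of detection sits in the denominator; that is the kind of RPN subtlety the deck says needs careful interpretation.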
Extensions to FMECA
Ericson suggests additional columns that could be added to enhance understanding of failures and hazards:
Causal factors – between the failure mode and effects columns, to give more comment on the type or location of the failure or on extenuating circumstances
Failure detection – after the effects columns, e.g.: Inspection, Test, None
Extensions to FMECA – Part 2
Controls – after the failure detection column, e.g.: Quality Assurance (QA), Built-in-test, None
Hazard – after the controls column, e.g.: Fire, Premature operation, Damage, None
Final column for “Recommended Action”
See reproduced Table 13.4 on pp. 253-254
Ericson example FMECA
EXAMPLE AND CLASS EXERCISES
Example – Incubator Isolette
http://www.worldbiomedsource.com/images/products/pimage/Air%20Shield%20C550.jpg
Simple Isolette Diagram
Ex. – Isolette Heater Element
CLASS EXERCISE – FAN, DUCTING, AND DAMPERS
Steps 3 - 4
Steps 1 and 2 done for you.
Collect and list effects for each component:
Immediate effect
Systemic effect
Determine criticality for each component:
0 = none, no consequence
1 = very low (e.g. minor annoyance)
2 = low to moderate (e.g. inconvenience)
3 = serious (e.g. minor injury)
4 = severe (e.g. harm and significant injury)
5 = catastrophic (e.g. death)
Exercise – Isolette Airflow Fan
Solution – Isolette Airflow Fan
CLASS EXERCISE – THERMAL SAFETY INTERLOCK
Steps 3 - 4
Steps 1 and 2 done for you.
Collect and list effects for each component:
Immediate effect
Systemic effect
Determine criticality for each component:
0 = none, no consequence
1 = inconsequential or very low
2 = low to moderate
3 = serious
4 = severe
5 = catastrophic
Exercise – Thermal Interlock
Solution – Thermal Interlock
FINAL EXAMPLE
From aerospace: detail of a pin in a connector
Ex. FMECA from aerospace
(© 2008 by Kim Fowler, used with permission. All rights reserved.)
Ex. 2 FMECA from aerospace
FINAL THOUGHTS ON FMECA
FMECA Advantages
Easily understood and performed
Relatively inexpensive (in terms of effort)
Gives rigor and focuses analyses
Can provide reliability prediction
Commercial software available
FMECA Disadvantages
Single mode failures only, not combinations of failures
Does not identify hazards unrelated to failure
Very limited examination of:
Human error
External influences and interfaces
Software or operations – focus is hardware
Requires system/product expertise
Parting Comments
FMECA should be used in combination with other analytical tools, not as the sole tool for hazard analysis
FMEDA is an extension (favored by some):
Failure rates
Diagnostics (the “D” replacing the “C”)
Reference
Clifton A. Ericson II, “Hazard Analysis Techniques for System Safety,” Wiley-Interscience, John Wiley & Sons, Inc., 2005, pp. 235–259.
Based on MIL-STD-882