System Safety M8 Failure Modes Effects Criticality Analysis (FMECA) V1.1
Matthew Squair
UNSW@Canberra
12 October 2015
1 Matthew Squair M8 Failure Modes Effects Criticality Analysis (FMECA) V1.1
Except for images whose sources are specifically identified, this copyright work is licensed under a Creative Commons Attribution-Noncommercial, No-derivatives 4.0 International licence.
To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc-nd/4.0/
2 Matthew Squair M8 Failure Modes Effects Criticality Analysis (FMECA) V1.1
1 Introduction
2 Overview
3 Methodology
4 Limitations, advantages and disadvantages
5 Conclusions
6 Further reading
Introduction
Learning outcomes
The student is able to appropriately apply the FMECA method as part of a hazard analysis
The student will understand the strengths and weaknesses of the method
Overview
“Failure Modes, Effects, and Criticality Analysis is an excellent hazard analysis and risk assessment tool, but it suffers from other limitations. This alternative does not consider combined failures or typically include software and human interaction considerations. It also usually provides an optimistic estimate of reliability. FMECA should be used in conjunction with other analytical tools when developing reliability estimates.”
— FAA (2004)
FMEA is a tool that originated with SAE reliability engineers working on flight controls and is widely used in reliability engineering [Clements 1996]
FMECA = FMEA + C
C = Criticality (can be via a risk assessment)
FMEA (or FMECA) is a known-cause, unknown-effect analysis that considers the potential effects of system components ceasing to behave as intended
FMEA/FMECA works from the bottom up, i.e. from part failure modes to the failure effect at that level and at successive higher levels in the system
Results can be used to identify high-vulnerability elements and to guide resource deployment for best benefit
Can identify single points of failure in a system
The strength of the technique is its completeness; the weakness of the technique is its labour-intensive nature
FMEA as a single point of failure analysis
Early aviation safety standards focused on the elimination of single points of failure as a deterministic safety goal. FMEA is the deterministic analysis technique used to achieve this goal
Key definitions
Criticality. A relative measure of the consequences of a failure mode and its frequency of occurrence
Failure mode. A particular way in which an item fails, independent of the reason for failure
Failure effect. The consequence(s) of a failure mode on the system or its environment. May be functional or physical
A system that is shut down by safety features has not faulted
Protective devices which function as intended are not failed
Failure modes versus fault
The term 'failure modes' is a misnomer; some sources now call FMEA by another name, 'fault hazard analysis'
Failed/faulted safe. Proper function is compromised, but no hazard exists
Failed/faulted dangerous. Proper function is impaired or lost in a way which presents a hazard
Indenture levels. The hierarchy of hardware levels from the part to the component to the subsystem to the system, etc.
FMEA/FMECA and the system lifecycle
A FMEA or FMECA cannot be done until design has proceeded to the point that system components have been selected at the level the analysis is to explore
Ideally, FMEA/FMECAs lead on from the PHA (preliminary hazard analysis) effort
Failure mode and effect relation
FMEA/FMECAs require a part/whole indentured model of the system to allow for the logical identification of failure effects (at the next level) induced by failure modes (at the level below)
Methodology
1 Define the system and its boundary for analysis
2 Establish the scope and level of the analysis
3 Construct functional and reliability block diagrams
4 Identify failure modes, effects, failure detection & recovery
5 Evaluate and assign criticality (FMECA)
6 Identify design and operational changes to reduce risk
7 Document the analysis
The purpose of analysis is insight, not paper
The final report should discuss the problem failure modes found, identify items exempted (and why) and summarise the scope
Scope the analysis
Common analysis scoping assumptions (sometimes called ground rules) include:
Only one failure mode exists at a time
All inputs to the item are present and at nominal values
All consumables are present in sufficient quantities
Nominal power is available
All mission phases are considered in the analysis
Connector failure modes are limited to connector disconnect
Focus on single failures causing loss of N>2 redundancy
Passive component failure in benign environments is ignored
The analysis will be performed at the piece part level, or
The analysis will be performed at the functional module level
System and analysis definition
FMEA/FMECAs generate a lot of information, so it is important to structure the analysis
Clearly identify the boundary of the analysis, and ensure that system boundary interfaces are included in the analysis
Ensure that there is a system breakdown structure or indentured equipment list to support the assessment of 'next higher' effects
Define a standardised coding scheme for components: functional, geographic or both
For major analysis campaigns, plan the analysis top down to ensure that the bottom-up analysis effort is targeted at critical areas
Analysing failure modes and effects
These tasks are performed once for each identified failure mode
1 Select part or interface for analysis
2 Identify item (or function)
3 Postulate a single failure mode
4 Identify causes (from knowledge of part/technology)
5 From knowledge of design, assess the local effect
6 Assess the failure effect of (3) at the NHA (next higher assembly) and at system level
7 Assign a severity category for (3)
8 Evaluate criticality
9 Identify possible detection, recovery or redundancy
10 Re-evaluate criticality post proposed changes (if any)
What do we mean by ’criticality’?
There are various ways we can assess criticality, depending on what metric we use to express risk
If our metric of risk is the presence of single points of failure and the loss of redundancy (NASA's traditional approach) then criticality can be incorporated into the severity scale
If we have qualitative likelihood data we can utilise a qualitative risk assessment of criticality
If we have failure rates for piece parts we can evaluate risk and criticality quantitatively
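The quantitative route, as an added example that is not part of the original slides: it uses the MIL-STD-1629A failure-mode criticality number Cm = β·α·λp·t (the standard's formula, which the slides do not state), where β is the conditional probability that the mode produces the assumed end effect, α the failure mode ratio, λp the part failure rate and t the operating time, and sums Cm per item and severity class to get the item criticality Cr. The part names, rates and ratios are constructed for illustration, not Ranger data.

```python
"""Quantitative criticality ranking in the MIL-STD-1629A style.

Added example, not from the slides. Assumes the MIL-STD-1629A failure-mode
criticality number Cm = beta * alpha * lambda_p * t and the item criticality
Cr = sum of Cm over an item's modes in one severity class. All part data are
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FailureMode:
    item: str
    mode: str
    severity: int      # 1 catastrophic, 2 critical, 3 significant, 4 minor
    alpha: float       # failure mode ratio: share of the part's failures in this mode
    beta: float        # conditional probability the mode yields the assumed end effect
    lambda_p: float    # part failure rate, failures per hour
    t: float           # exposure time in hours

    def criticality(self) -> float:
        """Cm = beta * alpha * lambda_p * t, the expected end-effect occurrences."""
        return self.beta * self.alpha * self.lambda_p * self.t


def check_mode_ratios(modes: List[FailureMode], tol: float = 1e-9) -> Dict[str, bool]:
    """Ground-rule check: the alphas of one item's modes must sum to 1."""
    totals = defaultdict(float)
    for m in modes:
        totals[m.item] += m.alpha
    return {item: abs(total - 1.0) <= tol for item, total in totals.items()}


def item_criticality(modes: List[FailureMode]) -> Dict[Tuple[str, int], float]:
    """Cr per (item, severity): the sum of Cm over that item's modes in the class."""
    cr = defaultdict(float)
    for m in modes:
        cr[(m.item, m.severity)] += m.criticality()
    return dict(cr)


def rank_modes(modes: List[FailureMode]) -> List[FailureMode]:
    """Worst first: severity class 1 before 2 before 3..., then higher Cm first."""
    return sorted(modes, key=lambda m: (m.severity, -m.criticality()))


MISSION_HOURS = 100 * 24   # the 100-day on-orbit life from the Ranger example

# Constructed parts of a hypothetical wrist actuator drive circuit (not real data).
SAMPLE_MODES = [
    FailureMode("drive MOSFET", "short", 2, 0.6, 1.0, 2e-7, MISSION_HOURS),
    FailureMode("drive MOSFET", "open", 2, 0.4, 1.0, 2e-7, MISSION_HOURS),
    FailureMode("position sensor", "no output", 3, 0.7, 0.5, 5e-7, MISSION_HOURS),
    FailureMode("position sensor", "drift", 3, 0.3, 0.2, 5e-7, MISSION_HOURS),
    FailureMode("motor winding", "open", 2, 1.0, 1.0, 1e-7, MISSION_HOURS),
]

if __name__ == "__main__":
    bad = [item for item, ok in check_mode_ratios(SAMPLE_MODES).items() if not ok]
    if bad:
        raise SystemExit(f"failure mode ratios do not sum to 1 for: {bad}")
    for m in rank_modes(SAMPLE_MODES):
        print(f"sev {m.severity}  Cm={m.criticality():.2e}  {m.item}: {m.mode}")
    for (item, sev), cr in sorted(item_criticality(SAMPLE_MODES).items()):
        print(f"Cr[{item}, sev {sev}] = {cr:.2e}")
```

Note that the ranking is by severity class first and Cm second: a Cat 3 mode with a large Cm (the sensor losing output here) still sorts below every Cat 2 mode, which is the point of keeping severity as the primary key rather than collapsing everything into one number.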
Criticality as single point failure
NASA severity as criticality metric
Category  Identifier      Description
1         Catastrophic    Results in loss of life, severe damage
1R        Catastrophic R  Failure mode of a redundant component that, if all failed, would result in Cat 1
2         Critical        Loss of mission objectives
2R        Critical R      Failure mode of a redundant component that, if all failed, would result in Cat 2
3         Significant     Degradation to mission objectives
4         Minor           Insignificant, no loss of mission objectives
A useful metric of risk during early functional design, when detailed parts design and failure rates are not readily available
Typical worksheet information
General administrative/heading information
Identification number (from System Breakdown)
Item name/function performed
Operational phase(s); alternatively, the co-effector if one is a prerequisite for the effect
Failure mode/cause/effect
Risk assessment (Target(s)/Severity/Probability/Risk)
Action required/remarks
Means of detection/recovery/redundancy (if any)
A failure mode at one level becomes a failure effect at the next higher level of indenture
The MIL-STD-1629 FMEA worksheet
Figure: Image source [Clements 1996]
The MIL-STD-1629 FMECA worksheet
Figure: Image source [Clements 1996]
Qualitative risk based FMECA worksheet
Figure: Image source [Clements 1996]
Example: Ranger arm wrist actuator FMEA
Example
The Ranger Telerobotic Vehicle System (TRVS) consists of two manipulators (one grapple, one dexterous), a positioning manipulator for a stereo camera pair, and an avionics-services torso module mounted onto a propulsion module
The Ranger TRVS is a free-flying servicing vehicle intended to provide remote servicing via ground control for moderate-difficulty tasks and pre-task site preparation for manned EVA
The system has a 100 day on-orbit life and is retrieved from orbit for repair and refurbishment. We are conducting a FMEA on the wrist roll actuator of the dexterous arm
The arms are normally stowed for orbital transfer and manoeuvre
Example: Ranger FMEA (System overview)
Figure: Image sources: UM SSL and NASA
Example: Ranger FMEA - Wrist roll actuator
Function. To provide rotational motion (roll) and torque about the wrist's z axis
Failure mode. Loss of motor actuation of joint
Failure causes. Part failure in drive circuit, loss of motor control
Failure effects
Local (wrist). Loss of wrist roll and torque
NHA (arm). Cannot continue on-orbit manipulation task
System (vehicle). None at vehicle level (safe return assured)
Severity. Using the NASA code, 2 (loss of mission)
Detection/Recovery. Position/torque sensing and display
Example: Ranger (Wrist roll actuator) FMEA worksheet
ID: 1
Mission phase: On-orbit repair operations
Name & function: Dexterous arm wrist actuator (roll); provides motion in the roll (z) axis
Failure mode & cause: a. Loss of motor control; b. Part failure in motor drive circuit
Failure effect: a. Local: Loss of wrist roll motion and torque; b. NHA: Cannot continue on-orbit task and mission; c. End: None at vehicle level
Sev: 2
Detection, redundancy & recovery: a. Position sensor and torque sensing displayed at DAC; b. Design for stowage at any angle
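The per-failure-mode procedure (steps 1 to 10), the NASA severity-as-criticality scheme and the worksheet above, carried through in code as an added example that is not from the slides, NASA or the Ranger project. It models the indenture chain (item, NHA, system), reports the postulated mode as an effect at each higher level, applies the 1R/2R rule for redundant items and lists single points of failure. The item codes, the redundant thruster item and its effect text are constructed for illustration; only the wrist roll actuator row follows the worked example.

```python
"""FMEA worksheet model: bottom-up effect tracing through indenture levels,
NASA severity as the criticality metric, and single-point-of-failure listing.
Added example, not from the slides, NASA or the Ranger project; item codes and
the thruster item are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Item:
    name: str
    code: str                        # standardised coding scheme (constructed)
    parent: Optional["Item"] = None  # next higher assembly (NHA); None = system
    redundant: bool = False          # an independent copy can take over

@dataclass
class FailureMode:
    item: Item
    mode: str
    causes: List[str]
    phase: str
    effects: Dict[str, str]          # item code -> effect seen at that level
    base_severity: int               # end-effect severity if it occurs, 1..4
    detection: str = ""
    recovery: str = ""

def indenture_chain(item: Item) -> List[Item]:
    """Item, its NHA, ..., the system: the levels an effect is traced through."""
    chain = []
    while item is not None:
        chain.append(item)
        item = item.parent
    return chain

def severity(fm: FailureMode) -> str:
    """NASA rule: a redundant item's mode that would be Cat 1/2 only if all
    copies failed is coded 1R/2R (loss of redundancy), not 1/2."""
    if fm.item.redundant and fm.base_severity in (1, 2):
        return f"{fm.base_severity}R"
    return str(fm.base_severity)

def is_single_point_failure(fm: FailureMode) -> bool:
    """One mode of a non-redundant item with a Cat 1 or 2 end effect."""
    return severity(fm) in ("1", "2")

def worksheet_row(fm: FailureMode) -> Dict[str, str]:
    """One row per postulated single failure mode (ground rule: one mode at a
    time, everything else nominal), tracing the effect from the local level
    to the NHA and to the system (end) level."""
    chain = indenture_chain(fm.item)
    nha = chain[1] if len(chain) > 1 else chain[0]
    end = chain[-1]
    return {
        "id": fm.item.code, "phase": fm.phase, "item": fm.item.name,
        "mode": fm.mode, "cause": "; ".join(fm.causes),
        "local": fm.effects.get(fm.item.code, "None"),
        "nha": fm.effects.get(nha.code, "None"),
        "end": fm.effects.get(end.code, "None"),
        "sev": severity(fm),
        "detection": fm.detection, "recovery": fm.recovery,
    }

def single_point_failures(modes: List[FailureMode]) -> List[str]:
    return [f"{fm.item.code}: {fm.mode}" for fm in modes if is_single_point_failure(fm)]


# Constructed Ranger-like indenture tree (codes are invented).
VEHICLE = Item("Ranger TRVS", "TRVS")
ARM = Item("Dexterous arm", "TRVS.ARM-D", parent=VEHICLE)
WRIST = Item("Wrist roll actuator", "TRVS.ARM-D.WR", parent=ARM)
THRUSTER = Item("Thruster string A", "TRVS.THR-A", parent=VEHICLE, redundant=True)

MODES = [
    FailureMode(  # the worked example from the slides
        WRIST, "Loss of motor actuation of joint",
        ["Part failure in drive circuit", "Loss of motor control"],
        "On-orbit repair operations",
        {WRIST.code: "Loss of wrist roll motion and torque",
         ARM.code: "Cannot continue on-orbit manipulation task",
         VEHICLE.code: "None at vehicle level (safe return assured)"},
        base_severity=2,
        detection="Position and torque sensing displayed at DAC",
        recovery="Design for stowage at any angle",
    ),
    FailureMode(  # constructed row showing the 'R' rule for a redundant item
        THRUSTER, "String fails to fire", ["Valve stuck closed"], "Orbital transfer",
        {THRUSTER.code: "No thrust from string A",
         VEHICLE.code: "Loss of vehicle only if string B also fails"},
        base_severity=1, detection="Thrust telemetry", recovery="Switch to string B",
    ),
]

if __name__ == "__main__":
    for row in map(worksheet_row, MODES):
        print(row)
    print("Single points of failure:", single_point_failures(MODES))
```

The wrist actuator row comes out as severity 2 and is listed as a single point of failure for the mission even though its vehicle-level effect is "None": severity follows the worst effect in the chain (mission loss at the arm level), not the end effect alone. The constructed thruster row shows the other side of the rule: a Cat 1 consequence on a redundant item is coded 1R and does not appear in the SPOF list.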
Limitations, advantages and disadvantages
Limitations of the method
Essentially a classical reductionist technique
The effects of coexisting failures are not considered
Environmental differences can affect assumed part reliability
Human errors and hostile environments are frequently overlooked
Fundamentally cannot address system hazards
Advantages
Advantages of the FMECA method are:
Good for discovering single points of failure
Can evaluate risk for SPOFs across all identified failure mode/phase/target (f.m/ph/t) tuples
Can extend PHA hazard analysis for high-risk hazards
Can optimise reliability, design and component selection
Is very thorough and amenable to siege approaches to system analysis
Disadvantages
Disadvantages of the FMECA method are:
Can be extraordinarily tedious and time consuming
Can lead to attentional channelling on single point failures; in practice, system reliability in service is dominated far more by interconnection failures than we'd like to think
Getting failure data, and applying it meaningfully, is difficult and introduces epistemic risk
The very thoroughness can inculcate a false sense of security
Conclusions
FMECA is a single-failure view of the world, and if used to the exclusion of all else it can introduce a false sense of security
The technique's greatest strength is its thoroughness, which is also its greatest drawback
There is a place for the tailored and judicious use of the technique, especially if coupled with a reliability-centred maintenance program
Further reading
Bibliography
[Clements 1996] Clements, P. (1996) Sverdrup System Safety Course Notes, Sverdrup.
[US DoD 1980] US DoD (1980) Procedures for Performing a Failure Mode, Effects and Criticality Analysis, US Department of Defense Standard MIL-STD-1629A, November 1980.