FMEA / FTA Module

Industrialindo Konsultrain Services – INTRODUCTORY MODULE: A QUANTITATIVE APPROACH TO RISK ASSESSMENT – IKS – The Most Comprehensive Safety Sources

A series on Quantitative Risk Assessment using two complementary methods, working from FMEA/FMECA to FTA to reach a fully comprehensive risk management approach, by IndustrialINDO Konsultrain Services.


Outline of RISK ASSESSMENT Methods
- Definitions
- Qualitative and Quantitative FMEA / FMECA
- Qualitative and Quantitative Fault Tree Analysis (FTA)
- Probabilistic Risk Assessment (PRA)
- Reliability Allocation
- Reliability Prediction
- Reliability Demonstration
- Trend Analysis
- Probabilistic Structural Analysis
- Design of Experiments (DOE)
- Statistical Process Control (SPC)
- Manufacturing Process Capability


Definitions
Probability: The chance or the likelihood of occurrence of an event.
Risk: The chance of occurrence of an undesired event and the severity of the resulting consequences.
Risk Assessment: The process of qualitative risk categorization or quantitative risk estimation.
Risk Management: The process of


Definitions
Reliability: The probability that an item will perform its intended function for a specified mission profile.
Safety: Freedom from injury, damage, or loss of resources.
Hazard: A condition that can result in or contribute to a mishap.
Mishap: An unintended event that can cause injury, damage, or loss.

Failure Modes and Effects Analysis (FMEA)
FMEA is an inductive (bottom-up) engineering analysis method. It is intended to analyze system hardware, processes, or functions for failure modes, causes, and effects. Its primary objective is to identify critical and catastrophic failure modes and to assure that potential failures do not result in an adverse effect on safety and system operation. It is an integral part of the design process, and it is performed in a timely manner to facilitate prompt action by the design organization and project management.

Failure Modes and Effects Analysis (FMEA)
Items in a typical FMEA sheet for the Shuttle program:
- Nomenclature and function
- Failure mode and cause
- Failure effect on subsystem
- Failure effect on element
- Failure effect on mission/crew and reaction time
- Failure detection
- Redundancy screens
- Correcting action / timeframe / remarks

FAILURE MODE EFFECTS ANALYSIS
REVISION: Basic  DATE: March 15, 1988  PAGE: A-141  SUPERCEDES: ______  ANALYST: C. Barnes  APPROVED: G. Perry
Subsystem: THRUST VECTOR CONTROL SUBSYSTEM
Mission phases: A Final Countdown; B Boost; C Separation; D Descent; E Retrieval
Sheet columns: Nomenclature and Function | Failure Mode and Cause | Failure Effect on Subsystem | Failure Effect on SRB | Failure Effect on Mission/Crew and Reaction Time | a. Failure Detection, b. Redundancy Screens | Correcting Action / Timeframe / Remarks | Crit Cat
Sample entry:
Nomenclature and function: 20-01-44 Turbine Exhaust Duct Assembly, P/N 10206-0002-102, Ref. Des.: None, 2 required. Vents HPU turbine exhaust gas to atmosphere outside of the aft skirt. Exhaust Duct Assembly includes: Upper Exhaust Assembly (three bellows) 10206-0003-101; Middle Exhaust Assembly 10206-0007-101 (Alt. 10206-0031-851, Alt. 10206-0044-851, Alt. 10206-0045-851); Lower Exhaust Assembly 10206-0010-101.
Failure mode and cause: FM Code A01, external leakage of hot exhaust gas (System A and/or B), caused by: bellows fracture/fatigue; flange/duct fracture; seal failure; seal surface defect; improper torque; contamination during assembly; improperly lockwired.
Failure effect on subsystem: A,B: Actual loss; loss of containment of hot exhaust gases. C,D,E: No effect; failure mode not applicable to these phases.
Failure effect on SRB: A,B: Probable loss; fire and explosion. C,D,E: No effect; failure mode not applicable to these phases.
Failure effect on mission/crew and reaction time: A,B: Probable loss; fire and explosion will lead to loss of the mission, vehicle, and crew. Reaction time: seconds. C,D,E: No effect; failure mode not applicable to these phases.
Failure detection / redundancy screens: a) N/A, b) N/A; 3; a) None, b) N/A
Correcting action: None. Timeframe: N/A. Crit Cat: 1

Failure Modes and Effects Analysis (FMEA)
Benefits:
- The FMEA provides a systematic evaluation and documentation of failure modes, causes and their effects.
- It categorizes the severity (criticality category) of the potential effects from each failure mode / failure cause.
- It provides input to the CIL (Critical Items List).
- It identifies all single point failures.
- The FMEA findings constitute a major consideration in design and management reviews.
- Results from the FMEA provide data for other types of analysis, such as design improvements, testing, operations and maintenance, and analysis of mission risk.

Failure Modes, Effects, and Criticality Analysis (FMECA)
A FMECA is similar to a FMEA; however, a FMECA provides information to quantify, prioritize and rank failure modes. It is an analysis procedure which identifies all possible failure modes, determines the effect of each failure on the system, and ranks each failure according to a severity classification of failure effect.
MIL-STD-1629A, Procedures for Performing a FMECA, discusses the FMECA as a two-step process:
1. Failure Modes and Effects Analysis (FMEA).
2. Criticality Analysis (CA).
Criticality analysis can be done quantitatively using failure rates, or qualitatively using a Risk Priority Number (RPN). CA using failure rates requires an extensive amount of information and failure data.

Failure Modes, Effects, and Criticality Analysis (FMECA) - Example
Part name / part number: Turbine Exhaust Duct Assembly, P/N 10206-0002-102
Potential failure mode: External leakage of hot exhaust gas (System A and/or B)
Causes (failure mechanism) and effects:
1. Bellows fracture/fatigue - Fire and explosion
2. Flange/duct fracture - Fire and explosion
3. Seal failure - Fire and explosion
4. Seal surface defect - Fire and explosion
5. Improper torque - Fire and explosion
6. Contamination during assembly - Fire and explosion
7. Improperly lockwired - Fire and explosion
Worksheet columns for each cause: Effects | Risk Priority Rating (Sev, Freq, Det, RPN) | Recommended Improvement | Revised Risk Priority Rating (Sev, Freq, Det, RPN). No rating values or improvements are given on the slide.

Qualitative Fault Tree Analysis (FTA)
A FTA is a deductive (top-down) approach that graphically and logically represents events at a lower level which can lead to a top undesirable event. It is a tool that can systematically answer the question of what can go wrong by identifying failure scenarios. It is an excellent tool for analyzing complex systems. Qualitative FTA is predominantly a safety tool.

Qualitative Fault Tree Analysis (FTA)
X-34 Hydraulic System Example
This is a portion of a schematic of a system which incorporates three hydraulic pump packages. The system can still function properly if two of the pumps operate. The fault tree example is only a tiny portion of one pump package from the hydraulic system fault tree on which this example was based.
[Schematic: components shown are Charging Connector, External Power, Flight Computer, Pump Motor Controllers 1-3 (18 HP var), pressure transducers (PT), Pump Batteries 1-3, Pump Latching Relays 1-3, Cooling Plate, and FWD Manifold.]

Qualitative Fault Tree Analysis (FTA)
X-34 Hydraulic System Example (fault tree)
Top event: Inadequate Power to Pump Package 1 Motor (MTR-1-PWR), transfer from Page X
  - Pump Package 1 Motor Controller Off / Low (MTR-CTRL-1-OFF)
      - Pump Package 1 Motor Controller Fails Off / Low (Component Failure) (MTR-CTRL-1-FOF)
      - Pump Package 1 Motor Controller Commanded Off / Low (Software / Pressure Transducer Error) (MTR-1-CTRL-CMD-OFF)
  - Inadequate / No Power to Pump Package 1 Motor Controller (MTR-CTRL-1-PWR)
      - Pump Package 1 Battery Failure (Loss of Charge / Inadequate Charge) (PMP-PKG-1-BAT-F)
      - Pump Package Relay Fails / Commanded Off (PMP-PKG-1-REL-OFF), transfer to Page XX
          - Pump Package 1 Relay Fails Off (PKG-1-REL-FOF)
          - Pump Package 1 Relay Commanded to "Off" Position (PMP-PKG-1-CMD-OFF)

Qualitative Fault Tree Analysis (FTA)
Benefits:
- Provides a format for quantitative and qualitative evaluation.
- Provides a visual description of system functions that lead to undesired outcomes.
- Identifies failure potentials which may otherwise be overlooked.
- Identifies design features that preclude occurrence of a top level fault event.
- Identifies manufacturing and processing faults.
- Determines where to place emphasis for further testing and analysis.
- Directs the analyst deductively to accident-related events.
- Useful in investigating accidents or problems resulting from use of a complex system.

Qualitative Fault Tree Analysis (FTA)
Benefits (contd):
- Can identify the impact of operator/personnel interaction with a system.
- Can help identify design, procedural, and external conditions which can cause problems under normal operations.
- Often identifies common faults or inter-related events which were previously unrecognized as being related.
- Excellent for ensuring interfaces are analyzed as to their contribution to the top undesired event.
- Can easily include design flaws, human and procedural errors which are sometimes difficult to quantify (and therefore often ground-ruled out of quantitative analysis).
- Qualitative FTA requires cutset analysis to attain the full benefits of the analysis. (Cutsets: any group of nonredundant contributing elements which, if all occur, will cause the top event to occur.)

Qualitative Fault Tree Analysis (FTA)
Considerations:
- FTA addresses only one undesirable condition or event at a time. Many FTAs might be needed for a particular system.
- Both Quantitative and Qualitative FTAs are time/resource intensive.
- In general, design oriented FTAs require much more time than failure investigation FTAs. Management is mostly acquainted with failure investigation FTAs; such FTA efforts can give a false sense of how quickly a design FTA can be developed.

Quantitative Fault Tree Analysis (FTA)
- Quantitative FTA is used as a Reliability and a Safety tool.
- It diverges from Qualitative FTA in that failure rates or probabilities are input into the tree and the probability of occurrence is computed for the cutsets and the top undesirable event.
- Tends to be strictly hardware failure oriented, as opposed to Qualitative FTA (which includes hardware and other less quantifiable faults).
- Is excellent for comparing different configurations of a system (even if the failure rate data uncertainty is fairly high).
- Can be used to calculate the probability of

Quantitative Fault Tree Analysis (FTA)
X-33 Methane Ground Storage and Loading Example
System Description: Methane loading system. The methane is stored in a tank in liquid form and then vaporized and loaded as a gas. This example terminates at valve failure.

Quantitative Fault Tree Analysis (FTA)
X-33 Methane Ground Storage and Loading Example (fault tree)
Events shown in the tree, with their identifiers:
- Inability to Load Methane (CH4): NO-LOAD-CH4 (top event)
- CH4 Not Supplied Through Manual Valve V-1537: VIA-VLV-1537
- Loss / Blockage of CH4 in Loading Line (Post V-1537): LOAD-LINE
- Valve V-1557 Fails Open: VLV-1557-OP
- Valve V-1537 Fails Closed: VLV-1537-CL
- CH4 Vented Through Load Line: CH4-LOAD-VNT
- CH4 Transfer Blocked Through Load Line: CH4-LOAD-BLK
- Solenoid Operated Valve SOV-1549 Mech. Fails Open: SOV-1549-MECH-OP (3.90E-04)
- Solenoid Operated Valve SOV-1549 Solenoid Fails Open: SOV-1549-SOL-OP (3.90E-04)
- Relief Valve RV1552 Open: RV-1552-OP
- Solenoid Operated Valve SOV-1561 Fails Closed: SOV-1561-MECH-CL
- Check Valve CV1548 Fails Closed: CV-1548-CL
- Solenoid Operated Valve SOV-1561 Mech. Fails Closed / Solenoid Operated Valve SOV-1561 Solenoid Fails Closed: SOV-1561-SOL-OP, SOV-1561-MECH-OP
Further basic-event probabilities printed on the tree: 6.50E-06, 3.90E-04, 3.90E-05, 2.86E-08, 6.50E-06, 3.90E-04 (their placement on the tree is not preserved in the transcript).
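Cutset analysis (named as a requirement on the Qualitative FTA benefits slide) and quantitative evaluation of the top event (this X-33 example) need the same tree machinery, so one added example covers both. This is illustrative code written for this edit, not the IKS module's own material and not a NASA tool: the gate structure, the gate types and the mapping of the slide's probability values onto basic events are assumptions, because the transcript does not preserve the tree's layout. The code enumerates minimal cutsets, computes the top-event probability both exactly and with the rare-event (sum of cutsets) approximation, and ranks basic events by Fussell-Vesely importance, the share of top-event probability flowing through cutsets that contain the event, which is how a reviewer decides where a design change buys the most risk reduction.

```python
"""Fault tree helper: minimal cut sets and top-event probability.
Added example, not code from the IKS module. Tree structure, gate types
and the assignment of probabilities to basic events are ASSUMED, loosely
following the X-33 methane loading slide."""
from itertools import product
from math import prod

# name -> (gate type, children); anything not listed here is a basic event
GATES = {
    "NO-LOAD-CH4":  ("OR",  ["VLV-1537-CL", "LOAD-LINE"]),
    "LOAD-LINE":    ("OR",  ["CH4-LOAD-VNT", "CH4-LOAD-BLK"]),
    # assumed: venting defeats loading only if V-1557 fails open AND SOV-1549 opens
    "CH4-LOAD-VNT": ("AND", ["VLV-1557-OP", "SOV-1549-OP"]),
    "SOV-1549-OP":  ("OR",  ["SOV-1549-MECH-OP", "SOV-1549-SOL-OP"]),
    "CH4-LOAD-BLK": ("OR",  ["SOV-1561-CL", "CV-1548-CL"]),
    "SOV-1561-CL":  ("OR",  ["SOV-1561-MECH-CL", "SOV-1561-SOL-CL"]),
}
# basic-event probabilities (values as printed on the slide, mapping assumed)
BASIC = {
    "VLV-1537-CL": 6.50e-06, "VLV-1557-OP": 3.90e-04,
    "SOV-1549-MECH-OP": 3.90e-04, "SOV-1549-SOL-OP": 3.90e-04,
    "SOV-1561-MECH-CL": 6.50e-06, "SOV-1561-SOL-CL": 3.90e-05,
    "CV-1548-CL": 6.50e-06,
}

def cut_sets(event):
    """All cut sets of `event` (not yet minimal) as frozensets."""
    if event not in GATES:
        return [frozenset([event])]
    gate, children = GATES[event]
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":                      # any child's cut set suffices
        return [cs for sets in child_sets for cs in sets]
    return [frozenset().union(*combo)     # AND: one cut set from every child
            for combo in product(*child_sets)]

def minimal_cut_sets(event):
    """Drop every cut set that strictly contains another cut set."""
    sets = set(cut_sets(event))
    keep = [cs for cs in sets if not any(o < cs for o in sets)]
    return sorted(keep, key=lambda cs: (len(cs), sorted(cs)))

def probability(event, basic=BASIC):
    """Exact gate-by-gate probability assuming independent basic events."""
    if event not in GATES:
        return basic[event]
    gate, children = GATES[event]
    probs = [probability(c, basic) for c in children]
    if gate == "AND":
        return prod(probs)
    return 1.0 - prod(1.0 - p for p in probs)   # OR: 1 - P(none occur)

def cut_set_probability(cs, basic=BASIC):
    return prod(basic[e] for e in cs)

def rare_event_probability(event, basic=BASIC):
    """Sum over minimal cut sets: the usual upper-bound approximation."""
    return sum(cut_set_probability(cs, basic) for cs in minimal_cut_sets(event))

def fussell_vesely(event, basic=BASIC):
    """Fraction of top-event probability flowing through cut sets that
    contain each basic event: where a fix buys the most risk reduction."""
    mcs, top = minimal_cut_sets(event), rare_event_probability(event, basic)
    return {e: sum(cut_set_probability(cs, basic) for cs in mcs if e in cs) / top
            for e in basic}

if __name__ == "__main__":
    for cs in minimal_cut_sets("NO-LOAD-CH4"):
        print("cut set:", sorted(cs))
    print("P(top) exact      = %.4e" % probability("NO-LOAD-CH4"))
    print("P(top) rare-event = %.4e" % rare_event_probability("NO-LOAD-CH4"))
    for e, fv in sorted(fussell_vesely("NO-LOAD-CH4").items(), key=lambda kv: -kv[1]):
        print("%-18s FV = %.3f" % (e, fv))
```

With the assumed numbers the tree has four single-event cutsets and two double-event cutsets, and the single solenoid failure SOV-1561-SOL-CL alone carries about two thirds of the top-event probability; the rare-event sum sits just above the exact value, as it must, since it double-counts overlapping cutsets.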

Quantitative Fault Tree Analysis (FTA)
Considerations:
- The probabilities derived from a Quantitative FTA should be viewed with the uncertainty fully understood.
- It is often difficult to obtain valid reliability data for experimental / nonproduction related systems. In such cases: too few items are available for a proper statistical sample, and data from like systems and operating environments must be used.
- Quantitative FTA has little or no place in

Probabilistic Risk Assessment (PRA)
PRA is a process that follows a quantitative approach to determine the risk of a top undesirable event and the associated uncertainty arising from inherent causes. It provides a systematic way of answering the following questions:
- What can go wrong?
- How likely is it to happen?
- What are the consequences?
- How certain are we about the answer? (uncertainty or state of knowledge)
The main tools used in PRA processes are fault trees, event sequence diagrams, and event trees. Other tools such as reliability block diagrams can be used to support a PRA study.

Probabilistic Risk Assessment (PRA)
A typical PRA process involves:
1. Identification of end state(s) to be assessed.
2. Identification of Initiating Events (IE) leading to the end states.
3. Development of the Event Sequence Diagrams (ESD) for the initiating event. An ESD shows the sequence of events from IE to end states.
4. Quantification of ESDs (event tree).
5. Aggregation of risk for each system end state.

Probabilistic Risk Assessment (PRA)
A PRA Process Example
Master Logic Diagram (MLD): the MLD identifies all significant basic/initiating events that could lead to loss of vehicle. Inputs to the event probability distributions: flight/test data, probabilistic structural models, similarity analysis, engineering judgment.
[Event tree figure: Porosity Present in Blade -> Turbine Inspection Effective -> Porosity Not in Critical Location -> Porosity Present in Critical Location Leads to Crack in]
Manufacturing Process Capability
- Cpk > 1.33: Capable
- Cpk = 1.00-1.33: Capable with tight control
- Cpk < 1.00: Incapable
Manufacturing process capability is essential to evaluate the suitability of the process to meet the spec. Manufacturing process capability data are one of the essential data sources to support design feasibility and reliability trade studies.

Manufacturing Process Capability
Application Example: Injector Lox Post Tolerance Requirement
Background: Lox post OD and ID dimensions have a significant effect on lox and fuel mixture properties. Uneven mixture of the propellants and localized overheating impact engine performance and reliability.
Analysis Support: OD and ID tolerance boundaries need to be established with sound engineering rationale and be backed up by manufacturing process capability.
[Figure: lox post cross-section showing ID and OD.]

Manufacturing Process Capability
Application Example: Injector Lox Post Tolerance Requirement
Analysis Approach and Result: Performance impact is correlated with OD and ID dimensions. Localized overheating is assessed by OD and ID process variability. Tolerance boundaries were established as +/- .0005 for both OD and ID. Results indicate the process capability is feasible to support the design and reliability requirement.

Manufacturing Process Capability
Example: Main Injector Lox Post ID Dimension
Mean = -.0000095, sigma = .000076, Cpk = 2.14
[Histogram: frequency (0 to 4) of Post ID Deviation from Nominal (x 0.0001, from -5 to +5), with LSL, Nominal and USL marked and the -3s and +3s process limits shown.]
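An added example, not from the IKS module, that computes Cp/Cpk from the lox post numbers on this slide (tolerance +/- .0005, mean -.0000095, sigma .000076) and applies the capability bands listed on the PRA/manufacturing slide (Cpk > 1.33 capable, 1.00-1.33 capable with tight control, < 1.00 incapable). Computed from the rounded figures quoted on the slide it gives about 2.15, consistent with the slide's 2.14 to within the rounding of sigma. The measured-deviation sample at the bottom is constructed for illustration.

```python
"""Process capability (Cp/Cpk): added example, not the IKS module's own
code. Uses the slide's lox post ID numbers: tolerance +/- .0005, mean
-.0000095, sigma .000076. The sample measurements are CONSTRUCTED."""
from math import erfc, sqrt
from statistics import mean, stdev

def capability(mu, sigma, lsl, usl):
    """Cp (spread only) and Cpk (spread and centring) for a normal process."""
    cp = (usl - lsl) / (6 * sigma)
    cpu = (usl - mu) / (3 * sigma)      # distance to the upper limit
    cpl = (mu - lsl) / (3 * sigma)      # distance to the lower limit
    return cp, min(cpu, cpl)            # Cpk is governed by the nearer limit

def classify(cpk):
    """Capability bands as given on the module's manufacturing slide."""
    if cpk > 1.33:
        return "Capable"
    if cpk >= 1.00:
        return "Capable with tight control"
    return "Incapable"

def fraction_out_of_spec(mu, sigma, lsl, usl):
    """Expected fraction of parts outside [lsl, usl] under normality."""
    tail = lambda z: 0.5 * erfc(z / sqrt(2))   # upper-tail normal probability
    return tail((usl - mu) / sigma) + tail((mu - lsl) / sigma)

def capability_from_sample(deviations, lsl, usl):
    """Estimate mu and sigma from measured deviations, then Cp and Cpk."""
    mu, sigma = mean(deviations), stdev(deviations)
    cp, cpk = capability(mu, sigma, lsl, usl)
    return mu, sigma, cp, cpk

LSL, USL = -0.0005, 0.0005                      # tolerance from the slide
SLIDE_MEAN, SLIDE_SIGMA = -0.0000095, 0.000076  # stated on the slide

# Constructed measurements: deviation of post ID from nominal, in inches
SAMPLE = [0.00003, -0.00008, 0.00011, -0.00002, 0.00006,
          -0.00012, 0.00001, 0.00009, -0.00005, 0.00004]

if __name__ == "__main__":
    cp, cpk = capability(SLIDE_MEAN, SLIDE_SIGMA, LSL, USL)
    print("slide values: Cp=%.2f Cpk=%.2f -> %s" % (cp, cpk, classify(cpk)))
    print("expected out-of-spec fraction: %.2e"
          % fraction_out_of_spec(SLIDE_MEAN, SLIDE_SIGMA, LSL, USL))
    mu, s, cp, cpk = capability_from_sample(SAMPLE, LSL, USL)
    print("constructed sample: mean=%.7f sigma=%.7f Cp=%.2f Cpk=%.2f -> %s"
          % (mu, s, cp, cpk, classify(cpk)))
```

Note that Cpk is driven by whichever specification limit the process mean sits closer to; with the slide's slightly negative mean the lower limit governs, which is why Cpk (about 2.15) is below Cp (about 2.19).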

Manufacturing Process Capability
Benefits:
- Manufacturing process capability data are vital to support design feasibility.
- Manufacturing process capability is a good tool to judge the suitability of the process to build a specific design.
Limitations:
- Process capability data represent a dynamic manufacturing environment and can be easily misused.
- Maintaining a manufacturing process capability data bank is a very intensive effort.

Conclusions/Recommendations
- QRA is a well-established technology that involves methods and techniques beyond conducting classical PRA studies.
- QRA is essential to understanding uncertainty and controlling our critical processes.
- Implementation and use of QRA could be enhanced if: QRA is incorporated as part of the system management process; QRA methods and techniques are viewed as part of the system engineering effectiveness tools.
- QRA is extremely important for the Space Shuttle Program to understand and control risk.
- QRA techniques are well-established; however, the application of the techniques on a larger scale will require careful planning, extensive training, and strong commitment by the Shuttle Program.

MODULE - FMECA
Industrialindo Konsultrain Services

BACKGROUND
PREMISE (Why We Need It): You own/operate/require/design/or are responsible for equipment essential to a system/process/activity which may be small or large, simple or complex. It may be a future plan, or be presently in operation.
NEED (The Need): Reassurance that causes, effects, and risks of system failures have

WHAT IS FMECA?
Failure modes, effects, and criticality analysis (FMECA) is a methodology to identify and analyze:
- All potential failure modes of the various parts of a system
- The effects these failures may have on the system
- How to avoid the failures, and/or mitigate the effects of the failures on the system
FMECA is a technique used to identify, prioritize, and eliminate potential failures from the system, design or process before they reach the customer.

WHAT IS FMECA? (2)
Initially, the FMECA was called FMEA (Failure modes and effects analysis). The C in FMECA indicates that the criticality (or severity) of the various failure effects is considered and ranked. Today, FMEA is often used as a synonym for FMECA; the distinction between the two terms has become blurred.

HISTORY OF FMECA
- FMECA was one of the first systematic techniques for failure analysis.
- FMECA was developed by the U.S. Military. The first guideline was Military Procedure MIL-P1629, Procedures for performing a failure mode, effects and criticality analysis, dated November 9, 1949.
- FMECA is the most widely used reliability analysis technique in the initial stages of product/system development.
- FMECA is usually performed during the conceptual and initial design phases of the system in order to assure that all potential failure modes have been considered and the

What can FMECA be used for?
- Assist in selecting design alternatives with high reliability and high safety potential during the early design phases
- Ensure that all conceivable failure modes and their effects on the operational success of the system have been considered
- List potential failures and identify the severity of their effects
- Develop early criteria for test planning and requirements for test equipment
- Provide historical documentation for future reference to aid in the analysis of field failures and consideration of design changes
- Provide a basis for maintenance planning

DEFINITIONS
FAULT: Inability to function in a desired manner, or operation in an undesired manner, regardless of cause.
FAILURE: A fault owing to breakage, wear out, compromised structural integrity, etc. FMEA does not limit itself strictly to failures, but includes faults.
FAILURE MODE: The manner in which a fault occurs, i.e., the way in which the element faults.

DEFINITIONS (2)
FAILURE EFFECT: The consequence(s) of a failure mode on the operation, function, or status of a system/process/activity/environment; the undesirable outcome of a fault of a system element in a particular mode. The effect may range from relatively harmless impairment of performance to multiple fatalities, a major equipment loss, or environmental damage, for example.
All failures are faults; not all faults are failures. Faults can be caused by actions that are not strictly failures. A system that has been shut down by safety features responding properly has NOT faulted (e.g., an overtemperature cutoff). A protective device which functions as intended (e.g., a blown fuse) has NOT failed.
FAILED/FAULTED SAFE: Proper function is compromised, but no further threat of harm exists (e.g., a smoke detector alarms in the absence of

FMEA PROCESS FLOW
[Figure: FMEA process flow.]

FMECA FUNDAMENTAL QUESTIONS
- How can each part conceivably fail?
- What mechanisms might produce these modes of failure?
- What could the effects be if the failures did occur?
- Is the failure in the safe or unsafe direction?
- How is the failure detected?
- What inherent provisions are

WHEN DO WE NEED FMECA?
The FMECA should be initiated as early in the design process as possible, where we are able to have the greatest impact on the equipment reliability. The locked-in cost versus the total cost of a product is illustrated in the figure:
[Figure: locked-in cost versus total cost of a product.]

SOME TYPES OF FMECA
- Design FMECA is carried out to eliminate failures during equipment design, taking into account all types of failures during the whole life-span of the equipment.
- Process FMECA is focused on problems stemming from how the equipment is manufactured, maintained or operated.
- System FMECA looks for potential problems and bottlenecks in larger

Two approaches to FMECA
Bottom-up approach: The bottom-up approach is used when a system concept has been decided. Each component on the lowest level of indenture is studied one-by-one. The bottom-up approach is also called the hardware approach. The analysis is complete since all components

Two approaches to FMECA
Top-down approach: The top-down approach is mainly used in an early design phase before the whole system structure is decided. The analysis is usually function oriented. The analysis starts with the main system functions and how these may fail. Functional failures with significant effects are usually prioritized in the analysis. The analysis will not necessarily be complete. The top-

FMECA standards
- MIL-STD 1629: Procedures for performing a failure mode and effect analysis
- IEC 60812: Procedures for failure mode and effect analysis (FMEA)
- BS 5760-5: Guide to failure modes, effects and criticality analysis (FMEA and FMECA)
- SAE ARP 5580: Recommended failure modes and effects analysis (FMEA) practices for non-automobile applications
- SAE J1739: Potential Failure Mode and Effects Analysis in Design (Design FMEA), Potential Failure Mode and Effects Analysis in Manufacturing and Assembly Processes (Process FMEA), and Potential Failure Mode and Effects Analysis for Machinery (Machinery FMEA)
- SEMATECH (1992): Failure Modes and Effects

FMECA IMPLEMENTATION PROCEDURE
FMECA main steps:
1. FMECA prerequisites
2. System structure analysis
3. Failure analysis and preparation of FMECA worksheets
4. Team review
5. Corrective actions

FMECA prerequisites
1. Define the system to be analyzed:
(a) System boundaries (which parts should be included and which should not)
(b) Main system missions and functions (incl. functional requirements)
(c) Operational and environmental conditions to be considered
Note: Interfaces that cross the design boundary should be included in the analysis.
2. Collect available information that describes the system to be analyzed, including drawings, specifications, schematics, component lists, interface information, functional descriptions, and so on.
3. Collect information about previous and similar designs from internal and external sources;

System structure analysis
1. Divide the system into manageable units, typically functional elements. The level of detail to which the system should be broken down will depend on the objective of the analysis. It is often desirable to illustrate the structure by a hierarchical tree diagram:
[Figure: hierarchical tree diagram of the system structure.]

System structure analysis (2)
In some applications it may be beneficial to illustrate the system by a functional block diagram (FBD), as illustrated in the following figure.
[Figure: functional block diagram.]

System structure analysis (3)
The analysis should be carried out at as high a level in the system hierarchy as possible. If unacceptable consequences are discovered at this level of resolution, then the particular element (subsystem, sub-subsystem, or component) should be divided into further detail to identify failure modes and failure causes on a lower level. Starting at too low a level will give a complete analysis, but may at the same time be a waste of effort and

Worksheet preparation
Preparation of FMECA worksheets: A suitable FMECA worksheet for the analysis has to be decided. In many cases the client (customer) will have requirements for the worksheet format, for example to fit into his maintenance management system. A sample FMECA worksheet covering the most relevant columns is given below.
[Figure: sample FMECA worksheet.]

Preparation of FMECA worksheets - (2)
For each system element (subsystem, component) the analyst must consider all the functions of the element in all its operational modes, and ask if any failure of the element may result in any unacceptable system effect. If the answer is no, then no further analysis of that element is necessary. If the answer is yes, then the element must be examined further. We will now discuss the various columns in the FMECA worksheet on the previous slide.
1. In the first column a unique reference to an element (subsystem or component) is given. It may be a reference to an id. in a specific drawing, a so-called tag number, or the name of the element.
2. The functions of the element are listed. It is

Preparation of FMECA worksheets - (3)
3. The various operational modes for the element are listed. Examples of operational modes are: idle, standby, and running. Operational modes for an airplane include, for example, taxi, take-off, climb, cruise, descent, approach, flare-out, and roll. In applications where it is not relevant to distinguish between operational modes, this column may be omitted.
4. For each function and operational mode of an element the potential failure modes have to be identified and listed. Note that a failure mode should be defined as a

Preparation of FMECA worksheets - (4)
5. The failure modes identified in column 4 are studied one-by-one. The failure mechanisms (e.g., corrosion, erosion, fatigue) that may produce or contribute to a failure mode are identified and listed. Other possible causes of the failure mode should also be listed. It may be beneficial to use a checklist to ensure that all relevant causes are considered. Other relevant sources include: FMD-97 Failure Mode/Mechanism Distributions published by RAC, and OREDA (for offshore equipment).
6. The various possibilities for detection of the identified failure modes are listed. These may involve diagnostic testing, different alarms, proof testing, human perception, and the like. Some

Preparation of FMECA worksheets - (4) (contd)
In some applications an extra column is added to rank the likelihood that the failure will be detected before the system reaches the end-user/customer. The following detection ranking may be used:
[Table: detection ranking.]

Preparation of FMECA worksheets - (5)
7. The effects each failure mode may have on other components in the same subsystem and on the subsystem as such (local effects) are listed.
8. The effects each failure mode may have on the system (global effects) are listed. The resulting operational status of the system after the failure may also be recorded, that is, whether the system is functioning or not, or is switched over to another operational mode. In some applications it may be beneficial to consider each category of effects separately, like: safety effects, environmental effects, production availability effects, economic effects, and so on. In some applications it may be relevant to

Preparation of FMECA worksheets - (6)
9. Failure rates for each failure mode are listed. In many cases it is more suitable to classify the failure rate in rather broad classes. An example of such a classification is:
1 Very unlikely: once per 1000 years or more seldom
2 Remote: once per 100 years
3 Occasional: once per 10 years
4 Probable: once per year
5 Frequent: once per month or more often

Preparation of FMECA worksheets - (7)
10. The severity of a failure mode is the worst potential (but realistic) effect of the failure considered on the system level (the global effects). The following severity classes for health and safety effects are sometimes adopted:
[Table: severity classes for health and safety effects.]

Preparation of FMECA worksheets - (8)
In some applications the following severity classes are used:
[Table: severity classes.]

Preparation of FMECA worksheets - (9)
11. Possible actions to correct the failure and restore the function or prevent serious consequences are listed. Actions that are likely to reduce the frequency of the failure modes should also be recorded. We come back to these actions later in the presentation.
12. The last column may be used to record pertinent information not included in the other columns.

Risk ranking and team review
The risk related to the various failure modes is often presented either by a risk matrix or by a risk priority number (RPN).
Risk matrix: The risk associated with a failure mode is a function of the frequency of the failure mode and the potential end effects (severity) of the failure mode. The risk may be illustrated in a so-called risk matrix.
[Figure: risk matrix.]

Risk ranking and team review
Risk priority number: An alternative to the risk matrix is to use the ranking of:
O = the rank of the occurrence of the failure mode
S = the rank of the severity of the failure mode
D = the rank of the likelihood that the failure will be detected before the system reaches the end-user/customer
All ranks are given on a scale from 1 to 10. The risk priority number (RPN) is defined as

RPN has no clear meaning
- How the ranks O, S, and D are defined depends on the application and the FMECA standard that is used.
- The O, S, D, and the RPN can have different meanings for each FMECA.
- Sharing numbers between companies and groups is very difficult.

Alternative FMECA worksheet
When using the risk priority number, we sometimes use an alternative worksheet with separate columns for O, S, and D. An example is shown below:
[Figure: alternative FMECA worksheet with O, S and D columns.]

FMECA review team
A design FMECA should be initiated by the design engineer, and the system/process FMECA by the systems engineer. The following personnel may participate in reviewing the FMECA (the participation will depend on type of equipment, application, and available resources):
- Project manager
- Design engineer (hardware/software/systems)
- Test engineer
- Reliability engineer
- Quality engineer
- Maintenance engineer
- Field service engineer
- Manufacturing/process engineer
- Safety engineer

Review objectives
The review team studies the FMECA worksheets and the risk matrices and/or the risk priority numbers (RPN). The main objectives are:
1. To decide whether or not the system is acceptable
2. To identify feasible improvements of the system to reduce the risk. This may be achieved by:
(a) Reducing the likelihood of occurrence of the failure
(b) Reducing the effects of the failure
(c) Increasing the likelihood that the failure is detected before the system reaches the end-user.
If improvements are decided, the FMECA

Corrective actions
Selection of actions:
- Design changes
- Engineered safety features
- Safety devices
- Warning devices
- Procedures/training

Reporting of actions
The suggested corrective actions are reported, for example, as illustrated in the printout from the Sverdrup program (printout not reproduced in this transcript).

RPN reduction
The risk reduction related to a corrective action may be assessed by comparing the RPN for the initial and the revised concept, respectively. A simple example is given in the following table (table not reproduced in this transcript).
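As an added illustration that is not part of the IKS module, the following Python puts the O, S and D ranks from the preceding slides into a small worksheet: it ranks failure modes by RPN, flags the cases where a more severe mode ends up below a less severe one (the practical reason the slides say the RPN has no clear meaning), and credits the RPN reduction of a corrective action by comparing the initial and revised ranks. The failure modes, their rank values and the wording of the 1..10 scales are constructed assumptions of this example, not data from the module.

```python
"""Risk priority number (RPN) worksheet helpers.
RPN = O * S * D with each rank on a 1..10 scale (10 = worst), as on the slides."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    item: str
    mode: str
    occurrence: int   # O: 1 = very unlikely ... 10 = almost certain (assumed scale)
    severity: int     # S: 1 = negligible ... 10 = hazardous without warning (assumed scale)
    detection: int    # D: 1 = almost certainly detected ... 10 = cannot be detected (assumed)

    def rpn(self):
        for name, r in (("O", self.occurrence), ("S", self.severity), ("D", self.detection)):
            if not 1 <= r <= 10:
                raise ValueError(f"{name} rank must be in 1..10, got {r}")
        return self.occurrence * self.severity * self.detection


def rank_worksheet(rows):
    """Rows ordered by RPN, highest first: what a plain RPN sort of the worksheet gives.
    sorted() is stable, so rows with equal RPN keep their worksheet order."""
    return sorted(rows, key=lambda fm: fm.rpn(), reverse=True)


def severity_inversions(rows):
    """Pairs (above, below) where the row ranked below has strictly higher severity
    but a lower RPN. Each pair is a case where sorting by RPN alone would bury the
    more severe failure mode under a frequent but harmless one."""
    ranked = rank_worksheet(rows)
    found = []
    for i, above in enumerate(ranked):
        for below in ranked[i + 1:]:
            if below.severity > above.severity and below.rpn() < above.rpn():
                found.append((above, below))
    return found


def rpn_reduction(before, after):
    """Risk reduction credited to a corrective action: RPN(initial) - RPN(revised).
    Severity normally stays as it is unless the design itself is changed."""
    return before.rpn() - after.rpn()


# Constructed worksheet rows (not from the module); the ranks are illustrative only.
WORKSHEET = [
    FailureMode("Relief valve", "Stuck closed", 2, 10, 3),   # rare, catastrophic: RPN 60
    FailureMode("Level sensor", "Drift high", 8, 3, 4),      # frequent, minor:     RPN 96
    FailureMode("Pump seal", "External leak", 5, 6, 2),      #                      RPN 60
]

# The same failure mode before and after a corrective action (constructed values):
# a design change lowers O, an added proof test lowers D, S is untouched.
BEFORE = FailureMode("Relief valve", "Stuck closed", 6, 10, 7)   # RPN 420
AFTER = FailureMode("Relief valve", "Stuck closed", 2, 10, 3)    # RPN 60

if __name__ == "__main__":
    for fm in rank_worksheet(WORKSHEET):
        print(f"RPN {fm.rpn():4d}  S={fm.severity:2d}  {fm.item}: {fm.mode}")
    for above, below in severity_inversions(WORKSHEET):
        print(f"RPN ranks '{above.mode}' (S={above.severity}) above "
              f"'{below.mode}' (S={below.severity})")
    print("RPN reduction from the corrective action:", rpn_reduction(BEFORE, AFTER))
```

Running it ranks the harmless sensor drift (RPN 96) above the catastrophic stuck-closed relief valve (RPN 60), which is why a review team should read the S column (or a risk matrix) alongside the RPN rather than sorting on the RPN alone.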

Application areas
Design engineering. The FMECA worksheets are used to identify and correct potential design related problems.
Manufacturing. The FMECA worksheets may be used as input to optimize production, acceptance testing, etc.
Maintenance planning. The FMECA worksheets are used as an important input to maintenance planning, for example, as part of reliability

FMECA in design

Conclusions / Summing up
The FMECA process comprises three main phases:

FMECA pros and cons
Pros:
- FMECA is a very structured and reliable method for evaluating hardware and systems
- The concept and application are easy to learn, even by a novice
- The approach makes evaluating even complex systems easy to do
Cons:
- The FMECA process may be tedious, time-consuming (and expensive)
- The approach is not suitable for multiple failures
- It is too easy to forget human errors in the analysis

Example: Pressure Cooker

MODULE: CRITICALITY ANALYSIS (MIL-STD-1629A)

Criticality: MIL-STD-1629A Approach
CRITICALITY is a relative measure of the consequences of a failure mode and the frequency of its occurrence. It may be based on qualitative judgement, or on failure rate data (most common).

Criticality Analysis
Qualitative analysis: Used when specific part or item failure rates are not available.
Quantitative analysis: Used when sufficient failure rate data is available to calculate criticality numbers.

Qualitative Approach
Because failure rate data is not available, failure mode ratios and failure mode probability are not used. The probability of occurrence of each failure is grouped into discrete levels that establish the qualitative failure probability level for each entry, based on the judgment of the analyst. The failure mode probability levels of occurrence are:
Level A - Frequent
Level B - Reasonably Probable
Level C - Occasional
Level D - Remote
Level E - Extremely Unlikely

Quantitative ApproachFailure Mode Criticality (CM) is the portion of the criticality number for an item, due to one of its failure modes, which results in a particular severity classification (e.g. results in an end effect with severity I, II, etc...).

MIL-STD-1629A Severity Levels
Category I - Catastrophic: A failure which may cause death or weapon system loss (i.e., aircraft, tank, missile, ship, etc.)
Category II - Critical: A failure which may cause severe injury, major property damage, or major system damage which will result in mission loss.
Category III - Marginal: A failure which may cause minor injury, minor property damage, or minor system damage which will result in delay or loss of availability or mission degradation.
Category IV - Minor: A failure not serious enough to cause injury, property damage or system damage, but which will result in

Quantitative Approach
The quantitative approach uses the following formula for Failure Mode Criticality:
$C_m = \beta \cdot \alpha \cdot \lambda_p \cdot t$
Where
$C_m$ = Failure Mode Criticality
$\beta$ = Conditional probability of occurrence of the next higher failure effect, given that the failure mode occurs
$\alpha$ = Failure mode ratio (the fraction of the item's failures that occur in this mode)
$\lambda_p$ = Part failure rate
$t$ = Duration of applicable mission phase

Criticality Analysis Example
A resistor R6 with a failure rate of 0.01 failures per million hours is located on the Missile Interface Board of the XYZ Missile Launch System. If the resistor fails, it fails open 70 % of the time and short 30 % of the time. If it fails open, the system will be unable to launch a missile 30 % of the time, the missile explodes in the tube 20 % of the time, and there is no effect 50 % of the time. If it fails short, the performance of the missile is degraded 50 % of the time and the missile inadvertently launches 50 % of the time. Mission time is 1 hour.
λp = 0.01 in every case (failures per million hours, so the Cm values below are in failures per million mission hours)
α = 0.7 for open
β = 0.3 for unable to fire
β = 0.2 for missile explodes
β = 0.5 for no effect
α = 0.3 for short
β = 0.5 for missile performance degradation
β = 0.5 for inadvertent launch
Cm for R6 open resulting in being unable to fire is (0.3)(0.7)(0.01)(1) = 0.0021
Cm for R6 open resulting in a missile explosion is (0.2)(0.7)(0.01)(1) = 0.0014
Cm for R6 open resulting in no effect is (0.5)(0.7)(0.01)(1) = 0.0035
Cm for R6 short resulting in performance degradation is (0.5)(0.3)(0.01)(1) = 0.0015
Cm for R6 short resulting in inadvertent launch is (0.5)(0.3)(0.01)(1) = 0.0015

Quantitative Approach
Item Criticality (Cr) is the criticality number associated with the item under analysis. For a mission phase, Cr is the sum of the item's failure mode criticality numbers, Cm, which result in the same severity classification.

Quantitative Approach
The quantitative approach uses the following formula for Item Criticality within a particular severity level:
$C_r = \sum_{n=1}^{j} (C_m)_n = \sum_{n=1}^{j} (\beta \cdot \alpha \cdot \lambda_p \cdot t)_n$
Where
$C_r$ = Item Criticality
$n$ = The current failure mode of the item being analyzed
$j$ = The number of failure modes for the item being analyzed (that result in the severity level considered)

Criticality Analysis ExerciseCriticality Analysis: Determine failure mode criticality values and item criticality values for the R9 resistor, and create an item criticality matrix.

Criticality Analysis Exercise
A resistor R9 with a failure rate of 0.04 failures per million hours is located on the Power Supply Board of the XYZ Missile Launch System. If the resistor fails, it fails open 70 % of the time and short 30 % of the time. If it fails open, the system will be unable to launch a missile 30 % of the time and there is no effect 70 % of the time. If it fails short, the performance of the missile is degraded 100 % of the time. Mission time is 1 hour.

λp = __ in every case
α = __ for open
β = __ for unable to fire
β = __ for no effect
α = __ for short
β = __ for missile performance degradation
Cm for R9 open resulting in being unable to fire is ___
Cm for R9 open resulting in no effect is ___

Criticality Analysis Exercise
(Blank criticality analysis worksheet and blank item criticality matrix, with Severity Levels on the horizontal axis and Item Criticality on the vertical axis, not reproduced in this transcript.)

Criticality Analysis - Answers
A resistor R9 with a failure rate of 0.04 failures per million hours is located on the Power Supply Board of the XYZ Missile Launch System. If the resistor fails, it fails open 70 % of the time and short 30 % of the time. If it fails open, the system will be unable to launch a missile 30 % of the time and there is no effect 70 % of the time. If it fails short, the performance of the missile is degraded 100 % of the time. Mission time is 1 hour.
λp = 0.04 in every case
α = 0.70 for open
β = 0.30 for unable to fire
β = 0.70 for no effect
α = 0.30 for short
β = 1.00 for missile performance degradation
Cm for R9 open resulting in being unable to fire is (0.30)(0.70)(0.04)(1) = 0.0084
Cm for R9 open resulting in no effect is (0.70)(0.70)(0.04)(1) = 0.0196
Cm for R9 short resulting in performance degradation is (1.00)(0.30)(0.04)(1) = 0.012

Criticality Analysis - Answers
Item criticality matrix for R9 (figure not reproduced in this transcript): with Severity Levels on the horizontal axis and Item Criticality on the vertical axis, R9 is plotted at severity level IV (no effect, Cr = 0.0196), at severity level III (performance degradation, Cr = 0.012) and at severity level II (unable to fire, i.e. mission loss, Cr = 0.0084).

Criticality Analysis Worksheet

MODULE: FTA
Industrialindo Konsultrain Services

What is fault tree analysis?
Fault tree analysis (FTA) is a top-down approach to failure analysis, starting with a potential undesirable event (accident) called a TOP event, and then determining all the ways it can happen. The analysis proceeds by determining how the TOP event can be caused by individual or combined lower level failures or events. The causes of the TOP event are connected through logic gates. In this module we only consider AND- and OR-gates.

History
FTA was first used by Bell Telephone Laboratories in connection with the safety analysis of the Minuteman missile launch control system in 1962. The technique was improved by the Boeing Company, and extensively used and extended during the Reactor Safety Study (WASH-1400).

FTA main steps
1. Definition of the system, the TOP event (the potential accident), and the boundary conditions
2. Construction of the fault tree
3. Identification of the minimal cut sets
4. Qualitative analysis of the fault tree
5. Quantitative analysis of the fault tree

Preparation for FTA
The starting point of an FTA is often an existing FMECA and a system block diagram. The FMECA is an essential first step in understanding the system. The design, operation, and environment of the system must be evaluated. The cause and effect relationships leading to the TOP event must be

Boundary conditions
The physical boundaries of the system (Which parts of the system are included in the analysis, and which parts are not?)
The initial conditions (What is the operational state of the system when the TOP event is occurring?)
Boundary conditions with respect to external stresses (What types of external stresses should be included in the analysis: war, sabotage, earthquake, lightning, etc.?)

Fault tree construction
Define the TOP event in a clear and unambiguous way. It should always answer:
What: e.g., Fire
Where: e.g., in the process oxidation reactor
When: e.g., during normal operation
What are the immediate, necessary, and sufficient events and conditions causing the TOP event? Connect them via an AND- or OR-gate. Proceed in this way to an appropriate

Fault tree symbols

Example: Redundant fire pumps
TOP event = No water from fire water system
Causes for TOP event:
VF = Valve failure
G1 = No output from any of the fire pumps
G2 = No water from FP1
G3 = No water from FP2
FP1 = Failure of FP1
EF = Failure of engine
FP2 = Failure of FP2

Example: Redundant fire pumps (2)

Example: Redundant fire pumps (3)

The two fault trees above are logically identical. They give the same information.

Qualitative assessment
Qualitative assessment by investigating the minimal cut sets:
Order of the cut sets
Ranking based on the type of basic events involved:
1. Human error (most critical)
2. Failure of active equipment
3. Failure of passive equipment
Also look for large cut sets with dependent items

Quantitative assessment
Notation
Let $Q_i(t)$ denote the probability that basic event $i$ occurs at time $t$. $Q_i(t)$ may, for example, be the probability that component $i$ is in a failed state at time $t$. Note that $Q_i(t)$ does not mean that component $i$ fails exactly at time $t$, but that component $i$ is in a failed state at time $t$. A minimal cut set is said to fail when all

Single AND-gate

Single OR-gate

TOP event probability

Input DataTypes of events

Non-repairable unit

Repairable unit

Periodic testing

Frequency

On demand probability

Cut set evaluation

Conclusions
- FTA identifies all the possible causes of a specified undesired event (TOP event)
- FTA is a structured top-down deductive analysis.
- FTA leads to improved understanding of system characteristics.
- Design flaws and insufficient operational and maintenance procedures may be revealed and corrected during the fault tree construction.
- FTA is not (fully) suitable for modelling dynamic scenarios