A Failure Mode and Effects Analysis (FMEA) is a “bottom-up” type of system analysis that is required for the standards certification of functional safety: IEC 61508 and all the standards deriving from it. This type of analysis contrasts and may serve as a complement to “top down” analytical approaches such as Fault Tree Analysis (FTA); however, the standard mandate for the use of FMEA to do the quantitative or probabilistic analysis of functional safety systems requires that each component of the functional safety system be considered in the FMEA. (An FMEDA, Failure Mode and Effects Diagnostic Analysis, is no different from an FMEA; the “diagnostic” simply emphasizes one of the results one gets from an FMEA, pointing to the principal purpose of that particular FMEA.)
“With an FMEA, you look at what the system is composed of, how its elements can potentially fail, and what the system-level effect of a component failure would be,” says Anura Fernando, research engineer, predictive modeling and risk analysis, at Underwriters Laboratories (UL). Depending on the level of information one has about a system, an FMEA can decompose to a functional subsystem level or all the way down to individual discrete components.
The general principles of an FMEA are straightforward:
1) It contemplates items (i.e., elements of the system under analysis) within a system.
Examples are hardware components, hardware blocks, function blocks, software functions, and production processes.
2) The system is described as interacting, interconnected items.
3) The analysis starts with an isolated element.
In what way can it fail? What are its failure modes?
4) The causes for failure modes are identified.
Information from “top down” analysis (e.g., FTA) is incorporated to help identify common cause failures.
5) Parts surrounding the element are considered.
How are neighboring or directly connected elements impacted by failure modes?
How are other system parts, or indirectly/unintentionally connected parts, impacted?
What are the impacts on a system level? Either loss of a system function or system purpose, or adverse, unintended, or undesired system behavior. These are the failure mode effects.
6) The severity of effects is defined.
Apply a severity scale, for example, from 1 (insignificant) to 4 (catastrophic).
Determine the costs of the effects.
7) The frequency of failure modes is identified.
Apply a frequency scale, for example, from 1 (remote) to 4 (very frequent or inevitable).
Or use failure rates and probabilities.
8) The criticality of failure modes is determined.
Criticality is expressed as a Risk Priority Number (RPN), determined by multiplying the severity of effects by the frequency of failure modes, yielding values, for example, from 1 (negligible) to 16 (intolerable).
FMEA facilitates functional safety certification by identifying places where measures are required to meet standards. It helps identify the most suitable and practical type of measures (e.g., avoid, exclude, detect, tolerate, reduce frequency, mitigate severity) while allowing qualitative/relative and absolute quantitative judgments.
Design and Verification
“Particularly for functional safety, one of the most important results of an FMEA is the identification of diagnostic requirements using FMEA as a design tool,” says Thomas Maier, principal engineer, functional safety, at UL. Used as a verification tool, the FMEA can verify that the particular diagnostic coverage required for a Safety Integrity Level (SIL) is met.
This design and verification paradigm is the classic V-Model used for system or subsystem design, with FMEAs used on both sides of the V concurrently. (In the V-Model, for each development step taken, a corresponding verification and validation activity must be planned and specified.)
As a design tool, FMEAs systematically identify dangerous failures and countermeasures to detect and address each failure mode. Any dangerous failure mode not identified is unlikely to be addressed by the system design.
As a verification tool, FMEA quantitatively verifies diagnostic capabilities and safety related reliability, including probability of failure per hour (PFH), probability of error fault detection (PFD), and system failure frequency (SFF) for Safety Integrity Levels, as well as mean time to dangerous failure (MTTFd) and diagnostic coverage (DC) for Performance Levels.
“You can use FMEA as a design tool to derive new diagnostic requirements,” says Maier. “You can also identify other requirements or other solutions for problems in your system, such as identifying more reliable components or changing the design so that a certain failure cannot occur at all.”
Fernando adds that FMEA can be used as a design tool very early in the development process, as soon as there is an idea of the structure, the parts that will be in the system, and how they interact.
A Challenging Discipline
Doing an FMEA can require a huge effort. If, for example, you have a safety programmable logic controller (PLC), you very easily have between 500 and 1,000 components on the circuit boards; if each component has three failure modes, you can easily end up with an FMEA table of 3,000 rows. “It’s really hard work to do this,” says Maier.
This is why you should distinguish between using FMEA as a design tool, a tool that provides some feedback, or a tool that allows you to derive additional safety requirements, for example. “If you want to use a FMEA as a design tool, you need to make sure that the level of granularity is adequate, that a certain level of abstraction is established to ensure that something meaningful comes out of the analysis,” cautions Maier. “Otherwise you won’t see the forest for the trees.”
Consider Advisory Services
Conducting an FMEA can yield valuable information, whether applied to an entire system such as a refinery or power plant, a subsystem within that larger system, or in certifying a particular product to functional safety standards.
Effectively conducting an FMEA requires resources and technical experience that some manufacturers may not have. If you are uncertain of how an FMEA can benefit you in achieving functional safety certifications—or aren’t confident that you have the internal wherewithal to go through this analytical process—speak with UL’s Advisory Services group.
UL, one of the world’s leading experts in functional safety, is experienced in applying FMEAs according to functional safety standards, and can train or coach your personnel in designing and executing FMEAs, or conduct them for you. For more information on how UL’s Advisory Services can support your functional safety efforts, please contact:
Kevin Connelly
631-546-2691
[email protected]
Or go to the web: http://www.ul.com/global/eng/pages/offerings/industries/powerandcontrols/functional/advisoryservices/
