Big Chemical Encyclopedia


Common-mode failure effects

Common Mode Failure: An event having a single cause with multiple failure effects, which are not consequences of each other. [Pg.160]

A systematic approach was undertaken for the BRP PRA to identify all potential sources of common mode failure. The first step in the treatment of common mode failures was a compilation of a detailed list of common mode initiators. To achieve this, available literature on common mode failure analysis was reviewed. The next step was to qualitatively assess the potential effects of these initiators on BRP systems. The initiator categories and the systems selected for examination are presented in Table VI.1 of the BRP PRA. [Pg.117]

The upsets considered need to be regarded as independent from one another and are not based on "common mode" failure. Furthermore the measures adopted need to be effective and independent of one another. [Pg.248]

The second is that we fear some sort of random gremlin which affects trials and occasionally leads to spectacularly low but unrepeatable P-values which reflect not so much the effect of treatment but that the trial has gone wrong. If this occurrence is fairly rare, a good level of protection will be afforded provided only that there is no tendency for the random gremlin to strike in one trial when it has struck in the other. Such common mode failure would vitiate the value of this protection. So once again it seems that the rule makes sense if the trials are rather different: if the protocols are different, different sorts of centres are used, the trials are run with different monitors and so forth. [Pg.189]

Tests which induce specific failure modes. For instance, use hardware/software fault-injection techniques to subject redundant diverse versions to anomalous behaviour. The effect of the injected faults is observed to determine if common mode failures have occurred. [Pg.145]

At the first stage, a number of modifications to the schemes were made with the purpose of preventing boron dilution in the primary circuit and reducing the single failure and common mode failure probability. The effectiveness of the primary circuit emergency supply systems and the spring system was increased. The reliability and effectiveness of the SG emergency feed water systems were increased. The reliability of the emergency power supply systems and control systems was increased. [Pg.26]

Although physical separation can reduce the effects of common-mode failures, the owner/operator should also evaluate the likelihood that these common-mode failures occur at the same time. Only simultaneous common-mode failures are of concern. Typically, electronic component stress results in failures at different times, often separated in time by months or years. In these situations, the advantages of physical separation may be outweighed by the economic advantages of installing the redundant hardware in the same physical location or cabinet. [Pg.169]

Administrative diversity may also be used to help reduce the potential for common-mode failure. This involves the development and implementation of procedures that facilitate opportunities to recover from mistakes in design, operation, and/or maintenance. Examples may include, but are certainly not limited to, periodic audits of work process effectiveness, inspections, and tests performed by multiple individuals on a rolling basis rather than the same person all the time, etc. [Pg.173]

Figure 5.5 The effect of common mode failures on system safety...

Several kinds of analysis of the MCS are possible. In the domain of Integrated Modular Avionics (IMA), a first analysis can be performed on the basis of MCS that only include functional node faults. This first analysis provides an indication of the safety of the system before integrating the system on the IMA platform. Then another analysis is performed using MCS that only include physical node faults. This second analysis is used to assess the safety of the system after integration on the IMA platform. The size of both MCS can be compared in order to check whether the effect of common mode failures related with IMA shared resources is acceptable. [Pg.273]

CCFs and common mode failures (CMFs) are similar in nature in that they are both involved with the simultaneous loss of redundant equipment to a single shared cause. However, they differ by the type of the single shared causal event that causes the redundant items to fail simultaneously. A CCF is caused by an external event, whereas the CMF is caused by an identical failure internal to each item. CMFs normally fail in the same functional mode. Quite often, CMFs are (erroneously) referred to as CCFs. Although it is reasonable to include CMFs under the CCF umbrella, CCFs are much larger in scope and coverage. Figure 2.10 shows this conceptual difference between CCF and CMF. Note that the boxes represent redundant system elements, and the redundancy is effectively shunted by the CMFs and CCFs. Redundancy is the key for identifying CCFs and CMFs. [Pg.62]

The primary system level safety requirement which drives risk control is failure tolerance. Failure tolerance embraces many design approaches. These include, but are not limited to, functional redundancy, functional inhibits, safety devices, manual back-up to automatic functions, benign failure modes, and failure effect isolation and containment. Damage tolerance (fracture control) and safety factor requirements are applied to structures as an equivalent to functional failure tolerance, although structural failure tolerance is acceptable where it can be implemented. Common cause and common mode failure mechanisms are taken into account in the implementation of Failure Tolerance. [Pg.30]

At the level of an individual SIS, common mode failures are also considered when redundancy is implemented. The IEC standards propose the use of the classical β factor method, and this method is effective when the number of identical elements is about two or three. In the oil and gas industry there are occasionally a much larger number of elements involved - for example, if the facility stops, dozens of wells must be closed under penalty of sending the ignited liquid through the flare. In this case, instead of the β factor, we prefer the shock method to manage the problem. [Pg.314]
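As an added worked example (not from the cited source), the β factor method referred to above can be carried through numerically: a fraction β of each element's dangerous undetected failure rate λ is assumed to be common cause and to defeat all N redundant elements at once, and the simplified IEC 61508 1ooN average-PFD expressions are used. The failure rate, β and proof-test interval are constructed values; the point shown is that the common-cause term puts a floor of roughly 1/β on the risk reduction that adding more redundant elements can buy, which is why the method stops discriminating once many elements are involved.

```python
# Beta-factor common-cause model for a 1-out-of-N redundant safety function.
# Added worked example; lambda_du, beta and t_proof below are constructed values.

def pfd_1oon(n: int, lambda_du: float, beta: float, t_proof: float) -> dict:
    """Average probability of failure on demand for a 1ooN group (simplified
    IEC 61508 formulas, no repair within the proof-test interval).

    n          number of redundant elements (system fails only if all n fail)
    lambda_du  dangerous undetected failure rate per element (1/h)
    beta       fraction of lambda_du attributed to common cause
    t_proof    proof-test interval (h)
    """
    lam_t = lambda_du * t_proof
    # Independent part: all n elements must fail from separate causes.
    independent = ((1.0 - beta) * lam_t) ** n / (n + 1)
    # Common-cause part: one shared event takes out all n elements together,
    # so it behaves like a single element with rate beta * lambda_du.
    common_cause = beta * lam_t / 2.0
    return {"independent": independent,
            "common_cause": common_cause,
            "total": independent + common_cause}


def redundancy_gain(n: int, lambda_du: float, beta: float, t_proof: float) -> float:
    """Risk reduction gained by going from 1 element to n elements.
    With beta > 0 this saturates near 1/beta however large n becomes."""
    single = pfd_1oon(1, lambda_du, beta, t_proof)["total"]
    return single / pfd_1oon(n, lambda_du, beta, t_proof)["total"]


if __name__ == "__main__":
    LAMBDA_DU = 1e-6   # constructed: one dangerous undetected failure per 1e6 h
    T_PROOF = 8760.0   # constructed: annual proof test
    for beta in (0.0, 0.1):
        for n in (1, 2, 3, 10):
            r = pfd_1oon(n, LAMBDA_DU, beta, T_PROOF)
            print(f"beta={beta:.2f} 1oo{n:<2d} PFD={r['total']:.2e} "
                  f"(indep {r['independent']:.2e}, CCF {r['common_cause']:.2e}) "
                  f"gain={redundancy_gain(n, LAMBDA_DU, beta, T_PROOF):.1f}")
```

With β = 0.1 the 1oo2 group is already dominated by the common-cause term, and going to 1oo10 gains essentially nothing more, whereas with β = 0 the same architectures show the familiar astronomical improvement.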

A preliminary system safety assessment (PSSA) is essential in order to determine (and agree) the depth of assessment needed, the criteria utilised and the manner in which the safety objectives are to be accomplished. The PSSA concentrates on the functions and vulnerabilities of the system instead of the detailed analysis, and can thus be conducted prior to the definition of the system's architecture. The PSSA remains a live document until the final SSA can be issued. By the preliminary design review (PDR), the PSSA should include: functional failure consequences to the aircraft and its occupants; consequences of other possible malfunctions of a system (e.g. overheating) and their effects on surrounding systems; consequences to the system of failure in other systems or parts of the aircraft; identification of any possible common-mode failures or cascade failures which may need detailed investigation; and the identification of possible vulnerabilities to flight crew or maintenance error. [Pg.112]

The modes of failure, including reasonable human errors as well as single point and common mode failures, and the effects on safety when failures occur in subsystem components. [Pg.48]

System models assume the independent probabilities of basic event failures. Violators of this assumed independence are called Systems Interactions, Dependencies, Common Modes, or Common Cause Failure (CCF), which is the term used here. CCF may cause deterministic, possibly delayed, failures of equipment, or an increase in the random failure probability of affected equipment. The CCF may immediately affect redundant equipment with devastating effect because no time is available for mitigation. If the effect of CCF is a delayed increase in the random failure probability and is known, time is available for mitigation. [Pg.123]

WASH-1400 introduced this method for unknown common mode effects. The procedure was not presented in the best light and was severely criticized by the Lewis Committee for lack of a physical basis, although the approach is not unreasonable. Basically, the procedure considered the failure rate of a system, with a common mode, to be between two bounds. The lower bound is the one with no... [Pg.126]

Before any mitigation measures can be designed, an effective hazard identification study must be conducted. The results of such a study (a set of release scenarios) can be used to develop a coherent set of mitigation strategies. In the process industries, these studies are most commonly conducted using hazard and operability (HAZOP) studies, what-if checklists, failure modes and effects analyses (FMEA), and several other comparable techniques (CCPS, 1992). [Pg.8]

HAZOP and What-If reviews are two of the most common petrochemical industry qualitative methods used to conduct process hazard analyses. Up to 80% of a company's process hazard analyses may consist of HAZOP and What-If reviews, with the remaining 20% from Checklist, Fault Tree Analysis, Event Tree, Failure Mode and Effects Analysis, etc. An experienced review team can use the analysis to generate possible deviations from design, construction, modification, and operating intent that define potential consequences. These consequences can then be prevented or mitigated by the application of the appropriate safeguards. [Pg.1]

Several methods of analyzing medication errors exist. Two common methods are root cause analysis and failure mode and effects analysis. [Pg.273]

Safety. It is becoming increasingly common to conduct quantitative assessments of process risks by failure modes and effects, fault tree, or other analytical alternatives. Thus, the probability of an accident times the corresponding potential loss is a cost factor which, although probabilistic. [Pg.30]

In the most commonly employed correction strategy, the desired quality is approached and achieved in small steps. Correction in this context does not mean the elimination of defects, but the addition of small amounts of materials to hit the specification window. Quality assurance corresponding to the ISO Standards 9000-9004 (e.g., failure mode-and-effect analysis (FMEA) and statistical process control (SPC) [7.12]) has been introduced in modern paint factories. [Pg.182]

Note that Failure mode has also been adopted outside of health in the naming of a commonly used formal method for identifying hazards, Failure Mode and Effects Analysis described in Sect. 13.6.1. [Pg.83]

The considerations listed below apply when an assessment is carried out on the likelihood of common cause, common mode and dependent failures. The extent, formality and depth of the assessment will depend on the safety integrity level of the intended function. The effect of common cause, common mode and dependent failures may be dominant for safety integrity levels of 3 or higher. The following should be considered ... [Pg.33]

Since diagnostics are such a critical variable in the calculations, the ability to measure and evaluate the effectiveness of the diagnostics is important. This is done using an extended failure modes and effects analysis technique (Ref. 9) and verified with fault injection testing (Ref. 10 and 11). The techniques were refined to include multiple failure modes (Ref. 12) and today are commonly used to evaluate diagnostic capability and failure mode split (Ref. 13). [Pg.306]

Common modes are common characteristics or potential failures (random or systemic) that affect multiple items which should be independent but are not. See Chapter 6 for a common mode checklist. When looking for common modes in architecture, it is useful to adopt the philosophy of guilty until proven innocent - i.e. the common mode exists unless it can be shown not to [Spitzer, Ferrell, Digital Avionics Handbook, third ed., ISBN 9781439868980]. [Pg.71]

This step involves the Safety Engineer highlighting to the Test Pilot and/or the HF Specialist all failure conditions identified via techniques such as the Functional Hazard Analysis (FHA) (Chapter 3), Failure Modes and Effects Analysis (FMEA) (Chapter 5), Common Mode Analysis (CMA) (Chapter 6), Particular Risk Analysis (PRA) (Chapter 7) and Zonal Safety Analysis (ZSA) (Chapter 8). [Pg.338]

Failure modes and effects analysis is a systematic look at hardware, piece by piece, to determine how each piece could fail. The effects of each type of failure on the surrounding pieces and on the system or subsystem as a whole, and an assessment of the risk associated with each failure, commonly in terms of severity and probability, are expressed as a risk assessment code (RAC). [Pg.18]

Common techniques for hazard analysis are the failure modes and effects analysis (FMEA) and fault tree analysis (FTA). Many of the other techniques listed in Chapter 17 are also used. The FMEA is considered a reliability tool and is used, in most NASA and NASA contractor organizations, by a separate reliability division or branch. The FMEA is used to generate another popular NASA tool, the critical items list (CIL). [Pg.33]

Laundry lists of analyses frequently mix types of analyses (preliminary hazard analysis, system hazard analysis, and operating hazard analysis) with the methods or techniques for performing analyses (fault tree analysis, energy trace and barrier analysis, failure modes and effects analysis, common cause analysis, change analysis, and so on). Whether fault hazard analysis is a type or a method depends upon the reference in use. For all practical purposes, fault hazard analysis and system (or subsystem) hazard analysis seem to be the same thing, which is apparently called gross hazard analysis occasionally. [Pg.45]

The recommended techniques for preliminary hazard analysis are energy trace and barrier analysis (ETBA) and failure modes and effects analysis (FMEA). Recommended techniques for system and subsystem hazard analyses are FMEA, fault tree analysis (FTA), common cause analysis, sneak circuit analysis (for electrical, electronic, and some hydraulic or pneumatic circuits) and, of course, software hazard analysis for software. [Pg.68]

Based on the results of the PHA, recommendations made by 30% review boards, and guidance provided in the system safety program plan, detailed hazard analyses are made of specified (critical) subsystems. The techniques for these SSHAs are as outlined in the system safety program plan or as selected by the SSWG. Failure modes and effects analysis (FMEA) and/or fault tree analysis (FTA) are generally the techniques of choice. Software hazard analysis, common cause analysis, and/or sneak circuit analysis may also be appropriate. [Pg.98]

The functional FMEA tends to use deductive logic, that is, to ask what the cause may be and to focus on the functional failure modes and their causes. It can be used early in the program and is usually done at the subsystem or assembly level. The hardware FMEA tends to be more inductive, asking what-if and when questions, in that common component failure modes are listed and then the focus of the analysis is on the effects of each failure mode. It needs fixed design data and goes to the component level. [Pg.157]
