Functional hazard analysis failure effects

The functional approach stems from the fact that any system (or item) is merely the embodiment of a set of functions. A Functional Hazard Analysis (FHA) is a systematic, comprehensive top-down examination of each function of the system to consider the effects and probability of a functional failure, malfunction and/or normal response to unusual or abnormal external factors [AMC25.1309 para lOb(l)]. 

This step involves the Safety Engineer highlighting to the Test Pilot and/or the HF Specialist all failure conditions identified via techniques such as the Functional Hazard Analysis (FHA) (Chapter 3), Failure Modes and Effects Analysis (EMEA) (Chapter 5), Common Mode Analysis (CMA) (Chapter 6), Particular Risk Analysis (PRA) (Chapter 7) and Zonal Safety Analysis (ZSA) (Chapter 8). 

The fault hazard analysis (FHA)—also referred to as the functional hazard analysis—method follows an inductive reasoning approach to problem solving in that the analysis concentrates primarily on the specific and moves toward the general (TAI 1989). The FHA is an expansion of the FMEA (Stephenson 1991). As demonstrated in the previous chapter, the FMEA is concerned with the critical examination and documentation of the possible ways in which a system component, circuit, or piece of hardware may fail and the effect of that failure on the performance of that element. The FHA takes this evaluation a step further by determining the effect of such failures on the system, the subsystem, or personnel. In fact, when a FMEA has already been completed for a given system and information on the adverse safety effect of component or human failures is desired for that system, the safety engineer can often utilize the data from the FMEA as an input to the FHA. 

Fault (or Functional) Hazard Analysis A system safety analysis method, usually an extension of the failure mode and effect analysis that evaluates the overall effect of functional failures on other subsystems or the overall system itself. 

Functional hazard analysis is the airline industry s name for hazard analysis. Failure mode and effects analysis and fanlt tree analysis are applied in the same way as in other industries. Zonal analysis is the verification of correct manufacture and installation. It starts by reviewing drawings and analysis and ends in the physical inspection of mockup, prototype, and production systems. 

Model Based Safety Assessment aims at supporting the Preliminary System Safety Assessment (PSSA) [8]. Before the PSSA is performed, the Functional Hazard Analysis identifies the Failure Conditions (e.g. safety critical situations of the system) and assesses their severity on a scale going from No Safety Effect (NSE) to Catastrophic (CAT). Then, during the Preliminary System Safety Assessment, safety models (or alternatively fault-trees) axe built and analysed. A safety model describes formally in which node a fault occurs and how this fault propagates inside the system architecture in order to cause a Failure Condition. 

Risk identification and evaluation is performed using Reliability and Safety analyses in a mutually supportive way. Reliability analysis are principally concerned with functional criticality and failure effects aspects, and are performed principally in support of assuring mission success. Safety Analysis concentrates on identifying and evaluating the hazardous consequences which can arise from the system s hazardous conditions or from system functional failures. 

This approach is based on a safety analysis, often used for safety critical systems. The safety analysis performed at each stage of the system development is intended to identify all possible hazards with their relevant causes. Traditional safety analysis methods include, e.g. Functional Hazard Analysis (FHA) [1], Failure Mode and Effect Analysis (FMEA) [2] and Fault Tree Analysis (FTA). FMEA is a bottom-up method since it starts with the failure of a component or subsystem and then looks at its effect on the overall system. First, it lists all the components comprising a system and their associated failure modes. Then, the effects on other components or subsystems are evaluated and listed along with the consequence on the system for each component s failure modes. FTA, in particular, is a deductive method to analyze system design and robustness. Within this approach we can determine how a system failure can occur. It also allows us to propose countermeasures with a higher coverage or having wider dimension. 

The lists of critical items that were described under Identifying controls in Part 2 Chapter 2, together with Failure Modes and Effects Analysis and Hazard Analysis, are techniques that aid the identification of characteristics crucial to the safe and proper functioning of the product. 

A systems hazards analysis (SHA) is a systematic and comprehensive search for and evaluation of all significant failure modes of facility systems components that can be identified by an experienced team. The hazards assessment often includes failure modes and effects analysis, fault tree analysis, event tree analysis, and hazards and operability studies. Generally, the SHA does not include external factors (e.g., natural disasters) or an integrated assessment of systems interactions. However, the tools of SHA are valuable for examining the causes and the effects of chemical events. They provide the basis for the integrated analysis known as quantitative risk assessment. For an example SHA see the TOCDF Functional Analysis Workbook (U.S. Army, 1993-1995). 

The enterprise analyzes and prioritizes potential functional failure modes to define failure effects and identify the need for fault detection and recovery fimctions. Functional reliability models are established to support the analysis of system effectiveness for each operational scenario. Failures, which represent significant safety, performance, or environmental hazards, are modeled to completely understand system impacts. 

The second and more common hardware FMEA examines actual system assemblies, subassemblies, individual components, and other related system hardware. This analysis should also be performed at the earliest possible phase in the product or system life cycle. Just as subsystems can fail with potentially disastrous effects, so can the individual hardware and components that make up those subsystems. As with the functional FMEA, the hardware FMEA evaluates the reliability of the system design. It attempts to identify single-point failures, as well as all other potential failures, within a system that could possibly result in failure of that system. Because the FMEA can accurately identify critical failure items within a system, it can also be useful in the development of the preliminary hazard analysis and the operating and support hazard analysis (Stephenson 1991). It should be noted that FMEA use in the development of the O SHA might be somewhat limited, depending on the system, because the FMEA does not typically consider the ergonomic element. Other possible disadvantages of the FMEA include its purposefiil omission of multiple-failure analysis within a system, as well as its failure to evaluate any operational interface. Also, in order to properly quantify the results, a FMEA requires consideration and evaluation of any known component failure rates and/or other similar data. These data often prove difficult to locate, obtain, and verify (Stephenson 1991). 

Software System Hazard Analysis This type of analysis is conducted similar to a hardware system hazard analysis (SHA), analyzing software functional processing steps to determine whether they may have any particular hazardous effect on the system. The analysis utilizes a hazard-risk index to illustrate the severity of each potential failure. The main advantage to this method is in its ability to positively identify safety-critical hardware and software functions as well as consider the effect of the human element in system software operations. The results of the software SHA, which identifies single-point failures or errors within a system, can often be used to assist in the development of a software fault tree analysis or, to some degree, a system FMEA. However, as with the other various SWHA techniques briefly described above, this method is also time-consuming and costly to perform. 

A conprehensive product release process ensures that products are very mamre when released. Parallel to the comprehensive quality management process the safety process starts with general safety requirements which are checked for applicability and allocated to the project respectively. It continues with several tasks like performance of an Functional Hazard Assessment, production of an hardware RAM Modelling and Prediction Report and a Failure Modes, Effects and Criticality Analysis for a typical configuration and the use of the previously mentioned hazard checklist. Finally all issues of the product release checklist are to be fulfilled to get the official release. 

The Functional Hazard Assessment (FHA) asks the question How safe does the system need to be considering the required functionality and the specific environmental context of the system. A typically used technique in that phase is the Functional Failure Modes and Effects Analysis (Functional FMEA) to find all theoretically possible failure modes which then can be traced to hazards. 

For this paper we treat hazard assessment as a combination of two interrelated concepts hazard identification, in which the possible hazardous events at the system boundary are discovered, and hazard analysis, in which the likelihood, consequences and severity of the events are determined. The hazard identification process is based on a model of the way in which parts of a system may deviate fi om their intended behaviour. Examples of such analysis include Hazard and Operability Studies (HAZOP, Kletz 1992), Fault Propagation and Transformation Calculus (Wallace 2005), Function Failure Analysis (SAE 1996) and Failure Modes and Effects Analysis (Villemeur 1992). Some analysis approaches start with possible deviations and determine likely undesired outcomes (so-called inductive approaches) while others start with a particular unwanted event and try to determine possible causes (so-called deductive approaches). The overall goal may be safety analysis, to assess the safety of a proposed system (a design, a model or an actual product) or accident analysis, to determine the likely causes of an incident that has occurred. 

FHA is a powerful, efficient, and comprehensive system safety analysis technique for the discovery of hazards. It is especially powerful for the safety assessment of software. Since software does not have discrete failure modes as hardware does, the best way to identify software-related hazards is by evaluating the effect of potential software functions failing. Software is built upon performing functions therefore, FHA is a very natural and vital tool. After a functional hazard is identified, further analysis of that hazard may be required to determine if the causal factors of the functional failure are possible. Since the FHA focuses on functions, it might overlook other types of hazards, such as those dealing with hazardous energy sources, sneak circuit paths, and hazardous material (HAZMAT). For this reason, the FHA should not be the sole HA performed, but should be done in support of other types of HA, such as PHA and SSHA. 

These functions are the basis for the Functional Hazard Assessment (FHA), for the identification of possible hazards. In workshops with experts - to combine technical, domain and safety know-how - various techniques are applied. This includes brainstorming, use of historical data and functional failure modes and effects analysis to identrfy possible failure modes, their operational effects and the respective severity of the worst credible outcome. Based on the safety-relevant failure modes, potential hazards are determined and respective risks are allocated according to the risk matrix. The FHA leads to derivation of top level hazards. 

The assumption of independence between hazards and safety instrumented function failures seems very realistic. (NOTE If control functions and safety functions are performed by the same equipment, the assumption may not be valid Detailed analysis must be done to insure safety in such situations, and it is best to avoid such designs completely.) When hazards and equipment are independent, it is realized that a hazard may come at any time. Therefore, international standards have specified that PFDavg is an appropriate metric for measuring the effectiveness of a safety instrumented function. 

The causes of hazards and functional failures are broken down, e.g. via Fault Tree Analysis (FTA). Other typical techniques are the Failure Modes, Effects and Criticality Analysis (FMECA) and the production of a Reliability Availability Maintainability Modelling and Prediction Report (RAM MPR), containing reliability block diagrams of the system. 

NOTE The hazard and risk analysis takes irtto account potential common-cause failures between the control functions (which may be the initiating cause) and the SIF. The effect of the failure of the logic solver, corruption of the data highways, software mistakes, and access security at the engineering interface are just a few of the items that become... 

Safety-in-use considers that the intended function since it operates or behaves correct doesn t lead to any harm. The classical failure analyses cannot be considered for this analysis. Therefore, we rely on the positive analyses. In this case, particularly the behaviors of the intended functions, within its typical environment have to be analyzed as a positive approach. Generally, in this context we would see the classical event tree analysis (ETA). Based on deductively determined malfunctions and, in opposite to the general Hazard Risk Analysis according to ISO 26262, effects of intended functions, within relevant critical driving situations. 

FMEA is an analysis tool for evaluating the effect(s) of potential failure modes of subsystems, assemblies, components, or functions. It is primarily a reliability tool to identify credible failure modes that would adversely affect overall system reliability. FMEA has the capability to include failure rates for each failure mode, in order to achieve a quantitative analysis. Additionally, the FMEA can be extended to evaluate failure modes that may result in an undesired system state, such as a system hazard, and thereby also be used for HA. 

---