Safety analysis methods FMEA

Failure Modes and Effects Analysis (FMEA) and its variants have been widely used in safety analyses for more than thirty years. With the increase of application domain of software intensive systems there was a natural tendency to extend the use of (originally developed for hardware systems) safety analysis methods to software based systems. 

This approach is based on a safety analysis, often used for safety critical systems. The safety analysis performed at each stage of the system development is intended to identify all possible hazards with their relevant causes. Traditional safety analysis methods include, e.g. Functional Hazard Analysis (FHA) [1], Failure Mode and Effect Analysis (FMEA) [2] and Fault Tree Analysis (FTA). FMEA is a bottom-up method since it starts with the failure of a component or subsystem and then looks at its effect on the overall system. First, it lists all the components comprising a system and their associated failure modes. Then, the effects on other components or subsystems are evaluated and listed along with the consequence on the system for each component s failure modes. FTA, in particular, is a deductive method to analyze system design and robustness. Within this approach we can determine how a system failure can occur. It also allows us to propose countermeasures with a higher coverage or having wider dimension. 

The traditional FMEA has been a well-accepted safety analysis method, however, it suffers from several weaknesses. One of the critically debated weaknesses, is the method that the traditional FMEA employs to achieve a risk ranking. The purpose of ranking risk in order of importance is to assign the limited resources to the most serious risk items. Traditional FMEA uses an RPN to evaluate the risk level of a component or process. The RPN is obtained by finding the multiplication of three factors, which are the probability of failure (5/), the severity of the failure S) and the probability of not detecting the failure (Sj). Representing this mathematically will give ... 

Keywords System Safety Complexity Safety Analysis Software Engineering Formal Methods OF-FMEA Safety Claim Structure Safety Case Safety Assessment... 

Two types of analytical methods are used to evaluate hazards 1) preliminary hazards analysis (PHA), and 2) failure modes and effects analysis (FMEA). PHA is an accident scenario-based form of analysis. The FMEA is a complementary type of evaluation that utilizes a system failure-based form of analysis. Generally, FMEAs were only accomplished for equipment which was perceived to have a significant safety role, i.e. SSCs which were anticipated to be designated as safety significant in accordance with DOE-STD-3009. Unlike PHA, the first objective of FMEA is to subdivide the facility into several different (and, to the maximum extent possible, independent) system elements. Failure modes of each system element are then postulated and a structured esramination of the consequences of each failure mode follows. However, similar to PHA, FMEA. documents preventive and mitigative features (failure mechanisms and compensation) and anticipated accident consequences (failure effects). This appendix documents the FMEA for the HCF. 

A type of safety identification review that methodically analyzes the interactions between individuals and machines. It reviews the operation phase to operational phase, while considering the consequences of operator-system faults at each operating step within each phase. This analysis allows for the recognition of threats from equipment faults that may coexist with operator errors. It is considered similar to a Failure Mode and Effects Analysis (FMEA), but with increased emphasis on the steps in human procedures rather than viewing hardware exclusively. See also Failure Mode and Effects Anafysis (FMEA) Job Safety Analysis (JSA). 

Chapter 3 presents introductory aspects of safety and human factors. Chapter 4 is devoted to methods considered useful to perform patient safety analysis. These methods include failure modes and effect analysis (FMEA), fault tree analysis (FTA), root cause analysis (RCA), hazard and operability analysis (HAZOP), six sigma methodology, preliminary hazard analysis (PFfA), interface safety analysis (ISA), and job safety analysis (JSA). Patient safety basics are presented in Chapter 5. This chapter covers such topics as patient safety goals, causes of patient injuries, patient safety culture, factors contributing to pahent safety culture, safe practices for better health care, and patient safety indicators and their selection. 

The fault hazard analysis (FHA)—also referred to as the functional hazard analysis—method follows an inductive reasoning approach to problem solving in that the analysis concentrates primarily on the specific and moves toward the general (TAI 1989). The FHA is an expansion of the FMEA (Stephenson 1991). As demonstrated in the previous chapter, the FMEA is concerned with the critical examination and documentation of the possible ways in which a system component, circuit, or piece of hardware may fail and the effect of that failure on the performance of that element. The FHA takes this evaluation a step further by determining the effect of such failures on the system, the subsystem, or personnel. In fact, when a FMEA has already been completed for a given system and information on the adverse safety effect of component or human failures is desired for that system, the safety engineer can often utilize the data from the FMEA as an input to the FHA. 

The strength of this method is that all disciplines come together (face to face) and identify free format different kinds of risks. The test engineers are important stakeholders in these sessions, as they are good at identifying failure modes. Where the safety hazard analysis looks at safety issues, the FMEA considers possible failure modes in the product and how to tackle them not only safety issues but also e.g. possible failures in reliability, performance and functionality. 

Abstract. Safety and security are two important aspects in the analysis of cyber-physical systems (CPSs). In this short paper, we apply a new safety and security analysis method to intelligent and cooperative vehicles, in order to examine attack possibilities and failure scenarios. The method is based on the FMEA technique for safety analysis, with extensions to cover information security. We examine the feasibility and efficiency of the method, and determine the next steps for developing the combined analysis method. 

FMVEA [3] is a combined analysis method for safety and security. It is based on the Failure Mode and Effects Analysis, as described in lEC 60812 [6]. In the FMEA approach, each component of a system is analyzed for potential failure modes. Based on the detail level and maturity of the design, components can be HW/SW-modules or functions. A failure mode is the manner in which the component fails [6] or the manner by which a occurred fault is observed [4]. In the next step the effects of the failure mode on the system are identified. A failure mode could cause a component to cease to function and still only have a negligible effect on the functionality of the complete system. After the severity of the final effect is determined, potential causes are identified. Based on the causes, the probability of the failure mode is estimated. This process is repeated until every failure mode of the component and every component on the chosen analysis level is examined. 

This cross-functional approach of ISO TS 16949 defines the basis for a necessary safety culture as the foundation of functional safety and address directly FMEAs as a mayor quality analysis method. 

The automobile associations like VDA and AIAG have described the essential methods in this context. Standards had been improved in other industries based on their requirements. FMEA is according to ISO 26262 an inductive method for the safety analysis. However, all FMEA methods in the automobile industry are widely based on the sequence of failure cause, failure and failure effect. The kind of measures to improve the product or avoid, mitigate errors, or their propagation had been defined and applied differently in the standards. The evaluation factors of failures are called as follows ... 

Safety analysis is the term with which ISO 26262 describes methods such as FMEA and FTA. Neither in this book nor in ISO 26262, was the intention never to define these methods anew. ISO 26262 mentions in part 9, Chap. 8 the different methods and lists general requirements in the context of ISO 26262 for these methods. In the individual development of items, system or components the safety analyses are invoked in the respective context, based on the specific requirements for this method. 

The inductive safety analysis is described as a bottom-up method. It investigates unknown failure effects starting with known failure causes. Today the FMEA is the basic analysis method at all. It has been developed for almost twenty years in different ways. The classical form sheet analysis (blank table form analysis) can be called a truly inductive safety analysis, whereas the cause in this context is often also determined deductively. This means that potentially unknown causes are examined. AU new FMEA methods start with the function, a task or characteristics of the basic parts and search for potential causes, which could lead to malfunction, wrong tasks or to deviations of required characteristics of the basic parts. The next step is the determination of error propagations so that the failure effect can be determined. 

However, the model-based safety analysis should first be seen as addition for the classic analysis methods. It would be worth considering seeing the model-based safety analysis preferably as deductive analysis and the classic FMEA further on as inductive analysis. Therefore, the systematic approach of consistent system engineering can again be applied from the vehicle level all the way down to the silicon stmcmres and the software development. 

In this section we give a brief description of three commonly used methods of safety analysis Fault Tree Analysis, Event Tree Analysis and Failure Mode and Effect Analysis. Those are the methods which, in our opinion, can mostly benefit fix)m being extended with more formal semantics. We do not cover here Hazard and Operability Study (HAZOP) which is a "structured brainstorm" - type method with the main stress on managerial aspects. However, as HAZOP may make use of FTA, ETA and/or FMEA, it can also benefit firom the proposed approach. 

Three examples of these methods and techniques that can be used in both reliability and safety areas are failure modes and effect analysis (FMEA), fault-tree analysis (FTA), and the Markov method. FMEA was developed in the early 1950s to analyze the reliability of engineering systems. Similarly, the FTA approach was developed in the early 1960s to analyze the safety of rocket launch control systems. Today, both FMEA and FTA are being used across many diverse areas to analyze various types of problems. 

Methods for performing hazard analysis and risk assessment include safety review, checkhsts, Dow Fire and Explosion Index, what-if analysis, hazard and operabihty analysis (HAZOP), failure modes and effects analysis (FMEA), fault tree analysis, and event tree analysis. Other methods are also available, but those given are used most often. 

There are various types of analyses that are used for a process hazard analysis (PHA) of the equipment design and test procedures, including the effects of human error. Qualitative methods include checklists, What-If, and Hazard and Operability (HAZOP) studies. Quantitative methods include Event Trees, Fault Trees, and Failure Modes and Effect Analysis (FMEA). All of these methods require rigorous documentation and implementation to ensure that all potential safety problems are identified and the associated recommendations are addressed. The review should also consider what personal protective equipment (PPE) is needed to protect workers from injuries. 

One hazards analysis technique used to analyze equipment items is FMEA. The method examines the ways in which an equipment item can fail (its failure modes) and examinees the effects or consequences of such failures. If the criticality of each failure is to be considered, then the method becomes a Failure Modes, Effects and Criticality (FMECA) Analysis. The consequences can be to do with safety, reliability, or environmental performance. 

First, the importance of learning lessons from past process safety incidents is highlighted in Section 3.2. The subsequent section presents preliminary hazard review procedure, risk matrix, what-if method, plot plan and layout review, pressure relief system review and fire safety design aspects. Section 3.4 presents PHA techniques and procedures hazards and operability analysis (HAZOP), failure modes and effects analysis (FMEA), instrumented protective system (IPS) design, fault trees, event trees, layer of protection analysis (LOPA) and finally SIS life eyele. The importanee of revision of PSI is highlighted in Seetion 3.5. 

Used originally as a reliability tool, the FMEA is now often used to identify and prioritize safety problems associated with hardware failures. This is usually done by including a risk assessment code (RAC) in the analysis (Table 14-1). (Note When a RAC or other method of quantifying is used to identify critical safety items, some organizations and analysts call the technique failure mode and effects criticality analysis [FMECA].)... 

---