Single-point failure

High reliability items and single-point failure items... 

These studies may also point out locations or items of equipment that are critical or single point failures for the entire facility. Where such points are identified special emphasis should be to ensure that events leading up to such circumstances are prevented or eliminated. 

Safety systems should not be segregated together. Each safety system should be diversified as much as possible to avoid the possibility of a single point failure. A prime example is the firewater supply which should be pumped into a facility firemain at several separate and remote locations. 

Several catastrophic fire incidents in the petroleum industry have been the result of the facility firewater pumps being directly affected by the initial effects of the incident. The cause of these impacts has been mainly due to the siting of the fire pumps in vulnerable locations without adequate protection measures from the probable incident and the unavailability or provision of other backup water sources. A single point failure analysis of firewater distribution systems is an effective analysis that can be performed to identify where design deficiencies may exist. For all high risk locations, fire water supplies should be available from several remotely located sources that are totally independent of each and utility systems which are required for support. 

Communications plays a vital role in alerting and notifying both in facility personnel and outside emergency agencies that a major incident has occurred. Communication systems should not be arranged so a single point failure exists. Of primary concern is the provision of a backup source of power and a remote backup activation and signaling post. 

Heat transfer systems are normally provided to utilize available process heat, to economize heat for distillation purposes or to preheat fuel supplies before usage. They are generally considered a secondary process support system to the main production process, however they may be so critical to the process that they might be considered a single point failure if not adequately designed. 

System Interconnect Reliability From the standpoint of reliability, the shared memory system in the global bus both have problems in the area of single-point failures If a failure of the bus or the central memory occurs, the entire system is incapacitated A ring system, when bypass hardware is employed, demonstrates very good fault tolerant characteristics. 

Question 40 How do safety agencies typically test for single-point failures in off-line power supplies ... 

Answer Any component can be shorted or opened by the safety agency during their testing. Even the possibility of a solder connection coming undone anywhere, or a bad via between layers of a PCB would be taken into account. Any such single-point failure is expected to usually cause the power supply to simply shut down gracefully, or even fail catastrophically. That is fine, but in the process, no hazardous voltage is permitted to appear on the outputs, even for a moment. 

No single point failure anywhere in the equipment should lead the user to be exposed to an electrical shock. There should be two levels of protechon, so that if one gives way, there is sbll some protechon available. 

Single point failure can be a problem with Brayton systems. A leak in the reactor can easily lead to all the coolant being lost. 

Single point failures from the FMEA/FMECA (see Chapter 5). 

Finally, add cut set diagrams, particular first order (where a single basic event chases up to the top-level event) as these represent single point failures in the system. 

Finally, an annex of the SSA (or a separate FTA report) should include a summary of the fault tree results, and if they are compfiant to the numerical targets and, for top events with a catastrophic severity, whether any single point failures have been identified. Additionally, the report should detail any maintenance actions that are necessary to alleviate the effects of dormant failures. 

What is clear is that, while FTA is mostly used to provide a quantitative assessment of a failure condition, it remains fundamentally a quahtative analysis method due to the means that the FTA is developed [see NASA Fault Tree Handbook paragraph 1.2]. Nevertheless, the discipline the analyst goes through to consider each failure path methodically provides an excellent deductive method to provide a reasoned estimate of failure probability. Additionally, the FTA provides more information than simply probability of the top event and can be used even without probability calculation to understand weaknesses in the system design (such as single point failures) and to conduct sensitivity analysis to determine which parts of the system may drive the overall probability of particular failure modes. 

Design, when allowed, to minimize or eliminate single-point failures that have an undesired consequence. Make at least 2-fault tolerant, that is tolerant of multiple faults or system breakdown that would have adverse safety consequence. 

A critical item is defined as a single point failure and/or a redundant element in a life- or mission-essential application where ... 

No single-point failures are allowed in severity level I and II mishap... 

The FMEA evaluates reliability and identifies single-point failures. It can be performed at different levels and thus at different times in the life cycle. 

The FMEA evaluates the reliability of the design and identifies single-point failures that can lead to system failure. It also determines the possible effects of all potential failures and thus can aid in identifying failures with safety significance. It provides a cause-effect relationship for failures, some of which may be safety related. Failure rates or other reliability statistics can be used to quantify the FMEA. 

The primary advantages of an FMEA are that critical single-point failures can be identified and that reliability can be evaluated in detail. It may identify areas or parts with poor reliability and allow early and cost-effective design changes. If it is performed functionally early in the project, it may reduce the amount of more detailed FMEA needed. 

In any event, after the tree has been developed consistent with the ground rules for the project, the next step is to analyze the tree to determine weak spots in the system, identify single-point failures, evaluate redundancy, and seek appropriate methods of improving the reliability and safety of the system. 

The failure mode and effect analysis (FMEA) is one of the more familiar of the system safety analysis techniques in use. It has remarkable utility in its capacity to determine the reliability of a given system. The FMEA will specifically evaluate a system or subsystem to identify possible failures of each individual component in that system, and, of greater importance to the overall system safety effort, it attempts to forecast the effects of any such failure(s). Because of the FMEA s ability to examine systems at the component level, potential single-point failures can be more readily identified and evaluated (Stephenson 1991). Also, although the FMEA should be performed as early in the product life cycle design phase as possible (see Figure 3.4), based on the availability of accurate data, the system safety analyst can also use this tool, as necessary, throughout the life of the product or system to identify additional failure elements as the system matures. 

The second and more common hardware FMEA examines actual system assemblies, subassemblies, individual components, and other related system hardware. This analysis should also be performed at the earliest possible phase in the product or system life cycle. Just as subsystems can fail with potentially disastrous effects, so can the individual hardware and components that make up those subsystems. As with the functional FMEA, the hardware FMEA evaluates the reliability of the system design. It attempts to identify single-point failures, as well as all other potential failures, within a system that could possibly result in failure of that system. Because the FMEA can accurately identify critical failure items within a system, it can also be useful in the development of the preliminary hazard analysis and the operating and support hazard analysis (Stephenson 1991). It should be noted that FMEA use in the development of the O SHA might be somewhat limited, depending on the system, because the FMEA does not typically consider the ergonomic element. Other possible disadvantages of the FMEA include its purposefiil omission of multiple-failure analysis within a system, as well as its failure to evaluate any operational interface. Also, in order to properly quantify the results, a FMEA requires consideration and evaluation of any known component failure rates and/or other similar data. These data often prove difficult to locate, obtain, and verify (Stephenson 1991). 

Any and aU critical single-point failure (CSPF) items that were identified during the FMEA should also be provided in this section. The specific failure mode and its effect(s) should be listed and discussed here. The discussion should detail any acceptance or rejection rationale to justify the recommended actions, which are provided later in the report. 

At face value, on the basis of the information provided, the complexity of the system described above appears to offer numerous opportunities for critical single-point failures. Therefore, the analyst should begin the FMEA process by first attempting to identify any and all nonpassive components and/or subassemblies that, depending on the type or mode of failure, could possibly have an undesirable effect. Table 10.1 lists each identified subsystem and related components in the overhead bridge crane system used in this example. Once such a list has been developed, the analyst will find it much easier to evaluate each subsystem or component, its possible failure mode(s), and the resultant effect(s) of any failure. Also, subsequent FMEAs may typically be performed during the operational phase of the crane life... 

The FHA process usually begins with the establishment of a list of system or subsystem functions. Hazards are then postulated on the basis of the failure and/or likelihood of failure of each function. Then, the overall probable effect of the hazard on the system and those operating it (i.e., people) is derived. Once identified, this overall probable effect is known as the failure condition. The severity of the failure condition is assessed and a hazard severity classification is assigned to it. This severity class will determine the maximum allowable probability for each failure condition. In extremely critical systems or operations, such as an elevator braking device/system or materials-handling operations, for example, very low maximum allowable probabilities identified in an FHA will mandate the prohibition of single-point failures. 

Since input and/or output variables typically fail in a discrete manner, the evaluation of any single-point failure effects on the software program, the computer hardware, and/or the system can be accomplished through the software FHA. The drawback here is that the specific effects of any such failure may be somewhat difficult to define since they are typically a function of the actual operational state of the computer at the exact time that the failure occurs. Hence, even evaluation of hypothetical scenarios could be a monumental task since so many possible variables are bound to exist. Also, the software FHA can be an extremely lengthy and quite tedious process that may or may not yield any significant results. A decision to proceed with such an effort must therefore be weighed against the anticipated benefits that are expected on its completion. 

Software System Hazard Analysis This type of analysis is conducted similar to a hardware system hazard analysis (SHA), analyzing software functional processing steps to determine whether they may have any particular hazardous effect on the system. The analysis utilizes a hazard-risk index to illustrate the severity of each potential failure. The main advantage to this method is in its ability to positively identify safety-critical hardware and software functions as well as consider the effect of the human element in system software operations. The results of the software SHA, which identifies single-point failures or errors within a system, can often be used to assist in the development of a software fault tree analysis or, to some degree, a system FMEA. However, as with the other various SWHA techniques briefly described above, this method is also time-consuming and costly to perform. 

Reducing the probability of occurrence means that a hazard is less likely to create an incident. One means to accomplish this is to use parts that have a longer life and do not fail as often. Designing for lower failure rates, using redundancy and avoiding single point failures are others. 

---