SIS Book - Chapter 03 - FMECA

Extension to Chapter 3. FMECA

Mary Ann Lundteigen and Marvin Rausand

RAMS Group
Department of Mechanical and Industrial Engineering
NTNU

(Version 0.1)

Lundteigen & Rausand, Extension to Chapter 3. FMECA (Version 0.1), slide 1 / 54


Introduction

Learning Objectives

The main learning objectives associated with these slides are:
- To understand why Failure modes, effects, and criticality analysis (FMECA) is used
- To understand the terminology used in an FMECA
- To learn the steps of an FMECA
- To realize the pros and cons of an FMECA

The slides provide additional information to Chapter 3 in Reliability of
Safety-Critical Systems: Theory and Applications.
DOI: 10.1002/9781118776353.


Outline of Presentation

1 Introduction

2 FMECA - What and Why

3 Terminology

4 FMECA procedure

5 FMECA Worksheet

6 Risk Ranking

7 Corrective Actions


FMECA - What and Why

What is FMECA?

Failure modes, effects, and criticality analysis (FMECA): A methodology to identify and analyze:
- All potential failure modes of the various parts of a system
- The effects these failures may have on the system
- How to avoid the failures, and/or mitigate the effects of the failures on the system

FMECA is a technique used to identify, prioritize, and eliminate potential
failures from the system, design or process before they reach the customer.
– Omdahl (1988)

FMECA is a technique to "resolve potential problems in a system before
they occur." – SEMATECH (1992)


FMECA – FMEA

Initially, the FMECA was called FMEA (Failure modes and effects analysis).
The C in FMECA indicates that the criticality (or severity) of the various
failure effects is considered and ranked.

Today, FMEA is often used as a synonym for FMECA. The distinction
between the two terms has become blurred.


Background

- FMECA was one of the first systematic techniques for failure analysis
- FMECA was developed by the U.S. Military. The first guideline was
  Military Procedure MIL-P-1629 "Procedures for performing a failure
  mode, effects and criticality analysis", dated November 9, 1949
- FMECA is the most widely used reliability analysis technique in the
  initial stages of product/system development
- FMECA is usually performed during the conceptual and initial design
  phases of the system in order to assure that all potential failure modes
  have been considered and the proper provisions have been made to
  eliminate these failures


What Can FMECA be Used for?

- Assist in selecting design alternatives with high reliability and high safety
  potential during the early design phases
- Ensure that all conceivable failure modes and their effects on operational
  success of the system have been considered
- List potential failures and identify the severity of their effects
- Develop early criteria for test planning and requirements for test equipment
- Provide historical documentation for future reference to aid in analysis of
  field failures and consideration of design changes
- Provide a basis for maintenance planning
- Provide a basis for quantitative reliability and availability analyses


FMECA Basic Questions

1. How can each part conceivably fail?
2. What mechanisms might produce these modes of failure?
3. What could the effects be if the failures did occur?
4. Is the failure in the safe or unsafe direction?
5. How is the failure detected?
6. What inherent provisions are provided in the design to compensate for the failure?


When to Perform an FMECA

The FMECA should be initiated early in the design process, where we are
able to have the greatest impact on the equipment reliability. The locked-in
cost versus the total cost of a product is illustrated in the figure:

[Figure: "% Locked-In Costs" and "% Total Costs" (both 0 to 100) plotted
against the phases Concept/Feasibility, Design/Development and
Production/Operation. Labels legible in the extraction: locked-in costs 85%;
total costs 3% and 12% in the two early phases, Production (35%) and
Operation (50%).]

– Source: SEMATECH (1992)



Types of FMECA

- Design FMECA is carried out to eliminate failures during equipment
  design, taking into account all types of failures during the whole
  life-span of the equipment
- Process FMECA is focused on problems stemming from how the
  equipment is manufactured, maintained or operated
- System FMECA looks for potential problems and bottlenecks in larger
  processes, such as entire production lines


Two Approaches to FMECA

- Bottom-up approach
  • The bottom-up approach is used when a system concept has been
    decided. Each component on the lowest level of indenture is studied
    one-by-one. The bottom-up approach is also called the hardware approach.
    The analysis is complete since all components are considered.

- Top-down approach
  • The top-down approach is mainly used in an early design phase before
    the whole system structure is decided. The analysis is usually function
    oriented. The analysis starts with the main system functions - and how
    these may fail. Functional failures with significant effects are usually
    prioritized in the analysis. The analysis will not necessarily be complete.
    The top-down approach may also be used on an existing system to focus
    on problem areas.


FMECA Standards

- MIL-STD-1629A "Procedures for performing a failure mode, effects and criticality analysis"
- IEC 60812 "Analysis techniques for system reliability – Procedure for failure mode and effects analysis (FMEA)"
- BS 5760-5 "Guide to failure modes, effects and criticality analysis (FMEA and FMECA)"
- SAE ARP 5580 "Recommended failure modes and effects analysis (FMEA) practices for non-automobile applications"
- SAE J1739 "Potential Failure Mode and Effects Analysis in Design (Design FMEA), Potential Failure Mode and Effects Analysis in Manufacturing and Assembly Processes (Process FMEA), and Potential Failure Mode and Effects Analysis for Machinery (Machinery FMEA)"
- SEMATECH (1992) "Failure Modes and Effects Analysis (FMEA): A Guide for Continuous Improvement for the Semiconductor Equipment Industry"


Terminology

Definition of Failure

Failure: The termination of the ability of an item to perform a required
function. [IEV 191-04-01]

A failure is always related to a required function. The function is often
specified together with several performance requirements, such as response
time, reliability target, behavior upon fault condition, etc.

Shutdown valve
A maximum closing time of a shutdown valve may be set to 15 seconds. A failure of
the function occurs when the closing time exceeds 15 seconds.


Failure Attributes

A failure is an event that occurs at a specific point in time.

A failure may:
- Develop gradually
- Occur as a sudden event

A failure may be revealed:
- On demand (i.e., when the function is needed) ("hidden")
- During a functional test (also "hidden")
- By monitoring or diagnostics ("evident")


Fault

Fault: The state of an item characterized by inability to perform a
required function. [IEV 191-05-01]

While a failure is an event that occurs at a specific point in time, a fault is a
state that will last for a shorter or longer period.

In most cases, an item will have a fault after a hardware failure has occurred
– and we say that the item is in a failed state.

Design and installation errors may also prevent the item from performing
its required function. The item has a fault that is not preceded by any
hardware failure and we call this fault a systematic fault.


Error

Error: Discrepancy between a computed, observed, or measured value or
condition and the true, specified, or theoretically correct value or condition.
[IEV 191-05-24]

An error is present when the performance of a function deviates from the
target performance (i.e., the theoretically correct performance), but still
satisfies the performance requirement. An error will often, but not always,
develop into a failure.


Relationship between failure, fault and error

A failure may originate from an error. When the failure occurs, the item
enters a fault state.

[Figure: actual performance plotted against time together with the target
value and the band of acceptable deviation. While the actual performance
deviates from the target but stays inside the acceptable deviation, the
deviation is an error; the instant the acceptable deviation is exceeded is the
failure (event); the period after that is the fault (state).]


Failure Mode

Failure mode: The way a failure is observed on a failed item. [IEV 191-05-22]

A failure mode is the way in which an item could fail to perform its required
function. An item can fail in many different ways – a failure mode is a
description of a possible state of the item after it has failed.

Pump
Performance requirement: The pump must provide an output between 100 and 110
liters per minute.
Associated failure modes may be:
- No output
- Too low output
- Too high output
- Too much fluctuation in output
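The pump requirement above, together with the error/failure/fault distinction from the preceding slides, as an added example that is not part of the original slides: a small monitor that takes windows of flow readings, reports the error (deviation from target) even while the requirement is met, names the failure mode when it is not, and tracks the fault state from the failure event onward. The readings are constructed; the target value (105 L/min), the window length and the fluctuation criterion are assumptions of this example.

```python
"""Added example (not from the slides): the pump performance requirement
(output between 100 and 110 L/min) turned into a monitor that reports errors,
failure events and fault states as defined on the preceding slides. The
readings are constructed; TARGET, the window length and FLUCT_LIMIT are
assumptions of this example."""
from dataclasses import dataclass
from statistics import fmean, pstdev
from typing import Optional

LOW, HIGH = 100.0, 110.0   # performance requirement from the slide, L/min
TARGET = 105.0             # assumed target value (middle of the band)
FLUCT_LIMIT = 3.0          # assumed: std. dev. above this = "too much fluctuation"


def failure_mode(window: list[float]) -> Optional[str]:
    """Failure mode observed in one window of readings, or None when the
    function is performed within the requirement (an error may still exist)."""
    mean = fmean(window)
    if mean <= 0.0:
        return "no output"
    if pstdev(window) > FLUCT_LIMIT:
        return "too much fluctuation in output"
    if mean < LOW:
        return "too low output"
    if mean > HIGH:
        return "too high output"
    return None


@dataclass
class Observation:
    t: int                        # index of the first reading in the window
    error: float                  # mean output minus TARGET; present even when OK
    failure_mode: Optional[str]   # nonfulfilment of the requirement, if any
    fault: bool                   # state: True from the failure event until restored


def analyse(readings: list[float], window: int = 4) -> list[Observation]:
    """Walk the readings window by window. The failure is the event in which the
    function stops meeting the requirement; the fault is the state after it."""
    obs = []
    for start in range(0, len(readings) - window + 1, window):
        win = readings[start:start + window]
        mode = failure_mode(win)
        obs.append(Observation(start, fmean(win) - TARGET, mode, mode is not None))
    return obs


def failure_events(obs: list[Observation]) -> list[int]:
    """Times at which the item enters a fault state (False -> True transitions)."""
    events, previous = [], False
    for o in obs:
        if o.fault and not previous:
            events.append(o.t)
        previous = o.fault
    return events


# Constructed readings, L/min, four per window: OK with zero error, OK but with
# an error of -3, too low output, no output, restored, then fluctuating.
SAMPLE_READINGS = [104, 105, 106, 105,
                   102, 103, 102, 101,
                   99, 98, 99, 98,
                   0, 0, 0, 0,
                   105, 105, 105, 105,
                   100, 110, 100, 110]

if __name__ == "__main__":
    result = analyse(SAMPLE_READINGS)
    for o in result:
        print(f"t={o.t:2d} error={o.error:+7.2f} mode={o.failure_mode} fault={o.fault}")
    print("failure events at", failure_events(result))
```

Note that the second window has an error of 3 L/min but no failure mode, which is exactly the slide's point that an error satisfies the requirement and only sometimes develops into a failure; the order of the checks matters, since a window of zeros would otherwise be reported as "too low output" rather than "no output".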


Classification of Failures

Failures may be classified according to their:
- Causes: To avoid future occurrences and make judgments about repair
- Effects: To rank between critical and not so critical failures
- Detectability: To distinguish failures that may be revealed
  "automatically" (and shortly after their occurrence) and those that may
  be hidden until special effort is taken, such as functional tests
- And several other criteria

Special category:
- Common-cause failures (CCFs)


Example: Failure classification in IEC 61508

IEC 61508 classifies failures according to their:

- Causes:
  • Random (hardware) faults
  • Systematic ("functional") faults (including software faults)
- Effects:
  • Safe failures (typically: untimely activation of function)
  • Dangerous failures (typically: function prevented)
  • No part/no effect failures (typically: not associated with the main function)
- Detectability:
  • Detected - revealed by online diagnostics
  • Undetected - revealed by functional tests or upon a real demand for activation


FMECA procedure

FMECA main steps

1. FMECA prerequisites (what to prepare before start)
2. System structure analysis
3. Failure analysis and preparation of FMECA worksheets
4. Team review
5. Corrective actions


FMECA Prerequisites (1)

1. Define the system to be analyzed
   • System boundaries (which parts should be included and which should not)
   • Main system missions and functions (incl. functional requirements)
   • Operational and environmental conditions to be considered
   Note: Interfaces that cross the design boundary should be included in
   the analysis

. . . continued on next slide


FMECA Prerequisites (2)

2. Collect available information that describes the system to be analyzed;
   including drawings, specifications, schematics, component lists,
   interface information, functional descriptions, and so on
3. Collect information about previous and similar designs from internal
   and external sources; including FRACAS data, interviews with design
   personnel, operations and maintenance personnel, component
   suppliers, and so on


System Structure Analysis (1)

- Divide the system into manageable units - typically functional elements.
- To what level of detail we should break down the system will depend
  on the objective of the analysis.
- It is often desirable to illustrate the structure by a hierarchical tree
  diagram:

[Figure: hierarchical tree diagram with levels of indenture. Top: System.
Level 1: Subsystem 1, Subsystem 2 (and more level 1 subsystems). Level 2:
Subsystems 1.1, 1.2, 1.3 under Subsystem 1 and 2.1, 2.2 under Subsystem 2
(and more level 2 subsystems). Bottom: Components 1.1.1, 1.1.2 under
Subsystem 1.1 and 2.1.1, 2.1.2 under Subsystem 2.1 (and more components).]


System Structure Analysis (2)

In some applications it may be beneficial to illustrate the system by a
functional block diagram (FBD) as illustrated in the following figure.

[Figure: functional block diagram of a diesel engine and its support systems,
drawn inside a system boundary. Blocks and their functions: Control panel
(control and monitor the engine); Electric start (provide torque to start
diesel engine); Start batteries (provide electric power); Diesel tank (provide
diesel to the engine); Diesel engine (provide torque); Battery charger (load
start batteries); Air intake system (provide air); Lube oil system (provide
lube oil to diesel engine); Exhaust system (remove and clean exhaust).]


System Structure Analysis (3)

Rules of thumb:
- The analysis should be carried out on as high a level in the system
  hierarchy as possible ("screening of subsystems to study in more detail")
- If unacceptable consequences are discovered on this level of resolution,
  then the particular element (subsystem, sub-subsystem, or component)
  should be divided into further detail to identify failure modes and
  failure causes on a lower level
- Starting on too low a level will give a complete analysis, but may
  at the same time be a waste of effort and money


FMECA Worksheet

FMECA Worksheet (1)

A suitable FMECA worksheet has to be decided. In many cases the client
(customer) will have requirements to the worksheet format – for example to
fit into her maintenance management system.

Worksheet header: System; Ref. drawing no.; Performed by; Date; Page _ of _

Worksheet columns:
Description of unit
  (1) Ref. no
  (2) Function
  (3) Operational mode
Description of failure
  (4) Failure mode
  (5) Failure cause or mechanism
  (6) Detection of failure
Effect of failure
  (7) On the subsystem
  (8) On the system function
(9) Failure rate
(10) Severity ranking
(11) Risk reducing measures
(12) Comments


FMECA Worksheet (2)

For each system element (subsystem, component) the analyst must consider
all the functions of the element in all its operational modes, and ask whether
any failure of the element may result in an unacceptable system effect. If the
answer is no, then no further analysis of that element is necessary. If the
answer is yes, then the element must be examined further.


FMECA Worksheet (3)

We will now discuss the various columns in the FMECA worksheet on the
previous frame.

1. In the first column a unique reference to an element (subsystem or
   component) is given. It may be a reference to an id. in a specific
   drawing, a so-called tag number, or the name of the element.

2. The functions of the element are listed. It is important to list all
   functions. A checklist may be useful to ensure that all functions are
   covered.


FMECA Worksheet (4)

3. The various operational modes for the element are listed. Examples of
   operational modes are: idle, standby, and running. Operational modes
   for an airplane include, for example, taxi, take-off, climb, cruise,
   descent, approach, flare-out, and roll. In applications where it is not
   relevant to distinguish between operational modes, this column may
   be omitted.

4. For each function and operational mode of an element the potential
   failure modes have to be identified and listed. Note that a failure mode
   should be defined as a nonfulfillment of the functional requirements of
   the functions specified in column 2.


FMECA Worksheet (5)

5. The failure modes identified in column 4 are studied one-by-one. The
   failure mechanisms (e.g., corrosion, erosion, fatigue) that may produce
   or contribute to a failure mode are identified and listed. Other possible
   causes of the failure mode should also be listed. It may be beneficial to
   use a checklist to ensure that all relevant causes are considered. Other
   relevant sources include: FMD-97 "Failure Mode/Mechanism
   Distributions" published by RAC, and OREDA (for offshore equipment).


FMECA Worksheet (6)

6. The various possibilities for detection of the identified failure modes
   are listed. These may involve diagnostic testing, different alarms, proof
   testing, human perception, and the like. Some failure modes are
   evident, others are hidden. The failure mode "fail to start" of a pump
   with operational mode "standby" is an example of a hidden failure.


FMECA Worksheet (7)

In some applications, an extra column is added to rank the likelihood that
the failure will be detected before the system reaches the
end-user/customer. The following detection ranking may be used:

Rank | Description
1-2  | Very high probability that the defect will be detected. Verification and/or controls will almost certainly detect the existence of a deficiency or defect.
3-4  | High probability that the defect will be detected. Verification and/or controls have a good chance of detecting the existence of a deficiency/defect.
5-7  | Moderate probability that the defect will be detected. Verification and/or controls are likely to detect the existence of a deficiency or defect.
8-9  | Low probability that the defect will be detected. Verification and/or controls are not likely to detect the existence of a deficiency or defect.
10   | Very low (or zero) probability that the defect will be detected. Verification and/or controls will not or cannot detect the existence of a deficiency/defect.

– Source: SEMATECH (1992)


FMECA Worksheet (8)

7. The effects each failure mode may have on other components in the
   same subsystem and on the subsystem as such (local effects) are listed.
8. The effects each failure mode may have on the system (global effects)
   are listed. The resulting operational status of the system after the
   failure may also be recorded, that is, whether the system is functioning
   or not, or is switched over to another operational mode. In some
   applications it may be beneficial to consider each category of effects
   separately, like: safety effects, environmental effects, production
   availability effects, economic effects, and so on.

In some applications it may be relevant to include separate columns in the
worksheet for Effects on safety, Effects on availability, etc.


FMECA Worksheet (9)

9. Failure rates for each failure mode are listed. In many cases it is more
   suitable to classify the failure rate in rather broad classes. An example
   of such a classification is:

   Rank | Class         | Frequency
   1    | Very unlikely | Once per 1000 years or more seldom
   2    | Remote        | Once per 100 years
   3    | Occasional    | Once per 10 years
   4    | Probable      | Once per year
   5    | Frequent      | Once per month or more often

   [Figure: the five classes laid out along a logarithmic frequency axis
   [year^-1], with tick marks at 10^-3, 10^-2, 10^-1 and 1.]

In some applications it is common to use a scale from 1 to 10, where 10
denotes the highest rate of occurrence.


FMECA Worksheet (10)

10. The severity of a failure mode is the worst potential (but realistic)
    effect of the failure considered on the system level (the global effects).
    The following severity classes for health and safety effects are
    sometimes adopted:

Rank | Severity class | Description
10   | Catastrophic   | Failure results in major injury or death of personnel.
7-9  | Critical       | Failure results in minor injury to personnel, personnel exposure to harmful chemicals or radiation, or fire or a release of chemical to the environment.
4-6  | Major          | Failure results in a low level of exposure to personnel, or activates facility alarm system.
1-3  | Minor          | Failure results in minor system damage but does not cause injury to personnel, allow any kind of exposure to operational or service personnel or allow any release of chemicals into the environment.


FMECA Worksheet (11)

In some applications the following severity classes are used:

Rank | Description
10   | Failure will result in major customer dissatisfaction and cause non-system operation or non-compliance with government regulations.
8-9  | Failure will result in a high degree of customer dissatisfaction and cause non-functionality of the system.
6-7  | Failure will result in customer dissatisfaction and annoyance and/or deterioration of part of system performance.
3-5  | Failure will result in slight customer annoyance and/or slight deterioration of part of system performance.
1-2  | Failure is of such minor nature that the customer (internal or external) will probably not detect the failure.

– Source: SEMATECH (1992)


FMECA Worksheet (12)

11. Possible actions to correct the failure and restore the function or
    prevent serious consequences are listed. Actions that are likely to
    reduce the frequency of the failure modes should also be recorded. We
    come back to these actions later in the presentation.

12. The last column may be used to record pertinent information not
    included in the other columns.


Risk Ranking

Risk Ranking

The risk related to the various failure modes is often presented either by a:
- Risk matrix, or a
- Risk priority number (RPN)


Risk Matrix

The risk associated with a failure mode is a function of the frequency of the
failure mode and the potential end effects (severity) of the failure mode. The
risk may be illustrated in a risk matrix.

[Risk matrix: columns are the frequency classes 1 Very unlikely, 2 Remote,
3 Occasional, 4 Probable, 5 Frequent; rows are the severity classes
Catastrophic, Critical, Major, Minor. Each cell is shaded with one of the
three levels below; the shading itself is not recoverable from the extraction.]

- Acceptable - only ALARP actions considered
- Acceptable - use ALARP principle and consider further investigations
- Not acceptable - risk reducing measures required


Risk Priority Number (RPN)

An alternative to the risk matrix is to use the ranking of:

O = the rank of the occurrence of the failure mode
S = the rank of the severity of the failure mode
D = the rank of the likelihood that the failure will be detected before the
    system reaches the end-user/customer.

All ranks are given on a scale from 1 to 10. The risk priority number (RPN) is
defined as

RPN = S × O × D

The smaller the RPN the better – and the larger the worse.
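The worksheet columns and the two ranking methods from these slides, as an added example that is not part of the original slides: a few worksheet rows in code, each mapped to a frequency class, a severity class and a risk-matrix cell, and ranked by RPN, with the initial-versus-revised RPN comparison used later to judge a corrective action. The rows, their rates and ranks are constructed; the class boundaries on the logarithmic frequency axis and the shading of the risk matrix (the slides show a three-level legend, but the cell colours are not recoverable) are assumptions of this example.

```python
"""Added example (not from the slides): a small FMECA worksheet in code with
both risk-ranking methods, the risk matrix (frequency class x severity class)
and RPN = S x O x D, plus the before/after RPN comparison for a corrective
action. Rows, rates, ranks, frequency-class boundaries and the RISK_MATRIX
shading are constructed assumptions of this example."""
from dataclasses import dataclass

# Frequency classes (slide "FMECA Worksheet (9)"); upper bounds in year^-1 are
# assumed to sit at the tick marks of the logarithmic axis.
FREQUENCY_CLASSES = [(1e-3, 1, "Very unlikely"), (1e-2, 2, "Remote"),
                     (1e-1, 3, "Occasional"), (1.0, 4, "Probable")]

# Severity classes for health and safety effects (slide "FMECA Worksheet (10)").
SEVERITY_CLASSES = [(3, "Minor"), (6, "Major"), (9, "Critical"), (10, "Catastrophic")]

ACCEPTABLE, ALARP, NOT_ACCEPTABLE = "acceptable", "ALARP", "not acceptable"
# Assumed shading of the matrix; list index 0..4 = frequency class 1..5.
RISK_MATRIX = {
    "Catastrophic": [ALARP, NOT_ACCEPTABLE, NOT_ACCEPTABLE, NOT_ACCEPTABLE, NOT_ACCEPTABLE],
    "Critical":     [ACCEPTABLE, ALARP, NOT_ACCEPTABLE, NOT_ACCEPTABLE, NOT_ACCEPTABLE],
    "Major":        [ACCEPTABLE, ACCEPTABLE, ALARP, ALARP, NOT_ACCEPTABLE],
    "Minor":        [ACCEPTABLE, ACCEPTABLE, ACCEPTABLE, ALARP, ALARP],
}


def frequency_class(rate_per_year: float) -> int:
    """Map a failure rate [year^-1] to class 1..5 (5 = once per month or more)."""
    for upper, rank, _ in FREQUENCY_CLASSES:
        if rate_per_year <= upper:
            return rank
    return 5


def severity_class(rank: int) -> str:
    """Map a severity rank 1..10 to its class name."""
    if not 1 <= rank <= 10:
        raise ValueError(f"severity rank out of range: {rank}")
    for upper, name in SEVERITY_CLASSES:
        if rank <= upper:
            return name


@dataclass
class WorksheetRow:
    ref: str              # (1) element id / tag number
    function: str         # (2)
    failure_mode: str     # (4)
    cause: str            # (5) failure cause or mechanism
    detection: str        # (6)
    global_effect: str    # (8) effect on the system function
    rate_per_year: float  # (9) failure rate, classified by frequency_class()
    severity: int         # (10) severity rank S, 1..10
    occurrence: int       # O, 1..10, for the RPN
    detection_rank: int   # D, 1..10 (10 = cannot be detected before use)

    def risk_matrix_cell(self) -> str:
        row = RISK_MATRIX[severity_class(self.severity)]
        return row[frequency_class(self.rate_per_year) - 1]

    def rpn(self) -> int:
        return self.severity * self.occurrence * self.detection_rank


def sample_worksheet() -> list[WorksheetRow]:
    """Constructed rows for a diesel-driven unit; not data from the slides."""
    return [
        WorksheetRow("1.2", "Close shutdown valve within 15 s", "Closes too slowly",
                     "Actuator spring fatigue", "Proof test only (hidden)",
                     "Delayed isolation of process section", 0.05, 10, 4, 9),
        WorksheetRow("2.1.1", "Provide electric power to starter", "No output",
                     "Cell short / deep discharge", "Voltage monitoring (evident)",
                     "Engine fails to start", 0.2, 8, 6, 3),
        WorksheetRow("3.1", "Provide lube oil to engine", "Too low output",
                     "Impeller wear", "Low-pressure alarm (evident)",
                     "Engine derate, no injury", 0.005, 4, 3, 2),
    ]


def rank_worksheet(rows: list[WorksheetRow]) -> list[WorksheetRow]:
    """Rows ordered for the review meeting: largest RPN first."""
    return sorted(rows, key=lambda r: r.rpn(), reverse=True)


def rpn_reduction(initial: tuple[int, int, int], revised: tuple[int, int, int]) -> int:
    """Percent reduction in RPN between an initial and a revised (O, S, D)."""
    before = initial[0] * initial[1] * initial[2]
    after = revised[0] * revised[1] * revised[2]
    return round(100 * (before - after) / before)


if __name__ == "__main__":
    for r in rank_worksheet(sample_worksheet()):
        print(f"{r.ref:6} {r.failure_mode:18} freq class {frequency_class(r.rate_per_year)} "
              f"{severity_class(r.severity):13} -> {r.risk_matrix_cell():15} RPN {r.rpn()}")
    print("RPN reduction for the slides' example:", rpn_reduction((7, 8, 5), (5, 8, 4)), "%")
```

The hidden valve failure ends up with the largest RPN because its detection rank is 9, while the battery failure, which is more frequent, is caught by monitoring; both land in the not-acceptable region of the matrix, which is the comparison the review team makes before deciding on corrective actions.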


Limitations of RPN

- How the ranks O, S, and D are defined depends on the application and
  the FMECA standard that is used.
- The O, S, D, and the RPN can have different meanings for each FMECA.
- Sharing numbers between companies and groups is very difficult.
– Based on Kmenta (2002)


Alternative FMECA Worksheet

When using the risk priority number, we sometimes use an alternative
worksheet with separate columns for O, S, and D. An example is shown
below:

Header: Project; Version; Date; System; Subsystem; Teamwork leader
Columns: Id. | Comp. | Function | Failure mode | Failure cause | Local effects | Global effects | S | O | D | RPN | Corrective actions


Example FMECA Worksheet

[Figure: example FMECA worksheet – ReliaSoft Xfmea printout, from www.reliasoft.com]



FMECA Review team

A design FMECA should be initiated by the design engineer, and the
system/process FMECA by the systems engineer. The following personnel
may participate in reviewing the FMECA (the participation will depend on
type of equipment, application, and available resources):
- Project manager
- Design engineer (hardware/software/systems)
- Test engineer
- Reliability engineer
- Quality engineer
- Maintenance engineer
- Field service engineer
- Manufacturing/process engineer
- Safety engineer


Review Objectives

The review team studies the FMECA worksheets and the risk matrices
and/or the risk priority numbers (RPN). The main objectives are:
1. To decide whether or not the system is acceptable
2. To identify feasible improvements of the system to reduce the risk.
   This may be achieved by:
   • Reducing the likelihood of occurrence of the failure
   • Reducing the effects of the failure
   • Increasing the likelihood that the failure is detected before the system
     reaches the end-user

If improvements are decided, the FMECA worksheets have to be revised and
the RPN should be updated.
Problem solving tools like brainstorming, flow charts, Pareto charts and
nominal group technique may be useful during the review process.


Corrective Actions

Selection of Actions

The risk may be reduced by introducing:
- Design changes
- Engineered safety features
- Safety devices
- Warning devices
- Procedures/training


Reporting of Actions

The suggested corrective actions are reported, for example, as illustrated in
the printout from the Xfmea program.

[Figure: corrective-action report – ReliaSoft Xfmea printout, from www.reliasoft.com]


RPN Reduction

The risk reduction related to a corrective action may be assessed by comparing
the RPN for the initial and the revised concept. A simple example is given in
the following table.

         | Occurrence O | Severity S | Detection D | RPN
Initial  | 7            | 8          | 5           | 280
Revised  | 5            | 8          | 4           | 160

Reduction in RPN: 43%


Application Areas

- Design engineering. The FMECA worksheets are used to identify and
  correct potential design related problems.
- Manufacturing. The FMECA worksheets may be used as input to
  optimize production, acceptance testing, etc.
- Maintenance planning. The FMECA worksheets are used as an
  important input to maintenance planning – for example, as part of
  reliability centered maintenance (RCM). Maintenance related problems
  may be identified and corrected.


FMECA in Design

[Figure: the FMECA loop in design: Design → Get system overview → Perform
FMECA, identify failure modes → Establish failure effects → Determine
criticality → Revise design → back to Design.]


FMECA Pros and Cons

Pros:
- FMECA is a very structured and reliable method for evaluating
  hardware and systems
- The concept and application are easy to learn, even by a novice
- The approach makes evaluating even complex systems easy to do

Cons:
- The FMECA process may be tedious, time-consuming (and expensive)
- The approach is not suitable for multiple failures
- It is too easy to forget human errors in the analysis


FMEDA - a Variant of FMECA

A Failure Modes, Effects, and Diagnostic Analysis (FMEDA) is an extension of an
FMECA that is tailor-made for a SIS.
- FMEDA as a method was developed by the company Exida
- It is, in principle, very similar to an FMECA, and an FMECA-like table is used
- Focus is placed on (and columns in the table are allocated to) the
  classification of each failure mode as dangerous undetected (DU), dangerous
  detected (DD), safe undetected (SU) or safe detected (SD)
- Failure rates can be estimated for each failure category with basis in the
  classification and the overall failure rate of the item
- Proof test coverage may also be considered
- The approach can supplement manufacturers' calculations of failure rates, and
  specific measures like the safe failure fraction (SFF) and diagnostic coverage
  factor (DC)
More information is available from the book "Safety instrumented systems
verification", by William M. Goble and Harry Cheddie.
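The FMEDA classification described above, as an added example that is neither from these slides nor Exida's or Goble's published method: one SIS element's failure modes are tagged safe/dangerous and detected/undetected, the four category rates are summed from the per-mode rates, and DC, SFF and a single-channel PFD_avg are derived from them, with proof test coverage as the edge case. The element (a 4-20 mA pressure transmitter), its failure modes, rates and diagnostic flags are constructed, not vendor data. The formulas are assumptions of this example: DC = λ_DD / λ_D, SFF = (λ_S + λ_DD) / (λ_S + λ_D), and PFD_avg ≈ PTC · λ_DU · τ / 2 + (1 − PTC) · λ_DU · T / 2 for proof test interval τ, proof test coverage PTC and lifetime T.

```python
"""Added example (not from the slides, nor Exida's/Goble's published method):
an FMEDA-style table for one SIS element. Failure modes are classified as
SD/SU/DD/DU, category rates are summed, and DC, SFF and a single-channel
PFD_avg are derived. Element data are constructed; the DC, SFF and PFD_avg
formulas are assumptions of this example (see the lead-in)."""
from dataclasses import dataclass
from typing import Optional

FIT = 1e-9            # one failure per 10^9 hours
HOURS_PER_YEAR = 8760


@dataclass(frozen=True)
class FailureMode:
    name: str
    rate_fit: float    # constructed failure rate in FIT
    dangerous: bool    # effect: prevents the safety function (D) or is safe (S)
    diagnosed: bool    # revealed by on-line diagnostics (D) or not (U)

    @property
    def category(self) -> str:
        return ("D" if self.dangerous else "S") + ("D" if self.diagnosed else "U")


def category_rates(modes) -> dict[str, float]:
    """Sum per-mode rates into lambda_SD, lambda_SU, lambda_DD, lambda_DU (FIT)."""
    rates = {"SD": 0.0, "SU": 0.0, "DD": 0.0, "DU": 0.0}
    for m in modes:
        rates[m.category] += m.rate_fit
    return rates


def diagnostic_coverage(rates) -> float:
    """DC = lambda_DD / lambda_D (assumed definition)."""
    lam_d = rates["DD"] + rates["DU"]
    return rates["DD"] / lam_d if lam_d else 1.0


def safe_failure_fraction(rates) -> float:
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_D) (assumed definition)."""
    lam_s = rates["SD"] + rates["SU"]
    lam_d = rates["DD"] + rates["DU"]
    return (lam_s + rates["DD"]) / (lam_s + lam_d)


def pfd_avg_single_channel(rates, tau_h: float, ptc: float = 1.0,
                           lifetime_h: Optional[float] = None) -> float:
    """Approximate PFD_avg from lambda_DU for one channel. The fraction
    (1 - PTC) of DU failures the proof test cannot reveal stays hidden for the
    whole lifetime, so the lifetime is required when PTC < 1."""
    lam_du = rates["DU"] * FIT
    if ptc < 1.0 and lifetime_h is None:
        raise ValueError("lifetime_h is required when proof test coverage < 1")
    pfd = ptc * lam_du * tau_h / 2
    if ptc < 1.0:
        pfd += (1 - ptc) * lam_du * lifetime_h / 2
    return pfd


# Constructed FMEDA rows for a 4-20 mA pressure transmitter whose logic solver
# flags out-of-range currents. Not vendor data.
TRANSMITTER = [
    FailureMode("Output stuck at last value", 120, dangerous=True, diagnosed=False),
    FailureMode("Output drifts low, within range", 80, dangerous=True, diagnosed=False),
    FailureMode("Output out of range (<3.6 mA or >21 mA)", 150, dangerous=True, diagnosed=True),
    FailureMode("Open circuit / loss of power", 100, dangerous=False, diagnosed=True),
    FailureMode("Spurious high reading", 50, dangerous=False, diagnosed=False),
]

if __name__ == "__main__":
    r = category_rates(TRANSMITTER)
    print({k: f"{v:.0f} FIT" for k, v in r.items()})
    print(f"DC = {diagnostic_coverage(r):.3f}, SFF = {safe_failure_fraction(r):.3f}")
    print(f"PFD_avg (tau = 1 y, PTC = 1.0) = {pfd_avg_single_channel(r, HOURS_PER_YEAR):.2e}")
    print(f"PFD_avg (tau = 1 y, PTC = 0.9, T = 20 y) = "
          f"{pfd_avg_single_channel(r, HOURS_PER_YEAR, 0.9, 20 * HOURS_PER_YEAR):.2e}")
```

With these constructed rows the two in-range dangerous modes (stuck, drift) dominate λ_DU, which is why DC stays below 0.5 even though the out-of-range diagnostic catches the largest single mode; dropping the proof test coverage from 1.0 to 0.9 roughly triples PFD_avg because the 10% of DU failures the test misses accumulate over the 20-year lifetime instead of the one-year interval.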


FMEDA Example

Reference: Goble, W.M. and Brombacher, A. Using a failure modes, effects and diagnostic analysis (FMEDA) to measure diagnostic coverage in
programmable electronic systems. Reliability Engineering and System Safety. DOI: 10.1016/S0951-8320(99)00031-9
