Analysis of the types and consequences of failures. FMEA analysis: example and application

To deal with the second part, I strongly recommend that you first familiarize yourself with.

Failure Modes and Effects Analysis (FMEA)

Failure Mode and Effect Analysis (FMEA) is an inductive reasoning-based risk assessment tool that considers risk as a product of the following components:

  • the severity of the consequences of a potential failure (S)
  • the probability of occurrence of a potential failure (O)
  • the probability that a failure will not be detected (D)

The risk assessment process consists of:

Assigning to each of the above risk components an appropriate risk level (high, medium or low). Given detailed practical and theoretical knowledge of the design and operating principles of the instrument being qualified, risk levels can be assigned objectively for both the probability of occurrence of a failure and the probability that it goes undetected. The probability of occurrence can be expressed as the time interval between occurrences of the same failure.

The assignment of risk levels for the probability of failure to be detected requires knowledge of how the failure of a particular instrument function will occur. For example, a failure of the instrument's system software suggests that the spectrophotometer cannot be operated. Such a failure can be easily detected and therefore assigned a low level of risk. But the error in the measurement of optical density cannot be detected in a timely manner if the calibration has not been performed; accordingly, the failure of the function of the spectrophotometer for measuring the optical density should be assigned a high level of risk of its non-detection.

The assignment of a severity level is a somewhat more subjective process and depends to some extent on the requirements of the laboratory concerned. In this approach the severity level is considered as a combination of the impact of the failure on product quality (Q), on regulatory compliance (C) and on the business (B), as set out in Table 2.

Some suggested criteria for assigning a risk level to each component of the cumulative risk assessment discussed above are presented in Table 2. The proposed criteria are most suitable for a regulated product quality control environment; other laboratory applications may require a different set of criteria. For example, in a forensic laboratory the impact of a failure on the quality of the results may ultimately affect the outcome of a criminal trial.

Table 2: proposed criteria for assigning risk levels

| Risk level | Severity: Quality (Q) | Severity: Compliance (C) | Severity: Business (B) | Probability of occurrence (O) | Probability of non-detection (D) |
|---|---|---|---|---|---|
| High | Is likely to harm the consumer | Will lead to product recall | Downtime of more than one week or potential major loss of income | More than once in three months | Hardly detectable in most cases |
| Medium | Probably will not harm the consumer | Will result in a warning letter | Downtime of up to one week or potential significant loss of income | Once every three to twelve months | Can be detected in some cases |
| Low | Will not harm the consumer | Will lead to a nonconformity finding during an audit | Downtime of up to one day or insignificant loss of income | Once every one to three years | Likely to be detected |

Taken from the source

The calculation of the level of aggregate risk assumes:

  1. Assigning a numerical value to each qualitative severity level in each individual severity category, as shown in Table 3
  2. Summing the numerical values of the severity levels over the three categories, which gives a cumulative quantitative severity level in the range 3 to 9
  3. Converting the cumulative quantitative severity level to a cumulative qualitative severity level, as shown in Table 4

Table 3: assignment of a quantitative level of severity

| Qualitative level of severity | Quantitative level of severity |
|---|---|
| High | 3 |
| Medium | 2 |
| Low | 1 |

Table 4: calculating the cumulative level of severity

| Cumulative quantitative level of severity | Cumulative qualitative level of severity |
|---|---|
| 7-9 | High |
| 5-6 | Medium |
| 3-4 | Low |

  4. Multiplying the cumulative qualitative level of Severity (S) by the level of Occurrence (O) gives the Risk Class, as shown in Table 5
  5. The Risk Factor is then obtained by multiplying the Risk Class by the level of Non-detectability (D), as shown in Table 6

Table 5: risk class calculation (Risk class = Severity level × Occurrence rate)

| Occurrence rate \ Severity level | Low | Medium | High |
|---|---|---|---|
| High | Medium | High | High |
| Medium | Low | Medium | High |
| Low | Low | Low | Medium |

Table 6: calculation of the risk factor (Risk factor = Risk class × Level of undetectability)

| Risk class \ Undetectability | Low | Medium | High |
|---|---|---|---|
| High | Medium | High | High |
| Medium | Low | Medium | High |
| Low | Low | Low | Medium |

An important feature of this approach is that the Risk Factor calculation gives additional weight to occurrence and detectability. For example, if a failure is of high severity but is unlikely and easy to detect, the overall risk factor will be low. Conversely, where the potential severity is low but the failure is likely to occur frequently and is difficult to detect, the cumulative risk factor will be high.

Thus severity, which is often difficult or even impossible to minimize, does not dominate the cumulative risk associated with a specific functional failure, whereas occurrence and undetectability, which are easier to minimize, have a greater influence on the overall risk.
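As an added illustration (not code from the original article), the scheme of Tables 3 to 6 implemented in Python and replayed over the Table 7 rows; the H/M/L levels and the Table 7 values are transcribed from the article, while the function and class names are assumptions of this example.

```python
"""Laboratory FMEA risk factor per Tables 3-6 of the article above.

Added example; it is not code from the original article. It encodes the
article's scheme (Table 3 scores, Table 4 cumulative severity, Table 5
risk class, Table 6 risk factor) and replays the Table 7 rows to confirm
the H/M/L risk factors the article reports before and after minimisation.
"""
from dataclasses import dataclass

LEVELS = ("L", "M", "H")            # Low, Medium, High

# Table 3: qualitative severity -> quantitative score, per category (Q, C, B).
SEVERITY_SCORE = {"H": 3, "M": 2, "L": 1}


def cumulative_severity(quality: str, compliance: str, business: str) -> str:
    """Table 4: sum of the three category scores (3..9) -> H/M/L."""
    total = sum(SEVERITY_SCORE[x] for x in (quality, compliance, business))
    if total >= 7:
        return "H"      # 7-9
    if total >= 5:
        return "M"      # 5-6
    return "L"          # 3-4


# Tables 5 and 6 use the same matrix: rows are occurrence rate (Table 5) or
# undetectability (Table 6); columns are severity (Table 5) or risk class
# (Table 6), in the order L, M, H.
_MATRIX = {
    "H": ("M", "H", "H"),
    "M": ("L", "M", "H"),
    "L": ("L", "L", "M"),
}


def _combine(column_level: str, row_level: str) -> str:
    return _MATRIX[row_level][LEVELS.index(column_level)]


def risk_class(severity: str, occurrence: str) -> str:
    """Table 5: Risk class = Severity level x Occurrence rate."""
    return _combine(severity, occurrence)


def risk_factor(risk_cls: str, undetectability: str) -> str:
    """Table 6: Risk factor = Risk class x Level of undetectability."""
    return _combine(risk_cls, undetectability)


@dataclass(frozen=True)
class FunctionAssessment:
    """One Table 7 row: Q, C, B severity categories plus O and D."""
    function: str
    quality: str
    compliance: str
    business: str
    occurrence: str
    undetectability: str

    def evaluate(self) -> dict:
        s = cumulative_severity(self.quality, self.compliance, self.business)
        rc = risk_class(s, self.occurrence)
        return {"S": s, "risk_class": rc, "RF": risk_factor(rc, self.undetectability)}


# Representative Table 7 rows transcribed from the article:
# (function, (Q, C, B), (O, D) before minimisation, (O, D) after).
TABLE_7 = [
    ("Wavelength accuracy",   ("H", "H", "H"), ("M", "H"), ("L", "L")),
    ("Stray light",           ("H", "H", "H"), ("M", "H"), ("L", "L")),
    ("Photometric stability", ("H", "H", "H"), ("H", "H"), ("L", "L")),
    ("Photometric accuracy",  ("H", "H", "H"), ("H", "H"), ("L", "L")),
    ("Access controls",       ("H", "H", "H"), ("L", "L"), ("L", "L")),
    ("Audit log",             ("H", "H", "H"), ("L", "L"), ("L", "L")),
]


def evaluate_table_7() -> dict:
    """Return {function: (RF before, RF after)} for the Table 7 rows."""
    out = {}
    for name, (q, c, b), (o_pre, d_pre), (o_post, d_post) in TABLE_7:
        pre = FunctionAssessment(name, q, c, b, o_pre, d_pre).evaluate()["RF"]
        post = FunctionAssessment(name, q, c, b, o_post, d_post).evaluate()["RF"]
        out[name] = (pre, post)
    return out


if __name__ == "__main__":
    for name, (pre, post) in evaluate_table_7().items():
        print(f"{name:24s} RF before: {pre}   RF after: {post}")
```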

Discussion

The risk assessment process consists of four main stages, as follows:

  1. Conducting an assessment in the absence of any mitigation tools or procedures
  2. Establishment of means and procedures for minimizing the assessed risk based on the results of the assessment performed
  3. Carrying out a risk assessment after the implementation of mitigation measures to determine their effectiveness
  4. Establishing additional mitigation tools and procedures as needed, and re-assessing

The risk assessment summarized in Table 7 and discussed below is viewed from the perspective of the pharmaceutical and related industries. Similar processes can nevertheless be applied in any other sector of the economy; with different priorities, different but no less reasonable conclusions may be reached.

Initial assessment

The assessment starts with the performance functions of the spectrophotometer: wavelength accuracy and precision, and spectral resolution, which determine its suitability for identity (authenticity) testing in the UV/VIS range. Any inaccuracy or lack of precision in the wavelength scale, or insufficient resolution, can lead to erroneous authenticity test results.

In turn, this can lead to the release of products whose authenticity has not been reliably confirmed, potentially all the way to the end consumer. It can also lead to product recalls and consequent significant costs or loss of income. Therefore, in each severity category these functions pose a high level of risk.

Table 7: risk assessment using FMEA for a UV/VIS spectrophotometer

| Function | Before minimization (Q C B S O D RF) | After minimization (Q C B S O D RF) |
|---|---|---|
| Performance functions | | |
| Wavelength accuracy | H H H H M H H | H H H H L L L |
| Wavelength reproducibility | H H H H M H H | H H H H L L L |
| Spectral resolution | H H H H M H H | H H H H L L L |
| Stray light | H H H H M H H | H H H H L L L |
| Photometric stability | H H H H H H H | H H H H L L L |
| Photometric noise | H H H H H H H | H H H H L L L |
| Spectral baseline flatness | H H H H H H H | H H H H L L L |
| Photometric accuracy | H H H H H H H | H H H H L L L |
| Functions to ensure data quality and integrity | | |
| Access controls | H H H H L L L | H H H H L L L |
| Electronic signatures | H H H H L L L | H H H H L L L |
| Password controls | H H H H L L L | H H H H L L L |
| Data security | H H H H L L L | H H H H L L L |
| Audit log | H H H H L L L | H H H H L L L |
| Time stamps | H H H H L L L | H H H H L L L |

H = High, M = Medium, L = Low
Q = Quality, C = Compliance, B = Business, S = Severity, O = Occurrence, D = Non-detectability, RF = Risk Factor

Turning to stray light: it affects the correctness of absorbance measurements. Modern instruments can take it into account and apply a correction in the calculations, but this requires that the stray light level be measured and stored in the instrument's operating software. Any inaccuracy in the stored stray light parameters will result in incorrect absorbance measurements, with the same consequences as described for photometric stability, noise, accuracy and baseline flatness in the following paragraph. Therefore, in each severity category these functions pose a high level of risk. Wavelength accuracy and precision, resolution and stray light depend strongly on the optical properties of the spectrophotometer. Modern diode array instruments have no moving parts, so failures of these functions can be assigned a medium probability of occurrence. However, in the absence of specific checks, failure of these functions is unlikely to be detected, so undetectability is assigned a high level of risk.

Photometric stability, noise and accuracy, and baseline flatness affect the correctness of absorbance measurements. If the spectrophotometer is used for quantitative measurements, any error in the absorbance measurements may lead to erroneous results being reported. If results from these measurements are used to release a batch of a pharmaceutical product, substandard batches could reach end users.

Such batches would have to be recalled, which in turn entails significant costs or loss of income. Therefore, in each severity category these functions pose a high level of risk. In addition, these functions depend on the condition of the UV lamp. UV lamps have a typical life of approximately 1500 hours, or 9 weeks of continuous use, which indicates a high probability of failure. Furthermore, in the absence of any precautions, failure of any of these functions is unlikely to be detected, which implies a high undetectability factor.

Returning now to the data quality and integrity functions: the test results are used to decide whether a pharmaceutical product is suitable for its intended use. Any compromise of the correctness or integrity of the generated records could lead to products of undetermined quality being placed on the market, which could harm the end consumer, and the products might have to be recalled, causing great losses to the laboratory or company. Therefore, in each severity category these functions pose a high level of risk. However, once the required instrument software configuration has been set up correctly, these functions are unlikely to fail. In addition, any failure can be detected in a timely manner.

For instance:

  • Restricting access to the relevant application to authorized persons can be implemented by having the system prompt for a username and password before the application opens. If this function fails, the system will no longer ask for a username and password, so the failure will be detected immediately. Therefore the risk of not detecting this failure is low.
  • When a file to be verified is signed electronically, a dialog box opens that requires a username and password. If the system fails, this dialog will not open and the failure will be detected immediately.

Minimization

While the severity of failure of operational functions cannot be minimized, the potential for failure can be significantly reduced and the likelihood of detecting such failure can be increased. Before using the device for the first time, it is recommended to qualify the following functions:

  • wavelength accuracy and precision
  • spectral resolution
  • stray light
  • photometric accuracy, stability and noise
  • the flatness of the spectral baseline,

and then re-qualify at specified intervals, as this will significantly reduce the probability of failure and increase the likelihood that any failure is detected. Since photometric stability, noise and accuracy, and baseline flatness depend on the condition of the UV lamp, and standard deuterium lamps have a lifespan of approximately 1500 hours (9 weeks) of continuous use, it is recommended that the operating procedure specify that the lamp(s) be switched off when the spectrophotometer is idle, that is, when it is not in use. It is also recommended that preventive maintenance (PM) be performed every six months, including lamp replacement and re-qualification (RQ).

The rationale for a re-qualification period depends on the life of the standard UV lamp. It is approximately 185 weeks when used for 8 hours once a week, and the corresponding life in weeks is shown in Table 8. Thus, if the spectrophotometer is used four to five days a week, the UV lamp will last about eight to ten months.

Table 8: the average life of the UV lamp depending on the average number of eight-hour working days of the spectrophotometer during the week

| Average number of days of operation per week | Average lamp life (weeks) |
|---|---|
| 7 | 26 |
| 6 | 31 |
| 5 | 37 |
| 4 | 46 |
| 3 | 62 |
| 2 | 92 |
| 1 | 185 |

Preventive maintenance and re-qualification (PM/RQ) every six months will ensure trouble-free operation of the instrument. If the spectrophotometer is operated six to seven days a week, lamp life is expected to be about six months, so it is more appropriate to perform PM/RQ every three months to ensure adequate uptime. Conversely, if the spectrophotometer is used only once or twice a week, PM/RQ every 12 months will be sufficient.

In addition, due to the relatively short service life of the deuterium lamp, it is recommended to check the following parameters, preferably on every day of use of the spectrophotometer, as this will provide an additional guarantee of its correct functioning:

  • lamp brightness
  • dark current
  • calibration of deuterium emission lines at wavelengths of 486 and 656.1 nm
  • filter and shutter speed
  • photometric noise
  • spectral baseline flatness
  • transient photometric noise

Modern instruments already contain these tests within their software and they can be performed by selecting the appropriate function. If any of the tests fail, with the exception of the dark current and filter and shutter speed test, the deuterium lamp must be replaced. If the dark current or filter and shutter speed test fails, the spectrophotometer should not be used and should be sent for repair and re-qualification instead. Establishing these procedures will minimize both the risk of failure of a work function and the risk of failure to detect any failure.

Risk factors for data quality and integrity functions are already low without any minimization. Therefore, it is only necessary to verify the operation of these functions during OQ and PQ to confirm the correct configuration. After that, any failure can be detected in a timely manner. However, personnel must receive appropriate training or instruction to be able to recognize a failure and take appropriate action.

Conclusion

Failure Modes and Effects Analysis (FMEA) is an easy-to-use risk assessment tool that can be easily applied to assess the risks of laboratory equipment failure that affect quality, compliance and business. Performing such a risk assessment will enable informed decisions to be made regarding the implementation of appropriate controls and procedures to cost-effectively manage the risks associated with the failure of critical instrument functions.

FMEA methodology, examples

FMEA (Failure Mode and Effects Analysis) is the analysis of failure modes and their consequences. Originally developed and published by the US military-industrial complex (as MIL-STD-1629), failure mode and effects analysis is so widely used today that specialized FMEA standards have been developed and published in several industries.

A few examples of such standards:

  • MIL-STD-1629. Developed in the USA and is the ancestor of all modern FMEA standards.
  • SAE-ARP-5580 is a revision of MIL-STD-1629 with a library of some elements for the automotive industry. Used in many industries.
  • SAE J1739 is an FMEA standard covering Potential Failure Mode and Effects Analysis in Design (DFMEA) and Potential Failure Mode and Effects Analysis in Manufacturing and Assembly Processes (PFMEA). The standard helps to identify and mitigate risk by providing appropriate terms, requirements, rating charts and worksheets. As a standard, this document contains requirements and recommendations to guide the user through the implementation of the FMEA.
  • AIAG FMEA-3 is a specialized standard used in the automotive industry.
  • Internal FMEA-standards of large car manufacturers.
  • Procedures similar to failure mode and effects analysis that have developed historically in many companies and industries. These are perhaps the most widely applied FMEA "standards" today.

All standards for failure mode and effects analysis (published or developed historically) are generally very similar to each other. The general description below gives a general idea of FMEA as a methodology. It is intentionally not very deep and covers most of the FMEA approaches currently in use.

First of all, the boundaries of the analyzed system must be clearly defined. The system can be a technical device, process, or anything else subject to FME analysis.

Next, the possible failure modes, their consequences and their possible causes are identified. Depending on the size, nature and complexity of the system, failure modes can be determined for the system as a whole or for each of its subsystems individually. In the latter case, the consequences of failures at the subsystem level manifest themselves as failure modes at the next level up. Identification of failure modes and effects should proceed bottom-up until the top level of the system is reached.

The failure modes and effects defined at the top level of the system are characterized by parameters such as failure rate, failure criticality, probability of occurrence, and so on. These parameters can either be calculated bottom-up from the lower levels of the system or set explicitly at the top level, and they can be quantitative or qualitative. As a result, a single measure is calculated for each element of the top-level system from these parameters according to an appropriate algorithm. In most cases this measure is called the "risk priority number", "severity", "risk level" or something similar. How such a measure is calculated and used can be unique in each case, and this is the starting point for the variety of modern approaches to Failure Mode and Effects Analysis (FMEA).

An example of FMEA application in the military-industrial complex

The purpose of the "Severity" (criticality) parameter is to demonstrate that the safety requirements of the system are fully met (in the simplest case, this means that all criticality indicators are below a predetermined level).

The abbreviation FMECA stands for Failure Mode, Effects and Criticality Analysis.

The main indicators used to calculate the Criticality value are:

  • the failure rate (determined from the calculated mean time between failures, MTBF),
  • the failure mode probability (the share of the item's failure rate attributable to that mode),
  • the operating time.

Thus, the criticality parameter has a concrete numerical value for each specific system (or component).

There is a fairly wide range of catalogues (libraries) available that give failure rates by failure mode for various electronic components:

  • FMD 97
  • MIL-HDBK-338B
  • NPRD3

A library descriptor for a specific component, in general, looks like this:

Since the failure criticality parameter requires the failure rate values, in the military-industrial complex an MTBF calculation is performed before the FME[C]A methodology is applied, and its results are used by the FME[C]A. For system elements whose failure criticality exceeds the tolerances set by the safety requirements, a Fault Tree Analysis (FTA) must also be carried out. In most cases, FMECA for defence needs is performed by one specialist (an expert in electronic design or quality control) or a very small group of such specialists.

FMEA in the automotive industry

For each failure whose Risk Priority Number (RPN) exceeds a predetermined level (often 60 or 125), corrective actions are identified and implemented. As a rule, those responsible for implementing such measures, the deadlines and the way the effectiveness of the corrective actions will subsequently be demonstrated are defined. After the corrective actions have been taken, the RPN is re-evaluated and compared with the established maximum value.

The main indicators used to calculate the Risk Priority Number are:

  • the probability of occurrence of a failure,
  • its severity (criticality),
  • the probability of detecting the failure.

In most cases the Risk Priority Number is derived from the values of the above three indicators (dimensionless values in the range 1 to 10), i.e. it is a calculated value with corresponding bounds. However, where actual (retrospective) exact failure rate values for a specific system are available, the range of the Risk Priority Number can be expanded many times over, for example:

In most cases, FMEA in the automotive industry is carried out internally by a working group of representatives from different departments (R&D, production, service, quality control).
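The two ranking measures described above, the defence-industry criticality number and the automotive RPN, as an added example that is not code from the article. It assumes the MIL-STD-1629A criticality formula Cm = beta × alpha × lambda_p × t and the usual 1..10 rating scales for RPN; all part data, ratings and names are constructed for the example.

```python
"""Ranking failure modes: MIL-STD-1629A criticality numbers (defence use)
and the automotive Risk Priority Number (RPN).

Added example for the two sections above; it is not code from the article.
Assumed formulas: the MIL-STD-1629A failure mode criticality number
Cm = beta * alpha * lambda_p * t (beta: conditional probability that the mode
causes the end effect, alpha: failure mode ratio as a fraction of the part
failure rate, lambda_p = 1 / MTBF, t: operating time) and the automotive
RPN = S * O * D with each rating on a 1..10 scale. All failure data and
ratings below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    item: str
    mode: str
    mtbf_hours: float     # from the MTBF calculation that precedes FME[C]A
    mode_ratio: float     # alpha: share of the item's failures in this mode
    effect_prob: float    # beta: probability the mode produces the end effect


def mode_criticality(fm: FailureMode, operating_hours: float) -> float:
    """Cm = beta * alpha * lambda_p * t for one failure mode."""
    lambda_p = 1.0 / fm.mtbf_hours
    return fm.effect_prob * fm.mode_ratio * lambda_p * operating_hours


def item_criticality(modes, operating_hours: float) -> dict:
    """Cr per item: the sum of its mode criticalities."""
    totals: dict = {}
    for fm in modes:
        totals[fm.item] = totals.get(fm.item, 0.0) + mode_criticality(fm, operating_hours)
    return totals


def items_exceeding(modes, operating_hours: float, tolerance: float) -> list:
    """Items whose criticality exceeds the safety tolerance; the article
    says these are the candidates for a Fault Tree Analysis."""
    crit = item_criticality(modes, operating_hours)
    return sorted(item for item, cr in crit.items() if cr > tolerance)


# --- automotive RPN ---------------------------------------------------------
def rpn(severity: int, occurrence: int, detection: int) -> int:
    """Risk Priority Number on the usual 1..10 scales (product range 1..1000)."""
    for value in (severity, occurrence, detection):
        if not 1 <= value <= 10:
            raise ValueError("S, O and D must each be rated 1..10")
    return severity * occurrence * detection


def rank_by_rpn(ratings: dict) -> list:
    """Return [(mode, RPN)] sorted from highest to lowest RPN."""
    scored = [(mode, rpn(*sod)) for mode, sod in ratings.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def needs_corrective_action(severity: int, occurrence: int, detection: int,
                            threshold: int = 125) -> bool:
    """True when the RPN exceeds the chosen action threshold (60 or 125)."""
    return rpn(severity, occurrence, detection) > threshold


# Constructed data: part MTBFs, mode ratios and conditional probabilities.
MODES = [
    FailureMode("power supply", "output short", 200_000, 0.30, 1.0),
    FailureMode("power supply", "output drift", 200_000, 0.70, 0.2),
    FailureMode("sensor", "open circuit", 50_000, 0.60, 1.0),
]
MISSION_HOURS = 1000.0
CRITICALITY_TOLERANCE = 0.005

# Constructed automotive ratings (S, O, D) before and after corrective action
# (the action lowered occurrence and improved detection of the seal leak).
RPN_BEFORE = {"seal leak": (8, 5, 4), "connector corrosion": (6, 3, 2)}
RPN_AFTER = {"seal leak": (8, 2, 3), "connector corrosion": (6, 3, 2)}


if __name__ == "__main__":
    for item, cr in item_criticality(MODES, MISSION_HOURS).items():
        print(f"{item:14s} Cr = {cr:.4f}")
    print("FTA candidates:", items_exceeding(MODES, MISSION_HOURS, CRITICALITY_TOLERANCE))
    print("RPN before:", rank_by_rpn(RPN_BEFORE), "after:", rank_by_rpn(RPN_AFTER))
```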

Features of analysis methods FMEA, FMECA and FMEDA

The reliability analysis methods FMEA (failure modes and effects analysis), FMECA (failure modes, effects and criticality analysis) and FMEDA (failure modes, effects and diagnostic analysis), although they have much in common, differ in several notable ways.

FMEA is a methodology for determining the scenarios (ways) in which a product (equipment), an emergency shutdown (ESD) system, a technological process or a system can fail (see IEC 60812 "Analysis techniques for system reliability - Procedure for failure mode and effects analysis (FMEA)").

FMECA, in addition to FMEA, ranks the identified failure modes in order of importance (criticality) by calculating one of two indicators: the Risk Priority Number or the failure criticality.

FMEDA aims to calculate the failure rate of an end system, which can be a device or a group of devices performing a more complex function. The FMEDA methodology was first developed for the analysis of electronic devices and subsequently extended to mechanical and electromechanical systems.

General concepts and approaches FMEA, FMECA and FMEDA

FMEA, FMECA and FMEDA share the basic concepts of components, devices and their arrangement (interaction). A Safety Instrumented Function (SIF) consists of several devices that must ensure that the action needed to protect a machine, equipment or technological process from the consequences of a hazard or failure is performed. Examples of ESD devices are a transmitter, an isolator, a contact group, etc.

Each device is made up of components. For example, a transmitter can consist of components such as gaskets, bolts, diaphragm, electronic circuit etc.

An assembly of devices can be considered as one combined device that implements the ESD function. For example, an actuator-positioner-valve is an assembly of devices, which together can be considered as the final safety element of an ESD. Components, devices and assemblies can be part of the final system for the purposes of FMEA, FMECA or FMEDA evaluation.

The basic methodology behind FMEA, FMECA and FMEDA can be applied prior to or during the design, manufacture or final assembly of the final system. The basic methodology considers and analyzes the failure modes of each component that is part of each device to estimate the chance of failure of all components.

When FME analysis is performed for an assembly, in addition to identifying failure modes and effects, a reliability block diagram of the assembly should be developed to assess how the devices interact with each other (see IEC 61078:2006 "Analysis techniques for dependability - Reliability block diagram and boolean methods").

The input data, results and evaluation of results of FMEA, FMECA and FMEDA are shown schematically in the figure.

The general approach defines the following main steps for FME analysis:

  • definition of the final system and its structure;
  • determination of possible scenarios for performing the analysis;
  • assessment of possible situations of combinations of scenarios;
  • performing FME analysis;
  • evaluation of the results of FME analysis (including FMECA, FMEDA).

Applying the FMECA methodology to the results of the failure mode and effect analysis (FMEA) provides an opportunity to assess the risks associated with failures, and the FMEDA methodology provides an opportunity to assess the reliability.

For every simple device an FME table is developed, which is then applied to each defined analysis scenario. The structure of the FME table can vary between FMEA, FMECA and FMEDA, and also with the nature of the final system being analysed.

The result of the analysis of the modes and consequences of failures is a report containing all verified (if necessary, adjusted by the working group of experts) FME tables and conclusions / judgments / decisions regarding the final system. If the target system is modified after the FME analysis, the FMEA procedure must be repeated.

Differences between estimates and results of FME-, FMEC- and FMED-analyzes

Although the basic steps of an FME analysis are generally the same for FMEA, FMECA and FMEDA, the assessments and results differ.

FMECA results include the FMEA results together with a ranking of all failure modes and effects. This ranking is used to identify the components (or devices) with the greatest influence on the reliability of the final (target) system, characterized by safety indicators such as the average probability of failure on demand (PFDavg), the average frequency of dangerous failure (PFHavg), the mean time to failure (MTTFs) or the mean time to dangerous failure (MTTFd).

FMECA results can be used for qualitative or quantitative assessment, and in both cases, they should be represented by a criticality matrix of the final system, which graphically shows which components (or devices) have more / less impact on the reliability of the final (target) system.

FMEDA results include FMEA results and end-system reliability data. They can be used to verify that a system meets a target SIL level, SIL certification, or as a basis for calculating the target SIL of an ESD device.

FMEDA provides quantitative estimates of reliability indicators such as:

  • Safe detected failure rate (rate of diagnosed / detected safe failures): the rate of failures of the final system that move its operating state from normal to safe; the ESD system or operator is notified, and the target installation or equipment is protected;
  • Safe undetected failure rate (rate of undiagnosed / undetected safe failures): the rate of failures of the final system that move its operating state from normal to safe; the ESD system or operator is not notified, but the target installation or equipment is protected;
  • Dangerous detected failure rate: the rate of failures of the final system at which it remains in its normal state when a demand arises, but the ESD system or operator is notified so that the problem can be corrected or maintenance performed; the target installation or equipment is not protected, but the problem is identified and there is a chance to fix it before a demand arises;
  • Dangerous undetected failure rate (rate of undiagnosed / undetected dangerous failures): the rate of failures of the final system at which it remains in its normal state when a demand arises and the ESD system or operator is not notified; the target installation or equipment is not protected, the problem is latent, and the only way to identify and correct it is a proof test. If necessary, the FMEDA can identify what proportion of the undiagnosed dangerous failures can be revealed by the proof test; in other words, the FMEDA assessment provides performance metrics for the proof test (Et) or Proof Test Coverage (PTC) when proof testing (validation) of the target system is performed;
  • Annunciation failure rate: the rate of failures of the final system that do not affect safety performance when its operating state moves from normal to safe;
  • No effect failure rate: the rate of any other failures that do not cause the operating state of the final system to move from normal to safe or dangerous.
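An FMEDA tabulation over a small constructed FME table, added here as an example that is not code from the article or from any standard. Each row carries a constructed failure rate and the three attributes that decide its category (safe or dangerous effect, detected by diagnostics, revealed by a proof test); the diagnostic coverage and proof test coverage ratios are the IEC 61508 definitions assumed for this example, and all device names and rates are invented.

```python
"""FMEDA tabulation: failure-rate categories of an end system.

Added example for the FMEDA list above; it is not code from the article or
from any standard. Each failure mode of each device carries a constructed
failure rate in FIT (failures per 1e9 hours), its effect (safe, dangerous,
annunciation-only or no effect), whether on-line diagnostics detect it and
whether a proof test would reveal it. The totals are the categories the
text lists; diagnostic coverage DC = DD / (DD + DU) and proof test coverage
PTC = (DU found by proof test) / DU are the IEC 61508 definitions assumed here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FmedaRow:
    device: str
    mode: str
    rate_fit: float
    effect: str            # "S" safe, "D" dangerous, "A" annunciation, "N" no effect
    diagnosed: bool        # detected by on-line diagnostics (system/operator notified)
    proof_testable: bool   # would a proof test reveal it (matters for DU modes)

    def category(self) -> str:
        """Map one row onto the FMEDA category its failure rate belongs to."""
        if self.effect in ("A", "N"):
            return self.effect
        if self.effect not in ("S", "D"):
            raise ValueError(f"unknown effect {self.effect!r}")
        return self.effect + ("D" if self.diagnosed else "U")


def fmeda_totals(rows) -> dict:
    """Sum failure rates per category: SD, SU, DD, DU, A, N (all in FIT)."""
    totals = {k: 0.0 for k in ("SD", "SU", "DD", "DU", "A", "N")}
    for row in rows:
        totals[row.category()] += row.rate_fit
    return totals


def diagnostic_coverage(rows) -> float:
    """Share of dangerous failures that on-line diagnostics detect."""
    t = fmeda_totals(rows)
    dangerous = t["DD"] + t["DU"]
    return t["DD"] / dangerous if dangerous else 1.0


def proof_test_coverage(rows) -> float:
    """Share of the dangerous undetected rate that a proof test would reveal."""
    du = [r for r in rows if r.category() == "DU"]
    total_du = sum(r.rate_fit for r in du)
    found = sum(r.rate_fit for r in du if r.proof_testable)
    return found / total_du if total_du else 1.0


# Constructed FME table for a transmitter + isolator assembly (rates in FIT).
ROWS = [
    FmedaRow("transmitter", "diaphragm rupture",          30.0, "D", False, True),
    FmedaRow("transmitter", "output stuck (electronics)", 50.0, "D", True,  True),
    FmedaRow("transmitter", "output drifts to alarm",     20.0, "S", False, False),
    FmedaRow("transmitter", "watchdog trips to safe",     40.0, "S", True,  False),
    FmedaRow("transmitter", "status LED fails",            5.0, "A", False, False),
    FmedaRow("transmitter", "housing corrosion",         100.0, "N", False, False),
    FmedaRow("isolator",    "open circuit output",        15.0, "S", True,  False),
    FmedaRow("isolator",    "output stuck high",          10.0, "D", False, False),
]


if __name__ == "__main__":
    print(fmeda_totals(ROWS))
    print(f"DC  = {diagnostic_coverage(ROWS):.3f}")
    print(f"PTC = {proof_test_coverage(ROWS):.3f}")
```

The one DU mode that no proof test reveals (the isolator output stuck high) is exactly the latent failure the last bullet warns about; it stays in the DU total no matter how often the proof test is run.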

KConsult C.I.S. offers professional services of certified European practical engineers in performing FMEA, FMECA, FMEDA analyzes, as well as introducing FMEA methodology into the daily activities of industrial enterprises.

FMEA analysis is currently recognized as one of the most effective instruments for improving the quality and reliability of the facilities being developed. It is aimed primarily at preventing possible defects and at reducing both the amount of damage and the likelihood of its occurrence.

Failure mode and effects analysis (FMEA) is successfully used for risk reduction all over the world at enterprises in various industries. It is a universal method applicable not only to any production facility but also to almost any activity or individual process. Wherever there is a risk of defects or failures, FMEA analysis allows the potential threat to be assessed and the most appropriate option selected.

FMEA terminology

The basic concepts on which the analysis is based are the definitions of defect and failure. Although both result in negative consequences, they differ significantly: a defect is a negative result of the intended use of an object, whereas a failure is unplanned or abnormal operation during production or use. In addition, there is the term nonconformity, which means that the planned conditions or requirements are not met.

The negative outcomes whose likelihood is analysed by the FMEA method are given ratings, which can be divided into quantitative and expert ratings. Quantitative ratings include the probability of occurrence and the probability of detecting a defect, measured in percent. Expert ratings are given in points for the likelihood of occurrence and of detection of a defect, as well as for its significance.

The final indicators of the analysis are the overall risk of a defect and the risk priority number, which give an overall assessment of the significance of the defect or failure.

Analysis stages

Briefly, the FMEA analysis method consists of the following steps:

  1. Team building
  2. Selecting the object of analysis and determining the boundaries of each part of a composite object
  3. Identifying the applications of the analysis
  4. Selecting the types of nonconformities to be considered, based on time constraints, type of consumers, geographic conditions, etc.
  5. Approving the form in which the analysis results will be presented
  6. Designating the elements of the object in which failures or defects may occur
  7. Listing the most significant possible defects for each element
  8. Determining the possible consequences of each defect
  9. Assessing the likelihood of occurrence and the severity of the consequences of all defects
  10. Calculating the risk priority number for each defect
  11. Ranking potential failures / defects by importance
  12. Developing measures to reduce the likelihood or severity of consequences by changing the design or the production process
  13. Recalculating the ratings

If necessary, clauses 9-13 are repeated until an acceptable indicator of the priority risk number is obtained for each of the significant defects.
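Steps 9-13 above, carried out as a worksheet, look like this. This is an added illustration, not code from the original page: the rows describe a hypothetical authentication service, and the 1..10 scales, the RPN threshold of 100 and the severity floor of 9 are assumptions chosen for the example, not values taken from any standard. The point it makes that the text does not spell out is that ranking by RPN alone hides a catastrophic effect whose occurrence and detection ratings happen to be low, so a severity floor is applied in addition to the RPN threshold and the loop only closes after a design change lowers the severity itself.

```python
"""Worked FMEA worksheet: rate S, O, D; compute RPN = S * O * D; rank;
mitigate; re-rate; repeat until every row passes the acceptance test.

Added illustration for a hypothetical authentication service. The scales,
threshold and severity floor are assumptions for the example.
"""
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class FailureMode:
    element: str
    mode: str
    effect: str
    severity: int    # S: 1 = negligible .. 10 = catastrophic, rated from the effect
    occurrence: int  # O: 1 = remote .. 10 = almost certain, rated from the cause
    detection: int   # D: 1 = certainly detected before harm .. 10 = undetectable

    def __post_init__(self) -> None:
        for name in ("severity", "occurrence", "detection"):
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name}={value} is outside the 1..10 scale")

    @property
    def rpn(self) -> int:
        """Step 10: risk priority number, the product of the three ratings."""
        return self.severity * self.occurrence * self.detection


def rank(rows: List[FailureMode]) -> List[FailureMode]:
    """Step 11: highest RPN first. Ties are broken by severity, then by
    detection, so at equal RPN the worse and less visible failure comes first."""
    return sorted(rows, key=lambda r: (r.rpn, r.severity, r.detection), reverse=True)


def needs_action(row: FailureMode, rpn_threshold: int = 100, severity_floor: int = 9) -> bool:
    """Acceptance test applied in each pass through steps 9-13. The RPN alone is
    not enough: a catastrophic effect (S >= floor) stays open however small O and
    D make the product, because the product hides the severity."""
    return row.rpn > rpn_threshold or row.severity >= severity_floor


def mitigate(row: FailureMode, **new_ratings: int) -> FailureMode:
    """Steps 12-13: record a countermeasure by re-rating. Controls change
    occurrence (prevention) or detection; only a design change lowers severity."""
    unknown = set(new_ratings) - {"severity", "occurrence", "detection"}
    if unknown:
        raise ValueError(f"not a rating: {sorted(unknown)}")
    return replace(row, **new_ratings)


def open_items(rows: List[FailureMode]) -> List[str]:
    """Elements whose failure modes still fail the acceptance test, in rank order."""
    return [r.element for r in rank(rows) if needs_action(r)]


def apply_round(rows: List[FailureMode], plan: Dict[str, Dict[str, int]]) -> List[FailureMode]:
    """Step 13: recalculate the whole worksheet after a round of countermeasures."""
    return [mitigate(r, **plan.get(r.element, {})) for r in rows]


# Constructed worksheet (output of steps 7-9) for the hypothetical service.
WORKSHEET: List[FailureMode] = [
    FailureMode("password store", "weak hash algorithm configured",
                "offline cracking of every credential after a database leak", 9, 3, 7),
    FailureMode("session manager", "predictable session token",
                "hijacking of arbitrary user sessions", 8, 2, 8),
    FailureMode("login rate limiter", "limit bypassed via spoofed client-address header",
                "online password guessing at full speed", 6, 5, 4),
    FailureMode("audit logger", "authentication events silently dropped",
                "incidents cannot be reconstructed", 5, 4, 9),
    FailureMode("TLS endpoint", "certificate expiry goes unnoticed",
                "outage; users trained to click through warnings", 7, 6, 2),
]

# Constructed mitigation plan (step 12): element -> re-rated values.
ROUND_1: Dict[str, Dict[str, int]] = {
    "password store": {"occurrence": 1, "detection": 2},   # config lint + CI check of the hash algorithm
    "session manager": {"occurrence": 1, "detection": 3},  # CSPRNG tokens + entropy test
    "login rate limiter": {"occurrence": 2},               # key the limit on the account, ignore the header
    "audit logger": {"detection": 2},                      # alert when the heartbeat event is missing
}
# Design change (step 12 again): hashes peppered with a key held outside the
# database, so a leaked table is no longer crackable offline -> severity falls.
ROUND_2: Dict[str, Dict[str, int]] = {"password store": {"severity": 6}}


if __name__ == "__main__":
    rows = WORKSHEET
    for n, plan in enumerate(({}, ROUND_1, ROUND_2)):
        rows = apply_round(rows, plan)
        print(f"round {n}: open items -> {open_items(rows)}")
        for r in rank(rows):
            print(f"  RPN {r.rpn:4d}  S{r.severity} O{r.occurrence} D{r.detection}  {r.element}: {r.mode}")
```

After the first round only the password store remains open, although its RPN has fallen from 189 to 18: its severity is still at the floor, and no detection or prevention control changes what a leaked table is worth to an attacker. The second round is a design change, which is what step 12 means when it says "by changing the design", and only then does the loop close.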

Analysis types

Depending on the stage of product development and on the object of analysis, the FMEA method is divided into the following types:

  • SFMEA (system FMEA): analysis of the interactions between the individual elements of the whole system
  • DFMEA (design FMEA): prevents an immature design from being released into production
  • PFMEA (process FMEA): allows processes to be worked out and brought to a fit state

Purposes of FMEA Analysis

Using the FMEA method in a manufacturing enterprise, the following results can be achieved:

  • reducing the cost of production, as well as improving its quality by optimizing the production process;
  • reduction of after-sales repair and service costs;
  • reduction of production preparation time;
  • reducing the number of product revisions after the start of production;
  • increase in customer satisfaction and, as a result, an increase in the manufacturer's reputation.

The peculiarity of FMEA is that in the short term it may not provide tangible financial benefits and may even be costly. In strategic planning, however, it plays a decisive role: carried out once, at the stage of preparation for production, it subsequently brings economic benefits throughout the product life cycle. In addition, the cost of the negative consequences of defects can often exceed the final cost of the product. An example is the aviation industry, where hundreds of human lives depend on the reliability of every part.

When the recovery time and the time between failures are exponentially distributed, the mathematical apparatus of Markov random processes is used to calculate the reliability indicators of systems with recovery (repairable systems). In this case the functioning of the system is described as a process of changing states, and the system is depicted as a graph called the state transition graph.

A random process in a physical system S is called a Markov process if it has the following property: for any moment t_0, the probability of the system being in a given state in the future (t > t_0) depends only on its state in the present (t = t_0) and does not depend on when or how the system arrived at that state. In other words, with the present fixed, the future does not depend on the prehistory of the process (the past, t < t_0).

For a Markov process the "future" depends on the "past" only through the "present": the further course of the process depends only on those past events that have influenced the state of the process at the present moment.

A Markov process, as a process without after-effect, is therefore not completely independent of the past: the past manifests itself in the present.

To use the method, in the general case, a mathematical model of the system S must be available as the set of states S_1, S_2, ..., S_n in which the system can find itself as a result of failures and restorations of its elements.

The model is built under the following assumptions:

  • failed elements of the system (or the object itself) are restored immediately (the start of recovery coincides with the moment of failure);
  • there is no restriction on the number of restorations;
  • all flows of events that transfer the system (object) from state to state are Poisson (simplest) flows; the random process of transitions is then a Markov process with continuous time and discrete states S_1, S_2, ..., S_n.

Basic rules for drawing up the model:

1. The mathematical model is depicted as a state graph, in which

a) circles (the vertices of the graph S_1, S_2, ..., S_n) are the possible states of the system S arising from failures of its elements;

b) arrows are the possible directions of transitions from one state S_i to another S_j.

The transition intensities are written above or below the arrows.

Graph example (figure not reproduced here): two states, S0, the operable state, and S1, the failure state, joined by an arrow S0 → S1 carrying the failure rate λ and an arrow S1 → S0 carrying the recovery rate μ. "Loops" at S0 and S1 denote delays in the respective state: the operable state continues, or the failure state continues.

The state graph reflects a finite (discrete) number of possible system states S_1, S_2, ..., S_n; each vertex of the graph corresponds to one of the states.

2. To describe the random process of state transitions (failure / recovery), the state probabilities

P_1(t), P_2(t), ..., P_i(t), ..., P_n(t)

are used, where P_i(t) is the probability of finding the system in the i-th state at the moment t.

Obviously, for any t

P_1(t) + P_2(t) + ... + P_n(t) = 1

(the normalization condition, since there are no states other than S_1, S_2, ..., S_n).

3. On the basis of the state graph, a system of first-order ordinary differential equations (Kolmogorov-Chapman equations) is compiled.

Consider an element of an installation, or a non-redundant installation itself, that can be in two states: S_0, operable (up), and S_1, the failure (recovery) state.

Let us determine the corresponding state probabilities P_0(t) and P_1(t) at an arbitrary moment t under different initial conditions. We solve this problem under the condition, already noted, that the flow of failures is the simplest flow with λ = const and the flow of recoveries has μ = const, i.e. the time between failures and the recovery time are exponentially distributed.

For any moment of time P_0(t) + P_1(t) = 1 (the probability of a certain event). Fix the moment t and find the probability P_0(t + Δt) that at the moment t + Δt the element is operable. This event is possible under two hypotheses.

1. At the moment t the element was in state S_0, and during the interval Δt no failure occurred. The probability of this is found by the rule of multiplying the probabilities of independent events. The probability that at the moment t the element was in state S_0 is P_0(t). The probability that it did not fail during Δt is e^{-λΔt}. To within terms of a higher order of smallness we can write

e^{-λΔt} ≈ 1 - λΔt.

Therefore the probability of this hypothesis is the product P_0(t)(1 - λΔt).

2. At the moment t the element was in state S_1 (under recovery), during Δt the recovery was completed and the element passed into state S_0. This probability is also found by the rule of multiplying the probabilities of independent events. The probability that at the moment t the element was in state S_1 is P_1(t). The probability that the recovery was completed is found through the probability of the opposite event, i.e.

1 - e^{-μΔt} ≈ μΔt.

Therefore the probability of the second hypothesis is P_1(t)·μΔt.

The probability of the operable state at the moment t + Δt is the probability of the sum of mutually exclusive events, i.e. the sum of the probabilities of the two hypotheses:

P_0(t + Δt) = P_0(t)(1 - λΔt) + P_1(t)·μΔt.

Subtracting P_0(t) from both sides, dividing by Δt and taking the limit as Δt → 0, we obtain the equation for the first state:

dP_0(t)/dt = -λP_0(t) + μP_1(t).

Carrying out similar reasoning for the second state of the element, the failure (recovery) state, we obtain the second equation of state:

dP_1(t)/dt = λP_0(t) - μP_1(t).

Thus, to describe the state probabilities of the element, a system of two differential equations has been obtained; the corresponding state graph is shown in Fig. 2:

dP_0(t)/dt = -λP_0(t) + μP_1(t),

dP_1(t)/dt = λP_0(t) - μP_1(t).

If a directed state graph is available, the system of differential equations for the state probabilities P_k (k = 0, 1, 2, ...) can be written down immediately by the following rule: on the left-hand side of each equation stands the derivative dP_k(t)/dt, and on the right-hand side there are as many terms as there are edges directly connected with this state; if an edge ends at this state, its term has a plus sign, and if it starts from this state, a minus sign. Each term equals the product of the intensity of the flow of events that transfers the element or system along the given edge into another state and the probability of the state from which the edge starts.

The system of differential equations can be used to determine, for electrical systems, the probability of failure-free operation, the availability function and availability factor, the probability that several elements of the system are under repair (restoration), the mean residence time of the system in any state, and the system failure rate, taking into account the initial conditions (the states of the elements).

With the initial conditions P_0(0) = 1, P_1(0) = 0 (and P_0 + P_1 = 1), the solution of the system of equations describing the state of one element has the form

P_0(t) = μ/(λ+μ) + λ/(λ+μ) · e^{-(λ+μ)t}.

Probability of the failure state: P_1(t) = 1 - P_0(t) = λ/(λ+μ) - λ/(λ+μ) · e^{-(λ+μ)t}.

If at the initial moment the element was in the failure (recovery) state, i.e. P_0(0) = 0, P_1(0) = 1, then

P_0(t) = μ/(λ+μ) - μ/(λ+μ) · e^{-(λ+μ)t},

P_1(t) = λ/(λ+μ) + μ/(λ+μ) · e^{-(λ+μ)t}.

(Both pairs satisfy the stated initial conditions at t = 0 and tend to the same limits as t → ∞; only the transient term differs.)


Usually, when reliability indicators are calculated for sufficiently long time intervals (t ≥ (7-8)·t_v, where t_v = 1/μ is the mean recovery time), the state probabilities can be taken, without large error, equal to the steady-state (stationary) probabilities:

P_0(∞) = K_G = P_0 and

P_1(∞) = K_P = P_1.

For the steady state (t → ∞) P_i(t) = P_i = const, so dP_i(t)/dt = 0 and a system of algebraic equations with zero left-hand sides is compiled instead:

0 = -λP_0 + μP_1,

0 = λP_0 - μP_1,

P_0 + P_1 = 1.

(The first two equations are dependent, so the normalization condition is needed to close the system.)

Since K_G is the probability that the system is operable at an arbitrary moment t, this system gives P_0 = K_G, i.e. the probability of the element being operable equals the stationary availability factor, and the failure probability equals the forced downtime factor:

lim P_0(t) = K_G = μ/(λ+μ) = T/(T + t_v),

lim P_1(t) = K_P = λ/(λ+μ) = t_v/(T + t_v),

where T = 1/λ is the mean time between failures and t_v = 1/μ is the mean recovery time. This is the same result as the limit t → ∞ of the solution of the differential equations.

The method of differential equations can also be used to calculate the reliability indicators of non-repairable objects (systems).

In this case the inoperable states of the system are "absorbing", and the intensities μ of the transitions out of these states are excluded.

For a non-repairable object the state graph consists of the operable state S_0 and the failure state S_1 with a single arrow S_0 → S_1 carrying the intensity λ and no return transition.

The system of differential equations:

dP_0(t)/dt = -λP_0(t),

dP_1(t)/dt = λP_0(t).

With the initial conditions P_0(0) = 1, P_1(0) = 0, the probability of being in the operable state, i.e. the probability of failure-free operation up to the operating time t, is obtained (for example, with the Laplace transform) as P_0(t) = e^{-λt}, which is the μ = 0 case of the solution above.
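The derivation above can be checked numerically, and the rule for writing the Kolmogorov equations from the state graph can be made mechanical. The following is an added illustration, not code from the original page: it builds dP_k/dt from a list of graph edges using exactly the sign rule stated above, integrates the system in pure Python, compares the result with the closed-form P_0(t) and the stationary availability K_G = μ/(λ+μ) = T/(T+t_v), and, by dropping the return edge (μ = 0), reproduces the absorbing, non-repairable case P_0(t) = e^{-λt}. The rates λ = 1/1000 per hour (T = 1000 h) and μ = 1/8 per hour (t_v = 8 h) are assumptions for the example; they could equally describe a monitoring sensor that fails about once a thousand hours and takes eight hours to bring back.

```python
"""Two-state Markov availability model built from its state graph.

Added illustration, not the page's own code. The numeric rates lambda and mu
are assumptions for the example.
"""
import math
from typing import Callable, List, Tuple

Edge = Tuple[int, int, float]  # (from_state, to_state, transition intensity)


def kolmogorov_rhs(n_states: int, edges: List[Edge]) -> Callable[[List[float]], List[float]]:
    """Right-hand sides dP_k/dt from the graph: for an edge i -> j with intensity r,
    the term r*P_i enters dP_j/dt with '+' and dP_i/dt with '-'. Every term appears
    once with each sign, so the sum of all P_k is preserved (normalization)."""
    def rhs(p: List[float]) -> List[float]:
        d = [0.0] * n_states
        for i, j, r in edges:
            flow = r * p[i]
            d[i] -= flow
            d[j] += flow
        return d
    return rhs


def integrate_rk4(rhs, p0: List[float], t_end: float, steps: int) -> List[float]:
    """Classical 4th-order Runge-Kutta for dP/dt = rhs(P) on [0, t_end]."""
    h = t_end / steps
    p = list(p0)
    for _ in range(steps):
        k1 = rhs(p)
        k2 = rhs([x + h / 2 * k for x, k in zip(p, k1)])
        k3 = rhs([x + h / 2 * k for x, k in zip(p, k2)])
        k4 = rhs([x + h * k for x, k in zip(p, k3)])
        p = [x + h / 6 * (a + 2 * b + 2 * c + d) for x, a, b, c, d in zip(p, k1, k2, k3, k4)]
    return p


def state_probabilities(lam: float, mu: float, t: float, start_working: bool = True,
                        steps: int = 2000) -> List[float]:
    """[P0(t), P1(t)] for the graph S0 -lam-> S1, S1 -mu-> S0. With mu = 0 the
    return edge is dropped and S1 becomes absorbing (non-repairable element)."""
    edges: List[Edge] = [(0, 1, lam)] + ([(1, 0, mu)] if mu > 0 else [])
    p0 = [1.0, 0.0] if start_working else [0.0, 1.0]
    return integrate_rk4(kolmogorov_rhs(2, edges), p0, t, steps)


def p0_closed_form(lam: float, mu: float, t: float, start_working: bool = True) -> float:
    """Closed-form P0(t) for both initial conditions given in the text."""
    s = lam + mu
    if start_working:                                # P0(0) = 1
        return mu / s + lam / s * math.exp(-s * t)
    return mu / s - mu / s * math.exp(-s * t)        # P0(0) = 0


def steady_state(lam: float, mu: float) -> Tuple[float, float]:
    """(K_G, K_P): stationary availability and forced-downtime factors."""
    return mu / (lam + mu), lam / (lam + mu)


def settled(lam: float, mu: float, t: float, tol: float = 1e-4) -> bool:
    """Is P0(t) within tol of K_G? Checks the '(7-8) t_v' rule of thumb."""
    return abs(p0_closed_form(lam, mu, t) - steady_state(lam, mu)[0]) < tol


if __name__ == "__main__":
    LAM, MU = 1 / 1000, 1 / 8       # assumed: T = 1000 h between failures, t_v = 8 h to repair
    T_V = 1 / MU
    k_g, k_p = steady_state(LAM, MU)
    print(f"K_G = {k_g:.6f}, K_P = {k_p:.6f}")
    for t in (T_V, 4 * T_V, 8 * T_V, 100.0):
        num = state_probabilities(LAM, MU, t)[0]
        print(f"t = {t:6.1f} h  P0 numeric {num:.6f}  closed form "
              f"{p0_closed_form(LAM, MU, t):.6f}  settled: {settled(LAM, MU, t)}")
    print(f"non-repairable, t = 100 h: P0 = {state_probabilities(LAM, 0.0, 100.0)[0]:.6f}"
          f" vs exp(-lam t) = {math.exp(-LAM * 100.0):.6f}")
```

With these rates the transient term λ/(λ+μ)·e^{-(λ+μ)t} is about 3·10^-3 at t = t_v, 1.4·10^-4 at 4·t_v and below 10^-5 from about 7·t_v onwards, which is where the "(7-8)·t_v" rule in the text comes from. The graph-to-equations function is not limited to two states: any list of edges over n states gives the corresponding Kolmogorov system, which is the rule stated above in executable form.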

FEDERAL AGENCY FOR TECHNICAL REGULATION AND METROLOGY

NATIONAL STANDARD OF THE RUSSIAN FEDERATION

GOST R 51901.12-2007 (IEC 60812:2006)

Risk management

FAILURE MODE AND EFFECTS ANALYSIS METHOD

Analysis techniques for system reliability - Procedure for failure mode and effects analysis (FMEA)

Official edition

Foreword

The objectives and principles of standardization in the Russian Federation are established by Federal Law No. 184-FZ of December 27, 2002 "On technical regulation", and the rules for the application of national standards of the Russian Federation by GOST R 1.0-2004 "Standardization in the Russian Federation. Basic provisions".

Information about the standard

1 PREPARED by the Open Joint Stock Company "Research Center for Control and Diagnostics of Technical Systems" (JSC "NIC KD") and the Technical Committee for Standardization TC 10 "Advanced production technologies, management and risk assessment" on the basis of its own authentic translation of the standard specified in paragraph 4

2 INTRODUCED by the Department for Development, Information Support and Accreditation of the Federal Agency for Technical Regulation and Metrology

3 APPROVED AND PUT INTO EFFECT by Order of the Federal Agency for Technical Regulation and Metrology No. 572-st dated December 27, 2007

4 This standard is a modification of the international standard IEC 60812:2006 "Analysis techniques for system reliability - Procedure for failure mode and effects analysis (FMEA)", with technical deviations explained in the introduction to this standard.

The name of this standard has been changed from the name of the specified international standard to comply with GOST R 1.5-2004 (subsection 3.5)

5 INTRODUCED FOR THE FIRST TIME

Information about changes to this standard is published in the annually issued information index "National Standards", and the text of changes and amendments in the monthly issued information indexes "National Standards". In case of revision (replacement) or cancellation of this standard, the corresponding notice will be published in the monthly issued information index "National Standards". The relevant information, notices and texts are also posted in the public information system, on the official website of the Federal Agency for Technical Regulation and Metrology on the Internet.

© Standartinform, 2008

This standard may not be reproduced in whole or in part, replicated and distributed as an official publication without the permission of the Federal Agency for Technical Regulation and Metrology.

Contents

1 Scope
2 Normative references
3 Terms and definitions
4 General provisions
5 Failure mode and effects analysis
6 Other studies
7 Applications
Appendix A (informative) Brief description of the FMEA and FMECA procedures
Appendix B (informative) Examples of studies
Appendix C (informative) List of English abbreviations used in the standard
Bibliography


Introduction

Unlike the international standard it is based on, this standard does not include references to IEC 60050-191:1990 "International Electrotechnical Vocabulary. Chapter 191: Dependability and quality of service", which it is impractical to cite in a national standard in the absence of an adopted harmonized national standard. The content of Section 3 has been changed accordingly. In addition, Appendix C, containing a list of the English abbreviations used, is included in the standard. References to national standards and the supplementary Appendix C are set in italics.

GOST R 51901.12-2007 (IEC 60812: 2006)

NATIONAL STANDARD OF THE RUSSIAN FEDERATION

Risk management

FAILURE MODE AND EFFECTS ANALYSIS METHOD

Risk management. Procedure for failure mode and effects analysis

Date of introduction - 2008-09-01

1 Scope

This standard specifies the methods of failure mode and effects analysis (FMEA) and failure mode, effects and criticality analysis (FMECA) and gives recommendations on their application to achieve the set goals by:

Performing the necessary stages of the analysis;

Identification of relevant terms, assumptions, criticality indicators, failure modes;

Definition of the basic principles of analysis;

Using examples of necessary technological maps or other tabular forms.

All general requirements for FMEA given in this standard also apply to FMECA, because the latter is an extension of FMEA.

2 Normative references

In this standard, normative references are made to the following standards:

GOST R 51901.3-2007 (IEC 60300-2: 2004) Risk management. Reliability management guidelines (IEC60300-2: 2004 "Reliability management. Guidelines for reliability management". MOD)

GOST R 51901.5-2005 (IEC 60300-3-1: 2003) Risk management. Guidance on the application of reliability analysis methods (IEC 60300-3-1: 2003 "Reliability management. Part 3-1. Application guidance. Reliability analysis methods. Methodology manual." MOD)

GOST R 51901.13-2005 (IEC 61025:1990) Risk management. Fault tree analysis (IEC 61025:1990 "Fault tree analysis (FTA)", MOD)

GOST R 51901.14-2005 (IEC 61078:1991) Risk management. Reliability block diagram method (IEC 61078:2006 "Analysis techniques for dependability. Reliability block diagram and Boolean methods", MOD)

GOST R 51901.15-2005 (IEC 61165:1995) Risk management. Application of Markov techniques (IEC 61165:1995 "Application of Markov techniques", MOD)

Note - When using this standard, it is advisable to check the status of the referenced standards in the public information system, on the official website of the Federal Agency for Technical Regulation and Metrology on the Internet, or in the annually issued information index "National Standards", published as of January 1 of the current year, and in the corresponding monthly information indexes issued in the current year. If a referenced standard has been replaced (changed), the replacing (changed) standard should be followed when using this standard. If a referenced standard has been cancelled without replacement, the provision in which the reference is made applies to the extent that does not affect the reference.


3 Terms and definitions

The following terms are used in this standard with the corresponding definitions:

3.1 item: Any part, element, device, subsystem, functional unit, apparatus or system that can be considered independently.

Notes

1 An object may consist of technical equipment, software tools or a combination of these, and may also, in special cases, include technical personnel.

2 A number of objects, for example, their collection or sample, can be considered as an object.

3 A process can also be viewed as an item that performs a specified function and for which an FMEA or FMECA is carried out. Typically, a hardware FMEA does not cover people and their interactions with hardware or software, while a process FMEA usually includes an analysis of human actions.

3.2 failure: loss of the ability of an item to perform a required function

3.3 fault: state of an item characterized by its inability to perform a required function, excluding such inability during maintenance or other planned actions, or due to lack of external resources

Notes

1 A fault is often the result of a failure of the item itself, but may exist without prior failure.

2 In this standard, the term "fault" is used together with the term "failure" for historical reasons.

3.4 failure effect: consequence of a failure mode in terms of the operation, function or status of an item

3.5 failure mode: manner in which an item fails

3.6 failure criticality: combination of the severity of an effect and the frequency of its occurrence, or other attributes of a failure, as a measure of the need to identify the sources and causes of this failure, to reduce the frequency or number of its occurrences, and to reduce the severity of its consequences

3.7 system: set of interrelated or interacting elements

Notes

1 With regard to reliability, the system should have:

a) defined purposes, expressed as requirements for its functions;

b) specified operating conditions;

c) defined boundaries.

2 The structure of the system is hierarchical.

3.8 failure severity: significance or grading of the effect of a failure mode on the operation of the item, on its environment or on the operator, related to the defined boundaries of the item under analysis

4 General provisions

4.1 Introduction

Failure mode and effects analysis (FMEA) is a method of systematically analyzing a system to identify potential failure modes, their causes and effects, and the influence of failure on the functioning of the system (the system as a whole or its components and processes). The term "system" is used to describe hardware, software (with their interactions) or a process. It is recommended that the analysis be carried out at the early stages of development, when it is most cost-effective to eliminate or reduce the consequences and the number of failure modes. The analysis can be started as soon as the system can be represented as a functional block diagram showing its elements.

For more details see.


The timing of the FMEA is very important. If the analysis is carried out at a sufficiently early stage of system development, introducing design changes to eliminate the deficiencies found by the FMEA is more cost-effective. It is therefore important that the goals and objectives of the FMEA are described in the plan and timeline of the development process. Thus, FMEA is an iterative process that runs concurrently with the design process.

FMEA is applicable at various levels of system decomposition - from the highest level of the system (the system as a whole) to the functions of individual components or software commands. FMEAs are continually repeated and updated as the system design improves and changes during development. Design changes require changes to the relevant parts of the FMEA.

In general, an FMEA is the result of the work of a team of qualified specialists capable of recognizing and assessing the significance and consequences of the various potential design and process nonconformities that can lead to product failure. Teamwork stimulates the thinking process and ensures the required quality of expertise.

An FMEA is a method for identifying the severity of the effects of potential failure modes and providing mitigating measures; in some cases the FMEA also includes an assessment of the likelihood of the failure modes, which extends the analysis.

Before FMEA is applied, a hierarchical decomposition of the system (hardware with software, or a process) into basic elements must be performed. Simple block diagrams illustrating the decomposition are useful for this (see GOST R 51901.14). The analysis then begins with the elements of the lowest level of the system. The effect of a failure at a lower level can become the cause of a failure of an item at a higher level. The analysis proceeds bottom-up until the final effects on the system as a whole are determined. This process is shown in Figure 1.

FMECA (failure modes, effects and criticality analysis) extends FMEA by including methods for ranking the severity of failure modes, which allows countermeasures to be prioritized. The combination of severity and failure rate is a measure called criticality.

FMEA principles can be applied outside of design development, at all stages of the product life cycle. The FMEA method can be applied to a manufacturing process or to other processes such as those of hospitals, medical laboratories, education systems, etc. When FMEA is applied to a manufacturing process, the procedure is called process failure mode and effects analysis (PFMEA). For the effective use of FMEA, adequate resources must be provided. A complete understanding of the system is not necessary for a preliminary FMEA; however, as the design progresses, full knowledge of the characteristics and requirements of the system under design is necessary for a detailed analysis of failure modes and effects. Complex technical systems usually require the analysis to be applied to a large number of design disciplines (mechanics, electrical engineering, systems engineering, software engineering, maintenance tools, etc.).

In general, FMEA deals with individual failure modes and their effects on the system as a whole. Each failure mode is considered independently. This procedure is therefore not suitable for dealing with dependent failures or failures that result from a sequence of several events. To analyze such situations, other methods must be applied, such as Markov analysis (see GOST R 51901.15) or fault tree analysis (see GOST R 51901.13).

When determining the effects of a failure, it is necessary to consider failures at higher levels and failures at the same level that result from the failure that has occurred. The analysis should identify all possible combinations of failure modes and their sequences that can cause the effects of higher-level failure modes. In this case, additional modelling is needed to assess the severity or likelihood of such effects.

FMEA is a flexible tool that can be adapted to the specifics of the requirements of a particular production. In some cases, the development of specialized forms and rules for maintaining records is required. Failure mode severity levels (where applicable) for different systems or different levels of the system can be defined in different ways.


[Figure 1 (diagram not reproduced): the system decomposed into subsystems and modules; at each level the effect of a failure mode becomes the cause of a failure mode at the next higher level.]

Figure 1 - Relationship between failure modes and effects in the hierarchical structure of the system


4.2 Goals and objectives of the analysis

The reasons for using failure mode and effects analysis (FMEA) or failure mode, effects and criticality analysis (FMECA) may be:

a) identification of failures that have undesirable consequences for the functioning of the system, such as interruption or significant degradation of performance, or impact on the safety of the user;

b) fulfillment of the customer's requirements specified in the contract;

c) improving the reliability or safety of the system (for example, through design changes or quality assurance actions);

d) improving the maintainability of the system by identifying areas of risk or nonconformity with respect to maintainability.

According to the above reasons, the objectives of FMEA (or FMECA) may be:

a) complete identification and assessment of all undesirable effects within the established system boundaries, and of the sequences of events caused by each identified failure mode at the various levels of the functional structure of the system;

b) determining the criticality (see Section 5) or priority for addressing and mitigating the negative effects of each failure mode that affects the correct operation and parameters of the system or the associated process;

c) classification of the identified failure modes according to characteristics such as ease of detection, diagnosability, testability, and operating and repair conditions (repair, operation, logistics, etc.);

d) identification of functional system failures and assessment of the severity and likelihood of failure;

e) development of a plan to improve the design by reducing the number and effects of failure modes;

f) development of an effective maintenance plan to reduce the likelihood of failures (see IEC 60300-3-11).

NOTE When dealing with criticality and the likelihood of failure, it is recommended to apply the FMECA methodology.

5 Analysis of failure modes and consequences

5.1 Basics

Traditionally, there are quite large differences in the way FMEAs are conducted and presented. Typically, the analysis is performed by identifying failure modes, their associated causes, and their immediate and final effects. The results can be presented in a worksheet containing the most essential information about the system as a whole and details that take its features into account, in particular the paths of potential system failures, the components and failure modes that can cause the system to fail, and the causes of each failure mode.

The application of FMEA to complex products is very difficult. These difficulties may be less if some subsystems or parts of the system are not new and coincide with the subsystems and parts of the previous system design or are their modification. The newly created FMEA should use information from existing subsystems to the greatest extent possible. It should also indicate the need for testing or full analysis of new properties and objects. Once a detailed FMEA has been developed for a system, it can be updated and improved for subsequent system modifications, requiring significantly less effort than a newly developed FMEA.

When the existing FMEA of a previous version of the product is used, it must be ensured that the structure (design) is reused in the same way and under the same loads as before. New loads or environmental influences during operation may require a preliminary review of the existing FMEA before the new FMEA is performed. Differences in external conditions and operational loads may require a new FMEA to be created.

The FMEA procedure consists of the following four main steps:

a) establishing the basic rules for planning and developing a schedule for the implementation of FMEA works (including the allocation of time and ensuring the availability of expertise for performing the analysis);

b) performing the FMEA using appropriate worksheets or other forms such as logic diagrams or fault trees;

c) summarizing and drawing up a report on the results of the analysis, including all conclusions and recommendations;

d) Updating the FMEA as the design and development of the project progresses.

5.2 Preliminary tasks

5.2.1 Planning the analysis

FMEA activities, including actions, procedures, interactions with reliability processes, management of corrective actions, and the timing of completion of these actions and their stages, should be specified in the overall reliability programme plan 1).

The reliability program plan should describe the FMEA methods used. Description of methods can be a stand-alone document or can be replaced by a link to a document containing this description.

The reliability program plan should contain the following information:

Determination of the purpose of the analysis and the expected results;

The scope of the analysis, indicating the structural elements to which the FMEA should pay particular attention. The scope should be appropriate to the maturity of the design and cover structural elements that could be a source of risk because they perform a critical function or are manufactured with unproven or new technology;

A description of how the presented analysis contributes to the overall reliability of the system;

The activities identified for managing FMEA revisions and the related documentation. The management of revisions of the analysis documents and worksheets, and the methods of storing them, should be defined;

The required amount of participation of design experts in the analysis;

Clear identification of the key milestones in the project schedule, so that the analysis is timely;

A method for closing out all actions identified in the process for reducing the identified failure modes under consideration.

The plan must be agreed upon by all project participants and approved by its management. The final FMEA at the end of the product design or manufacturing process (process FMEA) shall identify all recorded actions to eliminate or reduce and reduce the severity of identified failure modes, and the manner in which such actions are taken.

5.2.2 System structure

5.2.2.1 System structure information

Information about the structure of the system should include the following data:

a) a description of the system elements and their characteristics, operating parameters and functions;

b) a description of the logical relationships between elements;

c) the extent and nature of redundancy;

d) the position and role of the system within the equipment as a whole (if any);

e) system inputs and outputs;

f) changes in the structure of the system for different operating conditions.

All levels of the system require information about functions, characteristics and parameters. The levels of the system are considered from the bottom up to the highest level, investigating with the help of FMEA the modes of failure that disrupt each of the functions of the system.

5.2.2.2 Determining the boundaries of the system for analysis

System boundaries include the physical and functional interfaces between the system and its environment, including other systems with which the system under study interacts. The definition of the system boundaries for analysis should be consistent with the system boundaries established for design and maintenance and apply to any level of the system. Systems and / or components that transcend boundaries should be clearly defined and excluded.

Determining the boundaries of a system depends more on its design, intended use, sources of supply, or commercial criteria than on the optimal FMEA requirements. However, where possible, when defining the boundaries, consideration should be given to requirements that facilitate the FMEA and its integration with other related studies. This is especially important if the system is functionally complex, with numerous interrelationships between objects within the boundaries. In such cases, it is useful to define the study boundaries based on system functions rather than hardware and software. This will limit the number of inputs and outputs to other systems and can reduce the number and severity of system failures.

1) For more details on the elements of the reliability program and the reliability plan, see GOST R 51901.3.

GOST R 51901.12-2007

It should be clearly established that all systems or components outside the boundaries of the system under study are considered and excluded from the analysis.

5.2.2.3 Levels of analysis

It is important to determine the level of the system that will be used for the analysis. For example, a system may experience malfunctions or failures of subsystems, replaceable elements, or individual components (see Figure 1). The basic rules for choosing the system levels for analysis depend on the desired results and the availability of the necessary information. The following basic principles are helpful:

a) the highest level of the system is selected based on the design concept and the specified output requirements;

b) the lowest level of the system at which the analysis is effective is the level for which enough information is available to define its functions. The choice of the appropriate level depends on previous experience. For a system based on a mature design with established high levels of reliability, maintainability and safety, a less detailed analysis is applied. A more detailed study, and accordingly lower system levels, is introduced for a newly developed system or a system with an unknown reliability history;

c) the stated or anticipated level of maintenance and repair is a valuable guide in determining the lower levels of the system.

In an FMEA, the determination of the types, causes and consequences of failures depends on the level of analysis and criteria for the failure of the system. In the analysis process, the consequences of a failure identified at a lower level can become failure modes for a higher level of the system. Failure modes at a lower level of the system can cause failures at a higher level of the system, and so on.

When a system is decomposed into its elements, one or more causes produce a failure mode of an element, which in turn is a cause of component failure. Component failure causes the module to fail, which in turn causes the subsystem to fail. The effect of a failure cause at one level of the system thus becomes the cause of an effect at the next higher level. This relationship is shown in Figure 1.

5.2.2.4 Representation of the system structure

The symbolic representation of the structure of the functioning of the system, especially in the form of a diagram, is very useful in the analysis.

It is necessary to develop simple diagrams reflecting the basic functions of the system. In the diagram, the block connection lines represent the inputs and outputs for each function. The nature of each function and each input must be accurately described. Several diagrams may be required to describe the different phases of a system's operation.

As the system design progresses, a block diagram representing real components or parts can be developed. This representation provides additional information for more accurately identifying potential failure modes and their causes.

Block diagrams should reflect all elements, their relationships, redundancy and functional relationships between them. This ensures the traceability of functional failures of the system. Several block diagrams may be required to describe the alternative modes of operation of the system. Separate diagrams may be required for each mode of operation. At a minimum, each block diagram should contain:

a) decomposition of the system into main subsystems, including their functional relationships;

b) all appropriately labelled inputs and outputs and the identification numbers of each subsystem;

c) all redundancies, alarms and other technical features that protect the system from failures.

5.2.2.5 Start-up, operation and maintenance

The status of the various modes of operation of the system, as well as changes in the configuration or position of the system and its components during the different stages of operation, should be determined. The minimum system performance requirements should be defined so that the criteria for failure and / or performance are clear and understandable. Availability or safety requirements should be established based on the specified minimum levels of performance required for operation and the maximum levels of damage that can be accepted. Accurate information is required on:

a) the duration of each function performed by the system;

b) the time interval between periodic tests;

c) the time available to take corrective action before serious consequences for the system occur;

d) any facilities used, environmental conditions and / or personnel, including interfaces and interactions with operators;

e) the workflows during system startup, shutdown and other transitions (repair);

f) control during the stages of operation;

g) preventive and / or corrective maintenance;

h) the test procedures, if applicable.

One of the important uses of FMEA is to assist in the development of a maintenance strategy. The facilities, equipment and spare parts needed for preventive and corrective maintenance should therefore also be known.

5.2.2.6 System environment

The environmental conditions of the system must be determined, including external conditions and degradations created by other systems in the vicinity. The system's relationships, interdependencies or interactions with supporting and other systems, with interfaces and with personnel must be described.

At the design stage, not all of this data is known and therefore approximations and assumptions must be used. As the project progresses and data increases, FMEA changes should be made to accommodate new information or changed assumptions and approximations. FMEA is often used to define the necessary conditions.

5.2.3 Determination of failure modes

The successful functioning of the system depends on the functioning of the critical elements of the system. To assess the functioning of a system, it is necessary to identify its critical elements. The effectiveness of procedures for identifying failure modes, their causes and consequences can be improved by preparing a list of expected failure modes based on the following data:

a) the purpose of the system;

b) the characteristics of the elements of the system;

c) the operating mode of the system;

d) operational requirements;

e) time limits;

f) environmental influences;

g) workloads.

An example of a list of common failure modes is shown in Table 1.

Table 1 - Example of common failure modes

NOTE - This list is only an example. Different lists correspond to different types of systems.

In fact, each type of failure can be attributed to one or more of these general types. However, these common failure modes are too broad for analysis. Consequently, the list must be expanded in order to narrow the group of failures attributed to each general failure mode for the object under study. Requirements for input, output and control parameters and the potential failure modes must be identified and described on the reliability block diagram of the object. It should be noted that one type of failure can have several causes.

It is important that all objects within the system boundary are assessed at the lowest level consistent with the objectives of the analysis, so that all potential failure modes are identified. Studies are then carried out to determine possible failures, as well as the consequences of failures for subsystems and system functions.

Component suppliers should identify potential failure modes for their products. Typically, failure mode data can be obtained from the following sources:

a) for new objects, data from other objects with a similar function and structure can be used, as well as the results of tests of these objects with appropriate loads;

b) for new objects, potential failure modes and their causes are determined in accordance with the design objectives and a detailed analysis of the object's functions. This method is preferable to the one given in item a), since the loads and the actual functioning may differ for similar objects. An example of such a situation is a signal-processing FMEA in which the processor differs from the one used in a similar project;

c) for facilities in service, reporting data related to maintenance and failures can be used;

d) Potential failure modes can be determined based on an analysis of the functional and physical parameters specific to the operation of the facility.

It is important that failure modes are not overlooked due to lack of data, and that initial estimates are improved based on test results and development data; the FMEA should record the status of such estimates.

Identification of failure modes and, where necessary, the definition of design corrective actions, quality assurance preventive actions or product maintenance actions are essential. It is more important to identify and, where possible, mitigate the consequences of failure modes by design measures than to know the likelihood of their occurrence. If prioritization is difficult, a criticality analysis may be required.

5.2.4 Reasons for failure

The most likely causes of each potential failure mode should be identified and described. Since a failure mode can have multiple causes, the most likely independent causes for each failure mode must be identified and described.

Identifying and describing the causes of failures is not always necessary for all failure modes identified in the analysis. Identification and description of the causes of failures and proposals for their elimination should be carried out on the basis of a study of the consequences of failures and their severity. The more severe the consequences of a failure mode, the more accurately the reasons for the failure must be identified and described. Otherwise, the analyst may spend unnecessary effort in identifying the causes of such failure modes that do not affect the functioning of the system or have very minor consequences.

The causes of failures can be determined based on the analysis of operational failures or failures during testing. If the design is new and unprecedented, the causes of failures can be established by expert methods.

Once the causes of the failure modes have been identified, the recommended actions are evaluated on the basis of the estimated occurrence of the causes and the severity of the consequences.

5.2.5 Consequences of failure

5.2.5.1 Determining the consequences of failure

The consequence of a failure is the result of the action of the failure mode in terms of the operation, performance or status of the system (see definition 3.4). The consequence of a failure can be caused by one or more types of failure of one or more objects.

The consequences of each failure mode on the functioning of the elements, the function or the status of the system must be identified, evaluated and recorded. Maintenance activities and system objectives should also be reviewed whenever necessary. The consequences of a failure can affect the next and, ultimately, the highest level of the system analysis. Therefore, at each level, the consequences of failures must be assessed for the next higher level.

5.2.5.2 Local consequences of failure

The expression "local consequences" refers to the consequences of the failure mode for the element of the system under consideration. The consequences of each possible failure at the output of the object should be recorded. The purpose of identifying local consequences is to provide a basis for assessing existing alternative provisions or developing recommended corrective actions. In some cases there may be no local consequences other than the failure itself.

5.2.5.3 Consequences of failure at the system level

When identifying the consequences for the system as a whole, the consequences of a possible failure for the highest level of the system are determined and assessed based on the analysis at all intermediate levels. Higher-level consequences can result from multiple failures. For example, a failure of a safety device leads to catastrophic consequences for the system as a whole only if the safety device fails at the same time as the main system function it protects exceeds its permissible limits. Such consequences resulting from multiple failures should be reported in the worksheets.

5.2.6 Failure detection methods

For each failure mode, the analyst should determine how the failure is detected and the means that the operator or maintenance technician uses to diagnose it. Failure diagnosis can be performed by technical means, by automatic means provided in the design (built-in testing), or by a special control procedure before the system is started or during maintenance. Diagnosis can be carried out when the system is started, during its operation or at set time intervals. In any case, after the failure has been diagnosed, the hazardous operating mode must be eliminated.

Failure modes other than the one under consideration that have identical manifestations should be analyzed and listed. Consideration should be given to the need for separate diagnostics of failures of redundant elements during system operation.

For a design FMEA, failure detection considers how likely it is, when and where a design flaw will be identified (by analysis, simulation, testing, etc.). For a process FMEA, failure detection considers the likelihood and the place where process deficiencies and nonconformities can be identified (for example, by the operator in statistical process control, during quality control, or later in the process).

5.2.7 Failure compensation provisions

The identification of all design features at a given system level, or other safety measures, that can prevent or mitigate the consequences of failure modes is extremely important. The FMEA should clearly show the true effect of these safety measures in the context of a specific failure mode. Failure prevention measures to be recorded in the FMEA include the following:

a) redundant objects that allow long-term operation if one or more elements fail;

b) alternative means of work;

c) monitoring or signaling devices;

d) any other methods and means of efficient operation or limitation of damage.

During the design process, functional elements (hardware and software) can be repeatedly rebuilt or re-formed, and their capabilities can also be changed. At each stage, the need to analyze the identified failure modes and to apply the FMEA should be confirmed or even revised.

5.2.8 Classification of severity of failure

Failure severity is an assessment of the significance of the impact of the consequences of a failure mode on the operation of an object. The classification of failure severity depends on the particular application of the FMEA and is designed taking into account several factors:

System performance, and the consequences of potential failures for the user or the environment;

Functional parameters of a system or process;

Any customer requirements specified in the contract;

Legal and safety requirements;

Warranty claims.

Table 2 provides an example of a qualitative classification of the severity of consequences when performing one of the FMEA types.

Table 2 - Illustrative example of the classification of the severity of the consequences of failure

Failure severity class number | Severity class name | Description of the consequences of failure for people or the environment
IV | Catastrophic | The failure mode can lead to the interruption of the primary functions of the system and cause severe damage to the system and the environment and / or death and serious injury to people
III | Critical | The failure mode may lead to the termination of the primary functions of the system and cause significant damage to the system and the environment, but does not pose a serious threat to human life or health
II | Minimal | The failure mode can impair the performance of system functions without noticeable damage to the system or threat to the life or health of people
I | Insignificant | The failure mode can impair the performance of the system's functions, but does not cause damage to the system and does not pose a threat to the life and health of people

5.2.9 Frequency or likelihood of failure

The frequency or likelihood of occurrence of each failure mode should be determined to assess the consequences or severity of the failure.

To determine the likelihood of a failure mode occurring, in addition to published information on failure rates, it is very important to consider the actual operating conditions of each component (environmental, mechanical and / or electrical loads), since these contribute to the likelihood of failure. This is necessary because the component failure rates and, consequently, the rates of the failure modes under consideration in most cases increase with the applied loads according to a power or exponential law. The likelihood of failure modes for a system can be estimated using:

Life test data;

Available databases of failure rates;

Operational failure data;

Data on failures of similar objects or components of a similar class.

FMEA failure probability estimates refer to a specified time period. This is usually the warranty period or the specified life of the object or products.

The application of frequency and probability of occurrence of failure is explained below in the description of criticality analysis.

5.2.10 Analysis procedure

The block diagram shown in Figure 2 shows the general analysis procedure.

5.3 Failure Modes, Effects and Severity Analysis (FMECA)

5.3.1 Purpose of analysis

The letter C included in the abbreviation FMECA means that the failure mode analysis also leads to a criticality analysis. Determining criticality implies the use of a qualitative measure of the consequences of failure modes. Criticality has many definitions and ways of measuring, most of which have a similar meaning: the impact or significance of a failure mode that needs to be eliminated or mitigated. Some of these measurement methods are explained in 5.3.2 and 5.3.4. The purpose of criticality analysis is to qualitatively determine the relative magnitude of each failure consequence. These values are used to prioritize actions to eliminate failures or reduce their consequences, based on the combination of the criticality of failures and the severity of their consequences.

5.3.2 Risk R and Risk Priority Value (RPN)

One of the methods for quantifying criticality is to determine the risk priority value. The risk in this case is assessed by a subjective measure of the severity of the consequences and the likelihood of the failure occurring within the given period of time used for the analysis. In some cases, when this method is not applicable, it is necessary to turn to the simpler form of non-quantitative FMEA.

Figure 2 - Block diagram of the analysis

As a general measure of potential risk R, some types of FMECA use the quantity

$R = S \cdot P$

where S is the value of the severity of the consequences, i.e., the degree of influence of the failure on the system or user (dimensionless value);

P is the probability of failure (dimensionless value). If it is less than 0.2, it can be replaced by the criticality value C, which is used in some quantitative FMEA methods described in 5.3.4 (assessment of the likelihood of occurrence of the failure consequences).

Some FMEA or FMECA applications further emphasize the failure detection level for the system as a whole. In these cases, an additional failure detection value D (also dimensionless) is used to form the risk priority value RPN:

$RPN = S \cdot O \cdot D$

where O is the probability of a failure for a given or specified period of time (this value can be defined as a rank rather than the actual probability of failure);

D characterizes the detection of a failure and is an estimate of the chance of identifying and eliminating the failure before the consequences for the system or the customer appear. D values are usually ranked in reverse order with respect to the probability of occurrence of a failure or the severity of failure: the higher the D value, the less likely it is that the deviation will be detected. A lower probability of detection corresponds to a higher RPN value and a higher priority of the failure mode.

The risk prioritization value RPN can be used to prioritize the reduction of failure modes. In addition to the risk priority value, for making a decision on reducing the failure modes, first of all, the value of the severity of the failure modes is taken into account, implying that with equal or close RPN values, this decision should first of all be applied to the failure modes with higher failure severity values.

These values ​​can be evaluated numerically using a continuous or discrete scale (finite number of specified values).

The failure modes are then ranked according to their RPN. High priority is assigned to high RPN values. In some cases the consequences of failure modes with an RPN exceeding the specified limit are unacceptable, while in other cases high failure severity values are treated as unacceptable regardless of the RPN values.

Different types of FMECA use different scales of values for S, O and D, for example from 1 to 4 or 5. Some types of FMECA, for example those used in the automotive industry for design and manufacturing analysis and called DFMEA and PFMEA, use a scale from 1 to 10.
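The ranking rule of 5.3.2 (order by RPN, break ties by severity, and treat failure modes above an RPN limit or with a high severity as unacceptable) is shown below as a worked example. This is added example code, not part of the standard; the worksheet rows describe a hypothetical authentication service on the 1 to 10 DFMEA scale, and the item names, S, O and D ranks, and the limits 100 and 9 are constructed for illustration.

```python
"""Risk priority value (RPN) ranking as described in 5.3.2.

Added example, not part of GOST R 51901.12-2007. The failure modes below are
constructed to illustrate a design FMEA of a hypothetical authentication service.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    item: str   # system element under analysis
    mode: str   # failure mode of that element
    S: int      # severity of the consequences (rank)
    O: int      # probability of occurrence in the analysis period (rank)
    D: int      # detection rank: higher means less likely to be detected in time


def rpn(fm: FailureMode, scale_max: int = 10) -> int:
    """RPN = S * O * D; every factor must lie on the 1..scale_max ranking scale."""
    for name, value in (("S", fm.S), ("O", fm.O), ("D", fm.D)):
        if not 1 <= value <= scale_max:
            raise ValueError(f"{name}={value} is outside the ranking scale 1..{scale_max}")
    return fm.S * fm.O * fm.D


def rank_failure_modes(modes, scale_max: int = 10):
    """Order failure modes for action: highest RPN first; with equal RPN the
    higher severity S comes first (5.3.2). Remaining ties keep worksheet order
    because sorted() is stable."""
    return sorted(modes, key=lambda fm: (-rpn(fm, scale_max), -fm.S))


def flag_unacceptable(modes, rpn_limit: int, severity_limit: int, scale_max: int = 10):
    """Return {(item, mode): reasons} for failure modes whose RPN exceeds
    rpn_limit or whose severity alone reaches severity_limit. The second rule
    implements the practice of treating high-severity modes as unacceptable
    regardless of their RPN."""
    flagged = {}
    for fm in modes:
        reasons = []
        if rpn(fm, scale_max) > rpn_limit:
            reasons.append("RPN above limit")
        if fm.S >= severity_limit:
            reasons.append("severity above limit")
        if reasons:
            flagged[(fm.item, fm.mode)] = reasons
    return flagged


# Constructed worksheet rows (hypothetical values on the 1..10 DFMEA scale).
WORKSHEET = [
    FailureMode("session service", "expired token accepted as valid", S=9, O=3, D=7),
    FailureMode("audit logging", "log write fails silently", S=6, O=4, D=9),
    FailureMode("TLS termination", "weak cipher suite negotiated", S=7, O=2, D=3),
    FailureMode("backup job", "backup archive corrupt on restore", S=8, O=3, D=9),
]

if __name__ == "__main__":
    for fm in rank_failure_modes(WORKSHEET):
        print(f"RPN={rpn(fm):4d}  S={fm.S} O={fm.O} D={fm.D}  {fm.item}: {fm.mode}")
    for key, reasons in flag_unacceptable(WORKSHEET, rpn_limit=100, severity_limit=9).items():
        print(key, "->", ", ".join(reasons))
```

With these constructed ranks, the two modes with RPN 216 are separated by severity (the backup mode, S=8, is listed before the logging mode, S=6), and the session mode is flagged twice: its RPN of 189 exceeds the limit and its severity of 9 reaches the severity limit on its own.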

5.3.3 Relationship of FMECA to risk analysis

The combination of the probability of occurrence and the severity of the consequences characterizes a risk that differs from commonly used risk indicators in being less rigorous and requiring less effort to assess. The differences lie not only in the way in which the severity of failure consequences is predicted, but also in describing the interactions between the contributing factors using the usual bottom-up FMECA procedure. Moreover, the FMECA usually allows for a relative ranking of the contributions to the total risk, while the risk analysis for a high-risk system is usually focused on acceptable risk. However, for systems with low risk and low complexity, FMECA may be a more cost-effective and appropriate method. Whenever the FMECA reveals the likelihood of high-risk consequences, the use of probabilistic risk analysis (PRA) is preferred over FMECA.

For this reason, FMECA should not be used as the only method for deciding the acceptability of the risk of specific consequences for a high-risk or high-complexity system, even if the estimates of the frequency and severity of consequences are based on reliable data. This should be the task of probabilistic risk analysis, where more influencing parameters (and their interactions) can be taken into account (e.g. dwell time, probability of prevention of consequences, latent failures of failure detection mechanisms).

In accordance with the FMEA, each identified failure effect is assigned to an appropriate severity class. The frequency of occurrence of events is calculated from failure data or estimated for the component under investigation. The frequency of occurrence multiplied by the specified operating time gives the criticality value, which is then applied directly to the scale or, if the scale represents the probability of occurrence of an event, this probability is determined in accordance with the scale. The severity class of the consequences and the criticality class (or the probability of occurrence) for each consequence together constitute the magnitude of the consequence. There are two main methods for assessing criticality: the criticality matrix and the risk priority value RPN.

5.3.4 Determination of failure rate

If the failure rates for failure modes of similar objects are known, determined for external and operating conditions similar to those adopted for the system under study, these rates can be used directly in the FMECA. If only component failure rates (rather than failure mode rates) are available, or they were obtained under external and operating conditions different from those required, the failure mode rates must be calculated. In this case, the following relation is usually used:

$\lambda_i = \lambda_j \, \alpha_i \, \beta_i$

where $\lambda_i$ is the estimated rate of the i-th failure mode (the failure rate is assumed to be constant);

$\lambda_j$ is the failure rate of the j-th component;

$\alpha_i$ is the ratio of the number of failures of the i-th mode to the total number of failures, i.e., the probability that the object will fail in the i-th mode;

$\beta_i$ is the conditional probability of the consequence of the i-th failure mode.

The main disadvantage of this method is the implicit assumption that the failure rate is constant, and that many of the parameters used are derived from predictions or assumptions. This is especially important when there are no data on the failure rates of the system components, but only a calculated probability of failure for a specified operating time under the corresponding loads.

With indicators that take into account changes in environmental conditions, loads, maintenance, data on failure rates obtained under conditions other than the studied conditions can be recalculated.

Recommendations for the selection of values ​​for these indicators can be found in the relevant reliability publications. The correctness and applicability of the selected values ​​of these parameters should be carefully checked for the specific system and its operating conditions.

In some cases, for example in a quantitative method of analysis, the criticality value of the failure mode $C_i$ (not to be confused with the total criticality value, which can take a different value) is used instead of the failure mode rate $\lambda_i$. The criticality value is related to the notional failure rate and the operating time and can be used to obtain a more realistic risk assessment for a specific failure mode during a given time of product use:

$C_i = \lambda_j \, \alpha_i \, \beta_i \, t_j$

where $t_j$ is the operating time of the component during the whole period specified for the FMECA study, for which the probability is estimated, i.e., the active operating time of the j-th component.

The criticality value for a component with m failure modes is determined by the formula

$C_r = \sum_{i=1}^{m} \lambda_j \, \alpha_i \, \beta_i \, t_j$

It should be noted that the criticality value is not related to criticality as such. It is only a value calculated in some FMECA types and is a relative measure of the consequences of a failure mode and the likelihood of its occurrence. Here, the criticality value is a measure of risk, not a measure of failure occurrence.

The probability $P_i$ of occurrence of the i-th failure mode in time t for the obtained criticality is

$P_i = 1 - e^{-C_i}$

If the failure mode rates and the corresponding criticality values ​​are small, then, with a rough approximation, it can be argued that for the probabilities of occurrence less than 0.2 (the criticality is 0.223), the criticality and failure probability are very close.

In the case of variable failure rates or failure mode rates, the probability of failure must be calculated directly rather than the criticality, since the criticality is based on the assumption of a constant failure rate.


5.3.4.1 Criticality matrix

Criticality can be represented as a criticality matrix, as shown in Figure 3. Note that there is no universal definition of criticality. Criticality should be determined by the analyst and accepted by the program or project manager. Definitions can vary significantly for different purposes.

In the criticality matrix shown in Figure 3, it is assumed that the severity of the consequences increases with its value. In this case, IV corresponds to the highest severity of the consequences (death of a person and / or loss of system function, injury to people). In addition, it is assumed that on the ordinate the probability of occurrence of a failure mode increases from bottom to top.

[Figure 3: criticality matrix; abscissa - severity of consequences, ordinate - probability of occurrence of the failure mode]

Figure 3 - Criticality Matrix

If the highest probability of occurrence does not exceed 0.2, then the probability of occurrence of a failure mode and the criticality value are approximately equal to each other. The following scale is often used when compiling a criticality matrix:

Criticality value 1 or E. Practically improbable failure; the probability of its occurrence lies in the interval $0 \le P_i < 0.001$;

Criticality value 2 or D. Rare failure; the probability of its occurrence lies in the interval $0.001 \le P_i < 0.01$;

Criticality value 3 or C. Possible failure; the probability of its occurrence lies in the interval $0.01 \le P_i < 0.1$;

Criticality value 4 or B. Probable failure; the probability of its occurrence lies in the interval $0.1 \le P_i < 0.2$;

Criticality value 5 or A. Frequent failure; the probability of its occurrence lies in the interval $0.2 \le P_i < 1$.

Figure 3 is an example only. In other methods, different designations and definitions can be used for criticality and for the severity of the consequences.

In the example in Figure 3, failure mode 1 has a higher probability of occurrence than failure mode 2, which has a higher severity of consequences. The decision as to which failure mode has the higher priority depends on the type of scale, the severity and frequency grades, and the ranking principles used. Although, for a linear scale, failure mode 1 (as usual in the criticality matrix) should have a higher criticality (or likelihood of occurrence) than failure mode 2, there may be situations where severity has absolute priority over frequency. In this case, failure mode 2 is the more critical failure mode. Another obvious conclusion is that only failure modes belonging to one level of the system can reasonably be compared using the criticality matrix, since failure modes at a lower level usually have a lower frequency.

As shown above, the criticality matrix (see Figure 3) can be used both qualitatively and quantitatively.

5.3.5 Risk acceptability assessment

GOST R 51901.12-2007

If the required analysis result is a criticality matrix, a diagram of the distribution of severity and event frequency can be drawn. Risk acceptability is determined subjectively or is guided by professional and financial decisions depending on the type of production. Table 3 shows some examples of acceptable risk classes and a modified criticality matrix.

Table 3 - Risk / severity matrix (cells give the class of the consequences)

Failure rate                        Severity level
                                    Negligible            Minor                 Critical              Catastrophic
1 Practically improbable failure    Minor                 Minor                 Tolerable             Tolerable
2 Rare failure                      Minor                 Tolerable             Undesirable           Undesirable
3 Possible failure                  Tolerable             Undesirable           Undesirable           Unacceptable
4 Probable failure                  Tolerable             Undesirable           Unacceptable          Unacceptable
5 Frequent failure                  Undesirable           Unacceptable          Unacceptable          Unacceptable
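The following Python helpers are an added illustration of 5.3.4 and 5.3.5; they are not code from GOST R 51901.12-2007. They transcribe the five-level occurrence scale quoted above Figure 3 and the acceptability classes of Table 3, and they contrast the two ranking rules discussed for Figure 3: a linear criticality score against severity-first ranking. The two failure modes at the end are constructed sample data.

```python
"""Criticality-matrix helpers (added illustration; not part of the standard)."""

# Probability-of-occurrence scale from the text: (value, letter, name, lower, upper)
OCCURRENCE_SCALE = [
    (1, "E", "practically improbable", 0.0, 0.001),
    (2, "D", "rare", 0.001, 0.01),
    (3, "C", "possible", 0.01, 0.1),
    (4, "B", "probable", 0.1, 0.2),
    (5, "A", "frequent", 0.2, 1.0),
]

# Severity classes I..IV in the column order of Table 3 (IV = most severe)
SEVERITY_CLASSES = ["negligible", "minor", "critical", "catastrophic"]

# Table 3: rows keyed by occurrence value, columns in SEVERITY_CLASSES order
RISK_MATRIX = {
    1: ["minor", "minor", "tolerable", "tolerable"],
    2: ["minor", "tolerable", "undesirable", "undesirable"],
    3: ["tolerable", "undesirable", "undesirable", "unacceptable"],
    4: ["tolerable", "undesirable", "unacceptable", "unacceptable"],
    5: ["undesirable", "unacceptable", "unacceptable", "unacceptable"],
}


def occurrence_value(p):
    """Map a probability of occurrence to its (value, letter) on the 1..5 / E..A scale."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    for value, letter, _name, lower, upper in OCCURRENCE_SCALE:
        if lower <= p < upper:
            return value, letter
    return 5, "A"  # p == 1.0: the last interval in the text is half-open; treat as frequent


def risk_class(p, severity):
    """Look up the Table 3 acceptability class for a probability and a severity name."""
    value, _letter = occurrence_value(p)
    return RISK_MATRIX[value][SEVERITY_CLASSES.index(severity)]


def rank_failure_modes(modes, severity_first=False):
    """Order failure modes from most to least critical.

    modes: list of (name, p, severity_class) with severity_class 1..4 (IV = 4).
    Linear rule: criticality = occurrence value x severity class, as on a linear
    criticality matrix. severity_first=True gives severity absolute priority over
    frequency, the alternative the text describes for Figure 3.
    """
    def key(mode):
        _name, p, severity = mode
        value, _letter = occurrence_value(p)
        if severity_first:
            return (-severity, -value)
        return (-(value * severity), -severity)

    return [name for name, _p, _severity in sorted(modes, key=key)]


# Constructed sample data mirroring the Figure 3 discussion: failure mode 1 is
# more frequent, failure mode 2 is more severe.
EXAMPLE_MODES = [
    ("failure mode 1", 0.15, 2),   # probable (4, B), severity class II
    ("failure mode 2", 0.005, 3),  # rare (2, D), severity class III
]

if __name__ == "__main__":
    for name, p, severity in EXAMPLE_MODES:
        print(name, occurrence_value(p), risk_class(p, SEVERITY_CLASSES[severity - 1]))
    print("linear ranking:", rank_failure_modes(EXAMPLE_MODES))
    print("severity first:", rank_failure_modes(EXAMPLE_MODES, severity_first=True))
```

With the linear rule failure mode 1 (4 x 2 = 8) outranks failure mode 2 (2 x 3 = 6); with severity given absolute priority the order is reversed, which is exactly the ambiguity the text warns about when ranking principles are not fixed in advance.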

5.3.6 FMECA types and ranking scales

The FMECA types described in 5.3.2 and widely used in the automotive industry are usually applied to analyze the design of products as well as the manufacturing processes of these products.

The analysis methodology is the same as described for general FMEA / FMECA, with the addition of the definitions given in three tables for the values of severity S, occurrence O and detection D.

5.3.6.1 Alternative determination of severity

Table 4 provides an example of a severity ranking that is commonly used in the automotive industry.

Table 4 - Severity of failure mode consequences

Rank  Severity of the consequences   Criterion
1     None                           No consequences
2     Very minor                     The finish (noise level) of the item does not meet the requirements. The defect is noticed by demanding customers (less than 25 %)
3     Minor                          The finish (noise level) of the item does not meet the requirements. The defect is noticed by 50 % of customers
4     Very low                       The finish (noise level) of the item does not meet the requirements. The majority of customers notice the defect (more than 75 %)
5     Low                            The vehicle is functional, but the comfort / convenience system works at a reduced, ineffective level. The customer experiences some dissatisfaction
6     Moderate                       The vehicle / assembly is operational, but the comfort / convenience system is not operational. The customer is uncomfortable
7     High                           The vehicle / assembly is operational, but at a reduced level of efficiency. The customer is very dissatisfied
8     Very high                      The vehicle / assembly is inoperative (loss of primary function)
9     Dangerous with warning         Very high severity: a potential failure mode affects the safe operation of the vehicle and / or causes non-compliance with mandatory safety requirements, with warning of the danger
10    Dangerous without warning      Very high severity: a potential failure mode affects the safe operation of the vehicle and / or causes non-compliance with mandatory safety requirements, without warning of the danger

NOTE The table is taken from SAE J1739 [3].


The severity rank of the consequences is assigned to each failure mode on the basis of the impact of the consequences of the failure on the system as a whole, its safety, the fulfillment of requirements, goals and restrictions, and the type of vehicle as a system. The severity grade is entered on the FMECA sheet. The definition of the severity rank given in Table 4 is exact for severity values 6 and above and should be used in that formulation. Determining a severity rank from 3 to 5 can be subjective and depends on the characteristics of the task.

5.3.6.2 Failure occurrence characteristics

Table 5 (also taken from the FMECA used in the automotive industry) gives examples of qualitative measures characterizing the occurrence of a failure that can be used in the RPN concept.

Table 5 - Ranks of failure occurrence according to failure frequency and probability

Characteristic of failure occurrence     Failure rate                            Rank
Very low: failure unlikely               < 0.010 per 1000 vehicles / items       1
Low: relatively few failures             0.1 per 1000 vehicles / items           2
                                         0.5 per 1000 vehicles / items           3
Moderate: occasional failures            1 per 1000 vehicles / items             4
                                         2 per 1000 vehicles / items             5
                                         5 per 1000 vehicles / items             6
High: repeated failures                  10 per 1000 vehicles / items            7
                                         20 per 1000 vehicles / items            8
Very high: failure almost inevitable     50 per 1000 vehicles / items            9
                                         > 100 per 1000 vehicles / items         10

NOTE See AIAG [4].

In Table 5, "frequency" means the ratio of the number of favorable cases to all possible cases of the event in question during the execution of the mission (task) or the service life. For example, a failure mode corresponding to a value between 0 and 9 can cause one of three systems to fail during the mission period. Here the determination of the probability of occurrence of failures is tied to the period of time investigated; it is recommended that this period be indicated in the heading of the FMEA table.

Best practice is to calculate the probability of occurrence for the components and their failure modes from the corresponding failure rates under the expected loads (external operating conditions). If the required information is not available, a score can be assigned, but the specialists performing the FMEA should bear in mind that the failure occurrence value is the number of failures per 1000 vehicles during a given time interval (warranty period, vehicle service life, etc.). Thus it is the calculated or estimated probability of the appearance of a failure mode over the studied period of time. Unlike the scale of severity of consequences, the scale of occurrence of failures is neither linear nor logarithmic. Therefore it should be borne in mind that the RPN value calculated from the estimates is also non-linear, and it must be used with extreme care.

5.3.6.3 Ranking the probability of failure detection

The RPN concept provides for an assessment of the probability of failure detection, i.e. the likelihood that the hardware and verification procedures provided for by the design will detect possible failure modes in time to prevent failures at the level of the system as a whole. For a process FMEA (PFMEA), it is the likelihood that the series of process control actions is able to detect and isolate a failure before it affects downstream processes or the finished product.

In particular, for products that can be used in several other systems and applications, the probability of detection can be difficult to estimate.


Table 6 shows one of the detection ranking methods used in the automotive industry.

Table 6 - Criteria for evaluating the detection of a failure mode

Rank  Detection characteristic        Criterion: likelihood that the specified design controls detect the failure mode
1     Practically one hundred percent Design controls almost always detect a potential cause / mechanism and the subsequent failure mode
2     Very good                       Very high chance that design controls will detect a potential cause / mechanism and the subsequent failure mode
3     Good                            High chance that design controls will detect a potential cause / mechanism and the subsequent failure mode
4     Moderately good                 Moderately high chance that design controls will detect a potential cause / mechanism and the subsequent failure mode
5     Moderate                        Moderate chance that design controls will detect a potential cause / mechanism and the subsequent failure mode
6     Weak                            Low chance that design controls will detect a potential cause / mechanism and the subsequent failure mode
7     Very weak                       Very low chance that design controls will detect a potential cause / mechanism and the subsequent failure mode
8     Bad                             Design controls are unlikely to detect a potential cause / mechanism and the subsequent failure mode
9     Very bad                        It is almost unbelievable that design controls will detect a potential cause / mechanism and the subsequent failure mode
10    Practically impossible          The design controls cannot detect a potential cause / mechanism and the subsequent failure mode, or no controls are provided

5.3.6.4 Risk assessment

The intuitive method described above should be accompanied by prioritization of actions aimed at ensuring the highest level of safety for the customer (consumer, client). For example, a failure mode with a high severity value, a low occurrence rate and a very high detection value (e.g. 10, 3 and 2) may have a much lower RPN (in this case 60) than a failure mode with average values of all the listed quantities (e.g. 5 in each case) and, accordingly, RPN = 125. Therefore additional procedures are often used to ensure that failure modes with a high severity rank (e.g. 9 or 10) are prioritized and corrected first. In this case the decision should also be guided by the severity rank, and not just by the RPN. In all cases the severity rank must be considered along with the RPN to make a better-informed decision.

Risk prioritization values ​​are also determined in other FMEA methods, especially qualitative methods.

RPN values calculated according to the above tables are often used to guide the reduction of failure modes. In this case the warnings in 5.3.2 should be taken into account.

RPN has the following disadvantages:

Gaps in the range of values: 88 % of the range is empty, only 120 of the 1000 possible values are used;

RPN ambiguity: several combinations of different parameter values give the same RPN value;

Sensitivity to small changes: a small deviation of one parameter has a large effect on the result if the other parameters have large values (for example, 9 x 9 x 3 = 243 and 9 x 9 x 4 = 324, while 3 x 4 x 3 = 36 and 3 x 4 x 4 = 48);

Inadequate scale: the failure occurrence table is non-linear (for example, the ratio between two consecutive ranks can be 2.5 or 2);

Inadequate scale of the RPN: a difference in RPN values may seem small when in fact it is quite significant. For example, S = 6, O = 4 and D = 2 give RPN = 48, and S = 6, O = 5 and D = 2 give RPN = 60. The second RPN is not twice the first, while in fact, for O = 5, the probability of a failure is twice as high as for O = 4. Therefore raw RPN values should not be compared linearly;

Erroneous conclusions from comparing RPNs, because the scales are ordinal, not relative.

RPN analysis requires caution and attention. Correct application of the method requires an analysis of the severity, occurrence and detection values ​​prior to forming a conclusion and taking corrective action.
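The numerical claims of 5.3.6.4 (RPN = S x O x D with each factor ranked 1 to 10, the 60 versus 125 comparison, the 120 distinct values, the 48 versus 60 trap, and the severity-first safeguard) can be checked with the following Python, which is an added illustration and not code from the standard. The per-1000 failure rates are copied from Table 5, using the boundary values for ranks 1 and 10; the two failure modes at the end are constructed sample data.

```python
"""RPN calculations and their pitfalls (added illustration; not part of the standard)."""
from itertools import product

RANKS = range(1, 11)  # S, O and D are each ranked 1..10

# Failure rate per 1000 vehicles for each occurrence rank O, from Table 5
# (rank 1 is "< 0.010" and rank 10 is "> 100"; the boundary values are used here)
OCCURRENCE_PER_1000 = {1: 0.01, 2: 0.1, 3: 0.5, 4: 1, 5: 2, 6: 5, 7: 10, 8: 20, 9: 50, 10: 100}


def rpn(s, o, d):
    """Risk priority number; raises if any rank lies outside 1..10."""
    for name, rank in (("S", s), ("O", o), ("D", d)):
        if rank not in RANKS:
            raise ValueError(f"{name} rank {rank} is not in 1..10")
    return s * o * d


def distinct_rpn_values():
    """All values the RPN can actually take: only 120 of the 1000 integers in 1..1000."""
    return sorted({s * o * d for s, o, d in product(RANKS, repeat=3)})


def combinations_with_rpn(value):
    """Every (S, O, D) triple giving the same RPN; illustrates the ambiguity of the RPN."""
    return [(s, o, d) for s, o, d in product(RANKS, repeat=3) if s * o * d == value]


def occurrence_ratio(o_high, o_low):
    """Real ratio of failure rates between two occurrence ranks (the scale is not linear)."""
    return OCCURRENCE_PER_1000[o_high] / OCCURRENCE_PER_1000[o_low]


def prioritize(modes, severity_floor=9):
    """Order failure modes for corrective action, most urgent first.

    modes: list of (name, S, O, D). Modes with S >= severity_floor go first regardless
    of RPN (the safeguard the text recommends for severity 9 or 10); within each group
    the higher RPN comes first, then the higher severity.
    """
    def key(mode):
        _name, s, o, d = mode
        return (0 if s >= severity_floor else 1, -rpn(s, o, d), -s)

    return [mode[0] for mode in sorted(modes, key=key)]


# Constructed sample data using the numbers from the text
EXAMPLE_MODES = [
    ("severe but well detected", 10, 3, 2),  # RPN 60
    ("average in every respect", 5, 5, 5),   # RPN 125
]

if __name__ == "__main__":
    print(len(distinct_rpn_values()), "distinct RPN values")
    print("RPN 60 arises from", len(combinations_with_rpn(60)), "different (S, O, D) triples")
    print("failure rate ratio O=5 : O=4 =", occurrence_ratio(5, 4))
    print("by RPN only:", prioritize(EXAMPLE_MODES, severity_floor=11))
    print("severity 9-10 first:", prioritize(EXAMPLE_MODES))
```

Ordering by RPN alone puts the average failure mode (125) ahead of the severe one (60); the severity floor reverses that, which is the behaviour the text asks for. The occurrence ratio shows why RPN 48 and RPN 60 are not comparable as a ratio: the underlying failure rate for O = 5 is twice that for O = 4.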

5.4 Analysis report

5.4.1 Scope and content of the report

The FMEA report can be developed as part of a broader study report, or it can be a stand-alone document. In either case the report should include an overview and detailed records of the study carried out, as well as diagrams and functional diagrams of the structure of the system. The report should also contain a list of the drawings (with an indication of their status) on which the FMEA is based.

5.4.2 Results of the Consequence Analysis

A list of failure consequences for the specific system investigated by the FMEA should be prepared. Table 7 shows a typical set of failure consequences for the starter and electrical circuit of a car engine.

Table 7 - Example of the consequences of failures for a car starter

NOTE 1 This list is only an example. Each analyzed system or subsystem will have its own set of failure consequences.

A failure consequences report may be required to determine the likelihood of system failures resulting from the listed consequences of failures, and to prioritize corrective and preventive actions. The failure consequences report should be based on a list of the failure consequences of the system as a whole and should include details of the failure modes that contribute to each failure consequence. The probability of occurrence of each failure mode is calculated for a set period of operation of the object, as well as for the expected parameters of use and loads. Table 8 shows an example of an overview of the consequences of failures.

Table 8 - Example of the probabilities of failure consequences

NOTE 2 Such a table can be constructed for various qualitative and quantitative rankings of an object or system.


The report should also contain a brief description of the method of analysis and of the level at which it was carried out, the assumptions used and the ground rules. In addition, it should include lists of:

a) failure modes that lead to serious consequences;

c) design changes that result from the FMEA;

d) consequences that have been eliminated as a result of the overall design changes.

6 Other studies

6.1 Common cause failure

For reliability analysis it is not enough to consider only random and independent failures, since common cause failures can also occur. For example, a malfunction or failure of the system may be caused by the simultaneous malfunction of several of its components. This could be due to a design error (unjustified limits on the allowable component values), environmental influences (lightning), or human error.

The presence of common cause failures (CCF) contradicts the FMEA assumption that failure modes are independent: a CCF implies that more than one failure can occur simultaneously or within a sufficiently short period of time, with the consequent effects of simultaneous failures.

Typically, CCF sources can be:

Design (software development, standardization);

Manufacturing (shortcomings of batches of components);

Environment (electrical noise, temperature cycling, vibration);

Human factor (incorrect operation or incorrect maintenance actions).

The FMEA should therefore consider the possible sources of CCF when analyzing a system that uses redundancy or a large number of facilities to mitigate the consequences of a failure.

A CCF is the result of an event that, because of logical dependencies, causes a simultaneous failure state in two or more components (including dependent failures caused by the consequences of an independent failure). Common cause failures can occur in identical constituent parts with similar failure modes and weak points across different system assembly options, including redundant ones.

The capabilities of FMEA for CCF analysis are very limited. However, because FMEA is a procedure that examines each failure mode and its associated causes in turn, and identifies all periodic testing, preventive maintenance, etc., it allows the investigation of every cause that could produce a CCF.

It is useful to combine several methods to prevent or mitigate the effects of CCF (system modeling, physical analysis of components), including: functional diversity, where redundant branches or parts of the system that perform the same function are not identical and have different failure modes; physical separation, to eliminate the environmental or electromagnetic influences that cause CCF; etc. FMEA usually provides for the examination of CCF preventive measures. However, these measures should be described in the remarks column of the worksheet to aid understanding of the FMEA as a whole.
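To make the independence caveat of 6.1 concrete, here is an added Python illustration that is not code from the standard. It uses the beta-factor model, which the text above does not mention: a fraction beta of each channel's failure probability is attributed to a shared cause that fails both channels of a redundant pair at once. The channel probability and beta values are constructed sample inputs.

```python
"""Effect of common cause failure on a 1-out-of-2 redundant pair
(added illustration using the beta-factor model; not part of the standard)."""


def redundant_pair_failure_prob(p, beta=0.0):
    """Probability that both channels of a redundant pair fail in the studied period.

    p    -- probability that one channel fails during the period
    beta -- fraction of that probability attributed to a common cause
            (0.0 reproduces the FMEA assumption of independent failures)
    """
    if not 0.0 <= p <= 1.0 or not 0.0 <= beta <= 1.0:
        raise ValueError("p and beta must lie in [0, 1]")
    p_common = beta * p           # shared cause: both channels fail together
    p_indep = (1.0 - beta) * p    # channel-specific part, independent per channel
    # Both fail if the common cause occurs, or if it does not and each
    # channel fails on its own.
    return p_common + (1.0 - p_common) * p_indep ** 2


def redundancy_benefit(p, beta=0.0):
    """Factor by which redundancy reduces the failure probability of a single channel."""
    return p / redundant_pair_failure_prob(p, beta)


def benefit_sweep(p, betas):
    """Redundancy benefit for several common-cause fractions, e.g. to show how quickly
    improper maintenance of identical items (6.2) can cancel out redundancy."""
    return {beta: redundancy_benefit(p, beta) for beta in betas}


if __name__ == "__main__":
    # Constructed sample: each channel fails with probability 1 % over the period
    for beta, benefit in benefit_sweep(0.01, (0.0, 0.01, 0.1, 0.5)).items():
        print(f"beta = {beta:<5} benefit factor = {benefit:8.1f}")
```

With independent channels the pair is about 100 times better than a single channel; a common-cause fraction of only 10 % cuts that benefit to under 10, which is why the FMEA worksheet should record the CCF countermeasures (diversity, separation) the section recommends.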

6.2 Human factor

Special design measures are needed to prevent or reduce some human errors. Such measures include mechanical interlocking of railway signals and passwords for computer use or data retrieval. If such conditions exist in the system, the consequences of failure will depend on the type of error. Certain types of human error must be investigated using the system fault tree to verify the effectiveness of the equipment. Even a partial list of these failure modes is useful for identifying design and procedure flaws. Identifying all kinds of human error is probably not possible.

Many CCF failures are based on human error. For example, improper maintenance of identical objects can cancel out redundancy. To avoid this, non-identical backup elements are often used.


6.3 Software errors

An FMEA carried out for the hardware of a complex system may have implications for the system software. Thus decisions on consequences, severity and conditional probabilities arising from the FMEA may depend on software elements and their characteristics, sequence and running time. In this case the relationship between hardware and software should be clearly identified, since a subsequent change or improvement in the software may change the FMEA derived from it. Approval of software and software changes can be a condition for revising FMEAs and related assessments; for example, software logic can be changed to improve safety at the expense of operational reliability.

Failures due to software errors or inconsistencies will have consequences whose values must be determined by the design of the software and hardware. The identification of such errors or inconsistencies and the analysis of their consequences are only possible to a limited extent. The consequences of possible software errors on the respective hardware must be evaluated. Recommendations for mitigating such errors in software and hardware are often a result of the analysis.

6.4 FMEA and consequences of system failures

An FMEA of a system can be performed independently of its specific application and can then be tailored to the specific design of the system. This applies to small assemblies that can be considered components in their own right (e.g. electronic amplifier, electric motor, mechanical valve).

However, it is more typical to develop an FMEA for a specific project with specific consequences of system failures. It is necessary to classify the consequences of system failures, for example: safe failure, recoverable failure, fatal failure, impaired task performance, task failure, consequences for individuals, groups or society as a whole.

FMEA's ability to account for the most distant consequences of a system failure depends on the design of the system and the relationship of the FMEA with other forms of analysis, such as fault trees, Markov analysis, Petri nets, etc.

7 Applications

7.1 Using FMEA / FMECA

FMEA is a method primarily adapted to the investigation of material and equipment failures; it can be applied to various types of systems (electrical, mechanical, hydraulic, etc.) and their combinations, to parts of equipment, to a system or to a project as a whole.

The FMEA should include the investigation of software and human actions if they affect the reliability of the system. FMEA can also be applied to processes (medical, laboratory, manufacturing, educational, etc.); in this case it is commonly referred to as process FMEA or PFMEA. A process FMEA always considers the goals and objectives of the process and then examines each step of the process for adverse outcomes affecting other steps of the process or the achievement of its goals.

7.1.1 Application within a project

The user must define how and for what purposes the FMEA is used. FMEA can be used on its own or to complement and support other methods of reliability analysis. FMEA requirements follow from the need to understand the behavior of hardware and its implications for the operation of a system or equipment. FMEA requirements can vary significantly depending on the specifics of the project.

FMEA supports the concept of design analysis and should be applied as early as possible in the design of subsystems and the system as a whole. FMEA is applicable to all levels of the system, but is more suitable for lower levels, characterized by a large number of objects and / or functional complexity. Specific training of the personnel performing the FMEA is essential. Close cooperation of engineers and system designers is required. The FMEA should be updated as the project progresses and the design changes. At the end of the design phase, the FMEA is used to verify the design and to demonstrate that the designed system complies with the specified user requirements, the requirements of standards, guidelines, and regulatory requirements.


Information derived from the FMEA identifies priorities for statistical process control, sampling and incoming inspection during production and installation, as well as for qualification, acceptance and commissioning tests. The FMEA is also a source of information for diagnostic procedures and for maintenance when the related manuals are developed.

When choosing the depth of the FMEA and how to apply it to an object or project, it is important to consider the areas that require the FMEA results, consistency in time with other activities, and the required level of competence and of control over undesirable failure modes and consequences. This leads to proper FMEA planning at the specified levels (system, subsystem, component, object) of the iterative design and development process.

For the FMEA to be effective, its place in the reliability program must be clearly defined, and the time, labor and other resources must be identified. It is vital that the FMEA is not shortened to save time and money. If time and money are limited, the FMEA should focus on those parts of the design that are new or use new techniques. For economic reasons, the FMEA can target areas identified as critical by other methods of analysis.

7.1.2 Application to processes

To carry out a PFMEA, the following are needed:

a) a clear definition of the purpose of the process. If the process is complex, the purpose may be a general goal or a goal associated with the product of the process, with the product of a series of sequential processes or steps, with the product of a particular step in the process, and the corresponding particular goals;

b) an understanding of the individual steps of the process;

c) an understanding of the potential deficiencies in each step of the process;

d) an understanding of the implications of each individual flaw (potential failure) for the product of the process;

e) an understanding of the potential causes of each of the deficiencies or potential failures and nonconformities in the process.

If a process is associated with more than one product name, then its analysis can be performed for individual product types as PFMEA. Process analysis can also be performed according to its steps and potential adverse outcomes that lead to a generalized PFMEA regardless of specific product types.

7.2 Benefits of FMEA

Some of the application features and benefits of FMEA are listed below:

a) avoiding costly modifications thanks to the early identification of design flaws;

b) identification of failures that, individually or in combination, have unacceptable or significant consequences, and identification of failure modes that may have serious consequences for the expected or required function;

NOTE 1 Such consequences can include dependent failures.

c) determining the methods needed to improve the reliability of the design (redundancy, optimal loads, fault tolerance, component selection, re-sorting, etc.);

d) providing a logical model for assessing the likelihood or rate of occurrence of abnormal system operating conditions in preparation for the criticality analysis;

e) identification of problem areas of safety and of responsibility for the quality of products or their non-compliance with mandatory requirements;

NOTE 2 Independent research is often necessary for safety, but overlap is unavoidable and therefore collaboration in the research process is highly desirable.

f) development of a test program that enables the detection of potential failures;

g) focus on the key issues of quality management, analysis of control processes and production of products;

h) assistance in identifying the features of the overall strategy and the preventive maintenance schedule;

i) assistance and support in defining test criteria, test plans and diagnostic procedures (comparison tests, reliability tests);

j) support for the elimination of design defects and for the planning of alternative modes of operation and reconfiguration;

k) designers' understanding of the parameters that affect system reliability;

l) development of a final document containing evidence of the actions taken to ensure that the design results meet the requirements of the technical specification for maintenance. This is especially important in the case of product liability.

7.3 Limitations and disadvantages of FMEA

FMEA is extremely effective when it is used to analyze the elements that cause the failure of the entire system or a violation of the basic function of the system. However, FMEA can be difficult and tedious for complex systems with many functions and different sets of components. These complexities increase with multiple operating modes and multiple maintenance and repair policies.

FMEA can be a time-consuming and ineffective process if applied unwisely. The FMEA studies whose results are intended for later use must be clearly defined. FMEA should not be included among the requirements of a preliminary analysis.

Complications, misunderstandings and errors can occur when attempting to cover multiple levels of the system hierarchy in FMEA studies if redundancy is present.

The relationships between individual failure modes or groups of failure modes, or between the causes of failure modes, cannot be effectively represented in the FMEA, since the main assumption of this analysis is the independence of the failure modes. This disadvantage is made even more pronounced by interactions between software and hardware, where the assumption of independence is not valid. The same applies to human interaction with hardware and to models of this interaction. The assumption of failure independence does not allow due attention to be paid to failure modes that, if they occur together, can have significant consequences, while each of them individually has a low probability of occurrence. It is easier to investigate the interrelationships of system elements using the fault tree analysis (FTA) method (GOST 51901.5).

FTA is preferable to FMEA in such cases, since FMEA is limited to relationships between only two levels of the hierarchical structure, for example identifying the failure modes of objects and determining their consequences for the system in the chain. These consequences then become failure modes at the next level, for example for a module, and so on. However, there is experience of the successful implementation of multi-level FMEAs.

In addition, a disadvantage of FMEA is its inability to assess the overall reliability of the system and thus to assess the degree of improvement brought by its design or by changes to it.

7.4 Relationship with other methods

FMEA (or FMECA) can be applied on its own. As a systematic inductive method of analysis, FMEA is most often used as a supplement to other methods, especially deductive ones such as FTA. In the design phase it is often difficult to decide which method (inductive or deductive) to prefer, since both are used in the analysis. If risk levels are identified for manufacturing equipment and systems, a deductive approach is preferred, but FMEA is still a useful design tool; however, it should be used in addition to other methods. This is especially true when solutions must be found in situations with multiple failures and a chain of consequences. The method used at the outset should depend on the program of the project.

In the early stages of design, when only the functions, the general structure of the system and its subsystems are known, the successful operation of the system can be depicted using a reliability block diagram or a fault tree. However, to construct these, an inductive FMEA process must be applied to the subsystems. Under these circumstances FMEA is not comprehensive, but it presents the result in a visual tabular form. In general, for the analysis of a complex system with multiple functions, multiple objects and interrelationships between these objects, FMEA is necessary but not sufficient.

Fault tree analysis (FTA) is a complementary deductive method for analyzing failure modes and their corresponding causes. It is used to trace the low-level causes leading to high-level failures. Although logical analysis is sometimes used for the qualitative analysis of fault sequences, it usually precedes the estimation of high-level failure rates. FTA allows the interdependencies of different failure modes to be modeled in cases where their interaction can lead to a high-severity event. This is especially important when the occurrence of one failure mode causes the occurrence of another failure mode with high probability and high severity. This scenario cannot be successfully modeled with FMEA, where each failure mode is considered independently and individually. One of the disadvantages of FMEA is its inability to analyze the interactions and dynamics of failure modes in the system.

FTA focuses on the logic of coincident (or sequential) and alternative events causing undesirable consequences. FTA makes it possible to build a correct model of the analyzed system, to assess its reliability and probability of failure, and also to assess the impact of design improvements and of reducing the number of specific failure modes on the reliability of the system as a whole. The FMEA form is more descriptive. Both methods are used in the general analysis of the safety and reliability of a complex system. However, if the system is based primarily on sequential logic with little redundancy and multiple functions, then FTA is an overly complex way of representing the system logic and identifying failure modes; in such cases FMEA and the reliability block diagram method are adequate. In other cases, when FTA is preferred, it should be supplemented with descriptions of the failure modes and their consequences.

When choosing an analysis method, it is necessary to be guided primarily by the specific requirements of the project, not only the technical ones but also the requirements for time and cost, effectiveness and use of results. General guidelines:

a) FMEA is applicable when comprehensive knowledge of the failure characteristics of an object is required;

b) FMEA is more suitable for small systems, modules or assemblies;

c) FMEA is an important tool for research, development, design or other tasks when the unacceptable consequences of failures must be identified and the necessary measures to eliminate or mitigate them must be found;

d) FMEA may be necessary for objects designed with the latest advances in design, where the failure characteristics may not be known from previous operation;

e) FMEA is more applicable to systems with a large number of components that are linked by a common failure logic;

f) FTA is more suitable for the analysis of multiple and dependent failure modes with complex logic and redundancy. FTA can be used at the higher levels of the system structure, early in the project, and when a detailed FMEA is defined at the lower levels for in-depth design work.


Appendix A (informative)

Summary of FMEA and FMECA procedures

A.1 Stages: overview of the analysis procedure

The following steps of the procedure should be performed during the analysis:

a) deciding which method, FMEA or FMECA, is needed;

b) defining the boundaries of the system for analysis;

c) understanding the requirements and functions of the system;

d) determining the failure / operability criteria;

e) determining the failure modes and the consequences of failure of each object, and recording them;

f) describing each consequence of failure;

g) reporting.

Additional steps for FMECA:

h) determining the severity grades of system failures;

i) establishing the severity values of the failure modes of the object;

j) determining the failure modes of the object and the frequency of the consequences;

k) determining the frequency of the failure modes;

l) compiling criticality matrices for the failure modes of the object;

m) describing the severity of the consequences of failure in accordance with the criticality matrix;

n) compiling a criticality matrix for the consequences of system failure;

o) compiling a report for all levels of the analysis.

NOTE The estimation of the frequency of the failure modes and of the consequences of failure in FMEA can be performed using steps h), i) and j).

A.2 FMEA worksheet

A.2.1 Scope of the worksheet

The FMEA worksheet describes the details of the analysis in tabular form. Although the general FMEA procedure is fixed, the worksheet can be tailored to a specific project according to its requirements.

Figure A.1 shows an example of a FMEA worksheet view.

A.2.2 Head of worksheet

The head of the worksheet should include the following information:

The designation of the system as the object as a whole, for which the final consequences are identified; this designation must be consistent with the terminology used in block diagrams, drawings and figures;

The period and mode of operation selected for analysis;

The object (module, component or part) examined in this worksheet;

The revision level, date and name of the coordinating FMEA analyst, and also the names of the main team members, providing the additional information needed to control the document.

A.2.3 Completing the worksheet

The entries in the "Object" and "Description of the object and its functions" columns should identify the subject of the analysis. References should be made to a block diagram or other supporting document, together with a brief description of the object and its function.

A description of the object's failure modes is given in the column "Failure mode". Clause 5.2.3 provides guidance for identifying potential failure modes. The use of a unique identifier, the "Failure mode code", for each unique object failure mode makes it easier to summarize the analysis.

The most likely causes of the failure modes are listed in the column "Possible causes of failure". A brief description of the consequences of the failure mode is given in the column "Local consequences of failure". Similar information for the object as a whole is given in the column "Final consequences of failure". For some FMEA studies, it is desirable to assess the consequences of failure at an intermediate level; in this case, the consequences are indicated in the additional column "Next higher assembly level". The identification of the consequences of a failure mode is discussed in 5.2.5.

A brief description of the method for detecting the failure mode is given in the column "Failure detection method". The detection method may be implemented automatically by a built-in test provided by the design, or may require diagnostic procedures involving operation and maintenance personnel. It is important to identify the method for detecting failure modes to ensure that corrective action is taken.

Design considerations that mitigate or reduce a particular failure mode, such as redundancy, should be noted in the "Failure compensation conditions" column. Maintenance compensation or operator compensation should also be reported here.

The column "Failure severity class" indicates the level of severity established by the FMEA analysts.

The column "Frequency or probability of failure" indicates the frequency or likelihood of occurrence of a particular failure mode. The scale of the rate must be stated together with its value (for example, failures per million hours, failures per 1000 km of run, etc.).

The column "Remarks" indicates observations and recommendations in accordance with 5.3.4.

A.2.4 Notes on the worksheet

The last column of the worksheet should contain any notes necessary to clarify the rest of the entries. Potential future actions, such as recommendations for design improvements, can be recorded here and then reported. This column may also include the following:

a) any unusual conditions;

b) the consequences of failures of the backup element;

c) a description of the critical properties of the design;

d) any remarks expanding the information;

e) essential maintenance requirements;

f) dominant causes of failures;

g) dominant consequences of failure;

h) decisions made, for example in the design analysis.

Figure A.1 - Example FMEA worksheet (form not reproduced; header fields: End object, Period and mode of operation, Revision, Prepared by; columns: Object, Description of the object and its functions, Failure mode, Failure mode code, Possible causes of failure, Local consequences of failure, Final consequences of failure, Failure detection method, Failure compensation conditions, Frequency or probability of failure)


Appendix B (informative)

Research examples

B.1 Example 1 - FMECA for vehicle power supply with RPN calculation

Figure B.1 shows a small portion of the extensive FMEA for a vehicle. The power supply and its connections to the battery are analyzed.

The battery circuit includes a diode D1 and a capacitor C9 connecting the positive terminal of the battery to ground. The reverse polarity diode protects the object from damage if the negative terminal of the battery is connected to the case. The capacitor is an EMI filter. If either of these parts is shorted to ground, the battery will also be shorted to ground, which could result in battery failure and make a trip in the vehicle impossible. Such a failure, of course, gives no warning. A failure in which a trip is impossible is considered dangerous in the automotive industry. Therefore, for the short-circuit failure mode of both named parts, the severity rank S is 10. The values of the occurrence rank O were calculated from the failure rates of the parts under the corresponding loads of vehicle operation and then scaled to O for the FMEA of the vehicle. The value of the detection rank D is very low, since a short circuit of either part to ground is detected when testing the object for operability.

The other failure mode of either part will not damage the object; however, the diode then provides no reverse polarity protection, and if the capacitor no longer filters EMI, equipment in the vehicle may be subject to interference.

If the coil L1, located between the battery and the electrical circuit for filtering, is open-circuited, the object is inoperative because the battery is disconnected, and no warning will be displayed. Coils have a very low failure rate, so the occurrence rank is 2.

Resistor R91 passes the battery voltage to the switching transistors. If R91 fails, the object becomes inoperable, with a severity rank of 9. Since resistors have a very low failure rate, the occurrence rank is 2. The detection rank is 1, since the object is not operational.

Figure B.1 - FMEA for part of the automotive electronics, with RPN calculation (worksheet not reproduced; columns: Object/Function, Potential failure mode, Potential consequences of failure (subsystem/local and final), Potential causes/failure mechanisms, Occurrence rank, Preventive actions, Detection actions, Recommended action, Responsible and due date, Action results, Actions taken; the preventive and detection actions recorded for every row are "Choosing a higher quality and power component" and "Evaluation and proof testing for reliability")
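The RPN bookkeeping of this example, as an added Python illustration that is not part of the standard: S and D are the ranks quoted in the text, while the occurrence-scale thresholds, the constructed failure rates and the action rule that also flags rows with S >= 9 are assumptions. It goes slightly beyond the text by ranking all the rows together, which shows why the RPN alone can place a low-severity row above the battery short circuits.

```python
from dataclasses import dataclass

# Assumed occurrence scale: failure rate (failures per million hours) -> rank O 1..10.
# The standard scales O from part failure rates under the operating loads; these
# thresholds are constructed for the example.
OCCURRENCE_THRESHOLDS = (0.01, 0.1, 1.0, 10.0, 50.0, 100.0, 500.0, 1000.0, 5000.0)

def occurrence_rank(failures_per_million_hours: float) -> int:
    """Scale a failure rate to the occurrence rank O (1 = rarest, 10 = most frequent)."""
    if failures_per_million_hours < 0:
        raise ValueError("failure rate cannot be negative")
    return 1 + sum(failures_per_million_hours > t for t in OCCURRENCE_THRESHOLDS)

@dataclass
class WorksheetRow:
    """One FMECA worksheet row, reduced to the columns needed for the RPN."""
    item: str
    failure_mode: str
    final_effect: str
    severity: int        # S, 1..10
    failure_rate: float  # failures per million hours (constructed sample values)
    detection: int       # D, 1..10 (1 = the failure is certain to be detected)

    def rpn(self) -> int:
        """Risk priority number RPN = S x O x D."""
        ranks = (self.severity, occurrence_rank(self.failure_rate), self.detection)
        if any(not 1 <= r <= 10 for r in ranks):
            raise ValueError(f"rank out of range for {self.item}: {ranks}")
        return ranks[0] * ranks[1] * ranks[2]

def needs_action(row: WorksheetRow, rpn_limit: int = 100, severity_limit: int = 9) -> bool:
    """Assumed action rule: act on a high RPN, and on S >= severity_limit even when the
    RPN is low, so a low O or D cannot hide a failure that makes a trip impossible."""
    return row.rpn() >= rpn_limit or row.severity >= severity_limit

def prioritize(rows):
    """Return (item, failure mode, RPN, needs action) tuples, highest RPN first."""
    ranked = sorted(rows, key=lambda r: (r.rpn(), r.severity), reverse=True)
    return [(r.item, r.failure_mode, r.rpn(), needs_action(r)) for r in ranked]

# Rows from the power supply example. S and D follow the text where it gives them;
# the failure rates, the S of L1 and the ranks of the C9 open-circuit row are constructed.
POWER_SUPPLY_ROWS = [
    WorksheetRow("D1 reverse polarity diode", "short to ground",
                 "battery shorted, trip impossible, no warning", 10, 0.5, 1),
    WorksheetRow("C9 EMI filter capacitor", "short to ground",
                 "battery shorted, trip impossible, no warning", 10, 0.5, 1),
    WorksheetRow("C9 EMI filter capacitor", "open circuit",
                 "no EMI filtering, interference possible", 4, 0.5, 5),
    WorksheetRow("L1 filter coil", "open circuit",
                 "battery disconnected, object inoperable, no warning", 10, 0.05, 1),
    WorksheetRow("R91 resistor", "failure", "object inoperable", 9, 0.05, 1),
]
```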


B.2 Example 2 - FMEA for an engine-generator system

The example illustrates the application of the FMEA method to an engine-generator system. The scope of the study is limited to the system itself and concerns the consequences of component failures for the power supply of the motor-generator, or any other consequential failures. This defines the boundaries of the analysis. The example partially illustrates a block diagram representation of the system. Initially, five subsystems were identified (see Figure B.2), and one of them, the heating, ventilation and cooling system, is presented at the levels of the structure below the level at which it was decided to start the FMEA (see Figure B.3). The block diagrams also show the numbering system used for references in the FMEA worksheets.

For one of the engine-generator subsystems, an example worksheet (see Figure B.4) is shown that complies with the recommendations of this standard.

An important part of the FMEA is the definition and classification of the severity of the consequences of failures for the system as a whole. For the engine-generator system, they are presented in Table B.1.

Table B.1 - Definition and classification of the severity of the consequences of failures for the engine-generator system as a whole

Figure B.2 - Diagram of engine-generator subsystems

Figure B.3 - Diagram of the heating, ventilation and cooling system


System 20 - Heating, ventilation and cooling system

Worksheet columns: Component; Failure mode; Consequences of failure; Method or symptom of failure detection; Redundancy; Remarks.

Heating system (from 12 to 6 heaters on each end), operating only when the machine is not running. Note: the machine may overheat if the heaters do not switch off automatically.

Heaters:
a) Heater burnout: reduced heating, condensation possible; detected by a temperature less than 5° above ambient.
b) Short circuit to ground due to an insulation defect: no heating, condensation possible; detected by a fusible link or a tested circuit breaker. Remark: one short circuit should not cause the system to fail.

Heater housing, thermostat and cable (connection to the heaters):
a) Overheating of the terminal or cable of one, six or all heaters: no or reduced heating, condensation; detected by a temperature less than 5° above ambient.
b) Short circuit to ground at the terminals: loss of all heating, condensation; detection: verified supply.

Figure B.4 - FMEA for system 20


B.3 Example 3 - FMECA for a manufacturing process

A process FMECA examines each manufacturing process of the object in question. It investigates what could go wrong, as foreseen, and the existing protective measures (in case of failure), as well as how often this can occur and how such situations can be eliminated by upgrading the facility or the process. The aim is to focus on possible (or known) problems in maintaining or achieving the required quality of the finished product. Businesses that assemble complex objects, such as passenger cars, are well aware of the need to require component suppliers to perform this analysis. In doing so, the component suppliers are the main beneficiaries. Performing the analysis forces a re-examination of fabrication defects and sometimes of failures, with the resulting cost of improvements.

The form of the process FMECA worksheet is similar to the form of the product FMECA worksheet, but there are some differences (see Figure B.5). The measure of criticality is the action priority number (APN), very close in meaning to the risk priority number (RPN) considered above. A process FMECA examines the ways in which defects and nonconformities arise and the chances of their being delivered to the customer under the quality management procedures. It does not address service failures due to wear or misuse.

Figure B.5 - Part of the process FMECA for a machined small bar (worksheet not reproduced). Recoverable rows: incorrect shoulder dimensions or angles (insert does not fit, load on the die, reduced productivity); misaligned insert or incorrect liner thickness around the insert (reduced performance, reduced life; causes: production flaws or quality control deficiencies; existing controls: the manufacturer's statistical acceptance inspection plans; recommended: analysis of the sampling plans, isolation of defective components from usable supplies, training); insufficient gloss of nickel plating (corrosion, deviations at the final stage; visual inspection in accordance with the statistical acceptance inspection plan; recommended: include sampling for a visual check of the gloss); insufficient metal pressing (incorrect wall thickness, scrap; thin walls found during machining; causes: deficiencies in production or quality control). Legend: the consequence types are consequences for the intermediate process, for the final process, for assembly and for the user; O = probability of occurrence on a scale of 1 to 10; S = severity of consequences on a scale of 1 to 10; D = probability of detection before delivery to the customer.


Appendix C (informative)

List of English abbreviations used in the standard

FMEA - Failure Modes and Effects Analysis;

FMECA - Failure Modes, Effects and Criticality Analysis;

DFMEA - FMEA used for design analysis in the automotive industry;

PRA - Probabilistic Risk Analysis;

PFMEA - FMEA used for process analysis;

FTA - Fault Tree Analysis;

RPN - risk priority number;

APN - action priority number.



UDC 362:621.001:658.382.3:006.354 OKS 13.110 T58

Key words: analysis of failure modes and effects, analysis of failure modes, effects and criticality, failure, redundancy, system structure, failure mode, criticality of failure

Editor L.V. Afanasenko. Technical editor V.N. Prusakova. Corrector U.S. Kabashova. Computer layout P.A. Kruglova.

Sent for typesetting 10.04.2003. Signed for printing 06.06.2008. Format 60×64. Offset paper. Arial typeface.

Offset printing. Printed sheets 4.65. Publisher's sheets 3.90. Circulation 476. Order 690.

FSUE "STANDARTINFORM", 123995 Moscow, Granatny lane, 4. www.gostinfo.ru info@gostinfo.ru

Typed in FSUE "STANDARTINFORM" on a PC.

Printed at the branch of FSUE "STANDARTINFORM", "Moscow printer" type. 105062 Moscow, Lyalin lane, 6.