FMEA (Failure Mode and Effects Analysis) is a way to check that every failure mode has been taken into account in the design. This step is essential in product design. The analysis is reported in an FMEA document.
The Preliminary Risk Assessment is the first assessment done before re-designing a product.
FMEA Benefits
- Identify the weaknesses of a design and bring solutions
- Identify the possible failures on a system and/or on the linked systems
First of all, it assumes that the list of possible failure modes has already been drawn up.
A failure mode is characterized by three points:
- Severity
- Frequency
- Detection
Each point is evaluated and assigned a coefficient:
Next, a Preliminary Risk Index (PRI) is defined as the product of the three coefficients:
PRI = S x F x D
All that remains is to define the acceptable level for the application and to list all the failure modes in a document. A good compromise which always avoids any safety risk is 100. If the PRI is equal to or above this threshold, a solution has to be designed to reduce the PRI level.
Example:
An Electronic Control Unit has an emergency button to stop a machine. The Electronic Control Unit drives a relay which stops the machine. We are analysing the Electronic Control Unit output:
| Designation | Type | Pin number | Failure modes | System & customer effects | Solution | S | F | D | PRI |
|---|---|---|---|---|---|---|---|---|---|
| Emergency relay output | digital | 5 | Open circuit; Short circuit to Vbatt; Short circuit to GND | No emergency stop; Machine always stopped; No emergency stop | ? | 10 | 5 | 10 | 1000 |
In this example, the severity of the failure is maximum: if the output doesn't work, there is a safety issue, so Severity = 10. As the output is wired to the relay and a wire isn't perfect, we can say that the frequency is moderate, so Frequency = 5. The designer hasn't used any detection on the output, so Detection = 10. The PRI level is 1000, which is unacceptable.
The designer will add detection of short circuit to Vbatt and open circuit. The new FMEA is:
| Designation | Type | Pin number | Failure modes | System & customer effects | Solution | S | F | D | PRI |
|---|---|---|---|---|---|---|---|---|---|
| Emergency relay output | digital | 5 | Open circuit; Short circuit to Vbatt; Short circuit to GND | No emergency stop; Machine always stopped; No emergency stop | Add detection circuitry by reading the output | 10 | 5 | 1 | 50 |
The new PRI level is 50, which is acceptable. The function has a high criticality and the severity can't be decreased. The frequency is moderate because of the wiring technology, but we are almost sure to detect the failure, and the software will enter an appropriate mode (it stops the machine!).