FAA System Safety Handbook, Chapter 9: Analysis Techniques
December 30, 2000
9 - 13
size), immunizing against disease, or warming up by exercise; and by establishing contingency response such as early detection of energy release, first aid, emergency showers, general disaster plans, and recovery of system operation procedures.
9.7 Failure Modes, Effects, and Criticality Analysis (FMECA)
FMECAs and FMEAs are important reliability program tools that provide data usable by the SSP. Performing an FMEA is the first step in generating an FMECA; either analysis can serve as the final product, depending on the situation. An FMECA is generated from an FMEA by adding a criticality figure of merit. These analyses are performed to obtain reliability, safety, and supportability information. The FMECA form is more commonly used and is better suited to hazard control.
Hazard analyses typically use a top-down methodology (e.g., Fault Tree Analysis): the approach first identifies specific hazards and then isolates all possible (or probable) causes. The FMEA/FMECA may be performed either top-down or bottom-up, usually the latter.
Hazard analyses consider failures, operating procedures, human factors, and transient conditions among the hazard causes. The FMECA is more limited: it considers only failures (hardware and software). It is generated from a different set of questions than the hazard analysis: "If this fails, what is the impact on the system? Can I detect it? Will it cause anything else to fail?" If it does, the induced failure is called a secondary failure.
FMEAs may be performed at the hardware or functional level, and often combine both. For economic reasons, the FMEA is often performed at the functional level below the printed circuit board or software module assembly level, and at the hardware level (or for smaller code groups) at higher assembly levels. The approach is to characterize the results of all probable failure modes of every component or every low-level function. A frozen bearing (component) or a shaft unable to turn (function) are both valid failure modes.
The procedure for generating an FMEA is comparable to that of the Fault Hazard Analysis. The first step is to list all components or low-level functions. Then, by examining system block diagrams, schematics, etc., the function of each component is identified. Next, all reasonably possible failure modes of the lowest-level "component" being analyzed are identified. Using a coolant pump bearing as an example (see Figure 9-5), they might include frozen, high friction, or too much play. For each identified failure mode, the effect at the local level, an intermediate level, and the top system level is recorded. A local effect might be "the shaft won't turn", the intermediate effect "pump won't circulate coolant", and the system-level effect "engine overheat and fail". At this point in the analysis, the FMEA might identify a hazard.
The analyst next documents the method of fault detection. This input is valuable for designing self-test features or the test interface of a system. More importantly, it can alert an air crew to a failure in progress before a catastrophic event. A frozen pump bearing might be detected by monitoring power to the pump motor or coolant temperature. Given adequate warning, the engine can be shut down before damage occurs, or the aircraft landed before the engine fails. Next, compensating provisions are identified as the first step in determining the impact of the failure. If there are redundant pumps or combined cooling techniques, the
significance of the failure is less than if the engine depends on a single pump. The severity categories used for the hazard analysis can be used as the severity class in the FMEA. A comments column is usually added to the FMEA to provide additional information that might help the reviewer understand any FMEA column.
Adding a criticality figure of merit to the FMEA produces the FMECA shown in Figure 9-5. Severity levels cannot be assigned without first identifying the purpose of the FMECA. For example, a component with a high failure rate would have a high severity factor in a reliability analysis, while a long-lead-time or expensive part would matter more in a supportability analysis. Neither may be significant from a safety perspective. Therefore, a safety analysis requires its own criticality index or equation. The assignment of a criticality index is called a criticality analysis. The index is a mathematical combination of severity and probability of occurrence (likelihood of occurrence).
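The following is an added worked example, not part of the handbook, that carries the coolant pump bearing case through the FMEA steps above (component, function, failure mode, local/intermediate/system effect, detection method, compensating provisions, severity class) and then adds the criticality figure of merit that turns it into an FMECA. The handbook only states that the index combines severity and probability; the numeric ranks for the severity and probability levels, the product formula, the one-rank severity credit per compensating provision, and the "critical" hazard threshold are all assumptions of this example, as are the sample rows.

```python
"""Worked FMEA -> FMECA for a coolant pump bearing (added example).

Assumptions (not from the handbook): ordinal ranks for severity and
probability, index = compensated severity rank * probability rank, one
severity rank of credit per compensating provision, and a 'critical'
threshold for flagging hazards. Sample rows are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Severity classes reuse the hazard-analysis categories; ranks are assumed.
SEVERITY_RANK: Dict[str, int] = {
    "negligible": 1, "marginal": 2, "critical": 3, "catastrophic": 4}
# Likelihood levels; ranks are assumed.
PROBABILITY_RANK: Dict[str, int] = {
    "improbable": 1, "remote": 2, "occasional": 3, "probable": 4, "frequent": 5}


@dataclass
class FailureMode:
    """One FMEA row: the columns the handbook describes for each failure mode."""
    component: str
    function: str
    mode: str
    local_effect: str
    intermediate_effect: str
    system_effect: str
    detection: str           # how the failure in progress can be detected
    severity: str            # severity class before compensating provisions
    probability: str         # likelihood of occurrence
    compensating: List[str] = field(default_factory=list)
    comments: str = ""


def effective_severity(fm: FailureMode) -> int:
    """Severity rank after compensating provisions (assumed: -1 per provision)."""
    rank = SEVERITY_RANK[fm.severity]
    return max(1, rank - len(fm.compensating))


def criticality_index(fm: FailureMode) -> int:
    """Assumed safety criticality index: compensated severity * probability."""
    return effective_severity(fm) * PROBABILITY_RANK[fm.probability]


def build_fmeca(rows: List[FailureMode]) -> List[dict]:
    """Add the criticality figure of merit to each FMEA row; worst first."""
    table = []
    for fm in rows:
        table.append({
            "component": fm.component, "mode": fm.mode,
            "system_effect": fm.system_effect, "detection": fm.detection,
            "severity": fm.severity, "effective_severity": effective_severity(fm),
            "probability": fm.probability, "criticality": criticality_index(fm),
        })
    return sorted(table, key=lambda r: r["criticality"], reverse=True)


def hazards(rows: List[FailureMode], threshold: str = "critical") -> List[str]:
    """Failure modes whose compensated severity still reaches the threshold."""
    limit = SEVERITY_RANK[threshold]
    return [fm.mode for fm in rows if effective_severity(fm) >= limit]


# Constructed sample rows; effects and detection follow the handbook's example,
# the severity/probability values and the redundant pump are illustrative.
COOLANT_PUMP_BEARING = [
    FailureMode("coolant pump bearing", "support pump shaft", "frozen",
                "shaft won't turn", "pump won't circulate coolant",
                "engine overheat and fail",
                "pump motor power / coolant temperature",
                "catastrophic", "remote", compensating=["redundant pump"]),
    FailureMode("coolant pump bearing", "support pump shaft", "high friction",
                "shaft turns slowly", "reduced coolant flow",
                "engine runs hot, power reduced",
                "coolant temperature trend", "critical", "occasional"),
    FailureMode("coolant pump bearing", "support pump shaft", "too much play",
                "shaft wobbles", "impeller rub, seal wear",
                "coolant leak over time", "vibration / coolant level",
                "marginal", "probable"),
]

if __name__ == "__main__":
    for r in build_fmeca(COOLANT_PUMP_BEARING):
        print(f"{r['mode']:14} sev={r['severity']:12} eff={r['effective_severity']} "
              f"prob={r['probability']:10} crit={r['criticality']}")
    print("hazards:", hazards(COOLANT_PUMP_BEARING))
```

Note how the redundant pump changes the ranking: the frozen bearing is catastrophic on its own, but with the compensating provision credited it drops below the high-friction mode in the FMECA ordering while still remaining on the hazard list, which is the distinction between the reliability view (failure rate alone) and the safety view (severity combined with probability) that the text draws.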