14. Fault Hazard Analysis


Chapter 14 Fault Hazard Analysis

14.1 INTRODUCTION
Fault hazard analysis (FaHA) is an analysis technique for identifying those hazards arising from component failure modes. It is accomplished by examining the potential failure modes of subsystems, assemblies, or components and determining which failure modes can form undesired states that could result in a mishap.

14.2 BACKGROUND
The FaHA technique falls under the detailed design hazard analysis type (DD-HAT). The basic hazard analysis types are described in Chapter 3. The purpose of FaHA is to identify hazards through the analysis of potential failure modes in the hardware that comprises a subsystem.

The FaHA is applicable to the analysis of all types of systems and equipment. FaHA can be implemented on a subsystem, a system, or an integrated set of systems, and it can be performed at any level from the component level through the system level. It is hardware oriented and not suited for software analysis.

The FaHA is a thorough technique for evaluating potential failure modes. However, it has the same limitations as the FMEA: it looks at single failures and not combinations of failures. FaHAs generally overlook hazards that do not result entirely from failure modes, such as poor design, timing errors, and the like.
The conduct of an FaHA requires a basic understanding of hazard analysis theory, failure modes, and a detailed understanding of the system under analysis. The methodology is similar to failure mode and effects analysis (FMEA). Although the FaHA is a valuable hazard analysis technique, the subsystem hazard analysis (SSHA) has replaced the FaHA. The SSHA methodology includes considering failure modes for safety implications, and thus it accomplishes the same objective as the FaHA.

Hazard Analysis Techniques for System Safety, by Clifton A. Ericson, II. Copyright © 2005 John Wiley & Sons, Inc.
The FaHA technique is not recommended for general usage. Other safety analysis techniques, such as the SSHA, are more cost effective for the identification of hazards and root causes. The FaHA should be used only when a rigorous analysis of all component failure modes is required. The FaHA technique is uncomplicated and easily mastered using the worksheets and instructions provided in this chapter.

14.3 HISTORY

The Boeing Company developed the FaHA in 1965 for the Minuteman program as a variation of the FMEA technique. It was developed to allow the analyst to stop the analysis at the point where it becomes clear that a failure mode does not contribute to a hazard, whereas the FMEA requires complete evaluation of all failure modes.

14.4 THEORY
The FaHA is a qualitative and/or quantitative analysis method. The FaHA can be used exclusively as a qualitative analysis or, if desired, expanded to a quantitative one for individual component failure modes. The FaHA requires a detailed investigation of the subsystems to determine which components can fail leading to a hazard and the resultant effects on the subsystem and its operation.

The FaHA answers a series of questions:

• What can fail?
• How can it fail?
• How frequently will it fail?
• What are the effects of the failure?
• What hazards result as a consequence of the failure?
The FaHA considers total functional and out-of-tolerance modes of failure. For example, a 5 percent, 5000-Ω (±250-Ω) resistor can have as functional failure modes "failing open" or "failing short," while the out-of-tolerance modes might include "too low a resistance" or "too high a resistance."

To conduct an FaHA, it is necessary to know and understand the following system characteristics:

• Equipment mission
• Operational constraints
• Success and failure boundaries
• Realistic failure modes and their probability of occurrence
The general FaHA approach involves the following:

• Analyzing each component
• Analyzing all component failure modes
• Determining whether a failure mode directly causes a hazard
• Determining the failure mode effect on the subsystem and the system
• Determining whether the component failure can be induced by another component

The FaHA approach utilizing a columnar form with specially selected entries provides optimum results. This approach establishes a means for systematically analyzing a system or subsystem design for the identification of hazards. In addition to identifying hazards, the data in the FaHA form provides useful information for other safety analyses, such as fault tree analysis.

The purpose of the FaHA is to identify hazards existing within a subsystem due to potential hardware component failure. This is accomplished by examining the causes and effects of subsystem component failures.
14.5 METHODOLOGY
Table 14.1 lists the basic steps in the FaHA process. The FaHA methodology is demonstrated in Figure 14.1, which contains a hypothetical system, consisting of two subsystems, shown in functional block diagram format. In performing an FaHA, the idea is to break each subsystem into major components or black boxes whose failure modes can be evaluated.

The next step is to identify and evaluate all credible failure modes for each component within the black box or subsystem. For instance, in subsystem 1, component B may fail "open." The effects of this failure mode upon components A and C are determined, and also the effects at the subsystem interface with subsystem 2.

Secondary factors that could cause component B to fail open are identified. For instance, excessive heat radiated from component C may cause component B to fail open.

Events "upstream" of component B that could directly command component B to fail open are identified. These types of events are usually part of the normal sequence of planned events, except that they occur at the wrong time and may not be controllable once they occur on their own. For example, a short circuit in component A may cause component A to output the signal that commands component B to respond in the open mode.

When the FaHA is completed, the effects of failures in subsystem 1 will terminate at the interface, and the upstream events commanding failures in subsystem 2 will begin from the interface. Hence, it is possible to determine interface hazards by comparing the "effects" of subsystem 1 with the "upstream events" of subsystem 2. This is an indirect result of the FaHA.
Figure 14.1 Example system interface. [Functional block diagram of a hypothetical system with two subsystems joined at an interface; of the figure's labels only "Output 3" and "Interface" survive in this copy.]
TABLE 14.1 FaHA Process

Step 1. Define system. Define, scope, and bound the system. Establish indenture levels for the items to be analyzed.

Step 2. Plan FaHA. Establish FaHA goals, definitions, worksheets, schedule, and process. Define the credible failures of interest for the analysis.

Step 3. Acquire data. Acquire all of the design and process data needed for the FaHA. Refine the item indenture levels for analysis. Data can include functional diagrams, schematics, and drawings for the system, subsystems, and functions; sources for this information include design specifications, functional block diagrams, sketches, drawings, and schematics.

Step 4. Partition system. Divide the system under analysis into smaller, logical, and manageable segments, such as subsystems, units, or functional boxes.

Step 5. Conduct FaHA. For analyses performed down to the component level, prepare a complete component list with the specific function of each component for each module as it is to be analyzed. Perform the FaHA on each item in the identified list of components (this step is expanded in the next section). The analysis identifies:
  • Failure mode
  • Immediate failure effect
  • System-level failure effect
  • Potential hazard and associated risk

Step 6. Recommend corrective action. Recommend corrective action for failure modes with unacceptable risk or criticality to the program manager for action.

Step 7. Monitor corrective action. Review the FaHA at scheduled intervals to ensure that corrective action is being implemented.

Step 8. Document FaHA. Document the entire FaHA process, including the worksheets. Update for new information and closure of assigned corrective actions.
14.6 WORKSHEET
The FaHA is a formal and detailed hazard analysis utilizing structure and rigor. It is desirable to perform the FaHA using a worksheet. Although the format of the analysis worksheet is not critical, a recommended FaHA format is shown in Figure 14.2. This is the form that was successfully used on the Minuteman missile weapon system program.
The intended content for each column is described as follows:
1. Component. This column identifies the major functional or physical hardware components within the subsystem being analyzed. The component should be identified by part number and descriptive title.

2. Failure Mode. This column identifies all credible failure modes that are possible for the identified component. This information can be obtained from the FMEA, manufacturer's data, or testing. (Note: This column matches the "primary" cause question in an FTA.)

3. Failure Rate. This column provides the failure rate or failure probability for the identified mode of failure. The source of the failure rate should also be provided for future reference.

4. Operational Mode (labelled System Mode on the worksheet). This column identifies the system phase or mode of operation during which the indicated failure mode occurs.

5. Effect on Subsystem. This column identifies the direct effect on the subsystem and on components within the subsystem for the identified failure mode.

6. Secondary Causes. This column identifies secondary factors that may cause the component to fail. Abnormal and out-of-tolerance conditions may cause the component to fail, so component tolerance levels should be provided. Environmental factors or common cause events may also be a secondary cause of failure. (Note: This column matches the "secondary" cause question in an FTA.)
Figure 14.2 Recommended FaHA worksheet. [Form layout: a title line "Fault Hazard Analysis"; header fields Subsystem ______ Assembly/Unit ______ Analyst ______; and ten numbered columns: 1 Component, 2 Failure Mode, 3 Failure Rate, 4 System Mode, 5 Effect on Subsystem, 6 Secondary Causes, 7 Upstream Command Causes, 8 MRI, 9 Effect on System, 10 Remarks.]
7. Upstream Command Causes. This column identifies those functions, events, or failures that directly force the component into the indicated failure mode. (Note: This column matches the "command" cause question in an FTA.)

8. Mishap Risk Index (MRI). This column provides a qualitative measure of mishap risk for the potential effect of the identified hazard, given that no mitigation techniques are applied to the hazard. Risk measures are a combination of mishap severity and probability, and the recommended values from MIL-STD-882 are:

Severity: I. Catastrophic; II. Critical; III. Marginal; IV. Negligible
Probability: A. Frequent; B. Probable; C. Occasional; D. Remote; E. Improbable

9. Effect on System. This column identifies the direct effect on the system of the indicated component failure mode.

10. Remarks. This column provides for any additional information that may be pertinent to the analysis.
14.7 EXAMPLE

In order to demonstrate the FaHA technique, the same hypothetical small missile system from Chapter 4 on preliminary hazard list (PHL) analysis will be used. The basic preliminary component and function design information from the PHL is provided again in Figure 14.3.
Figure 14.3 Missile system component list and function list.
Functions: Storage, Transportation, Handling, Standby, Alert, Launch, Flight, Command Response, Impact.
Components: Missile Body, Warhead, Engine (Jet), Fuel (Liquid), Computer, Software, Navigation, Communications, Guidance, Battery.
Typically, an FaHA would be performed on each of the component subsystem designs. For this FaHA example, the battery subsystem has been selected for evaluation using the FaHA technique. The battery design is shown in Figure 14.4.

In this design the electrolyte is contained separately from the battery plates by a frangible membrane. When battery power is desired, the squib is fired, thereby breaking the electrolyte housing and releasing electrolyte into the battery, thus energizing the battery.
The battery subsystem is comprised of the following components:

1. Case
2. Electrolyte
3. Battery plates
4. Frangible container separating electrolyte from battery plates
5. Squib that breaks open the electrolyte container

The battery FaHA is shown in Table 14.2.
The following conclusions can be derived from the FaHA worksheet contained in Table 14.2:

1. The failures with a risk level of 2C (Critical severity, Occasional probability on the MIL-STD-882 scale of Section 14.6; the worksheet writes the severity as a numeral rather than the Roman numeral II) indicate that the failure mode leaves the system in an unsafe state, which will require further analysis to evaluate the unsafe state and design mitigation to reduce the risk.

2. The failures with a risk level of 4C (Negligible severity, Occasional probability) indicate that the failure mode leaves the missile in a state without power, resulting in a dud missile (a reliability problem, not a safety problem).
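To make the worksheet mechanics concrete, the following is an added example in Python; it is not code from the chapter and not a tool the Minuteman work used. It encodes the battery rows of Table 14.2, validates each MRI against the MIL-STD-882 severity and probability categories of Section 14.6, reproduces the two conclusions above by triaging rows, and carries out the interface comparison described in Section 14.5 (subsystem 1 "effects" matched against subsystem 2 "upstream command causes"). Everything about a guidance subsystem, the per-hour unit assumed for the failure rates, the constant-failure-rate formula used for the quantitative expansion, and the names FahaRow, parse_mri, unsafe_rows, mode_probability and interface_hazards are the example's own assumptions.

```python
"""Added example, not from Ericson's chapter: a small FaHA worksheet model.
It encodes the Table 14.2 battery rows, validates each Mishap Risk Index
against the MIL-STD-882 categories of Section 14.6, triages rows the way the
Section 14.7 conclusions do, and runs the indirect interface check of
Section 14.5. The guidance-subsystem rows are constructed for the example."""
from dataclasses import dataclass
import math

# MIL-STD-882 categories as listed in Section 14.6. Table 14.2 writes the
# severity as a digit (2C, 4C); both spellings are accepted.
SEVERITY = {"I": "Catastrophic", "II": "Critical", "III": "Marginal", "IV": "Negligible"}
PROBABILITY = {"A": "Frequent", "B": "Probable", "C": "Occasional",
               "D": "Remote", "E": "Improbable"}
_ROMAN = {"1": "I", "2": "II", "3": "III", "4": "IV"}


@dataclass
class FahaRow:                 # one worksheet line; columns follow Figure 14.2
    component: str
    failure_mode: str
    failure_rate: float        # per hour (assumed unit; Table 14.2 gives none)
    system_mode: str
    effect_on_subsystem: str
    secondary_causes: tuple
    upstream_command_causes: tuple
    mri: str
    effect_on_system: str


def parse_mri(mri):
    """Split '2C' or 'IIC' into (severity name, probability name); reject
    codes outside the MIL-STD-882 matrix so a typo cannot hide a row."""
    sev, prob = _ROMAN.get(mri[:-1], mri[:-1]), mri[-1]
    if sev not in SEVERITY or prob not in PROBABILITY:
        raise ValueError(f"invalid MRI {mri!r}")
    return SEVERITY[sev], PROBABILITY[prob]


def unsafe_rows(rows):
    """Rows needing further analysis: any severity above Negligible. This is
    the example's rule; it reproduces Section 14.7, where the 4C rows are a
    dud missile (a reliability problem, not a safety problem)."""
    return [r for r in rows if parse_mri(r.mri)[0] != "Negligible"]


def mode_probability(rate_per_hour, exposure_hours):
    """Quantitative expansion (Section 14.4): probability that the mode occurs
    at least once during the exposure. Assumes a constant failure rate
    (exponential model), which the chapter does not specify."""
    return 1.0 - math.exp(-rate_per_hour * exposure_hours)


def interface_hazards(upstream, downstream):
    """Indirect FaHA result (Section 14.5): an 'effect on subsystem' leaving
    the upstream subsystem that reappears as an 'upstream command cause' of a
    downstream failure mode is a candidate interface hazard."""
    def norm(text):
        return " ".join(text.lower().split())
    return [(u, d) for u in upstream for d in downstream
            if norm(u.effect_on_subsystem) in [norm(c) for c in d.upstream_command_causes]]


# Table 14.2, battery subsystem. Rates as printed there (source: manufacturer
# data); an empty tuple is a blank worksheet cell.
BATTERY = [
    FahaRow("Battery squib", "Squib fails to ignite", 3.5e-5, "Flight",
            "No power output from battery", ("Excessive shock",), ("No ignition command",), "4C", "Dud missile"),
    FahaRow("Battery squib", "Squib ignites inadvertently", 1.1e-9, "Ground operations",
            "Battery power is inadvertently applied", ("Heat", "shock"), ("Inadvertent ignition command",), "2C", "Unsafe system state"),
    FahaRow("Battery electrolyte", "Electrolyte leakage", 4.1e-6, "Ground operations",
            "Corrosion; gases; fire", ("Excessive shock", "puncture"), ("Manufacturing defect",), "2C", "Unsafe system state"),
    FahaRow("Battery power", "Premature power output", 1.0e-10, "Ground operations",
            "Power is inadvertently applied to missile electronics", (), ("Electrolyte leakage into battery cells",), "2C", "Unsafe system state"),
    FahaRow("Battery power", "No power output", 2.2e-6, "Flight",
            "No power output to missile electronics", ("Battery damage",), ("Broken cables",), "4C", "Dud missile"),
    FahaRow("Battery case", "Case leaks", 1.0e-12, "Flight",
            "No power output", ("Excessive shock",), (), "4C", "Dud missile"),
    FahaRow("Battery case", "Case leaks", 1.0e-12, "Ground operations",
            "Corrosion; gases; fire", ("Excessive shock",), (), "2C", "Unsafe state"),
]

# Constructed, hypothetical rows for a downstream guidance subsystem, whose
# upstream command causes begin at the battery interface (Section 14.5).
GUIDANCE = [
    FahaRow("Guidance computer", "Powers up on the ground", 5.0e-7, "Ground operations",
            "Guidance runs launch-phase logic", (), ("Power is inadvertently applied to missile electronics",), "2C", "Unsafe system state"),
    FahaRow("Guidance computer", "Loss of guidance", 8.0e-6, "Flight",
            "Missile uncontrolled", ("Vibration",), ("No power output to missile electronics",), "1D", "Errant missile"),
]

if __name__ == "__main__":
    for r in unsafe_rows(BATTERY):
        print(f"{r.mri} {r.component}: {r.failure_mode} -> {r.effect_on_system}")
    for u, d in interface_hazards(BATTERY, GUIDANCE):
        print(f"interface hazard: {u.failure_mode!r} commands {d.failure_mode!r}")
    print(f"P(squib fails to ignite in 1 h) = {mode_probability(3.5e-5, 1.0):.3e}")
```

Run as a script it lists the four 2C rows, the two interface matches (the battery effects "Power is inadvertently applied to missile electronics" and "No power output to missile electronics" reappear as upstream command causes of the guidance rows, which is exactly the comparison Section 14.5 calls an indirect result of the FaHA), and the exposure probability for the squib. The MRI letters are taken from the worksheet as data: the chapter gives no rule for deriving a probability category from the printed failure rates, so the code deliberately does not invent one, and a worksheet that applied a numeric mapping would need to state it in the Failure Rate column's source note.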
14.8 ADVANTAGES AND DISADVANTAGES

The following are advantages of the FaHA technique:

1. FaHAs are more easily and quickly performed than other techniques (e.g., FTA).
2. FaHAs can be performed with minimal training.
3. FaHAs are inexpensive.
4. FaHAs force the analyst to focus on system elements and hazards.
Figure 14.4 Example missile battery design. [Diagram; labeled parts: Contained Electrolyte, Squib, Battery Plates and Terminals.]
TABLE 14.2 FaHA Worksheet for Battery

Fault Hazard Analysis
Subsystem: Missile    Assembly/Unit: Battery    Analyst:    Date:    Page: 1 of 1

Component | Failure Mode | Failure Rate | System Mode | Effect on Subsystem | Secondary Causes | Upstream Command Causes | MRI | Effect on System | Remarks
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Battery squib | Squib fails to ignite | 3.5 × 10^-5 (manuf. data) | Flight | No power output from battery | Excessive shock | No ignition command | 4C | Dud missile | Safe
Battery squib | Squib ignites inadvertently | 1.1 × 10^-9 (manuf. data) | Ground operations | Battery power is inadvertently applied | Heat; shock | Inadvertent ignition command | 2C | Unsafe system state | Further analysis required
Battery electrolyte | Electrolyte leakage | 4.1 × 10^-6 (manuf. data) | Ground operations | Corrosion; gases; fire | Excessive shock; puncture | Manufacturing defect | 2C | Unsafe system state | Further analysis required
Battery power | Premature power output | 1.0 × 10^-10 (manuf. data) | Ground operations | Power is inadvertently applied to missile electronics | None | Electrolyte leakage into battery cells | 2C | Unsafe system state | Further analysis required
Battery power | No power output | 2.2 × 10^-6 (manuf. data) | Flight | No power output to missile electronics | Battery damage | Broken cables | 4C | Dud missile | Safe
Battery case | Case leaks | 1.0 × 10^-12 (manuf. data) | Flight | No power output | Excessive shock |  | 4C | Dud missile | Safe
Battery case | Case leaks | 1.0 × 10^-12 (manuf. data) | Ground operations | Corrosion; gases; fire | Excessive shock |  | 2C | Unsafe state | Further analysis required
The following are disadvantages of the FaHA technique:

1. FaHAs focus on single failure modes and not combinations of failure modes.
2. The FaHA focuses on failure modes, overlooking other types of hazards (e.g., human errors).
3. FaHAs are not applicable to software since software has no failure modes.
14.9 COMMON MISTAKES TO AVOID
When first learning how to perform an FaHA, it is commonplace to commit some traditional errors. The following is a list of typical errors made during the conduct of an FaHA:

1. Not fully understanding the FaHA technique
2. Using the FaHA technique when another technique might be more appropriate

14.10 SUMMARY
This chapter discussed the FaHA technique. The following are basic principles that help summarize the discussion in this chapter:

1. The primary purpose of the FaHA is to identify hazards by focusing on potential hardware failure modes. Every credible single failure mode for each component is analyzed to determine if it can lead to a hazard.
2. FaHA is a qualitative and/or quantitative analysis tool.
3. The use of a functional block diagram greatly aids and simplifies the FaHA process.
