Guidance Notes for Failure Modes and Effects Analysis (FMEA)
November 2003 - Draft
Copyright © 2003
American Bureau of Shipping, ABS Plaza, 16855 Northchase Drive, Houston, TX 77060 USA
Contents
SECTION 1 General
1.1 Introduction
1.2 Scope
SECTION 2 FMEA Procedure
2.1 General
2.2 System definition
2.3 Development of system block diagrams
2.4 Identification of failure modes, causes and effects
2.4.1 Level of Analysis
2.4.2 Common-cause failure
2.4.3 Human intervention
2.4.4 Software Error
2.5 Failure effects
2.5.1 Local Effect and End Effect
2.5.2 Evaluation of End effect
2.6 Failure detection
2.6.1 Hidden fault
2.7 Corrective measures
2.7.1 Human error
2.7.2 Integrity of Change over mechanisms
2.8 Documentation
SECTION 3 Use of Probability Concept
3.1 General
3.2 Terms associated with probabilities
Annex 1 FMEA for Dynamic Positioning System
Annex 2 FMEA for Propulsion Redundancy
Annex 3 FMEA for High Speed Craft (HSC) Machinery Systems
Annex 4 FMEA for Propulsion Remote Control System
SECTION 1 General
1.1 Introduction
Failure modes and effects analysis (FMEA) is a method of reliability analysis intended to identify failures which have consequences affecting the functioning of a system within the limits of a given application, thus enabling priorities for corrective action to be set. Generally, failures or failure modes of any component will adversely affect system performance. In the study of system reliability, safety and availability, both qualitative and quantitative analyses are needed, and these complement one another. Quantitative analysis methods allow the calculation or prediction of performance measures of the system while fulfilling a specific task or in long-term operation under specific conditions. Typical measures denote reliability, safety, availability, failure rates and mean time to failure (MTTF). The quantitative assessment of postulated failure modes in terms of the plausibility of their occurrence allows the rational decision of whether corrective actions are required.
1.2 Scope
These Guidance Notes describe failure modes and effects analysis (FMEA) and give guidance as to how it may be applied to achieve various objectives connected with the development of reliable designs. Annex 1 to Annex 4 address more specific guidance for the following systems, for which ABS Rules require FMEA to be carried out:
Annex 1: Dynamic Positioning system
Annex 2: Propulsion Redundancy system
Annex 3: High Speed Craft systems
Annex 4: Propulsion remote control system
SECTION 2 FMEA Procedure
2.1 General
The analysis is usually presented on a worksheet that contains a core of essential information which can be developed and extended to suit the particular system or project to which it is applied. A typical example of a worksheet is shown in Figure 1. The following steps are necessary to perform FMEA:
1. Define the system to be analyzed (see 2.2)
2. Illustrate the interrelationships of functional elements of the system by means of block diagrams (see 2.3)
3. Identify all potential failure modes, their causes and effects (see 2.4)
4. Evaluate the effects on the system of each failure mode (see 2.5)
5. Identify failure detection methods (see 2.6)
6. Identify corrective measures for failure modes (see 2.7)
7. Document the analysis (see 2.8)
Figure 1 FMEA Worksheet
Header fields: Name of system; References; Mode of operation; System block diagrams; Drawings; Sheet No.; Date; Name of analyst
Columns:
- Equipment name or number
- Function
- Ident. No.
- Failure mode
- Failure cause
- Failure effect (Local effect / End effect)
- Failure detection
- Corrective action
- Severity of failure effect
- Probability of failure (if applicable)
- Remarks
2.2 System definition
The first step in an FMEA study is a detailed examination of the system to be analyzed through the use of drawings and equipment manuals. A thorough understanding of the system under analysis is essential prior to undertaking FMEA. A narrative description of the system and its functional requirements should be drawn up, including the following information:
1. general description of system operation and structure;
2. functional relationship among the system elements;
3. acceptable functional performance limits of the system and its constituent elements in each of the typical operational modes; and
4. system constraints.
2.3 Development of system block diagrams
The next step is to develop block diagram(s) showing the functional flow sequence of the system and the functional interdependence of sub-systems or equipment, both for technical understanding of the functions and operation of the system and for the subsequent analysis. As a minimum, the block diagram contains:
1. breakdown of the system into major sub-systems or equipment;
2. all appropriate labeled inputs and outputs, and identification numbers by which each sub-system is consistently referenced; and
3. all redundancies, alternative signal paths and other engineering features which provide "fail-safe" measures.
It may be necessary to have a different set of block diagrams prepared for each operational mode. Other methods, such as fault-tree diagrams or narrative descriptions, may be used in lieu.
2.4 Identification of failure modes, causes and effects
Failure mode is the manner by which a failure is observed. It generally describes the way the failure occurs and its impact on the equipment or system. As an example, a list of failure modes is given in Table 1. The failure modes listed in Table 1 can describe the failure of any system element in sufficiently specific terms. When used in conjunction with performance specifications governing the inputs and outputs on the system block diagram, all potential failure modes can thus be identified and described. For example, a power supply may have a failure mode described as "loss of output" (29) and a failure cause of "open (electrical)" (31).
Table 1 Example of a set of failure modes
1. Structural failure (rupture)
2. Physical binding or jamming
3. Vibration
4. Fails to remain (in position)
5. Fails to open
6. Fails to close
7. Fails open
8. Fails closed
9. Internal leakage
10. External leakage
11. Fails out of tolerance (high)
12. Fails out of tolerance (low)
13. Inadvertent operation
14. Intermittent operation
15. Erratic operation
16. Erroneous indication
17. Restricted flow
18. False actuation
19. Fails to stop
20. Fails to start
21. Fails to switch
22. Premature operation
23. Delayed operation
24. Erroneous input (increased)
25. Erroneous input (decreased)
26. Erroneous output (increased)
27. Erroneous output (decreased)
28. Loss of input
29. Loss of output
30. Shorted (electrical)
31. Open (electrical)
32. Leakage (electrical)
33. Other unique failure conditions as applicable to the system characteristics, requirements and operational constraints
In the FMEA, the definitions of failure modes, failure causes and failure effects depend on the level of analysis. As the analysis progresses, the failure effects identified at the lower level may become failure modes at the higher level. Similarly, the failure modes at the lower level may become the failure causes at the higher level, and so on. For example, the hydraulic line of a steering gear system might have a failure mode of "external leakage" (10). This failure mode of the hydraulic line could become a failure cause of the steering gear system's failure mode "loss of output" (29).
2.4.1 Level of Analysis
It is recommended that each system be considered in a top-down approach, starting from the system's functional output, and that failure is assumed by one possible cause at a time. Since a failure mode may have more than one cause, all potential independent causes for each failure mode are identified. FMEA then progresses to the subsystem level and on down to the equipment level or component level, until all plausible failure modes are identified and the system's responses to failures are examined. However, if it can be shown that a system being analyzed can fail without any adverse effect, then there is no need to consider it further, unless the failure can go undetected by an operator (see 2.6.1 Hidden fault). To decide that there is no adverse effect does not mean just the identification of system redundancy: the redundancy should be shown to be immediately effective or brought on line with negligible time lag. Particular attention is to be paid to fault detectability for all plausible modes of failure and to the integrity of the mechanism that brings the redundant system on line upon failure detection (see 2.7.2 Integrity of changeover mechanisms). In deciding the level of analysis, it should be kept in mind that the aim of conducting FMEA is to demonstrate that the risks associated with the failures in the system being examined have been reduced as far as reasonably practicable.
2.4.2 Common-cause failure
Common-cause (or 'common mode') failures (CCF) that may exist in functionally redundant systems are also to be identified. A CCF is the result of an event that, because of logical dependencies, causes a coincidence of failure states in two or more components (excluding secondary failures caused by the effects of a primary failure). Examples of common causes of failure are:
1. Simultaneous failure of two cooling water pumps due to a simultaneous power failure caused by damage to an electrical cableway which contained the power supply cables for the pumps, resulting in blackout conditions.
2. Simultaneous failure of two computer networks due to a software-related failure, resulting in the total loss of computer functionality.
2.4.3 Human intervention
Where human intervention is an integral part of system design, the consequence of the failure of the required human intervention should be evaluated. For instance, if the sequence is "failure -> alarm -> operator action -> start of back-up -> back-up in service", the effect of delay is to be considered.
2.4.4 Software error
Malfunctions due to software errors or inadequacies will have effects whose significance will be determined by both hardware and software design. The effects upon associated hardware of possible errors or inadequacies in software should be analyzed for all hardware products involving software. The analysis should include, but not be limited to, the following:
- Hardware-software interaction analysis that examines software reactions to hardware failures.
- Overloading conditions (e.g. an abnormally large number of hardware malfunction messages sent to a monitoring system, or an abnormally large number of spurious signals generated in an optical network).
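The following is an added worked example and is not part of these Guidance Notes: it represents a block diagram of the kind called for in 2.3 as a dependency graph, walks it one failure at a time as 2.4.1 recommends, and fails common-cause groups together in the manner of 2.4.2. All block names, dependencies and common-cause groups are constructed for illustration; the single cableway and the shared pump software stand in for the two common-cause examples given above.

```python
from typing import Dict, List, Set

# Constructed block diagram (not from the Guidance Notes). Each block lists its input
# groups; the block works only if every group still has at least one working
# alternative. A group with more than one entry is a redundancy or alternative path of
# the kind 2.3 asks to be drawn; a block with no groups is a source.
DIAGRAM: Dict[str, List[List[str]]] = {
    "generator A": [],
    "generator B": [],
    "cableway": [],            # one cableway carrying both supply cables (2.4.2, example 1)
    "pump software": [],       # one software image loaded on both controllers (2.4.4)
    "switchboard A": [["generator A"], ["cableway"]],
    "switchboard B": [["generator B"], ["cableway"]],
    "controller 1": [["pump software"]],
    "controller 2": [["pump software"]],
    "pump 1": [["switchboard A"], ["controller 1"]],
    "pump 2": [["switchboard B"], ["controller 2"]],
    "engine cooling": [["pump 1", "pump 2"]],   # either pump alone is sufficient
}

# Common-cause groups (constructed): events that fail several blocks together because of
# a shared dependency the block diagram does not show as a block of its own.
CCF_GROUPS: Dict[str, Set[str]] = {
    "fuel contamination (both generators)": {"generator A", "generator B"},
    "flooding of pump room (both pumps)": {"pump 1", "pump 2"},
    "generator A under maintenance": {"generator A"},
}


def works(block: str, failed: Set[str], diagram: Dict[str, List[List[str]]] = DIAGRAM) -> bool:
    """True if `block` still delivers its function with the blocks in `failed` lost.
    Secondary losses propagate through the diagram; the diagram must be acyclic."""
    if block in failed:
        return False
    return all(any(works(alt, failed, diagram) for alt in group) for group in diagram[block])


def single_points_of_failure(output: str, diagram: Dict[str, List[List[str]]] = DIAGRAM) -> List[str]:
    """2.4.1: assume one failure at a time; return every block whose loss alone
    removes the system's functional output."""
    return [b for b in diagram if b != output and not works(output, {b}, diagram)]


def common_cause_losses(output: str, groups: Dict[str, Set[str]],
                        diagram: Dict[str, List[List[str]]] = DIAGRAM) -> List[str]:
    """2.4.2: fail all members of each common-cause group at once and report the
    groups that remove the output."""
    return [name for name, members in groups.items() if not works(output, set(members), diagram)]


if __name__ == "__main__":
    print("single points of failure:", single_points_of_failure("engine cooling"))
    print("common-cause losses:", common_cause_losses("engine cooling", CCF_GROUPS))
```

The one-at-a-time walk shows that the parallel pumps do not protect the cooling function: the cableway and the shared software image are each a single point of failure, which is exactly what the redundancy check of 2.4.1 must expose before a system is dismissed as "redundant".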
2) Fa$l"re effets 2))1 /oal Effet an! En! Effet he conse/uence of a failure mo#e on the operation function or status of an e/uipment or a system is calle# a Bfailure effectB. 'ailure effects on a specific susystem or e/uipment un#er consi#eration are calle# =local failure effects=. he evaluation of local failure effects ill help to #etermine the effectiveness of any re#un#ant e/uipment or corrective action at that system level. &n certain instances there may not e a local effect eyon# the failure mo#e itself. he impact of an e/uipment or su-system failure on the system output ,system function is calle# an =en# effect=. An e7ample of local effect is E No.1 and No.2 lubricating oil pumps simultaneously seize to operate F an# e7ample of the correspon#ing en# effect is E immediate blackout condition F. Local effects an# en# effects shoul# e evaluate# an# recor#e# in the '(!A or sheet.
2))2 Eval"at$on of En! effet !n# effects are to e evaluate# an# their severity classifie#. he classification coul# e for instance in accor#ance ith the folloing criticality categories9 1. catastrophic 2. ha;ar#ous 3. ma6or 4. minor hese criticality classifications an# the assessment of the proaility of failure occurrence are use# to #etermine hether corrective measures shoul# e provi#e#. 'or instance Eif the en# effect of a failure is classifie# as ha;ar#ous or catastrophic ac-up e/uipment is usually re/uire# to prevent or minimi;e such effect. 'or ha;ar#ous failure effects corrective operational proce#ures may e accepte#F. he principle of such a ris assessment shoul# e #etermine# at the outset of the '(!A.
2) Fa$l"re !etet$on he '(!A stu#y in general only analyses failure effects ase# on a single failure in the system an# therefore a failure #etection means such as visual or au#ile arning #evices automatic sensing #evices sensing instrumentation or other uni/ue in#ications shoul# e i#entifie#. 2))1 $!!en fa"lt ?here the system element failure is non-#etectale ,i.e. a hi##en fault or any failure hich #oes not give any visual or au#ile in#ication to the operator an# the system can continue ith its specific operation the analysis is to e e7ten#e# to #etermine the effects of a secon# failure hich in comination ith the first un#etectale failure may result in a more severe failure effect e.g. ha;ar#ous or catastrophic effect. !7amples of Dhi##en fault are9 1. Automatic change over sitch 2. Sensors ith no self-monitoring functions 3. (anual selector sitch left in the rong position ,human error 4. Softare errors
2.7 Corrective measures
The response of any back-up equipment or any corrective action initiated at a given system level to prevent or reduce the effect of the failure mode of a system element or equipment should also be identified and evaluated. In considering a corrective measure, the use of a probability concept is useful (see 3.1). Provisions which are features of the design at any system level to nullify the effects of a malfunction or failure, such as controlling or deactivating system elements to halt the generation or propagation of failure effects, or activating back-up or standby items or systems, should be described. Corrective design provisions include:
1. redundancies that allow continued and safe operation;
2. safety devices, monitoring or alarm provisions which permit restricted operation or limit damage; and
3. alternative modes of operation.
It should be noted that corrective responses acceptable in one operational mode may not be acceptable in another: e.g. a redundant system element with considerable time lag to be brought into line while meeting the operational mode "normal seagoing conditions at full speed" may result in a catastrophic effect in another operational mode, e.g. "maximum permitted operating speed in congested water".
2.7.1 Human error
Provisions which require operator action to circumvent or mitigate the effects of the postulated failure are to be described. If the corrective action or the initiation of the redundancy requires operator input, the possibility and effect of operator error should be considered when evaluating the means to eliminate the local failure effects.
2.7.2 Integrity of Change over mechanisms
Safety devices, monitoring provisions and automatic changeover mechanisms for redundancy, etc., which are provided as corrective measures, are also subject to failure. These systems / equipment are often 'hidden faults' (see 2.6), and therefore it is necessary to assess the likelihood of failure and the impact of the failure. Such an assessment may reveal the need for an additional corrective measure to be provided.
2.8 Documentation
It is helpful to perform FMEA on worksheet(s) as shown in Figure 1. The worksheet(s) should be organized to first display the highest system level and then proceed down through decreasing system levels. The FMEA report should be a self-contained document with a full description of the systems and their functions and the proposed operation and environmental conditions, so that the failure modes, causes and effects can be understood without any need to refer to other plans and documents not in the report. The analysis assumptions and system block diagrams should be included where appropriate. The report should contain a summary of conclusions and recommendations for each of the systems analyzed in the system failure analysis and the equipment failure analysis. It should also list all probable failures and their probability of failure and, where applicable, the corrective actions or operational restrictions for each system in each of the operational modes under analysis. The report usually contains the test program and references any other test reports and the FMEA trials.
SECTION 3 Use of Probability Concept
3.1 General
Once a failure mode is identified, it is necessary to assess whether appropriate corrective measures have been provided, as described in the preceding sections. However, in certain instances the probability of a postulated failure mode with the associated failure cause is so extremely remote that a corrective measure may not be considered. On the other hand, if the probability of a postulated failure mode is fairly high but the consequence of the failure is minor, then a corrective measure may not be considered. In other instances, if the probability of a postulated failure mode is fairly remote but the consequence of the failure could be 'catastrophic', then certain corrective measures ought to be provided. Since the criticality of failure varies depending on application, it is important to determine acceptability criteria at the outset of the analysis. For example, the IMO HSC Code stipulates the following risk acceptability criteria, as in Figure 2.
Figure 2 Example acceptance criteria - IMO HSC Code
If corrective measures or redundancy as described in the preceding paragraphs are not provided for any failure, as an alternative the probability of occurrence of such failure shall meet the following criteria of acceptance:
1. a failure mode which results in a catastrophic effect shall be assessed to be extremely improbable;
2. a failure mode assessed as extremely remote shall not result in worse than hazardous effects; and
3. a failure mode assessed as either frequent or reasonably probable shall not result in worse than minor effects.
Numerical values for various levels of probability are described in the following sections. In areas where there are no data from craft for which the FMEA is to determine the level of probabilities of failure, other sources can be used, such as:
1. workshop test; or
2. history of reliability used in other areas under similar operating conditions; or
3. mathematical model, if applicable.
3.2 Terms associated with probabilities
Different undesirable events may have different orders of acceptable probability. In connection with this, it is convenient to agree on standardized expressions to be used to convey the relatively acceptable probabilities of various occurrences, i.e. to perform a qualitative ranking process.
3.2.1 Occurrences
Occurrence is a condition involving a potential lowering of the level of safety.
Failure is an occurrence in which a part or parts of a system being evaluated fail or malfunction, e.g. runaway. A failure includes:
1. a single failure;
2. independent failures in combination within a system;
3. independent failures in combinations involving more than one system, taking into account:
- any undetected failure that is already present;
- such further failures as would be reasonably expected to follow the failure under consideration; and
4. common cause failure.
Event is an occurrence which has its origin outside the system being evaluated (e.g. waves).
Error is an occurrence arising as a result of incorrect action by the operating crew, maintenance personnel or software.
3.2.2 Probability of occurrences
Frequent is one which is likely to occur often during the operational life of a particular craft.
Reasonably probable is one which is unlikely to occur often but which may occur several times during the total operational life of a particular craft.
Recurrent is a term embracing the total range of frequent and reasonably probable.
Remote is one which is unlikely to occur to every craft but may occur to a few craft of a type over the total operational life of a number of craft of the same type.
Extremely remote is one which is unlikely to occur when considering the total operational life of a number of craft of the type, but nevertheless shall be considered as being possible.
Extremely improbable is one which is so extremely remote that it shall not be considered as possible to occur.
3.2.3 Effects
Effect is a situation arising as a result of an occurrence.
Minor effect is an effect which may arise from a failure, an event or an error, as defined in 3.2.1, which can be readily compensated for by the operating crew. It may involve:
1. a small increase in the operational duties of the crew or in their difficulty in performing their duties; or
2. a moderate degradation in handling characteristics; or
3. slight modification of the permissible operating conditions.
Major effect is an effect which produces:
1. a significant increase in the operational duties of the crew or in their difficulty in performing their duties, which by itself shall not be outside the capability of a competent crew provided that another major effect does not occur at the same time; or
2. significant degradation in handling characteristics; or
3. significant modification of the permissible operating conditions, but will not remove the capability to complete a safe journey without demanding more than normal skill on the part of the operating crew.
Hazardous effect is an effect which produces:
1. a dangerous increase in the operational duties of the crew or in their difficulty in performing their duties, of such magnitude that they cannot reasonably be expected to cope with them and will probably require outside assistance; or
2. dangerous degradation of handling characteristics; or
3. dangerous degradation of the strength of the craft; or
4. marginal conditions for, or injury to, occupants; or
5. an essential need for outside rescue operations.
Catastrophic effect is an effect which results in the loss of the craft and/or in fatalities.
3)2)( N"mer$al val"es ?here numerical proailities are use# in assessing compliance ith re/uirements using the terms similar to those given aove the folloing appro7imate values may e use# as gui#elines to assist in provi#ing a common point of reference. he proailities /uote# shall e on an hourly or per -6ourney asis #epen#ing on hich is more appropriate to the assessment in /uestion. 're/uent +easonaly proale
(ore than 10-3 10-3 to 10-"
12
+emote !7tremely remote !7tremely improale
10-" to 10-% 10-% to 10-@ ?hile no appro7imate numerical proaility is given for this the figures use# shall e sustantially less than 10-@
5ote9 )ifferent occurrences may have #ifferent acceptale proailities accor#ing to the severity of their conse/uences.
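An added example, not taken from these Guidance Notes or from the IMO HSC Code, that maps a numerical probability to the 3.2.4 terms and then checks an end-effect severity (2.5.2, 3.2.3) together with that term against the three acceptance criteria quoted in 3.1. The worksheet entries are constructed, and the assignment of a value that falls exactly on a boundary to the more likely category is an assumption of the example.

```python
from typing import List, Tuple

# 3.2.4 guideline values (hourly or per-journey basis), as (category, lower bound).
# The Code does not say which category a value exactly on a boundary belongs to; this
# example assigns it to the more likely, and therefore more demanding, category. That
# choice is an assumption of the example, not a statement of the Code.
CATEGORIES: List[Tuple[str, float]] = [
    ("frequent", 1e-3),             # more than 10^-3
    ("reasonably probable", 1e-5),  # 10^-3 to 10^-5
    ("remote", 1e-7),               # 10^-5 to 10^-7
    ("extremely remote", 1e-9),     # 10^-7 to 10^-9
]
RECURRENT = {"frequent", "reasonably probable"}             # 3.2.2
SEVERITY = ["minor", "major", "hazardous", "catastrophic"]  # 3.2.3, least to most severe


def probability_category(p: float) -> str:
    """Map a numerical probability to the 3.2.4 term."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    for name, lower_bound in CATEGORIES:
        if p >= lower_bound:
            return name
    # 3.2.4 gives no figure for "extremely improbable" beyond "substantially less than
    # 10^-9"; whether a value only just below that line qualifies is the analyst's call.
    return "extremely improbable"


def violated_criteria(severity: str, category: str) -> List[int]:
    """Numbers (1 to 3) of the Figure 2 criteria that the (severity, category) pair breaks."""
    rank = SEVERITY.index(severity)
    broken = []
    if severity == "catastrophic" and category != "extremely improbable":
        broken.append(1)
    if category == "extremely remote" and rank > SEVERITY.index("hazardous"):
        broken.append(2)
    if category in RECURRENT and rank > SEVERITY.index("minor"):
        broken.append(3)
    return broken


def acceptable_without_corrective_measure(severity: str, p: float) -> bool:
    """3.1: where no redundancy or corrective measure is provided, the failure's
    probability must satisfy all three criteria."""
    return not violated_criteria(severity, probability_category(p))


def review(entries: List[Tuple[str, str, float]]) -> List[Tuple[str, str, List[int]]]:
    """Worksheet entries (ident, end-effect severity, probability) that still need a
    corrective measure, with the category assigned and the criteria broken."""
    out = []
    for ident, severity, p in entries:
        category = probability_category(p)
        broken = violated_criteria(severity, category)
        if broken:
            out.append((ident, category, broken))
    return out


# Constructed worksheet entries (not from the Guidance Notes).
SAMPLE = [
    ("SG-1", "catastrophic", 2e-8),
    ("PS-1", "major", 4e-4),
    ("IND-1", "minor", 5e-3),
    ("HL-1", "hazardous", 3e-8),
    ("CS-1", "catastrophic", 1e-12),
]

if __name__ == "__main__":
    for ident, category, broken in review(SAMPLE):
        print(f"{ident}: {category}; corrective measure needed, criteria broken: {broken}")
```

Only the three criteria quoted in 3.1 are encoded, so a pair such as remote / hazardous is accepted by this check; the Note above (different occurrences may have different acceptable probabilities) means a project's own acceptability criteria, fixed at the outset of the analysis as 3.1 requires, would normally be added to `violated_criteria`.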
Annex 1 FMEA for Dynamic Positioning System
1. General
This annex provides additional guidance specific to dynamic positioning systems and therefore should be read in conjunction with Sections 1 through 3 of the Guidance Notes.
2. Objectives
Section 4-3-5/15.1.4 of the Rules requires that a failure modes and effects analysis (FMEA) is to be conducted and submitted to ABS for review. This requirement is applicable to DP systems for which the DPS-2 or DPS-3 class notation is requested. The objective of the FMEA is to demonstrate that:
1. sufficient redundancy is provided in the dynamic positioning system, in accordance with the Rules, such that no single failure and its consequential series of events will result in the total loss of DP capability, but a certain reduced capability remains available even if a worst case single failure occurs. This reduced capability should be verified to be sufficient to keep the DP ship / DP offshore unit within the desired position under the declared maximum operating environmental conditions (i.e. wind speed, wave height and current speed); and
2. the redundancy would be immediately effective or brought into service with negligible time lag, such that the DP ship / offshore unit will not drift off outside the safe distance from the initial target position.
3. Single-failure Concept
FMEA is based on a single-failure concept, under which each system at various levels of a system's functional hierarchy is assumed to fail by one probable cause at a time. The Rules stipulate that, for the purpose of classification, the extent of "single failure" which must be considered in the FMEA varies depending on the classification notation requested, as summarized in Table 1. Any failure mode which could cause the loss of station keeping capability must be guarded against by redundancy, unless the probability of the postulated failure is extremely remote. In general, the failure of robust static components such as pipes or pipe manifolds need not be considered unless they are subjected to the threat of mechanical damage due to the location where they are installed. Where it is not possible to provide redundancy for a single component, such as a changeover switch, a case should be made to demonstrate that the probability of failure is extremely remote. Since DP control systems are of a complex nature involving computer hardware and software, particular attention should be paid to the possible sources of common cause failure and software error as described in 2.4.2 and 2.4.4 of the Guidance Notes.
Table 1 Extent of single failure to be considered
DP notation: Failure to be considered
DPS-2: Any single failure in the DP system (i.e. thruster system, control system, computer network system, power generation system, power distribution system, auxiliary systems), whether a single component or a single sub-system.
DPS-3: Any single failure in the DP system (i.e. thruster system, control system, computer network system, power generation system, power distribution system, auxiliary systems), whether a single component or a single sub-system. Further, a total loss of compartment(s) due to fire or flood, resulting in the total loss of the DP sub-systems installed therein, must be considered.
- end of Annex 1 -
1"
Annex 2 FMEA for Propulsion Redundancy
1. General
This annex provides additional guidance specific to propulsion redundancy as per the Propulsion Redundancy Guide and therefore should be read in conjunction with Sections 1 through 3 of the Guidance Notes.
2. Objectives
Section 4 of the Propulsion Redundancy Guide requires that a failure modes and effects analysis (FMEA) is to be conducted and submitted to ABS for review. The objective of the FMEA is to demonstrate that the required redundancy has been provided within the machinery systems, such that no single failure will result in the total loss of the ship's propulsion capability and maneuverability, but that a certain reduced capability in accordance with the Rules remains available. The FMEA is also to demonstrate that upon a single failure the propulsion and steering system will either be maintained in full or a redundant propulsion capability will become effective within two minutes. The minimum required redundant propulsion capability is stipulated in section 7.1 or 7.2, as applicable, depending on whether the additional notation "+" is requested or not, as summarized in Table 1.
Table 1 Redundant propulsion capability
Notation with "+" (such as R1+): The vessel must be capable of maneuvering into an orientation of least resistance to weather and, once in that orientation, maintain position such that the vessel will not drift for at least 36 hours. This must be possible in all weather conditions up to a wind speed of 17 m/s and a significant wave height of 4.5 m with 7.3 seconds mean period, both of which are acting concurrently in the same direction.
Notation without "+" (such as R1): The vessel must be able to advance at a speed of at least one-half its design speed or seven knots, whichever is less, for at least 36 hours.
3. Single-failure Concept
FMEA is based on a single-failure concept, under which each system at various levels of a system's functional hierarchy is assumed to fail by one probable cause at a time. The Propulsion Redundancy Guide stipulates that, for the purpose of classification, the extent of "single failure" which must be considered in the FMEA varies depending on the classification notation requested, as summarized in Table 2. Any failure mode which could cause the loss of station keeping capability must be guarded against by redundancy, unless the probability of the postulated failure is extremely remote. In general, the failure of robust static components such as pipes or pipe manifolds need not be considered unless they are subjected to the threat of mechanical damage due to the location where they are installed. Where it is not possible to provide redundancy for a single component, such as a changeover switch, a case should be made to demonstrate that the probability of failure is extremely remote.
Table 2 Extent of single failure to be considered
R1, R1+: Single failure in the propulsion machines, its auxiliary service systems and its control systems. The failure of the single propulsor or rudder, or total loss of machinery space or steering flat due to fire or flood, may not be considered.
R2, R2+: Single failure in the propulsion machines, propulsors, auxiliary service systems, control systems and steering systems. Total loss of machinery space or steering flat due to fire or flood may not be considered.
R1-S, R1-S+: As for R1, but the total loss of machinery space or steering flat due to fire or flood should also be considered.
R2-S, R2-S+: As for R2, but the total loss of machinery space or steering flat due to fire or flood should also be considered.
- End of Annex 2 -
Anne' 3 FMEA for $, S&ee! Craft 8SC9 Ma,$ner% S%stems 1
Intro!"t$on
his anne7 provi#es a##itional gui#ance specific to HSC machinery systems an# therefore shoul# e rea# in con6unction ith the ui#ance 5otes section 1 through 3. his part of gui#ance is largely ase# on the &(> HSC Co#e Anne7 3 an# 4 an# it is applicale to HSCs here they are to e uilt to &(> HSC Co#e. 1.1 &n the case of tra#itional craft it has een possile to specify certain aspects of #esign or construction in some level of #etail in a ay hich as consistent ith some level of ris hich ha# over the years een intuitively accepte# ithout having to e #efine#. 1.2 ?ith the #evelopment of large high-spee# craft this re/uire# e7perience has not een i#ely availale. Hoever ith the no roa# acceptance of the proailistic approach to safety assessments ithin the in#ustry as a hole it is propose# that an analysis of failure performance may e use# to assist in the assessment of the safety of operation of high-spee# craft. 1.3 A practical realistic an# #ocumente# assessment of the failure characteristics of the craft an# its component systems shoul# e un#ertaen ith the aim of #efining an# stu#ying the important failure con#itions that may e7ist. 1." '(!A for high-spee# craft is ase# on a single-failure concept un#er hich each system at various levels of a systemBs functional hierarchy is assume# to fail y one proale cause at a time. he effects of the postulate# failure are analy;e# an# classifie# accor#ing to their severity. Such effects may inclu#e secon#ary failures ,or multiple failures at other level,s. Any failure mo#e hich may cause a catastrophic effect to the craft shoul# e guar#e# against y system or e/uipment re#un#ancy unless the proaility of such failure is e7tremely improale ,refer to $ of this Anne7. 'or failure mo#es causing ha;ar#ous effects corrective measures may e accepte# in lieu. A test program shoul# e #ran to confirm the conclusions of '(!A. 
1.$ ?hile '(!A is suggeste# as one of the most fle7ile analysis techni/ues it is accepte# that there are other metho#s hich may e use# an# hich in certain circumstances may offer an e/ually comprehensive insight into particular failure characteristics.
2)
Ob6et$ves
2.1 he primary o6ective of '(!A is to provi#e a comprehensive systematic an# #ocumente# investigation hich estalishes the important failure con#itions of the craft an# assesses their significance ith regar# to the safety of the craft its occupants an# the environment an# to #emonstrate that the ris associate# ith the failures in the system eing e7amine# have een re#uce# as far as reasonaly practicale. 2.2
3)
he main aims of un#ertaing the analysis are to9 1. provi#e the A#ministration ith the results of a stu#y into the craftBs failure characteristics so as to assist in an assessment of the levels of safety propose# for the craftBs operation< 2. provi#e craft operators ith #ata to generate comprehensive training operational an# maintenance programs an# #ocumentation< an# 3. provi#e craft an# system #esigners ith #ata to au#it their propose# #esigns.
So&e of a&&l$at$on an! ob6et$ves of FMEA
1:
'(!A shoul# e con#ucte# for each high-spee# craft efore its entry into service in respect of the folloing systems as per &(> HSC co#e Anne7 4G3.1. 1. )irection control system ,see 3.1 2. *ropulsion machinery system ,see 3.2 3. !lectrical system ,see 3.3 4. Staili;ation system ,see 3.4 ". *ropulsion re#un#ancy for category-8 craft ,see 3."
3.1 Directional Control System

5.2 of the IMO HSC Code stipulates that a design incorporating a power drive or an actuation system employing powered components for normal directional control is to provide a secondary means of actuating the device, unless an alternative system is provided. The secondary means of actuating the directional control device may be manually driven if it is found to be adequate, bearing in mind the craft's size and design and any limitations of speed or other parameters that may be necessary. Given these design conditions, the purpose of FMEA is to demonstrate that:
1. the directional control systems have been constructed so that a single failure in one drive or system, as appropriate, will not render any other one inoperable or unable to bring the craft to a safe situation (the Administration may allow a short period of time to permit the connection of a secondary control device when the design of the craft is such that such delay will not, in their opinion, hazard the craft); and
2. the probability of total failure of all directional control systems is extremely remote when the craft is operating normally, i.e. excluding emergency situations such as grounding, collision or a major fire.
3.2 Machinery Systems

The purpose of FMEA is to demonstrate that means have been provided so that normal operation of propulsion machinery can be sustained or restored even though one of the essential auxiliaries becomes inoperative. Special consideration should be given to the malfunctioning of:
1. a generating set which serves as a main source of electrical power;
2. the fuel oil supply systems for engines;
3. the sources of lubricating oil pressure;
4. the sources of water pressure;
5. an air compressor and receiver for starting or control purposes; and
6. the hydraulic, pneumatic or electrical means for control in main propulsion machinery, including controllable-pitch propellers.
Having regard to overall safety considerations, a partial reduction in propulsion capability from normal operation may be accepted.
3.3 Electrical System

12 of the IMO HSC Code stipulates that electrical installations should be such that:
1. all electrical auxiliary services necessary for maintaining the craft in normal operation and habitable conditions will be ensured without recourse to the emergency source of electrical power;
2. electrical services essential for safety will be ensured under various emergency conditions; and
3. the safety of passengers, crew and craft from electrical hazards will be ensured.
Furthermore, where loss of a particular essential service would cause serious risk to the craft, the service shall be fed by at least two independent circuits, in such a way that no single failure in the electrical supply or distribution systems would affect both supplies. Given these design conditions, the purpose of FMEA is to demonstrate that the electrical system has been designed and installed so that the probability of the craft being at risk from failure of a service is extremely remote.
3.4 Stabilization System

The purpose of FMEA is to demonstrate that:
1. stabilization systems have been so designed that, in case of failure or malfunctioning of any one of the stabilization devices or equipment, it would be possible either to ensure maintaining the main parameters of the craft's motion within safe limits with the aid of working stabilization devices, or to put the craft into the displacement or other safe mode; and
2. in case of failure of any automatic equipment or stabilization device or of its power drive, the parameters of craft motion shall remain within safe limits.

3.5 Category B Craft

(i) 9.7 of the IMO HSC Code stipulates that Category B craft is provided with at least two independent means of propulsion, so that the failure of one engine or its support systems would not cause the failure of the other engine or engine systems, and with additional machinery controls in or close to the machinery space.
(ii) Furthermore, 9.8 of the IMO HSC Code stipulates that Category B craft is capable of maintaining the essential machinery and control so that, in the event of a fire or other casualties in any one compartment on board, the craft can return to a port of refuge under its own power.
Given these design conditions, the purpose of FMEA is to demonstrate that these two requirements for propulsion redundancy are met under stipulated failure conditions.
4. System failure mode and effects analysis

Before proceeding with a detailed FMEA into the effects of the failure of the system elements on the system functional output, it is necessary to perform a functional failure analysis of the craft's important systems. In this way only systems which fail the functional failure analysis need to be investigated by a more detailed FMEA.

When conducting a system FMEA, the following typical operational modes within the normal design environmental conditions of the craft should be considered:
1. normal seagoing conditions at full speed;
2. maximum permitted operating speed in congested waters; and
3. maneuvering alongside.

The functional interdependence of these systems should also be described in either block diagrams or fault-tree diagrams, or in a narrative format, to enable the failure effects to be understood. As far as applicable, each of the systems to be analyzed is assumed to fail in the following failure modes:
1. complete loss of function;
2. rapid change to maximum or minimum output;
3. uncontrolled or varying output;
4. premature operation;
5. failure to operate at a prescribed time; and
6. failure to cease operation at a prescribed time.
Depending on the system under consideration, other failure modes may have to be taken into account.

If a system can fail without any hazardous or catastrophic effect, there is no need to conduct a detailed FMEA into the system architecture. See 2.4.1 "Level of analysis" of the Guidance Notes. For systems whose individual failure can cause hazardous or catastrophic effects, and where a redundant system is not provided, a detailed FMEA as described in the following paragraphs should be followed. Results of the system functional failure analysis should be documented and confirmed by a practical test program drawn up from the analysis.

Where a system, the failure of which may cause a hazardous or catastrophic effect, is provided with a redundant system, a detailed FMEA may not be required provided that:
1. the redundant system can be put into operation or can take over the failed system within the time limit dictated by the most onerous operational mode in 4.2, without hazarding the craft;
2. the redundant system is completely independent from the system and does not share any common system element the failure of which would cause failure of both the system and the redundant system. Common system elements may be acceptable if the probability of failure complies with section 13; and
3. the redundant system may share the same power source as the system. In such case an alternative power source should be readily available with regard to the requirement of .1.
See further guidance in 2.4.1 "Level of analysis" of the Guidance Notes. Furthermore, in assessing the redundant system, special attention is to be paid to the means of failure detection and the integrity of the changeover mechanism provided between redundant systems. See sections 2.6 and 2.7 of the Guidance Notes. The probability and effects of operator error in bringing in the redundant system should also be considered.
5. Equipment failure mode and effects analysis

The systems to be subject to a more detailed FMEA investigation at this stage should include all those that have failed the system FMEA, and may include those that have a very important influence on the safety of the craft and its occupants and which require an investigation at a deeper level than that undertaken in the system functional failure analysis. These systems are often those which have been specifically designed or adapted for the craft, such as the craft's electrical and hydraulic systems.
6. Use of probability concept

If corrective measures or redundancy as described in section 2.7 of the Guidance Notes are not provided for any failure, as an alternative the probability of occurrence of such failure should meet the following criteria of acceptance:
1. a failure mode which results in a catastrophic effect should be assessed to be extremely improbable;
2. a failure mode assessed as extremely remote should not result in worse than hazardous effects; and
3. a failure mode assessed as either frequent or reasonably probable should not result in worse than minor effects.
Numerical values for various levels of probabilities are laid down in section 3 of the Guidance Notes.
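Taken together, 1.5, section 4 and section 6 above form a decision rule for each worksheet row: screen out effects below hazardous, credit redundancy only when the three conditions of section 4 hold, otherwise fall back on the probability criteria. The following Python is an added example, not part of the Guidance Notes; the probability class "remote" is assumed from the Guidance Notes section 3 scale (not quoted on this page), and the worksheet rows are constructed for illustration.

```python
from dataclasses import dataclass

SEVERITY = ["minor", "major", "hazardous", "catastrophic"]   # increasing severity
# Worst end effect acceptable per probability class (section 6 criteria 1-3). "remote" is
# assumed from the Guidance Notes section 3 scale; its bound follows from criterion 1.
MAX_EFFECT = {"frequent": "minor", "reasonably probable": "minor",
              "remote": "hazardous", "extremely remote": "hazardous",
              "extremely improbable": "catastrophic"}

@dataclass
class FailureMode:
    system: str
    mode: str                       # one of the six generic failure modes in section 4
    end_effect: str                 # a SEVERITY class
    probability: str                # a MAX_EFFECT key
    redundant: bool = False         # a redundant system is provided
    takeover_in_time: bool = False  # section 4 condition 1: takeover within the time limit
    independent: bool = False       # section 4 condition 2: no common system element
    alt_power: bool = False         # section 4 condition 3: alternative power source

def probability_acceptable(effect: str, probability: str) -> bool:
    # Section 6: acceptable on probability alone, with no redundancy or corrective measure.
    return SEVERITY.index(effect) <= SEVERITY.index(MAX_EFFECT[probability])

def assess(fm: FailureMode) -> str:
    # Next step the analysis requires for one worksheet row.
    if SEVERITY.index(fm.end_effect) < SEVERITY.index("hazardous"):
        return "no detailed FMEA required"         # section 4: effect not hazardous/catastrophic
    if fm.redundant and fm.takeover_in_time and fm.independent and fm.alt_power:
        return "redundancy accepted; verify detection and changeover"  # section 4, 2.6 and 2.7
    if probability_acceptable(fm.end_effect, fm.probability):
        return "accepted on probability"           # section 6
    if fm.end_effect == "catastrophic":
        return "redundancy required"               # section 1.5
    return "corrective measures required; detailed FMEA"  # hazardous effect, section 1.5

# Constructed worksheet rows for illustration only, not data from any real craft.
WORKSHEET = [
    FailureMode("directional control", "complete loss of function", "catastrophic", "remote",
                redundant=True, takeover_in_time=True, independent=True, alt_power=True),
    FailureMode("main generating set", "complete loss of function", "hazardous",
                "reasonably probable", redundant=True, takeover_in_time=True, independent=True),
    FailureMode("stabilization device", "uncontrolled or varying output", "major", "remote"),
    FailureMode("fuel oil supply", "failure to operate at a prescribed time",
                "catastrophic", "extremely improbable"),
]

def assess_worksheet(rows=None) -> dict:
    return {fm.system: assess(fm) for fm in (rows if rows is not None else WORKSHEET)}
```

The generating set row shows the common pitfall: redundancy that shares a power source without an alternative is not creditable under section 4, so the row falls through to the probability test and fails it.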
7. Documentation

It is helpful to perform FMEA on worksheet(s) as shown in Figure 1. The worksheet(s) should be organized to first display the highest system level and then proceed down through decreasing system levels.
8. Test program

An FMEA test program should be drawn up to prove the conclusions of the FMEA. It is recommended that the test program should include all systems or system elements whose failure would lead to:
- major or more severe effects;
- restricted operations; and
- any other corrective action.
For equipment where failure cannot be easily simulated on the craft, the results of other tests can be used to determine the effects and influences on the systems and craft. The trials should also include investigations into:
.1 the layout of control stations, with particular regard to the relative positioning of switches and other control devices, to ensure a low potential for inadvertent and incorrect crew action, particularly during emergencies, and the provision of interlocks to prevent inadvertent operation for important system operation;
.2 the existence and quality of the craft's operational documentation, with particular regard to the pre-voyage checklists. It is essential that these checks account for any unrevealed failure modes identified in the failure analysis; and
.3 the effects of the main failure modes as prescribed in the theoretical analysis.
The FMEA tests onboard should be conducted in conjunction with the provisions specified in 5.3, 16.4 and 17.4 of the IMO HSC Code before the craft enters into service.
9. FMEA report

The FMEA report should be a self-contained document with a full description of the craft, its systems and their functions, and the proposed operation and environmental conditions, for the failure modes, causes and effects to be understood without any need to refer to other plans and documents not in the report. The analysis assumptions and system block diagrams should be included where appropriate. The report should contain a summary of conclusions and recommendations for each of the systems analyzed in the system failure analysis and the equipment failure analysis. It should also list all probable failures and their probability of failure and, where applicable, the corrective actions or operational restrictions for each system in each of the operational modes under analysis. The report should contain the test programme and reference any other test reports and the FMEA trials.

- End of Annex 3 -
Annex 4 FMEA for Propulsion Remote Control System

1. General

This annex provides additional guidance specific to propulsion remote control systems and therefore should be read in conjunction with the Guidance Notes, sections 1 through 3.
2) P"r&ose of FMEA *art 4 Chapter @ Section 1 @.11 of the Steel essel +ule recommen# that a failure mo#es an# effects analysis ,'(!A e con#ucte# on propulsion remote control system Eto investigate if any single failure in control system oul# lea# to un#esirale conse/uences such as loss of propulsion loss of propulsion control etc.F. he term Econtrol systemF here is use# in a roa#er sense an# it inclu#es monitoring system an# safety system. he intent of this re/uirement is that if some failure mo#es ere foun# to e7ist hich coul# lea# to un#esirale conse/uences then certain safeguar#s or fallac arrangements shoul# e provi#e# such that un#esirale situations can e avoi#e# from occurring. +ules #o not re/uire re#un#ancy e provi#e# in propulsion control system an# therefore the +ules accept that in the event of single failure the functionalities of the system oul# e compromise#. Hoever the rules e7pect that failures in the systems e safely containe#. o achieve this +ules stipulate the folloing provisions. •
• •
&nter-in#epen#ence eteen control monitoring an# safety systems. his allos in the event of control system failure the safety system to automatically safeguar# the machinery systems. &n other cases it allos cre to intervene ase# on the information provi#e# y monitoring system. *rovisions for local control an# means of communication from the ri#ge. Control system to fail in the least #angerous ay ,fail safe concept. 'or instance in the event of remote control system failure the main engine is to continue to operate accor#ing to the last comman#.
herefore the o6ective of con#ucting '(!A is to confirm that the aove safety provisions oul# e availale un#er any single failure con#itions hence minimi;ing the chance of un#esirale situations from occurring.
- End of Annex 4 -