SAE AIR 5022-1996 Reliability and Safety Process Integration.pdf

Resource ID: 1020221 | Size: 1.17 MB | Pages: 23 | Format: PDF

SAE AIR5022
The Engineering Society For Advancing Mobility Land Sea Air and Space
SAE International, 400 Commonwealth Drive, Warrendale, PA 15096-0001

AEROSPACE INFORMATION REPORT
Submitted for recognition as an American National Standard
AIR5022, Issued 1996-07

RELIABILITY AND SAFETY PROCESS INTEGRATION

TABLE OF CONTENTS
1 SCOPE 3
2 REFERENCES 3
2.1 Applicable Documents 3
2.1.1 SAE Publications 3
2.1.2 U.S. Government Publications 3
2.2 List of Acronyms 4
3 TECHNICAL REQUIREMENTS 5
3.1 Overview 5
3.2 Statement of Need 7
3.3 Introduction to the Concept 7
3.4 Discussion of Each Analysis as Currently Performed 7
3.4.1 Introduction 7
3.4.2 Failure Mode, Effects, and Criticality Analysis (FMECA) 7
3.4.3 Reliability Allocation 9
3.4.4 Reliability Prediction 9
3.4.5 Hazard Analysis 9
3.4.6 Fault Tree Analysis 9
3.4.7 Testing and FRACAS 9
3.5 Details of Reliability and Safety Interrelationships 9
3.5.1 Reliability Prediction - FMECA 10
3.5.2 FMECA - Mode Failure Rate - Fault Tree Analysis 10
3.5.3 FRACAS - FMECA 10
3.5.4 Hazard Analysis - Fault Tree Analysis 10
3.5.5 FMECA - Detection Method/Compensating Provisions - Fault Tree Analysis 11
3.5.6 FRACAS - Fault Tree Analysis 11
3.5.7 Coordination and Control 11

SAE Technical Standards Board Rules provide that: "This report is published by SAE to advance the state of technical and engineering sciences. The use of this report is entirely voluntary, and its applicability and suitability for any particular use, including any patent infringement arising therefrom, is the sole responsibility of the user." SAE reviews each technical report at least every five years at which time it may be reaffirmed, revised, or cancelled. SAE invites your written comments and suggestions. Copyright 1996 Society of Automotive Engineers, Inc. All rights reserved. Printed in U.S.A.

TABLE OF CONTENTS (CONTINUED)
3.6 Example of R

... the effect of each failure mode on other items (the failure effects); and a measure of effects of each failure mode on the performance of the entire system (the criticality). FMECA is performed for each system function or each system component/piece part. Each potential failure mode is ranked by the severity of its effects to help prioritize corrective actions that may be taken to eliminate or control the high risk items. FMECA is used in maintainability analysis, safety analysis, survivability and vulnerability analysis, LSA, maintenance plan analysis, and testability analysis.

[FIGURE 2 - Reliability and Safety Program Relationships; tasks shown in the figure include Worst Case Analysis, Markov Analysis, Cause Consequence Analysis, and Safety Case]

The example given above is not exhaustive. It shows some of the common tasks which are relevant to both reliability and safety. The program integrity is enhanced by integrated effort.

3.4.3 Reliability Allocation:
Reliability allocation is a top-down method of distributing specific quantitative reliability requirements to a system's lower indenture levels. All items at each level of the system hierarchy are assigned values that combine to the next higher level of assembly.

3.4.4 Reliability Prediction:
In reliability prediction each item is analyzed to determine its predicted failure frequency or probability using accepted assessment methods. Rates for each set of items are combined to the next higher level assembly and so on through the system level.

3.4.5 Hazard Analysis:
Hazard Analysis identifies any factor associated with a system that is a potential risk to personnel or equipment. A comprehensive analysis should include hazards posed directly by the operation of the equipment; hazards that arise as a side effect of operation or maintenance; and hazards posed by tools, support equipment, or solvents used in the operation and maintenance of the equipment. Often, several separate types of hazard analyses are performed and documented; PHA (Preliminary Hazard Analysis), SSHA (Subsystem Hazard Analysis), SHA (System Hazard Analysis), O&SHA (Operating and Support Hazard Analysis), and FHA (Functional Hazard Analysis) each have a specific focus and purpose.

3.4.6 Fault Tree Analysis:
Fault tree analysis begins with a system level undesired event identified from the Hazards Analysis. For each top level event the item failures or combinations of item failures that could cause the event to occur are identified. The process of subdivision continues until the bottom fault tree layers include basic failure events or conditions that are independent and can be quantified.

3.4.7 Testing and FRACAS:
Throughout a development program, testing is conducted for many different purposes. The equipment being tested will be at various stages of design maturity, and can include components, subassemblies, and the overall system. It is essential that during development phases, all nonconformances are recorded so that they can be investigated and design improvements implemented. The process to record and report the nonconformances, and to monitor the related corrective actions, is called the Failure Reporting, Analysis, and Corrective Action System (FRACAS). To ensure completeness and consistency, a development program should have only one FRACAS. All departments involved in the product's design and testing should utilize the common FRACAS database to contribute and extract relevant reliability and safety information.

3.5 Details of Reliability and Safety Interrelationships (Reference Figure 1):
This section provides specific examples of technical information which is common to two or more separate reliability and/or safety tasks. Each such common data element represents a potential opportunity to eliminate duplicate work effort, if total reliability and safety functions are integrated effectively.

3.5.1 Reliability Prediction - FMECA:
The reliability prediction typically provides component-level failure rates which can be directly transferred to the corresponding data element in the FMECA. Often, though, the FMECA requires additional detail such as failure rates for the individual failure modes (of each component), or estimates of the frequency that a specific failure mode will result in a particular system effect or criticality.

3.5.2 FMECA - Mode Failure Rate - Fault Tree Analysis:
The Fault Tree includes, as basic failure events, all component failure modes that cause or contribute to the top hazard (undesired event) being analyzed. The FMECA documents the predicted failure occurrence rate of each component failure mode. The Fault Tree can be quantified by assigning the corresponding FMECA failure rate to each Fault Tree basic failure event. These failure rates are used in conjunction with the mission length and any potential dormancy period to calculate the expected failure probability for each event. The probability for the top hazard can then be calculated based on these event probabilities, and the specific system configuration (e.g., redundancies) modeled in the fault tree.

3.5.3 FRACAS - FMECA:
Examination of FRACAS failure mode data collected during actual use of the item, or during testing, can:
a. Identify component failure modes overlooked when performing the initial FMECA; these additional modes can be added to the FMECA.
b. Highlight component failure modes which have higher actual failure rates than predicted in the initial FMECA.
c. Verify that the FMECA accurately states the effects and severity of those failures experienced during testing.
d. Identify areas needing BIT or fault detection.
e. Assist in identifying methods of detection and the mission equipment list required by Task 103 maintainability analyses.
f. Verify that MIL-STD-1629A Task 103 Maintainability analyses do not conflict with actual test experience.

3.5.4 Hazard Analysis - Fault Tree Analysis:
The completed Hazard Analysis identifies and categorizes potential product hazards that require further review and analysis. Fault Tree Analysis (FTA) is performed on each of these identified potential hazards, to determine all possible causes. The hazard category, or severity, helps establish the priority in which the hazards will be analyzed using FTA. In addition, the Hazard Analysis typically provides information on potential failure causes, including design, environment, operational, and maintenance considerations. This information often represents "lessons learned" from experience with other products. These potential failure causes should be carefully reviewed, and included in the fault tree analysis as needed.

3.5.5 FMECA - Detection Method/Compensating Provisions - Fault Tree Analysis:
The failure detection method, as documented in the FMECA, is very important to the Fault Tree Analyst, because it can help determine if a failure mode is potentially dormant. For example, if a specific failure mode is detected via a "daily visual inspection", that mode is potentially dormant for a full 24 hour period. A failure mode detected by "electronic built-in-test" would have no dormancy if it is annunciated when detected. The dormancy period, along with the mode failure rate and mission length, is used to calculate the probability for each basic failure event in the Fault Tree. The FMECA typically includes a column titled "Compensating Provisions" or "Remarks" that may describe special design, operation, or maintenance features pertinent for specific component failure modes. For each basic failure event in the Fault Tree, the corresponding FMECA record should be reviewed to ensure that these accommodation features are properly modeled.

3.5.6 FRACAS - Fault Tree Analysis:
The severity and effects of a failure may be verified by the failure verification and cause investigation FRACAS process. The FRACAS may identify hazards not previously addressed by the FTA. The FRACAS may determine what studies should be done.

3.5.7 Coordination and Control:
Just as specific departments are assigned responsibility for specific analysis tasks, specific departments should be assigned responsibility for the specific data elements which are used in these analysis tasks. Even when these data elements are common to two or more reliability and/or safety tasks, one department should be assigned responsibility to develop, maintain, and provide this data to all analysts requiring it. For example, the FMECA should be the source of all failure modes, rates, and effects information. If related safety or maintainability analyses reveal errors or omissions, the FMECA should be updated so that it remains the most current, accurate, and complete source for this data. Control of the total process, therefore, becomes an important consideration. There should be a common database developed between the various affected disciplines, accessible to all, but strictly controlled by one designated department or individual. If the data is computerized, a local area network (LAN) is the most effective method of sharing common data. Defined elements in the common database could be assigned "write" permission to specific individuals, with all others having only "read" capability. An example of R&S integration is given in 3.6.

3.6 Example of R&S Processes: Turbine Engine Overspeed Control:

3.6.1 Description of Turbine Engine Overspeed Control:
The model chosen to illustrate the integration of Reliability and Safety analysis tools is an overspeed control mode of a turbine engine electronic control. The control scheme described here does not represent any specific turbine engine system. In fact, to make the example clearer to perform and explain, the system as described is much simpler than a real-world system. The Engine overspeed control system includes the following components:
a. Analog Overspeed Control
b. Digital Electronic Fuel Control
c. Fuel Metering Valve
d. Fuel Cut-off Valve
e. Primary Speed Sensor
f. Secondary Speed Sensor
Other system hardware such as electrical harnesses and fuel tubing have been excluded for simplification. The significant features and functions of the overspeed control system are:
a. The Analog Overspeed Control monitors engine speed using both the Primary and Secondary Speed Sensors. If either sensor provides an indication of overspeed, the Analog Control signals the cut-off valve to close. This shuts off fuel to the engine, causing the engine to safely shut down.
b. The Primary Speed Sensor contains two sensing elements (or drivers), and thus provides two separate engine speed indications. For purposes of overspeed detection, the two drivers are in series, such that both must detect an overspeed condition in order for the condition to be recognized by the Analog Overspeed Control. (The drivers are in series so that a simple short circuit of one driver won't cause an inadvertent engine shutdown.)
c. The Secondary Speed Sensor is identical to the Primary Speed Sensor, and provides complete redundancy in detecting an overspeed condition.
d. The Digital Electronic Fuel Control electronically controls the Fuel Metering Valve based on the operator selected engine speed. If engine speed decreases, the Digital Electronic Fuel Control will signal the Fuel Metering Valve to move toward the full open position until the engine speed returns to the desired set point. Similarly, if engine speed increases, the Digital Engine Fuel Control will signal the Fuel Metering Valve to move toward the closed position.

3.6.1 (Continued):
e. The Digital Electronic Fuel Control will use the Primary Speed Sensor to measure engine speed, unless the Primary Sensor is detected in a failed condition. In this case, the digital control will use the Secondary Speed Sensor. A failed condition is detected if the sensor provides a speed value outside the range of normal speeds, or if the two drivers provide significantly different speed values. NOTE: If the Secondary Speed Sensor is also detected failed, the digital control will shut down the engine.

3.6.2 Reliability and Safety Analysis Tasks for Overspeed Control Example System:

3.6.2.1 Failure Mode, Effects, and Criticality Analysis (FMECA):
The Failure Modes, Effects, and Criticality Analysis (FMECA) is a structured technique to identify how each potential failure mode impacts system operation. The analysis documents not only how the system operation may be impaired, but the detection means used to identify when the failure has occurred. Accommodation provisions, such as redundancies or scheduled maintenance tasks, are also documented. Figure 3 provides the FMECA worksheet developed for the Primary Speed Sensor of the overspeed control system. The FMECA document typically becomes a focal point for the entire reliabil
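The following is an added worked example, not code from AIR5022 or from SAE. It carries the data flow of 3.5.2 and 3.5.5 (FMECA mode failure rate plus detection-method dormancy plus mission length give a basic-event probability; gates give the top-hazard probability) through the overspeed control system of 3.6.1, with the two drivers of each speed sensor in series for detection and the two sensors redundant. Everything not stated by the report is an assumption: the exponential model P = 1 - exp(-rate * (mission + dormancy)), independence of basic events, the 24 h and 0 h dormancy values taken from the 3.5.5 text, and all failure rates, which are constructed. The `drivers_in_series` switch goes beyond the report's own example to show why the series arrangement noted in 3.6.1 b trades a slightly higher "failure to shut down" probability for a much lower "inadvertent shutdown" probability.

```python
"""Quantify fault trees from FMECA data (added example, not SAE's own code).

Assumptions not stated by AIR5022: constant failure rates, so
P(event) = 1 - exp(-rate * (mission + dormancy)); independent basic events,
so AND = product and OR = 1 - prod(1 - p). All rates below are constructed.
"""
import math
from dataclasses import dataclass

# Dormancy implied by the FMECA detection method (3.5.5): a mode found only by
# daily visual inspection may sit undetected for 24 h; annunciated BIT has none.
DORMANCY_BY_DETECTION_H = {
    "electronic built-in-test": 0.0,
    "daily visual inspection": 24.0,
}


@dataclass(frozen=True)
class BasicEvent:
    """One FMECA failure mode carried into the fault tree as a basic event."""
    name: str
    rate_per_hour: float   # mode failure rate column of the FMECA (constructed)
    detection: str         # detection method column of the FMECA

    def probability(self, mission_h: float) -> float:
        exposure_h = mission_h + DORMANCY_BY_DETECTION_H[self.detection]
        return 1.0 - math.exp(-self.rate_per_hour * exposure_h)


def evaluate(node, mission_h: float) -> float:
    """Evaluate a tree node: a BasicEvent or a (gate, [children]) tuple."""
    if isinstance(node, BasicEvent):
        return node.probability(mission_h)
    gate, children = node
    probs = [evaluate(child, mission_h) for child in children]
    if gate == "AND":
        return math.prod(probs)
    if gate == "OR":
        return 1.0 - math.prod(1.0 - p for p in probs)
    raise ValueError(f"unknown gate {gate!r}")


def driver(sensor: str, idx: int, mode: str, rate: float) -> BasicEvent:
    """Constructed FMECA row for one driver of one speed sensor (BIT-detected)."""
    return BasicEvent(f"{sensor} driver {idx} {mode}", rate, "electronic built-in-test")


def fail_to_shutdown_tree(drivers_in_series: bool = True):
    """Top hazard: the engine is not shut down on a real overspeed.

    Drivers in series (3.6.1 b): a sensor misses the overspeed if EITHER driver
    misses it (OR). Both sensors must miss it (AND), since the Analog Overspeed
    Control trips on either sensor (3.6.1 a, c). Control and valve failures are
    single points (OR at the top).
    """
    miss = "fails to indicate overspeed"
    sensor_gate = "OR" if drivers_in_series else "AND"
    return ("OR", [
        ("AND", [
            (sensor_gate, [driver("primary", 1, miss, 1e-5), driver("primary", 2, miss, 1e-5)]),
            (sensor_gate, [driver("secondary", 1, miss, 1e-5), driver("secondary", 2, miss, 1e-5)]),
        ]),
        BasicEvent("analog control fails to command cut-off", 5e-6, "daily visual inspection"),
        BasicEvent("fuel cut-off valve fails to close", 3e-6, "daily visual inspection"),
    ])


def inadvertent_shutdown_tree(drivers_in_series: bool = True):
    """Undesired event: the engine is shut down with no real overspeed.

    Drivers in series: BOTH drivers of one sensor must falsely indicate (AND);
    either sensor doing so trips the cut-off (OR).
    """
    false_trip = "falsely indicates overspeed"
    sensor_gate = "AND" if drivers_in_series else "OR"
    return ("OR", [
        (sensor_gate, [driver("primary", 1, false_trip, 2e-6), driver("primary", 2, false_trip, 2e-6)]),
        (sensor_gate, [driver("secondary", 1, false_trip, 2e-6), driver("secondary", 2, false_trip, 2e-6)]),
    ])


def top_event_probabilities(mission_h: float = 10.0, drivers_in_series: bool = True) -> dict:
    """Probabilities of both top events for one mission length."""
    return {
        "fail_to_shutdown": evaluate(fail_to_shutdown_tree(drivers_in_series), mission_h),
        "inadvertent_shutdown": evaluate(inadvertent_shutdown_tree(drivers_in_series), mission_h),
    }


if __name__ == "__main__":
    for series in (True, False):
        label = "drivers in series" if series else "drivers in parallel"
        print(label, top_event_probabilities(10.0, series))
```

With the constructed rates the series arrangement leaves "failure to shut down" dominated by the two dormant single-point events (control and valve, each carrying the 24 h inspection dormancy on top of the 10 h mission), while "inadvertent shutdown" drops by about five orders of magnitude compared with the parallel arrangement; that is the design trade the parenthetical in 3.6.1 b is describing, and it is only visible once the FMECA detection method is carried into the tree as dormancy.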

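As a second added example (again not SAE's code), this implements the feedback loop of 3.5.3 items a and b: FRACAS failure records collected during testing are tallied per (component, failure mode) and compared with the FMECA, reporting modes the FMECA overlooked and modes whose observed rate exceeds the FMECA prediction. The FMECA rows, FRACAS records, test hours and the factor-of-two flagging margin are all constructed, and the observed rate is a plain failures-per-hour point estimate rather than a statistical test.

```python
"""Reconcile FRACAS records against the FMECA (added example, not SAE's code).

Covers 3.5.3 a (modes missing from the FMECA) and 3.5.3 b (modes failing more
often than the FMECA predicts). All data are constructed.
"""
from collections import Counter

# Constructed FMECA rows: (component, failure mode) -> predicted rate per hour.
FMECA_RATES = {
    ("primary speed sensor", "driver open circuit"): 1e-5,
    ("primary speed sensor", "driver short circuit"): 1e-5,
    ("fuel cut-off valve", "fails to close"): 3e-6,
}

# Constructed FRACAS records from development testing (report id, component, mode).
FRACAS_RECORDS = [
    {"report": "FR-001", "component": "primary speed sensor", "mode": "driver open circuit"},
    {"report": "FR-002", "component": "primary speed sensor", "mode": "driver open circuit"},
    {"report": "FR-003", "component": "primary speed sensor", "mode": "driver open circuit"},
    {"report": "FR-004", "component": "fuel cut-off valve", "mode": "sticks partially open"},
    {"report": "FR-005", "component": "primary speed sensor", "mode": "driver short circuit"},
]


def observed_rates(records, test_hours: float) -> dict:
    """Point estimate of each (component, mode) rate: failures / accumulated test hours."""
    counts = Counter((r["component"], r["mode"]) for r in records)
    return {key: n / test_hours for key, n in counts.items()}


def reconcile(fmeca_rates: dict, records, test_hours: float, margin: float = 2.0):
    """Return (overlooked, under_predicted).

    overlooked: (component, mode) pairs seen in FRACAS with no FMECA row; these
      are candidates to add to the FMECA (3.5.3 a).
    under_predicted: (pair, fmeca_rate, observed_rate) where the observed rate
      exceeds margin x the FMECA rate (3.5.3 b).
    """
    observed = observed_rates(records, test_hours)
    overlooked = sorted(key for key in observed if key not in fmeca_rates)
    under_predicted = sorted(
        (key, fmeca_rates[key], rate)
        for key, rate in observed.items()
        if key in fmeca_rates and rate > margin * fmeca_rates[key]
    )
    return overlooked, under_predicted


if __name__ == "__main__":
    missing, worse = reconcile(FMECA_RATES, FRACAS_RECORDS, test_hours=100000.0)
    for key in missing:
        print("not in FMECA:", key)
    for key, predicted, actual in worse:
        print(f"under-predicted: {key} FMECA {predicted:.1e}/h observed {actual:.1e}/h")
```

Because 3.5.7 makes the FMECA the single source of failure modes and rates, the output of this check is an update to the FMECA, not a side table: the overlooked mode gets a new row, and the under-predicted mode gets its rate revised so that the fault tree quantified from it (3.5.2) is recomputed from the corrected value.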
