9.1 Failure mode is the manner by which a failure
is observed. It generally describes the way the failure occurs and
its impact on the equipment or system. As an example, a list of failure
modes is given in table 1. The failure
modes listed in table 1 can describe
the failure of any system element in sufficiently specific terms.
When used in conjunction with performance specifications governing
the inputs and outputs on the system block diagram, all potential
failure modes can be thus identified and described. Thus, for example,
a power supply may have a failure mode described as "loss of output"(29),
and a failure cause "open (electrical)"(31).
Table1 Example of a set of Failure
Modes
| 1
|
Structual Failure
(Rupture)
|
18
|
False Actuation
|
| 2
|
Physical binding or
jamming
|
19
|
Fails to stop
|
| 3
|
Vibration
|
20
|
Fails to start
|
| 4
|
Fails to remain in
position
|
21
|
Fails to
switch
|
| 5
|
Fails to open
|
22
|
Premature operation
|
| 6
|
Fails to close
|
23
|
Delayed operation
|
| 7
|
Fails open
|
24
|
Erroneous input
(increased)
|
| 8
|
Fails closed
|
25
|
Erroneous input
(decreased)
|
| 9
|
Internal
leakage
|
26
|
Erroneous output
(increased)
|
| 10
|
External
leakage
|
27
|
Erroneous output
(decreased)
|
| 11
|
Fails out sof tolerance
(high)
|
28
|
Loss of input
|
| 12
|
Fails out of tolerance
(low)
|
29
|
Loss of output
|
| 13
|
Inadvertant operation
|
30
|
Shorted
(Electrical)
|
| 14
|
intermittent operation
|
31
|
Open
(Electrical)
|
| 15
|
Erratic operation
|
32
|
Leakage
(Electrical)
|
| 16
|
Erroneous
|
33
|
Other unique failure
conditions as applicaible to the system characteristics, requirements and
operational constraints.
|
| 17
|
Restricted flow
|
|
|
9.2 A failure mode in a system element could also
be the failure cause of a system failure. For example, the hydraulic
line of a steering gear system might have a failure mode of "external
leakage"(10). This failure mode of the hydraulic line could become
a failure cause of the steering gear system's failure mode "loss of
output"(29).
9.3 Each system should be considered in a top-down
approach, starting from the system's functional output, and failure
should be assumed by one possible cause at a time. Since a failure
mode may have more than one cause, all potential independent causes
for each failure mode should be identified.
9.4 If major systems can fail without any adverse
effect there is no need to consider them further unless the failure
can go undetected by an operator. To decide that there is no adverse
effect does not mean just the identification of system redundancy.
The redundancy should be shown to be immediately effective or brought
on line with negligible time lag. In addition, if the sequence is:
"failure-alarm-operator action - start of back up - back up
in service", the effects of delay should be considered.