Mbsa s1 - Intro Et Fmea


Model-Based Safety Assessment

Faïda MHENNI
PhD, Eng., Associate Professor
Institut Supérieur de Mécanique de Paris – ISAE-SUPMECA

Faïda Mhenni faida.mhenni@isae-supmeca.fr Model-Based Safety Assessment (MBSA) 1


Content

Introduction

Terminology

Safety Standards

Safety Analysis Approaches

Safety Analysis Techniques



Introduction



Introduction
• System Design focuses on how to accomplish the objective of the
system in terms of nominal operation and performances. It aims at
translating the system requirements specifications into a description of
a solution (through formal and informal models) that satisfies the
requirements in a format that can be implemented.

Design is mainly about how the system operates assuming everything will happen as
expected, i.e. the system succeeds in performing perfectly all its expected functions.

[Figure: Requirements → System Design → Implementation]

Faïda Mhenni - faida.mhenni@supmeca.fr 4


Introduction
• However, during its operation the system can behave differently from
expected:
o when misused (different operational conditions or different uses than what it was
designed for, …)

o because it fails to perform required functions (wear, failure, design errors…)

• This can have undesirable consequences such as damage, injury or
death → There is a mishap risk in using technical systems.

Why are we still using systems despite the inherent mishap risk?
Introduction: Risk Acceptance
• Risk acceptability:
• benefit from the use of technical systems
• balance between frequency of occurrence and severity of
consequences

Q1: How to define an acceptable risk level?
Q2: How to make sure the risk is within acceptable limits?



Introduction
How to define acceptable risk level?
• defined by the user,
• regulations,
• competitors,
• …



Introduction
How to make sure the risk is within acceptable limits?
• Applying system safety during the development of the system.
• System safety is the formal process of identifying and controlling mishap risk.
As systems become more complex and more hazardous, more effort is
required to understand and manage system mishap risk.
o Qualitative safety analysis: identify possible system failures, their rate of occurrence and their
effects in order to perform corrective actions

o Quantitative safety analysis: evaluate the reliability using statistical techniques and methods

• The realistic objective of system safety is that of developing a system with
acceptable mishap risk.
• The goal of system safety is the protection of life, systems, equipment, and
the environment.



Introduction
• System Safety is accomplished by identifying potential hazards,
assessing their risks, and implementing corrective actions to eliminate
or mitigate the identified hazards.

• Implement the safety process early enough, from the conceptual
phase, to avoid design changes late in the design process and thus
reduce development costs and time to market (TTM).

• Identify and classify failure conditions associated with the system by
their severity → establish the safety objectives.

• Hazard mitigation methods are implemented into system design via
system safety requirements (SSRs).



Introduction: Corrective actions
• System safety corrective actions are:
o Preventive (prevent the mishap from happening) by reducing the probability
• Redundant components, reliable components, diagnosis to detect hazards
before producing accidents, …

and/or

o Protective (protecting in case of mishap): reducing the severity of the mishap.
• Airbag, safety belt, …
• Fire-fighting systems, fire containment systems, emergency shut-down systems, …



Exercise
• For each of the following elements (risk reduction measures), indicate
whether it is protective, preventive or both:
o Airbag in a car
(protective, since it prevents the head from hitting the windscreen in the event of an accident)
o Staff evacuation procedures in case of fire
(protective, since its purpose is to protect people after the accident (fire) has
occurred)
o Diagnostic system
(preventive, since it tries to detect and therefore prevent an accident before it
occurs)
o Insuring valuable material goods
(protective, since it reduces the effects (costs incurred) in the event of an accident)



Terminology



Terminology

[Figure: dependability tree; ref: Jean-Claude Laprie]



Terminology - Attributes
• Dependability (sûreté de fonctionnement): delivery of a service that can justifiably
be trusted, thus avoidance of failures that are unacceptably frequent or severe.
• Reliability (fiabilité): ability of an item to perform a required function, under given
environmental and operational conditions and for a stated period of time (ISO8402).
• Availability (disponibilité): ability of an item (under combined aspects of its reliability,
maintainability and maintenance support) to perform its required function at a
stated instant of time or over a stated period of time (BS4778).
• Safety: freedom from those conditions that can cause death, injury, occupational
illness, or damage to or loss of equipment or property (MIL-STD-882D).
• Maintainability (maintenabilité): ability of an item, under stated conditions of use, to
be retained in, or restored to, a state in which it can perform its required functions,
when maintenance is performed under stated conditions and using prescribed
procedures and resources (BS4778).
Reliability, Availability, Safety and Maintainability are often referred to collectively as RAMS.



Terminology - Attributes
• Security: often used in relation to information and computer systems. In
this context, security may be defined as “dependability with respect to
prevention of unauthorized access to and/or handling of information”
(Laprie 1992).
o Availability
o Confidentiality
o Integrity

[Figure: Security & Safety within Dependability; security side: Availability,
Confidentiality, Integrity; safety side: Maintainability, Availability, Reliability]
Terminology - Threats
• Fault: defect within a component. A defect can be native (due to
design or production) or appear progressively (wear). A defect can
also be dormant (no impact on the system behavior yet) or active
(causing an error).
o Example: code error, micro-crack in a mechanical part, …

• Error: activation of a fault.
o Example: execution of the erroneous code, stress on the mechanical part
presenting a micro-crack, …

• Failure: the inability of a system or component to perform a required
function according to its specification.

Fault → Error → Failure



Terminology - Threats
• Example: fault, error and failure sequence of a THSA (trimmable horizontal
stabilizer actuator) over 2 consecutive flights:
o Flight 1:
Fault on the screw (ageing, over-stressing, …) → Screw broken → Degraded
operation of the horizontal stabilizer

o Flight 2:
Rod alone (insufficient to carry the load) → Rod broken → Floating horizontal
stabilizer

[Figure: THSA screw and rod; image source: https://patents.google.com/patent/EP3127805A1/en]



Safety Standards



Aerospace Recommended Practice (ARP)
• ARP4754A: Guidelines For Development Of Civil Aircraft and Systems.

• ARP4761: Guidelines and Methods for Conducting the Safety
Assessment Process on Civil Airborne Systems and Equipment.



ARP 4761 Overview

[Figure: ARP 4761 safety assessment process overview]


ARP 4761 Overview
• Zonal Safety Analysis: Aircraft zones differ in usage,
pressurization, temperature range, exposure to
severe weather and lightning strikes, and the
hazards contained such as ignition sources,
flammable fluids, flammable vapors, or rotating
machines. Accordingly, installation rules differ by
zone. For example, installation requirements for
wiring depend on whether it is installed in a fire
zone, rotor burst zone, or cargo area.
• ZSA includes verification that a system's equipment
and interconnecting wires, cables, and hydraulic
and pneumatic lines are installed in accordance
with defined installation rules and segregation
requirements. ZSA evaluates the potential for
equipment interference. It also considers failure
modes and maintenance errors that could have a
cascading effect on systems.
Source: https://en.wikipedia.org/wiki/Zonal_safety_analysis



IEC 61508 (1/2)
IEC 61508: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems
(E/E/PE, or E/E/PES).

• Class I: Unacceptable in any circumstance;
• Class II: Undesirable: tolerable only if risk reduction is impracticable
or if the costs are grossly disproportionate to the improvement
gained;
• Class III: Tolerable if the cost of risk reduction would exceed the
improvement (ALARP);
• Class IV: Acceptable as it stands, though it may need to be
monitored.
IEC 61508 (2/2)
• Safety Integrity Level (SIL): provides a target to attain with regard to a
system's development. A risk assessment effort yields a target SIL,
which thus becomes a requirement for the final system.



IEC 61508 Industry specific variants
• (Railway) IEC 62279: Railway applications – Communications, signalling
and processing systems – Software for railway control and protection
systems.
• (Automotive) ISO 26262: Road vehicles - Functional safety.
• (Nuclear power plants) IEC 61513: Nuclear power plants -
Instrumentation and control important to safety - General
requirements for systems.
• …



MIL-STD-882E
• Severity Categories



MIL-STD-882E
• Probability levels (qualitative)
When available, the use of appropriate and representative quantitative data that
defines the frequency or rate of occurrence for the hazard is generally preferable to
qualitative analysis.



MIL-STD-882E (2012)
• Risk assessment matrix



Example
• Example: a bicycle brake
The brake is designed, manufactured and installed in order to slow down and stop the
bicycle.
• Accident event 1: the brake does not fulfil its function (does not
brake). A potential cause would be the cable breaking. The
consequence would be the rider falling, with or without injury.

Broken cable → No braking → Fall and injury of the rider

• Accident event 2: the brake parts come loose from the bike and fall
into the wheel spokes, causing the spokes to break and/or injuring the
rider (for instance by being thrown onto them).

Loosening of parts → Parts fall off → Rider injury / Broken wheel spokes

Example
• For the bicycle brake case, which of the accident events below is the
most critical?
o No braking
o Parts falling off

• Answer: No braking; indeed, even though both events can lead to
injury of the rider, braking problems are much more frequent.
Safety Analysis Approaches



Why System safety?
• Why is ensuring system safety vital?
o Potential losses due to compensation to pay to the injured party

o Cost of product recall

o Loss of reputation in the market

o …



System Modeling Approaches
• Inductive Methods: “what happens if …?”
o Reasoning from individual cases to general conclusion → Bottom-up
o Examples: Failure mode and effects analysis (FMEA), HAZard and OPerability
analysis (HAZOP)

• Deductive Methods: “how could it happen?”
o Reasoning from the general to the specific → Top-down
o Examples: Fault tree analysis (FTA), Event tree analysis (ETA), Common cause
failure analysis (CCFA)



Safety Analysis Approaches

• Behavioral safety analysis
o Model checking
o Fault injection simulation
o …

• Compositional safety analysis
o FMEA: Failure Mode Effects Analysis
o FTA: Fault Tree Analysis
o RBD: Reliability Block Diagram
o Markov Chains
o Petri Nets
o …



MBSA
• Motivation: Systems are more complex and more safety critical
o Autonomous systems: UAVs, autonomous vehicles, autonomous flying taxis, …
o Advanced medical devices

→ Need for more rigorous methods → Model-Based

• Objectives: tighter integration between safety assessment and design
artifacts (models)
• Examples:
o HiP-HOPS (Hierarchically Performed Hazard Origin and Propagation Studies)
o AltaRica



MBSA
• Safety Assessment Models can be:
o Defined through extension of the models used in the system development
process (fault injection through failure mode models)

• (+) The key advantage of the model extension approach is consistency, by
construction, of the safety analyses and the ‘real’ design model of the system.

• (-) The use of system models (that are abstractions of the system defined with an
intended goal in mind) may impose undue constraints on the safety assessment,
leading to incomplete analysis results with respect to the real-world behavior of the
system.

• (-) High computational complexity of the extended model.



MBSA
• Safety Assessment Models can be:
o Performed on the basis of dedicated models defined by safety engineers and
obtained through ‘manual’ assessment of the system (component behavior is
characterized primarily as dependency of the outputs on component inputs and
internal malfunctions).

• (+) Models are created for the goal of safety assessment → avoids unnecessary
complexity.

• (-) Losing the provable validity of the safety analysis results with respect to design, and
replacing consistency by construction with some form of traceability between models
in design and safety domains.



Safety Analysis Techniques



Safety Analysis: FMEA
• FMEA: Failure Mode and Effects Analysis
o Bottom-up inductive evaluation technique
o Purpose: determine if design changes are necessary due to unacceptable reliability, safety, or
operation resulting from potential failure modes

• FMECA: Failure Mode, Effects and Criticality Analysis
o Includes information about criticality and detection of the potential failure modes.

[Ericson 2005]



Safety Analysis: FMEA
• The FMEA technique is a qualitative and quantitative analysis method used
for the evaluation of potential failure modes. The FMEA is a technique that
answers a series of questions:
o What can fail? (item)

o How does it fail? (failure mode + cause)

o How frequently will it fail? (Failure rate)

o What are the effects of the failure?

o What is the reliability/safety consequence of the failure?



Safety Analysis: FMEA
• Functional Approach: the functional FMEA is performed on functions.
This approach focuses on ways in which functional objectives of a
system go unsatisfied or are erroneous. The functional approach tends
to be more of a system-level analysis.
• Structural Approach: the structural FMEA is performed on hardware
and focuses on potential hardware failure modes. The structural
approach tends to be a detailed analysis at the component level.
• Hybrid Approach: the hybrid FMEA is a combination of the structural
and the functional approaches. The hybrid approach begins with the
functional analysis of the system and then transitions to a focus on
hardware.



Safety Analysis: FMEA
• FMEA Process

[Figure: FMEA process flow]



Safety Analysis: FMEA
• Failure: the inability of a system, subsystem, or component to perform
its required function.
• Failure Mode: the manner in which the item or operation fails to
meet or deliver the intended function and its requirements.
• Cause: the process or mechanism responsible for initiating the failure.
Includes physical failure, design defects, manufacturing defects,
environmental forces.
• Effect: the consequence of the failure.



Safety Analysis: FMEA
• Detection method: describes how a failure mode or cause is detected
(before resulting in a serious consequence), based on current or
planned actions.
• Current controls: the methods or actions currently planned, or that
are already in place, to reduce or eliminate the risk associated with
each potential cause.
• Recommended Actions: methods for eliminating or mitigating the
effects of the potential failure mode.



Safety Analysis: FMEA
• RPN (Risk priority number) is a numerical ranking of the risk of each
potential failure mode/cause, made up of the arithmetic product of
the three elements: severity of the effect (S), likelihood of occurrence
of the cause (O), and likelihood of detection of the cause (D).
o Severity: rates the severity of the potential effect of the failure.

o Occurrence: rates the likelihood that the failure will occur.

o Detection: rates the likelihood that the problem will be detected before it results
in a mishap.

RPN = S × O × D



Safety Analysis: FMEA
• Functional Failure Modes:
[Figure: five plots of F(t) against t, one per functional failure mode]
Function loss; No function (fails to start); Operates inadvertently; Performs incorrectly; Fails to stop

• Hardware Failure Modes: basic failure categories
o catastrophic: complete failure
• resistor: fails open or fails shorted
o partial / out-of-tolerance: the component is functional but not within specified
operating boundaries
• resistor: too low resistance, too high resistance
o intermittent failure



Safety Analysis: FMEA
• For each item (subsystem, assembly, component, or function), identify
the potential failure modes and evaluate their effect(s).
• Severity (of system Effect) and probability (failure rate) evaluation of
failure modes provides a prioritized list for corrective actions
• Document the analysis and capture recommended design changes.
• FMEA has the capability to include failure rates for each failure mode
in order to achieve a quantitative probabilistic analysis.



Example of severity ranking
Effect | Severity of the Effect | Ranking
Hazardous without warning | Affects safe vehicle operation and/or involves non-compliance with government regulations without warning | 10
Hazardous with warning | Affects safe vehicle operation and/or involves non-compliance with government regulations with warning | 9
Very High | Vehicle/item inoperable with loss of primary function | 8
High | Vehicle/item operable but at reduced level of performance. Customer dissatisfied | 7
Moderate | Vehicle/item operable but comfort/convenience item inoperable. Customer experiences discomfort | 6
Low | Vehicle/item operable but comfort/convenience item operable but at reduced level of performance. Customer experiences some dissatisfaction | 5
Very Low | Fit & Finish/Squeak & Rattle item does not conform. Defect noticed by most customers | 4
Minor | Fit & Finish/Squeak & Rattle item does not conform. Defect noticed by average customer | 3
Very Minor | Fit & Finish/Squeak & Rattle item does not conform. Defect noticed by discriminating customers | 2
None | No effect | 1
Example of occurrence probability ranking
Probability of Failure | Possible Failure Rates | Ranking
Very High: failure is almost inevitable | >= 1 in 2 | 10
Very High: failure is almost inevitable | 1 in 3 | 9
High: repeated failures | 1 in 8 | 8
High: repeated failures | 1 in 20 | 7
Moderate: occasional failures | 1 in 80 | 6
Moderate: occasional failures | 1 in 400 | 5
Moderate: occasional failures | 1 in 2,000 | 4
Low: relatively few failures | 1 in 15,000 | 3
Low: relatively few failures | 1 in 150,000 | 2
Remote: failure is unlikely | <= 1 in 1,500,000 | 1



Example of detection ranking
Effect | Likelihood of detection by Design Control | Ranking
Absolute Uncertainty | Design control will not and/or cannot detect a potential cause/mechanism and subsequent failure mode, or there is no Design Control | 10
Very Remote | Very remote chance the Design Control will detect a potential cause/mechanism and subsequent failure mode | 9
Remote | Remote chance the Design Control will detect a potential cause/mechanism and subsequent failure mode | 8
Very Low | Very low chance the Design Control will detect a potential cause/mechanism and subsequent failure mode | 7
Low | Low chance the Design Control will detect a potential cause/mechanism and subsequent failure mode | 6
Moderate | Moderate chance the Design Control will detect a potential cause/mechanism and subsequent failure mode | 5
Moderately High | Moderately high chance the Design Control will detect a potential cause/mechanism and subsequent failure mode | 4
High | High chance the Design Control will detect a potential cause/mechanism and subsequent failure mode | 3
Very High | Very high chance the Design Control will detect a potential cause/mechanism and subsequent failure mode | 2
Almost Certain | Design Control will almost certainly detect a potential cause/mechanism and subsequent failure mode | 1



Safety Analysis: FMEA
• Which of the following failure modes is most critical?
o Failure Mode 1:
• Severity: Hazardous without warning (10);
• Occurrence: Low (3);
• Detection: High (3)

o Failure Mode 2:
• Severity: Minor (3);
• Occurrence: Low (3);
• Detection: High (10)

Is RPN sufficient?
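The RPN definition (RPN = S × O × D) and the "Is RPN sufficient?" exercise above, worked in Python as an added example that is not code from the lecture. The S/O/D values are those of the two failure modes on the slide; the item names are constructed placeholders. Two choices are the example's own, not part of the slide: failure rates that fall between rows of the occurrence table round down to the lower rank, and failure modes with equal RPN are ordered by severity first.

```python
"""FMEA risk priority number (RPN) worksheet.

Added example, not code from the lecture: computes RPN = S x O x D for a
list of failure modes, orders them for corrective action, and reproduces the
two failure modes of the "Is RPN sufficient?" exercise, whose RPNs tie at 90
although only one of them is "Hazardous without warning".
"""
from dataclasses import dataclass

# Occurrence thresholds from the lecture's example occurrence table, most
# frequent first: a failure probability at or above a row's rate gets that
# row's rank. Rates between rows round down to the rank of the next lower
# row, and rates below 1 in 150,000 get rank 1. That rounding rule is an
# interpretation chosen for this example, not stated on the slide.
OCCURRENCE_TABLE = [
    (1 / 2, 10),
    (1 / 3, 9),
    (1 / 8, 8),
    (1 / 20, 7),
    (1 / 80, 6),
    (1 / 400, 5),
    (1 / 2_000, 4),
    (1 / 15_000, 3),
    (1 / 150_000, 2),
]


def occurrence_rank(probability: float) -> int:
    """Map a per-demand failure probability to the 1..10 occurrence rank O."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"probability must be in [0, 1], got {probability}")
    for rate, rank in OCCURRENCE_TABLE:
        if probability >= rate:
            return rank
    return 1  # Remote: failure is unlikely


@dataclass(frozen=True)
class FailureMode:
    """One row of an FMEA worksheet, reduced to the three RPN factors."""
    item: str
    mode: str
    severity: int    # S: 1 (no effect) .. 10 (hazardous without warning)
    occurrence: int  # O: 1 (remote) .. 10 (almost inevitable)
    detection: int   # D: 1 (almost certain detection) .. 10 (cannot detect)

    def rpn(self) -> int:
        """RPN = S x O x D, with each factor checked against the 1..10 scale."""
        for name, value in (("S", self.severity), ("O", self.occurrence), ("D", self.detection)):
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be in 1..10, got {value}")
        return self.severity * self.occurrence * self.detection


def prioritize(modes):
    """Order failure modes for corrective action, highest priority first.

    The primary key is the RPN. Because RPN is a plain product, a hazardous
    but detectable mode and a minor but undetectable mode can tie; the
    secondary key therefore puts the higher severity first, then the higher
    occurrence. Breaking ties on S is a refinement added in this example,
    not part of the RPN definition on the slide.
    """
    return sorted(modes, key=lambda m: (m.rpn(), m.severity, m.occurrence), reverse=True)


# The two failure modes of the exercise; S/O/D values are the slide's, the
# item names are constructed placeholders.
EXERCISE = [
    FailureMode("item A", "Failure Mode 1", severity=10, occurrence=3, detection=3),
    FailureMode("item B", "Failure Mode 2", severity=3, occurrence=3, detection=10),
]


def exercise_summary():
    """Return (mode, RPN, S) triples in corrective-action order."""
    return [(m.mode, m.rpn(), m.severity) for m in prioritize(EXERCISE)]


if __name__ == "__main__":
    for mode, rpn, severity in exercise_summary():
        print(f"{mode}: RPN = {rpn} (S = {severity})")
```

Both failure modes come out with RPN = 90, which is the point of the exercise: the product hides that one of them is hazardous without warning. The severity tie-break in `prioritize` is one way to keep such a mode at the top of the corrective-action list; the risk assessment matrix of MIL-STD-882E, which rates severity and probability separately instead of multiplying them, is another.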



Safety Analysis: FMEA
• Different possible sheets

[Figure: examples of FMEA worksheet layouts]



Safety Analysis: FMEA
• Requires a detailed understanding of the system design and
operation
• (-) FMEA techniques focus on failure modes and can therefore miss or
overlook certain hazards
• (-) FMEA is limited because it considers only single item failures and
not the combination of failures



Safety Analysis: FMEA – Example 1
• Missile Battery:
o Is inactive and inert until activated by a pyrotechnic squib
o The electrolyte is separated from the battery plates by a frangible membrane
o When battery power is desired, the squib is fired to break the membrane, and
the released electrolyte energizes the battery.

[Figure: missile battery with labelled parts: case (boîtier), squib/initiator (amorceur),
plates and terminals (plaques et cosses)]


Safety Analysis: FMEA – Example 1
Component | Failure Mode | Causal Factors | Immediate Effect | System Effect | Detection Method | Hazard | Risk | Recommended Actions
Case | Cracks | Manufacturing defect | Electrolyte leakage | No output from battery | Inspection | Fire source | 2D | Add system sensor
Case | Pinhole | Material defect | Electrolyte leakage | No output from battery | Inspection | Fire source | 2E | Add system sensor
Electrolyte | (row not filled in on the slide)
Battery plates and terminals | (row not filled in on the slide)
Membrane | (row not filled in on the slide)
Squib | (row not filled in on the slide)


The End

