Analysis techniques for system reliability - Procedure for failure mode and effects analysis (FMEA)

This International Standard describes Failure Mode and Effects Analysis (FMEA) and Failure Mode, Effects and Criticality Analysis (FMECA), and gives guidance as to how they may be applied to achieve various objectives by: providing the procedural steps necessary to perform analysis; identifying appropriate terms; defining basic principles; providing examples of the necessary worksheets or other tabular forms.

This International Standard describes Failure Mode and Effects Analysis (FMEA) and Failure Mode, Effects and Criticality Analysis (FMECA), and gives guidance on how these methods may be applied to achieve various objectives, by: providing the procedure to be followed to perform an analysis; specifying the relevant terms, assumptions, criticality measures and failure modes; defining the basic principles; and providing examples of the necessary worksheets and tables.

Analysis techniques for system reliability – Procedure for failure mode and effects analysis (FMEA) (IEC 60812:2006)

General Information

Status: Withdrawn
Publication Date: 16-May-2006
Withdrawal Date: 28-Feb-2009
Technical Committee: CLC/SR 56 - Dependability
Drafting Committee: IEC/TC 56 - IEC_TC_56
Parallel Committee: IEC/TC 56 - IEC_TC_56
Current Stage: 9960 - Withdrawal effective - Withdrawal
Start Date: 14-Sep-2021
Completion Date: 14-Sep-2021

Relations

Effective Date: 29-Jan-2023
Effective Date: 07-Jun-2022


Frequently Asked Questions

EN 60812:2006 is a standard published by CLC. Its full title is "Analysis techniques for system reliability - Procedure for failure mode and effects analysis (FMEA)". Its scope is as follows: this International Standard describes Failure Mode and Effects Analysis (FMEA) and Failure Mode, Effects and Criticality Analysis (FMECA), and gives guidance as to how they may be applied to achieve various objectives by: providing the procedural steps necessary to perform analysis; identifying appropriate terms; defining basic principles; providing examples of the necessary worksheets or other tabular forms.


EN 60812:2006 is classified under the following ICS (International Classification for Standards) categories: 03.120.01 - Quality in general; 03.120.30 - Application of statistical methods; 21.020 - Characteristics and design of machines, apparatus, equipment. The ICS classification helps identify the subject area and facilitates finding related standards.

EN 60812:2006 has the following relationships with other standards: it has inter-standard links to HD 485 S1:1987 and EN IEC 60812:2018. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.


Standards Content (Sample)


SLOVENIAN STANDARD
1 January 2007
Replaces SIST HD 485 S1:2004
Analysis techniques for system reliability – Procedure for failure mode and effects analysis (FMEA) (IEC 60812:2006)
This Slovenian standard is identical to: EN 60812:2006
ICS: 21.020 Characteristics and design of machines, apparatus, equipment
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.

EUROPEAN STANDARD EN 60812
May 2006
ICS 03.120.01; 03.120.30; 21.020 Supersedes HD 485 S1:1987

English version
Analysis techniques for system reliability –
Procedure for failure mode and effects analysis (FMEA)
(IEC 60812:2006)

This European Standard was approved by CENELEC on 2006-03-01. CENELEC members are bound to comply
with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard
the status of a national standard without any alteration.

Up-to-date lists and bibliographical references concerning such national standards may be obtained on
application to the Central Secretariat or to any CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other
language made by translation under the responsibility of a CENELEC member into its own language and notified
to the Central Secretariat has the same status as the official versions.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Cyprus, the Czech
Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain,
Sweden, Switzerland and the United Kingdom.

CENELEC
European Committee for Electrotechnical Standardization

Central Secretariat: rue de Stassart 35, B - 1050 Brussels

© 2006 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. EN 60812:2006 E
Foreword
The text of document 56/1072/FDIS, future edition 2 of IEC 60812, prepared by IEC TC 56,
Dependability, was submitted to the IEC-CENELEC parallel vote and was approved by CENELEC as
EN 60812 on 2006-03-01.
This European Standard supersedes HD 485 S1:1987.
The main changes from HD 485 S1:1987 are as follows:
– introduction of the failure modes effects and criticality concepts;
– inclusion of the methods used widely in the automotive industry;
– added references and relationships to other failure modes analysis methods;
– added examples;
– guidance on advantages and disadvantages of different FMEA methods.
The following dates were fixed:
– latest date by which the EN has to be implemented at national level by publication of an identical national standard or by endorsement (dop): 2006-12-01
– latest date by which the national standards conflicting with the EN have to be withdrawn (dow): 2009-03-01
Annex ZA has been added by CENELEC.
__________
Endorsement notice
The text of the International Standard IEC 60812:2006 was approved by CENELEC as a European
Standard without any modification.
In the official version, for Bibliography, the following notes have to be added for the standards indicated:
IEC 60300-1 NOTE Harmonized as EN 60300-1:2003 (not modified).
IEC 60300-2 NOTE Harmonized as EN 60300-2:2004 (not modified).
IEC 61160 NOTE Harmonized as EN 61160:2005 (not modified).
ISO 9000 NOTE Harmonized as EN ISO 9000:2000 (not modified).
__________
- 3 - EN 60812:2006
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications

The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.

NOTE  When an international publication has been modified by common modifications, indicated by (mod), the relevant EN/HD
applies.
Publication (Year): Title. Corresponding EN/HD (Year)
IEC 60300-3-1 (2003): Dependability management – Part 3-1: Application guide – Analysis techniques for dependability – Guide on methodology. Corresponds to EN 60300-3-1 (2004).
IEC 61025 1) 2): Fault tree analysis (FTA). Corresponds to HD 617 S1 (1992).
IEC 61078 1) 2): Analysis techniques for dependability – Reliability block diagram and Boolean methods. Corresponds to EN 61078 (2006).
1) Undated reference.
2) Valid edition at date of issue.

INTERNATIONAL STANDARD IEC 60812
Second edition
2006-01
Analysis techniques for system reliability –
Procedure for failure mode and effects analysis (FMEA)
© IEC 2006 Copyright - all rights reserved
No part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical,
including photocopying and microfilm, without permission in writing from the publisher.
International Electrotechnical Commission, 3, rue de Varembé, PO Box 131, CH-1211 Geneva 20, Switzerland
Telephone: +41 22 919 02 11 Telefax: +41 22 919 03 00 E-mail: inmail@iec.ch Web: www.iec.ch
PRICE CODE X
International Electrotechnical Commission
For price, see current catalogue

60812  IEC:2006 – 3 –
CONTENTS
FOREWORD (p. 7)

1 Scope (p. 11)
2 Normative references (p. 11)
3 Terms and definitions (p. 11)
4 Overview (p. 15)
4.1 Introduction (p. 15)
4.2 Purpose and objectives of the analysis (p. 17)
5 Failure modes and effects analysis (p. 19)
5.1 General considerations (p. 19)
5.2 Preliminary tasks (p. 21)
5.3 Failure mode, effects, and criticality analysis (FMECA) (p. 41)
5.4 Report of analysis (p. 55)
6 Other considerations (p. 59)
6.1 Common-cause failures (p. 59)
6.2 Human factors (p. 59)
6.3 Software errors (p. 61)
6.4 FMEA regarding consequences of system failure (p. 61)
7 Applications (p. 61)
7.1 Use of FMEA/FMECA (p. 61)
7.2 Benefits of FMEA (p. 65)
7.3 Limitations and deficiencies of FMEA (p. 65)
7.4 Relationships with other methods (p. 67)

Annex A (informative) Summary of procedures for FMEA and FMECA (p. 71)
Annex B (informative) Examples of analyses (p. 79)

Bibliography (p. 93)

Figure 1 – Relationship between failure modes and failure effects in a system hierarchy (p. 25)
Figure 2 – Analysis flowchart (p. 39)
Figure 3 – Criticality matrix (p. 47)
Figure A.1 – Example of the format of an FMEA worksheet (p. 77)
Figure B.1 – FMEA for a part of automotive electronics with RPN calculation (p. 81)
Figure B.2 – Diagram of subsystems of a motor generator set (p. 83)
Figure B.3 – Diagram of enclosure heating, ventilation and cooling systems (p. 85)
Figure B.4 – FMEA for sub-system 20 (p. 87)
Figure B.5 – Part of a process FMECA for machined aluminium casting (p. 91)

Table 1 – Example of a set of general failure modes (p. 29)
Table 2 – Illustrative example of a severity classification for end effects (p. 35)
Table 3 – Risk/criticality matrix (p. 49)
Table 4 – Failure mode severity (p. 51)
Table 5 – Failure mode occurrence related to frequency and probability of occurrence (p. 51)
Table 6 – Failure mode detection evaluation criteria (p. 53)
Table 7 – Example of a set of failure effects (for a motor vehicle starter) (p. 57)
Table 8 – Example of a failure effects probability (p. 57)
Table B.1 – Definition and classification of the severity of the effects of failures on the complete M-G system (p. 83)

INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
ANALYSIS TECHNIQUES FOR SYSTEM RELIABILITY –
PROCEDURE FOR FAILURE MODE
AND EFFECTS ANALYSIS (FMEA)
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with an IEC Publication.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 60812 has been prepared by IEC technical committee 56:
Dependability.
This second edition cancels and replaces the first edition published in 1985 and constitutes a
technical revision.
The main changes from the previous edition are as follows:
– introduction of the failure modes effects and criticality concepts;
– inclusion of the methods used widely in the automotive industry;
– added references and relationships to other failure modes analysis methods;
– added examples;
– provided guidance of advantages and disadvantages of different FMEA methods.

The text of this standard is based on the following documents:
FDIS: 56/1072/FDIS
Report on voting: 56/1091/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
The committee has decided that the contents of this publication will remain unchanged until
the maintenance result date indicated on the IEC web site under "http://webstore.iec.ch" in
the data related to the specific publication. At this date, the publication will be
• reconfirmed;
• withdrawn;
• replaced by a revised edition, or
• amended.
1 Scope
This International Standard describes Failure Mode and Effects Analysis (FMEA) and Failure
Mode, Effects and Criticality Analysis (FMECA), and gives guidance as to how they may be
applied to achieve various objectives by
− providing the procedural steps necessary to perform an analysis;
− identifying appropriate terms, assumptions, criticality measures, failure modes;
− defining basic principles;
− providing examples of the necessary worksheets or other tabular forms.
All the general qualitative considerations presented for FMEA will apply to FMECA, since the
latter is an extension of the other.
2 Normative references
The following referenced documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the latest edition
of the referenced document (including any amendments) applies.
IEC 60300-3-1:2003, Dependability management – Part 3-1: Application guide – Analysis
techniques for dependability – Guide on methodology
IEC 61025, Fault tree analysis (FTA)
IEC 61078, Analysis techniques for dependability – Reliability block diagram method
3 Terms and definitions
For the purposes of this document, the following definitions apply.
3.1
item
any part, component, device, subsystem, functional unit, equipment or system that can be
individually considered
NOTE 1 An item may consist of hardware, software or both, and may also in particular cases include people.
NOTE 2 A number of items, e.g. a population of items or a sample, may itself be considered as an item.
[IEV 191-01-01]
A process can also be defined as an item which carries out a predetermined function and for
which a process FMEA or FMECA is carried out. Normally, a hardware FMEA does not
address people and their interactions with hardware/software, while a process FMEA normally
includes actions of people.
3.2
failure
termination of the ability of an item to perform a required function
[IEV 191-04-01]
3.3
fault
state of an item characterized by the inability to perform a required function, excluding the
inability during preventive maintenance or other planned actions, or due to lack of external
resources
NOTE 1 A fault is often the result of a failure of the item itself, but may exist without prior failure.
[IEV 191-05-01]
NOTE 2 In this document “fault” is used interchangeably with the term “failure” for historical reasons.
3.4
failure effect
consequence of a failure mode in terms of the operation, function or status of the item
3.5
failure mode
manner in which an item fails
3.6
failure criticality
combination of the severity of an effect and the frequency of its occurrence or other attributes
of a failure as a measure of the need for addressing and mitigation
3.7
system
set of interrelated or interacting elements
NOTE 1 In the context of dependability, a system will have
a) defined purposes expressed in terms of required functions;
b) stated conditions of operation use (see 191-01-12);
c) a defined boundary.
NOTE 2 The structure of a system is hierarchical.
[ISO 9000:2000]
3.8
failure severity
significance or grading of the failure mode’s effect on item operation, on the item surrounding,
or on the item operator; failure mode effect severity as related to the defined boundaries of
the analysed system
4 Overview
4.1 Introduction
Failure Modes and Effect Analysis (FMEA) is a systematic procedure for the analysis of a
system to identify the potential failure modes, their causes and effects on system performance
(performance of the immediate assembly and the entire system or a process). Here, the term
system is used as a representation of hardware, software (with their interaction) or a process.
The analysis is preferably performed early in the development cycle, so that removal or
mitigation of the failure mode is most cost effective. This analysis can be initiated as soon as
the system is defined well enough to be presented as a functional block diagram in which the
performance of its elements can be defined.
FMEA timing is essential; if done early enough in the development cycle, then incorporating
the design changes to overcome deficiencies identified by the FMEA may be cost effective. It
is therefore important that the FMEA task and its deliverables be incorporated into the
development plan and schedule. Thus, FMEA is an iterative process that takes place
concurrently with the design process.
FMEA is applicable at various levels of system decomposition from the highest level of block
diagram down to the functions of discrete components or software commands. The FMEA is
also an iterative process that is updated as the design develops. Design changes will require
that relevant parts of the FMEA be reviewed and updated.
A thorough FMEA is the result of a team composed of individuals qualified to recognize and
assess the magnitude and consequences of various types of potential inadequacies in the
product design that might lead to failures. The advantage of team work is that it stimulates
the thought process and ensures that the necessary expertise is available.
FMEA is considered to be a method to identify the severity of potential failure modes and to
provide an input to mitigating measures to reduce risk. In some applications however, FMEA
also includes an estimation of the probability of occurrence of the failure modes. This
enhances the analysis by providing a measure of the failure mode’s likelihood.
Application of FMEA is preceded by a hierarchical decomposition of the system (hardware
with software, or a process) into its more basic elements. It is useful to employ simple block
diagrams to illustrate this decomposition (IEC 61078). The analysis then starts with lowest
level elements. A failure mode effect at a lower level may then become a failure cause of a
failure mode of an item in the next higher level. The analysis proceeds in a bottom-up fashion
until the end effect on the system is identified. Figure 1 illustrates this relationship.
FMECA (Failure Modes, Effects and Criticality Analysis) is an extension to the FMEA to
include a means of ranking the severity of the failure modes to allow prioritization of
countermeasures. This is done by combining the severity measure and frequency of
occurrence to produce a metric called criticality.
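The bottom-up propagation of Figure 1 and the severity-times-occurrence criticality of FMECA can be worked through on a small constructed hierarchy. The following Python is an added example and is not part of IEC 60812 or of any FMEA tool: the items (fan, thermostat, cooling subsystem, enclosure), their failure modes, and the 1-to-10 severity and occurrence scales are all constructed for illustration, and the rule that a lowest-level mode is rated by the severity of its end effect at the system boundary follows definition 3.8.

```python
"""Added example: toy FMEA/FMECA worksheet with bottom-up effect propagation.
Not from IEC 60812. Items, modes and ratings are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class FailureMode:
    item: str                         # the item (3.1) that exhibits the mode
    mode: str                         # manner in which the item fails (3.5)
    effect: str                       # consequence at this item's own level (3.4)
    severity: int                     # severity of `effect`, constructed 1..10 scale
    occurrence: Optional[int] = None  # constructed 1..10 scale; rated only for
                                      # lowest-level ("basic") modes
    caused_by: List[str] = field(default_factory=list)  # ids of lower-level modes


# Constructed three-level hierarchy: component -> subsystem -> system.
# A lower-level mode's effect becomes the cause of the next-higher mode (Figure 1).
MODES: Dict[str, FailureMode] = {
    "fan/seized":         FailureMode("fan", "seized rotor", "no airflow", 3, 3),
    "fan/low-speed":      FailureMode("fan", "runs slow", "reduced airflow", 2, 4),
    "thermostat/open":    FailureMode("thermostat", "contact stuck open",
                                      "fan never switched on", 3, 2),
    "cooling/loss":       FailureMode("cooling subsystem", "loss of cooling",
                                      "enclosure heats up", 6,
                                      caused_by=["fan/seized", "thermostat/open"]),
    "cooling/degraded":   FailureMode("cooling subsystem", "degraded cooling",
                                      "enclosure runs warm", 4,
                                      caused_by=["fan/low-speed"]),
    "enclosure/shutdown": FailureMode("enclosure", "over-temperature trip",
                                      "system unavailable", 8,
                                      caused_by=["cooling/loss"]),
    "enclosure/derated":  FailureMode("enclosure", "thermal derating",
                                      "reduced throughput", 5,
                                      caused_by=["cooling/degraded"]),
}


def _parent_index(modes: Dict[str, FailureMode]) -> Dict[str, str]:
    """Invert caused_by: lower-level mode id -> the higher-level mode it feeds.
    Each mode is treated independently (4.1), so in this model a mode feeds
    exactly one higher-level mode; anything else is a worksheet entry error."""
    parents: Dict[str, str] = {}
    for higher, fm in modes.items():
        for lower in fm.caused_by:
            if lower not in modes:
                raise KeyError(f"{higher} cites unknown cause {lower}")
            if lower in parents:
                raise ValueError(f"{lower} would feed two higher-level modes")
            parents[lower] = higher
    return parents


def effect_chain(mode_id: str, modes: Dict[str, FailureMode] = MODES) -> List[str]:
    """Bottom-up walk from a mode to the end effect at the top of the hierarchy."""
    parents = _parent_index(modes)
    chain = [mode_id]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
        if len(chain) > len(modes):      # guard against a mis-entered cycle
            raise ValueError("cause/effect cycle in worksheet")
    return chain


def end_effect(mode_id: str, modes: Dict[str, FailureMode] = MODES) -> str:
    """The effect on the system as a whole that the given mode finally produces."""
    return modes[effect_chain(mode_id, modes)[-1]].effect


def criticality(mode_id: str, modes: Dict[str, FailureMode] = MODES) -> int:
    """FMECA criticality of a basic mode: severity of its END effect (the effect
    as seen at the boundary of the analysed system, 3.8) times its occurrence."""
    fm = modes[mode_id]
    if fm.occurrence is None:
        raise ValueError(f"{mode_id} is not a basic mode; rate its causes instead")
    return modes[effect_chain(mode_id, modes)[-1]].severity * fm.occurrence


def ranked_basic_modes(modes: Dict[str, FailureMode] = MODES) -> List[Tuple[str, int]]:
    """Basic modes in descending criticality, the order for prioritising countermeasures."""
    basic = [m for m, fm in modes.items() if fm.occurrence is not None]
    return sorted(((m, criticality(m, modes)) for m in basic),
                  key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    for mode_id, crit in ranked_basic_modes():
        print(f"{crit:3d}  {mode_id:18s} -> {' -> '.join(effect_chain(mode_id))}")
```

In line with 4.1, each mode is propagated on its own: a higher-level mode reached through two lower-level causes appears once per cause in the ranking, and combinations or sequences of modes are deliberately outside what this worksheet model expresses (that is the territory of fault tree analysis, IEC 61025).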
The principles of an FMEA may be applied outside of engineering design. The FMEA procedure
can be applied to a manufacturing or any other work process, such as in hospitals, medical
laboratories, school systems, or others. When FMEA is applied to a manufacturing process,
this procedure is known in industry as the Process FMEA, or PFMEA. For an FMEA to be
effective, adequate resources for team work have to be committed. A thorough
understanding of the system under analysis may not be essential for a preliminary FMEA.
As the design develops, a detailed failure mode analysis requires thorough knowledge of
the design performance and its specifications. Complex engineering designs usually require
the involvement of multiple areas of design expertise (e.g. mechanical engineering, electrical
engineering, systems engineering, software engineering, maintenance support, etc.).
FMEA generally deals with individual failure modes and the effect of these failure modes on
the system. Each failure mode is treated as independent. The procedure is therefore
unsuitable for consideration of dependent failures or failures resulting from a sequence of
events. To analyse these situations other methods and techniques, such as Markov analysis
(see IEC 61165) or fault tree analysis (see IEC 61025), may be required.
In determining the impact of a failure, one must consider induced (resultant) failures at
higher levels and possibly induced failures at the same level. The analysis should indicate,
wherever possible, the combination of failure modes or their sequence that was the cause of a
higher-level effect. In that case additional modelling is required to estimate the magnitude or
probability of occurrence of such an effect.
FMEA is a flexible tool that can be tailored to meet specific industry or product needs.
Specialized worksheets requiring specific entries may be adapted for certain applications. If
severity levels of failure modes are defined, they may be defined differently for different
systems or different system levels.
4.2 Purpose and objectives of the analysis
The reasons for undertaking Failure Mode Effects Analysis (FMEA) or Failure Mode Effects
and Criticality Analysis (FMECA) may include the following:
a) to identify those failures which have unwanted effects on system operation, e.g. preclude
or significantly degrade operation or affect the safety of the user;
b) to satisfy contractual requirements of a customer, as applicable;
c) to allow improvements of the system’s reliability or safety (e.g. by design modifications or
quality assurance actions);
d) to allow improvement of the system’s maintainability (by highlighting areas of risk or
nonconformity for maintainability).
In view of the above reasons for undertaking an FMEA effort, the objectives of an FMEA (or
FMECA) may include the following:
a) a comprehensive identification and evaluation of all the unwanted effects within the
defined boundaries of the system being analysed, and the sequences of events brought
about by each identified item failure mode, from whatever cause, at various levels of the
system’s functional hierarchy;
b) the determination of the criticality or priority for addressing/mitigation (see Clause 6) of
each failure mode with respect to the system’s correct function or performance and the
impact on the process concerned;

c) a classification of identified failure modes according to relevant characteristics, including
their ease of detection, capability to be diagnosed, testability, compensating and operating
provisions (repair, maintenance, logistics, etc.);
d) identification of system functional failures and estimation of measures of the severity and
probability of failure;
e) development of design improvement plan for mitigation of failure modes;
f) support the development of an effective maintenance plan to mitigate or reduce likelihood
of failure (see IEC 60300-3-11).
NOTE When criticality or probability of occurrence is addressed, the comments regard FMECA methodology.
5 Failure modes and effects analysis
5.1 General considerations
Traditionally there have been wide variations in the manner in which FMEA is conducted and
presented. The analysis is usually done by identifying the failure modes, their respective
causes and immediate and final effects. The analytical results can be presented on a
worksheet that contains a core of essential information for the entire system and details
developed for that specific system. It shows the ways the system could potentially fail, the
components and their failure modes that would be the cause of system failure, and the
cause(s) of occurrence of each individual failure mode.
The FMEA effort applied to complex products may be very extensive. This effort may
sometimes be reduced by bearing in mind that the design of some subassemblies or their parts
may not be entirely new, and by identifying parts of the product design that are a repetition or a
modification of a previous product design. The newly constructed FMEA should use
information on those existing subassemblies to the highest possible extent. It must also point
to the need for eventual test or full analysis of the new features and items. Once a detailed
FMEA is created for one design, it can be updated and improved for the succeeding
generations of that design, which requires significantly less effort than an entirely new
analysis.
When using an existing FMEA from a previous product version, it is essential to make sure
that the repeated design is indeed used in the same manner and under the same stresses as
the previous design. The new operational or environmental stresses may require review of the
previously completed FMEA. Different environmental and operational stresses may require an
entirely new FMEA to be created in view of the new operational conditions.
The FMEA procedure consists of the following four main stages:
a) establishment of the basic ground rules for the FMEA and planning and scheduling to
ensure that the time and expertise is available to do the analysis;
b) executing the FMEA using the appropriate worksheet or other means such as logic
diagrams or fault trees;
c) summarizing and reporting of the analysis to include any conclusions and
recommendations made;
d) updating the FMEA as the development activity progresses.

5.2 Preliminary tasks
5.2.1 Planning for the analysis
FMEA activities, follow up activities, procedures, relationship with other reliability activities,
processes for management of corrective actions and for their closure, and milestones, should
be integrated into the overall program plan.
The reliability program plan should describe the FMEA analysis method to be used. This
description may be a summary description or a reference to a source document containing the
method description.
This plan should contain the following points.
− clear definition of the specific purposes of the analysis and expected results;
− the scope of the present analysis in terms of how the FMEA should focus on certain
design elements. The scope should reflect the design maturity, elements of the design
that may be considered to be a risk because they perform a critical function or because of
immaturity of the technology used;
− description of how the present analysis supports the overall project dependability;
− identified measures used for control of the FMEA revisions and the relevant
documentation. Revision control of the analysis documents and worksheets and archive
methods should be specified;
− participation of design experts in the analysis so that they are available when needed;
− key project schedule milestones clearly marked to ensure the analysis is executed in a
timely manner;
− manner of closure of all actions identified in the process of mitigation of identified failure
modes that need to be addressed.
The plan should reflect the consensus of all participants and should be approved by project
management. Final review of the completed FMEA in the final stage of the design of a product
or its manufacturing process (process FMEA) identifies all of the recorded actions for
mitigation of failure modes of concern and the manner of their closure.
5.2.2 System structure
5.2.2.1 Information on system structure
The following items need to be included into the information on system structure:
a) different system elements with their characteristics, performances, roles and functions;
b) logical connections between elements;
c) redundancy level and nature of the redundancies;
d) position and importance of the system within the whole facility (if possible);
e) inputs and outputs of the system;
f) changes in system structure for varying operational modes.
Information pertaining to functions, characteristics and performances is required for all
system levels considered, up to the highest level, so that the FMEA can properly address failure
modes that preclude any of those functions.

60812  IEC:2006 – 23 –
5.2.2.2 Defining system boundary for the analysis
The system boundary forms the physical and functional interface between the system and its
environment, including other systems with which the analysed system interacts. The definition
of the system boundary for the analysis should correspond to the boundary as defined for
design and maintenance. This should apply to a system at any level. Systems and/or
components outside the boundaries should explicitly be defined for exclusion.
The definition of the system boundary is more likely to be influenced by design, intended use,
source of supply, or commercial criteria rather than the optimum requirements of the FMEA.
However, where it is possible to define the boundaries to facilitate the system FMEA and its
integration with other related studies in the programme, such action is preferable. This is
especially so if the system is functionally complex with multiple interconnections between
items within the boundary and multiple outputs crossing the boundary. In such cases it could
be advantageous to define a study boundary from functional rather than hardware and
software point of view to limit the number of input and output links to other systems. This
would tend to reduce the number of system failure effects.
Care should be taken to ensure that other systems or components outside the boundaries of
the subject system are not forgotten, by explicitly stating that they are excluded from the
particular study.
5.2.2.3 Levels of analysis
It is important to determine the indenture level in the system that will be used for the analysis.
For example, systems can be broken down by function or into subsystems, replaceable units,
or individual components (see Figure 1). Ground rules for selecting the system indenture
levels for analysis depend on the results desired and the availability of design information.
The following guidelines are useful.
a) The highest level within the system is selected from the design concept and specified
output requirements.
b) The lowest level within the system at which the analysis is effective is that level for which
information is available to establish definition and description of functions. The selection
of the appropriate system level is influenced by previous experience. Less detailed
analysis may be justified for a system based on a mature design, with a good reliability,
maintainability and safety record. Conversely, greater detail and a correspondingly lower
system level are indicated for any newly designed system or a system with unknown
reliability history.
c) The specified or intended maintenance and repair level may be a valuable guide in
determining lower system levels.

[Figure 1: diagram not reproduced in this extraction. It shows one chain through the
indenture levels: the System contains Subsystems 1 to 5; Subsystem 4 contains Modules 1
to 4; Module 3 contains Parts 1 to 5; Part 2 has failure Modes 1 to 3; Mode 3 of Part 2
has Causes 1 to 3. Read from the bottom up, Causes 1 to 3 of Part 2 have the occurrence
of failure mode 3 as their effect; Part 2 failure is a Module 3 failure cause; Module 3
failure is a Subsystem 4 failure cause; Subsystem 4 failure is a System failure cause.]
Figure 1 – Relationship between failure modes and failure effects in a system hierarchy
In the FMEA, the definitions of failure modes, failure causes and failure effects depend on the
level of analysis and on the system failure criteria. As the analysis progresses, the failure
effects identified at the lower level become failure modes at the higher level, and the failure
modes at the lower level become the failure causes at the higher level, and so on.
When a system is broken down into its elements, one or more failure causes produce a failure
mode of a part; that failure mode is in turn the cause of the higher-level effect, the part
failure. The part failure is then the cause of a module failure (effect), which is itself a
cause of a subsystem failure. The effect of a cause at one system level thus becomes a cause
of an effect at the next higher level. This rationale is shown in Figure 1.
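As an added illustration, not part of IEC 60812, the following Python model walks the
cause/mode/effect chain of Figure 1 through an indenture hierarchy and derives the local,
next-higher-level and end effect columns of a worksheet from it. The item, mode and cause
names follow Figure 1; the cause lists attached to Modes 1 and 2 of Part 2, the worksheet
column names and the helper functions are assumptions made for this example.

```python
"""Added example, not part of IEC 60812: walking the failure mode / cause /
effect chain of Figure 1 through an indenture hierarchy.

Every item knows its parent. Seen from the parent, an item's failure mode is
a failure cause, and the item's failure is an effect. The hierarchy below
mirrors Figure 1; the causes attached to the modes of Part 2 and the
worksheet column names are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Item:
    name: str
    parent: Optional[Item] = None
    children: list[Item] = field(default_factory=list)
    # failure mode -> causes identified at this item's own level
    failure_modes: dict[str, list[str]] = field(default_factory=dict)

    def add(self, child: Item) -> Item:
        child.parent = self
        self.children.append(child)
        return child

    def level(self) -> int:
        """Indenture level: 0 for the system, 1 for subsystems, and so on."""
        return 0 if self.parent is None else self.parent.level() + 1


def find(root: Item, name: str) -> Item:
    """Depth-first lookup of an item by its (unique) name."""
    stack = [root]
    while stack:
        node = stack.pop()
        if node.name == name:
            return node
        stack.extend(node.children)
    raise KeyError(name)


def build_figure_1_hierarchy() -> Item:
    system = Item("System")
    subsystems = {n: system.add(Item(f"Subsystem {n}")) for n in range(1, 6)}
    modules = {n: subsystems[4].add(Item(f"Module {n}")) for n in range(1, 5)}
    parts = {n: modules[3].add(Item(f"Part {n}")) for n in range(1, 6)}
    # Assumed cause lists; Figure 1 shows three causes for Mode 3 only.
    parts[2].failure_modes = {
        "Mode 1": ["Cause 1"],
        "Mode 2": ["Cause 1", "Cause 2"],
        "Mode 3": ["Cause 1", "Cause 2", "Cause 3"],
    }
    return system


def effect_chain(item: Item, mode: str) -> list[tuple[str, str, str]]:
    """(analysis level, cause, effect) triples from a failure mode of `item`
    up to the top of the hierarchy.

    At each step the failure of the lower item is the cause and the failure of
    the enclosing item is the effect. The walk assumes the item is in series
    with its parent: redundancy that masks a failure at some level must be
    modelled separately and would break the chain there.
    """
    chain: list[tuple[str, str, str]] = []
    cause = f"{item.name} {mode}"      # the mode, as the parent sees it
    current = item
    while current.parent is not None:
        effect = f"{current.parent.name} failure"
        chain.append((current.parent.name, cause, effect))
        cause = effect                 # this effect is the next level's cause
        current = current.parent
    return chain


def worksheet_rows(item: Item) -> list[dict[str, str]]:
    """One worksheet row per (failure mode, cause) pair, with the local,
    next-higher-level and end effects taken from the chain."""
    rows = []
    for mode, causes in item.failure_modes.items():
        chain = effect_chain(item, mode)
        for cause in causes:
            rows.append({
                "item": item.name,
                "failure mode": mode,
                "cause": cause,
                "local effect": f"{mode} occurrence",
                "next higher effect": chain[0][2] if chain else "none (top level)",
                "end effect": chain[-1][2] if chain else "none (top level)",
            })
    return rows


if __name__ == "__main__":
    part2 = find(build_figure_1_hierarchy(), "Part 2")
    for level, cause, effect in effect_chain(part2, "Mode 3"):
        print(f"{level:12s} cause: {cause:22s} effect: {effect}")
    for row in worksheet_rows(part2):
        print(row)
```

The walk is deliberately naive about redundancy: it treats every item as being in series with
its parent, which is exactly the assumption the reliability block diagram of 5.2.2.4 exists to
check. The same structure holds when the lowest-level item is a security mechanism whose
failure mode is the loss of the protection it provides; only the names in the rows change.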
5.2.2.4 Representation of system structure
Symbolic representations of the system structure and operation, especially diagrams, are very
useful to aid the analysis.
Simple diagrams should be created, highlighting all the functions essential to the system. In
the diagram, the blocks are linked together by lines that represent the inputs and outputs for
each function. Usually, the nature of each function and each input needs to be precisely
described. There may be several diagrams to cover different phases of system operation.
As the system design progresses, a component block diagram can be created with blocks
representing actual components or parts. With this additional knowledge more precise
identification of potential failure modes and causes becomes possible.
The diagrams should display any series and redundant relationships among the elements and
the functional interdependencies between them. This allows the functional failures to be
tracked through the system. More than one diagram may be needed to display the alternative
modes of system operation. Separate diagrams may be required for each operational mode.
As a minimum, the block diagram should contain the following:
a) breakdown of the system into major subsystems including functional relationships;
b) all appropriately labelled inputs and outputs and identification numbers by which each
subsystem is consistently referenced;
c) all redundancies, alternative signal paths and other engineering features which provide
protection against system failures.
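The following Python model is an added example, not taken from IEC 60812, of a reliability
block diagram that records the series and redundant relationships listed above and lets a
functional failure be tracked through the system: it checks whether the function survives a
given set of failed blocks, lists the single points of failure, and enumerates the minimal
cut sets (smallest combinations of failed blocks that remove the function). The example
system (a power supply in series with a 1-of-2 controller pair, a 2-of-3 sensor group and a
single actuator), the block names and the node classes are constructed for illustration.

```python
"""Added example, not part of IEC 60812: a minimal reliability block diagram
model used to track functional failures through series and redundant
relationships, as 5.2.2.4 asks the block diagram to show.

Block names, the k-of-n redundancy figures and the example system itself are
constructed for illustration and do not come from the standard.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Block:
    """A single item, referenced by the identification it carries on the diagram."""
    name: str


@dataclass(frozen=True)
class Series:
    """All members must function for the function to be delivered."""
    members: tuple


@dataclass(frozen=True)
class Redundant:
    """At least k of the members must function (k-of-n redundancy)."""
    k: int
    members: tuple


def functions(node, failed: frozenset[str]) -> bool:
    """True if the function represented by `node` is delivered when the
    named blocks have failed."""
    if isinstance(node, Block):
        return node.name not in failed
    if isinstance(node, Series):
        return all(functions(m, failed) for m in node.members)
    if isinstance(node, Redundant):
        return sum(functions(m, failed) for m in node.members) >= node.k
    raise TypeError(f"unknown node {node!r}")


def blocks(node) -> list[str]:
    """All block names in the diagram, in diagram order."""
    if isinstance(node, Block):
        return [node.name]
    return [b for m in node.members for b in blocks(m)]


def single_points_of_failure(node) -> list[str]:
    """Blocks whose failure alone removes the function."""
    return [b for b in blocks(node) if not functions(node, frozenset({b}))]


def minimal_cut_sets(node, max_size: int = 2) -> list[frozenset[str]]:
    """Smallest combinations of failed blocks that remove the function, up to
    `max_size` blocks. A cut set is minimal when no proper subset is itself a
    cut set; sets are searched in increasing size so supersets can be skipped."""
    names = blocks(node)
    found: list[frozenset[str]] = []
    for size in range(1, max_size + 1):
        for combo in combinations(names, size):
            cut = frozenset(combo)
            if any(prev <= cut for prev in found):
                continue
            if not functions(node, cut):
                found.append(cut)
    return found


def example_diagram():
    """Constructed example: PSU -> (Controller A or B) -> (2 of 3 sensors) -> Actuator."""
    return Series((
        Block("PSU"),
        Redundant(1, (Block("Controller A"), Block("Controller B"))),
        Redundant(2, (Block("Sensor 1"), Block("Sensor 2"), Block("Sensor 3"))),
        Block("Actuator"),
    ))


if __name__ == "__main__":
    diagram = example_diagram()
    print("single points of failure:", single_points_of_failure(diagram))
    for cut in minimal_cut_sets(diagram):
        print("minimal cut set:", sorted(cut))
```

Because the text asks for a separate diagram per operational mode, one such model per mode is
the natural form; the enumeration is exhaustive over combinations, so keep max_size small on
large diagrams or restrict it to the subsystem under study.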
5.2.2.5 System initiation, operation, control and maintenance
The status of the different operating conditions of the system should be specified, as well as
the changes in the configuration or the position of the system and its components during the
different operational phases. The minimum performances demanded of the system should be
defined such that success and/or failure criteria can be clearly understood. Such specific
requirements as availability or safety should be considered in terms of specified minimum
levels of performance to be achieved and maximum levels of damage or harm to be accepted.
It is necessary to have an accurate knowledge of
a) the duration of each function the system may be called upon to perform;
b) the time interval between periodic tests;
c) the time available for corrective action before serious consequences occur to the system;
d) the entire facility, the environment and/or the personnel, including interfaces and
interactions with operators;
e) operating procedures during system start-up, shut-down and other operational transitions;
f) control during the operational phases;
g) preventive and/or corrective maintenance;
h) procedures for routine testing, if employed.
It has been stated that one of the uses of FMEA is to assist in the development of the
maintenance strategy. However, if the latter has been pre-determined, information on
maintenance facilities, equipment and spares should be known for both preventive and
corrective maintenance.
5.2.2.6 System environment
The environmental conditions of the system should be specified, including ambient conditions
and those created by other systems in the vicinity. The system should be delineated with
respect to its relationships, dependencies, or interconnections with auxiliary or other systems
and human interfaces.
At the design stage these facts are usually not all known and therefore approximations and
assumptions will be needed. As the project progresses, the data will have to be augmented
and the FMEA modified to allow for new information or changed assumptions or approximations.
Often the FMEA will be helpful in defining the required conditions.
5.2.3 Failure mode determination
Successful operation of a given system is subject to the performance of certain critical system
elements. The key to evaluation of system performance is the identification of those critical
elements. The procedures for identifying failure modes, their causes and effects can be
effectively enhanced by the preparation of a list of failure modes anticipated in the light of the
following:
a) the use of the system;
b) the particular system element involved;
c) the mode of operation;
d) the pertinent operational specifications;
e) the time constraints;
f) the environmental stresses;
g) the operational stresses.
An example list of general failure modes is given in Table 1.
Table 1 – Example of a set of general failure modes
1 Failure during operation
2 Failure to operate at a prescribed time
3 Failure to cease operation at a prescribed time
4 Premature operation
NOTE This listing is an example only. Different lists would be required for different types of systems.

Virtually every type of failure mode can be classified into one or more of these categories.
However, these general failure mode categories are too broad in scope for definitive analysis;
consequently, the list needs to be expanded to make the categories more specific. When used
in conjunction with performance specifications governing the inputs and outputs on the
reliability block diagram, all potential failure modes can be identified and described. It should
be noted that a given failure mode may have several causes.
It is important to evaluate all items within the system boundaries, at the lowest level
commensurate with the objectives of the analysis, in order to identify all potential failure
modes. Investigation to determine possible failure causes and the failure effects on
subsystem and system function can then be undertaken.
Item suppliers should identify the potential item failure modes within their products. To assist
this function, typical failure mode data can be sought from the following sources:
a) for new items, reference can be made to other items with similar function and structure
and to the results of tests performed on them under appropriate stress levels;
b) for new items, the design intent and a detailed functional analysis yield the potential
failure modes and their causes. This method is preferred to the one in a), because the
stresses and the operation itself might differ from those of the similar items; an example
of this situation is the use of a signal processor different from the one used in the
similar design;
c) for items in use, in-service records and failure data may be consulted;
d) potential failure modes can be deduced from functional and physical parameters typical of
the operation of the item.
It is important that item failure modes are not omitted for lack of data and that initial estimates
are improved by test results and design progression. The FMEA should record the status of
such estimates.
The identification of failure modes and, where necessary, the determination of remedial
design actions, preventative quality assurance actions or preventative maintenance actions is
of prime importance. It is more important to identify and, if possible, to mitigate the failure
modes effects by design measures, than to know their prob
...
