Analysis techniques for system reliability - Procedure for failure mode and effects analysis (FMEA)

This International Standard describes Failure Mode and Effects Analysis (FMEA) and Failure Mode, Effects and Criticality Analysis (FMECA), and gives guidance as to how they may be applied to achieve various objectives by: providing the procedural steps necessary to perform analysis; identifying appropriate terms; defining basic principles; providing examples of the necessary worksheets or other tabular forms.

French title: Techniques d'analyse de la fiabilité du système - Procédure d'analyse des modes de défaillance et de leurs effets (AMDE)

French abstract (translated): This International Standard describes Failure Mode and Effects Analysis (FMEA) and Failure Mode, Effects and Criticality Analysis (FMECA), and gives guidance on applying these methods to the various objectives sought, by: providing the procedure to follow to carry out an analysis; specifying the relevant terms, assumptions, criticality measures and failure modes; setting out the basic principles; and providing model examples of documents and tables.

General Information

Status: Published
Publication Date: 24-Jan-2006
Technical Committee: IEC TC 56, Dependability
Current Stage: DELPUB - Deleted Publication
Start Date: 10-Aug-2018
Completion Date: 26-Oct-2025
Overview

IEC 60812:2006 - Analysis techniques for system reliability - Procedure for failure mode and effects analysis (FMEA) describes how to perform Failure Mode and Effects Analysis (FMEA) and Failure Mode, Effects and Criticality Analysis (FMECA). The standard gives procedural steps, defines terms and basic principles, and provides examples of worksheets and tabular forms. It emphasizes early, iterative application during design or process development to identify potential failure modes, their causes and effects, and to support cost‑effective mitigation and risk reduction.

Key topics and requirements

  • FMEA / FMECA procedure: step‑by‑step analysis workflow from system decomposition to reporting, including guidance for preparing and updating analyses as designs evolve.
  • System decomposition: hierarchical representation (hardware, software, processes) using block diagrams to determine analysis levels.
  • Terms and definitions: consistent definitions for item, failure, fault, failure mode, failure effect, severity, occurrence and criticality.
  • Severity, occurrence and detection: qualitative and (where applicable) quantitative considerations for assessing failure mode impact and likelihood; criticality combines severity with frequency or probability attributes.
  • Worksheets and examples: illustrative FMEA/FMECA worksheet formats and example analyses (annexes include sample worksheets, RPN examples and criticality matrices).
  • Special considerations: treatment of common‑cause failures, human factors, software errors and consequences of system failure.
  • Outputs and reporting: guidance on documenting results, recommended corrective actions and tracking design changes.
  • Method relationships: guidance on how FMEA/FMECA relates to other dependability methods (e.g., Fault Tree Analysis and Reliability Block Diagrams).

Practical applications and users

IEC 60812 is used to support reliability, safety and quality engineering across industries:

  • Who uses it: design and reliability engineers, system architects, safety engineers, process engineers, quality teams, maintainers and regulatory bodies.
  • Typical applications: product development and design reviews, process FMEA for manufacturing, safety analysis for automotive/electronics/aerospace, maintenance planning, and supplier or component qualification.
  • Benefits: early identification of design weaknesses, prioritization of mitigation actions, improved documentation for audits and regulatory compliance, and inputs to risk management and maintenance strategies.

Related standards

  • IEC 60300-3-1 - Dependability management: application guide for analysis techniques
  • IEC 61025 - Fault tree analysis (FTA)
  • IEC 61078 - Reliability block diagram method

Keywords: IEC 60812, FMEA, FMECA, failure modes and effects analysis, reliability, criticality, risk assessment, FMEA worksheet, failure severity.

Available editions

  • IEC 60812:2006 - Analysis techniques for system reliability - Procedure for failure mode and effects analysis (FMEA). English, 46 pages, released 1/25/2006.
  • IEC 60812:2006 - Techniques d'analyse de la fiabilité du système - Procédure d'analyse des modes de défaillance et de leurs effets (AMDE). French, 46 pages, released 1/25/2006.
  • IEC 60812:2006 - Analysis techniques for system reliability - Procedure for failure mode and effects analysis (FMEA). Bilingual English and French, 93 pages, released 1/25/2006, ISBN 283188425X.

Standards Content (Sample)


INTERNATIONAL IEC
STANDARD 60812
Second edition
2006-01
Analysis techniques for system reliability –
Procedure for failure mode
and effects analysis (FMEA)
This English-language version is derived from the original
bilingual publication by leaving out all French-language
pages. Missing page numbers correspond to the French-
language pages.
© IEC 2006 Copyright - all rights reserved
No part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical,
including photocopying and microfilm, without permission in writing from the publisher.
International Electrotechnical Commission, 3, rue de Varembé, PO Box 131, CH-1211 Geneva 20, Switzerland
Telephone: +41 22 919 02 11 Telefax: +41 22 919 03 00 E-mail: inmail@iec.ch Web: www.iec.ch

60812  IEC:2006 – 3 –
CONTENTS
FOREWORD ... 7
1 Scope ... 11
2 Normative references ... 11
3 Terms and definitions ... 11
4 Overview ... 15
4.1 Introduction ... 15
4.2 Purpose and objectives of the analysis ... 17
5 Failure modes and effects analysis ... 19
5.1 General considerations ... 19
5.2 Preliminary tasks ... 21
5.3 Failure mode, effects, and criticality analysis (FMECA) ... 41
5.4 Report of analysis ... 55
6 Other considerations ... 59
6.1 Common-cause failures ... 59
6.2 Human factors ... 59
6.3 Software errors ... 61
6.4 FMEA regarding consequences of system failure ... 61
7 Applications ... 61
7.1 Use of FMEA/FMECA ... 61
7.2 Benefits of FMEA ... 65
7.3 Limitations and deficiencies of FMEA ... 65
7.4 Relationships with other methods ... 67
Annex A (informative) Summary of procedures for FMEA and FMECA ... 71
Annex B (informative) Examples of analyses ... 79
Bibliography ... 93

Figure 1 – Relationship between failure modes and failure effects in a system hierarchy ... 25
Figure 2 – Analysis flowchart ... 39
Figure 3 – Criticality matrix ... 47
Figure A.1 – Example of the format of an FMEA worksheet ... 77
Figure B.1 – FMEA for a part of automotive electronics with RPN calculation ... 81
Figure B.2 – Diagram of subsystems of a motor generator set ... 83
Figure B.3 – Diagram of enclosure heating, ventilation and cooling systems ... 85
Figure B.4 – FMEA for sub-system 20 ... 87
Figure B.5 – Part of a process FMECA for machined aluminium casting ... 91

Table 1 – Example of a set of general failure modes ... 29
Table 2 – Illustrative example of a severity classification for end effects ... 35
Table 3 – Risk/criticality matrix ... 49
Table 4 – Failure mode severity ... 51
Table 5 – Failure mode occurrence related to frequency and probability of occurrence ... 51
Table 6 – Failure mode detection evaluation criteria ... 53
Table 7 – Example of a set of failure effects (for a motor vehicle starter) ... 57
Table 8 – Example of a failure effects probability ... 57
Table B.1 – Definition and classification of the severity of the effects of failures on the complete M-G system ... 83

INTERNATIONAL ELECTROTECHNICAL COMMISSION

ANALYSIS TECHNIQUES FOR SYSTEM RELIABILITY –
PROCEDURE FOR FAILURE MODE AND EFFECTS ANALYSIS (FMEA)
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with an IEC Publication.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 60812 has been prepared by IEC technical committee 56:
Dependability.
This second edition cancels and replaces the first edition published in 1985 and constitutes a
technical revision.
The main changes from the previous edition are as follows:
– introduction of the failure modes effects and criticality concepts;
– inclusion of the methods used widely in the automotive industry;
– added references and relationships to other failure modes analysis methods;
– added examples;
– provided guidance of advantages and disadvantages of different FMEA methods.

The text of this standard is based on the following documents:

FDIS: 56/1072/FDIS
Report on voting: 56/1091/RVD

Full information on the voting for the approval of this standard can be found in the report on
voting indicated above.

This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.

The committee has decided that the contents of this publication will remain unchanged until
the maintenance result date indicated on the IEC web site under "http://webstore.iec.ch" in
the data related to the specific publication. At this date, the publication will be
• reconfirmed;
• withdrawn;
• replaced by a revised edition, or
• amended.
1 Scope
This International Standard describes Failure Mode and Effects Analysis (FMEA) and Failure
Mode, Effects and Criticality Analysis (FMECA), and gives guidance as to how they may be
applied to achieve various objectives by
− providing the procedural steps necessary to perform an analysis;
− identifying appropriate terms, assumptions, criticality measures, failure modes;
− defining basic principles;
− providing examples of the necessary worksheets or other tabular forms.
All the general qualitative considerations presented for FMEA will apply to FMECA, since the
latter is an extension of the former.
2 Normative references
The following referenced documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the latest edition
of the referenced document (including any amendments) applies.
IEC 60300-3-1:2003, Dependability management – Part 3-1: Application guide – Analysis
techniques for dependability – Guide on methodology
IEC 61025, Fault tree analysis (FTA)
IEC 61078, Analysis techniques for dependability – Reliability block diagram method
3 Terms and definitions
For the purposes of this document, the following definitions apply.

3.1
item
any part, component, device, subsystem, functional unit, equipment or system that can be
individually considered
NOTE 1 An item may consist of hardware, software or both, and may also in particular cases include people.
NOTE 2 A number of items, e.g. a population of items or a sample, may itself be considered as an item.
[IEV 191-01-01]
A process can also be defined as an item which carries out a predetermined function and for
which a process FMEA or FMECA is carried out. Normally, a hardware FMEA does not
address people and their interactions with hardware/software, while a process FMEA normally
includes actions of people.
3.2
failure
termination of the ability of an item to perform a required function

[IEV 191-04-01]
3.3
fault
state of an item characterized by the inability to perform a required function, excluding the
inability during preventive maintenance or other planned actions, or due to lack of external
resources
NOTE 1 A fault is often the result of a failure of the item itself, but may exist without prior failure.
[IEV 191-05-01]
NOTE 2 In this document “fault” is used interchangeably with the term “failure” for historical reasons.
3.4
failure effect
consequence of a failure mode in terms of the operation, function or status of the item
3.5
failure mode
manner in which an item fails
3.6
failure criticality
combination of the severity of an effect and the frequency of its occurrence or other attributes
of a failure as a measure of the need for addressing and mitigation
3.7
system
set of interrelated or interacting elements
NOTE 1 In the context of dependability, a system will have
a) defined purposes expressed in terms of required functions;
b) stated conditions of operation use (see 191-01-12);
c) a defined boundary.
NOTE 2 The structure of a system is hierarchical.
[ISO 9000:2000]
3.8
failure severity
significance or grading of the failure mode’s effect on item operation, on the item surrounding,
or on the item operator; failure mode effect severity as related to the defined boundaries of
the analysed system
4 Overview
4.1 Introduction
Failure Modes and Effects Analysis (FMEA) is a systematic procedure for the analysis of a
system to identify the potential failure modes, their causes and effects on system performance
(performance of the immediate assembly and the entire system or a process). Here, the term
system is used as a representation of hardware, software (with their interaction) or a process.
The analysis is best performed early in the development cycle, so that removal or mitigation
of the failure mode is most cost effective. This analysis can be initiated as soon as the system
is defined well enough to be presented as a functional block diagram in which the performance
of its elements can be defined.
FMEA timing is essential; if done early enough in the development cycle, then incorporating
the design changes to overcome deficiencies identified by the FMEA may be cost effective. It
is therefore important that the FMEA task and its deliverables be incorporated into the
development plan and schedule. FMEA is thus an iterative process that takes place
concurrently with the design process.
FMEA is applicable at various levels of system decomposition from the highest level of block
diagram down to the functions of discrete components or software commands. The FMEA is
also an iterative process that is updated as the design develops. Design changes will require
that relevant parts of the FMEA be reviewed and updated.
A thorough FMEA is a result of a team composed of individuals qualified to recognize and
assess the magnitude and consequences of various types of potential inadequacies in the
product design that might lead to failures. Advantage of the team work is that it stimulates
thought process, and ensures necessary expertise.
FMEA is considered to be a method to identify the severity of potential failure modes and to
provide an input to mitigating measures to reduce risk. In some applications however, FMEA
also includes an estimation of the probability of occurrence of the failure modes. This
enhances the analysis by providing a measure of the failure mode’s likelihood.
Application of FMEA is preceded by a hierarchical decomposition of the system (hardware
with software, or a process) into its more basic elements. It is useful to employ simple block
diagrams to illustrate this decomposition (IEC 61078). The analysis then starts with lowest
level elements. A failure mode effect at a lower level may then become a failure cause of a
failure mode of an item in the next higher level. The analysis proceeds in a bottom-up fashion
until the end effect on the system is identified. Figure 1 illustrates this relationship.

FMECA (Failure Modes, Effects and Criticality Analysis) is an extension to the FMEA to
include a means of ranking the severity of the failure modes to allow prioritization of
countermeasures. This is done by combining the severity measure and frequency of
occurrence to produce a metric called criticality.
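The bottom-up relationship described above (a lower-level failure effect becomes the failure mode of the next-higher item, and criticality combines the severity of the end effect with the frequency of the originating mode) is shown here as an added Python example. It is not code from IEC 60812 or the IEC: the item tree, the failure modes, and the 1-10 severity, occurrence and detection scales are assumptions constructed for the illustration (the standard's own Tables 4-6 are not reproduced on this page). The RPN form S x O x D is included because the Annex B automotive example on the contents list uses an RPN calculation; criticality as defined in 3.6 omits the detection factor.

```python
"""Bottom-up FMEA/FMECA walk over a constructed item hierarchy (added example, not IEC 60812 text)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FailureMode:
    mode_id: str                     # "<item>/<mode>", unique within the analysis
    item: str                        # item the mode belongs to (3.1)
    description: str                 # manner in which the item fails (3.5)
    causes: Tuple[str, ...]          # failure causes recorded at this level
    local_effect: str                # effect on the item itself (3.4)
    effect_on_parent: Optional[str]  # mode_id of the parent item's mode that this mode causes
    severity: int = 0                # assumed 1..10 scale, graded on the end effect (system-level modes)
    occurrence: int = 0              # assumed 1..10 scale, set on the lowest-level modes
    detection: int = 0               # assumed 1..10 scale, 10 = undetectable before the end effect


# Constructed hierarchy (item -> parent). None marks the system boundary (5.2.2.2).
HIERARCHY: Dict[str, Optional[str]] = {
    "Gateway": None, "Session management": "Gateway",
    "Token validator": "Session management", "Clock source": "Token validator",
}

_SAMPLE = [  # constructed worksheet entries; lower-level mode_ids appear as higher-level causes
    FailureMode("Gateway/denies-service", "Gateway", "legitimate users cannot log in",
                ("Session management/rejects-valid",), "service unavailable", None, severity=7),
    FailureMode("Gateway/grants-stale", "Gateway", "expired sessions stay usable",
                ("Session management/accepts-expired",), "unauthorized access window", None, severity=9),
    FailureMode("Session management/rejects-valid", "Session management", "valid tokens rejected",
                ("Token validator/time-ahead",), "users logged out", "Gateway/denies-service"),
    FailureMode("Session management/accepts-expired", "Session management", "expired tokens accepted",
                ("Token validator/time-behind",), "sessions outlive their lifetime", "Gateway/grants-stale"),
    FailureMode("Token validator/time-ahead", "Token validator", "clock reads ahead of real time",
                ("Clock source/drift-forward",), "live tokens judged expired", "Session management/rejects-valid"),
    FailureMode("Token validator/time-behind", "Token validator", "clock reads behind real time",
                ("Clock source/drift-backward", "Clock source/steps-to-epoch"), "expired tokens judged valid",
                "Session management/accepts-expired"),
    FailureMode("Clock source/drift-forward", "Clock source", "oscillator drifts forward",
                ("NTP unreachable", "oscillator ageing"), "positive time skew",
                "Token validator/time-ahead", occurrence=4, detection=3),
    FailureMode("Clock source/drift-backward", "Clock source", "oscillator drifts backward",
                ("NTP unreachable", "oscillator ageing"), "negative time skew",
                "Token validator/time-behind", occurrence=2, detection=6),
    FailureMode("Clock source/steps-to-epoch", "Clock source", "RTC battery dead, clock resets to epoch",
                ("RTC battery exhausted",), "time far in the past",
                "Token validator/time-behind", occurrence=1, detection=2),
]
MODES: Dict[str, FailureMode] = {m.mode_id: m for m in _SAMPLE}


def validate(modes: Dict[str, FailureMode], hierarchy: Dict[str, Optional[str]]) -> List[str]:
    """Worksheet consistency check: each effect_on_parent must name a mode of the item's parent."""
    problems = []
    for m in modes.values():
        if m.item not in hierarchy:
            problems.append(f"{m.mode_id}: item not in hierarchy")
            continue
        parent = hierarchy[m.item]
        if parent is None:
            if m.effect_on_parent is not None:
                problems.append(f"{m.mode_id}: system-level mode must not link upward")
        elif m.effect_on_parent is None:
            problems.append(f"{m.mode_id}: no effect recorded on parent {parent}")
        elif m.effect_on_parent not in modes or modes[m.effect_on_parent].item != parent:
            problems.append(f"{m.mode_id}: {m.effect_on_parent} is not a mode of parent {parent}")
    return problems


def effect_chain(mode_id: str, modes: Dict[str, FailureMode]) -> List[str]:
    """Follow effects upward, as in Figure 1, until the system-level mode (the end effect)."""
    chain = [mode_id]
    while modes[chain[-1]].effect_on_parent is not None:
        nxt = modes[chain[-1]].effect_on_parent
        if nxt in chain:
            raise ValueError(f"cycle in effect links at {nxt}")
        chain.append(nxt)
    return chain


def end_effect(mode_id: str, modes: Dict[str, FailureMode]) -> str:
    return modes[effect_chain(mode_id, modes)[-1]].local_effect


def criticality(mode_id: str, modes: Dict[str, FailureMode]) -> int:
    """3.6: severity of the end effect combined with the occurrence of the originating mode."""
    return modes[effect_chain(mode_id, modes)[-1]].severity * modes[mode_id].occurrence


def rpn(mode_id: str, modes: Dict[str, FailureMode]) -> int:
    """Risk priority number S x O x D (the Annex B automotive-style form); adds detectability."""
    return criticality(mode_id, modes) * modes[mode_id].detection


def ranked(modes, hierarchy, key=criticality) -> List[str]:
    """Lowest-level modes (items that are nobody's parent), highest priority first."""
    parents = {p for p in hierarchy.values() if p is not None}
    leaves = [m.mode_id for m in modes.values() if m.item not in parents]
    return sorted(leaves, key=lambda mid: (-key(mid, modes), mid))


def worksheet(modes, hierarchy) -> List[Dict[str, object]]:
    """Reduced Annex A-style worksheet rows for the ranked lowest-level modes."""
    rows = []
    for mid in ranked(modes, hierarchy):
        m, chain = modes[mid], effect_chain(mid, modes)
        rows.append({"item": m.item, "failure mode": m.description, "causes": "; ".join(m.causes),
                     "local effect": m.local_effect, "next higher effect": modes[chain[1]].description,
                     "end effect": end_effect(mid, modes), "S": modes[chain[-1]].severity,
                     "O": m.occurrence, "D": m.detection,
                     "criticality": criticality(mid, modes), "RPN": rpn(mid, modes)})
    return rows
```

On the constructed data the two metrics disagree: ranked by criticality the forward drift (28) comes first, ranked by RPN the backward drift (108) does, because its effect is the harder one to detect before it matters. That is the point of keeping detection as a separate column in the worksheet rather than folding it into severity, and `validate()` is the check to run whenever the hierarchy or the worksheet is revised, since a link that points at a mode of the wrong item silently breaks the bottom-up chain.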
The principles of an FMEA may be applied outside of engineering design. The FMEA procedure
can be applied to a manufacturing or any other work process, such as in hospitals, medical
laboratories, school systems, or others. When FMEA is applied to a manufacturing process,
this procedure is known in industry as the Process FMEA, or PFMEA. For an FMEA to be
effective, adequate resources for team work have to be committed. A thorough understanding
of the system under analysis may not be essential for a preliminary FMEA. As the design
develops, a detailed failure mode analysis requires thorough knowledge of the design
performance and its specifications. Complex engineering designs usually require the
involvement of multiple areas of design expertise (e.g. mechanical engineering, electrical
engineering, systems engineering, software engineering, maintenance support, etc.).
FMEA generally deals with individual failure modes and the effect of these failure modes on
the system. Each failure mode is treated as independent. The procedure is therefore
unsuitable for consideration of dependent failures or failures resulting from a sequence of
events. To analyse these situations other methods and techniques, such as Markov analysis
(see IEC 61165) or fault tree analysis (see IEC 61025), may be required.
In determining the impact of a failure, one must consider induced or resultant failures at
higher levels and possibly at the same level. The analysis should indicate, wherever possible,
the combination of failure modes or their sequence that was the cause of a higher level effect.
In that case additional modelling is required to estimate the magnitude or probability of
occurrence of such an effect.
FMEA is a flexible tool that can be tailored to meet specific industry or product needs.
Specialized worksheets requiring specific entries may be adapted for certain applications. If
severity levels of failure modes are defined, they may be defined differently for different
systems or different system levels.
4.2 Purpose and objectives of the analysis
The reasons for undertaking Failure Mode Effects Analysis (FMEA) or Failure Mode Effects
and Criticality Analysis (FMECA) may include the following:
a) to identify those failures which have unwanted effects on system operation, e.g. preclude
or significantly degrade operation or affect the safety of the user;
b) to satisfy contractual requirements of a customer, as applicable;
c) to allow improvements of the system’s reliability or safety (e.g. by design modifications or
quality assurance actions);
d) to allow improvement of the system’s maintainability (by highlighting areas of risk or
nonconformity for maintainability).
In view of the above reasons for undertaking an FMEA effort, the objectives of an FMEA (or
FMECA) may include the following:
a) a comprehensive identification and evaluation of all the unwanted effects within the
defined boundaries of the system being analysed, and the sequences of events brought
about by each identified item failure mode, from whatever cause, at various levels of the
system’s functional hierarchy;
b) the determination of the criticality or priority for addressing/mitigation (see Clause 6) of
each failure mode with respect to the system’s correct function or performance and the
impact on the process concerned;
c) a classification of identified failure modes according to relevant characteristics, including
their ease of detection, capability to be diagnosed, testability, compensating and operating
provisions (repair, maintenance, logistics, etc.);
d) identification of system functional failures and estimation of measures of the severity and
probability of failure;
e) development of a design improvement plan for mitigation of failure modes;
f) support for the development of an effective maintenance plan to mitigate or reduce the
likelihood of failure (see IEC 60300-3-11).
NOTE When criticality or probability of occurrence is addressed, the comments regard FMECA methodology.
5 Failure modes and effects analysis
5.1 General considerations
Traditionally there have been wide variations in the manner in which FMEA is conducted and
presented. The analysis is usually done by identifying the failure modes, their respective
causes and immediate and final effects. The analytical results can be presented on a
worksheet that contains a core of essential information for entire system and details
developed for that specific system. It shows the ways the system could potentially fail, the
components and their failure modes that would be the cause of system failure, and the
cause(s) of occurrence of each individual failure mode.
The FMEA effort applied to the complex products might be very extensive. This effort may be
sometimes reduced by having in mind that design of some subassemblies or their parts may
not be entirely new and by identifying parts of the product design that are a repetition or a
modification of a previous product design. The newly constructed FMEA should use
information on those existing subassemblies to the highest possible extent. It must also point
to the need for eventual test or full analysis of the new features and items. Once a detailed
FMEA is created for one design, it can be updated and improved for the succeeding
generations of that design, which constitutes a significantly less effort than the entirely new
analysis.
When using an existing FMEA from a previous product version, it is essential to make sure
that the repeated design is indeed used in the same manner and under the same stresses as
the previous design. The new operational or environmental stresses may require review of the
previously completed FMEA. Different environmental and operational stresses may require an
entirely new FMEA to be created in view of the new operational conditions.
The FMEA procedure consists of the following four main stages:

a) establishment of the basic ground rules for the FMEA, and planning and scheduling to
ensure that the time and expertise are available to do the analysis;
b) executing the FMEA using the appropriate worksheet or other means such as logic
diagrams or fault trees;
c) summarizing and reporting of the analysis, including any conclusions and
recommendations made;
d) updating the FMEA as the development activity progresses.

5.2 Preliminary tasks
5.2.1 Planning for the analysis
FMEA activities, follow-up activities, procedures, relationship with other reliability activities,
processes for management of corrective actions and for their closure, and milestones, should
be integrated into the overall program plan.
The reliability program plan should describe the FMEA analysis method to be used. This
description may be a summary description or a reference to a source document containing the
method description.
This plan should contain the following points.
− clear definition of the specific purposes of the analysis and expected results;
− the scope of the present analysis in terms of how the FMEA should focus on certain
design elements. The scope should reflect the design maturity, elements of the design
that may be considered to be a risk because they perform a critical function or because of
immaturity of the technology used;
− description of how the present analysis supports the overall project dependability;
− identified measures used for control of the FMEA revisions and the relevant
documentation. Revision control of the analysis documents and worksheets and archive
methods should be specified;
− participation of design experts in the analysis so that they are available when needed;
− key project schedule milestones clearly marked to ensure the analysis is executed in a
timely manner;
− manner of closure of all actions identified in the process of mitigation of identified failure
modes that need to be addressed.
The plan should reflect the consensus of all participants and should be approved by project
management. Final review of the completed FMEA in the final stage of the design of a product
or its manufacturing process (process FMEA) identifies all of the recorded actions for
mitigation of failure modes of concern and the manner of their closure.
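Two of the planning points above, revision control of the worksheets and closure of every recorded mitigation action, are mechanical enough to script. The following is an added Python example, not part of IEC 60812: it keys worksheet rows on a stable mode identifier, diffs two revisions, reports which modes the next pass must re-examine (new modes and modes whose S/O/D ratings changed), and lists open actions, flagging open items that carry no action text at all. The two CSV revisions, their column layout (a reduced Annex A-style worksheet with an action and action_status column) and the mode identifiers are constructed for the illustration.

```python
"""Revision control and action closure for an FMEA worksheet (added example, not IEC 60812 text)."""
import csv
import io
from typing import Dict, List, Tuple

# Two constructed revisions of one worksheet. Rows are keyed on mode_id so that a
# mode can be followed across revisions even when its wording or ratings change.
REV1 = """\
mode_id,item,failure_mode,end_effect,S,O,D,action,action_status
CS-1,Clock source,drifts forward,service unavailable,7,4,3,add second NTP source,open
CS-2,Clock source,drifts backward,unauthorized access window,9,2,6,alarm on backward time step,open
CS-3,Clock source,resets to epoch,unauthorized access window,9,1,2,,n/a
"""

REV2 = """\
mode_id,item,failure_mode,end_effect,S,O,D,action,action_status
CS-1,Clock source,drifts forward,service unavailable,7,2,3,add second NTP source,closed
CS-2,Clock source,drifts backward,unauthorized access window,9,2,6,alarm on backward time step,open
CS-4,Clock source,applies leap second twice,unauthorized access window,9,1,7,,open
"""

Row = Dict[str, str]
RATINGS = ("S", "O", "D")


def parse_worksheet(text: str) -> Dict[str, Row]:
    """Read one worksheet revision, keyed by mode_id; duplicate ids are a worksheet defect."""
    rows: Dict[str, Row] = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["mode_id"] in rows:
            raise ValueError(f"duplicate mode_id {row['mode_id']}")
        rows[row["mode_id"]] = row
    return rows


def rpn_of(row: Row) -> int:
    """Risk priority number S x O x D for one worksheet row."""
    return int(row["S"]) * int(row["O"]) * int(row["D"])


def diff_revisions(old: Dict[str, Row], new: Dict[str, Row]) -> Dict[str, object]:
    """Modes added/removed between revisions and, for retained modes, each field that changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed: Dict[str, List[Tuple[str, str, str]]] = {}
    for mode_id in sorted(set(old) & set(new)):
        deltas = [(f, old[mode_id][f], v) for f, v in new[mode_id].items() if old[mode_id][f] != v]
        if deltas:
            changed[mode_id] = deltas
    return {"added": added, "removed": removed, "changed": changed}


def needs_review(old: Dict[str, Row], new: Dict[str, Row]) -> List[str]:
    """New modes plus modes whose ratings changed: the entries the next FMEA pass must re-examine."""
    d = diff_revisions(old, new)
    rerated = [m for m, deltas in d["changed"].items() if any(f in RATINGS for f, _, _ in deltas)]
    return sorted(list(d["added"]) + rerated)


def open_actions(rows: Dict[str, Row]) -> List[Tuple[str, str]]:
    """Actions not yet closed; an empty action text on an open item is itself a finding."""
    return [(m, r["action"]) for m, r in sorted(rows.items()) if r["action_status"] == "open"]


def closure_report(old: Dict[str, Row], new: Dict[str, Row]) -> Dict[str, object]:
    """What the final review (end of 5.2.1) needs: what changed, what it bought, and what is still open."""
    d = diff_revisions(old, new)
    return {
        "added": d["added"],
        "removed": d["removed"],  # each removal needs a recorded justification (design change, merge)
        "rpn_delta": {m: rpn_of(new[m]) - rpn_of(old[m]) for m in d["changed"]},
        "still_open": open_actions(new),
        "open_without_action": [m for m, a in open_actions(new) if not a],
    }
```

Run against the constructed revisions, the report shows CS-1 closed with its RPN halved after the mitigation, CS-3 dropped without a recorded reason, and CS-4 added as an open item that has no action text, which is exactly the kind of entry that must not survive the final review.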
5.2.2 System structure
5.2.2.1 Information on system structure
The following items need to be included into the information on system structure:
a) different system elements with their characteristics, performances, roles and functions;
b) logical connections between elements;
c) redundancy level and nature of the redundancies;
d) position and importance of the system within the whole facility (if possible);
e) inputs and outputs of the system;
f) changes in system structure for varying operational modes.
Information pertaining to functions, characteristics and performances are required for all
system levels considered up to the highest level so that FMEA could properly address failure
modes that preclude any of those functions.

5.2.2.2 Defining system boundary for the analysis
The system boundary forms the physical and functional interface between the system and its
environment, including other systems with which the analysed system interacts. The definition
of the system boundary for the analysis should correspond to the boundary as defined for
design and maintenance. This should apply to a system at any level. Systems and/or
components outside the boundaries should explicitly be defined for exclusion.
The definition of the system boundary is more likely to be influenced by design, intended use,
source of supply, or commercial criteria than by the optimum requirements of the FMEA.
However, where it is possible to define the boundaries to facilitate the system FMEA and its
integration with other related studies in the programme, such action is preferable. This is
especially so if the system is functionally complex with multiple interconnections between
items within the boundary and multiple outputs crossing the boundary. In such cases it could
be advantageous to define a study boundary from a functional rather than a hardware and
software point of view, to limit the number of input and output links to other systems. This
would tend to reduce the number of system failure effects.
Care should be taken to ensure that other systems or components outside the boundaries of
the subject system are not forgotten, by explicitly stating that they are excluded from the
particular study.
5.2.2.3 Levels of analysis
It is important to determine the indenture level in the system that will be used for the analysis.
For example, systems can be broken down by function or into subsystems, replaceable units,
or individual components (see Figure 1). Ground rules for selecting the system indenture
levels for analysis depend on the results desired and the availability of design information.
The following guidelines are useful.
a) The highest level within the system is selected from the design concept and specified
output requirements.
b) The lowest level within the system at which the analysis is effective is that level for which
information is available to establish the definition and description of functions. The selection
of the appropriate system level is influenced by previous experience. Less detailed
analysis may be justified for a system based on a mature design, with a good reliability,
maintainability and safety record. Conversely, greater detail and a correspondingly lower
system level are indicated for any newly designed system or a system with unknown
reliability history.
c) The specified or intended maintenance and repair level may be a valuable guide in
determining lower system levels.

[Figure 1 (diagram not reproduced): five indenture levels, read from the bottom up, each level's failure effect becoming the failure mode of the level above]
System, made up of Subsystems 1 to 5: system failure modes; system failure cause: Subsystem 4 failure
Subsystem 4, made up of Modules 1 to 4: Subsystem 4 failure modes; Subsystem 4 failure cause: Module 3 failure
Module 3, made up of Parts 1 to 5: Module 3 failure modes; Module 3 failure cause: Part 2 failure
Part 2, with failure Modes 1 to 3: Part 2 failure modes; Part 2 failure cause: occurrence of failure mode 3
Part 2, Mode 3, with Causes 1 to 3: Part 2, Mode 3 failure causes
IEC 2640/05
Figure 1 – Relationship between failure modes and failure effects in a system hierarchy

In the FMEA, the definitions of failure modes, failure causes and failure effects depend on the level of analysis and the system failure criteria. As the analysis progresses, the failure effects identified at the lower level may become failure modes at the higher level, and the failure modes at the lower level may become the failure causes at the higher level, and so on.

When a system is broken down into its elements, the effects of one or more failure mode causes make up a failure mode, which in turn is a cause of the higher-level effect, a part failure. The part failure is then the cause of a module failure (effect), which in itself is a cause of a subsystem failure. The effect of a cause at one system level thus becomes a cause of another effect at a higher level. This rationale is shown in Figure 1.

5.2.2.4 Representation of system structure
Symbolic representations of the system structure and operation, especially diagrams, are very
useful to aid the analysis.
Simple diagrams should be created, highlighting all the functions essential to the system. In
the diagram, the blocks are linked together by lines that represent the inputs and outputs for
each function. Usually, the nature of each function and each input needs to be precisely
described. There may be several diagrams to cover different phases of system operation.
As the system design progresses, a component block diagram can be created with blocks
representing actual components or parts. With this additional knowledge more precise
identification of potential failure modes and causes becomes possible.
The diagrams should display any series and redundant relationships among the elements and
the functional interdependencies between them. This allows the functional failures to be
tracked through the system. More than one diagram may be needed to display the alternative
modes of system operation. Separate diagrams may be required for each operational mode.
As a minimum, the block diagram should contain the following:
a) breakdown of the system into major subsystems including functional relationships;
b) all appropriately labelled inputs and outputs and identification numbers by which each
subsystem is consistently referenced;
c) all redundancies, alternative signal paths and other engineering features which provide
protection against system failures.
5.2.2.5 System initiation, operation, control and maintenance
The status of the different operating conditions of the system should be specified, as well as the changes in the configuration or the position of the system and its components during the different operational phases. The minimum performances demanded of the system should be defined such that success and/or failure criteria can be clearly understood. Specific requirements such as availability or safety should be considered in terms of specified minimum levels of performance to be achieved and maximum levels of damage or harm to be accepted. It is necessary to have an accurate knowledge of
a) the duration of each function the system may be called upon to perform;
b) the time interval between periodic tests;
c) the time available for corrective action before serious consequences occur to the system;
d) the entire facility, the environment and/or the personnel, including interfaces and interactions with operators;
e) operating procedures during system start-up, shut-down and other operational transitions;
f) control during the operational phases;
g) preventive and/or corrective maintenance;
h) procedures for routine testing, if employed.

It has been stated that one of the uses of FMEA is to assist in the development of the maintenance strategy. However, if the latter has been pre-determined, information on maintenance facilities, equipment and spares should be known for both preventive and corrective maintenance.
5.2.2.6 System environment
The environmental conditions of the system should be specified, including ambient conditions
and those created by other systems in the vicinity. The system should be delineated with
respect to its relationships, dependencies, or interconnections with auxiliary or other systems
and human interfaces.
At the design stage these facts are usually not all known and therefore approximations and assumptions will be needed. As the project progresses, the data will have to be augmented and the FMEA modified to allow for new information or changed assumptions or approximations. Often the FMEA will be helpful in defining the required conditions.
5.2.3 Failure mode determination
Successful operation of a given system is subject to the performance of certain critical system
elements. The key to evaluation of system performance is the identification of those critical
elements. The procedures for identifying failure modes, their causes and effects can be
effectively enhanced by the preparation of a list of failure modes anticipated in the light of the
following:
a) the use of the system;
b) the particular system element involved;
c) the mode of operation;
d) the pertinent operational specifications;
e) the time constraints;
f) the environmental stresses;
g) the operational stresses.
An example list of general failure modes is given in Table 1.
Table 1 – Example of a set of general failure modes
1 Failure during operation
2 Failure to operate at a prescribed time
3 Failure to cease operation at a prescribed time
4 Premature operation
NOTE This listing is an example only. Different lists would be required for different types of systems.

Virtually every type of failure mode can be classified into one or more of these categories. However, these general failure mode categories are too broad in scope for definitive analysis; consequently, the list needs to be expanded to make the categories more specific. When used in conjunction with performance specifications governing the inputs and outputs on the reliability block diagram, all potential failure modes can be identified and described. It should be noted that a given failure mode may have several causes.

It is important that all items within the system boundaries are evaluated, at the lowest level commensurate with the objectives of the analysis, in order to identify all potential failure modes. Investigation to determine possible failure causes, and also failure effects on subsystem and system function, can then be undertaken.

Item suppliers should identify the potential item failure modes within their products. To assist
this function typical failure mode data can be sought from the following areas:
a) for new items, reference can be made to other items with similar function and structure
and to the results of tests performed on them under appropriate stress levels;
b) for new items, the design intent and detailed functional analysis yield the potential failure
modes and their causes. This method is preferred to the one in a), because the stresses
and the operation itself might differ from those of the similar items. An example of this
situation may be the use of a signal processor different from the one used in the similar
design;
c) for items in use, in-service records and failure data may be consulted;
d) potential failure modes can be deduced from functional and physical parameters typical of
the operation of the item.
It is important that item failure modes are not omitted for lack of data and that initial estimates
are improved by test results and design progression. The FMEA should record the status of
such estimates.
The identification of failure modes and, where necessary, the determination of remedial
design actions, preventative quality assurance actions or preventative maintenance actions is
of prime importance. It is more important to identify and, if possible, to mitigate the failure
modes effects by design measures, than to know their probability of occurrence. When it is
difficult to assign priorities, criticality analysis may be required.
5.2.4 Failure causes
The most likely causes for each potential failure mode should be identified and described.
Since a failure mode can have more than one cause, the most likely potential independent
causes for each failure mode need to be identified and described.

The identification and description of failure causes is not always necessary for all failure
modes identified in the analysis. Identification and description of failure causes, as well as
suggestions for their mitigation should be done on the basis of the failure effects and their
severity. The more severe the effects of failure modes, the more accurately failure causes
should be identified and described. Otherwise, the analyst may dedicate unnecessary effort
to identifying the failure causes of failure modes that have no or only a very minor effect
on system functionality.
Failure causes may be determined from analysis of field failures or failures in test units. When the design is new and without precedent, failure causes may be established by eliciting the opinion of experts.

When the causes of each failure mode are identified, the recommended action will be evaluated based on their estimated probability of occurrence and the severity of their effect.


5.2.5 Failure effects
5.2.5.1 Failure effects definition

A failure effect is the consequence of a failure mode in terms of the operation, function or
status of a system (see definition 3.4). A failure effect may be caused by one or more failure
modes of one or more items.
The consequences of each failure mode on system element operation, function, or status
need to be identified, evaluated and recorded. Maintenance activities and system objectives
should also be considered whenever pertinent. A failure effect may also influence the next
level up and ultimately the highest level under analysis. Therefore, at each level, the effect of
failures on the level above should be evaluated.
5.2.5.2 Local failure effects
The expression “local effects” refers to the effects of the failure mode on the system element
under consideration. The consequences of each possible failure on the output of the item
should be described. The purpose of identifying the local effects is to provide a basis for
judgement when evaluating existing alternative provisions or devising recommended
corrective actions. In certain instances, there may not be a local effect beyond the failure
mode itself.
5.2.5.3 Failure effects at the system level
When identifying end effects, the impact of a possible failure on the highest system level is
defined and evaluated by the analysis of all intermediate levels. The end effect described may
be the result of multiple failures. (For example, failure of a safety device results in a
catastrophic end effect only in the event that both the safety device fails and the prime
function for which the safety device is designed goes beyond allowed limits.)
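The hierarchy of Figure 1 and the two propagation rules stated above (a lower-level effect is entered as the failure mode of the level above in 5.2.2.3; an end effect may require two independent failures, such as a safety device and the function it protects, in 5.2.5.3) can be put into a small executable model. The following Python is an added example and is not part of IEC 60812: the item names down to "Part 2" and "Mode 3" follow the labels of Figure 1, while "Pump A", "Pump B", "Heater", "Relief valve" and "Cause 1" are constructed placeholders, and the series/redundant/safety-device rules in `failed_items` are this example's own simplification of 5.2.2.4 c) and 5.2.5.3.

```python
"""Added example (not from IEC 60812): a minimal model of the indenture-level
hierarchy of Figure 1. effect_chain() carries one lowest-level failure mode up
through the levels as 5.2.2.3 describes; failed_items() evaluates the end
effect of a combination of failures through series, redundant and
safety-device relationships (5.2.2.4 c, 5.2.5.3). Names below "Subsystem 4"
follow Figure 1; "Pump A/B", "Heater", "Relief valve" are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Item:
    """One item at one indenture level of the system hierarchy."""
    name: str
    redundant: bool = False          # True: children in parallel, fails only if all fail
    guard_for: Optional[str] = None  # this item is a safety device for the named sibling
    failure_modes: list = field(default_factory=list)
    children: dict = field(default_factory=dict)
    parent: Optional["Item"] = field(default=None, repr=False)

    def add(self, *items: "Item") -> "Item":
        for it in items:
            it.parent = self
            self.children[it.name] = it
        return self


def effect_chain(item: Item, mode: str, cause: str) -> list:
    """One worksheet row (level, cause, mode, effect) per indenture level from
    `item` up to the top: the effect at one level is entered as the failure
    mode of the level above, and the lower-level mode becomes its cause."""
    rows = []
    while item is not None:
        effect = f"{item.name} failure"
        rows.append((item.name, cause, mode, effect))
        cause, mode, item = mode, effect, item.parent
    return rows


def failed_items(root: Item, failed_leaves: set) -> set:
    """Names of every item that fails once the given leaf items have failed.
    Series children propagate any failure; redundant children propagate only
    when all have failed; a failure guarded by a safety device propagates only
    if the device has failed as well, and the device's own failure never
    propagates by itself (local effect only, as in 5.2.5.3)."""
    failed = set()

    def evaluate(it: Item) -> bool:
        if not it.children:
            state = it.name in failed_leaves
        else:
            states = {name: evaluate(child) for name, child in it.children.items()}
            guards = {c.guard_for: c.name for c in it.children.values() if c.guard_for}
            effective = []
            for name, child in it.children.items():
                if child.guard_for:            # safety device: local effect only
                    continue
                s = states[name]
                if name in guards:             # protected: needs its guard failed too
                    s = s and states[guards[name]]
                effective.append(s)
            state = all(effective) if it.redundant else any(effective)
        if state:
            failed.add(it.name)
        return state

    evaluate(root)
    return failed


def build_example() -> Item:
    """Constructed hierarchy following the labels of Figure 1, plus a redundant
    pump pair and a heater guarded by a relief valve (both added here)."""
    part2 = Item("Part 2", failure_modes=["Mode 1", "Mode 2", "Mode 3"])
    module3 = Item("Module 3").add(Item("Part 1"), part2, *(Item(f"Part {i}") for i in (3, 4, 5)))
    subsystem4 = Item("Subsystem 4").add(Item("Module 1"), Item("Module 2"), module3, Item("Module 4"))
    subsystem2 = Item("Subsystem 2", redundant=True).add(Item("Pump A"), Item("Pump B"))
    subsystem5 = Item("Subsystem 5").add(Item("Heater"), Item("Relief valve", guard_for="Heater"))
    return Item("System").add(Item("Subsystem 1"), subsystem2, Item("Subsystem 3"), subsystem4, subsystem5)


if __name__ == "__main__":
    system = build_example()
    part2 = system.children["Subsystem 4"].children["Module 3"].children["Part 2"]
    print(f"{'Level':<12} | {'Failure cause':<19} | {'Failure mode':<19} | Failure effect")
    for level, cause, mode, effect in effect_chain(part2, "Mode 3", "Cause 1"):
        print(f"{level:<12} | {cause:<19} | {mode:<19} | {effect}")
    for leaves in ({"Relief valve"}, {"Heater"}, {"Heater", "Relief valve"}, {"Pump A"}, {"Pump A", "Pump B"}):
        print(sorted(leaves), "->", sorted(failed_items(system, leaves)))
```

The four rows returned for Part 2, Mode 3 read like the columns of an FMEA worksheet: at each level the previous level's effect appears in the failure mode column and the previous mode in the cause column. The second loop shows the end-effect rule of 5.2.5.3: the relief valve failing alone, or the heater failing alone, stays a local effect, and only the combination reaches the system level, just as a single pump failure is absorbed by the redundant pair.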
...


IEC INTERNATIONAL STANDARD 60812
Second edition
2006-01
Analysis techniques for system reliability –
Procedure for failure mode and effects analysis (FMEA)
This French version is derived from the original bilingual publication, from which the English pages have been removed. The missing page numbers are those of the removed pages.
Reference number
CEI 60812:2006(F)
© IEC 2006 Copyright – all rights reserved
No part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the publisher.
International Electrotechnical Commission, 3, rue de Varembé, PO Box 131, CH-1211 Geneva 20, Switzerland
Telephone: +41 22 919 02 11 Telefax: +41 22 919 03 00 E-mail: inmail@iec.ch Web: www.iec.ch
Commission Electrotechnique Internationale
International Electrotechnical Commission
Международная Электротехническая Комиссия

CONTENTS
FOREWORD ... 6
1 Scope ... 10
2 Normative references ... 10
3 Terms and definitions ... 10
4 Overview ... 14
4.1 Introduction ... 14
4.2 Purpose and objectives of the analysis ... 16
5 Failure mode and effects analysis ... 18
5.1 General approach ... 18
5.2 Preliminary tasks ... 20
5.3 Failure mode, effects and criticality analysis (FMECA) ... 40
5.4 Analysis report ... 54
6 Other considerations ... 58
6.1 Common-cause failures ... 58
6.2 Human factors ... 58
6.3 Software errors ... 60
6.4 FMEA and the consequences of system failure ... 60
7 Applications ... 60
7.1 Use of FMEA/FMECA ... 60
7.2 Benefits of FMEA ... 64
7.3 Limitations and disadvantages of FMEA ... 64
7.4 Relationships with other methods ... 66
Annex A (informative) Summary of procedures for FMEA and FMECA ... 70
Annex B (informative) Examples of analyses ... 78
Bibliography ... 92

Figure 1 – Relationship between failure modes and failure effects in a system hierarchy ... 24
Figure 2 – Analysis flowchart ... 38
Figure 3 – Criticality matrix ... 46
Figure A.1 – Example of an FMEA worksheet form ... 76
Figure B.1 – FMEA for part of an automotive electronic device with RPN calculation ... 80
Figure B.2 – Diagram of the subsystems of a motor-generator set ... 82
Figure B.3 – Diagram of the heating envelope, ventilation and cooling systems ... 84
Figure B.4 – FMEA for subsystem 20 ... 86
Figure B.5 – Part of a process FMECA for machine aluminium casting ... 90

Table 1 – Example of a set of general failure modes ... 28
Table 2 – Illustrative example of severity classification for end effects ... 34
Table 3 – Risk/criticality matrix ... 48
Table 4 – Failure mode severity ... 50
Table 5 – Failure mode occurrence related to frequency and probability of occurrence ... 50
Table 6 – Failure mode detection evaluation criteria ... 52
Table 7 – Example of a set of failure effects (for a motor vehicle starter) ... 56
Table 8 – Example of failure effect probabilities ... 56
Table B.1 – Definition and classification of the severity of failure effects on the complete G-M system ... 82

INTERNATIONAL ELECTROTECHNICAL COMMISSION

____________
ANALYSIS TECHNIQUES FOR SYSTEM RELIABILITY –
PROCEDURE FOR FAILURE MODE AND EFFECTS ANALYSIS (FMEA)
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as "IEC Publication(s)"). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.
5) IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any equipment declared to be in conformity with an IEC Publication.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents, including individual experts and members of its technical committees and IEC National Committees, for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of intellectual property rights or similar rights. IEC shall not be held responsible for not having identified such property rights and for not having signalled their existence.

International Standard IEC 60812 has been prepared by IEC technical committee 56: Dependability.
This second edition cancels and replaces the first edition published in 1985 and constitutes a technical revision.
The main changes with respect to the previous edition are as follows:
– introduction of the concepts of failure mode effects and their criticality;
– introduction of methods widely used in the automotive industry;
– addition of references and relationships to other failure mode analysis methods;
– addition of examples;
– provision of guidance on the advantages and disadvantages of the different FMEA methods.
The text of this standard is based on the following documents:

FDIS          Report on voting
56/1072/FDIS  56/1091/RVD

Full information on the voting for the approval of this standard can be found in the report on voting indicated in the above table.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
The committee has decided that the contents of this publication will remain unchanged until the maintenance result date indicated on the IEC web site under "http://webstore.iec.ch" in the data related to the specific publication. At this date, the publication will be
• reconfirmed;
• withdrawn;
• replaced by a revised edition, or
• amended.
ANALYSIS TECHNIQUES FOR SYSTEM RELIABILITY –
PROCEDURE FOR FAILURE MODE AND EFFECTS ANALYSIS (FMEA)
1 Scope
This International Standard describes Failure Mode and Effects Analysis (FMEA) and Failure Mode, Effects and Criticality Analysis (FMECA), and gives guidance as to how they may be applied to achieve various objectives by:
− providing the procedural steps necessary to perform an analysis,
− specifying the relevant terms, assumptions, criticality measures and failure modes,
− determining the basic principles,
− providing examples of the necessary worksheets or other tabular forms.
Since FMECA is a logical continuation of FMEA, all general qualitative remarks relating to one are applicable to the other.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
IEC 60300-3-1:2003, Dependability management – Part 3-1: Application guide – Analysis techniques for dependability – Guide on methodology (available in English only)
IEC 61025, Fault tree analysis (FTA)
IEC 61078, Analysis techniques for dependability – Reliability block diagram method
3 Terms and definitions
For the purposes of this document, the following definitions apply:
3.1
item
any part, component, device, subsystem, functional unit, equipment or system that can be individually considered
NOTE 1 An item may consist of hardware, software or both, and may also in particular cases include people.
NOTE 2 A number of items, e.g. a population of items or a sample, may itself be considered as an item.
[IEV 191-01-01]
A process may also be considered as an item that performs a predetermined function and for which an FMEA or FMECA process may be conducted. Normally, a hardware FMEA does not deal with people and their interactions with hardware/software, whereas a process FMEA normally includes the actions of people.
3.2
failure
termination of the ability of an item to perform a required function
[IEV 191-04-01]
3.3
fault
state of an item characterized by inability to perform a required function, excluding the inability during preventive maintenance or other planned actions, or due to lack of external resources
NOTE 1 A fault is often the result of a failure of the item itself, but may exist without prior failure.
[IEV 191-05-01]
NOTE 2 For historical reasons, the word "fault" is also used in this document in place of the term "failure".
3.4
failure effect
consequence of a failure mode in terms of the operation, function or status of the item
3.5
failure mode
manner in which an item fails
3.6
failure criticality
combination of the severity of an effect and the frequency of its occurrence, or other attributes of a failure, as a measure of the need for treatment or mitigation
3.7
system
set of interrelated or interacting elements

NOTE 1 In the context of dependability, a system will have
a) various purposes expressed in terms of required functions,
b) stated conditions of operation (see 191-01-12),
c) a defined boundary.
NOTE 2 The structure of a system is hierarchical.
[ISO 9000:2000]
3.8
failure severity
significance or grading of the effect of a failure mode on the operation of the item, on the item's environment, or on the item's operator; the severity of the effect of a failure mode is related to the defined boundaries of the analysed system

4 Overview
4.1 Introduction
Failure Mode and Effects Analysis (FMEA) is a systematic, formal procedure for analysing a system in order to identify the potential failure modes, their causes and their effects on system performance (the performance of the assembly immediately above in the hierarchy and of the overall system or process). Here, the term "system" represents hardware, software (with their interactions) or a process.

The analysis is preferably carried out early in the development cycle so that removal or mitigation of the failure mode is most effective. The analysis can be initiated as soon as the system is defined well enough to be represented as a functional block diagram in which the performance of its elements can be defined.

The timing of the FMEA is essential; if it is not done sufficiently early in the development cycle, incorporating the design changes needed to control the deficiencies identified by the FMEA may not be effective. It is therefore important to include the FMEA and its findings in the development plan and schedule. FMEA is thus an iterative process carried out concurrently with the design process.

FMEA is applicable at the various levels of decomposition of a system, from the highest level of the block diagram down to the functions of discrete components and software instructions. FMEA is also an iterative process that is updated as the design progresses. For design changes, the affected parts of the FMEA should be reviewed and updated.

A rigorously conducted FMEA is the product of a team of individuals qualified to identify and evaluate the magnitude and consequences of the various kinds of inadequacy in the product design that could lead to failures. Team work has the advantage of stimulating the thought process and of ensuring the necessary expertise.

FMEA is regarded as a method for identifying the severity of potential failure modes and for introducing measures into the design to reduce risks. However, in some applications FMEA also includes an estimate of the probability of occurrence of the failure modes. This enhances the analysis by providing a measure of the likelihood of the failure mode.

The application of FMEA is preceded by a hierarchical decomposition of the system (hardware and software, or a process) into its most basic elements. The use of simple block diagrams to illustrate this decomposition is useful (IEC 61078). The analysis then begins with the elements at the lowest level. A failure mode effect at a lower level may become a failure cause of a failure mode of an item at the level immediately above. The analysis is carried out from the bottom up until the end effect on the system is identified. Figure 1 illustrates these concepts.

FMECA (Failure Mode, Effects and Criticality Analysis) is an extension of FMEA that includes a means of ranking the failure modes by severity so that countermeasures can be prioritized. This is achieved by combining the severity measure and the frequency of occurrence to provide a metric called criticality.

The principles of FMEA may be applied outside engineering design. The FMEA procedure may be applied to a manufacturing process or to other work processes, such as those in hospitals, medical laboratories, schools, or elsewhere. When FMEA is applied to a manufacturing process, the procedure is identified as process FMEA or PFMEA. For an FMEA to be effective, adequate resources for team work must be allocated. A thorough understanding of the system under analysis is not indispensable for a preliminary FMEA. As the design develops, the detailed analysis of a failure mode requires a thorough knowledge of the design and its specifications. Complex engineering designs generally require the involvement of multiple design expertise domains (e.g. mechanical engineering, electrical engineering, systems engineering, software engineering, maintenance support, etc.).

FMEA generally deals with individual failure modes and the effects of these failure modes on the system. Each failure mode is treated as being independent. The procedure is therefore not suited to considering dependent failures or failures resulting from a sequence of events. Other methods and techniques, such as Markov analysis (see IEC 61165) or Fault Tree Analysis (see IEC 61025), may be needed to analyse these situations.

When determining the impact of a failure, the higher level concerned must be considered – resulting failures and possibly induced failures at the same level. The analysis should mention the possible combination or sequence of failure modes that have been a cause of a higher-level effect. In that case, complementary modelling is required to estimate the magnitude or probability of occurrence of such effects.

FMEA is a flexible tool that can be tailored to meet specific industry or product needs. Specialized worksheets with specific data may be adapted to certain applications. If failure mode severity levels are defined, they may be defined differently for different systems or for different system levels.
4.2 Purpose and objectives of the analysis
The reasons for undertaking failure mode and effects analysis (FMEA) or failure mode, effects and criticality analysis (FMECA) may be the following:
a) to identify failures that have unwanted effects on system operation, e.g. that preclude or significantly degrade operation or affect operator safety;
b) to satisfy a customer's contractual requirements, if applicable;
c) to allow improvements in the reliability or safety of the system (e.g. design changes or quality-assurance actions);
d) to allow improvements in the maintainability of the system (by highlighting areas of risk or non-conformity for maintainability).
Given the reasons above for undertaking an FMEA, the objectives of an FMEA (or FMECA) may be the following:
a) a detailed evaluation and identification of all unwanted effects within the defined boundaries of the system under analysis, and of the sequences of events brought about by each identified item failure mode, whatever its cause, at the various levels of the system's functional hierarchy,
b) the determination of the criticality or of the priority for addressing/mitigating (see Clause 6) each failure mode with respect to the correct function or performance of the system and its impact on the process concerned,
c) a classification of the identified failure modes according to the characteristics in question, including detectability, diagnosability, testability, item replaceability, and operating and compensating provisions (repair, maintenance, logistics, etc.),
d) the identification of system functional failures and the estimation of measures of the severity and probability of failure,
e) the development of a design improvement plan for the reduction of failure modes,
f) support for the development of an effective maintenance plan to mitigate or reduce the probability of failure (see IEC 60300-3-11).

NOTE Where criticality or probability of occurrence is concerned, the comments relate to the FMECA methodology.
5 Failure modes and effects analysis
5.1 General considerations
Historically, the way of carrying out and presenting FMEA has undergone major changes. The analysis is generally performed by identifying the failure modes, their respective causes and their immediate and final effects. The analytical results can be presented on a worksheet containing a core of essential information for the whole system and detailed items specific to that system. This worksheet sets out the ways the system can fail, the components and their failure modes that are at the origin of system failure, and the cause(s) of occurrence of each individual failure mode.
An FMEA applied to complex products can require considerable effort. This effort can sometimes be reduced by recognizing that the design of certain sub-assemblies, or parts of them, is not entirely new, and by identifying the parts of the product design that are a repetition or a modification of a previous design. The new FMEA should make maximum use of the information on existing sub-assemblies. It must also indicate any need for testing or complete analysis of the new items. Once a detailed FMEA has been created for a design, it can be updated and improved for future generations of that design, which involves considerably less effort than the original analysis.
When making use of an FMEA of a previous product version, it is essential to ensure that the reused design is indeed used in the same way and under the same constraints as before. New environmental and operational constraints may require a revision of the previously performed FMEA. Different environmental and operational constraints may require the creation of an entirely new FMEA in view of the new operating conditions.
The FMEA procedure consists of four main steps:
a) establishing the ground rules for the FMEA, and planning and scheduling to ensure that time and expertise are available to carry out the analysis,
b) performing the FMEA using the appropriate worksheets or other means such as a logic diagram or a fault tree,
c) summarizing and reporting the analysis, including the conclusions and recommendations made,
d) updating the FMEA as the development activity progresses.

5.2 Preliminary tasks
5.2.1 Planning the analyses
The FMEA activities, the actions arising from them, the procedures, the links with the other reliability activities, the processes for managing corrective actions and their closure, and the schedules should be integrated into the overall programme plan.
The reliability programme plan should describe the FMEA method to be applied. This description may be a summary or a reference to a source document describing the method.
This plan includes the following points:
− a clear definition of the specific objectives of the analysis and of the expected results;
− the scope of this analysis, i.e. how the FMEA should focus on certain design items. The scope should reflect the maturity of the design and the items of the design that may present risks because they perform a critical function or because the technology is new;
− a description of how this analysis supports the dependability of the overall project;
− the identification of the measures taken for revision control of the FMEA and of its associated documentation. The revision control of the FMEA documentation and the archiving methods should be specified;
− the participation of design experts in the analysis, so that they are available when needed;
− the key dates of the project schedule, clearly indicated, to ensure timely completion of the analysis;
− the manner of closing all actions identified in the process of mitigating the identified failure modes that require to be addressed.
The plan should reflect the consensus of all participants and be approved by project management. The final review of the complete FMEA in the final phase of the design of a product or of its manufacturing process (process FMEA) identifies all the actions recorded for the mitigation of problematic failure modes and the way to close them.
5.2.2 System structure
5.2.2.1 Information on the system structure
The following points must be included in the information on the system structure:
a) the different items of the system with their characteristics, performance, roles and functions,
b) the logical links between items,
c) the level and nature of redundancy,
d) the position and importance of the system within the overall installation (if possible),
e) the inputs and outputs of the system,
f) the changes in the system structure for the various operational modes.
Data on the functions, characteristics and performance are required for all the levels considered, up to the highest, so that the FMEA correctly addresses the failure modes that prevent any of these functions.

5.2.2.2 Defining the system boundary for the analysis
The system boundary constitutes the physical and functional interface between the system and its environment, including the other systems with which the system under analysis interacts. The definition of the system boundary for the analysis should correspond to the boundary as defined for design and maintenance. This should apply at all levels of a system. Systems and/or components located outside the boundary should be explicitly defined for their exclusion.
The design, the intended use, the power source or commercial criteria are more likely to influence the definition of the system boundary than the optimal requirements of the FMEA. However, whenever possible, it is preferable to define the boundaries so as to facilitate the system FMEA and its integration with the other studies in the programme. This is particularly true if the system is functionally complex, with multiple interconnections between the items inside the boundary and various outputs crossing the boundary. In such cases it can be advantageous to define a study boundary from a functional point of view rather than a hardware or software one, in order to reduce the number of input or output data links to other systems. This would tend to reduce the number of system failure effects.
Care should be taken to ensure that the other systems or components outside the boundary of the system concerned are not overlooked, by explicitly stating that they are excluded from the study in question.
5.2.2.3 Levels of analysis
It is important to determine the breakdown of the system into levels that will be used for the analysis. For example, systems can be broken down by function or into subsystems, replaceable units or individual components (see Figure 1). The ground rules for selecting the breakdown of system levels for analysis depend on the desired results and on the availability of design information. The following guidelines are useful.
a) The highest level in the system is selected from the design and from the stated output requirements.
b) The lowest level in the system at which the analysis is effective is the one for which information is available to establish the definition and description of the functions. The selection of the appropriate system level is influenced by previous experience. Less detailed analyses may be justified for a system based on a mature design with a good reliability, maintainability and safety record. Conversely, more detail and a correspondingly lower system level are indicated for any newly designed system or for a system with no reliability history.
c) The specified or intended maintenance and repair level can be a very useful guide for determining the lowest system levels.

[Figure 1 (IEC 2640/05), block hierarchy from top to bottom: System → Subsystems 1 to 5, where the failure of Subsystem 4 is the effect of its failure modes and a cause of system failure; Subsystem 4 → Modules 1 to 4, where the failure of Module 3 is the effect of its failure modes and a cause of Subsystem 4 failure; Module 3 → Parts 1, 2, 5 and further parts whose labels are not recoverable, where the failure of Part 2 is the effect of its failure modes and a cause of Module 3 failure; Part 2 → Modes 1 to 3, where the occurrence of Mode 3 is the effect of its causes; Mode 3 of Part 2 → Causes 1 to 3.]
Figure 1 – Relationship between failure modes and failure effects in a system hierarchy

In FMEA, the definitions of failure modes, failure causes and failure effects depend on the level of analysis and on the system failure criteria. As the analysis progresses, the failure effects identified at the lower level can become failure modes at the higher level. The failure modes at the lower level can become failure causes at the higher level, and so on.
When a system is broken down into items, the effects of one or more failure mode causes constitute a failure mode, which becomes the cause of the effect at the next level up, a part failure. The part failure is thus the cause of a module failure (effect), which is itself a cause of a subsystem failure. The effect of a cause at one system level therefore becomes a cause of another effect at a higher level. The above reasoning is illustrated in Figure 1.
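The bottom-up propagation just described (a mode's effect at one level is looked up as a failure mode one level up, until the end effect on the system is reached) and the FMECA criticality metric introduced in 4.1 (severity combined with occurrence), as an added worked example. This is not IEC 60812's own worksheet or code: the item names follow Figure 1, but the 1 to 10 severity and occurrence scales, the product as the way of combining them, the worksheet entries, and the names `FailureMode`, `effect_chain`, `worksheet_gaps`, `criticality` and `ranked` are all constructed assumptions. It also includes the completeness check a reviewer wants: an effect that has no matching entry one level up is reported as a gap rather than silently becoming an end effect.

```python
"""Constructed FMEA/FMECA model of the Figure 1 hierarchy (added example, not from IEC 60812).

Assumptions: item names follow Figure 1; the 1..10 severity and occurrence scales,
the product severity*occurrence as the criticality metric, the worksheet entries and
all function names are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FailureMode:
    item: str                 # item (indenture level) in which the mode is observed
    mode: str                 # the failure mode itself
    causes: Tuple[str, ...]   # lower-level failure modes, or root causes at the lowest level
    effect: str               # effect at the next higher level, worded as that level's failure mode
    severity: int             # assumed 1..10 scale (10 = most severe end effect)
    occurrence: int           # assumed 1..10 scale (10 = most frequent)


# Child -> parent, following Figure 1 (None marks the top of the system).
HIERARCHY: Dict[str, Optional[str]] = {
    "system": None,
    "subsystem 4": "system",
    "module 3": "subsystem 4",
    "part 2": "module 3",
}

# Constructed worksheet entries, one per failure mode, lowest level first.
# Each mode is treated as independent of the others, as 4.1 states FMEA does.
WORKSHEET: List[FailureMode] = [
    FailureMode("part 2", "mode 3", ("cause 1", "cause 2", "cause 3"), "module 3 failure", 8, 3),
    FailureMode("part 2", "mode 1", ("cause 4",), "module 3 degraded", 4, 5),
    FailureMode("part 2", "mode 2", ("cause 5",), "module 3 noisy output", 2, 4),
    FailureMode("module 3", "module 3 failure", ("mode 3",), "subsystem 4 failure", 8, 3),
    FailureMode("module 3", "module 3 degraded", ("mode 1",), "subsystem 4 degraded", 4, 5),
    FailureMode("subsystem 4", "subsystem 4 failure", ("module 3 failure",), "system failure", 9, 2),
    FailureMode("subsystem 4", "subsystem 4 degraded", ("module 3 degraded",), "system degraded", 5, 5),
]


def _index(worksheet: List[FailureMode]) -> Dict[Tuple[str, str], FailureMode]:
    return {(fm.item, fm.mode): fm for fm in worksheet}


def _is_top_effect(item: str) -> bool:
    """True when the effect of a mode on `item` lands on the top-level system."""
    parent = HIERARCHY[item]
    return parent is None or HIERARCHY[parent] is None


def effect_chain(worksheet: List[FailureMode], item: str, mode: str) -> List[str]:
    """Bottom-up propagation: the effect of a mode at one level is looked up as a
    failure mode one level up, until the end effect on the system is reached.
    A missing entry on the way up is reported as a gap instead of being guessed."""
    idx = _index(worksheet)
    fm = idx[(item, mode)]
    chain: List[str] = []
    while True:
        chain.append(fm.effect)
        if _is_top_effect(fm.item):
            return chain                        # fm.effect is the end effect on the system
        parent = HIERARCHY[fm.item]
        nxt = idx.get((parent, fm.effect))
        if nxt is None:
            chain.append(f"<gap: no entry for '{fm.effect}' on {parent}>")
            return chain
        fm = nxt


def worksheet_gaps(worksheet: List[FailureMode]) -> List[Tuple[str, str, str, str]]:
    """Completeness check: every effect below the top must reappear as a mode one level up.
    Returns (item, mode, parent, missing effect) for each unanalysed effect."""
    idx = _index(worksheet)
    return [(fm.item, fm.mode, HIERARCHY[fm.item], fm.effect)
            for fm in worksheet
            if not _is_top_effect(fm.item) and (HIERARCHY[fm.item], fm.effect) not in idx]


def criticality(fm: FailureMode) -> int:
    """FMECA criticality as 4.1 describes it: severity combined with occurrence.
    The product is an assumed combination; a criticality matrix is another common one."""
    return fm.severity * fm.occurrence


def ranked(worksheet: List[FailureMode], item: str) -> List[Tuple[str, int, List[str]]]:
    """Rank one item's failure modes by criticality, highest first, with each end-effect chain."""
    rows = [(fm.mode, criticality(fm), effect_chain(worksheet, fm.item, fm.mode))
            for fm in worksheet if fm.item == item]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for mode, crit, chain in ranked(WORKSHEET, "part 2"):
        print(f"{mode:8} criticality={crit:3}  " + " -> ".join(chain))
    for gap in worksheet_gaps(WORKSHEET):
        print("unanalysed effect:", gap)
```

Running the block lists Part 2's modes from most to least critical with the chain of effects up to the system, and flags "module 3 noisy output" as an effect that the Module 3 entries never pick up, which is exactly the kind of omission the bottom-up procedure is meant to expose before a mitigation plan is drawn up.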
5.2.2.4 Representation of the system structure
Symbolic representations of the structure and operation of the system, in particular diagrams, are very useful in the analysis.
Simple diagrams highlighting all the essential functions of the system should be created. In the diagram, the blocks are connected by lines representing the inputs and outputs of each function. Generally, the nature of each function and of each input needs to be described precisely. Several diagrams may be needed to cover the different phases of system operation.
As the system design progresses, a component block diagram can be created, with blocks representing the actual components or parts. With this additional knowledge, a more precise identification of potential failure modes and causes becomes possible.
The diagrams should show all series and redundant relationships among the items as well as the functional interdependencies. This allows system functional failures to be traced. More than one diagram may be needed to show the alternative operating modes of the system. Separate diagrams may be needed for each operational mode. As a minimum, the diagram should contain
a) the breakdown of the system into its main subsystems, including the functional relationships,
b) all inputs and outputs, labelled, and the identification numbers by which each subsystem is consistently referenced,
c) all redundancies, alternative signal paths and other engineering features that protect against system failures.
5.2.2.5 System initiation, operation, control and maintenance
The status of the different operating conditions of the system should be specified, as well as the changes in the configuration or position of the system and of its components during the various phases of operation. The minimum performance required of the system should be defined so that the success and/or failure criteria are clearly understood. Specific requirements such as availability or safety should be considered in terms of specified minimum levels to be achieved and maximum levels of damage to be accepted. Precise knowledge of the following is needed:
a) the duration of each function that the system may be required to perform,
b) the time interval between periodic tests,
c) the time available for corrective action before serious consequences for the system,
d) the overall facility, the environment and/or the personnel, including the interfaces and interactions with operators,
e) the operating procedures at system start-up, shutdown and other operational transitions,
f) control during the operational phases,
g) preventive and/or corrective maintenance,
h) the procedures for routine testing, if used.
It is recognized that one of the uses of FMEA is to assist in developing the maintenance strategy. However, if the latter has been predetermined, the information on maintenance facilities, equipment and spare parts should be known for both preventive and corrective maintenance.
5.2.2.6 System environment
The environmental conditions of the system should be specified, including the ambient conditions and those created by other neighbouring systems. The system should be mapped in terms of its relationships, dependencies or interconnections with auxiliary or other systems and with human interfaces.
At the design stage, these facts are generally not all known, and approximations and assumptions will therefore be necessary. As the project progresses, the data will have to be expanded and the FMEA modified to allow for new information, assumptions or approximations. The FMEA will often be useful in defining the required conditions.
5.2.3 Determination of failure modes
Successful operation of a system depends on the ability of certain critical items of the system to function. The key to evaluating the ability of the system to function is the identification of these critical items. The procedures for identifying failure modes, their causes and their effects can be effectively improved by preparing a list of anticipated failure modes in the light of the following:
a) the use of the system,
b) the items of the system concerned,
c) the mode of operation,
d) the relevant operational specifications,
e) the time constraints,
f) the environmental constraints,
g) the functional constraints.
An example of general failure modes is given in Table 1.
Table 1 – Example of a set of general failure modes
1 Failure during operation
2 Failure to operate at a prescribed time
3 Failure to cease operation at a prescribed time
4 Premature operation
NOTE This is only an example. Different lists may be required for different types of systems.
Virtually every type of failure mode can be classified into one or more of these categories. However, these general failure mode categories cover too wide a field for a definitive analysis; e
...


IEC 60812
Edition 2.0 2006-01
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
Analysis techniques for system reliability – Procedure for failure mode
and effects analysis (FMEA)
Techniques d'analyse de la fiabilité du système – Procédure d'analyse
des modes de défaillance et de leurs effets (AMDE)

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or your local IEC member National Committee for further information.


IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Email: inmail@iec.ch
Web: www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the latest edition, a corrigenda or an amendment might have been published.
• Catalogue of IEC publications: www.iec.ch/searchpub
The IEC on-line Catalogue enables you to search by a variety of criteria (reference number, text, technical committee, …). It also gives information on projects, withdrawn and replaced publications.
• IEC Just Published: www.iec.ch/online_news/justpub
Stay up to date on all new IEC publications. Just Published details twice a month all new publications released. Available on-line and also by email.
• Electropedia: www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing more than 20 000 terms and definitions in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical Vocabulary online.
• Customer Service Centre: www.iec.ch/webstore/custserv
If you wish to give us your feedback on this publication or need further assistance, please visit the Customer Service Centre FAQ or contact us:
Email: csc@iec.ch
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00

INTERNATIONAL ELECTROTECHNICAL COMMISSION
PRICE CODE X
ICS 03.120.01; 03.120.30; 21.020
ISBN 2-8318-8425-X

CONTENTS
FOREWORD ... 4
1 Scope ... 6
2 Normative references ... 6
3 Terms and definitions ... 6
4 Overview ... 8
4.1 Introduction ... 8
4.2 Purpose and objectives of the analysis ... 9
5 Failure modes and effects analysis ... 10
5.1 General considerations ... 10
5.2 Preliminary tasks ... 11
5.3 Failure mode, effects, and criticality analysis (FMECA) ... 21
5.4 Report of analysis ... 28
6 Other considerations ... 30
6.1 Common-cause failures ... 30
6.2 Human factors ... 30
6.3 Software errors ... 31
6.4 FMEA regarding consequences of system failure ... 31
7 Applications ... 31
7.1 Use of FMEA/FMECA ... 31
7.2 Benefits of FMEA ... 33
7.3 Limitations and deficiencies of FMEA ... 33
7.4 Relationships with other methods ... 33
Annex A (informative) Summary of procedures for FMEA and FMECA ... 36
Annex B (informative) Examples of analyses ... 40
Bibliography ... 47

Figure 1 – Relationship between failure modes and failure effects in a system hierarchy ... 13
Figure 2 – Analysis flowchart ... 20
Figure 3 – Criticality matrix ... 24
Figure A.1 – Example of the format of an FMEA worksheet ... 39
Figure B.1 – FMEA for a part of automotive electronics with RPN calculation ... 41
Figure B.2 – Diagram of subsystems of a motor generator set ... 42
Figure B.3 – Diagram of enclosure heating, ventilation and cooling systems ... 43
Figure B.4 – FMEA for sub-system 20 ... 44
Figure B.5 – Part of a process FMECA for machined aluminium casting ... 46

Table 1 – Example of a set of general failure modes ... 15
Table 2 – Illustrative example of a severity classification for end effects ... 18
Table 3 – Risk/criticality matrix ... 25
Table 4 – Failure mode severity ... 26
Table 5 – Failure mode occurrence related to frequency and probability of occurrence ... 26
Table 6 – Failure mode detection evaluation criteria ... 27
Table 7 – Example of a set of failure effects (for a motor vehicle starter) ... 29
Table 8 – Example of a failure effects probability ... 29
Table B.1 – Definition and classification of the severity of the effects of failures on the complete M-G system ... 42

INTERNATIONAL ELECTROTECHNICAL COMMISSION

____________
ANALYSIS TECHNIQUES FOR SYSTEM RELIABILITY –

PROCEDURE FOR FAILURE MODE
AND EFFECTS ANALYSIS (FMEA)
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with an IEC Publication.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 60812 has been prepared by IEC technical committee 56:
Dependability.
This second edition cancels and replaces the first edition published in 1985 and constitutes a
technical revision.
The main changes from the previous edition are as follows:
– introduction of the failure modes effects and criticality concepts;
– inclusion of the methods used widely in the automotive industry;
– added references and relationships to other failure modes analysis methods;
– added examples;
– provided guidance of advantages and disadvantages of different FMEA methods.


The text of this standard is based on the following documents:
FDIS: 56/1072/FDIS
Report on voting: 56/1091/RVD
Full information on the voting for the approval of this standard can be found in the report on voting indicated in the above table.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
The committee has decided that the contents of this publication will remain unchanged until the maintenance result date indicated on the IEC web site under "http://webstore.iec.ch" in the data related to the specific publication. At this date, the publication will be
• reconfirmed;
• withdrawn;
• replaced by a revised edition, or
• amended.

ANALYSIS TECHNIQUES FOR SYSTEM RELIABILITY –

PROCEDURE FOR FAILURE MODE
AND EFFECTS ANALYSIS (FMEA)
1 Scope
This International Standard describes Failure Mode and Effects Analysis (FMEA) and Failure Mode, Effects and Criticality Analysis (FMECA), and gives guidance as to how they may be applied to achieve various objectives by
− providing the procedural steps necessary to perform an analysis;
− identifying appropriate terms, assumptions, criticality measures, failure modes;
− defining basic principles;
− providing examples of the necessary worksheets or other tabular forms.
All the general qualitative considerations presented for FMEA will apply to FMECA, since the
latter is an extension of the former.
2 Normative references
The following referenced documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the latest edition
of the referenced document (including any amendments) applies.
IEC 60300-3-1:2003, Dependability management – Part 3-1: Application guide – Analysis
techniques for dependability – Guide on methodology
IEC 61025, Fault tree analysis (FTA)
IEC 61078, Analysis techniques for dependability – Reliability block diagram method
3 Terms and definitions
For the purposes of this document, the following definitions apply.

3.1
item
any part, component, device, subsystem, functional unit, equipment or system that can be
individually considered
NOTE 1 An item may consist of hardware, software or both, and may also in particular cases include people.
NOTE 2 A number of items, e.g. a population of items or a sample, may itself be considered as an item.
[IEV 191-01-01]

A process can also be defined as an item which carries out a predetermined function and for
which a process FMEA or FMECA is carried out. Normally, a hardware FMEA does not
address people and their interactions with hardware/software, while a process FMEA normally
includes actions of people.
3.2
failure
termination of the ability of an item to perform a required function
[IEV 191-04-01]
3.3
fault
state of an item characterized by the inability to perform a required function, excluding the
inability during preventive maintenance or other planned actions, or due to lack of external
resources
NOTE 1 A fault is often the result of a failure of the item itself, but may exist without prior failure.
[IEV 191-05-01]
NOTE 2 In this document “fault” is used interchangeably with the term “failure” for historical reasons.
3.4
failure effect
consequence of a failure mode in terms of the operation, function or status of the item
3.5
failure mode
manner in which an item fails
3.6
failure criticality
combination of the severity of an effect and the frequency of its occurrence or other attributes
of a failure as a measure of the need for addressing and mitigation
3.7
system
set of interrelated or interacting elements
NOTE 1 In the context of dependability, a system will have
a) defined purposes expressed in terms of required functions;
b) stated conditions of operation use (see 191-01-12);
c) a defined boundary.
NOTE 2 The structure of a system is hierarchical.
[ISO 9000:2000]
3.8
failure severity
significance or grading of the failure mode’s effect on item operation, on the item surrounding,
or on the item operator; failure mode effect severity as related to the defined boundaries of
the analysed system

4 Overview
4.1 Introduction
Failure Modes and Effect Analysis (FMEA) is a systematic procedure for the analysis of a
system to identify the potential failure modes, their causes and effects on system performance
(performance of the immediate assembly and the entire system or a process). Here, the term
system is used as a representation of hardware, software (with their interaction) or a process.
The analysis is successfully performed preferably early in the development cycle so that
removal or mitigation of the failure mode is most cost effective. This analysis can be initiated
as soon as the system is defined enough to be presented as a functional block diagram where
performance of its elements can be defined.
FMEA timing is essential; if done early enough in the development cycle, then incorporating
the design changes to overcome deficiencies identified by the FMEA may be cost effective. It
is therefore important that the FMEA task and its deliverables be incorporated into the
development plan and schedule. Thus, FMEA is an iterative process that takes place
concurrently with the design process.
FMEA is applicable at various levels of system decomposition from the highest level of block
diagram down to the functions of discrete components or software commands. The FMEA is
also an iterative process that is updated as the design develops. Design changes will require
that relevant parts of the FMEA be reviewed and updated.
A thorough FMEA is a result of a team composed of individuals qualified to recognize and
assess the magnitude and consequences of various types of potential inadequacies in the
product design that might lead to failures. An advantage of team work is that it stimulates
the thought process and ensures that the necessary expertise is available.
FMEA is considered to be a method to identify the severity of potential failure modes and to
provide an input to mitigating measures to reduce risk. In some applications however, FMEA
also includes an estimation of the probability of occurrence of the failure modes. This
enhances the analysis by providing a measure of the failure mode’s likelihood.
Application of FMEA is preceded by a hierarchical decomposition of the system (hardware
with software, or a process) into its more basic elements. It is useful to employ simple block
diagrams to illustrate this decomposition (IEC 61078). The analysis then starts with lowest
level elements. A failure mode effect at a lower level may then become a failure cause of a
failure mode of an item in the next higher level. The analysis proceeds in a bottom-up fashion
until the end effect on the system is identified. Figure 1 illustrates this relationship.

FMECA (Failure Modes, Effects and Criticality Analysis) is an extension to the FMEA to
include a means of ranking the severity of the failure modes to allow prioritization of
countermeasures. This is done by combining the severity measure and frequency of
occurrence to produce a metric called criticality.
The principles of an FMEA may be applied outside of engineering design. FMEA procedure
can be applied to a manufacturing or any other work process such as in hospitals, medical
laboratories, school systems, or others. When FMEA is applied to a manufacturing process,
this procedure is known in industry as the Process FMEA, or PFMEA. For an FMEA to be
effective, adequate resources for team work have to be committed. A thorough
understanding of the system under analysis may not be essential for a preliminary FMEA.
With development of the design, a detailed failure mode analysis requires thorough knowledge
of the design performance and its specifications. Complex engineering designs usually require
the involvement of multiple areas of design expertise (e.g. mechanical engineering, electrical
engineering, systems engineering, software engineering, maintenance support, etc.).

FMEA generally deals with individual failure modes and the effect of these failure modes on
the system. Each failure mode is treated as independent. The procedure is therefore
unsuitable for consideration of dependent failures or failures resulting from a sequence of
events. To analyse these situations other methods and techniques, such as Markov analysis
(see IEC 61165) or fault tree analysis (see IEC 61025), may be required.
In determining the impact of a failure, one must consider induced or resultant failures at higher
levels and possibly induced failures at the same level. The analysis should indicate,
wherever possible, the combination of failure modes or their sequence that was the cause of a
higher level effect. In that case, additional modelling is required to estimate the magnitude or
probability of occurrence of such an effect.
FMEA is a flexible tool that can be tailored to meet specific industry or product needs.
Specialized worksheets requiring specific entries may be adapted for certain applications. If
severity levels of failure modes are defined, they may be defined differently for different
systems or different system levels.
4.2 Purpose and objectives of the analysis
The reasons for undertaking Failure Mode Effects Analysis (FMEA) or Failure Mode Effects
and Criticality Analysis (FMECA) may include the following:
a) to identify those failures which have unwanted effects on system operation, e.g. preclude
or significantly degrade operation or affect the safety of the user;
b) to satisfy contractual requirements of a customer, as applicable;
c) to allow improvements of the system’s reliability or safety (e.g. by design modifications or
quality assurance actions);
d) to allow improvement of the system’s maintainability (by highlighting areas of risk or
nonconformity for maintainability).
In view of the above reasons for undertaking a FMEA effort, the objectives of an FMEA (or
FMECA) may include the following:
a) a comprehensive identification and evaluation of all the unwanted effects within the
defined boundaries of the system being analysed, and the sequences of events brought
about by each identified item failure mode, from whatever cause, at various levels of the
system’s functional hierarchy;
b) the determination of the criticality or priority for addressing/mitigation (see Clause 6) of
each failure mode with respect to the system’s correct function or performance and the
impact on the process concerned;
c) a classification of identified failure modes according to relevant characteristics, including
their ease of detection, capability to be diagnosed, testability, compensating and operating
provisions (repair, maintenance, logistics, etc.);
d) identification of system functional failures and estimation of measures of the severity and
probability of failure;
e) development of a design improvement plan for mitigation of failure modes;
f) support for the development of an effective maintenance plan to mitigate or reduce the
likelihood of failure (see IEC 60300-3-11).
NOTE When criticality or probability of occurrence is addressed, the comments refer to FMECA methodology.

5 Failure modes and effects analysis
5.1 General considerations
Traditionally there have been wide variations in the manner in which FMEA is conducted and
presented. The analysis is usually done by identifying the failure modes, their respective
causes and immediate and final effects. The analytical results can be presented on a
worksheet that contains a core of essential information for entire system and details
developed for that specific system. It shows the ways the system could potentially fail, the
components and their failure modes that would be the cause of system failure, and the
cause(s) of occurrence of each individual failure mode.
The FMEA effort applied to complex products may be very extensive. This effort can
sometimes be reduced by bearing in mind that the design of some subassemblies or their parts
may not be entirely new, and by identifying parts of the product design that are a repetition or
a modification of a previous product design. The newly constructed FMEA should use
information on those existing subassemblies to the highest possible extent. It must also point
to the need for eventual test or full analysis of the new features and items. Once a detailed
FMEA is created for one design, it can be updated and improved for the succeeding
generations of that design, which requires significantly less effort than an entirely new
analysis.
When using an existing FMEA from a previous product version, it is essential to make sure
that the repeated design is indeed used in the same manner and under the same stresses as
the previous design. The new operational or environmental stresses may require review of the
previously completed FMEA. Different environmental and operational stresses may require an
entirely new FMEA to be created in view of the new operational conditions.
The FMEA procedure consists of the following four main stages:
a) establishment of the basic ground rules for the FMEA and planning and scheduling to
ensure that the time and expertise are available to do the analysis;
b) executing the FMEA using the appropriate worksheet or other means such as logic
diagrams or fault trees;
c) summarizing and reporting of the analysis to include any conclusions and
recommendations made;
d) updating the FMEA as the development activity progresses.


5.2 Preliminary tasks
5.2.1 Planning for the analysis
FMEA activities, follow up activities, procedures, relationship with other reliability activities,
processes for management of corrective actions and for their closure, and milestones, should
be integrated into the overall program plan.
The reliability program plan should describe the FMEA analysis method to be used. This
description may be a summary description or a reference to a source document containing the
method description.
This plan should contain the following points:
− clear definition of the specific purposes of the analysis and expected results;
− the scope of the present analysis in terms of how the FMEA should focus on certain
design elements. The scope should reflect the design maturity, elements of the design
that may be considered to be a risk because they perform a critical function or because of
immaturity of the technology used;
− description of how the present analysis supports the overall project dependability;
− identified measures used for control of the FMEA revisions and the relevant
documentation. Revision control of the analysis documents and worksheets and archive
methods should be specified;
− participation of design experts in the analysis so that they are available when needed;
− key project schedule milestones clearly marked to ensure the analysis is executed in a
timely manner;
− manner of closure of all actions identified in the process of mitigation of identified failure
modes that need to be addressed.
The plan should reflect the consensus of all participants and should be approved by project
management. Final review of the completed FMEA in the final stage of the design of a product
or its manufacturing process (process FMEA) identifies all of the recorded actions for
mitigation of failure modes of concern and the manner of their closure.
5.2.2 System structure
5.2.2.1 Information on system structure
The following items need to be included into the information on system structure:
a) different system elements with their characteristics, performances, roles and functions;
b) logical connections between elements;
c) redundancy level and nature of the redundancies;
d) position and importance of the system within the whole facility (if possible);
e) inputs and outputs of the system;
f) changes in system structure for varying operational modes.
Information pertaining to functions, characteristics and performances is required for all
system levels considered up to the highest level so that the FMEA can properly address failure
modes that preclude any of those functions.


5.2.2.2 Defining system boundary for the analysis
The system boundary forms the physical and functional interface between the system and its
environment, including other systems with which the analysed system interacts. The definition
of the system boundary for the analysis should correspond to the boundary as defined for
design and maintenance. This should apply to a system at any level. Systems and/or
components outside the boundaries should explicitly be defined for exclusion.
The definition of the system boundary is more likely to be influenced by design, intended use,
source of supply, or commercial criteria rather than the optimum requirements of the FMEA.
However, where it is possible to define the boundaries to facilitate the system FMEA and its
integration with other related studies in the programme, such action is preferable. This is
especially so if the system is functionally complex with multiple interconnections between
items within the boundary and multiple outputs crossing the boundary. In such cases it could
be advantageous to define a study boundary from functional rather than hardware and
software point of view to limit the number of input and output links to other systems. This
would tend to reduce the number of system failure effects.
Care should be taken to ensure that other systems or components outside the boundaries of
the subject system are not forgotten, by explicitly stating that they are excluded from the
particular study.
5.2.2.3 Levels of analysis
It is important to determine the indenture level in the system that will be used for the analysis.
For example, systems can be broken down by function or into subsystems, replaceable units,
or individual components (see Figure 1). Ground rules for selecting the system indenture
levels for analysis depend on the results desired and the availability of design information.
The following guidelines are useful.
a) The highest level within the system is selected from the design concept and specified
output requirements.
b) The lowest level within the system at which the analysis is effective is that level for which
information is available to establish definition and description of functions. The selection
of the appropriate system level is influenced by previous experience. Less detailed
analysis may be justified for a system based on a mature design, with a good reliability,
maintainability and safety record. Conversely, greater details and a correspondingly lower
system level are indicated for any newly designed system or a system with unknown
reliability history.
c) The specified or intended maintenance and repair level may be a valuable guide in
determining lower system levels.

[Figure 1 (IEC 2640/05), reproduced here as text: a hierarchy diagram with five levels. The
System's failure modes have subsystem failures as their causes (Subsystems 1 to 5; the effect
traced is Subsystem 4 failure). Subsystem 4's failure modes have module failures as their
causes (Modules 1 to 4; the effect traced is Module 3 failure). Module 3's failure modes have
part failures as their causes (Parts 1 to 5; the effect traced is Part 2 failure). Part 2's failure
modes (Modes 1 to 3; the effect traced is the occurrence of failure Mode 3) have the Part 2,
Mode 3 failure causes (Causes 1 to 3) at the bottom of the hierarchy.]
Figure 1 – Relationship between failure modes and failure effects in a system hierarchy


In the FMEA, the definitions of failure modes, failure causes and failure effects depend on the
level of analysis and system failure criteria. As the analysis progresses, the failure effects
identified at the lower level may become failure modes at the higher level. The failure modes
at the lower level may become the failure causes at the higher level, and so on.
When a system is broken down into its elements, the effects of one or more failure mode
causes produce a failure mode, which in turn is a cause of the higher level effect, a part failure.
The part failure is then the cause of a module failure (effect), which in itself is a cause of a
subsystem failure. The effect of a cause at one system level thus becomes a cause of another
effect at a higher level. The above rationale is shown in Figure 1.
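As an added example (not part of IEC 60812), the following Python model carries the bottom-up cause, mode and effect relationship of 4.1 and 5.2.2.3 (Figure 1) through a constructed system decomposition, flags lower-level effects that were never carried up as a failure mode at the next level, and ranks the lowest-level modes by a criticality taken as end-effect severity multiplied by probability of occurrence. The item names, failure modes, severity grading and probabilities are all assumed, and the product formula is this example's assumption, since the standard only says that severity and frequency are combined.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]  # (item, failure mode) identifies one worksheet entry


@dataclass
class FailureMode:
    item: str                 # item the mode belongs to, e.g. "Capacitor C2"
    mode: str                 # manner in which the item fails
    local_effect: str         # effect on the item itself
    severity: int             # 1 (minor) .. 4 (catastrophic); assumed grading
    effect_on: Optional[Key] = None  # mode of the next higher item that this
                                     # mode causes; None = system end effect
    causes: List[str] = field(default_factory=list)  # likely lower-level causes
    probability: float = 0.0  # probability of occurrence (assumed values)


def build_index(modes: List[FailureMode]) -> Dict[Key, FailureMode]:
    index = {(m.item, m.mode): m for m in modes}
    assert len(index) == len(modes), "duplicate (item, mode) worksheet entry"
    return index


def dangling_effects(index: Dict[Key, FailureMode]) -> List[Key]:
    """Entries whose next-level effect has no failure mode entry above it:
    the effect was never carried up, so the worksheet is incomplete."""
    return sorted(k for k, m in index.items()
                  if m.effect_on is not None and m.effect_on not in index)


def effect_chain(index: Dict[Key, FailureMode], start: Key) -> List[Key]:
    """Follow cause -> mode -> effect upward from `start` to the system end
    effect, as in Figure 1. A hierarchy is a tree, so a cycle is an error."""
    chain, nxt = [start], index[start].effect_on
    while nxt is not None:
        if nxt in chain:
            raise ValueError(f"cycle in hierarchy at {nxt}")
        if nxt not in index:
            raise KeyError(f"effect {nxt} has no failure mode entry")
        chain.append(nxt)
        nxt = index[nxt].effect_on
    return chain


def lowest_level(index: Dict[Key, FailureMode]) -> List[Key]:
    """Entries no other entry points at: where the bottom-up analysis starts."""
    referenced = {m.effect_on for m in index.values() if m.effect_on}
    return [k for k in index if k not in referenced]


def worksheet(index: Dict[Key, FailureMode]) -> List[dict]:
    """FMECA rows for the lowest-level modes, ranked by criticality, taken
    here as end-effect severity x probability of occurrence (the product is
    this example's assumption; the standard only says the two are combined)."""
    rows = []
    for key in lowest_level(index):
        m, end = index[key], index[effect_chain(index, key)[-1]]
        rows.append({"item": m.item, "mode": m.mode, "causes": m.causes,
                     "local_effect": m.local_effect,
                     "end_effect": end.local_effect, "severity": end.severity,
                     "probability": m.probability,
                     "criticality": end.severity * m.probability})
    rows.sort(key=lambda r: r["criticality"], reverse=True)
    return rows


def sample_index() -> Dict[Key, FailureMode]:
    """Constructed sample: a controller's power supply and status indicator
    decomposed system -> subsystem -> module -> part, as in Figure 1."""
    ctl, psu, ind, reg, flt = ("Controller", "Power supply",
                               "Indicator module", "Regulator board",
                               "Input filter")
    return build_index([
        FailureMode(ctl, "loss of control output", "control output lost", 4),
        FailureMode(ctl, "loss of status indication", "no status shown", 1),
        FailureMode(psu, "no output voltage", "supply rail at 0 V", 3,
                    (ctl, "loss of control output")),
        FailureMode(ind, "no indication", "LED dark", 1,
                    (ctl, "loss of status indication")),
        FailureMode(reg, "output stuck at 0 V", "regulator not switching", 3,
                    (psu, "no output voltage")),
        FailureMode(flt, "open input path", "no input current", 3,
                    (psu, "no output voltage")),
        FailureMode("Capacitor C2", "short circuit", "rail shorted", 3,
                    (reg, "output stuck at 0 V"),
                    ["dielectric breakdown", "overvoltage stress"], 0.002),
        FailureMode("Fuse F1", "opens prematurely", "input open", 3,
                    (flt, "open input path"),
                    ["wrong rating fitted", "inrush current"], 0.005),
        FailureMode("LED D1", "fails to illuminate", "LED dark", 1,
                    (ind, "no indication"), ["bond wire fatigue"], 0.010),
    ])
```

Running `worksheet(sample_index())` ranks Fuse F1 first: its end effect carries severity 4 and it is the most probable of the three lowest-level modes, while the capacitor short, with the same end effect but a lower probability, ranks last.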

5.2.2.4 Representation of system structure
Symbolic representations of the system structure and operation, especially diagrams, are very
useful to aid the analysis.
Simple diagrams should be created, highlighting all the functions essential to the system. In
the diagram, the blocks are linked together by lines that represent the inputs and outputs for
each function. Usually, the nature of each function and each input needs to be precisely
described. There may be several diagrams to cover different phases of system operation.
As the system design progresses, a component block diagram can be created with blocks
representing actual components or parts. With this additional knowledge more precise
identification of potential failure modes and causes becomes possible.
The diagrams should display any series and redundant relationships among the elements and
the functional interdependencies between them. This allows the functional failures to be
tracked through the system. More than one diagram may be needed to display the alternative
modes of system operation. Separate diagrams may be required for each operational mode.
As a minimum, the block diagram should contain the following:
a) breakdown of the system into major subsystems including functional relationships;
b) all appropriately labelled inputs and outputs and identification numbers by which each
subsystem is consistently referenced;
c) all redundancies, alternative signal paths and other engineering features which provide
protection against system failures.
5.2.2.5 System initiation, operation, control and maintenance
The status of the different operating conditions of the system should be specified, as well as
the changes in the configuration or the position of the system and its components during the
different operational phases. The minimum performances demanded of the system should be
defined such that success and/or failure criteria can be clearly understood. Such specific
requirements as availability or safety should be considered in terms of specified minimum
levels of performance to be achieved and maximum levels of damage or harm to be accepted.
It is necessary to have an accurate knowledge of
a) the duration of each function the system may be called upon to perform;
b) the time interval between periodic tests;
c) the time available for corrective action before serious consequences occur to the system;
d) the entire facility, the environment and/or the personnel, including interfaces and
interactions with operators;
e) operating procedures during system start-up, shut-down and other operational transitions;
f) control during the operational phases;
g) preventive and/or corrective maintenance;
h) procedures for routine testing, if employed.
It has been stated that one of the uses of FMEA is to assist in the development of the
maintenance strategy. However, if the latter has been pre-determined, information on
maintenance facilities, equipment and spares should be known for both preventive and
corrective maintenance.
5.2.2.6 System environment
The environmental conditions of the system should be specified, including ambient conditions
and those created by other systems in the vicinity. The system should be delineated with
respect to its relationships, dependencies, or interconnections with auxiliary or other systems
and human interfaces.
At the design stage these facts are usually not all known and therefore approximations and
assumptions will be needed. As the project progresses, the data will have to be augmented
and the FMEA modified to allow for new information or changed assumptions or
approximations. Often the FMEA will be helpful in defining the required conditions.
5.2.3 Failure mode determination
Successful operation of a given system is subject to the performance of certain critical system
elements. The key to evaluation of system performance is the identification of those critical
elements. The procedures for identifying failure modes, their causes and effects can be
effectively enhanced by the preparation of a list of failure modes anticipated in the light of the
following:
a) the use of the system;
b) the particular system element involved;
c) the mode of operation;
d) the pertinent operational specifications;
e) the time constraints;
f) the environmental stresses;
g) the operational stresses.
An example list of general failure modes is given in Table 1.
Table 1 – Example of a set of general failure modes
1 Failure during operation
2 Failure to operate at a prescribed time
3 Failure to cease operation at a prescribed time
4 Premature operation
NOTE This listing is an example only. Different lists would be required for different types of systems.


Virtually every type of failure mode can be classified into one or more of these categories.
However, these general failure mode categories are too broad in scope for definitive analysis;
consequently, the list needs to be expanded to make the categories more specific. When used
in conjunction with performance specifications governing the inputs and outputs on the
reliability block diagram, all potential failure modes can be identified and described. It should
be noted that a given failure mode may have several causes.
It is important that evaluation of all items within the system boundaries at the lowest level
commensurate with the objectives of the analysis is undertaken to identify all potential
failure modes. Investigation to determine possible failure causes and also failure effects on
subsystem and system function can then be undertaken.

Item suppliers should identify the potential item failure modes within their products. To assist
this function typical failure mode data can be sought from the following areas:
a) for new items, reference can be made to other items with similar function and structure
and to the results of tests performed on them under appropriate stress levels;
b) for new items, the design intent and detailed functional analysis yields the potential failure
modes and their causes. This method is preferred to the one in a), because the stresses
and the operation itself might be different from the similar items. An example of this
situation may be the use of a signal processor different than the one used in the similar
design;
c) for items in use, in-service records and failure data may be consulted;
d) potential failure modes can be deduced from functional and physical parameters typical of
the operation of the item.
It is important that item failure modes are not omitted for lack of data and that initial estimates
are improved by test results and design progression. The FMEA should record the status of
such estimates.
The identification of failure modes and, where necessary, the determination of remedial
design actions, preventive quality assurance actions or preventive maintenance actions is
of prime importance. It is more important to identify and, if possible, to mitigate the effects of
failure modes by design measures than to know their probability of occurrence. When it is
difficult to assign priorities, criticality analysis may be required.
5.2.4 Failure causes
The most likely causes for each potential failure mode should be identified and described.
Since a failure mode can have more than one cause, the most likely potential independent
causes for each failure mode need to be identified and described.

The identification and description of failure causes is not always necessary for all failure
modes identified in the analysis. Identification and description of failure causes, as well as
suggestions for their mitigation should be done on the basis of the failure effects and their
severity. The more severe the effects of failure modes, the more accurately failure causes
should be identified and described. Otherwise, the analyst may dedicate unnecessary effort
on the identification of failure causes of such failure modes that have no or a very minor effect
on
...


Frequently Asked Questions

IEC 60812:2006 is a standard published by the International Electrotechnical Commission (IEC). Its full title is "Analysis techniques for system reliability - Procedure for failure mode and effects analysis (FMEA)". It describes Failure Mode and Effects Analysis (FMEA) and Failure Mode, Effects and Criticality Analysis (FMECA), and gives guidance as to how they may be applied to achieve various objectives by: providing the procedural steps necessary to perform analysis; identifying appropriate terms; defining basic principles; providing examples of the necessary worksheets or other tabular forms.


IEC 60812:2006 is classified under the following ICS (International Classification for Standards) categories: 03.120.01 - Quality in general; 03.120.30 - Application of statistical methods; 21.020 - Characteristics and design of machines, apparatus, equipment. The ICS classification helps identify the subject area and facilitates finding related standards.

IEC 60812:2006 has the following relationship with other standards: it is linked to IEC 60812:2018. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
