POSTED ON: 2/22/2010
Guide for Application of Optical Current and Voltage Systems for Protective Relaying
Section 8 – Reliability and Failure Mode

Overview:

An optical current and voltage sensing system provides information for protective relaying to respond during system events. When compared to traditional iron-core voltage and current transformers, the output signals from optical devices are typically generated using electronics operating in both high voltage and low voltage environments. As these signals are conditioned in some manner, the designer has to provide sub-systems containing both electronic and optical components.

All control systems are nominally designed to provide long life and to minimize the rate of failure. However, unless a system is designed to military specifications (or other?), there will be a point in time at which the system does not perform as originally designed. One method to determine what may happen over time, and what steps can be taken to reduce or eliminate the chance that a problem will occur, is to perform a Failure Modes and Effects Analysis (FMEA) at the system level.

For an optical current and voltage sensing system, there are three main components:

- Sensor head assembly
- Interconnection wiring
- Ground level signal conditioning and output ac driver

Each of these components can be assessed for its likelihood of a problem by performing the FMEA on both the individual components and the complete current and voltage sensing system. An example of an FMEA is shown below.

Need input from manufacturers regarding the types of failure modes expected and how they are mitigated by using hardware and software in the design. What does the customer see when a failure occurs, and how does this change in performance impact system accuracy, protection elements, and power system reliability?
Reference Information:

Guidelines for Auditing FMEAs per QS 9000 (Source: Potential Failure Mode and Effects Analysis (FMEA) Reference Manual (AIAG), Feb. 1996)

Failure Modes and Effects Analysis (FMEA) is a systematic, proactive method of evaluating a process. An FMEA identifies the opportunities for failure, or "failure modes," in each step of the process. Each failure mode gets a numeric score that quantifies (a) the likelihood that the failure will occur, (b) the likelihood that the failure will be detected, and (c) the amount of harm or damage the failure mode may cause to a person or to equipment. The product of these three scores is the Risk Priority Number (RPN) for that failure mode. The sum of the RPNs for the failure modes is the overall RPN for the process. As an organization works to improve a process, it can anticipate and compare the effects of proposed changes by calculating hypothetical RPNs of different scenarios. The RPN is a measure for comparison within one process only; it is not a measure for comparing risk between processes or organizations.

9 November 2006 Page 1 of 5 B. Mugalian

A formula is used to determine what actions are needed. The Risk Priority Number, or RPN, is a numeric assessment of risk assigned to a process, or steps in a process, as part of Failure Modes and Effects Analysis (FMEA), in which a team assigns each failure mode numeric values that quantify likelihood of occurrence, likelihood of detection, and severity of impact.

RPN = Risk Priority Number = Severity x Occurrence x Detection

The RPN value should dictate when a company should take corrective action. This depends on business practices, product usage, cost to change, and customer acceptance. In most cases, corrective actions should be taken when the RPN exceeds 50.
Severity Evaluation Criteria

| Effect | Criteria: Severity of Effect | Rank |
|---|---|---|
| Hazardous - without warning | Very high severity ranking when a potential failure mode affects safe vehicle operation and/or involves noncompliance with government regulation without warning | 10 |
| Hazardous - with warning | Very high severity ranking when a potential failure mode affects safe vehicle operation and/or involves noncompliance with government regulation with warning | 9 |
| Very High | Vehicle/item inoperable, with loss of primary function. | 8 |
| High | Vehicle/item operable, but at reduced level of performance. Customer dissatisfied. | 7 |
| Moderate | Vehicle/item operable, but Comfort/Convenience item(s) inoperable. Customer experiences discomfort. | 6 |
| Low | Vehicle/item operable, but Comfort/Convenience item(s) operable at reduced level of performance. Customer experiences some dissatisfaction. | 5 |
| Very Low | Fit & finish/Squeak & Rattle item does not conform. Defect noticed by average customers. | 4 |
| Minor | Fit & finish/Squeak & Rattle item does not conform. Defect noticed by most customers. | 3 |
| Very Minor | Fit & finish/Squeak & Rattle item does not conform. Defect noticed by discriminating customers. | 2 |
| None | No effect. | 1* |

*Note: Zero (0) rankings for Severity, Occurrence or Detection are not allowed

Suggested Occurrence Evaluation Criteria

| Rank | CPK | Failure Rates | Probability of Failure |
|---|---|---|---|
| 10 | > 0.33 | > 1 in 2 | Very High: Failure almost inevitable |
| 9 | > 0.33 | 1 in 3 | Very High: Failure almost inevitable |
| 8 | > 0.51 | 1 in 8 | High: Repeated failures |
| 7 | > 0.67 | 1 in 20 | High: Repeated failures |
| 6 | > 0.83 | 1 in 80 | Moderate: Occasional failures |
| 5 | > 1.00 | 1 in 400 | Moderate: Occasional failures |
| 4 | > 1.17 | 1 in 2000 | Moderate: Occasional failures |
| 3 | > 1.33 | 1 in 15 000 | Low: Relatively few failures |
| 2 | > 1.50 | 1 in 150 000 | Low: Relatively few failures |
| 1* | > 1.67 | < 1 in 1 500 000 | Remote: Failure is unlikely |

*Note: Zero (0) rankings for Severity, Occurrence or Detection are not allowed

Suggested Detection Evaluation Criteria

| Detection | Criteria | Rank |
|---|---|---|
| Absolute Uncertainty | Design Control will not and/or cannot detect a potential cause/mechanism and subsequent failure mode; or there is no Design Control. | 10 |
| Very Remote | Very Remote chance the Design Control will detect a potential cause/mechanism and subsequent failure mode. | 9 |
| Remote | Remote chance the Design Control will detect a potential cause/mechanism and subsequent failure mode. | 8 |
| Very Low | Very Low chance the Design Control will detect a potential cause/mechanism and subsequent failure mode. | 7 |
| Low | Low chance the Design Control will detect a potential cause/mechanism and subsequent failure mode. | 6 |
| Moderate | Moderate chance the Design Control will detect a potential cause/mechanism and subsequent failure mode. | 5 |
| Moderately High | Moderately High chance the Design Control will detect a potential cause/mechanism and subsequent failure mode. | 4 |
| High | High chance the Design Control will detect a potential cause/mechanism and subsequent failure mode. | 3 |
| Very High | Very High chance the Design Control will detect a potential cause/mechanism and subsequent failure mode. | 2 |
| Almost Certain | Design Controls will almost certainly detect a potential cause/mechanism and subsequent failure mode. | 1* |

*Note: Zero (0) rankings for Severity, Occurrence or Detection are not allowed

Checklist items for review:

1. Is there evidence that a cross-functional team was used to develop the FMEA?
2. Is the FMEA header completely filled out with a tracking number, the component or (sub) system name, design responsible activity, preparer’s name, model year and vehicle (if known), the initial FMEA due date, the date the original FMEA was compiled, the latest revision date and names/departments of team members?
3. Is the FMEA that is being audited the latest revision level?
4. Potential Failure Mode – Is there at least one failure mode listed for every function?
5. Potential Effects of Failure – Are the effects of the failure defined and are they defined in terms of what the internal or vehicle level external customer might notice?
6. Severity – Is the severity (or seriousness) of the potential effect of the failure rated? (See Definitions provided above.)
7. Classification – Are the significant and critical characteristics identified in this column? (Blanks are allowed.) (See Special Characteristics model on other side.)
8. Potential Causes/Mechanisms of Failure – Is there at least one potential cause of failure listed for every failure mode?
9. Occurrence – Has an occurrence ranking been assigned to each of the potential causes/mechanisms of failure? (See Definitions provided above.)
10. Current Design Controls – Are prevention, design validation/verification (DV) or other activities listed which will maximize design adequacy of the failure mode and/or cause mechanism?
11. Detection – Is there a detection ranking that assesses the ability of the design controls to detect a potential cause/mechanism or the ability of the design controls to detect the subsequent failure mode before the component or (sub) system is released for production? (See Definitions provided above.)
12. RPN – Has the RPN been calculated by multiplying S x O x D?
13. Recommended Actions – Have actions been identified for potential significant and critical characteristics and to lower the risk of the higher RPN failure modes? Has “none” been entered in the column if no actions are recommended?
14. Responsibility – Has an individual, SBU and target completion date been entered in columns where an action has been recommended? (Blanks are OK when no action is recommended.)
15. Actions Taken – Has a brief description of the actual action and effective date been entered after the action has been taken? (Blanks are OK when no action is recommended.)
16. Resulting severity, occurrence, detection and RPN – Have the new severity, occurrence, detection and RPN numbers been entered after an action has been completed and verified?
17. Has the design responsible engineer implemented or adequately addressed the recommended action?

Example of an FMEA spreadsheet:

| ID No. | Function | Failure Mode | Cause | Effect | Current Controls | Initial Risk S | Initial Risk O | Initial Risk D | Initial Risk RPN | Mitigation Type | Mitigation Reference | Residual Risk S | Residual Risk O | Residual Risk D | Residual Risk RPN |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Sensor head output | No signal | Component or assembly defect | Incorrect output | | | | | | Hardware | Add redundant output | | | | |
| 2 | Power Supply with low voltage power regulators including 5.0V, 3.3V, 2.5V, 1.9V. Including a supervisor circuit. | Loss of power | Voltage Regulator Failure or associated component failure | CPU board goes into reset and halts execution | The supervisor circuit detects loss of any of the four voltages and resets the CPU. Once all four voltages are regained to the proper level, the CPU is released out of reset. | 8 | 2 | 2 | 32 | | | | | | |
| 3 | MCU Processor | No Communications | Failure in MCU, Bad Memory, Bad device | No External Communications | a) Watchdog timer b) Flash Checksum c) Power on Self test d) I/O pad check e) Peripheral/Address Check | 5 | 2 | 3 | 30 | Software | MCU should test memory on power on and test memory as a background test | 1 | 1 | 2 | 2 |
| 4 | Fiber optic cable interconnection | No signal | Bad termination due to contamination, broken fiber due to stress or other cause | No output | | | | | | Hardware | Include additional fiber cable | | | | |
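An added example (not part of the original guide) that audits worksheet rows against the rules stated above: ranks from 1 to 10 with zero not allowed, RPN = S x O x D (checklist item 12), corrective action when the RPN exceeds 50, and residual ratings entered once an action is taken (item 16). The Row structure, function names and finding texts are assumptions; rows 1-4 follow the example spreadsheet and rows 5-6 are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

RPN_ACTION_THRESHOLD = 50           # page: act "when the RPN exceeds 50"
Rating = Tuple[int, int, int, int]  # (S, O, D, recorded RPN)

@dataclass
class Row:
    id_no: int
    function: str
    initial: Optional[Rating] = None
    mitigation: str = ""
    residual: Optional[Rating] = None

def check_rating(label: str, rating: Rating) -> list:  # one S/O/D/RPN group
    s, o, d, recorded = rating
    findings = [f"{label} {name}={rank} is outside 1-10"   # zero is not allowed
                for name, rank in (("S", s), ("O", o), ("D", d))
                if not 1 <= rank <= 10]
    if recorded != s * o * d:                      # checklist item 12
        findings.append(f"{label} RPN recorded as {recorded}, S x O x D = {s * o * d}")
    if s * o * d > RPN_ACTION_THRESHOLD:
        findings.append(f"{label} RPN {s * o * d} exceeds {RPN_ACTION_THRESHOLD}")
    return findings

def audit(rows) -> dict:  # row ID -> findings; clean rows are left out
    report = {}
    for row in rows:
        findings = []
        if row.initial is None:                    # checklist items 6, 9, 11
            findings.append("initial S/O/D not rated")
        else:
            findings += check_rating("initial", row.initial)
        if row.residual is not None:
            findings += check_rating("residual", row.residual)
        elif row.mitigation:                       # checklist item 16
            findings.append("action listed, residual ratings not entered")
        if findings:
            report[row.id_no] = findings
    return report

SAMPLE_ROWS = [  # rows 1-4 follow the page's spreadsheet; rows 5-6 are constructed
    Row(1, "Sensor head output", mitigation="Add redundant output"),
    Row(2, "Power supply", initial=(8, 2, 2, 32)),
    Row(3, "MCU processor", (5, 2, 3, 30), "Power-on and background memory test", (1, 1, 2, 2)),
    Row(4, "Fiber optic cable", mitigation="Include additional fiber cable"),
    Row(5, "Constructed: zero rank", initial=(7, 0, 4, 28)),
    Row(6, "Constructed: high RPN", initial=(6, 3, 4, 72)),
]
```

Running `audit(SAMPLE_ROWS)` leaves rows 2 and 3 out of the report and lists rows 1 and 4 as unrated with an open action.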