Saturday, November 5, 2011

Why Understanding Annex F and FMECA Is Important

In accordance with NFPA 70E® Section 110.3(F), an electrical safety program should include a hazard identification and risk assessment procedure. This procedure is to be used before work is started within the limited approach boundary or within the arc flash boundary under certain conditions. The conditions are that there are energized electrical conductors and circuit parts operating at 50 volts or more, or that an electrical hazard exists. From the pertinent definition of exposed and of limited approach boundary in Article 100, there is no limited approach boundary if the energized conductors or circuit parts operating at 50 volts or more are suitably guarded, isolated or insulated. The determination of the arc flash boundary is independent of the determination of the shock hazard boundaries. Finally, the electrical safety plan is to identify the process by which an employee can identify hazards and assess risks before work is started, including potential risk mitigation strategies.

Informational Note 2 to 110.3(F) refers to Informative Annex F, Hazard Analysis, Risk Estimation, and Risk Evaluation Procedure. Informative Annex F provides guidance on a qualitative approach to risk assessment, including risk estimation and risk evaluation. This procedure can be seen as being related to the failure mode, effects, and criticality analysis (FMECA) method, which was developed by the U.S. military, described in 1949 in the U.S. Armed Forces Military Procedures document MIL-P-1629[1], and revised in 1980 as MIL-STD-1629A[2]. Having a basic understanding of some of the terms used in FMECA may be helpful in understanding Informative Annex F and the procedures and processes described in that annex. Hazard identification can be seen as a form of failure mode identification, determining the severity of the harm can be seen as a form of effects analysis, and risk determination can be seen as a form of criticality analysis. Following are some terms from FMECA that have been modified or adapted for electrical safety:

Failure (Electrical Safety). For our purposes, a failure is the loss of an intended safety function of the electrical system equipment or components or a failure in the electrical safety procedures or a human error that, under stated conditions, resulted in an electrical safety incident or near miss of an electrical safety incident.

Failure Mode (Electrical Safety). Failure mode is the manner in which the electrical safety failure occurred; it describes the way the safety failure came about rather than its cause or its consequences.

Failure Effect (Electrical Safety). Failure effect is the immediate consequence of an electrical safety failure. It is the result of an electrical safety failure mode on the function of the electrical safety system as perceived by the user.

Failure Cause. The defect or defects which are the underlying cause of the electrical safety failure or which started a process that led to the electrical safety failure.

Severity. Severity is the consequences of a failure mode. Severity considers the worst potential consequences of a failure, determined by the degree of injury, property damage, or system damage that can ultimately occur. For purposes of electrical safety, we are mainly concerned with the degree of injury.

The qualitative determination of risk under the procedures and process described in Informative Annex F uses ordinal numbers, just as under FMECA as modified by the automotive industry[3]. Since ordinal numbers are used to determine risk, the effects and limitations of using ordinal numbers to determine risk should be understood. See the related article on necplus, Some Limitations of Using a Qualitative Method to Determine Risk (Risk Priority Number or Risk Priority Ranking), for more information on this subject. Under FMECA as modified by the automotive industry[3], risk is prioritized based on the Risk Priority Number (RPN) determined, which takes into consideration how serious the consequences are, how frequently they occur, and how easily they can be detected. The RPN evaluation approach may be seen as a qualitative method of criticality analysis or as an alternative evaluation approach to criticality analysis. Under FMECA as modified by the automotive industry[3], the risk priority number is determined by the following equation:

RPN = SN x ON x DN

where:

SN = Severity number

ON = Occurrence number

DN = Detection number

The RPN technique can be tailored to other types of applications. Under the procedures and processes of Informative Annex F, risk can be determined using the following equation:

Risk = Se x Po

where:

Risk = Risk related to the identified hazard/task pair

Se = Severity of the possible harm

Po = Probability of occurrence of that harm

The similarity between FMECA and this RPN technique can be seen by comparing the above equations. The difference is that the Annex F risk equation has no detection number (DN); only severity and probability of occurrence are considered. The determination of risk under Informative Annex F can therefore be seen as a modification of the RPN technique or of criticality analysis.

The purpose of determining risk is the same as the purpose of determining an RPN: to establish a ranking order for taking corrective action. A failure mode and effects analysis documents the current state of knowledge and the actions taken regarding the risk of failures.

The results of FMECA and of hazard identification and risk assessment should serve the same purpose: developing actions to prevent failures or to reduce their severity or likelihood, starting with the highest-priority ones.

Both RPN and FMECA may be used to evaluate risk management priorities (to mitigate known vulnerabilities), and both help select remedial actions to reduce the cumulative impacts of risks (life-cycle consequences) from a fault (system failure). Therefore, one may want to consider using the term risk priority number rather than risk. Regardless of the resulting determined risk or RPN, special attention should be given when a high severity has been determined. The related article on necplus, Risk Assessment (Risk or Risk Priority Number Assessment), will help explain how to determine a risk score or rather a risk priority number for an electrical hazard/task pair.
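The two equations above, the ranking they produce, and the two cautions in this article (ordinal products from very different severity/occurrence combinations can coincide, and a high severity deserves attention regardless of the resulting score) can be seen together in a small worked example. The code below is added here for illustration and is not part of the original article, NFPA 70E, or SAE J1739. It assumes a 1..10 ordinal scale for every rating and a "high severity" threshold of 8; both are constructed assumptions, as are the hazard/task pairs, and Annex F and SAE J1739 define their own scales and descriptors.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HazardTaskPair:
    """One hazard/task pair with its ordinal ratings (constructed for this example)."""
    task: str
    hazard: str
    severity: int    # Se in Annex F, SN in the automotive RPN
    occurrence: int  # Po in Annex F, ON in the automotive RPN
    detection: int   # DN, used only by the automotive RPN


# Assumed ordinal scale; Annex F and SAE J1739 define their own.
SCALE = range(1, 11)


def _rating(value, name):
    """Reject anything outside the ordinal scale so a typo cannot silently inflate a score."""
    if value not in SCALE:
        raise ValueError(f"{name} must be an ordinal in {SCALE.start}..{SCALE.stop - 1}, got {value}")
    return value


def rpn(pair):
    """Automotive-style Risk Priority Number: RPN = SN x ON x DN."""
    return _rating(pair.severity, "SN") * _rating(pair.occurrence, "ON") * _rating(pair.detection, "DN")


def annex_f_risk(pair):
    """Annex F qualitative risk: Risk = Se x Po (no detection term)."""
    return _rating(pair.severity, "Se") * _rating(pair.occurrence, "Po")


def rank(pairs, score, high_severity=8):
    """Order pairs for corrective action: highest score first, severity breaks ties.

    Returns (pair, score, flagged) tuples; flagged is True when severity is at or above
    the assumed high-severity threshold, whatever the product came out to.
    """
    ordered = sorted(pairs, key=lambda p: (score(p), p.severity), reverse=True)
    return [(p, score(p), p.severity >= high_severity) for p in ordered]


def score_collisions(pairs, score):
    """Group pairs whose ordinal products coincide.

    This is the limitation of multiplying ordinals: Se=9, Po=1 and Se=3, Po=3 both give 9,
    yet they describe very different situations.
    """
    groups = {}
    for p in pairs:
        groups.setdefault(score(p), []).append(p)
    return {s: g for s, g in groups.items() if len(g) > 1}


# Constructed sample pairs; the ratings are illustrative, not from any standard.
SAMPLE = [
    HazardTaskPair("Rack out breaker", "arc flash", severity=9, occurrence=1, detection=2),
    HazardTaskPair("Verify absence of voltage", "shock", severity=3, occurrence=3, detection=5),
    HazardTaskPair("Replace fuse in live panel", "arc flash", severity=8, occurrence=4, detection=3),
    HazardTaskPair("Reset tripped breaker", "shock", severity=2, occurrence=5, detection=1),
]


def main():
    for label, score in (("Annex F Risk = Se x Po", annex_f_risk), ("RPN = SN x ON x DN", rpn)):
        print(label)
        for pair, value, flagged in rank(SAMPLE, score):
            mark = "  <- high severity, review regardless of score" if flagged else ""
            print(f"  {value:3d}  Se={pair.severity} Po={pair.occurrence} DN={pair.detection}  {pair.task}{mark}")
        for value, group in score_collisions(SAMPLE, score).items():
            print(f"  note: score {value} shared by {[p.task for p in group]}")


if __name__ == "__main__":
    main()
```

Running the block shows the two orderings disagreeing below the top entry: the detection term moves "Verify absence of voltage" up under RPN, while under Annex F it ties at 9 with "Rack out breaker", which only the severity tie-break and the high-severity flag separate. That is the practical reason the article recommends looking at severity on its own rather than trusting the product alone.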

FMECA and hazard identification and risk assessment are not intended for top-down analysis, since they might only identify the major failure modes in the electrical safety system. Other techniques are available to accomplish those goals. However, FMECA and hazard identification and risk assessment can be used as a bottom-up tool to complement and augment other methods, to identify many more causes and failure modes resulting in top-level symptoms and as a method to evaluate risk.

[1] MIL-P-1629, Procedures for Performing a Failure Mode, Effect and Critical Analysis. Department of Defense (US), November 9, 1949.

[2] MIL-STD-1629A, Procedures for Performing a Failure Mode, Effect and Criticality Analysis. Department of Defense (US), November 24, 1980.

[3] SAE J1739, Surface Vehicle Recommended Practice: Potential Failure Mode and Effects Analysis in Design (Design FMEA) and Potential Failure Mode and Effects Analysis in Manufacturing (Process FMEA) Reference Manual, July 1994.

Michael Fontaine currently is a Senior Electrical Engineer with the NFPA. He is a Registered Professional Electrical Engineer and also holds licenses in several other areas. He has over thirty-five years of electrical experience, including over thirty years as a Registered Professional Electrical Engineer. His experience includes engineering, designing, drafting, purchasing, testing and inspecting, writing about, developing training programs for, and teaching about electrical systems and electrical safety issues. He is well versed in the requirements of NFPA 70, the National Electrical Code®, and NFPA 70E®, the Standard for Electrical Safety in the Workplace.
