Design for Failure - Technical Entrepreneurship Case Studies

MPD 575
Design for Failure
Developed by Cohort Team 3: Cathy Campbell, Brandon Johnson, Robbin McDaniel, Britt Scott
Updates by Anita Bersie, Joe Torres, Beatriz Dhruna, John Haddock, Mac Lunn
Development History
• Latest updates by many of the following students in winter of 2014: M. Freeman, H. Gasahl, R. Glaser, A. Kammerzell, J. Lambrecht, D. Mincock, J. Murphy, M. Rockwell, P. Roncier, J. Salinas, G. Scalcucci, D. Slater
20140426
MPD575 Weaver
Design for Failure
• Introduction to Design for Failure (DFF)
• System Engineering V-Model and DFF
• Heuristics
• How DFF fits into PD Process
• Situation to implement DFF
• Examples
• Summary
Design for Failure
Definitions of key DFF terms:
Design: Creative process in the Arts, Sciences and Technologies. There are many design heuristics that are derived from rules, relationships and experiences.
Failure: A condition in which a system no longer performs its intended function, or is unable to do so at a level that meets customer satisfaction. Failure can also result from the emergence of an undesirable function.
System Architecture: The art and science of creating and building complex systems. That part of systems development most concerned with scoping, structuring, and certification. [M&R, 1997]
Failure Mode And Effect Analysis (FMEA): Systematic activities intended to:
1) recognize and evaluate potential failure of products/processes and its effects
2) identify actions to eliminate or reduce the chance of the potential failure occurring
3) document the process
Design for Failure
Definitions (cont’d)
• Classification of failures:
– Hard failures cause complete loss of function (ex: driveline does not transmit torque to wheels).
– Soft failures cause degraded function (ex: driveline whines at 45 mph steady vehicle speed).
• Approach
Design for failure must be approached from a functional perspective as opposed to a hardware perspective. It is recommended to use a “function tree” to decompose functions from the system to the subsystems and components.
Design for Failure
Failure, cont’d:
– Failures should be qualified and quantified.
– The results of failure should be taken into account and fed back into the design process.
– The most important aspect is “proper feedback”.
– Failures are something engineers spend their lives trying to avoid. However, there are times when a failure is designed into the system as a function under certain conditions to maintain the integrity of other functions of the system.
– The causes of the conditions are uncontrollable by the engineers, but the failure under these conditions can be controlled.
Design for Failure
Team’s definition of DFF:
“A system or component designed to fail under certain
conditions or circumstances”
Design for Failure
System design has three phases:
1. Design the Product or Component
2. Optimize the Design
3. Validate the Design
Design for Failure
• Design the Product or Component
– Complete System Architecture analysis. For DFF specifically, the focus should be placed on identifying the architecturally significant requirements, tracing the requirements to their owners, analyzing reusable components at their interfaces, and selecting, assessing and accepting the system architecture. For each task, a list of risks and opportunities must be updated as the architecture is refined. Failure mode management is a key driver in the selection process of the architectural vision.
– Complete technical concept generation.
– Complete concept DFMEA.
– Complete system and component level design.
– Complete P-diagrams; identify ideal functions, error states, control factors and noise factors.
– Conduct system and component DFMEAs.
– Address failure modes in order of severity and then in order of the product of severity by occurrence.
– Implement actions to reduce the severity of failures identified as critical and unavoidable by altering primary failure modes.
Design for Failure
• Optimize the Design
– Eliminate unacceptable failure modes, including but not limited to high severity modes. Example: fuse the front wheel driveline by notching the halfshafts (avoid high cost failures in the front wheel ends).
– Substitute high severity failure modes with lower severity failure modes. Example: block with soft shackle compared to typical hard block.
[Figure: hard block – failure of the shackle or the block leads to complete loss of tension in the line running through the block.]
[Figure: soft shackle – soft shackle tensile strength is greater than the block’s; failure of the block will cause loss of maneuverability but no loss of tension.]
– Document trade-offs.
– Iterate the designs (parallel paths if possible) through CAE and physical testing, using component and system level testing, until reliability is established.
Design for Failure
• Validate the Design (Testing)
– Critical noise factors (internal and external) must be included in the tests.
– Duty cycle must be correlated to real life usage.
– Tests must be run to failure to verify that the system failed as intended and that the system is able to perform the protected functions under the test simulated conditions.
– Failure modes (primary, secondary, …) must be analyzed.
– Teardown analyses are too often neglected. All parts must be inspected to properly assess the failure mechanisms.
– Product validation starts at the component level and ends at the full system level.
Four Conditions That Can Lead to Failure
Every system specification must specify requirements that address four types of system conditions:
● Normal Operations (Ideal Conditions)
● External System Failures
● Degraded Operations
● Internal System Failures
Conducting a DFMEA
1. Review the Design and Interfaces
2. Brainstorm potential failure modes – Review existing documentation and data for clues
3. List potential effects of failure
4. Assign Severity rankings – What is the severity of the consequences of failure?
- Failures with severity 9 and 10 are potential critical characteristics.
- Failures with severity 5 thru 8 are potential significant characteristics.
5. Assign Occurrence rankings – How frequently is the cause of failure likely to occur?
6. Assign Detection rankings – What are the chances that the failure will be detected prior to the customer finding it?
7. Calculate the RPN – Severity x Occurrence x Detection
8. Develop the action plan
9. Take Action
10. Calculate the resulting RPN
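As a worked example of steps 4 through 10 (added here; it is not from the original slides), the following Python ranks a few constructed DFMEA rows, computes the RPN, flags critical and significant characteristics by severity, orders the rows the way the “Design the Product” slide prescribes (severity first, then severity by occurrence) and recomputes the RPN after an action. The rows, their rankings and the modelled action (fusing the driveline so the wheel end seizure becomes rarer) are assumptions, not figures from the slides.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class FailureMode:
    """One DFMEA row: the item, how it fails, its effect, and the 1-10 rankings."""
    item: str
    mode: str
    effect: str
    severity: int     # consequence of the failure (10 = worst)
    occurrence: int   # how often the cause is expected (10 = most often)
    detection: int    # 10 = least likely to be caught before the customer

    def __post_init__(self) -> None:
        for name in ("severity", "occurrence", "detection"):
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be in 1..10, got {value}")

    def rpn(self) -> int:
        """Risk Priority Number = Severity x Occurrence x Detection (step 7)."""
        return self.severity * self.occurrence * self.detection

    def characteristic(self) -> str:
        """Step 4 thresholds: severity 9-10 potential critical, 5-8 potential significant."""
        if self.severity >= 9:
            return "critical"
        if self.severity >= 5:
            return "significant"
        return "standard"


def prioritize(rows: List[FailureMode]) -> List[FailureMode]:
    """Order of attack from the 'Design the Product' slide: severity first, then
    severity x occurrence, with the full RPN as a final tie-break (highest first)."""
    return sorted(rows, key=lambda r: (r.severity, r.severity * r.occurrence, r.rpn()),
                  reverse=True)


def take_action(row: FailureMode, *, severity: Optional[int] = None,
                occurrence: Optional[int] = None,
                detection: Optional[int] = None) -> FailureMode:
    """Steps 9-10: apply the planned action and return the row with its resulting rankings."""
    changes = {name: value for name, value in
               (("severity", severity), ("occurrence", occurrence), ("detection", detection))
               if value is not None}
    return replace(row, **changes)   # re-runs the 1..10 validation on the new row


# Constructed sample rows (assumed values) built around the driveline examples in the slides.
SAMPLE = [
    FailureMode("Halfshaft", "Fracture under shock torque", "Loss of drive at one wheel", 7, 4, 3),
    FailureMode("Front wheel end", "Bearing seizure under overload", "Wheel lock, loss of control", 9, 2, 6),
    FailureMode("Driveline", "Whine at 45 mph steady speed", "Customer annoyance (soft failure)", 3, 6, 2),
    FailureMode("PTU sump", "Lube above 145 C", "Permanent gear and bearing damage", 8, 3, 4),
]


def worked_example():
    """Rank the sample rows, then model 'fusing' the driveline by notching the halfshaft:
    the cheap part now fails first, so the wheel-end seizure is assumed to become rarer
    (occurrence 2 -> 1) and its planned failure easier to detect (detection 6 -> 3)."""
    ranked = prioritize(SAMPLE)
    worst = ranked[0]
    after = take_action(worst, occurrence=1, detection=3)
    return ranked, worst.rpn(), after.rpn()
```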
Design for Failure
Definition of failure types:
– Elastic failure: excessive elastic deformation
• Elastic: strain resulting from the load leaves after the load has
been removed
– Slip failure: excessive plastic deformation due to slip.
• Plastic: strain exceeds the elastic limit; a portion of the
deformation remains after the load is removed
• Slip: plastic deformation independent of time duration of the
applied load
– Creep failure: excessive plastic deformation over a long period of
time under constant stress
– Failure by Fracture: complete separation of the material
– Thermal failure of fuse blow
– Corrosion/degradation failures leading to increased resistance
Design for Failure
Two approaches to detect failure:
– Passive: a detector monitors the inputs and the outputs of the system and decides whether (and if possible what kind of) a failure has occurred. This is done by comparing the measured input-output behavior with the “normal” behavior of the system.
– Active: the active approach to failure detection consists of acting upon the system on a periodic basis or at critical times using a test signal (auxiliary signal), in order to exhibit abnormal behaviors which would otherwise remain undetected during normal operation.
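An added illustration of both approaches (not from the original slides) on an assumed linear channel, output = GAIN x input: the passive monitor classifies each measured input/output pair as normal, hard failure or soft failure, while the active test injects a known step to expose a stuck output that passive monitoring cannot see as long as the input stays steady. GAIN, TOL and the three constructed plants are assumptions.

```python
from typing import Callable, List, Tuple

# Assumed nominal model of the monitored channel and the tolerated residual.
GAIN = 2.0
TOL = 0.2

Plant = Callable[[float], float]


def passive_check(x: float, y: float) -> str:
    """Passive detection: compare one measured input/output pair with the normal model.
    Returns 'ok', 'hard' (no output at all) or 'soft' (degraded output)."""
    residual = y - GAIN * x
    if abs(residual) <= TOL:
        return "ok"
    if abs(y) <= TOL:
        return "hard"
    return "soft"


def passive_monitor(samples: List[Tuple[float, float]]) -> List[str]:
    """Run the passive check over a stream of (input, output) samples."""
    return [passive_check(x, y) for x, y in samples]


def active_test(plant: Plant, x0: float, delta: float) -> bool:
    """Active detection: apply a known test step and check that the output moves by
    GAIN * delta. Returns True when the channel responds as the model predicts."""
    y0 = plant(x0)
    y1 = plant(x0 + delta)
    return abs((y1 - y0) - GAIN * delta) <= TOL


# Constructed plants standing in for a healthy, a degraded and a stuck channel.
def healthy(x: float) -> float:
    return GAIN * x


def degraded(x: float) -> float:
    return 0.6 * GAIN * x        # e.g. corrosion raising resistance


def stuck_at(value: float) -> Plant:
    return lambda _x: value      # output frozen regardless of input


def demo() -> dict:
    """Steady input of 1.0 on a channel stuck at exactly its nominal output (2.0):
    passive monitoring reports 'ok' every time, the active test catches it."""
    stuck = stuck_at(GAIN * 1.0)
    steady = [(1.0, stuck(1.0)) for _ in range(5)]
    return {
        "passive_on_stuck": passive_monitor(steady),
        "active_on_stuck": active_test(stuck, 1.0, 0.5),
        "active_on_healthy": active_test(healthy, 1.0, 0.5),
    }
```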
Design for Failure
Heuristics
P = Prescriptive, D = Descriptive
• (D) It is better to be aware of the failures than not.
• (P) You want to design a “less expensive” component to
fail in order to protect a more expensive component.
• (P) Understand planned failures; fail as they are
planned.
• (P) Failure is defined by the beholder, not by the
architect.
(Modification of Maier/Rechtin, 270)
Design for Failure
Heuristics (continued)
• (P) Don’t confuse the functioning of the parts for the
functioning of the system. (Maier/Rechtin, 269)
• (D) Some of the worst failures are system failures.
(Maier/Rechtin, 271)
• (P) Choose the elements so that they are as
independent as possible; that is, elements with low
external complexity (low coupling) and high internal
complexity (high cohesion). (Maier/Rechtin, 273)
• (P) The principles of minimum communications and
proper partitioning are key to system testability and fault
isolation. (Maier/Rechtin, 275)
• (D) Knowing a failure has occurred is more important
than the actual failure. (Maier/Rechtin, 276)
Design for Failure
How DFF fits into PD Process
1. Gather raw data from the customers
2. Interpret the data in terms of customer needs
3. Organize the needs and establish their importance
4. Establish target specifications
5. Identify any potential products that require safe failure modes
6. Determine the strategy
7. Establish warranty guidelines
8. Include the failure strategy in the overall system architecture – boundaries for failure
9. Set up design requirements and targets
10. Define validation requirements
11. Establish assembly, service and maintenance guidelines
Design for Failure
How DFF fits into PD Process
• You can identify potential design for failure opportunities in multiple ways:
– Upfront Design
• Customer wants and needs (surveys)
• Focus groups
• Competitive product analysis
• Aftermarket product analysis
• Review product requirements and restrictions
• Review assembly, serviceability and maintenance requirements
– Design Phase
• Analyzing the overall system architecture
• Conducting DFMEAs on the product or system
• Simulating critical system interactions and interfaces
• CAE modeling and analysis (FEA, electrical fuse blow, worst case circuit analysis, voltage drop and resistance change over time/temperature) are commonly done to predict and manage failures
– Design and Release
• Analyzing a component/system that has failed
• The Product Design and Development team reviews the data and decides on the overall system architecture.
Design for Failure
Situations to implement DFF
• The main purpose of designing for failure is the prevention of injury or harm to a system, component or person in the event of a potential system or component failure (either catastrophic or minor).
• Design for failure is also used to prevent costly repair. The fusible component should be the least expensive to repair (ex: half-shafts).
• These systems were developed to meet these criteria:
– Air Bag Deployment System
– Electrical Circuit Protection
– Whiplash Protection Seating System (WHIPS)
– Collapsible Steering Column
– Windshield Breakage
– Run “Flat” Tire
– Paper Shredder
Design for Failure
Concepts in Planning for Failure
• Single Point Failure – Example: If system operations depend on knowing the time and there is only one watch, it becomes a single point failure mechanism. (Smead)
• Redundant Systems – Example: With two watches there is a backup device to tell time. However, you must have a way to resolve inconsistencies between the two watches to determine the correct time. (Smead)
• Failsafe – “describes a device which if (or when) it fails, fails in a way that will cause no harm or at least a minimum of harm to other devices or danger to personnel.” (Wikipedia)
• Failover / Switchover – a device that takes over for a failed mechanism only after the point of failure (Smead)
• Ping-pong – devices that take turns operating, so as not to get overloaded (beware of inconsistencies) (Smead)
Design for Failure
“Fail-safe” mechanism failure examples
• Therac-25 – Computerized radiation therapy machine (Leveson)
– 1985-87: injuries and deaths from radiation overexposure
– The model had replaced several mechanical safety interlocks with software algorithms.
– Operators were able to retry administering doses after a dose-rate malfunction was indicated incorrectly by the software.
– A 1983 safety analysis of the device by the manufacturer excluded software from the fault tree analysis.
• Christus St. Joseph Hospital – Elevator Decapitation (Greene)
– August 2003: surgical intern Hitoshi Nikaidoh was pinned in the elevator doors while they were closing and decapitated when the elevator rose.
– Nikaidoh had expected the elevator doors to retract when an obstacle (his body) was encountered, but they did not.
Lesson: Fail-safe devices, poka-yokes and safety mechanisms must be fully tested for proper designed function. Don’t assume they work properly, or will continue to work properly over time.
Airbag Deployment System
How does it relate to DFF?
• The air bag system is designed to deploy in the event of an accident (failure of a system or component).
• Consistent deployment is vital in airbag designs. This means consistent failure of components that contain airbags is vital.
How does it work?
• An internal seam in the steering wheel cover allows for uniform failure in order for the airbag to inflate in a consistent time and manner.
• Seats and Headliners
– Some designs have a panel that opens like a door in order to have controlled deployment of the seat side air bags.
– Headliners typically have a weak point in the design that will break during deployment.
Electrical Circuit Protection
How does it relate to DFF?
• The electrical circuit system is designed for …
• One Time Applications
• Once failed the component cannot be reused.
– Bolt-In Fuse
– J-Case Fuses
– Maxi/Mini Fuses
• Resettable Breakers
– Once the component fails, it can be manually reset and used again. Some reset themselves after the failed condition is stopped.
• Blade Design
• 120/240V AC single pole breaker (typically used in residential wiring)
• High Speed Fuse Applications
– Used with Allen-Bradley Controllers and Drivers.
– Manufacturing Equipment Application
How does it work?
• The circuit protection system is designed to fail when the conditions (listed below) are over exerted.
• The following parameters are part of circuit protection selection:
– Ambient Temperature
– Breaking Capacity
– Operating Voltages in Volts
– Operating Current in Amperes
– Required Failure Time
– Re-settable or One-Time
Volvo Whiplash Protection Seating System (WHIPS)
How does it relate to DFF?
• The WHIPS system, unique to Volvo, is designed to provide markedly better protection from neck and back injuries in the event of a rear impact.
How does it work?
• In the event of a rear impact, the WHIPS seat responds immediately.
• The seatback/headrest assembly moves back and then tilts down, absorbing the impact.
– In laboratory tests, acceleration forces on the neck are reduced by up to 50%.
• Under normal conditions this would be a failure of the seat system.
Collapsible Steering Column
NASCAR Steering Column
How does it relate to DFF?
• Volvo has designed a steering column that collapses
down and away from the driver during a severe crash
(system failure).
How does it work?
• Upon impact, the steering column structure fails in order
to protect the customer.
Windshield Breakage
How does it relate to DFF?
• The windshield is designed to provide a clear and undistorted view to the driver and passenger AND minimize danger in the event of a collision.
• The windshield in a vehicle is designed to stay in place upon impact. The glass will not shatter into a lot of small pieces. This protects the vehicle occupants from serious injury.
• The safest place to be during a car accident is in the car. Your windshield is an important barrier that keeps you in the car. A cracked windshield can fail during a collision or rollover, allowing you or your passenger to be ejected. A passenger ejected from a car or truck is much more likely to experience a serious injury or death.
• An automobile's windshield is designed to prevent the roof from crushing you in a rollover accident. A windshield can be significantly weakened by cracks and may fail to support the roof if the car flips over, causing severe injury or death to occupants.
• Many people don't realize that front-seat passenger airbags deploy against the windshield. In the event of a front-end collision, a cracked windshield can fail, allowing passengers who aren't seat-belted properly to be ejected from the vehicle through the windshield.
How does it work?
• Windshield glass is made by fabricating ordinary (flat) glass into high-grade shaped and tempered glass.
• Two primary types of safety glass:
– Laminated (Front Windshields)
– Tempered (Side/Rear Windshields)
Run “Flat” Tire
How does it relate to DFF?
– The “run flat tire” is a system designed to allow the driver to continue to drive their vehicle in the event of a tire blowout (product failure).
How does it work?
– When the tire loses pressure, it rests on a support ring attached to the wheel.
– The majority of the run-flat capability is on the wheel rather than the tire. The wheel does not “wear out”, whereas the tire does wear out and require replacement.
– Benefits of the Run Flat Tire
• Eliminates the need for a spare tire – reduces the weight of the vehicle – increases fuel efficiency
• Allows more luggage space by eliminating the spare tire
• Increases driver security and confidence in their vehicles
• Promises better ride quality because the sidewall's stiffness can be equivalent to today's standard tires, versus the other technologies on the market (self sealing and self supporting)
Ford AWD System Heat Management Software
[Figure: AWD system components – Power Transfer Unit (PTU), Rear Drive Unit (RDU), AWD Coupling (in RDU)]
How does it relate to DFF?
– The AWD software prevents permanent sump oil and clutch plate damage by predicting temperatures via modeling techniques. It then takes action by adjusting system behavior to either prevent or reduce further temperature rise. Actions are unique to which component is suspect.
How does it work?
– If the PTU sump approaches 130 Deg C at a minimum rate, the software reduces the assumed torque level to the rear axle in order to affect the temperature behavior. If the temperature rise continues and exceeds 145 Deg C (the synthetic lube limit), AWD is disabled until the temperature drops below 130 Deg C again or 5 minutes have expired, whichever comes last. The goal is to provide as much function to the customer as possible before disabling.
– If the AWD clutch plate temperature exceeds 210 Deg C, this is due to excess front to rear slip in severe sand or deep snow conditions. The software responds by sending 3x the normal duty cycle to the AWD coupling. This essentially “locks” the coupling and prevents further heat rise. However, if the lock mode cannot prevent slip and the coupling temperature continues to rise past 240 Deg C, the AWD system is disabled. This prevents permanent damage to the clutch plates.
– If the RDU sump exceeds a limit of 120 Deg C (natural lube), the AWD software performs actions similar to those seen on the PTU. In this case, locking up the coupling would typically make the RDU sump situation worse. Therefore, reduced torque is warranted.
– The entire system is a balance of tradeoffs, i.e. if the PTU torque level is reduced, this causes a higher risk of clutch plate temperature rise. If the clutch plates are “locked”, this causes a higher risk of PTU temperature rise. A balancing act, indeed, requiring good use of systems engineering skills.
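The threshold logic on this slide carried through as runnable Python, an added example that is not Ford's software: the temperatures in Deg C, the 3x duty cycle and the 5 minute hold-off are the values quoted above, while the “approaching at a minimum rate” band, the reduced torque fraction and the re-enable rule for the clutch and RDU paths are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Thresholds quoted on the slide (degrees C and seconds).
PTU_REDUCE_C = 130.0       # PTU sump: reduce rear torque when approaching this
PTU_DISABLE_C = 145.0      # synthetic lube limit: disable AWD above this
HOLDOFF_S = 300.0          # 5 minutes before AWD may be re-enabled
CLUTCH_LOCK_C = 210.0      # clutch plates: command lock above this
CLUTCH_DISABLE_C = 240.0   # clutch plates: disable AWD above this
RDU_REDUCE_C = 120.0       # RDU sump (natural lube): reduce torque above this
LOCK_DUTY_MULT = 3.0       # "3x the normal duty cycle" locks the coupling

# Assumed tuning values, not given on the slide.
APPROACH_BAND_C = 10.0     # "approaching" = within 10 C of the limit ...
APPROACH_RATE_C_S = 0.2    # ... and rising at least this fast
REDUCED_TORQUE = 0.5       # assumed torque scale while in reduced mode


@dataclass
class AwdState:
    enabled: bool = True
    torque_scale: float = 1.0          # fraction of requested rear torque
    duty_mult: float = 1.0             # multiplier on the coupling duty cycle
    disabled_at: Optional[float] = None
    reasons: List[str] = field(default_factory=list)


def awd_step(st: AwdState, t: float, ptu_c: float, ptu_rate_c_s: float,
             clutch_c: float, rdu_c: float) -> AwdState:
    """One control step over the three monitored temperatures; returns the new state."""
    if not st.enabled:
        # Re-enable only when every temperature is back below its first action
        # threshold AND the hold-off has expired (whichever comes last). The slide
        # states this rule for the PTU; applying it to all three paths is an assumption.
        cooled = ptu_c < PTU_REDUCE_C and clutch_c < CLUTCH_LOCK_C and rdu_c < RDU_REDUCE_C
        if not (cooled and t - st.disabled_at >= HOLDOFF_S):
            return st
        # otherwise fall through and evaluate as a healthy system
    # Hard limits: disabling takes precedence over any mitigation.
    if ptu_c > PTU_DISABLE_C:
        return AwdState(False, 0.0, 0.0, t, ["ptu-overtemp"])
    if clutch_c > CLUTCH_DISABLE_C:
        return AwdState(False, 0.0, 0.0, t, ["clutch-overtemp"])
    new = AwdState()
    # Clutch plate heat comes from front/rear slip: lock the coupling.
    if clutch_c > CLUTCH_LOCK_C:
        new.duty_mult = LOCK_DUTY_MULT
        new.reasons.append("clutch-lock")
    # RDU sump: locking would make it worse, so reduce torque instead.
    if rdu_c > RDU_REDUCE_C:
        new.torque_scale = REDUCED_TORQUE
        new.reasons.append("rdu-reduce")
    # PTU sump: act early, while the temperature is still approaching the limit.
    approaching = (ptu_c >= PTU_REDUCE_C - APPROACH_BAND_C
                   and ptu_rate_c_s >= APPROACH_RATE_C_S)
    if ptu_c >= PTU_REDUCE_C or approaching:
        new.torque_scale = REDUCED_TORQUE
        new.reasons.append("ptu-reduce")
    return new


def commanded_duty(st: AwdState, base_duty: float) -> float:
    """Duty cycle sent to the coupling; zero once AWD is disabled."""
    return base_duty * st.torque_scale * st.duty_mult if st.enabled else 0.0
```

When the clutch lock and a torque reduction fire in the same step the two multipliers simply combine; the slide calls this a balancing act and gives no tie-break, so that part is a simplification.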
– Benefits of designing for temperature failures
• With modern AWD systems, overheating is more a matter of “when” vs. “if” it happens.
• Robust software balances performance with durability life to provide the customer with the best value.
• Part failures result in very high warranty or customer costs (Ex. RDU replacement = $3,000).
• Damage is often seen after the warranty has expired, resulting in dissatisfaction.
Ford Thermal Management
[Figure: heat shield examples and mitigation techniques – fuel tank shield, thermal sleeving, air scoop and deflectors, exhaust mounted shields, stamped shields]
Ford Thermal Management
How does it relate to DFF?
– The thermal management techniques are designed in place with the expectation of failure in the product life cycle.
How does it work?
– The heat management engineer designs mitigation techniques into the product with the expectation that a failure will take place. The failures considered are misfire and exhaust failure.
– Although in the majority of cases the powertrain controls software would recognize that a misfire or an exhaust failure has occurred and would manage the failure accordingly, testing is conducted with these features turned off.
– Testing is defined as endurance:
• No ignition of vehicle or components
• No smoke or noxious fumes
• No loss of fluids
• No failure of severity 8, 9, 10 (FMEA)
• No system degradation that affects vehicle safety
– Benefit of designing for misfire and exhaust failures
• Allows the engineer to evaluate the Component Maximum Design Temperatures listed in the SDS to ensure thermal robustness
Design for Failure
Paper Shredder (Jam Mechanism)
How does it relate to DFF?
• The paper shredder is designed to shred paper. If too many sheets or a non-paper object (metal, thick plastic) are fed through it, the failure mode is to jam or stop working before damaging the product.
How does it work?
• There are several shredder designs available (electrical or battery operated) to accept different quantities (1 thru 140 sheets) of paper. The paper is then fed thru the shredder opening.
• If the quantity or thickness is too great, the shredder jams.
• If a non-paper object is placed in the shredder, it jams.
• Once the extra sheets or object are removed, the shredder reset button can be activated.
Design for Failure
Summary
• Incorporate the DFF procedures into each design
• Define the useful life of the product and its failures
• Challenge engineering to develop customer satisfaction criteria for all types of uses/misuses (additional failures)
• Develop products or processes that meet the failure mode and are robust against different sources of variation
• Address new technology, or existing technology in new environments, against the failure modes
• Design for failure may prevent more damage by making the system inoperable.
• Gain an understanding of a system’s failure sensitivity
• Meet the global challenge of incorporating product failure modes on all components or systems
• Look at the big picture; address a component or subcomponent that is part of the product system design
References
• The Art of Systems Architecting, M. Maier & E. Rechtin, 2nd edition, CRC Press, 2000
• Systems Architecting of Organizations, E. Rechtin, CRC Press, 2000
• Product Design and Development, Karl T. Ulrich and Steven Eppinger, 2nd edition
• Mechanics of Materials, A. Higdon, E. Ohlsen, W. Stiles, J. Weese, W. Riley; John Wiley & Sons, Inc, 4th edition, 1985
• Mechanical Engineering Design, Joseph Edward Shigley, Charles Mischke; McGraw-Hill, Inc, 5th edition, 1989
• www.fpds.ford.com/fpds2k/index.html
• www.ford.com……
• www.destroyit-shredders.com
• www.bestbuy.com
• www.helmets.org
• http://www.be.ford.com/safety/training/general%20airbags/airbag101/links.htm
• www.ask.com/main/metaAnswer.
• Smead, David. “Vessel Networking #2.” On-line posting. 8 May, 2007. Available: http://www.amplepower.com/dave_blog/2/vessel_networking_2.pdf
• Greene M.D., Alan. “A Tragic Lesson.” On-line posting. 20 Aug, 2003. Available: http://www.drgreene/com/21_1660.html
• “Failsafe.” Wikipedia [On-line]. 26 Oct, 2007. Available: http://en.wikipedia.org/wiki/Failsafe
• Leveson, Nancy & Clark Turner. “An Investigation of the Therac-25 Accidents.” IEEE Computer, Vol. 26, No. 7, July 1993, pp. 18-41.