FMEA-MSR (Monitoring and System Reaction)
The risk analysis activities of a design FMEA usually focus on the design phase in order to achieve a robust and reliable design that meets the requirements specification. System reaction during operation is difficult to model and is not covered completely.
The FMEA-MSR, on the other hand, is used to analyze systems with integrated monitoring functions and system reactions that become effective during operation. Usually, these systems are related to functional safety (ISO 26262) and/or legal requirements. If the DFMEA contains failure effects with a severity rating of S=9 or S=10, FMEA-MSR should be considered. The aim of FMEA-MSR is to account for alternative risk scenarios of reduced severity (S<9) that are achieved by monitoring and system reaction during operation.
FMEA-MSR is an addition to DFMEA and can be done in a separate FMEA document or integrated into an existing DFMEA document.
The Hybrid Failure Net
In SOX the monitoring and system reaction are modeled by two special types of functions, the diagnosis function and the reaction function. The modeling starts with the failure cause that is to be detected by the monitoring function. This is modeled by connecting the diagnosis function to the failure cause and the reaction function to the diagnosis function. The reaction function is then connected to a failure on an upper level to model the alternative failure path leading to a failure effect of lower severity. In short, the failure cause is connected to a chain of functions (diagnosis, system reaction) flowing into a chain of malfunctions that ends at an upper-level failure effect. This structure is called a hybrid chain of effects or hybrid net. Within this hybrid net the chain of functions represents a signal path, whereas the malfunctions belong to the hierarchical structure of the system that is modeled in FMEA as a structure tree.
Creating a Hybrid Net
In the example system the power train of a vehicle consists of the engine, a fuel injector, and a control unit, where the control unit monitors the correct function of the fuel injector. If too much fuel is injected into the engine (failure cause), the torque provided to the wheels of the vehicle is too great (failure mode), resulting in unintended acceleration (failure effect). This effect may lead to a dangerous situation and is therefore rated with a severity of S=10. The monitoring function of the control unit should detect the malfunctioning behavior and initiate a proper system reaction for risk mitigation.
In SOX, monitoring and system reaction are represented by a diagnosis function and a reaction function, respectively.
The procedure of adding functions to system elements is described in detail at Adding Functions to a System Element.
Adding a diagnosis function:
Right-click on the system element to which you want to add a diagnosis function.
Choose New > Diagnosis Function from the context menu.
Outcome: the "Add new function to …" dialog opens.
Enter a name and a code.
Enter a description and values for diagnostic coverage (optional).
Click OK.
Outcome: the diagnosis function is added to the system element.
Next, link the diagnosis function to the cause of failure by drag and drop as described in Connecting Functions/Malfunctions. The icon next to the diagnosis function name changes to indicate the link. Additionally, the link is listed under "Diagnosis targets" below the diagnosis function. Click the small triangle to show the content.
In a similar manner, you model the system reaction by adding a reaction function and connecting it to the diagnosis function.
Adding a reaction function:
Right-click on the system element containing the diagnosis function.
Choose New > Reaction Function from the context menu.
Outcome: the "Add new function to …" dialog opens.
Enter a name.
Enter a description (optional).
Click OK.
Next, you need to link the reaction function to the diagnosis function as well as to the failure effects of reduced severity. These represent the intended behavior in case a failure is detected. As before, the connection is made by drag and drop (see section Connecting Functions/Malfunctions on page ). The icon next to the reaction function name changes to indicate the link. Additionally, the links to the failure effects are listed under "Safe paths" below the reaction function. Click the small triangle to show the content.
The resulting hybrid net is shown in the second figure below. The upper branch represents the failure net without detection, whereas the lower part shows the intended system reaction if the failure cause is detected.
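To make the structure of the hybrid net concrete, the following is an added example that is not SOX code and does not reproduce the SOX data model. It models the power-train scenario above as a small directed graph in Python: malfunctions form the structure tree's failure net (cause, mode, effect), while the diagnosis and reaction functions form the signal path with their "diagnosis targets" and "safe paths". It then evaluates the two branches of the net, the undetected branch with S=10 and the detected branch with reduced severity, and runs plausibility checks. The class and function names, the function code DF-01, and the reduced-severity rating S=5 of the alternative effect are assumptions; the page only states that the alternative effect must be rated S<9.

```python
from dataclasses import dataclass, field
from typing import Optional

MSR_TRIGGER_SEVERITY = 9   # page rule: consider FMEA-MSR for failure effects with S = 9 or 10


@dataclass(eq=False)
class Malfunction:
    """Node of the failure net in the structure tree (cause -> mode -> effect)."""
    name: str
    element: str                      # system element the malfunction belongs to
    severity: Optional[int] = None    # only failure effects carry an S rating
    effects: list = field(default_factory=list)   # upward links to higher-level malfunctions


@dataclass(eq=False)
class DiagnosisFunction:
    """Monitoring function; its 'diagnosis targets' are the failure causes it detects."""
    name: str
    code: str
    element: str
    diagnosis_targets: list = field(default_factory=list)


@dataclass(eq=False)
class ReactionFunction:
    """System reaction; its 'safe paths' are the failure effects of reduced severity."""
    name: str
    element: str
    triggered_by: list = field(default_factory=list)   # diagnosis functions
    safe_paths: list = field(default_factory=list)     # alternative failure effects


def terminal_effects(malfunction):
    """Follow the failure net upward and return the top-level failure effects."""
    if not malfunction.effects:
        return [malfunction]
    found = []
    for upper in malfunction.effects:
        found.extend(terminal_effects(upper))
    return found


def undetected_severity(cause):
    """Worst-case S if the cause is not detected (upper branch of the hybrid net)."""
    return max(e.severity for e in terminal_effects(cause) if e.severity is not None)


def hybrid_chains(cause, diagnoses, reactions):
    """Enumerate cause -> diagnosis -> reaction -> safe failure effect chains."""
    chains = []
    for diag in diagnoses:
        if cause not in diag.diagnosis_targets:
            continue
        for react in reactions:
            if diag not in react.triggered_by:
                continue
            for effect in react.safe_paths:
                chains.append((cause.name, diag.name, react.name, effect.name, effect.severity))
    return chains


def detected_severity(cause, diagnoses, reactions):
    """Worst-case S on the alternative path (lower branch), or None if no chain exists."""
    chains = hybrid_chains(cause, diagnoses, reactions)
    return max(s for *_, s in chains) if chains else None


def msr_recommended(cause):
    """Page rule: FMEA-MSR should be considered when the undetected effect is rated S = 9 or 10."""
    return undetected_severity(cause) >= MSR_TRIGGER_SEVERITY


def check_hybrid_net(cause, diagnoses, reactions):
    """Plausibility findings for the net; an empty list means it is consistent."""
    findings = []
    chains = hybrid_chains(cause, diagnoses, reactions)
    if msr_recommended(cause) and not chains:
        findings.append(f"no diagnosis/reaction chain covers cause '{cause.name}'")
    for _, diag, react, effect, s in chains:
        if s is None or s >= MSR_TRIGGER_SEVERITY:
            findings.append(f"safe path '{effect}' via {diag}/{react} is not of reduced severity (S={s})")
    for react in reactions:
        if not react.triggered_by:
            findings.append(f"reaction function '{react.name}' is not linked to a diagnosis function")
    return findings


# Constructed example following the page's power-train scenario (S=5 is an assumed value).
cause = Malfunction("Too much fuel injected", "Fuel injector")
mode = Malfunction("Torque to wheels too great", "Power train")
effect = Malfunction("Unintended acceleration", "Vehicle", severity=10)
cause.effects.append(mode)
mode.effects.append(effect)
safe_effect = Malfunction("Reduced engine power (limp mode)", "Vehicle", severity=5)

injector_monitor = DiagnosisFunction("Injector monitoring", "DF-01", "Control unit", [cause])
limit_injection = ReactionFunction("Limit injection quantity", "Control unit",
                                   [injector_monitor], [safe_effect])
DIAGNOSES = [injector_monitor]
REACTIONS = [limit_injection]


def example():
    """Evaluate both branches of the hybrid net for the constructed scenario."""
    return {
        "msr_recommended": msr_recommended(cause),
        "undetected_severity": undetected_severity(cause),
        "detected_severity": detected_severity(cause, DIAGNOSES, REACTIONS),
        "findings": check_hybrid_net(cause, DIAGNOSES, REACTIONS),
    }


if __name__ == "__main__":
    for key, value in example().items():
        print(f"{key}: {value}")
```

The checks mirror what a reviewer looks for when inspecting a hybrid net in the tool: the failure cause rated S=9/10 actually has a diagnosis and reaction chain, every safe path really ends at an effect of reduced severity, and no reaction function is left unlinked from its diagnosis function.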
You can add an action group to the failure cause as described on page Adding Action Groups. Operation actions are rated by the parameters frequency (H) and monitoring (M). The rating is done in a similar manner as described at Rating Malfunctions and Action Groups.