German Automotive Industry Quality Standard VDA Kapitel 4-04_en
VDA-Volume 4: Fault Tree Analysis 1

We would like to thank all the companies and their staff who have contributed to this workgroup: AUDI AG, Ingolstadt; BMW AG, Munich; Robert Bosch GmbH, Stuttgart; Continental AG, Hannover; DGQ (Deutsche Gesellschaft für Qualität), Frankfurt; Fichtel

the output is described in binary: "0" (intact), "1" (defective).

In the case of the (1 of 2) evaluation, the so-called OR gate, one of the two input signals (I1 or I2) is sufficient to determine the corresponding output signal (O). In this case, the non-completion of the output signal is less probable than with a one-channel setup. Figure 5 shows the (1 of 2) evaluation with the corresponding truth table.

Figure 5: (1 of 2) evaluation (OR gate)

  I1  I2  O
   1   1  1
   1   0  1
   0   1  1
   0   0  0

If, for example, the braking action of a winch is triggered by an OR logic operation, braking is still possible even if one input signal fails. In this case, however, operating delays caused by incorrect release of the brakes must be accepted.

In the (2 of 2) evaluation (AND gate), both input signals must be present simultaneously in order to generate the output signal. In this case, the completion of output A is less probable than with a one-channel setup. Figure 6 represents the (2 of 2) evaluation.

[Figure 6: (2 of 2) evaluation (AND gate) with inputs I1 and I2 and output O]

consequently, the primary failures should also be analyzed further.

The branches of the command faults or secondary failures should be developed further, down to the level of the basic events. Figure 10 shows an example of a fault tree in which the secondary failures of the motor are developed.
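Added example, not code from the VDA volume: a small Python evaluator for the (1 of 2) OR gate and the (2 of 2) AND gate in the binary convention above (0 = intact, 1 = defective), extended to the general case of a nested fault tree whose state and occurrence probability are computed bottom-up. The grouping of the Figure 10 events into branches and the probability values are assumptions of this example.

```python
import math

# Binary convention of the text: 0 = intact, 1 = defective.
def or_gate(*inputs):
    """(1 of 2) evaluation: one defective input is sufficient for the output."""
    return int(any(inputs))

def and_gate(*inputs):
    """(2 of 2) evaluation: all inputs must be defective to give the output."""
    return int(all(inputs))

def evaluate(node, states):
    """State (0/1) of a tree node, given the states of the basic events.
    Nodes are ("OR", [children]), ("AND", [children]) or ("basic", name)."""
    kind, body = node
    if kind == "basic":
        return states[body]
    child_states = [evaluate(child, states) for child in body]
    return or_gate(*child_states) if kind == "OR" else and_gate(*child_states)

def probability(node, probs):
    """Occurrence probability of a node, assuming independent basic events."""
    kind, body = node
    if kind == "basic":
        return probs[body]
    ps = [probability(child, probs) for child in body]
    if kind == "AND":
        return math.prod(ps)                  # all inputs defective
    return 1 - math.prod(1 - p for p in ps)   # at least one input defective

# Figure 10 in the shape assumed here: how the developed basic events are grouped
# under the secondary-failure and command-fault branches is this example's assumption.
MOTOR_TREE = ("OR", [
    ("basic", "primary failure: motor"),
    ("OR", [  # secondary failure: motor, developed to basic events
        ("basic", "blocking of the motor caused by impurities"),
        ("basic", "break in motor housing caused by temperature or vibration"),
    ]),
    ("basic", "command fault: switches 1 and 2 or power source fail"),
])

# Constructed sample probabilities, not values from the standard.
SAMPLE_PROBS = {
    "primary failure: motor": 0.001,
    "blocking of the motor caused by impurities": 0.002,
    "break in motor housing caused by temperature or vibration": 0.0005,
    "command fault: switches 1 and 2 or power source fail": 0.003,
}
```

With two independent inputs of equal failure probability, `probability` shows the text's claim directly: the OR output occurs more often than a single channel would fail, the AND output less often.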
[Figure 10: Fault tree for system A with development of the secondary failure. Top event "Motor does not start" with the branches "Primary failure: motor", "Secondary failure: motor" and "Command fault: motor"; developed events: "External influences", "Failure of other system components: switches 1 and 2, power source", "Blocking of the motor caused by impurities", "Break in motor housing caused by excessive temperatures or vibrations"]

In order to be able to transfer even very complex technical systems into models that are as realistic as possible, the following steps must be performed when drawing up the fault tree:

Steps for drawing up the fault tree
1st step: System analysis
2nd step: Definition of the top event and failure criteria
3rd step: Determination of reliability parameters and time intervals
4th step: Determination of the failure modes for the components
5th step: Drawing up the fault tree

Figure 11: Steps in drawing up a fault tree

1st step: System analysis

Exact knowledge of the functional sequences in the normally functioning system is necessary for drawing up the fault tree. With the help of the system analysis, the system's method of operation should be made clear, taking into account its interfaces to the environment.

- System functions/system requirements
To stipulate the system function unambiguously, all required functions are shown and assigned to the elements fulfilling them (system elements). In this connection, the performance goals and permissible tolerances of the respective system functions must be considered. Generally, this means that the customary technical documents, such as signal and/or current flow plans, performance specifications and design drawings, must be available. So-called function block diagrams (FBD) serve to illustrate system interconnections and interface influences.
This graphical, two-dimensional depiction of a verbal, one-dimensional approach, as followed in the specifications, is far superior once the functional sequences are no longer purely sequential.

- Environmental conditions
During the various operating phases, the system must fulfill the required functions under the influence of environmental conditions on which the technical system itself has no influence. Both the environmental influences and the physical and chemical properties of the system elements need to be considered.

- Dependency and behavior
In this connection, the system must be examined with regard to the following criteria:
  - interplay of the system elements in generating the system functions,
  - reaction of the system to the environmental conditions,
  - behavior of the system in case of internal failures and failures of required auxiliary sources (energy supply, services).

2nd step: Definition of the top event and the failure criteria

The meaningfulness of the FTA depends on the description of the top event and the associated boundary conditions. When stipulating the top event, there are two different basic starting points:

- Preventive approach
If the FTA is performed from a preventive point of view, the top event is defined by the non-fulfillment of functions or requirements. When defining top events, product requirements relevant to both safety and convenience can be ta