Safety engineering


Showing revision 1
Safety engineering is used to ensure that a system behaves as needed even when pieces of it fail. The two most common fault modeling techniques are called "failure modes and effects analysis" and "fault tree analysis."

In failure modes and effects analysis, a table is constructed in which each single failure is paired with its effects and an evaluation of those effects. The design of the system is then corrected, and the table adjusted, until the system has no known unacceptable problems. Of course, the engineers could still make mistakes.

In fault tree analysis, an undesired effect is taken as the root of a tree of logic. Each situation that could cause that effect is then added to the tree as a series of logic expressions. When fault trees have real numbers for failure probabilities (often unavailable because of testing expense), computer programs can calculate failure probabilities from fault trees. The classic computer program is the Idaho National Engineering Laboratory's SAPHIRE, which is used by the U.S. government to design naval nuclear reactors. It seems to work, because they don't fail often.
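As an added illustration of the calculation described above (not code from the page or from SAPHIRE), the following evaluator takes a small fault tree of AND/OR gates and computes the top-event probability from basic-event probabilities, assuming the basic events are independent. It also lists the minimal cut sets, which show whether any single event defeats the redundancy; the reactor-style event names and probabilities are constructed for the example.

```python
from dataclasses import dataclass, field
from math import prod

# Added example: a minimal fault-tree evaluator. Event names and probabilities
# below are constructed for illustration, not taken from the page.

@dataclass
class Event:
    name: str
    p: float            # probability the basic event occurs during the mission time

@dataclass
class Gate:
    kind: str           # "AND": all inputs must fail; "OR": any one input suffices
    inputs: list = field(default_factory=list)

def probability(node) -> float:
    """Top-event probability, assuming basic events are statistically independent."""
    if isinstance(node, Event):
        return node.p
    ps = [probability(c) for c in node.inputs]
    if node.kind == "AND":
        return prod(ps)
    # OR gate: P(any) = 1 - P(none). Exact only under independence.
    return 1.0 - prod(1.0 - p for p in ps)

def cut_sets(node) -> list:
    """Minimal cut sets: smallest combinations of basic events that cause the top event."""
    if isinstance(node, Event):
        return [frozenset([node.name])]
    child_sets = [cut_sets(c) for c in node.inputs]
    if node.kind == "OR":
        sets = {s for cs in child_sets for s in cs}
    else:                               # AND: one cut set from each input, combined
        sets = {frozenset()}
        for cs in child_sets:
            sets = {a | b for a in sets for b in cs}
    return sorted((s for s in sets if not any(o < s for o in sets)), key=sorted)

def single_points_of_failure(node) -> list:
    """Basic events that alone cause the top event (cut sets of size one)."""
    return sorted(next(iter(s)) for s in cut_sets(node) if len(s) == 1)

def example_tree() -> Gate:
    # Constructed reactor-style tree: the core overheats only if primary cooling
    # is lost AND the emergency core cooling system (ECCS) also fails.
    cooling_lost = Gate("OR", [Event("pipe_break", 1e-3), Event("main_pump_fails", 1e-2)])
    eccs_fails = Gate("OR", [Event("control_power_lost", 1e-3),   # common cause for both pumps
                             Gate("AND", [Event("eccs_pump_a", 1e-2), Event("eccs_pump_b", 1e-2)])])
    return Gate("AND", [cooling_lost, eccs_fails])
```

Calling `single_points_of_failure` on the ECCS subtree alone reports `control_power_lost`, showing how a shared dependency quietly undoes the two-pump redundancy.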

Fault analysis can also be applied by everyday people to planning complex events; it is simply a way of making plans that cope with failures.

Usually a failure in safety-certified systems is acceptable if less than one life per 30 years of operation (10^9 hours) is lost to mechanical failure. Most Western nuclear reactors, medical equipment and commercial aircraft are certified to this level.

Once a failure mode is identified, it can usually be corrected by adding equipment to the system. For example, nuclear reactors emit dangerous radiation, contain nasty poisons, and nuclear reactions can produce such high temperatures that no substance can contain them. Therefore reactors have emergency core cooling systems to keep the heat down, shielding to contain the radiation, and containments (usually several, nested) to prevent leakage.

For any given failure, a fail-over or redundancy can almost always be designed and incorporated into a system.

When adding equipment is impractical (usually because of expense), the design has to be made inherently safe, or "fail safe." The typical approach is to arrange the system so that ordinary single failures cause the mechanism to shut down in a safe way. For example, in an elevator the cable supporting the car pulls spring-loaded brakes open. If the cable breaks, the brakes grab the rails, and the car does not fall. Another common fail-safe system is the pilot light sensor in most gas furnaces. If the pilot light is cold, a mechanical arrangement disengages the gas valve, so that the house cannot fill with unburned gas. Fail safes are common in medical equipment, traffic and railway signals, communications equipment and safety equipment.

Edited December 17, 2001 11:48 am by 208.186.187.xxx