Q & A: Category 2 and Testing Intervals

This entry is part 1 of 2 in the series Q&A

Dur­ing the Free Safe­ty Talks that we did with Schm­er­sal Cana­da and Franklin Empire, we had a “hot ques­tion” come up regard­ing Cat­e­go­ry 2 archi­tec­ture and the test­ing inter­val require­ment. In the short video below, Doug answers that ques­tion.

If you have more ques­tions or felt some­thing wasn’t clear in the video, leave us a com­ment and we will get back to you!

If you are hav­ing prob­lems with devel­op­ing your safe­ty func­tion, please get in touch with Doug direct­ly.


Email Doug direct­ly.


[1]     Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 1: Gen­er­al prin­ci­ples for design. ISO 13849–1. 2015.

[2]     “The Bath­tub Curve and Prod­uct Fail­ure Behav­ior (Part 2 of 2)”, Weibull.com, 2018. [Online]. Avail­able: http://www.weibull.com/hotwire/issue22/hottopics22.htm. [Accessed: 13- May- 2018].

[3]    Ger­man Social Acci­dent Insur­ance (DGUV) — Insti­tute for Occu­pa­tion­al Safe­ty and Health (BGIA), “Func­tion­al safe­ty of machine con­trols — Appli­ca­tion of ISO 13849–1 — Report 2/2008e”, Insti­tute for Occu­pa­tion­al Safe­ty and Health (BGIA), Sankt Augustin, DE, 2008.

[4]     “Safe­ty Cir­cuit Exam­ples of Safe­ty Com­po­nents | Tech­ni­cal Guide | Aus­tralia | Omron IA”, Omron.com.au, 2018. [Online]. Avail­able: http://www.omron.com.au/service_support/technical_guide/safety_component/safety_circuit_example.asp. [Accessed: 14- May- 2018].

Digiprove sealCopy­right secured by Digiprove © 2018
Acknowl­edge­ments: ISO, OMRON, oth­ers as cit­ed.
Some Rights Reserved

Five reasons you should attend our Free Safety Talks

Reason #1 — Free Safety Talks

You can’t argue with Free Stuff! Last week we part­nered with Schm­er­sal Cana­da and Franklin Empire to put on three days of Free Safe­ty Talks. We had full hous­es in all three loca­tions, Wind­sor, Lon­don and Cam­bridge, with near­ly 60 peo­ple par­tic­i­pat­ing.

We had two great pre­sen­ters who helped peo­ple under­stand Pre-Start Health and Safe­ty Reviews (PSRs) [1], CSA Z432-2016 [2], Inter­lock­ing Devices [3] and Fault Mask­ing [4].

Mr Vashi at Franklin Empire Cambridge
Mr Vashi at Franklin Empire Cam­bridge

Franklin Empire pro­vid­ed us with some great facil­i­ties and break­fast to keep our minds work­ing. Thanks, Franklin Empire and Ben Reid who orga­nized all of the reg­is­tra­tions!

Mr Nix discussing injury rates in machine modes of operation
Mr Nix dis­cussing injury rates in machine modes of oper­a­tion

Reason #2 — Understanding Interlocking Devices

A portrait of Mr Kartik Vashi
Mr Kar­tik Vashi, CFSE

Mr Kar­tik Vashi, CFSE, dis­cussed the ISO Inter­lock­ing Device stan­dard, ISO 14119. This stan­dard pro­vides read­ers with guid­ance in the selec­tion and appli­ca­tion of inter­lock­ing devices, includ­ing the four types of inter­lock­ing devices and the var­i­ous cod­ing options for each type. Did you know that ISO 14119 is also direct­ly ref­er­enced in CSA Z432-16 [2]? That means this stan­dard is applic­a­ble to machin­ery built and used in Cana­da as of 2016. If you don’t know what I’m talk­ing about, you can con­tact Mr Vashi to get more infor­ma­tion.

ISO 14119 Fig 2 showing some aspects of different types of interlocking devices.
ISO 14119 Fig 2 show­ing some aspects of dif­fer­ent types of inter­lock­ing devices [3]

Reason #3 — Understanding Fault Masking

Mr Vashi also talked about fault mask­ing, an impor­tant and often mis­un­der­stood sit­u­a­tion that can occur when inter­lock­ing devices or oth­er electro­mechan­i­cal devices, like emer­gency stop but­tons, are daisy-chained into a sin­gle safe­ty relay or safe­ty input on a safe­ty PLC. Mr Vashi drew from ISO/TR 24119 to help explain this phe­nom­e­non. If you don’t under­stand the impact that daisy-chain­ing inter­lock­ing devices can have on the reli­a­bil­i­ty of your inter­lock­ing sys­tems, Mr Vashi can help you get a han­dle on this top­ic.

A part of ISO 24119 Fig 2 showing one method of daisy-chaining interlocking devices.
A part of ISO 24119 Fig 2 show­ing one com­mon method of daisy-chain­ing inter­lock­ing devices [4]

Reason # 4 — Pre-Start Health and Safety Reviews

Portrait of Doug Nix, C.E.T.
Mr Doug Nix, C.E.T.

Mr Nix opened his pre­sen­ta­tion with a dis­cus­sion of some com­mon­ly asked ques­tions about Pre-Start Health and Safe­ty Reviews (PSRs). There are many ways that peo­ple become con­fused about the WHY, WHAT, WHEN, WHERE, WHO and HOW of PSRs, and Mr Nix cov­ered them all. This unique-to-Ontario process requires an employ­er to have machines, equip­ment, rack­ing and process­es reviewed by a Pro­fes­sion­al Engi­neer or anoth­er Qual­i­fied Per­son when cer­tain cir­cum­stances exist (see O. Reg. 851, Sec­tion 7 Table). If you are con­fused by the PSR require­ments, con­tact Mr Nix for help with your ques­tions.

Reason #5 — Understanding the changes to CSA Z432

CSA Z432 [2] was updat­ed in 2016 with many changes. This much-need­ed update came after 12 years expe­ri­ence with the 2004 edi­tion and many changes in machin­ery safe­ty tech­nol­o­gy. Mr Nix briefly explored the many changes that were brought to Cana­di­an machine builders in the new edi­tion, includ­ing the many new ref­er­ences to ISO and IEC stan­dards. These new ref­er­ences will help Euro­pean machine builders get their prod­ucts accept­ed in Cana­di­an mar­kets. Both Mr Vashi and Mr Nix sit on the CSA Tech­ni­cal Com­mit­tee respon­si­ble for CSA Z432.

Reason #6 — Hot Questions

We like to over-deliv­er, so here’s the bonus rea­son!

We had some great ques­tions posed by our atten­dees, two of which we are answer­ing in video posts this week. If you have ever con­sid­ered using a pro­gram­ma­ble safe­ty sys­tem for lock­out, our first video explains why this is not yet a pos­si­bil­i­ty. Mr Nix gets into some of the reli­a­bil­i­ty con­sid­er­a­tions behind the O.Reg. 851 Sec­tions 75 and 76 and CSA Z460 require­ments.

Mr Nix post­ed a sec­ond video dis­cussing ISO 13849–1 [5] Cat­e­go­ry 2 archi­tec­ture require­ments and par­tic­u­lar­ly Test­ing Inter­vals. This video explains why it is not pos­si­ble to meet the test­ing require­ments using a pure­ly electro­mechan­i­cal design solu­tion.

Edit: 16-May-18

A case in the UK illus­trates the dan­gers of bypass­ing inter­lock­ing sys­tems. A work­er was killed by a con­vey­or sys­tem in a pre-cast con­crete plant when he was work­ing in an area nor­mal­ly pro­tect­ed by a key-exchange sys­tem. Here’s the link to the arti­cle on OHSOnline.com. Allow­ing work­ers into the dan­ger zone of a machine with­out oth­er effec­tive risk reduc­tion mea­sures may be a death sen­tence.


[1]     Ontario Reg­u­la­tion 851, Indus­tri­al Estab­lish­ments

[2]     Safe­guard­ing of Machin­ery. CSA Z432. 2016.

[3]     Safe­ty of machin­ery — Inter­lock­ing devices asso­ci­at­ed with guards — Prin­ci­ples for design and selec­tion. ISO 14119. 2013.

[4]     Safe­ty of machin­ery — Eval­u­a­tion of fault mask­ing ser­i­al con­nec­tion of inter­lock­ing devices asso­ci­at­ed with guards with poten­tial free con­tacts. ISO/TR 24119. 2015.

[5]     Con­trol of haz­ardous ener­gy — Lock­out and oth­er meth­ods. CSA Z460. 2013.

[6]     Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 1: Gen­er­al prin­ci­ples for design. ISO 13849–1. 2015.

Digiprove sealCopy­right secured by Digiprove © 2018
Acknowl­edge­ments: Kar­tik Vashi, ISO, Franklin Empire, S more…
Some Rights Reserved

ISO 13849–1 Analysis — Part 8: Fault Exclusion

This entry is part 9 of 9 in the series How to do a 13849–1 analy­sis

Fault Consideration & Fault Exclusion

ISO 13849–1, Chap­ter 7 [1, 7] dis­cuss­es the need for fault con­sid­er­a­tion and fault exclu­sion. Fault con­sid­er­a­tion is the process of exam­in­ing the com­po­nents and sub-sys­tems used in the safe­ty-relat­ed part of the con­trol sys­tem (SRP/CS) and mak­ing a list of all the faults that could occur in each one. This a def­i­nite­ly non-triv­ial exer­cise!

Think­ing back to some of the ear­li­er arti­cles in this series where I men­tioned the dif­fer­ent types of faults, you may recall that there are detectable and unde­tectable faults, and there are safe and dan­ger­ous faults, lead­ing us to four kinds of fault:

  • Safe unde­tectable faults
  • Dan­ger­ous unde­tectable faults
  • Safe detectable faults
  • Dan­ger­ous detectable faults

For sys­tems where no diag­nos­tics are used, Cat­e­go­ry B and 1, faults need to be elim­i­nat­ed using inher­ent­ly safe design tech­niques. Care needs to be tak­en when clas­si­fy­ing com­po­nents as “well-tried” ver­sus using a fault exclu­sion, as com­po­nents that might nor­mal­ly be con­sid­ered “well-tried” might not meet those require­ments in every appli­ca­tion. [2, Annex A], Val­i­da­tion tools for mechan­i­cal sys­tems, dis­cuss­es the con­cepts of “Basic Safe­ty Prin­ci­ples”, “Well-Tried Safe­ty Prin­ci­ples”, and “Well-tried com­po­nents”.  [2, Annex A] also pro­vides exam­ples of faults and rel­e­vant fault exclu­sion cri­te­ria. There are sim­i­lar Annex­es that cov­er pneu­mat­ic sys­tems [2, Annex B], hydraulic sys­tems [2, Annex C], and elec­tri­cal sys­tems [2, Annex D].

For sys­tems where diag­nos­tics are part of the design, i.e., Cat­e­go­ry 2, 3, and 4, the fault lists are used to eval­u­ate the diag­nos­tic cov­er­age (DC) of the test sys­tems. Depend­ing on the archi­tec­ture, cer­tain lev­els of DC are required to meet the rel­e­vant PL, see [1, Fig. 5]. The fault lists are start­ing point for the deter­mi­na­tion of DC, and are an input into the hard­ware and soft­ware designs. All of the dan­ger­ous detectable faults must be cov­ered by the diag­nos­tics, and the DC must be high enough to meet the PLr for the safe­ty func­tion.

The fault lists and fault exclu­sions are used in the Val­i­da­tion por­tion of this process as well. At the start of the Val­i­da­tion process flow­chart [2, Fig. 1], you can see how the fault lists and the cri­te­ria used for fault exclu­sion are used as inputs to the val­i­da­tion plan.

The diagram shows the first few stages in the ISO 13849-2 Validation process. See ISO 13849-2, Figure 1.
Start of ISO 13849–2 Fig. 1

Faults that can be exclud­ed do not need to val­i­dat­ed, sav­ing time and effort dur­ing the sys­tem ver­i­fi­ca­tion and val­i­da­tion (V & V). How is this done?

Fault Consideration

The first step is to devel­op a list of poten­tial faults that could occur, based on the com­po­nents and sub­sys­tems includ­ed in SRP/CS. ISO 13849–2 [2] includes lists of typ­i­cal faults for var­i­ous tech­nolo­gies. For exam­ple, [2, Table A.4] is the fault list for mechan­i­cal com­po­nents.

Mechanical fault list from ISO 13849-2
Table A.4 — Faults and fault exclu­sions — Mechan­i­cal devices, com­po­nents and ele­ments
(e.g. cam, fol­low­er, chain, clutch, brake, shaft, screw, pin, guide, bear­ing)

[2] con­tains tables sim­i­lar to Table A.4 for:

  • Pres­sure-coil springs
  • Direc­tion­al con­trol valves
  • Stop (shut-off) valves/non-return (check) valves/quick-action vent­ing valves/shuttle valves, etc.
  • Flow valves
  • Pres­sure valves
  • Pipework
  • Hose assem­blies
  • Con­nec­tors
  • Pres­sure trans­mit­ters and pres­sure medi­um trans­duc­ers
  • Com­pressed air treat­ment — Fil­ters
  • Com­pressed-air treat­ment — Oil­ers
  • Com­pressed air treat­ment — Silencers
  • Accu­mu­la­tors and pres­sure ves­sels
  • Sen­sors
  • Flu­idic Infor­ma­tion pro­cess­ing — Log­i­cal ele­ments
  • etc.

As you can see, there are many dif­fer­ent types of faults that need to be con­sid­ered. Keep in mind that I did not give you all of the dif­fer­ent fault lists — this post would be a mile long if I did that! The point is that you need to devel­op a fault list for your sys­tem, and then con­sid­er the impact of each fault on the oper­a­tion of the sys­tem. If you have com­po­nents or sub­sys­tems that are not list­ed in the tables, then you need to devel­op your own fault lists for those items. Fail­ure Modes and Effects Analy­sis (FMEA) is usu­al­ly the best approach for devel­op­ing fault lists for these com­po­nents [23], [24].

When con­sid­er­ing the faults to be includ­ed in the list there are a few things that should be con­sid­ered [1, 7.2]:

  • if after the first fault occurs oth­er faults devel­op due to the first fault, then you can group those faults togeth­er as a sin­gle fault
  • two or more sin­gle faults with a com­mon cause can be con­sid­ered as a sin­gle fault
  • mul­ti­ple faults with dif­fer­ent caus­es but occur­ring simul­ta­ne­ous­ly is con­sid­ered improb­a­ble and does not need to be con­sid­ered


#1 — Voltage Regulator

A volt­age reg­u­la­tor fails in a sys­tem pow­er sup­ply so that the 24 Vdc out­put ris­es to an unreg­u­lat­ed 36 Vdc (the inter­nal pow­er sup­ply bus volt­age), and after some time has passed, two sen­sors fail. All three fail­ures can be grouped and con­sid­ered as a sin­gle fault because they orig­i­nate in a sin­gle fail­ure in the volt­age reg­u­la­tor.

#2 — Lightning Strike

If a light­ning strike occurs on the pow­er line and the result­ing surge volt­age on the 400 V mains caus­es an inter­pos­ing con­tac­tor and the motor dri­ve it con­trols to fail to dan­ger, then these fail­ures may be grouped and con­sid­ered as one. Again, a sin­gle event caus­es all of the sub­se­quent fail­ures.

#3 — Pneumatic System Lubrication

3a — A pneu­mat­ic lubri­ca­tor runs out of lubri­cant and is not refilled, depriv­ing down­stream pneu­mat­ic com­po­nents of lubri­ca­tion.

3b — The spool on the sys­tem dump valve sticks open because it is not cycled often enough.

Nei­ther of these fail­ures has the same cause, so there is no need to con­sid­er them as occur­ring simul­ta­ne­ous­ly because the prob­a­bil­i­ty of both hap­pen­ing con­cur­rent­ly is extreme­ly small. One cau­tion: These two faults MAY have a com­mon cause — poor main­te­nance. If this is true and you decide to con­sid­er them to be two faults with a com­mon cause, they could then be grouped as a sin­gle fault.

Fault Exclusion

Once you have your well-con­sid­ered fault lists togeth­er, the next ques­tion is “Can any of the list­ed faults be exclud­ed?” This is a tricky ques­tion! There are a few points to con­sid­er:

  • Does the sys­tem archi­tec­ture allow for fault exclu­sion?
  • Is the fault tech­ni­cal­ly improb­a­ble, even if it is pos­si­ble?
  • Does expe­ri­ence show that the fault is unlike­ly to occur?*
  • Are there tech­ni­cal require­ments relat­ed to the appli­ca­tion and the haz­ard that might sup­port fault exclu­sion?

BE CAREFUL with this one!

When­ev­er faults are exclud­ed, a detailed jus­ti­fi­ca­tion for the exclu­sion needs to be includ­ed in the sys­tem design doc­u­men­ta­tion. Sim­ply decid­ing that the fault can be exclud­ed is NOT ENOUGH! Con­sid­er the risk a per­son will be exposed to in the event the fault occurs. If the sever­i­ty is very high, i.e., severe per­ma­nent injury or death, you may not want to exclude the fault even if you think you could. Care­ful con­sid­er­a­tion of the result­ing injury sce­nario is need­ed.

Bas­ing a fault exclu­sion on per­son­al expe­ri­ence is sel­dom con­sid­ered ade­quate, which is why I added the aster­isk (*) above. Look for good sta­tis­ti­cal data to sup­port any deci­sion to use a fault exclu­sion.

There is much more infor­ma­tion avail­able in IEC 61508–2 on the sub­ject of fault exclu­sion, and there is good infor­ma­tion in some of the books men­tioned below [0.1], [0.2], and [0.3]. If you know of addi­tion­al resources you would like to share, please post the infor­ma­tion in the com­ments!


3.1.3 fault
state of an item char­ac­ter­ized by the inabil­i­ty to per­form a required func­tion, exclud­ing the inabil­i­ty dur­ing pre­ven­tive main­te­nance or oth­er planned actions, or due to lack of exter­nal resources
Note 1 to entry: A fault is often the result of a fail­ure of the item itself, but may exist with­out pri­or fail­ure.
Note 2 to entry: In this part of ISO 13849, “fault” means ran­dom fault. [SOURCE: IEC 60050?191:1990, 05–01.]

Book List

Here are some books that I think you may find help­ful on this jour­ney:

[0]     B. Main, Risk Assess­ment: Basics and Bench­marks, 1st ed. Ann Arbor, MI USA: DSE, 2004.

[0.1]  D. Smith and K. Simp­son, Safe­ty crit­i­cal sys­tems hand­book. Ams­ter­dam: Else­vier/But­ter­worth-Heine­mann, 2011.

[0.2]  Elec­tro­mag­net­ic Com­pat­i­bil­i­ty for Func­tion­al Safe­ty, 1st ed. Steve­nage, UK: The Insti­tu­tion of Engi­neer­ing and Tech­nol­o­gy, 2008.

[0.3]  Overview of tech­niques and mea­sures relat­ed to EMC for Func­tion­al Safe­ty, 1st ed. Steve­nage, UK: Overview of tech­niques and mea­sures relat­ed to EMC for Func­tion­al Safe­ty, 2013.


Note: This ref­er­ence list starts in Part 1 of the series, so “miss­ing” ref­er­ences may show in oth­er parts of the series. Includ­ed in the last post of the series is the com­plete ref­er­ence list.

[1]     Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 1: Gen­er­al prin­ci­ples for design. 3rd Edi­tion. ISO Stan­dard 13849–1. 2015.

[2]     Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 2: Val­i­da­tion. 2nd Edi­tion. ISO Stan­dard 13849–2. 2012.

[3]      Safe­ty of machin­ery — Gen­er­al prin­ci­ples for design — Risk assess­ment and risk reduc­tion. ISO Stan­dard 12100. 2010.

[4]     Safe­guard­ing of Machin­ery. 2nd Edi­tion. CSA Stan­dard Z432. 2004.

[5]     Risk Assess­ment and Risk Reduc­tion- A Guide­line to Esti­mate, Eval­u­ate and Reduce Risks Asso­ci­at­ed with Machine Tools. ANSI Tech­ni­cal Report B11.TR3. 2000.

[6]    Safe­ty of machin­ery — Emer­gency stop func­tion — Prin­ci­ples for design. ISO Stan­dard 13850. 2015.

[7]     Func­tion­al safe­ty of electrical/electronic/programmable elec­tron­ic safe­ty-relat­ed sys­tems. 7 parts. IEC Stan­dard 61508. Edi­tion 2. 2010.

[8]     S. Joce­lyn, J. Bau­doin, Y. Chin­ni­ah, and P. Char­p­en­tier, “Fea­si­bil­i­ty study and uncer­tain­ties in the val­i­da­tion of an exist­ing safe­ty-relat­ed con­trol cir­cuit with the ISO 13849–1:2006 design stan­dard,” Reliab. Eng. Syst. Saf., vol. 121, pp. 104–112, Jan. 2014.

[9]    Guid­ance on the appli­ca­tion of ISO 13849–1 and IEC 62061 in the design of safe­ty-relat­ed con­trol sys­tems for machin­ery. IEC Tech­ni­cal Report TR 62061–1. 2010.

[10]     Safe­ty of machin­ery — Func­tion­al safe­ty of safe­ty-relat­ed elec­tri­cal, elec­tron­ic and pro­gram­ma­ble elec­tron­ic con­trol sys­tems. IEC Stan­dard 62061. 2005.

[11]    Guid­ance on the appli­ca­tion of ISO 13849–1 and IEC 62061 in the design of safe­ty-relat­ed con­trol sys­tems for machin­ery. IEC Tech­ni­cal Report 62061–1. 2010.

[12]    D. S. G. Nix, Y. Chin­ni­ah, F. Dosio, M. Fessler, F. Eng, and F. Schr­ev­er, “Link­ing Risk and Reliability—Mapping the out­put of risk assess­ment tools to func­tion­al safe­ty require­ments for safe­ty relat­ed con­trol sys­tems,” 2015.

[13]    Safe­ty of machin­ery. Safe­ty relat­ed parts of con­trol sys­tems. Gen­er­al prin­ci­ples for design. CEN Stan­dard EN 954–1. 1996.

[14]   Func­tion­al safe­ty of electrical/electronic/programmable elec­tron­ic safe­ty-relat­ed sys­tems — Part 2: Require­ments for electrical/electronic/programmable elec­tron­ic safe­ty-relat­ed sys­tems. IEC Stan­dard 61508–2. 2010.

[15]     Reli­a­bil­i­ty Pre­dic­tion of Elec­tron­ic Equip­ment. Mil­i­tary Hand­book MIL-HDBK-217F. 1991.

[16]     “IFA — Prac­ti­cal aids: Soft­ware-Assis­tent SISTEMA: Safe­ty Integri­ty — Soft­ware Tool for the Eval­u­a­tion of Machine Appli­ca­tions”, Dguv.de, 2017. [Online]. Avail­able: http://www.dguv.de/ifa/praxishilfen/practical-solutions-machine-safety/software-sistema/index.jsp. [Accessed: 30- Jan- 2017].

[17]      “fail­ure mode”, 192–03-17, Inter­na­tion­al Elec­trotech­ni­cal Vocab­u­lary. IEC Inter­na­tion­al Elec­trotech­ni­cal Com­mis­sion, Gene­va, 2015.

[18]      M. Gen­tile and A. E. Sum­mers, “Com­mon Cause Fail­ure: How Do You Man­age Them?,” Process Saf. Prog., vol. 25, no. 4, pp. 331–338, 2006.

[19]     Out of Control—Why con­trol sys­tems go wrong and how to pre­vent fail­ure, 2nd ed. Rich­mond, Sur­rey, UK: HSE Health and Safe­ty Exec­u­tive, 2003.

[20]     Safe­guard­ing of Machin­ery. 3rd Edi­tion. CSA Stan­dard Z432. 2016.

[21]     O. Reg. 851, INDUSTRIAL ESTABLISHMENTS. Ontario, Cana­da, 1990.

[22]     “Field-pro­gram­ma­ble gate array”, En.wikipedia.org, 2017. [Online]. Avail­able: https://en.wikipedia.org/wiki/Field-programmable_gate_array. [Accessed: 16-Jun-2017].

[23]     Analy­sis tech­niques for sys­tem reli­a­bil­i­ty – Pro­ce­dure for fail­ure mode and effects analy­sis (FMEA). 2nd Ed. IEC Stan­dard 60812. 2006.

[24]     “Fail­ure mode and effects analy­sis”, En.wikipedia.org, 2017. [Online]. Avail­able: https://en.wikipedia.org/wiki/Failure_mode_and_effects_analysis. [Accessed: 16-Jun-2017].