Failure mode effect analysis (FMEA) is done early in the design phase along with root cause analysis. In the example of the ship grounded, not sure why the captain decided to sail closer to the shore, however, auto navigation should have shown the safe level for the correct depth.
Interesting about the operators adding the glove to fool your interlock. Most of the companies purchasing systems from us always mandate "anti-tiedown/ anti-repeat" functionality for the two handed safety system. That means that when the first button is operated there is only a short window of time during which the second button can complete the initiating circuit. Also, after the initiation function is delivered, both buttons must be released in order for another trigger to be generated. So jamming one button down would inhibit all of the machine operation.
@ChasChas: Engineering judgement means knowing what to worry about and what not to worry about. Sometimes, engineers spend an inordinate amount of time and energy worrying about a potential failure mode which is absurdly improbable, while ignoring other failure modes which are much more likely.
Unfortunately, I don't know of any reliable method to judge which failure modes are most likely, other than experience. When in doubt, it's probably better to investigate, rather than brushing off anything lightly.
Although it has been mentioned, FMEA, (failure mode effects analysis), if done adequately, is a very good risk reduction tool. But to be effective it does need to consider every part of the system that could fail in any way, as well as all of the potential modes of failure. So a rigerous FMEA is a big deal, not a small exercise. For the Titanic, evidently there was no anticipation of the possibility of a hull breach in the area of the dividing bulkhead, which lead directly to the sinking. If the same mechanism had been used to divide the ship into three or four segments it would most likely have saved the ship, or at least bought a lot more time.
ON the other side, there is almost no way to prevent a lrge enough human error from causing some kind of failure. I like the saying about the difference between wisdom and stupidity: "there are limits to wisdom, but there are no limits to stupidity". I am certain that it is absolutely correct.
William - I certainly agree with your company's measures. At the time I was working in a test engineering department where we built test sets only for internal customers to test our product lines. Actually, the thumb switches were an innovation that I thought of when trying to brainstorm how to keep our operators safe. As a first rattle out of the box it wasn't a bad idea, but as you mentioned there are additional programming measures that can ensure a more fool proof operation. I guess I was naive as to the extent an operator would go to defeat my "safety feature" at the time...
Your Titanic discussion is relevant as I believe that the threat was thought to have been designed for, a bow collision rather than scrapping along the hull, but even then, the first four bulkheads. It seems from the shows that I've seen, that the engineers' data indicated that most collisions were rammings that required a strong box and compartmentalized bulkheads to control leaks resulting from bow collisions. I would guess that shipbuilder and salvage experience supported this view, but this wasn't discussed to any great extent.
Therefore, the question would be whether the designers data indicated that compartmentalizing the first four bulkheads provided the required protection because water filling at the fifth would result in sinking regardless due to forces that could not be dealt with or that they just didn't consider compartmentalizing past the fourth.
My point is more about what the thought process was behind the design and what testing was possible at the time of design. The designers of the Titanic had the history of shipping and sinkings to consider and probably little in the way of actual testing. This contrasts to Ford and the Pinto in which Ford engineers uncovered the gas tank rupture problem in pre-production crash testing and management chose to ignore their concerns and design changes, for profit motives. Of course, White Star Line management chose to reduce the number of life boats for cosmetic reasons.
Interesting comment about the Ford Pinto gas tanks. I can tell you for certain that Ford now takes fuel tank integrity very seriously. I have watched a lot of their crash testing and the very first thing checked after a crash is fuel tank integrity. Also, even in a higher speed crash, 45 MPH or so, their fuel tanks don't even leak, let alone rupture. So it appears that they did learn a lot from their experience.
Anticipating failures and preventing them is obviously one of the design goals of the conscientious engineer. This is not always possible, however. When exploring unknown territory, one must assume that not all failure modes can be, or have been, be anticipated. An engineer I worked with about 40 years ago coined the phrase "fail graceful" as an alternative to "fail safe." In other words, regardless of whatever causes a failure, try to design the system so that the results of the failure will be as benign as possible.
Truchard will be presented the award at the 2014 Golden Mousetrap Awards ceremony during the co-located events Pacific Design & Manufacturing, MD&M West, WestPack, PLASTEC West, Electronics West, ATX West, and AeroCon.
In a bid to boost the viability of lithium-based electric car batteries, a team at Lawrence Berkeley National Laboratory has developed a chemistry that could possibly double an EV’s driving range while cutting its battery cost in half.
For industrial control applications, or even a simple assembly line, that machine can go almost 24/7 without a break. But what happens when the task is a little more complex? That’s where the “smart” machine would come in. The smart machine is one that has some simple (or complex in some cases) processing capability to be able to adapt to changing conditions. Such machines are suited for a host of applications, including automotive, aerospace, defense, medical, computers and electronics, telecommunications, consumer goods, and so on. This discussion will examine what’s possible with smart machines, and what tradeoffs need to be made to implement such a solution.