The FMEA is not only about preventing failures, it is primarily about making the system avoid a disaster when something fails. It goes right along with Fudds Third Law of Opposition: "If you push anything hard enough, it will fall down". Comonents will fail, the goal is to avoid injury and minimize damage.
As a former Ford Pinto owner, it's good to know Ford is putting that emphasis on gad tank integrity. I was in a rear-end collision in my Pinto. I was fortunate the gas tank was OK. Ford seem to have a pretty good safet run, that is until its Firestone problem.
Anticipating failures and preventing them is obviously one of the design goals of the conscientious engineer. This is not always possible, however. When exploring unknown territory, one must assume that not all failure modes can be, or have been, be anticipated. An engineer I worked with about 40 years ago coined the phrase "fail graceful" as an alternative to "fail safe." In other words, regardless of whatever causes a failure, try to design the system so that the results of the failure will be as benign as possible.
Interesting comment about the Ford Pinto gas tanks. I can tell you for certain that Ford now takes fuel tank integrity very seriously. I have watched a lot of their crash testing and the very first thing checked after a crash is fuel tank integrity. Also, even in a higher speed crash, 45 MPH or so, their fuel tanks don't even leak, let alone rupture. So it appears that they did learn a lot from their experience.
Your Titanic discussion is relevant as I believe that the threat was thought to have been designed for, a bow collision rather than scrapping along the hull, but even then, the first four bulkheads. It seems from the shows that I've seen, that the engineers' data indicated that most collisions were rammings that required a strong box and compartmentalized bulkheads to control leaks resulting from bow collisions. I would guess that shipbuilder and salvage experience supported this view, but this wasn't discussed to any great extent.
Therefore, the question would be whether the designers data indicated that compartmentalizing the first four bulkheads provided the required protection because water filling at the fifth would result in sinking regardless due to forces that could not be dealt with or that they just didn't consider compartmentalizing past the fourth.
My point is more about what the thought process was behind the design and what testing was possible at the time of design. The designers of the Titanic had the history of shipping and sinkings to consider and probably little in the way of actual testing. This contrasts to Ford and the Pinto in which Ford engineers uncovered the gas tank rupture problem in pre-production crash testing and management chose to ignore their concerns and design changes, for profit motives. Of course, White Star Line management chose to reduce the number of life boats for cosmetic reasons.
William - I certainly agree with your company's measures. At the time I was working in a test engineering department where we built test sets only for internal customers to test our product lines. Actually, the thumb switches were an innovation that I thought of when trying to brainstorm how to keep our operators safe. As a first rattle out of the box it wasn't a bad idea, but as you mentioned there are additional programming measures that can ensure a more fool proof operation. I guess I was naive as to the extent an operator would go to defeat my "safety feature" at the time...
Although it has been mentioned, FMEA, (failure mode effects analysis), if done adequately, is a very good risk reduction tool. But to be effective it does need to consider every part of the system that could fail in any way, as well as all of the potential modes of failure. So a rigerous FMEA is a big deal, not a small exercise. For the Titanic, evidently there was no anticipation of the possibility of a hull breach in the area of the dividing bulkhead, which lead directly to the sinking. If the same mechanism had been used to divide the ship into three or four segments it would most likely have saved the ship, or at least bought a lot more time.
ON the other side, there is almost no way to prevent a lrge enough human error from causing some kind of failure. I like the saying about the difference between wisdom and stupidity: "there are limits to wisdom, but there are no limits to stupidity". I am certain that it is absolutely correct.
@ChasChas: Engineering judgement means knowing what to worry about and what not to worry about. Sometimes, engineers spend an inordinate amount of time and energy worrying about a potential failure mode which is absurdly improbable, while ignoring other failure modes which are much more likely.
Unfortunately, I don't know of any reliable method to judge which failure modes are most likely, other than experience. When in doubt, it's probably better to investigate, rather than brushing off anything lightly.
Interesting about the operators adding the glove to fool your interlock. Most of the companies purchasing systems from us always mandate "anti-tiedown/ anti-repeat" functionality for the two handed safety system. That means that when the first button is operated there is only a short window of time during which the second button can complete the initiating circuit. Also, after the initiation function is delivered, both buttons must be released in order for another trigger to be generated. So jamming one button down would inhibit all of the machine operation.
Focus on Fundamentals consists of 45-minute on-line classes that cover a host of technologies. You learn without leaving the comfort of your desk. All classes are taught by subject-matter experts and all are archived. So if you can't attend live, attend at your convenience.