FMECA
Technical Manual
Failure Mode, Effects and Criticality Analysis — A complete reference for reliability engineers
Scope & Purpose
This manual provides a comprehensive technical reference for the application of Failure Mode, Effects and Criticality Analysis (FMECA). It is addressed to reliability engineers, design engineers, maintenance managers, safety practitioners, and quality professionals who require a consolidated reference covering both foundational theory and practical implementation.
The content integrates the requirements and procedures established in the U.S. military standard MIL-STD-1629A — which remains the most widely cited normative document for FMECA — and supplements them with concepts from the civil standard IEC 60812 and the automotive standard SAE J1739 / AIAG-VDA FMEA Handbook.
FMECA is a bottom-up, inductive analysis: it starts from individual component failure modes and traces their effects upward through the system hierarchy. This makes it complementary to top-down, deductive techniques such as Fault Tree Analysis (FTA).
Per MIL-STD-1629A §1.1, the standard establishes requirements and procedures for performing a FMECA to systematically evaluate and document, by item failure mode analysis, the potential impact of each functional or hardware failure on mission success, personnel and system safety, system performance, maintainability, and maintenance requirements. Each potential failure is ranked by the severity of its effect so that appropriate corrective actions may be taken to eliminate or control high-risk items.
Fundamentals
Definition & Historical Background
FMECA is a systematic reliability analysis methodology that identifies and documents all probable ways in which a component, assembly, or system can fail, evaluates the effects of each failure mode on system performance and safety, and assigns a quantitative criticality measure to each failure mode to support design decisions and risk prioritization.
The roots of the technique trace to the early 1950s, when the U.S. aviation industry developed it to improve airframe and propulsion reliability. The U.S. Navy formalized the first military standard version as MIL-STD-1629 (SHIPS) in November 1974. The definitive revision — MIL-STD-1629A, issued 24 November 1980 — superseded both MIL-STD-1629 (SHIPS) and MIL-STD-2070 (AS), the aviation-sector predecessor, and remains the primary normative reference to this day.
Per the MIL-STD-1629A foreword, the FMECA is an essential function in design — from concept through development. To be effective, the FMECA must be iterative to correspond with the nature of the design process itself. Timeliness is perhaps the most important factor distinguishing effective from ineffective FMECA implementation: its first purpose is the early identification of all catastrophic and critical failure possibilities so they can be eliminated or minimized through design correction at the earliest possible time.
FMEA vs. FMECA — Key distinctions
The two acronyms are often used interchangeably, but they refer to technically distinct analytical products:
| Dimension | FMEA | FMECA |
|---|---|---|
| Full name | Failure Mode and Effects Analysis | Failure Mode, Effects and Criticality Analysis |
| Approach | Qualitative | Quantitative (FMEA extended with CA) |
| Criticality | No numerical criticality computed | Criticality number Cm calculated per failure mode |
| Primary output | Failure mode and effects list | Failure mode list + criticality matrix |
| Data required | Design data, functions | Design data + failure rates λ, mode ratios α, β |
| Typical users | NASA, automotive (AIAG), medical devices | Defense, aerospace, nuclear, complex systems |
| Standard | IEC 60812, SAE J1739, AIAG-VDA | MIL-STD-1629A, IEC 60812 (both tasks) |
FMECA is in essence an FMEA to which the Criticality Analysis (CA) — MIL-STD-1629A Task 102 — has been appended. The CA quantifies the probability of occurrence and the severity of each failure mode to enable priority ranking and to support design corrective action decisions.
Standards & normative references
| Standard | Full title | Sector | Year |
|---|---|---|---|
| MIL-STD-1629A | Procedures for Performing a FMECA | Defense / General | 1980 |
| IEC 60812:2018 | Failure Modes and Effects Analysis (FMEA and FMECA) | Civil / Industrial | 2018 |
| SAE J1739 | Potential Failure Mode and Effects Analysis | Automotive | 2009 |
| AIAG-VDA FMEA | FMEA Handbook, 1st Edition | Automotive | 2019 |
| NASA-HDBK-1002 | Fault Tree and FMEA Handbook | Space / Aerospace | 2012 |
| MIL-HDBK-338B | Electronic Reliability Design Handbook | Defense | 1998 |
| MIL-STD-882E | Standard Practice for System Safety | Defense / Safety | 2012 |
| ARP 4761 | Guidelines and Methods for the Safety Assessment Process | Civil Aviation | 1996 |
Terminology
Key definitions (MIL-STD-1629A §3)
| Term | Definition |
|---|---|
| Failure mode | The observable manner in which an item fails to perform its required function. Examples: open circuit, short circuit, fracture, seizure, leakage. A single item may have multiple failure modes. |
| Failure cause | The physical or chemical processes, design defects, quality defects, part misapplication, or other processes that initiate the physical deterioration leading to failure. Examples: fatigue, corrosion, insulation breakdown, wear. |
| Failure effect | The consequence(s) a failure mode has on the operation, function, or status of an item. Classified as local effect, next higher level effect, and end effect. |
| Criticality | A relative measure of the consequences of a failure mode and its frequency of occurrence. Quantified by the criticality number Cm. |
| Single failure point (SFP) | A failure of an item, without redundancy or compensating provision, that would result in a mission failure or a Category I / II end effect on the system. |
| Compensating provision | Actions available to an operator to negate or mitigate the effect of a failure, including redundancy, safety devices, and alternative operating procedures. |
| Detection mechanism | The means or methods by which a failure can be discovered by an operator under normal system operation, or by maintenance crew through diagnostic action. |
| Undetectable failure | A failure mode for which no means of detection currently exists during normal system operation, presenting a latent hazard. |
| Corrective action | A documented design, process, procedure, or materials change implemented and validated to correct the cause of a failure or design deficiency. |
| Indenture level | The relative level of a hardware item within the system hierarchical structure. The initial indenture level is the highest level at which the FMECA is applied. |
Indenture levels
The FMECA is organized hierarchically by indenture levels, which represent the functional and physical decomposition of the system. The depth of analysis at each level is determined by the program objectives, the safety requirements, and the complexity of the system.
The initial indenture level is the highest level at which the analysis begins — typically the system interface with the customer or the end-item boundary. The analysis may descend to the piece-part level when safety-critical circuits or pyrotechnic devices are involved, as specified in MIL-STD-1629A §4.3.3.
Types of failure effects
Each failure mode is evaluated at three hierarchical levels of effect, as defined in MIL-STD-1629A §3.1.13:
- Local effect: the consequence of the failure mode on the operation, function, or output of the item under analysis (§3.1.13.1).
- Next higher level effect: the consequence as seen at the next higher indenture level (§3.1.13.2).
- End effect: the ultimate consequence on mission success, system availability, or safety at the highest indenture level; it determines the severity category (§3.1.13.3).
FMECA Methodology
Step-by-step process
An effective FMECA follows a structured sequence of activities, as outlined in MIL-STD-1629A §4:
- Plan and scope the analysis. Define objectives, system boundaries, mission phases, and the indenture level to be analyzed. Establish ground rules and assumptions to ensure consistent treatment of failure modes across the worksheet.
- Define the system and its functions. Develop the Functional Block Diagram (FBD) and Reliability Block Diagram (RBD). Understand the functional and physical hierarchy and identify interfaces between items.
- Gather design information. Collect technical specifications, engineering drawings, trade-study reports, parts lists, and reliability data (failure rates from MIL-HDBK-217, OREDA, NPRD, or manufacturer data sheets).
- Identify all failure modes. For each item at the selected indenture level, list all probable failure modes. Multiple failure modes per item are expected. Do not assume a single failure mode per component.
- Analyze the effects of each failure mode. Determine the local effect, next higher level effect, and end effect on mission success and safety.
- Classify severity. Assign the severity category (I–IV) to each failure mode based on its worst-case end effect, per MIL-STD-1629A §4.4.3.
- Identify detection and isolation methods. Document how each failure mode is detected by the operator and isolated by the maintenance technician.
- Identify compensating provisions. Document any redundancy, safety devices, or alternative procedures that mitigate the failure effect.
- Perform the Criticality Analysis (CA) — Task 102. Calculate the failure mode criticality number Cm and element criticality number Cr for each severity category.
- Construct the criticality matrix. Plot results to visually prioritize failure modes requiring corrective action.
- Document the FMECA report. Consolidate findings, recommendations, and the Single Failure Point list in the formal report per §4.5.
Per MIL-STD-1629A foreword: "The FMECA should be initiated as soon as preliminary design information is available at the higher system levels and extended to the lower levels as more information becomes available." An FMECA performed after design is frozen provides little value for corrective action.
FMEA worksheet — Column definitions
The worksheet is the primary documentation instrument. The following defines each standard column per MIL-STD-1629A Task 101:
| # | Column | Description |
|---|---|---|
| 1 | Sequence number | Unique serial reference identifying each row of the analysis for traceability. |
| 2 | Item name & function | Hardware designator (relay, valve, electronic module) or functional element under analysis and a concise statement of its required function. |
| 3 | Mission phase / operational mode | Phase of the mission or operational mode during which the failure mode is postulated (start-up, cruise, standby, shutdown). |
| 4 | Failure modes | All probable failure modes for the item under analysis. Each mode is assessed on a separate row. |
| 5 | Failure causes | Physical, chemical, or process mechanisms that initiate or contribute to the failure mode. |
| 6 | Local effect | Consequence of the failure mode on the item being analyzed (MIL-STD-1629A §3.1.13.1). |
| 7 | Next higher level effect | Consequence as seen at the next higher indenture level (§3.1.13.2). |
| 8 | End effect | Ultimate consequence on mission success, system availability, or safety (§3.1.13.3). |
| 9 | Severity classification | Category I (Catastrophic) through IV (Minor), assigned based on worst-case end effect. |
| 10 | Failure detection method | Means by which the operator detects the failure: visual alarm, audible warning, built-in test (BIT), instrumentation, or none. |
| 11 | Failure isolation | Procedure allowing the operator or maintainer to isolate the failure to the LRU/SRU level for corrective maintenance. |
| 12 | Compensating provisions | Redundancy, safety devices, or operational procedures that mitigate the failure effect. |
| 13 | Remarks | Pertinent clarifications, design improvement recommendations, or references to supporting analyses. |
Severity classification
MIL-STD-1629A §4.4.3 defines four severity categories, aligned with MIL-STD-882 system safety classification:
| Category | Name | Criterion | Illustrative examples |
|---|---|---|---|
| CAT I | Catastrophic | May cause death or loss of the weapon system (aircraft, ship, missile). | Loss of flight control; reactor control failure; structural collapse under load. |
| CAT II | Critical | May cause severe injury, major property damage, or mission loss. | Loss of main propulsion; brake system failure; uncontrolled fire. |
| CAT III | Marginal | May cause minor injury, minor property damage, or mission degradation. | Loss of secondary navigation; speed reduction; reduced communications. |
| CAT IV | Minor | Not serious enough to cause injury or system damage; results in unscheduled maintenance. | Cockpit indicator failure; HVAC malfunction; non-mission-critical sensor fault. |
The severity definitions above are oriented toward defense applications. In civil industries (process, railway, oil & gas), the categories are adapted by replacing military references with impacts on business continuity, environmental damage, personnel safety, and asset loss, while preserving the same four-category structure and boundary logic.
Typical failure modes by component type
| Component | Failure mode | Typical cause |
|---|---|---|
| Relay | Contacts fail shorted | Contacts welded by arc discharge |
| Relay | Contacts fail open | Dirty or corroded contacts |
| Relay | Coil fails open | Open-circuit winding |
| Transformer | Coil shorts | Insulation breakdown |
| Transformer | Coil fails open | Open-circuit winding |
| Electric motor | Bearings fail | Wear, lubrication failure |
| Electric motor | Brushes fail open | Worn or contaminated brushes |
| Electric motor | Coil fails shorted | Insulation breakdown |
| Hydraulic actuator | Leaks externally | Worn seals |
| Hydraulic actuator | Fails to return to position | Blocked return lines |
| Power supply (DC) | Loss of output | Internal component failure |
| Power supply (DC) | Unregulated output | Internal rectifier or capacitor failure |
| Power supply (DC) | Incorrect voltage level | Internal regulator failure |
| Switch (SPDT) | Contacts fail shorted | Contacts welded |
| Switch (SPDT) | Fails to activate | Mechanism failure or contamination |
| Control valve | Fails to open on command | Actuator solenoid failure; seized mechanism |
| Control valve | Fails to close on command | Seat deformation; debris obstruction |
Criticality Analysis
Purpose of the Criticality Analysis
The Criticality Analysis (CA) is the quantitative component that transforms a qualitative FMEA into a full FMECA. Its purpose is to rank and prioritize each failure mode according to the combined influence of its severity classification and its probability of occurrence during a defined mission phase.
The primary deliverable is the criticality matrix — a graphical tool that enables the engineering team to focus corrective action resources on the highest-risk failure modes and to identify single failure points requiring design attention.
Criticality number formula & parameters
Per MIL-STD-1629A Task 102, the failure mode criticality number is calculated as follows:
Cm = β × α × λp × t
where the four parameters are defined below:
| Parameter | Symbol | Definition | Source |
|---|---|---|---|
| Conditional probability of loss | β | Probability that the failure mode will result in the identified severity classification end effect, given that the failure mode occurs. Range 0–1. Guidance values: actual loss, β = 1.00; probable loss, 0.10 ≤ β < 1.00; possible loss, 0 < β < 0.10; no effect, β = 0. | Engineering judgment |
| Failure mode ratio | α | The fraction of the item's total failure rate attributable to this specific failure mode. Σα = 1.00 across all failure modes of a given item. | MIL-HDBK-338B, NPRD, manufacturer data |
| Part failure rate | λp | Total failure rate of the item under its specified operating environment (failures/hour or failures/cycle). | MIL-HDBK-217F, OREDA, NPRD-2016 |
| Mission operating time | t | Duration of the mission phase during which the item is operating, in hours (or in units consistent with λp). | Mission specification |
The item criticality number Cr for a given severity category is the sum of all failure mode criticality numbers belonging to that category for the same item:
Cr = Σ (Cm)n, n = 1 … j
where j is the number of failure modes of the item that fall in the severity category under consideration.
Example: a relay has a part failure rate λp = 2.0×10⁻⁵ failures/hour. For the failure mode "contacts fail shorted": α = 0.40, β = 1.00 (actual loss of protection), mission time t = 20 hours.
Cm = 1.00 × 0.40 × 2.0×10⁻⁵ × 20 = 1.6×10⁻⁴
Probability of occurrence levels
MIL-STD-1629A defines five qualitative probability levels for the vertical axis of the criticality matrix:
| Level | Name | Probability (p) — relative to total system failure probability |
|---|---|---|
| A | Frequent | p ≥ 0.20 — High probability of occurrence during system operating life. |
| B | Reasonably probable | 0.10 ≤ p < 0.20 — Moderate probability of occurrence. |
| C | Occasional | 0.01 ≤ p < 0.10 — Likely to occur sometime in the system life. |
| D | Remote | 0.001 ≤ p < 0.01 — Unlikely but possible over system life. |
| E | Extremely unlikely | p < 0.001 — So unlikely it can be assumed occurrence will not be experienced. |
Criticality matrix
The criticality matrix is the graphical product of the CA. Each failure mode is plotted at the intersection of its probability level (Y-axis) and its severity category (X-axis). The zone in which a failure mode falls guides corrective action priority: the closer it lies to the high-probability, Category I corner, the sooner it must be addressed.
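The Task 102 arithmetic above, carried through in code as an added example (this is not code from the manual or from MIL-STD-1629A). The first relay mode reproduces the figures from the example in this section (λp = 2.0×10⁻⁵ /h, α = 0.40, β = 1.00, t = 20 h); the two further K1 modes are constructed so that the Σα = 1.00 check and the summation of Cr over a severity category have something to act on. The level thresholds are the ones in the table above; the function applies them to whatever probability it is handed, because the manual defines p relative to total system failure probability, and how a raw Cm is normalised onto that scale is a choice the analyst has to state in the ground rules. The matrix rendering below uses each mode's own Cm as p purely to show the plotting mechanics.

```python
"""Criticality Analysis (MIL-STD-1629A Task 102) helpers.

Added example; not the manual's or the standard's code. Relay figures for
the first mode come from the text, the other two K1 modes are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

SEVERITY = ("I", "II", "III", "IV")   # X-axis of the criticality matrix
LEVELS = ("A", "B", "C", "D", "E")    # Y-axis, A = most frequent


@dataclass(frozen=True)
class FailureMode:
    item: str        # hardware designator, e.g. "K1"
    mode: str        # failure mode, e.g. "contacts fail shorted"
    severity: str    # "I" .. "IV"
    alpha: float     # failure mode ratio, Σα over the item's modes = 1.00
    beta: float      # conditional probability of loss, 0 .. 1
    lam: float       # part failure rate λp, failures/hour
    t: float         # mission operating time, hours


def cm(fm: FailureMode) -> float:
    """Failure mode criticality number: Cm = β · α · λp · t."""
    if not (0.0 <= fm.beta <= 1.0 and 0.0 <= fm.alpha <= 1.0):
        raise ValueError(f"{fm.item}/{fm.mode}: α and β must lie in [0, 1]")
    return fm.beta * fm.alpha * fm.lam * fm.t


def item_criticality(modes) -> dict:
    """Cr per (item, severity): sum of Cm over the item's modes in that category."""
    cr = defaultdict(float)
    for fm in modes:
        cr[(fm.item, fm.severity)] += cm(fm)
    return dict(cr)


def check_alpha_budget(modes, tol: float = 1e-9) -> dict:
    """Return items whose listed failure mode ratios do not sum to 1.00."""
    totals = defaultdict(float)
    for fm in modes:
        totals[fm.item] += fm.alpha
    return {item: s for item, s in totals.items() if abs(s - 1.0) > tol}


def probability_level(p: float) -> str:
    """Qualitative level A..E from the manual's threshold table. `p` is the
    probability relative to total system failure probability; the caller is
    responsible for that normalisation."""
    if p >= 0.20:
        return "A"
    if p >= 0.10:
        return "B"
    if p >= 0.01:
        return "C"
    if p >= 0.001:
        return "D"
    return "E"


def criticality_matrix(modes, level_of) -> dict:
    """Count failure modes per (level, severity) cell; `level_of` maps a
    FailureMode to its level so the normalisation stays with the caller."""
    grid = {(lv, sv): 0 for lv in LEVELS for sv in SEVERITY}
    for fm in modes:
        grid[(level_of(fm), fm.severity)] += 1
    return grid


def render_matrix(grid) -> str:
    """Plain-text matrix: rows A..E (probability), columns I..IV (severity)."""
    lines = ["      " + "".join(f"{sv:>6}" for sv in SEVERITY)]
    for lv in LEVELS:
        lines.append(f"{lv:>6}" + "".join(f"{grid[(lv, sv)]:>6}" for sv in SEVERITY))
    return "\n".join(lines)


# Constructed sample: the relay from the text plus two further modes of K1.
RELAY_MODES = [
    FailureMode("K1", "contacts fail shorted", "II", 0.40, 1.00, 2.0e-5, 20),
    FailureMode("K1", "contacts fail open", "II", 0.35, 0.50, 2.0e-5, 20),
    FailureMode("K1", "coil fails open", "III", 0.25, 1.00, 2.0e-5, 20),
]

if __name__ == "__main__":
    for fm in RELAY_MODES:
        print(f"{fm.item} {fm.mode:<24} Cat {fm.severity:<4} Cm = {cm(fm):.2e}")
    for (item, sev), cr in sorted(item_criticality(RELAY_MODES).items()):
        print(f"Cr[{item}, Cat {sev}] = {cr:.2e}")
    print("alpha budget violations:", check_alpha_budget(RELAY_MODES) or "none")
    # Illustration only: each mode's own Cm used as p for the level lookup.
    print(render_matrix(criticality_matrix(RELAY_MODES, lambda f: probability_level(cm(f)))))
```

Cr for K1 in Category II comes out at 2.3×10⁻⁴ (1.6×10⁻⁴ from the shorted contacts plus 7.0×10⁻⁵ from the open contacts), which is the figure that would be plotted for the item when the matrix is drawn at item rather than failure mode level.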
Related Engineering Disciplines
System safety — FTA interface
The FMECA is a primary input to Fault Tree Analysis (FTA). Category I and II failure modes identified with their associated probabilities become the basic events in the fault tree model. This synergy is required by MIL-STD-882E (Standard Practice for System Safety) and IEC 61025 (Fault Tree Analysis).
All failure modes without a compensating provision that produce Category I or II end effects must be documented in the Single Failure Point List (per MIL-STD-1629A §4.5.2.2). Each entry requires a design action, further analysis, or formal risk acceptance by the responsible authority. The SFP list is a mandatory deliverable of the FMECA report.
In civil aviation, the FMECA integrates into the ARP 4761 safety assessment process: the Functional Hazard Assessment (FHA) identifies failure conditions; the Preliminary System Safety Assessment (PSSA) uses the FMECA to verify design against safety requirements; and the System Safety Assessment (SSA) provides final evidence of compliance.
Maintainability engineering
MIL-STD-1629A Task 103 (FMECA — Maintainability Information) extends the standard FMEA worksheet with maintainability-specific columns for each failure mode:
- Estimated Mean Time To Repair (MTTR)
- Required skill level and personnel category
- Special tools and test equipment required
- Line Replaceable Unit (LRU) or Shop Replaceable Unit (SRU) identifier
- Logistic support: spare parts, technical manuals, support equipment
The fault detection and isolation times documented in the Task 101 FMEA worksheet are direct inputs to the MTTR calculation, making the FMECA foundational to the maintainability analysis program.
Logistics & Reliability-Centered Maintenance (RCM)
RCM, as defined in SAE JA1011 (Evaluation Criteria for RCM Processes), uses the FMECA as its analytical cornerstone. The failure modes and their causes — particularly those attributable to wear-out characteristics — provide the basis for determining appropriate maintenance task types and intervals.
Failure modes with wear-out causes and high criticality drive scheduled preventive maintenance tasks and component replacement intervals. Failure modes with a random (exponential) distribution are not reduced by scheduled replacement, whatever its frequency, and are better addressed by condition monitoring (predictive maintenance) or by redundancy in the design. The distinction is made explicit in the FMECA failure cause documentation.
Additionally, the FMECA supports the Logistics Support Analysis (LSA) process required by MIL-STD-1388. Every failure mode occurrence implies a corrective maintenance action — the FMECA provides the failure mode-level detail needed to size spare parts inventories, define maintenance procedures, and specify support equipment.
Industrial Applications
Sectors of application
| Sector | Standard / Framework | Key characteristics |
|---|---|---|
| Defense & naval | MIL-STD-1629A | Analysis to piece-part level for safety-critical items. Mandatory SFP list. Task 101–105 all applicable. |
| Civil aviation | ARP 4761, CS-25, DO-178C | FHA → PSSA → FMECA → SSA cycle. Design Assurance Level (DAL) classification per DO-178C/DO-254. |
| Automotive | AIAG-VDA FMEA (2019) | Design FMEA + Process FMEA + FMEA-MSR. Action Priority (AP) replaces RPN in 2019 handbook. |
| Nuclear | IEC 60812, NUREG-0492 | FMEA complements FTA. High independence requirements. Safety classification per RG 1.200. |
| Oil & gas | IEC 60812, API RP 14C, IEC 61511 | HAZOP + FMECA. Layer of Protection Analysis (LOPA). SIL verification per IEC 61511. |
| Railway | EN 50126, EN 50129, CENELEC | RAMS lifecycle integration. Safety Integrity Levels SIL 1–4. Common Cause Failure (CCF) analysis. |
| Medical devices | ISO 14971, IEC 62304, IEC 60601 | Risk management process. FMEA of design, process, and use. Essential Performance classification. |
Worked example — DC power distribution system
The following excerpt shows a simplified FMEA worksheet for a DC power distribution system aboard an industrial platform. The system supplies 28 V DC control power to multiple motor starters:
| Seq. | Item & function | Failure mode | Local effect | End effect | Sev. | Detection | β | α |
|---|---|---|---|---|---|---|---|---|
| 1.1 | Protection relay K1 — overcurrent protection for motor M1 | Contacts fail shorted | Unable to de-energize circuit | Loss of M1 overcurrent protection — catastrophic motor damage on fault | II | BIT alarm on panel | 0.50 | 0.30 |
| 1.2 | Protection relay K1 | Coil fails open | Relay fails to energize | Motor M1 inoperative — mission degradation, unscheduled maintenance | III | Panel indicator | 1.00 | 0.50 |
| 2.1 | 28 V DC power supply — control voltage for all motor starters | Loss of output | No control voltage available | Loss of all logic controls — complete mission loss | I | Supervisory alarm | 1.00 | 0.20 |
| 2.2 | 28 V DC power supply | Incorrect voltage level | Out-of-spec control voltage | Erratic control operation — possible mission loss | II | Panel voltmeter | 0.70 | 0.15 |
Failure mode 2.1 (loss of 28 V DC power supply output, Category I, no compensating provision identified) constitutes a single failure point and must be entered in the SFP list. The recommended design action is to incorporate a redundant power supply with automatic switchover, eliminating the SFP before design is frozen.
Criticality calculation — Item 2.1
Assume λp = 5.0×10⁻⁵ failures/hour (24 V DC supply, industrial grade), α = 0.20 (loss of output mode), β = 1.00, mission time t = 100 hours:
Cm = 1.00 × 0.20 × 5.0×10⁻⁵ × 100 = 1.0×10⁻³ → Category I, probability level C (Occasional)
This failure mode plots in the CRITICAL zone of the criticality matrix (Cat I / Level C), requiring immediate design corrective action.
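The worksheet excerpt and the Single Failure Point rule from the FTA interface section, processed as data in an added Python example (not code from the manual). The rows are transcribed from the table above; λp = 5.0×10⁻⁵ /h and t = 100 h are the values used in the item 2.1 calculation. Two things are assumptions: the relay failure rate of 2.0×10⁻⁵ /h (constructed, the excerpt gives none) and the empty compensating-provision field on every row (the excerpt documents none). Applied literally, the rule "Category I or II end effect with no compensating provision" flags the two Category II rows as well as 2.1, which the text names as the mandatory entry; in practice each of those rows needs either a documented compensating provision or its own SFP entry. The last two functions quantify the recommended redundant supply under the idealisation of two independent, identical supplies with perfect automatic switchover and no common-cause failure.

```python
"""Worksheet post-processing for the DC power distribution example.

Added example, not from the manual. Rows transcribed from the worksheet
excerpt; λp for the supply and t from the item 2.1 calculation. The relay
λp and the absence of compensating provisions are constructed assumptions.
"""
import math
from dataclasses import dataclass, replace
from typing import Optional

MISSION_TIME_H = 100.0


@dataclass(frozen=True)
class Row:
    seq: str
    item: str
    mode: str
    severity: str                    # "I" .. "IV"
    beta: float                      # conditional probability of loss
    alpha: float                     # failure mode ratio
    lam: float                       # λp, failures/hour
    compensating: Optional[str] = None   # redundancy, safety device, procedure


WORKSHEET = [
    Row("1.1", "Protection relay K1", "Contacts fail shorted", "II", 0.50, 0.30, 2.0e-5),
    Row("1.2", "Protection relay K1", "Coil fails open", "III", 1.00, 0.50, 2.0e-5),
    Row("2.1", "28 V DC power supply", "Loss of output", "I", 1.00, 0.20, 5.0e-5),
    Row("2.2", "28 V DC power supply", "Incorrect voltage level", "II", 0.70, 0.15, 5.0e-5),
]


def cm(row: Row, t: float = MISSION_TIME_H) -> float:
    """Cm = β · α · λp · t (MIL-STD-1629A Task 102)."""
    return row.beta * row.alpha * row.lam * t


def single_failure_points(rows) -> list:
    """§4.5.2.2 rule as the manual states it: Category I or II end effect and no
    compensating provision. Returns sequence numbers, Category I first."""
    sfp = [r for r in rows if r.severity in ("I", "II") and not r.compensating]
    return [r.seq for r in sorted(sfp, key=lambda r: ("I", "II").index(r.severity))]


def with_compensating_provision(rows, seq: str, provision: str) -> list:
    """Copy of the worksheet with a compensating provision recorded on row `seq`."""
    return [replace(r, compensating=provision) if r.seq == seq else r for r in rows]


def mode_probability(row: Row, t: float = MISSION_TIME_H) -> float:
    """Probability that the mode occurs during the mission for a constant
    failure rate: P = 1 - exp(-α · λp · t)."""
    return 1.0 - math.exp(-row.alpha * row.lam * t)


def redundant_pair_probability(row: Row, t: float = MISSION_TIME_H) -> float:
    """Loss of both channels of a redundant pair. Constructed idealisation:
    independent identical supplies, perfect switchover, no common cause."""
    return mode_probability(row, t) ** 2


if __name__ == "__main__":
    for r in WORKSHEET:
        print(f"{r.seq} {r.mode:<24} Cat {r.severity:<4} Cm = {cm(r):.2e}")
    print("SFP candidates:", single_failure_points(WORKSHEET))
    ps = next(r for r in WORKSHEET if r.seq == "2.1")
    print(f"P(loss of 28 V DC, single supply)  = {mode_probability(ps):.3e}")
    print(f"P(loss of 28 V DC, redundant pair) = {redundant_pair_probability(ps):.3e}")
    revised = with_compensating_provision(WORKSHEET, "2.1", "redundant supply, auto switchover")
    print("SFP candidates after design action:", single_failure_points(revised))
```

For item 2.1 the single-supply probability over the 100 h mission is about 1.0×10⁻³ and the idealised redundant pair about 1.0×10⁻⁶; the real figure sits between the two once common-cause failures and switchover reliability are accounted for, which is why the SFP entry is closed by a documented compensating provision and not by the arithmetic alone.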
Glossary
Key FMECA terms, standard abbreviations, and concise technical definitions:
| Term | Definition |
|---|---|
| Compensating provision | Design feature, redundancy, safety device, or operator action that negates or mitigates the effect of a failure mode, per MIL-STD-1629A §3.1.3. |
| Corrective action | A validated change in design, process, procedure, or materials implemented to eliminate the cause of a failure or design deficiency. |
| Criticality | A relative measure of the consequences of a failure mode and its frequency of occurrence, quantified by the criticality number Cm. |
| Criticality Analysis (CA) | The quantitative procedure by which each potential failure mode is ranked according to the combined influence of severity and probability of occurrence. Defined in MIL-STD-1629A Task 102. |
| Criticality matrix | A two-dimensional graph plotting each failure mode at the intersection of its severity category (X-axis) and probability level (Y-axis), used to prioritize corrective action. |
| Damage Mode and Effects Analysis (DMEA) | Analysis of a system to determine the extent of damage sustained from hostile weapon effects and the impact on continued system operation. Defined as MIL-STD-1629A Task 104. |
| Detection method | The means by which a failure is discovered by an operator during normal operation, or by maintenance personnel through diagnostic action (built-in test, instrumentation, visual inspection, or none). |
| End effect | The ultimate consequence of a failure mode on mission success, system availability, or safety. Determines the severity category assignment. Defined in MIL-STD-1629A §3.1.13.3. |
| Failure cause | The physical or chemical processes, design defects, quality defects, or other mechanisms that initiate the physical deterioration leading to a failure mode (§3.1.12). |
| Failure Mode and Effects Analysis (FMEA) | Qualitative analysis identifying and evaluating each failure mode and its effects. The foundation of FMECA; when extended with quantitative criticality analysis it becomes FMECA. |
| Failure Mode, Effects and Criticality Analysis (FMECA) | Systematic reliability methodology combining qualitative failure mode and effects analysis (FMEA) with quantitative criticality ranking (CA) to prioritize design corrective actions. |
| Failure mode | The observable manner in which an item fails to perform its required function. A single item may exhibit multiple failure modes, each analyzed separately. |
| Failure mode ratio (α) | The fraction of an item's total failure rate attributed to a specific failure mode. The sum of all α values for a given item equals 1.00. |
| Fault Tree Analysis (FTA) | A top-down, deductive analysis that models combinations of events leading to an undesired top-level event. Complementary to FMECA; uses FMECA failure modes as basic events. |
| Indenture level | The relative position of an item within the system hierarchy (system → subsystem → assembly → component → piece-part). The FMECA planning specifies the initial and lowest indenture levels. |
| Line Replaceable Unit (LRU) | A module or component designed for removal and replacement at the operational site (line maintenance) without specialized shop-level disassembly. |
| Local effect | The consequence of a failure mode on the operation or function of the specific item being analyzed, without reference to its effects at higher levels (§3.1.13.1). |
| Mean Time Between Failures (MTBF) | The expected operating time between successive failures for a repairable item. MTBF = 1/λ, where λ is the failure rate. A key input to the criticality calculation. |
| Mean Time To Repair (MTTR) | The average time required to restore a failed item to operational status. Determined by detection time, isolation time, access time, repair time, and verification time documented in Task 103. |
| Next higher level effect | The consequence of a failure mode on the operation, function, or status of the next higher assembly or subsystem in the indenture hierarchy (§3.1.13.2). |
| Reliability Block Diagram (RBD) | A graphical representation of the reliability relationships between system elements, showing series and parallel (redundant) configurations. Required input to FMECA planning. |
| Reliability-Centered Maintenance (RCM) | A systematic process for determining maintenance requirements of physical assets in their operating context (SAE JA1011). Uses the FMECA as its primary analytical input. |
| Risk Priority Number (RPN) | Automotive-sector metric (AIAG, legacy SAE J1739) calculated as Severity × Occurrence × Detection (each 1–10). Distinct from the MIL-STD-1629A criticality number Cm. Replaced by Action Priority (AP) in AIAG-VDA 2019. |
| Severity | The consequences of a failure mode; considers the worst potential consequence determined by the degree of injury, property damage, or system damage that could ultimately occur (§3.1.6). |
| Single failure point (SFP) | A failure of a single item that, without redundancy or compensating provision, results in mission failure or a Category I / II end effect. Must be listed in the mandatory SFP list. |
| Undetectable failure | A failure mode for which no detection means is available during normal system operation, creating a latent hazard that may only manifest upon demand or during maintenance checks. |
Bibliography
The following primary and secondary sources form the normative, technical, and academic basis of this manual:
- U.S. Department of Defense. MIL-STD-1629A: Procedures for Performing a Failure Mode, Effects and Criticality Analysis. Naval Air Engineering Center, Lakehurst, NJ. 24 November 1980.
- International Electrotechnical Commission. IEC 60812:2018 — Failure modes and effects analysis (FMEA and FMECA). 3rd ed. Geneva: IEC, 2018. (Supersedes IEC 60812:2006.)
- SAE International. SAE J1739:2009 — Potential Failure Mode and Effects Analysis in Design (Design FMEA), Potential Failure Mode and Effects Analysis in Manufacturing and Assembly Processes (Process FMEA), and Potential Failure Mode and Effects Analysis for Machinery (Machinery FMEA). Warrendale, PA: SAE, 2009.
- Automotive Industry Action Group (AIAG) & Verband der Automobilindustrie (VDA). Failure Mode and Effects Analysis: FMEA Handbook — 1st Edition. Southfield, MI: AIAG, 2019.
- U.S. Department of Defense. MIL-HDBK-338B: Electronic Reliability Design Handbook. 1 October 1998.
- U.S. Department of Defense. MIL-STD-882E: Standard Practice for System Safety. 11 May 2012.
- SAE International. ARP 4761: Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment. Warrendale, PA: SAE, 1996.
- NASA Office of Safety and Mission Assurance. NASA-HDBK-1002: Fault Tree Analysis Handbook. Washington, DC: NASA, 2012.
- Stamatis, D. H. Failure Mode and Effect Analysis: FMEA from Theory to Execution. 2nd ed. Milwaukee, WI: ASQ Quality Press, 2003.
- Blanchard, B. S., & Fabrycky, W. J. Systems Engineering and Analysis. 5th ed. Upper Saddle River, NJ: Prentice Hall, 2011.
- Moubray, J. Reliability-Centered Maintenance. 2nd ed. New York: Industrial Press, 1997.
- SAE International. SAE JA1011: Evaluation Criteria for Reliability-Centered Maintenance (RCM) Processes. Warrendale, PA: SAE, 1999.
- International Electrotechnical Commission. IEC 61025:2006 — Fault Tree Analysis (FTA). Geneva: IEC, 2006.
- MTain Reliability Resources. Reliability FMECA — Failure Mode Effects and Criticality Analysis [online]. mtain.com/relia/relfmeca.htm. Last updated: November 2006.
- CENELEC. EN 50126-1:2017 — Railway Applications: The Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS) — Part 1: Generic RAMS Process. Brussels: CENELEC, 2017.
- International Electrotechnical Commission. IEC 61511-1:2016 — Functional Safety: Safety Instrumented Systems for the Process Industry Sector. Geneva: IEC, 2016.