PFMEA Severity (9-1) mitigation needed?

kenb

Starting to get Involved
We are working on a PFMEA where there is a potential failure mode that can expose operators to a hazard and it currently has severity of 9. The cause is identified as "equipment failure" and preventive maintenance is the current prevention control, with occurrence = 2. If the equipment fails, the entire system shuts down to protect the operators, so we gave detection a 1.

We've debated internally on whether 9 is correct or if we even need this failure mode because in reality this is extremely unlikely to happen due to system shutdown if equipment fails.

Do we still need an action plan or can we accept this risk, knowing that the interlock will shut down the system?

Thanks.
 

Tagin

Trusted Information Resource
Do we still need an action plan or can we accept this risk, knowing that the interlock will shut down the system?

Is there a practical way to test the interlocks regularly (e.g., at the beginning of a shift) to verify it shuts down the equipment?
 

Ron Rompen

Trusted Information Resource
The severity of a failure mode has no relationship to the likelihood of it happening, or the controls for detection or prevention. You have identified a possible failure mode and determined that the effect is Failure to Meet Safety and/or Regulatory Requirements (including your own internal requirements), which may endanger an operator WITH WARNING. If this can happen then it is definitely a 9.
 

kenb

Starting to get Involved
The severity of a failure mode has no relationship to the likelihood of it happening, or the controls for detection or prevention. You have identified a possible failure mode and determined that the effect is Failure to Meet Safety and/or Regulatory Requirements (including your own internal requirements), which may endanger an operator WITH WARNING. If this can happen then it is definitely a 9.

Is there a requirement that we MUST put action plan in place?
 

Johnnymo62

Haste Makes Waste
First, you have already an action in place. Whatever shuts the system down to protect the operator is a detection control. Now you just need to be able to test it and prove it will always function to protect the operator.

The Ford PPAP Handbook, in the PFMEA section, requires consideration for elimination or mitigation of severities of 9 or 10 during the process design phase. If it's not possible, there are other steps to take.
 

malasuerte

First, you have already an action in place. Whatever shuts the system down to protect the operator is a detection control. Now you just need to be able to test it and prove it will always function to protect the operator.

The Ford PPAP Handbook, in the PFMEA section, requires consideration for elimination or mitigation of severities of 9 or 10 during the process design phase. If it's not possible, there are other steps to take.

Couple of comments:

  • The shutdown is not "detection". As described, your Detection should be how likely you can detect the failure. So basically, you are saying the only way you can detect this failure is after the tool shuts down. Just something to think about, slightly unrelated to your OP.
  • Johnny's point is the main answer to your question: in order to change from a 9-10, you have to design out the risk completely. So in your instance, you would have to design out whatever can cause the hazard - so there is no hazard due to this failure.

Side note: if we even need this failure mode because in reality this is extremely unlikely to happen due to system shutdown if equipment fails.
  • The PFMEA is a tool to present possible risks. Just because it is unlikely, does not mean it is not worthy of being in the PFMEA. It is also a learning tool for the future. Maybe this risk increases years from now because of a new tool, or process or location - it will help to have it identified so others can learn from your experience/assessment.
  • Secondly, it feels like you are going about this particular failure mode from the wrong direction. From what I read, you have a 'Failure mode'; but you go on to say that the tool shuts down after the failure mode occurs. Is that correct? If I read that right, you have an FMEA line item addressing the potential outcome of the failure (the hazard), but not the failure mode itself. Your FMEA should be addressing the failure mode. The tool shutting down is not addressing the failure mode. It is the prevention of the hazard.
Sorry for the wordy response.

But I think you should keep the item and revisit it to possibly split it into 2 line items. That is my opinion.


As for the requirement to put an action plan in place, I will say - Any failure modes with Severity, Occurrence or Detection Ranking of 9 or 10 require improvement to reduce the risk, regardless of the RPN value.
 

kenb

Starting to get Involved
Couple of comments:

  • The shutdown is not "detection". As described, your Detection should be how likely you can detect the failure. So basically, you are saying the only way you can detect this failure is after the tool shuts down. Just something to think about, slightly unrelated to your OP.
  • Johnny's point is the main answer to your question: in order to change from a 9-10, you have to design out the risk completely. So in your instance, you would have to design out whatever can cause the hazard - so there is no hazard due to this failure.

Side note: if we even need this failure mode because in reality this is extremely unlikely to happen due to system shutdown if equipment fails.
  • The PFMEA is a tool to present possible risks. Just because it is unlikely, does not mean it is not worthy of being in the PFMEA. It is also a learning tool for the future. Maybe this risk increases years from now because of a new tool, or process or location - it will help to have it identified so others can learn from your experience/assessment.
  • Secondly, it feels like you are going about this particular failure mode from the wrong direction. From what I read, you have a 'Failure mode'; but you go on to say that the tool shuts down after the failure mode occurs. Is that correct? If I read that right, you have an FMEA line item addressing the potential outcome of the failure (the hazard), but not the failure mode itself. Your FMEA should be addressing the failure mode. The tool shutting down is not addressing the failure mode. It is the prevention of the hazard.
Sorry for the wordy response.

But I think you should keep the item and revisit it to possibly split it into 2 line items. That is my opinion.


As for the requirement to put an action plan in place, I will say - Any failure modes with Severity, Occurrence or Detection Ranking of 9 or 10 require improvement to reduce the risk, regardless of the RPN value.

I appreciate wordy responses such as this.

We realize that shutdown is a bit of a stretch for detection, but this is indeed how we'd know the equipment failed. As far as timing, my understanding is that if the equipment fails the interlock will shut it down quickly if not immediately. So you are technically correct that it happens after the failure mode occurs.

If we were to split this into 2 line items, are you suggesting one for the equipment failure and one for the interlock failure? If this is the case, our detection would likely be visual and drive our RPN way up to where we are forced to mitigate risk but there is no practicable solution.
 

malasuerte

I appreciate wordy responses such as this.

We realize that shutdown is a bit of a stretch for detection, but this is indeed how we'd know the equipment failed. As far as timing, my understanding is that if the equipment fails the interlock will shut it down quickly if not immediately. So you are technically correct that it happens after the failure mode occurs.

If we were to split this into 2 line items, are you suggesting one for the equipment failure and one for the interlock failure? If this is the case, our detection would likely be visual and drive our RPN way up to where we are forced to mitigate risk but there is no practicable solution.


Obviously, we could have plenty of chatter about this :) (i think this is a fun scenario, yes sick).

I am going to throw you a curveball, (and I say this from my perspective of a larger company), your FMEA should have a scope or perspective when you start. In our case, our PFMEA is built from the perspective of the quality/reliability of the outgoing product. In our case, the Safety items are handled separately.

If you don't have separate FMEAs (scopes), then to me it could be 2 lines. I would want to prevent the equipment failure and prevent the interlock failure. But as per above, at some point, you have to scope the FMEA. So maybe the equipment failure is not even called out and only the interlock failure?? But, what if the tool is running its process, this equipment failure occurs, it shuts down the tool, the product is ruined because it stopped mid-process and can't be recovered? So one line is Equipment Failure to prevent the misprocessing; one line for the interlock failure to prevent injury to the operator/s.

We could go round and round if we wanted to. I'm sure :) I certainly don't want to suggest doing more work, just for the sake of it.

But to the main question - for those 9/10 Sev scores, you should, in theory, still have an action plan. But that action plan could be "ask/recommend that future tool build design see if they can remove the risk of injury when the interlock fails."

Disclaimer: I think about things differently than most....and ask a lot of questions....My views are not for everyone. :ROFLMAO::ROFLMAO:
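The two rules discussed in this thread (severity is independent of occurrence and detection, and any S, O or D ranking of 9 or 10 forces an action plan regardless of RPN) encoded as a small PFMEA row evaluator, together with the suggested split into an equipment-failure line and an interlock-failure line. This is an added example, not code from any poster; the rankings for the two split rows are constructed placeholders, not values from the thread.

```python
from dataclasses import dataclass

# Rule stated in the thread (assumed here as the house rule): any Severity,
# Occurrence or Detection ranking of 9 or 10 requires improvement action,
# whatever the RPN works out to.
ACTION_THRESHOLD = 9


@dataclass(frozen=True)
class LineItem:
    """One PFMEA row; rankings are 1..10 on the usual AIAG-style scales."""
    failure_mode: str
    effect: str
    severity: int
    occurrence: int
    detection: int

    def __post_init__(self):
        for name in ("severity", "occurrence", "detection"):
            v = getattr(self, name)
            if not 1 <= v <= 10:
                raise ValueError(f"{name} must be 1..10, got {v}")

    def rpn(self) -> int:
        return self.severity * self.occurrence * self.detection

    def action_reasons(self) -> list:
        """Rankings that each independently trigger an action plan (empty = none)."""
        ranks = (("severity", self.severity),
                 ("occurrence", self.occurrence),
                 ("detection", self.detection))
        return [f"{name} = {v}" for name, v in ranks if v >= ACTION_THRESHOLD]

    def action_required(self) -> bool:
        # Low occurrence or detection never offsets a 9/10 severity.
        return bool(self.action_reasons())


# The original post's row as rated (S=9, O=2, D=1).
ORIGINAL = LineItem("Equipment failure", "Operator exposed to hazard (with warning)", 9, 2, 1)

# The two-line split suggested above; rankings here are constructed placeholders.
SPLIT = [
    LineItem("Equipment failure", "Product ruined mid-process", 7, 2, 3),
    LineItem("Interlock fails to shut down", "Operator injury", 9, 1, 8),
]


def evaluate(items):
    """Return (failure_mode, rpn, action_required, reasons) for each row."""
    return [(i.failure_mode, i.rpn(), i.action_required(), i.action_reasons()) for i in items]


if __name__ == "__main__":
    for row in evaluate([ORIGINAL, *SPLIT]):
        print(row)
```

The original row comes out with RPN 18 yet still flagged for action on severity alone, which is the point both Ron and malasuerte make.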
 

Jim Wynne

Leader
Admin
It occurs to me that it's possible, and perhaps likely, that this situation should never have made it to the PFMEA form to begin with. Things that are possibly hazardous but extremely unlikely should be weeded out in the first step of the PFMEA process, which should be some form of brainstorming. We could, to use an extreme example, rule out asteroid strikes and machines blowing up if there's no good reason to suspect that either is likely to happen.
 