The FMEA Mini-Series: Using an FMEA vs. SxO for Prioritizing


Fully vaccinated are you?
Parachute: Design Intent is to reduce descent speed to survivable rate. The slower, the better.

Device failure mode: Chute does not open.
Device failure effect: Probable death.
Design change: Add small extra parachute so if main chute fails, the small chute can be deployed.

New failure effect: Probable broken leg bones.


Example of 'severity of failure' change as a result of a design change.

[This message has been edited by Marc Smith (edited 17 April 2001).]

Help Me

My point is that then the small chute design has to be addressed. And the severity of the second chute failing to deploy is every bit as severe as a failure of the main chute to deploy.

If you get to the point where this chute is required and it, too, doesn't deploy, how have you reduced the overall severity? I don't think you have.

Sure, you have reduced the severity of the main chute not deploying (Assuming that the secondary chute deploys). If anything, the addition of the second chute has reduced the occurrence of the catastrophic failure (my earlier contention). But, the same severity exists no matter how many redundant chutes fail. Though, the occurrence will hopefully improve (eventually, one of the dang chutes will probably deploy).

I guess I am still missing something.

I'll keep thinking about it if you will.

Kevin Mader

One of THE Original Covers!
I design a facial razor. It is rather crude and has no guard of any type (a razor blade on an old tooth brush). I can cut myself pretty good with this thing. Heck, I might be able to cut my jugular vein and die. Severity: 10

Now I like living. I like my customers to live too, so I design a safety razor. Pretty slick, but I can still cut myself. At present, my design will cut, but it would take great effort to kill myself. Severity: 9

This is a pretty extreme example, but with some time, we could all come up with things in our lives/work that if the design is changed, will result in a lower severity rating.




Fully vaccinated are you?
->My point is that then the small chute design has to be
->addressed. And the severity of the second chute failing to
->deploy is every bit as severe as a failure of the main
->chute to deploy.

Assuming a design FMEA, the DFMEA is about a product. A parachute. In the 'old days' it was nothing more than a half a bag with strings. As the design evolved different things happened. But the point is you take possible failures (e.g.: chute does not deploy) and rate them. Yes - if the main chute doesn't deploy and the small chute doesn't deploy you're still up s__t creek. But the probability of both failing is small compared to only 1 not deploying.

And, we're rating each failure mode individually. If you decide you want to assess what will happen if multiple failures occur simultaneously you're going to be getting into a more complicated analysis.

->If you get to the point where this chute is required and
->it, too, doesn't deploy, how have you reduced the overall
->severity? I don't think you have.

The second chute is like adding a safety to a gun. It's not specifically required (or wasn't long ago). It's an enhancement of the gun design.

You should stop thinking about each possible individual failure mode as a catastrophic failure which causes the whole device (the product as a whole) to fail. This can happen but not always.

Just some thoughts.

Al Dyer

Just to add,

Severity applies to Effect and there can be multiple Modes which have their own Severity which can be internal or external customers.

If need be for internal Severity, we can, and should define our own evaluation and ranking criteria.

Back to real life, Severity is defined by the customer and can be influenced by our suggestions to improve their processes. We all realize that during a PFMEA we have to "assume" that the DFMEA is viable.

MHO and waiting for more responses!


Help Me

I still hold that all you are really doing by adding safety chutes is favorably affecting the occurrence, therefore the overall RPN.

It is quite possible that the designer/manufacturer of the safety chute is not the same party that is designing/manufacturing the safety chute (remember, the chute example is hypothetical).

Since this forum is heavily automotive, I will try to use an automotive example:

The function of the wheels on the car is to provide directional stability. If a wheel falls off because the one and only lug nut included in the design falls off, the result is loss of vehicle control, possible injury/death.

Through analysis it is determined that three lug nuts are sufficient to retain the wheel in any real world situation. Being a very safety conscious engineer (btw, I might want to drive one of these things) I decide that if three is sufficient, I will add three more to my design. This is kind of like replacing the razor blade on a stick with a safety razor (which, btw, doesn't eliminate the potential for cutting the jugular. It just reduces the occurrence to nil).

Now I have 6 lug nuts in my design.

DOES THIS REDUCE THE SEVERITY OF THE FAILURE MODE: LOSING A WHEEL? Absolutely not. If the wheel falls off, I still have the potential of injury/death. Yes, this is another catastrophic event. But, by definition, that is what a severity 9-10 is.

Now, is the 6 lug wheel going to fall off? Very unlikely. But that doesn't change the severity of the failure effect should it happen.

Isn't that what a design FMEA does? Take into consideration the:
Severity X Occurrence X Detection = RPN

From a design standpoint I have to appreciate a high severity. That high severity makes me pay particular attention to occurrence and detection factors.

The essence of a Design FMEA is, as it should be, to "What if" the design to death.


Fully vaccinated are you?
You continue to equate this to a catastrophic failure of the entire product. FMEAs look at one potential failure at a time. Just because you can cite one failure for which the severity may not change does not mean the severity of all possible failure modes is not changeable. If you design in 6 lugs because 3 are deemed to be the least necessary to ensure against catastrophic failure (a common practice is to over-design) and your potential failure mode is lug nut or stud failure, its severity rating will indeed be lowered from what the severity would be if you only had 1 lug nut and the nut or stud failed. If 1 lug nut or stud fails and there are 6 total, the severity of the failure of a lug nut or stud is next to nothing. Technically your FMEA could include line items (potential failure modes) for each - 1 lug fails, 2 lugs fail, 3 lugs fail, etc., but that is a bit much. If more than 3 lugs fail it is probably in response to an accident, hitting a high curb or other significant event.

You also have to look at the wording of your DFMEA. If the potential failure mode is lug nut failure, the potential effect will probably not be that the whole wheel will fall off if one fails (if you have 6 lug nuts). If you have only 1 lug nut then the potential effect of the failure mode would undoubtedly be that the wheel will fall off. So - by changing the design you have also changed the potential effect(s) of the failure.

So - with 1 lug nut the potential effect of the failure of a lug / stud is very serious. With a re-design to include 6 lug nuts total, the potential effect of a lug / stud failure isn't very significant. If you now take it to the extreme and say "...I want to address the issue of all studs failing simultaneously..." you have to put that in as a line item in and of itself as a potential failure mode.

Part of the misconception here may be from the fact that in a process FMEA the ONLY way to reduce severity is through a design change. This is typically true of Design FMEAs as well.

Another possible source of confusion here is that it is NOT necessarily true that every severity rating CAN be reduced. For SOME failure modes there is very little you can do to reduce severity of the potential effects. If your DFMEA line item for a Potential Failure Mode reads 'Failure of all lugs / studs simultaneously' there is not much you can do to address severity.

Then again, with all the new electronics coming into play, this, too, may be reduced in the future (if it is not already) by recognition of the loss of traction, car body position, etc. So - you may, through a design change where a computer helps maintain control, in fact reduce the severity of all lugs / studs failing at the same time. The reduction in severity may be small, but it is there. It may be that losing a tire in and of itself, for any reason, is not so much a problem because the computer helps maintain lateral stability.

BTW - I have had tires fall off of a car I was driving twice. Once while pulling a loaded horse trailer a rear drive wheel of my van fell off (someone stole 3 of 5 lugs off each wheel the night before but I didn't notice them missing) and once a front tire on a car I had (it had mags and like with the van someone decided they wanted my lug nuts late at night). Neither time did I lose control nor did I really feel I had lost control. Luckily I was on an expressway both times (and I won't begin to get into the flats I've had in my life).

To go to the extreme, you could put in a DFMEA a line item for a Potential Failure Mode of all lugs / studs on all wheels simultaneously failing with the Potential Effect being all wheels fall off of the car at the same time.

Bottom line is you miss the step where your design change (1 nut to 6) changes the effect of the failure.

With only 1 nut, the effect of the failure of 1 nut is the wheel falls off. With 6 nuts, the effect of the failure of 1 nut is not very severe at all. To address the failure of all 6 simultaneously a new Potential Failure Mode line item has to be added.

Help Me

Wellll, Marc and others,

The point I have been trying to make (unsuccessfully) is that the severity of the POTENTIAL effect of a failure cannot be reduced with a design change to that system in question. The anecdotal evidence of maintaining control of one vehicle after losing a wheel is, indeed, good news! Though, a less skilled driver, in different conditions, may not have been so lucky. But, maybe I made a mistake by choosing a bad HYPOTHETICAL (I wish I could make that word boldface and about 14 font sizes larger). So, I will refrain from trying to use any additional hypotheticals.

I also agree that the switch to 6 lug nuts would drive new line items. One of which would have to be all 6 lug nuts failing simultaneously. High severity/extremely low occurrence (where have I heard this before?) Likewise, for the secondary, tertiary, nth chute. Severity for the main chute not deploying reduces because the high severity ranking trickles down to the nth chute. Though, eventually, you would run out of altitude before you run out of chutes, I suppose (HYYYYYYPOTHHHHETTTTTTTTTTICALLLLLLLLL).

The bottom line is that our ISO team where I work have picked up on the verbiage in the FMEA manual that says that severity rankings can only be reduced by design changes. Therefore, in their minds, any severity ranking of 9-10 is not acceptable and must be reduced by way of design changes.

It is encouraging that you have stated that not all severity rankings can be reduced through design change. Unfortunately, they do not share your interpretation. In their minds, if any severity rankings can be addressed (Lowered) with a design change, then, all severity rankings can.

I know I am going to tick you all off again. But, I still think the design changes you have suggested in your responses to my hypothetical cases only serve to shift the high severity rankings to another component/system.

I am going to quit posting on this subject as I cannot seem to make my point clear.


Fully vaccinated are you?
You're not 'ticking off' anyone.

On 17 April 2001 you said:

-> I would suggest that there is NO way to
->lower a severity rating with a design change.

If you approach it from the point of view of a system FMEA (as you now are) and your line item for the potential failure is a wheel falling off (due to whatever reason), you can change the design so that the severity of the effect of the failure (the wheel falling off) can be reduced. I can think of lots of ways - some of which would be pretty far fetched, but nonetheless...

[This message has been edited by Marc Smith (edited 18 April 2001).]