Every month in FMEA Corner, join Carl Carlson, a noted expert in the field of FMEAs and facilitation, as he addresses a different FMEA theme (based on his book Effective FMEAs) and also answers your questions.
Questions and answers are a great way to learn about FMEAs, for both experienced and less experienced FMEA practitioners. Please feel free to ask any question about any aspect of FMEAs. Send your questions to Carl.Carlson@ReliaSoft.com, and your contact information will be kept anonymous. All questions will be answered, even if they are not included in the FMEA Corner.
con·trol [kuhn-trōl, noun]
In an FMEA, controls are the methods or actions currently planned or already in place to reduce or eliminate risk. Controls can be the methods to prevent or detect the cause during product development, or can be actions to detect a problem during service before it becomes catastrophic. There can be many controls for each cause.
Prevention-type design controls describe how a cause, failure mode or effect in the product design is prevented, based on current or planned actions. They are intended to reduce the likelihood that the problem will occur, and are used as input to the occurrence ranking.
Detection-type design controls describe how a failure mode or cause in the product design is detected, based on current or planned actions, before the product design is released to production, and are used as input to the detection ranking. Detection controls are intended to increase the likelihood that the problem will be detected before it reaches the end user.
Prevention-type process controls describe how a cause, failure mode or effect in the manufacturing or assembly process is prevented, based on current or planned actions. They are intended to reduce the likelihood that the problem will occur, and are used as input to the occurrence ranking.
Detection-type process controls describe how a failure mode or cause in the manufacturing or assembly process is detected, based on current or planned actions, before the item is shipped from the manufacturing or assembly plant, and are used as an input to the detection ranking.
FMEA Tip of the Month
When identifying controls to enter into your FMEA, it is important to realize that these are the currently planned controls, not controls that have yet to be established or that will be changed. The idea is to list the controls that are in place or will be used if no changes are made to current program plans. If the FMEA team wishes to add, modify or delete design or process controls, they should use the recommended action column.
If no prevention or detection controls are applicable for a given failure mode/cause, the FMEA team should leave the corresponding column blank.
In an FMEA, which of the following is true about a "control"? (Select all that apply)
1. A "control" is the specific recommendation by the FMEA team to control the risk associated with the cause of failure.
(False. Controls are the methods or actions that are planned or currently in place to reduce or eliminate the design-related risk associated with the cause of failure. Recommendations need to be in the Recommended Actions column of the FMEA.)
2. A "control" needs to be taken to the level of root cause of the failure.
(False. Causes in the FMEA need to be taken to the level of root cause, not controls.)
3. There are often two types of controls identified in an FMEA: prevention-type controls and detection-type controls.
4. "Controls" are the methods or actions that are not currently planned, but need to be done to reduce or eliminate the design-related risk associated with the cause of failure.
(False. Controls are methods or actions that are planned or currently in place.)
5. "Controls" are the methods or actions that are planned or currently in place to reduce or eliminate the design-related risk associated with the cause of failure.
October Beginner’s Solution
In an FMEA, which of the following is true about a “function”? (Select all that apply)
1. A “function” is what the item is intended to do, and can be listed with or without respect to any standard of performance. (False. A function description needs to include the standard of performance. It is the function statement including the standard of performance that allows the FMEA team to determine the failure modes.)
2. A “function” is what the item is intended to do, usually to a given standard of performance. (True)
3. There is always one function for each item in an FMEA. (False. There can be many functions for an item.)
4. The function description in an FMEA must include the consequence or impact on the end user. (False. An effect must include the consequence or impact on the end user, not a function.)
[The intermediate problem repeats the scenario from previous months. This month, readers will be asked to continue the analysis by identification of a control.]
Scenario: On June 12, 1972, an American Airlines DC-10 aircraft lost its aft cargo door soon after taking off from Detroit. We'll use this incident to practice identifying the elements of an FMEA. Here is the background to the FMEA problem.
McDonnell Douglas learned from cabin pressure testing that an improperly closed cargo door could burst open due to loss of cabin pressure, potentially resulting in the floor of the passenger compartment crashing down into the cargo compartment. The temporary solution was to put a vent flap in the door that would close by the same linkage that shut the cargo door, which would keep the airliner from holding pressure unless the cargo door was safely latched, thereby alerting the pilot to the problem. However, a bit of excessive force by a baggage handler shutting the door could make the vent flap close even though the cargo door was not fully latched.
The DC-10 with the cargo door vent flap was put back in service. On a brief layover before the Flight 96 leg to Detroit, a cargo handler had trouble shutting the rear cargo door, but managed to get it shut with a little extra force. Since the door-latch signaled "closed," the warning light in the cockpit did not show a problem. However, the force the cargo handler used to shut the door bent a metal linkage on the inside of the door, preventing it from closing properly. The air pressure during ascent generated too much force on the bent door linkage. It sheared off the pins, releasing the door. The cabin near the door collapsed and jammed the control cables to the tail. The rest is tragic history.
The probable failure sequence of the DC-10 cargo door is:
- Airline cargo handler uses extra force to close rear door, bending door pin. Door does not securely close.
- The door vent flap does not trigger the electronic alarm, and the pilot is not notified the cargo door failed to lock securely.
- The air pressure outside the cargo door drops during ascent, until pressure on the door from the inside causes the door-latch pin to shear. The cargo door blows out.
- High-pressure air inside the cabin collapses the floor, resulting in hydraulic lines and cables becoming non-functional.
We'll use the door latch-pin failure on the DC-10 cargo door latching subsystem as an example to practice identifying functions, failure modes, effects, causes and controls, based on the cargo door latch-pin failure history.
In previous months, we focused on one possible function, one possible failure mode for the identified function, and one possible effect of the failure. The answer for the function of the door latch-pin was something similar to "fully secure the cargo door in the closed position during all operating loads and environmental conditions without allowing the door to close unless fully latched;" for the failure mode, it was something similar to "Door latch pin bends under maximum stress loading;" and for the effect of the failure it was something similar to "bent latch pin allows the door to appear to be closed when it is not fully secure, thus failing to abort airplane takeoff, potentially creating a pressure differential between inside and outside air, with the possibility of catastrophic cargo door blowout during flight."
This month we’ll focus on controls for the failure of the door latch-pin of the DC-10 cargo door.
Problem: Use the door latch-pin failure of the DC-10 cargo door latching subsystem as an example to identify one prevention-type control and one detection-type control for the cause "specification of pin material has inadequate hardness."
Answer: For the prevention-type control, your answer could be something like "Latching material selection based on ANSI standard #XYZ." For the detection-type control, your answer could be something like "Cargo door slam test #123."
Note, these are not necessarily the best controls for this failure mode/cause. The controls are what is currently planned or in place. The FMEA team should review the risk associated with this failure mode/cause and make recommendations to not only improve the robustness of the design, but also improve the effectiveness of the controls. All recommendations will go in the Recommended Actions column of the FMEA.
Scenario: You’ve been hired into the ABC Snowblower Company to assist with FMEAs. One of the problems you have been told to address is the problem where snow can build up in the auger, jamming it and stalling the motor. Under the current design, it is possible for users to reach into the auger area to unjam the auger. The marketing department wanted users to unjam the auger easily, as part of the new drive to increase customer satisfaction. However, this is complicated by the fact that the auger could deform before applying enough resistance to the motor to turn it off. If the jam is cleared by hand, it is possible for the auger to return to its natural shape suddenly and with great force, possibly injuring the user. There have been reports of injuries when users tried to clear the jammed auger by hand. The ABC Snowblower management wants you to address this problem by putting verbiage into the snowblower user’s manual warning against reaching into a jammed auger and telling users to instead use a broom handle.
Problem: You are doing a System FMEA on the snowblower. Assuming one of the functions of the snowblower is to throw snow safely and smoothly without jamming, answer the following questions:
1: How would you describe one potential failure mode and effect for this problem?
Answer: One of the potential failure modes of the function "to throw snow safely and smoothly without jamming" could be "auger jamming," which is the manner in which the item does not perform the intended function.
One potential effect of "auger jamming" could be "snowblower stops running; user reaches into the auger area to unjam the auger, resulting in the blower resuming operation, with potential for serious injury."
2: Is it possible to reduce the severity of the effect? If so, what might you recommend? If not, why not?
Answer: It is theoretically possible to reduce the severity of effect. This would require a design change making it impossible for a user to reach into the auger area while the snowblower is capable of operating. As long as it is possible for a user to reach into the auger area while the snowblower is capable of operating, the severity of the effect of the failure mode remains very high.
3: Does an entry in the user’s manual warning against reaching into a jammed auger reduce the severity of the effect? Why?
Answer: A user manual entry may satisfy a legal requirement, but by itself, it does not reduce the severity of the effect. Only a design change making it impossible for a user to reach into the auger area while the snowblower is capable of operating will reduce the severity of the effect.
4: Assuming jamming can occur when a foreign object becomes lodged in the auger, is this a root cause? Why?
Answer: A foreign object becoming lodged in the auger area may be one of the events that precipitates a failure, but it is not a root cause. A root cause is the underlying reason for the failure mode, discovered by asking why until the team is satisfied that the progression of cause-and-effect relationships behind a problem is fully understood. For example, the snowblower may be designed to cease operating in a safe manner if a large foreign object is encountered. Other than a designed-in safe cessation, jamming may be brought about by auger deformation, underpowered motor, or other reasons. The team would need to examine all the potential causes of jamming and be sure each potential cause is taken to root cause.
I’ve always wanted to know about FMEAs
"A prudent question is one-half of wisdom." Francis Bacon
A HotWire reader submitted the following question to Carl Carlson. To submit your own question about any aspect of FMEA theory or application, e-mail Carl at Carl.Carlson@ReliaSoft.com.
Reader: First, let me say I am enjoying your book. We are looking at doing a DFMEA on wire harnesses for a combine. We would like to do one generic FMEA on harnesses and use it as a reference for other FMEAs, since we typically cover the signal requirements for control and feedback in the different system FMEAs. What are your thoughts?
Carl: I'm glad you are enjoying the book. Regarding your question on wiring harnesses, here are my thoughts. As you suggest, it may be possible to develop a generic wiring harness Design FMEA, which can be the repository for the functions, failure modes, effects, causes and controls for a generic wiring harness. This is provided the various wiring harnesses are similar enough to be represented in one FMEA. The generic FMEA can then be used as a starting point for application FMEAs, and can save time and improve effectiveness. The signal communications can be included (as you say) in a properly done System FMEA, or in a separate Software FMEA. Don’t forget to consider the interfaces between the wiring harnesses and other components and subsystems, both software and hardware. The interfaces must be included somewhere, either in the System FMEA, Subsystem FMEAs or in other FMEAs. The key is to "make it visible" with the use of FMEA block diagrams and other visual depictions, such as p-diagrams, functional block diagrams and FMEA interface diagrams, as covered in chapter 5 of my book. With visible diagrams, you can be sure that all interfaces and functions are properly covered. Let me know if you have any other questions. And best of luck to you!
About the Author
Carl S. Carlson is a consultant and instructor in the areas of FMEA, reliability program planning and other reliability engineering disciplines. He has 30 years of experience in reliability testing, engineering and management positions, and is currently supporting clients of ReliaSoft Corporation with reliability and FMEA training and consulting. Previous to ReliaSoft, he worked at General Motors, most recently senior manager for the Advanced Reliability Group. His responsibilities included FMEAs for North American operations, developing and implementing advanced reliability methods and managing teams of reliability engineers. Previous to General Motors, he worked as a Research and Development Engineer for Litton Systems, Inertial Navigation Division. Mr. Carlson co-chaired the cross-industry team that developed the commercial FMEA standard (SAE J1739, 2002 version), participated in the development of SAE JA 1000/1 Reliability Program Standard Implementation Guide, served for five years as Vice Chair for the SAE's G-11 Reliability Division and was a four-year member of the Reliability and Maintainability Symposium (RAMS) Advisory Board. He holds a B.S. in Mechanical Engineering from the University of Michigan and completed the 2-course Reliability Engineering sequence from the University of Maryland's Masters in Reliability Engineering program. He is a Senior Member of ASQ and a Certified Reliability Engineer.
Material for the FMEA tips, problems and solutions is excerpted from the book Effective FMEAs, published by John Wiley & Sons, ©2012. Information about the book Effective FMEAs, along with useful FMEA aids, links and checklists can be found on www.effectivefmeas.com.