FMEA

Severity, Occurrence, & Detection (SOD)

Training
June 2008

TRW Automotive Inc. 2008

SOD Rankings
Expectations From MCG
Vehicle level effects flow from System-FMEA to D-FMEA and P-FMEA
Occurrence rankings (when using PPM style rankings) same for all 3
types of FMEAs (modified VDA)
Detection rankings
System level: based on time to detect in field
Design level: based on ability to detect in development process
Process level: ok as is

TRW Automotive Inc. 2008

SOD Rankings
S

System Level
FMEA

To be reviewed
and agreed upon

OK as is (more
stringent than
modified VDA)

Based on Time to
detect and react in
field.

Design Level
FMEA

Inherited

Use modified VDA

rankings
12, 23, 34,
45

Modify rankings to
VDA levels

OK as is

Inherited

Same

Process Level
FMEA

TRW Automotive Inc. 2008

Severity Chart
Rating

10

Effect (per VDA

1. Edition 1996,
part 2)

Effect per
SAE J1739
Aug 2002

Provide Vehicle
Service Baking

Very Large

Very high
severity
ranking when
a potential
failure mode
affects safe
operation
and/or
involves
noncomplian
ce with
government
regulation
with warning.

Average decel
capability (on
high mu surface)
< 1.7 m/s^2
For short
duration loss of
decel capability
multiply severity
by factor from
graph 1.

Provide
vehicle
acceleration
capability homogeneo
us mu
surface.

Provide
enhanced
vehicle
acceleration
capability Traction
Control on
split mu
surfaces

Provide
Enhanced
Vehicle
Stability and
Steer-ability
(via regulation
of wheel slip
and engine
torque)
- System
Induced Path
Deviation:
Critical
(PLD/PPD >
50%)

-Both rear
wheels locked
during braking
with no front
wheels locked
(ABS system
partially
available)

Safety risk
non compliance
with statutory
provisions.
Stalled out
vehicle.

Provide
Divergent
Roll

Provide Static
Park Brake
Functionality

System
availability and
notification of
status

Other

Brake torque
reduction during
parking event
allows vehicle
movement within
5 minutes after
applying the
parking brake
(grade and apply
condition as
specified by
applicable
regulatory
standard) or
allows more than
0.5m total
movement during
any time
beginning 5
minutes after
applying the
parking brake.

-DRP ,
ABS, or YSC
system not
available and
driver not notified
(note that YSC
detection time of 2
minutes is allowed
by regulation)MCyl reservoir
low on fluid and
driver not notified
no warning lamp)

-High current draw / wire

damage

-Thermal event

-Unintended
vehicle decel > 0.5g

-Failure to request
illumination of stop lamps
when service brake
autonomously applied with
vehicle decel intended.

Very high
severity
ranking when
a potential
failure mode
affects safe
vehicle
operation
and/or
involves
noncomplian
ce with a
government
regulation
with warning.

Average decel
capability < 2.8
m/s^2
For short
duration loss of
decel capability
multiply severity
by factor from
graph 1.

- System
Induced Path
Deviation:
Severe (5 <
PLD/PPD <
50%)

TRW Automotive Inc. 2008

- Unintended vehicle decel

0.4-0.5g
-Low Tire Fail to
determine

Severity Chart
8

Large

Vehicle
inoperable
(loss of
primary
function)

Average decel
capability < 3.8
m/s^2. For short
duration loss of
decel capability
multiply severity by
factor from graph
1.

Operability of
vehicle
considerably
impaired.
Immediate service
urgently required.
Restricted
functioning of
important
subsystems.

Average
acceleration
capability <
20% of
"design
capability."
For short
duration loss of
accel
capability
multiply
severity by
factor from
graph 1.

Enhnaced
accleration
capbility
<^10% of
design
capability (no
driver
notification).
For short
duration loss
of accel
capability
multiply
severity by
factor from
graph 1.

- System Induced
Path Deviation:
Moderate (0 <
PLD/PPD < 5%)

- Control <
desired No
Control
Delivered

Braking system
performance
degradation
significant
noticeable by
average driver.

High

- - DRP system not

available and driver
notified (warning
lamp illuminated)

- Fail OEM end of line rolls

test

- Unable to release
parking brake such
that vehicle can not
be moved.

- - No antilock
wheel control on
one diagonal and no
warning..

- Unintended vehicle decel

0.3-0.4g

Vehicle movement
of up to 0.5 meters
starting any time
after 5 minutes of
applying the
parking brake.

- - TC system not
available and driver
not notified.

-- Unable to release one or

more service brakes so at
brake overheating will occur
with normal vehicle operation
th

Unable to release
parking brake
sufficiently so that
residual drag
causes rear brake
to over heat and
loose functionality.

- Low Tire False determine

-
-

Vehicle/item
operable, but
at a reduced
level of
performance.
Customer very
dissatisfied.

Average decel
capability < 4.9
m/s^2
For
short duration loss
of decel capability
multiply severity by
factor from graph
1.

Average
acceleration
capability <
50% of
"design
capability."
For short
duration loss of
accel
capability
multiply
severity by
factor from
graph 1.

- System Induced
Path Deviation:
Minor (PLD/PPD =
0%, Rotation >
15)

TRW

- One rear wheel

locked during
braking with no
front wheels
locked (ABS
Automotive
Inc. 2008
system partially
available)

- Control <
desired
Slight Control

Unable to apply
parking brake
where in vehicle
operator is warned
ie., vehicle moves
when service brake
is released (failure
with warning).

- ABS ; or YSC
system not available
and driver notified.

- Unacceptable NVH outside

slip control

Severity Chart
6

Moderate

Vehciel/item
operable, but
Comfort/Conve
nience item(s)
inoperable.
Customer
dissatisfied.

Average decel
capability < 5.9
m/s^2
For short
duration loss of
decel capability
multiply severity
by factor from
graph 1.

Average
acceleration
capability <
60% of
"design
capability."
For short
duration loss
of accel
capability
multiply
severity by
factor from
graph 1.

Enhnaced
accleration
capbility
<^30% of
design
capability .
For short
duration loss
of accel
capability
multiply
severity by
factor from
graph 1

- System Induced
Path Deviation:
Negligible
(PLD/PPD = 0%,
Rotation 15).

- Control <
desired
Moderate
Control

-One front wheel

locked during
braking (ABS
system partially
available)

- Unable to release
parking brake
completely so that
residual torque has
a detrimental effect
on fuel economy
and or excessive
wear of brake
linings.

Operability of
vehicle is
impaired.
Immediate
service is not
urgently required.
Restricted
functioning of
important comfort
and convenience
systems.

ABS; TCS; or YSC

system warning
lamp illuminated but
system available.

-Unacceptable NVH content

during slip control

TCS system not

available and driver
notified.

-Unacceptable NVH during

system checks/startups

- - MCyl reservoir
not low on fluid and
driver notified that
fluid is low

-Fail to meet label

requirements of customer
assembly plant

-Unacceptable pedal feel

OUTSIDE Slip Control
-Brake drag impacts fuel
economy but does not result
in brake overheating during
everyday driving.
- - Incorrect (misleading)
diagnostic trouble code
indicated

Vehicle
operable, but
Comfort/Conve
nience item(s)
operable at a
reduced level
of
performance.
Customer
somewhat

Average decel
capability < 64%
of "design
capability"
For
short duration loss
of decel capability
multiply severity
by factor from
graph 1.

Average
acceleration
capability <
67% of
"design
capability."
For short
duration loss
of accel
capability

Enhnaced
-System Path
accleration
Deviation <
capbility
surface allows
<^37% of
Slight
design
capability .
-Brake system
For short
performance

TRWloss
Automotive
Inc. 2008
duration
degradation minor
of accel

noticeable
by
capability

- Control <
desired
Significant
Control

-Design does not satisfy

assembly plant requirements
for handling

Severity
- Severity definition The rank associated with the most serious

effect for a given failure mode. Severity is a relative ranking within the
scope of the individual FMEA.
- Severities cascade from the system FMEA to the subsystem and

component FMEAs
- Use the Severity Table and the team to CONSENSE on the severity
rating for each effect
- Identify the Severity of each Effect from the Severity Rating Table
- Note - Only a design change which mitigates the effect of the failure
or eliminates the failure/function can reduce a severity rating.

TRW Automotive Inc. 2008

Severity Critical Characteristics

- Potential Critical Characteristics (YC) If the Severity rating 9 or 10

occurs, then a potential Critical Characteristic exits

- A severity of 9 or 10 is identified where injury or noncompliance with
a government regulation may occur
- Considering appropriate recommended actions to
Eliminate the failure modes
Mitigate the effects

TRW Automotive Inc. 2008

Severity Critical Characteristics

TRW Automotive Inc. 2008

Severity Critical Characteristics

TRW Automotive Inc. 2008

Severity Critical Characteristics

TRW Automotive Inc. 2008

Occurrence Ranking for FMEAs

TRW Automotive Inc. 2008

Occurrence Ranking for FMEAs

TRW Automotive Inc. 2008

Occurrence Table
- The table reflects the product maturity phases of the
Design/Development process with corresponding ratings.
- The table is used from right to left with experience increasing as
you move to the left. The chart usage is defined at the bottom as:
Note: Development columns are intended for use with new
product or features that do not have sufficient Field Experience
data to establish an actual Failure Rate
When using the Development Lab and Development
Vehicle columns use the higher of the two ratings, which is no
smaller than a 3.
Do not use ratings in the shaded sections of the columns.

TRW Automotive Inc. 2008

FMEA Occurrence
OCCURENCE in a component DFMEA refers to the likelihood that the
failure will occur during the design life of the product.
Preventative Actions are used to reduce the occurrence
Occurrence can also be lowered by:
Hardware design change
Example: Choose different component with higher
temperature rating
Software design change
Example: Change software operating limits to reduce power
dissipation
Change in requirements
Example: Customer confirms actual operating temperature
requirements are lower than originally specified
Design process change
Example: Perform worst case analysis which shows that
component has more margin than originally believed
TRW Automotive Inc. 2008

FMEA Occurrence
- Occurrence is the likelihood that a specific Cause/Mechanism will
occur during the design life.
- The likelihood of Occurrence ranking number is a projection that
uses statistics, rather than an absolute value.
- During development you can reduce the occurrence ranking by
reusing known components and systems, and by accumulating
development experience and lab data on the parts.
- Preventing or controlling the causes/ Mechanisms of the Failure
Mode through a design change or design process change (e.g. design
checklist, design review, design guide) will also reduce the
Occurrence ranking.

TRW Automotive Inc. 2008

Unibody Workshop System FMEA

Detection Criteria

Rating

Detection

Product In-field
Detection (Diagnostic tested and verified)

During Development Process

Quality of Detection of Algorithm/Software

Diagnostics (time to detect and initiate failsafe strategy)

Initiation begins within 1 functional loop
(<30 msec or CAN message period)

Testing (Unit, DV/Simulation, Vehicle)

10

Absolute
Impossible

-No detection of fault

-No testing: defined as not even been driven in vehicle.

Remote

-Faults will be detected at > 1750 msec of initial occurrence

-General Driving Usage: defined as no documentation available, no specific tests run,

but it is in the software and being driven.

Very Slight

-Faults will be detected within 1750 msec of initial

occurrence

-Informal testing: defined as no documentation available but testing was done.

Slight

Low

Medium

Moderately High

High

Very High

-Faults will be detected within 250 msec of initial occurrence

Almost Certain

-Faults will be detected within 225 msec of initial occurrence

Reach a number from 7 to 1 based on testing and prior experience using the following
formula:
-Faults will be detected within 1000 msec of initial
occurrence

Specific Testing (With report): rating = 10 - value

-Unit (-2)
-DV/Simulation (-3 specific signal observed, -2 general DV)
-Vehicle (-3 one vehicle, -5 two vehicles)
Note: Vehicle means one vehicle application, not an individual development vehicle.

-Faults will be detected within 500 msec of initial occurrence

TRW Automotive Inc. 2008

Unibody Workshop Design FMEA

Detection Criteria
During Development Process

Rank

Likelihood
of Detection

10

Absolute
Uncertainty

NoCurrentDesignControl;Cannotdetectorisnotanalyzed

VeryRemote

Designanalysis/detectioncontrolshaveaweakdetectioncapability;VirtualAnalysis(e.g.
CAE,FEA,etc.)isnotcorrelatedtoexpectedactualoperatingconditions.

Remote

Failuremaybedetectedonlyduringvehicleoroperationaltesting

Productverification/validationafterdesignphaseandpriortolaunchwithpass/fail
testing(e.g.Sub-systemorsystemtestingwithacceptancecriteriasuchasride&
handling,shippingevaluation,etc.)

VeryLow

Failurelikelytobedetectedonlyduringvehcileoroperationaltesting

Productverification/validationafterdesignphaseandpriortolaunchwithtest to failure
testing(e.g.Sub-systemorsystemtestinguntilfailureoccurs,testingofsystem
interactions,etc.)

Low

Failuremaybedetectedonlyduringassembly

Productverification/validationafterdesignphaseandpriortolaunchwithdegradation
testing(e.g.Sub-systemorsystemtestingafterdurabilitytest;functioncheck)

Moderate

Failuredetectedonlywhenaspecificmeasurementismadeoronlyunderlabtype
conditions;Failureonlydetectedduringassembly.

DesignVerification(reliabilitytesting,labtesting,environmentaltesting,etc.)using
pass/failtesting(e.g.acceptancecriteriaforperformance,functionchecks,etc.)

Moderately
High

Failuredetectedbydiagnosticsonlyundersomeoperationalconditionsthenexttimethe
circuitisactivated;Erraticoperationorresetthatisnotautomaticallydetectedbutmakes
aslightchangeintheoperationoftheunitsuchthatitmaynotbeeasilydetected.

DesignVerification(reliabilitytesting,labtesting,environmentaltesting,etc.)usingtest
to failuretesting(e.g.untilleaks,yields,cracks,etc.)

High

Failuredetectedbydiagnosticsonlyundersomeoperationconditionswhenithappens;
Erraticoperationorresetthatisnotautomaticallydetectedbutmakesanoticeablechange
intheoperationoftheunit;Failuredetectedbyautomatictesterbeforeandaftertesting.

DesignVerification(reliabilitytesting,labtesting,environmentaltesting,etc.)using
degradationtesting(e.g.datatrends,before/aftervalues,etc.)

VeryHigh

Failuredetectedbydiagnosticsthenexttimethecircuitisactivated;Partiallossof
operation

Designanalysis/detectioncontrolshaveastrongdetectioncapability.VirtualAnalysis
(e.g.CAE,FEA,etc.)ishighlycorrelatedwithactualand/orexpectedoperating
conditionspriortodesignfreeze.

Certain

Failuredetectedbydiagnosticswhenithappens;Totallossofoperation;Failuredetected
byautomatictestingduringtesting.

Failurecauseorfailuremodecannotoccurbecauseitisfullypreventedthroughdesign
solutions(e.g.provendesignstandard/bestpracticeorcommonmaterial,etc.)

TRW Automotive Inc. 2008

Detection Ranking Summary - Design

10 Absolute Uncertainty
Certain not to detect or unknown; further analysis required.
9 Very Remote
Virtual Analysis performed with weak correlation
8 not used
7 not used
6 not used
5 Moderate
Using Pass/Fail criteria (e.g. acceptance criteria for performance,
function checks, etc.)
Detected only when a specific measurement is made
Detected only under lab type conditions
Detected only during assembly
4 Moderately High
Using Test to Failure testing (e.g. until leaks, yields, cracks,etc.)
Detected by diagnostics only under some operational conditions the
next time the circuit is used
Erratic operation or reset that is not automatically detected but makes a
slight change in the operation of the unit
TRW Automotive Inc. 2008

Detection Ranking Summary - Design

3 High
Using Degradation testing (e.g. data trends, before/after values, etc.)
Detected by diagnostics only under some operational conditions when it
happens
Erratic operation or reset that is not automatically detected but makes a
noticeable change in the operation of the unit
Detected by automatic tester after testing.
2 Very High
Analysis/Detection controls have a strong detection correlation with
actual and/or expected operating conditions
Detected by diagnostics the next time the circuit is activated
Partial loss of operation
1 Certain
Fully prevented through design solutions
Detected by diagnostics when it happens
Total loss of operation
Detected by automatic testing during testing.

TRW Automotive Inc. 2008

DFMEA Detection
DETECTION in a component DFMEA refers to the ability of the design and
validation process to detect a design fault prior to production.
Detection Actions are used for three distinctly different purposes:
Detection Actions

Used to give confidence that the design is robust. Examples include:

Environmental testing
Electrical/ EMC/ESD testing
These are the primary means of detection and are normally present.

Diagnostic Actions

Used to determine if and/or when the failure has occurred

Software diagnostics
Parametric/ functional test
Post test inspection
By themselves, these actions generally do not prove that the design is robust, but
are usually required in conjunction with Detection Actions

Failure Effect Confirmation Actions

Used to establish that the stated effect of failure is correct when it is not obvious.
Example:
DFMEA fault insertion testing
Results of these actions may be used to confirm that the appropriate Diagnostic
Actions are in place

Combinations of the above are almost always necessary in order to get a low
detection ranking
TRW Automotive Inc. 2008

TRW Documentation of Design Controls

for Preventative and Detection Actions
June 18, 2008

TRW Automotive Inc. 2008

DFMEA Design Controls**

Design Controls are activities that are completed or committed
to assure design adequacy for the failure mode under
consideration.
There are two types of design controls:
Type 1 Prevention
Directed at reducing the occurrence ranking (i.e.
controlling the inputs of the design)
Type 2 Detection
Directed at reducing the detection ranking (i.e. testing
the outputs of the design)
**Adopted from the TRW global standard FMEA guideline group

TRW Automotive Inc. 2008

Goals for Design Controls

1) Initial states should represent the assessment that is
to be the baseline (i.e. before any additional program
specific work is planned to be done on the component in
question)
2) Revision states should represent the assessment that
will result from doing work (tests, reviews, use of
standards, etc.)
3) All Revision states should have an engineer
responsible for getting the work done, and a due date.
4) All Revision states should be tracked to completion.

TRW Automotive Inc. 2008

Goals for Design Controls

Expectations of Design Controls
1) Preventative and Detection Actions should be
documented and tracked whenever an action needs to
take place. Period.
2) In general, actions are a result of unacceptable RPNs
3) Actions are also a result of unknown circumstances
Not sure what exact effect is
Not sure of design capability
Not sure of test capability
Not sure of design sensitivity
Unexpected non-conformance during testing
4) Actions can also be called out for other groups
Software diagnostic needs to be created
Customer requirements need to be revised
TRW Automotive Inc. 2008

Preventative Design Controls

Preventative Actions have 2 distinct categories:
In production use reliability data mapped to VDA
failure rate table.
New component use Occurrence table
Occurrence rankings for initial states of new components
cannot be less than 7 and through actions can be lowered
to no less than 3.
Initial states assume either work has been completed, or
data already exists.
Revision states are necessary when tangible work will be
done to lower the Occurrence rating.

TRW Automotive Inc. 2008

DFMEA Preventative Action Examples

ECU List

HCU List

Design: PCB Layout Guidelines

Design: Thermal Analysis
Design: Supplier Review
Design: Peer Review
Design: DFM/DFA
Design: Component Specifications
Library Circuit: Complete
Library Circuit: In process
Library Circuit: Customer Directed

Tolerance Stacks & Analysis

Previous Design Experience
Print: Material Call-out
Print: Cleanliness Call-out
Print: Surface Finish Call-out
Print: Workmanship
Specification
Print: Corrosion Spec
Print: Dimensional Control

TRW Automotive Inc. 2008

Detection Design Controls

Detection Actions must have 2 distinct elements:
Test must be capable of producing a failure if a design
issues exists (i.e. exercise the part in a manner
representative of in field exposure).
Test must be able to detect if a failure occurred during
testing (i.e. parts that fail a test must be noticeable in
some manner either during or after the test has been
completed).
Detection rankings for initial states are either 10
(uncertain of capability or data doesnt exist yet) or the
rating according to actual test data available.
Action items reduce Detection rating according to
Detection table.
TRW Automotive Inc. 2008

DFMEA Detection Action Examples

ECU list

HCU List

CV Testing
DV Testing: Connector Test
DV Testing: Environmental Test
DV Testing: Electrical/EMC Test
DV Testing: Parametric Test (Pre-post)
DV Testing: Post Test Inspection
Testing: Vehicle
Testing: Software
Testing: Hydraulic
D-FMEA Fault Insertion Testing

Lab Testing: Vibration

Lab Testing: Performance Plots &
Testing
Lab Testing: Durability (Temperature)
Lab Testing: Corrosion
Lab Testing: High Pressure Strength
Lab Testing: Dust Test
Lab Testing: Alternate Immersion
Lab Testing: Salt Spray
Lab Testing: High Pressure Spray
Lab Testing: Burst
Lab Testing: Pressure Vessel Fatigue
Lab Testing: Durability
Inspection: X-ray analysis
Inspection: Visual

TRW Automotive Inc. 2008

Goals for Design Controls Action Items

Action items:
Need to have a realistic due date (used for project
management)
Need to have a person responsible for action
Need to have tangible evidence to be referenced,
stored, and controlled when action completed
Need to be on EVERY line item that will have some
work being done, particularly in this order:
the top RPNs (attention to > 120)
the top S (attention to > 8)
the top O (attention to > 3)
the top D (attention to > 5)

TRW Automotive Inc. 2008

Goals for Design Controls Action Items

1) Actions items (also known as Open Issues) can be
compiled together through IQ
2) Lists should be managed (evidence!) on monthly basis
to ensure work is getting completed.
3) Use following pages to obtain OI list

TRW Automotive Inc. 2008

Directions to get lists of Open Action Items

1) Open the FMEA file (*.fme).

2) Click the menu Editors : Statistics (or press Shift+Cntl+W) to
open the Statistics Editor.
3) Click the Pareto Icon indicated below to create a Pareto Analysis:

TRW Automotive Inc. 2008

Directions to get lists of Open Action Items

4. Select Responsibility
Analysis from the Analysis
Type: pulldown box. Also
select which structure(s)
you wish to analyze in the
Data Selection box. Then
click the Open button.

TRW Automotive Inc. 2008

Directions to get lists of Open Action Items

5. Right-Click on the Pareto graph

at the top and click Display
Options. Check the Hide
responsibility without actions
checkbox on the Axes tab to
clean up the graph.

TRW Automotive Inc. 2008