
dFMEA 2014

Re-shaping Design

M. Schneider-Scheyer, V. Ackermann, S. Sarkic


Nov-2014
V1.13
Integrity: http://skobde-mks.kobde.trw.com:7001/si/viewrevision?projectName=/SCS/SysE/13%5fMethod%5fand%5fTools/07%5fFMEA/project.pj&selection=FMEA2014.pptx

TRW Automotive 2014


References (TBD)
Deductive Analysis ref ISO18
C_044_BRK_3_001_289_EN
QS-9000: FMEA Fehler-Möglichkeits- und -Einfluss-Analyse
VDA: VDA-Band 4 Sicherung der Qualität vor Serieneinsatz, Produkt- und Prozess-FMEA, 2. Auflage, 2006
DIN EN 60812
DGQ: Band 1311 FMEA Fehlermöglichkeits- und Einflussanalyse, 3. Aufl. 2004


dFMEA in BRK Electronics


Structure

Functions

Failures

Actions

FMEA is an integrated method for systematic risk analysis during product development.
It is used to identify weaknesses in the design and to address risk reduction measures that avoid or reduce those potential failures and faults in an early project phase.
It is a preventive method for systematic design failure risk mitigation.
It shall be integrated in the design phase and address all areas:

Specification weaknesses and completeness
Susceptibility to environmental conditions
Interface weaknesses
Architecture weaknesses
Severity and impact to customer functions
Component and materials selection
Test coverage
and many more


dFMEA and SPFM/LFM Integration


Figure (diagram not reproduced): System Design (SCS) -> ECU Requirements -> ECU Architecture -> ECU Schematics & Layout. SPFM/LFM covers RANDOM COMPONENT FAILURE RISK REDUCTION; dFMEA covers SYSTEMATIC DESIGN FAILURE RISK REDUCTION.

See also slide 25 ff. for more information.

dFMEA and SPFM/LFM Analysis

D-FMEA shall reduce the risk for systematic failures (design failures, e.g. wrong component selected, tolerances not considered, temperature influence not considered).
It is NOT required to use the D-FMEA for random failures, e.g. resistor open due to random failures. Use the SPFM/LFM analysis to reduce the risk for random failures and to ensure that the Diagnostic Coverage is high enough.

Figure (diagram not reproduced):
D-FMEA: Occurrence (O), Severity (S), Detection (D) -> Risk Priority Number (RPN); inputs: experience, tests, simulation, worst case analysis.
SPFM/LFM: Open / Short / Drift / Pin-to-Pin failures, FIT rate -> Single Point Fault Metric (SPFM), Latent Fault Metric (LFM), Diagnostic Coverage (DC), FRC criteria.

Element Structure

Elements are structured in the following basic layers:

1) Function according to Specification (SEVERITY is inherited from sFMEA)
2) Main Architectural Elements used to achieve the function. This layer can be extended if it makes sense to group elements further (see examples below)
3) Component folder to support linking to pFMEA (not necessary for completion of dFMEA)

Example 1) and Example 2): structure trees (screenshots not reproduced)

Structure: Functions according to Specification

The first Element lists the functions required
- Defines the What-To-Do
- Defines which faults to detect
All Information shall be retrieved from the Specification
- Gaps in the specification become visible
- Consistency between Design and FMEA is generated

Example 1) (structure tree screenshot not reproduced)
The required failures to be detected are listed as single FUNCTIONs!
a) This drives the design
b) This allows direct linking to the Fault DB

Structure: Main Architectural Elements


The Architecture (layer 2) Elements are the main aspect of the analysis
- Shows HOW the function will be implemented
- The elements can be grouped further to achieve better granularity to the design (Components) and actions
All Information shall be consistent to the architecture
- Gaps in the architecture become visible
- Consistency between Design and FMEA is generated

Example 2) SysML internal block diagram "ibd [View] ActuationView [EpbActuationIbd]" (diagram not reproduced). Blocks named in it: OurECU, PowerSupplyInterfaceHw, EpbMotorInterfaceHw, EpbSecondMicro, MicroController, itsEpbControlSw, itsInOutControllerHw, EpbMotHbridgeDrvCtrl, itsSpiControllerSw, itsSpiControllerHw, itsSpiDriverSw, itsApplicationSw, itsADSignalConversionEpbHw, EpbActuatorHs and EpbActuatorLs, each tagged hardware or software with "ASIL B of D". Operations named in it: ProvideEpbSupplyVoltage, ProvideSupplyGndVoltage, DriveEpbMotor, ProvideEpbMotorVoltFeedback, ProvideEpbMotorElecCurrFeedback, ProvideEpbMotActuation, ManageEpbFailSafe, MonitorEpbMotorCurrent, ActuateEpbMotHbridgeDrvSig, HandleEpbActuCmd, HandleEpbMotStateExtendedVal, SendSpiSignal, ReceiveSpiSignal, SampleEpbMotorFeedback and SampleEpbElecCurrentFeedback. Signals include KL30_P, KL30_V, GND_P, GND_V, EpbSupVolt, GndSupVolt, EpbHbridgeDrvSig, SpiSig, SpiData, SpiCtrl, EpbActuCmd, EpbMotVoltFbkSig and EpbElecCurFbkSig.

Reliability and Robustness as non-functional Requirements shall be shown as ELEMENT
a) This drives the design
b) Dedicated Actions can be mapped

Structure: Component Groups


The Components (layer 3) are the link to the pFMEA (not necessary for completion of dFMEA)
- Shows WHICH components PROVIDE the function
- A failure of the components leads to a failure in the function.
- A further break down to single component failures is not necessary, as the Engineering detection actions verify the function
- Mission Critical elements (shunts, processors) shall be treated as Main Architecture elements
- 100% component failure break down is analysed during the SPFM/LFM
All Information shall be taken from the released ECL
- Consistency between Design and FMEA is generated
- Automated update of ECL and easy grouping allows quick update of changes

Example 2) (structure tree screenshot not reproduced)
The architecture blocks are further split to achieve better granularity to the design (Components) and actions to be assigned.
Mission Critical components are main Architecture elements and therefore single entities in the Elements

Function and Failures

The first Element lists the functions required
- List of functions as described in previous slides
- Failures are the negation of the function

Example 1) (screenshot not reproduced)

Failure Nets

The Architecture (layer 2) Elements are the main aspect of the analysis
- Function of the Architecture Elements as described in previous slides
- Failures are the negation of the function, plus additional risks out of team discussion / brainstorming
- It is allowed to pull the failure nets on the same level (see example below: a wrong dimensioning leads to a false detection, but both are single valid faults)
- Actions can be grouped by the faults and failures

Example 1) (failure net screenshot not reproduced)

Failure Nets to Components

The Components (layer 3) are the link to the pFMEA, as described in previous slides
- A failure of the components leads to a failure in the function
- The Top Down approach of the design FMEA ends here
- The detailed Bottom Up approach is given by SPFM/LFM
- The highest Severity out of the design analysis is given to the component

Example 1) (screenshot not reproduced)

Actions

Actions are assigned to Architecture Elements / Groups
- Testing strategy to achieve high validation coverage by standard tests
Actions are assigned on Core and specific Applications
- Symbolic Teams: CL Team, Integration Team, Application Team
- Symbolic Dates: Gerber release, DV Test Start, Application PV completed

Example 1) (screenshot not reproduced)

Severity Rating

Rank | Effect | Criteria
10 | Failure to meet safety and/or regulatory requirements | Potential failure mode affects safe vehicle operations without warning. Non-compliance with government regulations.
9 | Failure to meet safety and/or regulatory requirements | Same as criteria for 10 but with warning.
8 | Loss or degradation of primary function | Loss of primary function (Vehicle inoperable Stopper, does not affect safe vehicle operation, vehicle needs direct service).
7 | Loss or degradation of primary function | Degradation of primary function (Vehicle operable, but at a reduced level of performance). End-user very dissatisfied. Unable to assemble or parametric reject at Vehicle Manufacturer (VM) or VM's module sub-contractor.
6 | Loss or degradation of secondary function | Loss of secondary function (vehicle operable, but comfort/convenience function inoperable). Appearance or Audible Noise (Squeak and Rattle). End-user dissatisfied.
5 | Loss or degradation of secondary function | Degradation of secondary function.
4 | Annoyance | Some defects, vehicle operable (Fit and Finish). Appearance or Audible Noise (Squeak and Rattle). Defect noticed by most customers (greater than 75%).
3 | Annoyance | Defect noticed by most customers (greater than 50%).
2 | Annoyance | Defect noticed by most customers (greater than 25%).
1 | No effect | No discernible effect.

Occurrence rating 10-7

Rank | Likelihood | Description | Example
10 | Very Persistent failures (Almost) | History of many failures with previous, similar design and used environment extremely harsh or unknown OR New concepts with no past design experience and no analytical methods available to evaluate. | Complexity: For example the new design BLA circuit (59321904_M.008) with no analytical methods used.
9 | Very Persistent failures (High) | Design is radical with many unknown risks and environment is harsh/unknown OR New concept evaluated only via analytical techniques or modeling. | Complexity: For example the new design BLA circuit (59321904_M.008)
8 | Frequent failures (High) | Design is significantly different from previous or environment is harsh/unknown OR New concept with some prototype experience on similar applications with good results. No explicit HW requirements defined. | Complexity: For example the new current control solenoid circuit (59322272_M.008)
7 | | Moderately changed design with only fair reliability record used in slightly harsher environment OR Concept exists widely in other industries in similar applications with unknown results. Explicit HW requirements defined (e.g. operational profiles). Requirements defined for a circuit but no documented traceability to verification and test. | Complexity: For example the digital clutch sensor interface (59323004_008)

Occurrence rating 6-1

Rank | Likelihood | Description | Example
6 | Occasional failures (moderate) | Moderately changed design with good reliability record used in current environment | Electronic worst case analysis or simulation is performed which considers supply voltage and temperature variation as well as expected component drifts. Hardware design walk-through (for ASIL A,B circuits). Hardware design inspection (for ASIL C,D circuits). Consideration of design guideline / recommended component usage. Design according HW requirements. Description of specific section in ICD.
5 | Relatively few (low) | Part/assembly similar to previous design with only fair reliability record used in slightly harsher environment | If the results of the worst case analysis AND simulation, or worst case analysis AND development test, are comparable OR all HW requirements traceable to released ICD OR carry-over including same component but value change. Carry-over example for value change: Digital Switch inputs (59315724_M.008)
4 | | Part/assembly similar to previous design with only fair reliability record used in current environment | Simulation based on related component models and PCB impedance consideration OR DV/PV samples (statistical testing) passed the related tests
3-2 | | | Design analysis/detection controls have a strong detection capability. Virtual Analysis (e.g. CAE, FEA, etc.) is highly correlated with actual and/or expected operating conditions prior to design freeze.
1 | Unlikely | Carry-over part/assembly with good reliability record, ppm < 1 |

All Hardware Requirements, either from customer or from TRW (e.g. sensor supply accuracy = 0,5 V), related to the analyzed circuit library need to be traced to the released ICD.

Detection rating 10-6

Rank | Likelihood | Description | Example
10 | Absolute Uncertainty | Failure may be detected during long term vehicle operation. | Failure will not be detected before end-user detection (including fleet users). No test method available.
9 | Very Remote | Failure may be detected during vehicle production. | Failure will not be detected before automotive customer process (plant or proving grounds). Unproven or unreliable method available.
8 | Remote | Failure may be detected only during vehicle or operational testing. | Vehicle Product verification/validation after design phase and prior to launch with pass/fail testing (e.g. Sub-system or system testing with acceptance criteria such as ride & handling, shipping evaluation, etc.)
7 | Very Low | Failure likely to be detected only during vehicle or operational testing. | Product verification/validation after design phase and prior to launch with test to failure testing (e.g. Sub-system or system testing until failure occurs, testing of system interactions, etc.)
6 | Low | Failure may be detected only during ECU assembly. | Product verification/validation after design phase and prior to launch with degradation testing (e.g. Sub-system or system testing after durability test; function check)

Detection rating 5-1

Rank | Likelihood | Description | Example
5 | Moderate | Failure detected only when a specific measurement is made or only under lab type conditions; Failure only detected during assembly. | Design Verification (reliability testing, lab testing, environmental testing, etc.) using pass/fail testing (e.g. acceptance criteria for performance, function checks, etc.)
4 | Moderately High | Failure detected by diagnostics only under some operational conditions the next time the circuit is activated; Erratic operation or reset that is not automatically detected but makes a slight change in the operation of the unit such that it may not be easily detected. | Design Verification (reliability testing, lab testing, environmental testing, etc.) using test to failure testing (e.g. until leaks, yields, cracks, etc.)
3 | High | Failure detected by diagnostics only under some operation conditions when it happens; Erratic operation or reset that is not automatically detected but makes a noticeable change in the operation of the unit; Failure detected by automatic tester before and after testing. | Design Verification (reliability testing, lab testing, environmental testing, etc.) using degradation testing (e.g. data trends, before/after values, etc.)
2 | Very High | Failure detected by diagnostics the next time the circuit is activated; Partial loss of operation. | Test in related operating modes and temperature to circuit focus with pass/fail criteria for multiple samples.
1 | Certain | Failure detected by diagnostics when it happens; Total loss of operation; Failure detected by automatic testing during testing. | Failure cause or failure mode can not occur because it is fully prevented through design solutions (e.g. proven design standard/best practice or common material, etc.)

Finalization of preventive and detection actions

The action groups shall be finalized one after the other:
So start with the occurrence reduction (e.g. requirements definition and review)
Then close the detection related risk reduction (e.g. tests)
Only if the related risk reduction measure is performed, documented and does NOT contain any unjustified deviation can the measure be marked as completed in the DFMEA.

Walkthrough vs. Inspection

ISO 26262 Part 5 / Table 3 requires that for ASIL A/B a HW design walkthrough is performed and for ASIL C/D an inspection.
Walk-through is defined as: systematic examination of work products in order to detect anomalies.
EXAMPLE: During a walk-through, the developer explains the work product step-by-step to one or more assessors. The objective is to create a common understanding of the work product and to identify any anomalies within the work product.
Inspection is defined as: examination of work products, following a formal procedure, in order to detect anomalies.
NOTE: A formal procedure normally includes a previously defined procedure, checklist, moderator and review of the results.
Note: Both inspections and walk-throughs are types of peer review, where a walk-through is a less stringent form of peer review than an inspection.
What does that mean for the design team? See next page.

Walkthrough vs. Inspection

What does that mean for the electronics design:

1. Reviews have to be documented: schematics ID, participants, findings (see review template [1])
2. Review documentation shall also describe which points have been checked during the review, i.e. it is not sufficient to check whether the formal points are covered (schematics ID, date, reference designators etc.); the main target of the review is to find design and layout failures (is the particular circuit fulfilling the requirements?).
3. Reviews shall be based on a check-list for potential design failures. TBD add link

[1] http://skobde-mks.kobde.trw.com:7001/si/viewrevision?projectName=/CircuitLibraryRepositories/59322912%5fCircuitLibraryDevelopmentFramework/03%5fTemplates/10%5fReviewTemplates/project.pj&selection=593XXXXX%5fCLICDApprovalReviewNIssueM.docx

Preventive vs. Detection Actions

Figure (diagram not reproduced): the ECU Electronics Design FMEA sits between PREVENTION actions (reduce Occurrence) and DETECTION actions, both acting on the Schematic.
PREVENTION (reduce Occurrence): GEE SysE HW Requirements; ECU Architecture Description incl. Safety; CL interface definition / requirements / profiles; CL Design Spec.; Design Rules; Circuit Library Req. & Analysis; Worst Case Analysis Report; Simulation Report; Review Report; SW Interface Control Document (ICD); xxx
DETECTION: Dedicated Reliability Tests; CL Fault injection test; Circuit Library Tests; CL Electrical Test; CL Functional Test; ECU Fault Injection Tests for ECU internal failures; ECU Fault Injection Tests for ECU external failures; Prove Out Testing; High temp. test; EMC Test; Thermal shock; Test Requirements Document for Production Tests (TRD); Application DV/PV; LV124 Tests for Electronic & Hydraulic; xxx

Statistics

Form sheets and the Risk Matrix are generated on Functional level

Example 1) (risk matrix not reproduced: an O/D matrix with both axes ranked 10 down to 1, e.g. cell 4/4)
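The functional-level statistics described above, worked as an added Python example (not code from the slides or from the TRW tooling): it computes the Risk Priority Number S x O x D from the three rating scales, builds the O/D risk matrix, hands the highest severity down to each element, and re-rates an entry after preventive and detection actions. The failure entries, ratings and function names below are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class FailureEntry:
    function: str     # layer 1: function according to specification
    element: str      # layer 2: architectural element that implements it
    failure: str      # negation of the function (or a risk from team discussion)
    severity: int     # S, inherited from the sFMEA
    occurrence: int   # O, from the occurrence rating table
    detection: int    # D, from the detection rating table

    def rpn(self) -> int:
        """Risk Priority Number = S x O x D; every rating must lie in 1..10."""
        if not all(1 <= v <= 10 for v in (self.severity, self.occurrence, self.detection)):
            raise ValueError("S, O and D ratings must lie in 1..10")
        return self.severity * self.occurrence * self.detection

# Constructed sample entries (not taken from the slides): two functions, each
# implemented by one architectural element, with failures formed by negation.
SAMPLE = [
    FailureEntry("ProvideEpbSupplyVoltage", "PowerSupplyInterfaceHw",
                 "No supply voltage provided", 9, 4, 2),
    FailureEntry("ProvideEpbSupplyVoltage", "PowerSupplyInterfaceHw",
                 "Supply voltage out of tolerance", 9, 6, 4),
    FailureEntry("MonitorEpbMotorCurrent", "EpbMotorInterfaceHw",
                 "Over-current not detected", 10, 4, 4),
    FailureEntry("MonitorEpbMotorCurrent", "EpbMotorInterfaceHw",
                 "False over-current detection", 5, 7, 3),
]

def risk_matrix(entries):
    """O/D matrix on functional level: number of failures per (O, D) cell."""
    cells = defaultdict(int)
    for e in entries:
        cells[(e.occurrence, e.detection)] += 1
    return dict(cells)

def element_severity(entries):
    """Highest severity from the design analysis is handed down to each element."""
    worst = {}
    for e in entries:
        worst[e.element] = max(worst.get(e.element, 0), e.severity)
    return worst

def functional_summary(entries):
    """Per function: highest S, highest RPN and failure count, as on a form sheet."""
    summary = {}
    for e in entries:
        row = summary.setdefault(e.function, {"max_s": 0, "max_rpn": 0, "failures": 0})
        row["max_s"] = max(row["max_s"], e.severity)
        row["max_rpn"] = max(row["max_rpn"], e.rpn())
        row["failures"] += 1
    return summary

def apply_actions(entry, new_occurrence=None, new_detection=None):
    """Re-rate after preventive (O) and detection (D) actions; S stays as inherited."""
    updated = replace(entry,
                      occurrence=entry.occurrence if new_occurrence is None else new_occurrence,
                      detection=entry.detection if new_detection is None else new_detection)
    return updated, entry.rpn(), updated.rpn()

if __name__ == "__main__":
    print(functional_summary(SAMPLE), risk_matrix(SAMPLE), element_severity(SAMPLE))
```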

Re-use / Variant Management

Variant Matrix used to switch OFF / ON full structures

Example 1) (variant matrix screenshot not reproduced)

Attachment
D-FMEA vs. SPFM/LFM


D-FMEA vs. SPFM/LFM

D-FMEA: DESIGN FAILURE, circuit design, wrong selection of components / electronic parts. Parts not suitable for this purpose.
Example failure mode: Coil driver (FET) damage, due to electrical overstress (device not suitable for the specified current)
Example for risk mitigation: Worst Case analysis shows that the device is suitable for the specific purpose. Electrical fault injection test shows that the device does not fail under overstress conditions.

SPFM/LFM: RANDOM FAILURE which depends on the technology, load, self heating, etc. of individual components
Example failure mode: Open, due to random failures
Example for risk mitigation: Safety Mechanism detects the failure and brings the system in a safe state

D-FMEA vs. SPFM/LFM

Failure mode distribution

D-FMEA: If the D-FMEA is based on systematic failures it is NOT required to apply a formal failure mode distribution. D-FMEA is a brainstorming method, so the D-FMEA team has to decide which failure modes are considered for a component in the D-FMEA. The D-FMEA plan is used as a checklist which supports the consistency and completeness of the D-FMEA. (Figure: D-FMEA Plan, not reproduced)

SPFM/LFM: SPFM/LFM is focusing on random failures, so the distribution has to be defined. At TRW we are using MIL HDBK 338B to define the failure mode distribution.
Example failure mode distribution according to MIL HDBK 338B for Transistor, FET:
Short 51,00%
Output Low 22,00%
Parameter Change 17,00%
Open 5,00%
Output High 5,00%
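The MIL HDBK 338B distribution above, worked as an added Python example (not code from the slides or from the TRW .xls template): it splits a component FIT rate over the FET failure modes and weights each mode by its diagnostic coverage, giving the residual undetected FIT that the SPFM/LFM side of the comparison works with. The 10 FIT rate and the per-mode coverage values are constructed.

```python
# Failure mode distribution for "Transistor, FET" as quoted on the slide from MIL HDBK 338B.
FET_FAILURE_MODES = {
    "Short": 0.51,
    "Output Low": 0.22,
    "Parameter Change": 0.17,
    "Open": 0.05,
    "Output High": 0.05,
}

def check_distribution(distribution, tolerance=1e-9):
    """A failure mode distribution must cover 100 % of the component's failures."""
    total = sum(distribution.values())
    if abs(total - 1.0) > tolerance or any(share < 0 for share in distribution.values()):
        raise ValueError(f"failure mode shares must be >= 0 and sum to 1, got {total}")
    return True

def distribute_fit(component_fit, distribution=FET_FAILURE_MODES):
    """Split a component's FIT rate over its failure modes (FIT = failures per 1e9 h)."""
    check_distribution(distribution)
    return {mode: component_fit * share for mode, share in distribution.items()}

def residual_fit(fit_per_mode, diagnostic_coverage):
    """FIT not caught by the safety mechanism: sum of FIT_mode * (1 - DC_mode).
    A mode missing from the coverage map is treated as undetected (DC = 0)."""
    residual = 0.0
    for mode, fit in fit_per_mode.items():
        dc = diagnostic_coverage.get(mode, 0.0)
        if not 0.0 <= dc <= 1.0:
            raise ValueError(f"diagnostic coverage for {mode} must lie in 0..1")
        residual += fit * (1.0 - dc)
    return residual

def component_coverage(fit_per_mode, diagnostic_coverage):
    """Share of the component's total FIT that the safety mechanism detects."""
    total = sum(fit_per_mode.values())
    if total == 0:
        return 0.0
    return 1.0 - residual_fit(fit_per_mode, diagnostic_coverage) / total

# Constructed example (not from the slides): a 10 FIT driver FET whose safety
# mechanism catches shorts and opens well but parameter drift only partially.
EXAMPLE_DC = {"Short": 0.99, "Output Low": 0.90, "Parameter Change": 0.60,
              "Open": 0.99, "Output High": 0.90}

if __name__ == "__main__":
    per_mode = distribute_fit(10.0)
    print(per_mode)
    print(residual_fit(per_mode, EXAMPLE_DC), component_coverage(per_mode, EXAMPLE_DC))
```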

D-FMEA vs. SPFM/LFM

Tools: D-FMEA in APIS IQ FMEA; SPFM/LFM in the TRW .xls Template