roots of most of today’s quality principles can project...

1

Steiner Consulting Paul A. Steiner, PhD

1

Project Elements

of Design Control, Design of

Experiment (DOE) and Risk Analysis

(FMECA)


2

Outline

History of “Quality” and roots of Design Control and

Risk analysis

Failure Mode and Effects Analysis

What is it?

Motivation

FMEA/FEMCA Methods

Example

FMECA in-class exercise


3

History of Quality

Roots of most of today’s Quality Principles can be traced back to Deming, and others like Taguchi in Post WWII.

Deming was pioneer of quality management processes in post war Japan.

Build quality into the system

Do not test in quality at the end of the process

Japanese auto industry embraced the quality principles for the improvement and development of cars in the 20th century.


4

Why a Systematic Approach to Quality?


5

US vs. Japanese Patterns of Design Changes

Japanese automakers focused more time on making

design revisions.

Early on in the prototype stage

“Bugs” worked out by start of the production

US Invested:

Less time exploring alternatives early in the cycle and

Thus major changes just before production,

Continuing making costly engineering changes after the start of production, and

Overall cycle was slower and more costly.


6

Product Development Process

It has major impact on cost, quality and overall time.

Quality depends on design; it is built into it

Cost and time needed for production depends on

factors related to product design

Is it easy to make?

Is it easy to assemble?

2


7

Adoption and Spread of Quality Systems

Early adoption By US (Military) Aerospace: MIL STDS

Mil Std-882B: Safety System Program Requirements

(Risk Analysis, 1977)

Mil Std-1629A: Procedures for Performing A Failure

Mode, Effects and Criticality Analysis (FMECA, 1974)

International Organization for Standardization (ISO):

ISO 13485: Medical Devices Quality Management

Systems (Design Control, 1996)

ISO 14971: Medical devices Application of risk

Management (2000)


8

FDA Quality System Regulations (QSR)

Quality System Regulation

820.30(c): “manufacturer…. shall establish and

maintain procedures to control the design of the

device…”

(g): “….Design validation shall include software

val. and risk analysis, where appropriate.”

Medical Device Directive 93/42/EEC

Essential Requirements – Design so as not to

compromise patient safety

In-Vitro Medical Device Directive 98/79/EEC


9

Design Control and Design of Experiments

(DOE)

Early application in ancient agricultural sciences

Inputs: Irrigation, fertilization, crop rotation, etc.

A technique was needed to model all inputs, how they interact – DOE was born!

Wanted to get it right 1st time as one experiment took an entire growing season.

Full factorial, all-interaction DOE, tests are performed for all possible combinations of all inputs.

i.e. 3 inputs, each with two possible settings

23 = 8 tests

DOE allows for determination of critical inputs and interactions


10

Risk Analysis: Why is it Important?

Provides a basis for identifying root failure causes and developing effective corrective actions.

Identifies reliability/safety critical components.

Facilitates investigation of design alternatives at all stages of the design

Provides a foundation for other maintainability, safety, testability, and logistics analyses


11

What is an FMEA?

Description:

A procedure that examines each item in a system, considers how that item can fail and then determines how that failure will affect (or cascade through) the system

Acronyms

FMEA: Failure Modes and Effects Analysis

FMECA: Failure Modes and Effects and Criticality Analysis


12

Definitions

FMECA - Failure Mode, Effects, and Criticality

Analysis.

FMEA - Failure Mode and Effects Analysis.

Compensating Provisions - Actions available or that

can be taken to lessen or eliminate the effect of a

failure on a system.

Next Higher Effect - The consequence a failure mode

has upon the operation, function, or status at the

next higher level of assembly.

End Effect - The consequence a failure mode has

upon the operation, function, or status at the highest

level of indenture.

3


13

FMECA Facts and Tips

FMECAs should begin as early as possible

This allows the analyst to affect the design before

it is set in stone.

If you start early, expect to have to redo portions

as the design is modified – a continuous loop

FMECAs take a lot of time to complete.

FMECAs require considerable knowledge of system

operation necessitating extensive discussions with

all affected groups: Design, Chemistry, System

Engineering.

Spend time developing ground rules with your

customer up front – another internal group, FDA, etc.


14

When to Perform FMEA/FMECA?

Risk Analysis is performed throughout the design

process.

Design might change as you learn more about the

inputs.

As design changes so does risk

Repeat Risk Analysis up to point design is “fixed”

(validation)

If done correctly, Risk should decrease


15

Motivation for Conducting a FMEA

Improves design by discovering unanticipated

failures

Enables robust design

Highlights the impact of the failures (reliability,

patient safety)

Potentially helpful during legal actions

Provides a method to characterize product safety

Often required (e.g. FDA and DOD procurement)


16

Methods to Conduct a FMEA (taken from ASM Handbook Vol. 11)

Identify all components or systems at given level of

the design hierarchy.

List the function of each identified component or

system.

Identify failure modes for each component/system.

Typically there will be several ways in which a

component can fail.

Determine the effect (both locally and globally) on the

system.


17

System Structure Analysis

The system is divided into different functional levels

and components


18

How is it Done?

What are the effects

of part failures on

the board?


of board failures on

the box?


of box failures on

the system?

Note: This is a bottoms up example.

Top down examples are possible.

4


19

Methods to Conduct a FMEA (taken from ASM Handbook Vol. 11)

Classify the failure by its effects on the system

operation.

How critical is the failure?

Determine the failure’s probability of occurrence.

Identify how the failure mode can be detected

Point out what needs to be inspected on a regular

basis

What needs in-process testing

Identify any compensating provisions or design

changes to mitigate the failure effects.


20

DESIGN FMEA (DFMEA)

The Design FMEA is used to analyze products before they are released to production.

It focuses on potential failure modes of products caused by design deficiencies.

Design FMEAs are normally done at three levels:

System

Subsystem

Component levels

This type of FMEA is used to analyze hardware, functions or a combination


21

PROCESS FMEA (PFMEA)

The Process FMEA is normally used to analyze

manufacturing and assembly processes at the

system, subsystem or component levels.

This type of FMEA focuses on potential failure

modes of the process that are caused by

manufacturing or assembly process deficiencies.


22

ISO 13485 Risk Management Flow Chart


23

Sample FMEA Table: Mil Std-1629A


24

Sample FMECA Table: Mil Std-1629A

5


25

Worksheet Preparation: Sample FMECA

Worksheet


26

Worksheet Preparation

For each system element or subsystem, the analyst must consider all the functions in all its operational modes, and ask if any failure modes may result in any unacceptable system effect.

No, stop

Yes, further examination

Discuss the various columns in the FEMCA worksheet

A unique reference to an element or subsystem is given in the first column

All the functions of the element are listed in the second column. A checklist may be useful to secure that all functions are covered.


27


The various operational modes for the element are listed

in column 3. Example of operational modes are: idle,

standby and running.

For each function and/or operational mode of an

element, the potential failure modes have to be identified

and listed in column 4.

The failure modes identified in column 4 are studied one-

by-one. The failure mechanism (e.g. corrosion, erosion,

fatigue) that may produce a failure mode are identified

and listed.


28


The possibilities for detecting the various failure modes

should be listed.

In some applications an extra column is added to rank

the likelihood that the failure will be detected. The

following detection ranking may be used:


29


The effects of each failure mode may have on other components in the same subsystem (local effects) are listed.

The effects each failure mode may have on the whole system (global effects) are listed. The operational status of the system after the failure should also be recorded:

In some applications it may be beneficial to consider each category of effects separately, like: safety effects, environmental effects, production availability effects, economic effects, etc.

In some applications it may be relevant to include separate columns in a worksheet for Effects on safety, Effects on reliability, etc.


30


Assesses probability that the failure mode will occur

Over the “design life of the product”

Assesses seriousness of the effects of a failure mode

Deriving effects for failure modes

Severity can be changed by a design change or other

implementations

6


31


Actions to correct the failure and restore the function or

prevent serious consequences are listed in column 11.

Actions that are likely to reduce the frequency of the

failure modes should also be recorded in column 11.

The last column may be used to record information not

included in the other columns.


32

Risk Ranking and Team Review

The risk related to the various failure modes can be

presented either by:

Risk matrix

Risk priority number (RPN)


33

Risk Ranking: Hazard Matrix

ALARP: Recognizes that most risks cannot be

eliminated


38

ISO 14971, Risk Analysis for Medical Devices

3-Region Risk Chart


39

Risk Ranking: Risk Priority Number

Assign values to Severity, Occurrence/probability, and

Detection using the tables on the next 3 pages.

SN = Severity number

Quantifies the severity of the effect, given that the

failure mode occurs in the design process.

PN = Probability Number

Quantifies probability that the failure mode occurs.

DN = Detection Number

Quantifies probability that the failure mode will be

detected by the design process.


40

Risk Ranking: Risk Priority Number

Determine the Risk Priority Number (RPN): Severity

(SN) x Probability (PN) x Detection (DN)

RPN = SN x PN x DN

The smaller the RPN the better (and the larger the

worse)

Develop an action plan

Implement an action plan

7


41

Risk Severity Guidelines

Effect Rank Criteria

None 1 No effect

Very Slight 2 Negligible effect on Performance. Some users may

notice.

Slight 3 Slight effect on performance. Non vital faults will be

noticed by many users

Minor 4 Minor effect on performance. User is slightly

dissatisfied.

Moderate 5 Reduced performance with gradual performance

degradation. User dissatisfied.

Severe 6 Degraded performance, but safe and usable. User

dissatisfied.

High Severity 7 Very poor performance. Very dissatisfied user.

Very High Severity 8 Inoperable but safe.

Extreme Severity 9 Probable failure with hazardous effects. Compliance

with regulation is unlikely.

Maximum Severity 10 Unpredictable failure with hazardous effects almost

certain. Non-compliant with regulations. Steiner Consulting Paul A. Steiner, PhD

42

Frequency or Probability/Occurrence Ranking

Probability or

Occurrence

Rank Criteria

Extremely Unlikely 1 Less than 0.01 per thousand

Remote Likelihood 2 0.1 per thousand rate of occurrence

Very Low Likelihood 3 0.5 per thousand rate of occurrence

Low Likelihood 4 1 per thousand rate of occurrence

Moderately Low

Likelihood

5 2 per thousand rate of occurrence

Medium Likelihood 6 5 per thousand rate of occurrence

Moderately High

Likelihood

7 10 per thousand rate of occurrence

Very High Likelihood 8 20 per thousand rate of occurrence

Extreme Likelihood 9 50 per thousand rate of occurrence

Maximum Likelihood 10 100 per thousand rate of occurrence


43

Detection Ranking

Detection Rank Criteria

Extremely Likely 1 Can be corrected prior to prototype/ Controls will almost

certainly detect

Very High

Likelihood

2 Can be corrected prior to design release/Very High

probability of detection

High Likelihood 3 Likely to be corrected/High probability of detection

Moderately High

Likelihood

4 Design controls are moderately effective

Medium Likelihood 5 Design controls have an even chance of working

Moderately Low

Likelihood

6 Design controls may miss the problem

Low Likelihood 7 Design controls are likely to miss the problem

Very Low Likelihood

8 Design controls have a poor chance of detection

Remote Likelihood 9 Unproven, unreliable design/poor chance for detection

Extremely Unlikely

10 No design technique available/Controls will not detect


44


Do some brainstorming

Goal: Get “all” possible failure modes

Ideas should be encouraged

Get all ideas written down

Things that have gone wrong in the past

Concerns of designers

Chemistry process related: purity, reaction parameters, etc.

Do your homework

Get data needed to evaluate and simulate all ideas

Histories, testing, analyses, simulations, etc.

Safety and regulation noncompliance are critical issues


45


Evaluate and rank potential failure modes

Use available information

Assign RPN on risk matrix for all failure modes


Define actions to correct the problems identified

Design controls: inspections, testing (IPC), etc.

Follow up

Document all corrective actions

Re-evaluate RPN or risk matrix after corrective

action


46

Corrective Actions

The risk can be reduced by introducing:

Changing designs

Introducing safety features

Warning devices

Procedures/training

8


47

Summary


48

To Learn More

A collection of information including links to

examples, guides, standards, etc. http://www.fmeainfocentre.com/index.htm

A training company with good overview material http://www.qualitytrainingportal.com/resources/fmea/index.htm

Another company http://www.fmea-fmeca.com/index.html

Other Variations of FEMA/FEMCA

Mil-STD-1629A, Fig 101.3

http://www.fmea-fmeca.com/milstd1629.pdf

SAE J1739

http://www.fmea-fmeca.com/fmea-examples.html


49

FMECA Example: Hot Water Heater


50

Constructing the FMECA Worksheet

List the various components and their function

What are the operational modes of the components

listed?

Let’s focus in on the Stop Valve

List the failure modes?

Is the failure acceptable? Yes – finished, No –

continue

What is the failure cause or mechanism?

What is the possibility of detecting the failure?

How detected?


51

Constructing the FMECA Worksheet: Stop

Valve

What are the affects on the sub-system (local

affects)?

What are the affects on the System (global effects)?

What is the probability of occurrence (1-10 scale)?

What is the severity?

FEMA Ranking (PN X SN = ?)

RPN? (PN X SN X DN = ?)

How can we reduce risk?

Suggest methods: brainstorm, etc

Redo RPN?

New RPN should be smaller


52


http://www.fmeainfocentre.com/index.htm

http://www.qualitytrainingportal.com/resources/fmea/index.htm

http://www.fmea-fmeca.com/index.html











9


53

Diasorin: Process 3. Conjugate Concentration

Sub-steps 1 – 4

1. Prepare Amino Dextran PN 25238

2. Prepare Vitamin D NHS Ester PN25205

3. Prepare ABEI Ester PN25207

4. Preparation of Vitamin D Aminodextran

conjugate concentrate PN25206


54

What to Do

Potential Causes of failure should be engineering

related such as incorrect material, corrosion, wear

and human related such as inexperience, misuse,

etc.

Current Design Controls are things like inspections,

testing, poke yoke, and other design checks that are

intended to prevent the problem.


55

What to Do

Assign values to Severity, Occurrence, and

Detection using the tables on the next three pages.

Determine the Risk Priority Number (Severity*

Occurrence * Detection)


Implement an action plan


56


Possible failure modes?


57

In-Class Problem 1

Most cars have a fuel filter between the fuel tank and

the engine.

Consider the consequences of:

Anti-function (opposite of filtering)

Partial function

Intermittent function

Excess function


58

In-Class Problem 2

You were the designer of cars before air bags and

seat belts.

Suppose your function is “Protect occupants during

head-on collision at less than 40 mph.”

Estimate numbers for Severity, Occurrence, and

Detection for the “before airbag/seatbelts” and

after “airbags/seatbelts” cases

10


59

In-Class Problem 3

For a cordless a screwdriver generate a partial

FEMCA

List the three most significant functions of the

case.

For most potentially troublesome function,

name Potential Failure Modes

For each Potential Failure Mode, name Potential

Effects.

For each Potential Failure Mode, name Potential

Causes.

For each Potential Failure Mode, assign

Severity, Occurrence, and Detection values


60

Application of FMEA to a Medication

Reconciliation Process Upon Hospital

Admission


61

Failure Modes Identified

Inaccurate , incomplete and/or missing information on

patients’ admission medication histories

No formalized approach for obtaining and documenting

medication histories within patients’ medical records

Inconsistencies between histories obtained by various

disciplines and documented throughout patients’ medical

records


62

Examples of Rating Failure Modes

Failure Mode: Independent medication histories throughout medical record with conflicting information about patient’s medication history

10 (SN) x 10 (PN) x 7 (DN) = 700 RPN

Failure Mode: Inaccurate medication history obtained

10 (SN) x 8 (PN) x 7 (DN) = 560 RPN

Failure Mode: Incomplete and/or incorrect medication orders upon admission

10 (SN) x 9 (PN) x 8 (DN) = 720 RPN


63

Medication Reconciliation Upon Admission:

Recommendations made by FMEA team:

Create single, shared medication list accessible to all authorized health care providers

Obtain an accurate and complete medication list upon admission

Consider use of pharmacy resources for obtaining medication histories in appropriate cases (pharmacy consult)

Develop a formalized process for medication reconciliation

Incorporate medication reconciliation into an advanced clinical information system


64

Simple Example: Flashlight

This flashlight is for use by special operations forces involved in

close combat missions (especially hostage rescue) during low

visibility conditions in urban areas. The light is to mounted coaxially

with the individual's personal weapon to momentarily illuminate

and positively identify targets before they are engaged. The exterior

casing including the transparent light aperture are from an existing

ruggidized design and can be considered immune to failure.

11


65

Simple Example: Flashlight (cont.) How can it fail?

What is the effect? Note

that Next Higher Effect =

End Effect in this case.

Part


66

Simple Example: Flashlight (cont.)

Severity

Severity I Light stuck in the “on” condition

Severity II Light will not turn on

Severity III Degraded operation

Severity IV No effect


67


Item Failure Mode End Effect Severity bulb dim light flashlight output dim III no light no flashlight output II switch stuck closed constant flashlight output I stuck open no flashlight output II intermittent flashlight sometimes will not turn on III contact poor contact flashlight output dim III no contact no flashlight output II intermittent flashlight sometimes will not turn on III battery low power flashlight output dim III

no power no flashlight output II


68

Criticality

CRITICALITY is a measure of the frequency of

occurrence of an effect.

May be based on qualitative judgement or

May be based on failure rate data


69


Can circled items be designed out or mitigated?

(There may be others that need to addressed also.)

roots of most of today’s quality principles can project...

Documents