The primary core use of a pFMEA is to analyze a new process to identify potential failures within the process and evaluate the planned prevention & detection controls to determine the degree of risk (see Table 1).
Unfortunately, once the FMEA is complete the document often just sits “on the shelf” until the next major revision to the process, when it is hopefully used to analyze the planned changes. There are, however, many other potential uses for the FMEA that can leverage the information gained from the analysis. Here are five examples:
1. Use the document for training employees who carry out the process. Too often training tells people what to do, but not why (typical of both procedures and control plans). Exposing employees to the portion of the FMEA related to their specific process step(s) will help them understand the risks related to noncompliance, such as the potential impact on customers. Knowing these before carrying out the activities is a lot better than learning about them after a customer complaint and subsequent root cause analysis!
2. Use the FMEA to plan audits of the process. After all, the purpose of audits is to evaluate the degree to which controls are in place and are working. Additionally, ISO 9001 and other QMS standards require using a risk-based approach to audits, and the risk rankings in an FMEA indicated which controls are perhaps more important to evaluate.
3. Look at aggregated rather than just individual risks. For example, throughout the FMEA it is likely that the same impact/effect will show up for several failure modes, so the total risk probability of that effect is the sum of them. Likewise, the same controls are likely used multiple times and a weakness of a specific type of control will then have a potential larger effect.
4. Use the FMEA to help identify possible causes when performing a root cause analysis. Failure modes at the step where the failure was found, as well as at previous steps where the same effect is identified, is a logical place to start.
5. The FMEA should be revised when new causes are found that were not in the FMEA, and risk ratings modified based on actual performance (e.g., a higher occurrence than predicted, less effective detection than predicted).
While the ISO 31000 risk management model explicitly defines the steps in Table 1,
- Risk Identification – first column in Table 1
- Risk Analyze – columns 2, 3 & 4
- Risk Evaluation – column 5 (but should also include action example #3)
- Risk Treatment – not shown, but would involve adding another column listing any planned actions to reduce risk, if desired, such as acquiring a backup computer or other means of being notified of the bill
it also includes
- Communication – Action examples 1, 2 & 4
- Monitoring – Action example 5
The problem is that once the analysis is done (filling in all the blanks in the pFMEA form) people get the feeling they’ve accomplished the task. Instead, risk management is a dynamic process that happens at multiple levels of an organization, and like any process should continually iterate thru the PDCA cycle.
PS: How often have you seen an organization use pFMEAs to analyze administrative processes such as hiring, training, order entry or corrective action processes? No risks there, huh?
© 2023 Duke Okes
Duke Okes is a writer, speaker, trainer and consultant or quality management.
His presentation on some risks related to risk assessment is available here: https://www.youtube.com/watch?v=gpPYshVMcq0&t=11s
His presentation on Bowtie risk assessment is available at: https://www.youtube.com/watch?v=pxo3qlJpRFU&t=2s
His book on Root Cause Analysis is available at: https://tinyurl.com/bdfnwcv7
His online Root Cause Analysis course is available at: https://www.jprlearning.com/course/root-cause-analysis-20m-ed/