Practical Quality Engineering Resources FMEA and the RPN 2016-01-20

RPNs are mathematically incorrect, diversionary and subject to gamesmanship

  1. Bev D

    Bev D Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    605
    Likes Received:
    663
    Trophy Points:
    92
    Location:
    Maine
    Bev D submitted a new resource:

    FMEA and the RPN - RPNs are mathematically incorrect, diversionary and subject to gamesmanship

     
  2. MarkMeer

    MarkMeer Well-Known Member

    Joined:
    Dec 3, 2015
    Messages:
    138
    Likes Received:
    62
    Trophy Points:
    27
    Good analysis!

    One thing I don't know if I fully grasp, however, is your assertion that "severity never changes".

    For example, suppose I have a potential electrical hazard, with the worst-case being death. If I then introduce current-limiting circuitry, so that in the same situation, the worst-case is now just a painful shock, have I not decreased the severity of harm?

    You say "Since no mitigation is perfect, we keep the severity at the effect with the highest severity rating", but it seems that this approach would necessarily result in grossly over-stated severities because you are always assuming that any mitigation measures applied might not be effective...

    ----
    Also, I think the current model is just a trade-off between the thoroughness of risk-management and logistical business economics.

    It almost seems that it'd be worthwhile to suggest different variations based on the nature/classification/intended-use of the device in question...
    - "low risk" device? Using the status quo is probably adequate.
    - "high risk" device? Perhaps additional testing to arrive at quantitative values is appropriate.
     
  3. Miner

    Miner Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    576
    Likes Received:
    492
    Trophy Points:
    62
    Location:
    Greater Milwaukee USA
    As Bev stated in the article, the only way to reduce Severity is to change the design. By introducing current limiting circuitry, you have changed the design and lowered the Severity.
     
  4. Bev D

    Not so sure the design has been changed. Current limiting circuitry is a mitigation. If the board is still dealing with high current to function then the primary design hasn't changed. It's like an airbag in a car. The circuitry can still fail and then the death hazard will be back. The circuitry reduces the probability of occurrence of death but not its severity. To do that you would have to eliminate the need for such high current on the design. You have added a new severity of a shock with current limiting circuitry. A question to consider is why we feel the need to change a number instead of using science, validation data, logic and reason to understand that appropriate mitigation was taken?
     
    Last edited: Jan 21, 2016
  5. MarkMeer

    Of course nothing reduces the severity of death. But with the current-limiter, perhaps shock is still possible, albeit less severe. If we simply say that the current-limiter reduces the probability of death to (virtually) zero, and hence the risk is acceptable, then how would the risk-file show that there is still a chance to get shocked, albeit less severely?

    If we're analyzing risk under normal and single fault conditions, then we have to take into account mitigating measures under the presumption that they work as intended. ...are you suggesting that the severity for all electrical hazards for, say, devices that plug into the supply-mains always have a highest severity rating (i.e. death)? With this approach (static severities), then probability scales become critical if the analysis is to be useful, as they are the only thing distinguishing the risk of one hazard from another. If mitigating measures only affect probability, then I could see a risk-analysis table (post mitigating measures) for a supply-mains electrical unit reading simply as a bunch of highest severities and lowest probabilities.
     
  6. Bev D

    And what is wrong with that? Are you trying to report a number that will make your management or auditor happy? Do they not understand the English language or results of validation testing? (Not trying to be combative, I really want to understand.)

    Probability scales are still fuzzy as they are still guesses and do not take into account future manufacturing problems (yours or your suppliers') that can cause the mitigation to fail. Your validation data can show that if the mitigation is applied as intended a death level shock will not occur. (We do this with centrifuges all of the time - it's in the centrifuge testing standard that even a metal rotor that is highly unlikely to disrupt must have its containment tested by forcing the rotor to disrupt. If the containment mechanism works then the centrifuge is acceptable even though the severity of the unlikely event (disruption and lack of containment) is low.)

    I'm not saying we shouldn't take mitigating factors into account. We absolutely should. When my organization applies mitigation we assess the severity of the mitigation if it provides residual or additional failure modes, we validate that it will work and we control it. Then we move on to the next thing...
    I have seen current limiting circuitry fail due to component issues and assembly problems. When they fail, the original risk comes back. There is no way to quantitatively assess that probability.

    Here's my larger point:

    I suggest that our fixation on quantifying things is related to our need for a score. Our lives are surrounded by scores. Who won the Super Bowl? The score will tell you. Should I wear a coat or a jacket? The temperature will tell you. Who’s going to win the election? The poll numbers will tell you. Am I healthy? My blood pressure, heart rate, weight, and cholesterol numbers will tell me. Scores are simple. They are easy to communicate and easy to understand. We are told that we need data to make decisions. We accept a number at face value because we want a simple, direct, fast, easy to understand answer. Unfortunately we accept numbers at face value. We don’t probe into the test structure; we don’t try to understand the ‘scoring method’ (formula), we don’t even look to ensure that the number wasn’t just randomly selected. It’s data; it must be correct, right? The cognitive dissonance is that even when we know the scoring method is fundamentally flawed and the resulting number has no reliable meaning we persist in calculating it, reporting it and making decisions based on it. Because it’s a number. And we want it to work. Because it’s a number. Numbers aren’t subjective, right? They are precise. They are exact. They are data. Deming said: Some things that can be counted don’t matter and some things that matter can’t be counted. We need to learn that difference.
     
  7. MarkMeer

    Sure, validation data will show that the mitigating measure will prevent death-level shock. So the residual RPN is calculated as (unchanged) highest severity and (now, with mitigation) lowest probability. ...risk acceptable, right?

    ...but this does not capture that now, in the exact same hazardous situation, there is still a risk of shock, albeit non-lethal. Perhaps the risk is actually still unacceptable because the shock, although non-lethal, could still be harmful.

    I think we're in agreement here.

    Ultimately, probability of any given harm will be a compounding of the probabilities of various factors, most of which (practically speaking) must be best-guess estimations...and the reliability of compounded guesswork is no doubt questionable - which calls the entire framework into question!

    ...but I don't see any (practical) way around this and, although I agree with your larger point, as far as a development tool, I still think the current approach to risk-analysis is a useful framework in most cases. (inherently high-risk products perhaps being the exception...)