Risk controls represent the design features, protective mechanisms, or information measures that reduce risk after FMEA analysis identifies unacceptable failure modes. Linking controls to their associated failure modes or causes:
  • Creates bidirectional traceability from risk identification to mitigation
  • Enables post-mitigation risk rating calculations
  • Supports ISO 26262 Part 9 safety case evidence
  • Allows automatic verification coverage tracking (controls → requirements → test cases)

Step 1: Open the FMEA Document

Navigate to Risks space and open your FMEA document in Risksheet (System SFMEA, Component DFMEA, or PFMEA).

Step 2: Identify the Failure Mode or Cause Row

Locate the failure mode (Level 2) or cause (Level 3) that requires mitigation. Risk controls typically link to Level 3 (causes) in the FMEA hierarchy, since controls target specific root causes rather than general failure modes.

In the Risk Controls column (usually visible in “Define Mitigations” or “Full View”):
  1. Click the cell for the cause row
  2. Select Add New to create a new riskControl work item, or Link Existing to reuse a control
  3. If creating new:
    • Title: Describe the control measure (e.g., “Redundant power supply monitoring”)
    • Control Type: Select Design, Protective, or Information (see warning below)
    • Description: Detail how this control mitigates the cause
The risksheet configuration automatically creates a mitigates link from the risk control back to the failure mode cause.
Warning: ISO 26262 prefers Design controls (eliminate hazard) over Protective controls (detect and mitigate) over Information controls (warn user). Always select the highest-tier control type that applies. Auditors may challenge excessive use of Information controls for high-ASIL risks.
The risk control now appears as an expandable sub-row under the cause. Click the ▼ icon to expand and view control details inline.

Track Verification Traceability

Once risk controls are linked, extend traceability to requirements and test cases:

Requirements Linkage

  1. Open the risk control work item (click its ID)
  2. In the Links section, add verifiedBy links to system or design requirements that implement this control
  3. Example: riskControl-42 verifiedBy sysReq-87 "Voltage monitoring circuit shall detect supply drop <10.5V"

Test Case Linkage

Requirements should already link to verification test cases. The Risksheet “Requirements Verification Traceability” column displays these links automatically. This server-rendered column traverses the full chain using Velocity templates, showing all requirements linked to the control and all test cases verifying those requirements.
Use the Risk Control Effectiveness Report (Risks space) to identify controls missing requirement or test case links. The report highlights controls with incomplete verification chains.
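A minimal offline version of this chain check, added here as an example and not Risksheet's or the report's own code: it runs over a constructed link export and flags controls with no linked cause, no requirement, or a requirement without a test case. The `verifies` role name for test case to requirement links and all IDs other than riskControl-42 and sysReq-87 are assumptions.

```python
from collections import defaultdict

# Constructed sample export: (source item, link role, target item).
# "mitigates" and "verifiedBy" are the roles named on this page; "verifies"
# (test case -> requirement) is an assumed role name.
LINKS = [
    ("riskControl-42", "mitigates", "cause-7"),
    ("riskControl-42", "verifiedBy", "sysReq-87"),
    ("testCase-301", "verifies", "sysReq-87"),
    ("riskControl-43", "mitigates", "cause-8"),
    ("riskControl-43", "verifiedBy", "sysReq-88"),   # sysReq-88 has no test case
    ("riskControl-44", "mitigates", "cause-9"),      # no requirement linked
    ("riskControl-45", "verifiedBy", "sysReq-87"),   # created standalone: no cause
]
CONTROLS = ["riskControl-42", "riskControl-43", "riskControl-44", "riskControl-45"]


def chain_gaps(controls, links):
    """Return {control_id: [gap descriptions]} for incomplete chains only."""
    out = defaultdict(lambda: defaultdict(set))   # out[role][source] -> targets
    tested = defaultdict(set)                     # requirement -> test cases
    for src, role, dst in links:
        out[role][src].add(dst)
        if role == "verifies":
            tested[dst].add(src)

    gaps = {}
    for ctl in controls:
        found = []
        if not out["mitigates"][ctl]:
            found.append("no mitigates link to a cause or failure mode")
        reqs = out["verifiedBy"][ctl]
        if not reqs:
            found.append("no verifiedBy requirement")
        for req in sorted(reqs):
            if not tested[req]:
                found.append(f"{req} has no test case")
        if found:
            gaps[ctl] = found
    return gaps


def coverage_percent(controls, links):
    """Share of controls whose full chain (cause, requirement, test) is complete."""
    return 100.0 * (len(controls) - len(chain_gaps(controls, links))) / len(controls)


if __name__ == "__main__":
    for ctl, found in chain_gaps(CONTROLS, LINKS).items():
        print(ctl, "->", "; ".join(found))
    print(f"complete chains: {coverage_percent(CONTROLS, LINKS):.0f}%")
```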

Update Post-Mitigation Ratings

After linking controls, reassess risk:
  1. Switch to the Final Risk Evaluation view in Risksheet
  2. Update Occurrence (Post) and Detection (Post) columns reflecting control effectiveness
  3. The Action Priority (Post) formula recalculates automatically
  4. Target: All High (H) priorities should reduce to Medium (M) or Low (L) after mitigation
Example:
| Rating | Pre-Mitigation | Post-Mitigation |
| --- | --- | --- |
| Severity | 9 | 9 (unchanged) |
| Occurrence | 6 | 3 (reduced by redundancy) |
| Detection | 8 | 4 (improved monitoring) |
| Action Priority | H | M |

Verification Steps

You should now see:
  • ✓ Risk control sub-rows nested under each cause in Risksheet hierarchy
  • ✓ Post-mitigation Action Priority values recalculated (view row header color: red → orange/green)
  • ✓ Requirements Verification Traceability column populated with linked requirements and test cases
  • ✓ Risk Control Effectiveness Report showing 100% control linkage for analyzed failure modes

Common Pitfalls

Creating risk controls without linking them to failure modes breaks traceability. Always create controls from within Risksheet using the Risk Controls column picker, not standalone in the work item grid.
Common controls (e.g., “CRC check on CAN messages”) may mitigate causes in multiple FMEAs. Use Link Existing to reuse the same riskControl work item across documents, avoiding duplicate effort and ensuring consistent verification.
