Skip to main content

Overview

The System FMEA Risksheet provides a structured analysis framework for identifying how system-level failures can occur, assessing their initial risk severity, and tracking mitigation effectiveness. It bridges upstream HARA (Hazard Analysis and Risk Assessment) results to downstream DFMEA (Design FMEA) failure modes and manufacturing Process FMEA, creating a complete safety analysis chain across the V-Model. Key characteristics:
  • Three-level hierarchical analysis (System Item → Failure Mode → Cause)
  • Nine progressive workflow views guiding users through FMEA stages
  • AIAG-VDA Action Priority (H/M/L) calculation with severity/occurrence/detection thresholds
  • Automatic post-mitigation risk assessment
  • Traceability to downstream DFMEA failure modes via the causes link
  • Risk control assignment and verification tracking
  • Safety-critical (SC) and critical characteristic (CC) classification

Hierarchical Structure

The System FMEA organizes data in three collapsible levels:
LevelElementPurpose
Level 1System Item / Customer RequirementTop-level subject of analysis (e.g., “AEB System Sensor Unit”)
Level 2Failure ModeHow the item could fail (e.g., “No output signal from sensor”)
Level 3CauseWhy the failure mode occurs (e.g., “Sensor power supply failure”)
Each level can be expanded or collapsed to navigate the risk tree. Level aggregation (e.g., summing RPN or AP values up from causes to failure modes) is controlled by the collapseTo property: 
{
  "hierarchy": [
    {
      "level": 1,
      "controlColumn": "item",
      "zoomColumn": "item"
    },
    {
      "level": 2,
      "controlColumn": "failureMode",
      "zoomColumn": "failureMode"
    },
    {
      "level": 3,
      "controlColumn": "cause",
      "zoomColumn": "cause"
    }
  ],
  "collapseTo": [
    { "from": 3, "to": 2, "aggregateBy": "failureMode" },
    { "from": 2, "to": 1, "aggregateBy": "item" }
  ]
}
Users drill down by clicking expand arrows next to item names, revealing failure modes for that item, then causes for each failure mode.

Progressive Workflow Views

System FMEA analysis follows a structured 7-step process. The risksheet provides nine named views to support this workflow, each showing only the columns relevant to that analysis stage:
View NameStepPurposeKey Columns Visible
DefaultN/AComplete view without traceability columnsAll except upstream/downstream risk links
No Up/Down RisksN/ASimplified view without external risk traceabilityAll except multiItemLink columns
1. Identify Failure Modes1Define failure modes for each system itemItem, Failure Mode, Effect of Failure
2. Initial Risk Ranking2Assess initial Severity, Occurrence, Detection and calculate pre-mitigation APSeverity, Occurrence, Detection, premitigation AP
3. Link Downstream DFMEA3Trace failure modes to downstream Design FMEADownstream DFMEA failures (causes link), system element context
4. Define Mitigations4Assign risk controls and prevention/detection measuresRisk Control (task link), Prevention Control, Detection Control
5. Verify Controls5Review control effectiveness and verify completenessRisk Control Status, Requirements Traceability (control → requirement → test)
6. Final Risk Evaluation6Reassess Occurrence and Detection post-mitigation, calculate post-mitigation APOccurrence (updated), Detection (updated), postmitigation AP
7. Risk Summary7Review residual risk and document closure statuspostmitigation AP, Risk Summary Notes, Follow-up Status
Full ViewN/AAll columns including full traceabilityComplete column set
Progressive disclosure prevents overwhelming users with hundreds of columns. Each view focuses on a single analysis phase, reducing cognitive load and improving data quality. diagram
Use the progressive views in order (Steps 1–7) to guide your analysis team through the SFMEA workflow. Views enforce discipline by showing only relevant data at each stage, reducing decision-making complexity.

Action Priority Calculation

Action Priority (AP) is calculated using the AIAG-VDA 2019 FMEA methodology, which classifies risks as High (H), Medium (M), or Low (L) based on Severity, Occurrence, and Detection ratings. Unlike traditional RPN (Risk Priority Number, which multiplies S×O×D), AP uses threshold-based decision logic.

Pre-Mitigation Action Priority (Initial Risk)

The pre-mitigation AP formula evaluates initial Severity, Occurrence, and Detection before any risk controls are implemented: 
function calculateAP(severity, occurrence, detection) {
  // High (H) conditions (any one met):
  if (severity >= 9) return 'H';                           // Severity critical
  if (severity >= 5 && occurrence >= 4) return 'H';       // High sev + moderate freq
  if (severity >= 6 && occurrence >= 4 && detection >= 5) return 'H'; // High sev + detectable
  
  // Medium (M) conditions (any one met):
  if (severity >= 5 || occurrence >= 4 || detection >= 6) return 'M';
  
  // Low (L) - default
  return 'L';
}
Decision Logic:
  • High (H): Assigned when severity is critical (≥9), or severity is high (≥5) with detectable failure modes (occurrence ≥4), or when all three ratings exceed minimum thresholds
  • Medium (M): Assigned when at least one factor (severity, occurrence, or detection) reaches moderate level without triggering High
  • Low (L): All factors are below medium thresholds

Post-Mitigation Action Priority (Residual Risk)

After risk controls are implemented, the post-mitigation AP uses the original Severity but updated Occurrence and Detection ratings: 
function calculateAPNew(severity, occurrenceNew, detectionNew) {
  // Same threshold logic, but uses updated Occ/Det values
  if (severity >= 9) return 'H';
  if (severity >= 5 && occurrenceNew >= 4) return 'H';
  if (severity >= 6 && occurrenceNew >= 4 && detectionNew >= 5) return 'H';
  
  if (severity >= 5 || occurrenceNew >= 4 || detectionNew >= 6) return 'M';
  
  return 'L';
}
Key Principle: Severity does not change post-mitigation because it represents the inherent consequence of the failure mode—controls cannot reduce the severity of the effect, only prevent occurrence or detect before impact. Occurrence decreases through prevention controls; detection improves through better monitoring.
If post-mitigation AP remains High (H), the failure mode requires additional risk controls or acceptance justification. ISO 26262 and AIAG-VDA require residual risk to be at acceptable levels (typically Low or justified Medium). See Risk Control Types for mitigation strategies.

Configuration Schema

Metadata

PropertyTypeDefaultDescription
namestring”System FMEA”Display name of the risksheet
descriptionstring”ISO 26262 / AIAG-VDA System Level Failure Mode and Effects Analysis”User-facing description
documentTypestring”risksheet”Risksheet identifier
dataSourceIdstringRequiredPolarion module ID containing FMEA work items
versionstring”1.0”Configuration version for change tracking

Hierarchy Definition

PropertyTypeDefaultDescription
hierarchy[].levelintegerRequiredNesting depth (1=top, 2=middle, 3=bottom)
hierarchy[].controlColumnstringRequiredColumn name that uniquely identifies items at this level
hierarchy[].zoomColumnstringRequiredColumn to focus on when user clicks expand in navigator
collapseTo[].fromintegerRequiredSource level for aggregation
collapseTo[].tointegerRequiredTarget level for aggregation
collapseTo[].aggregateBystring”groupBy”Grouping column name for hierarchy navigation
Example: 
{
  "hierarchy": [
    { "level": 1, "controlColumn": "item", "zoomColumn": "item" },
    { "level": 2, "controlColumn": "failureMode", "zoomColumn": "failureMode" },
    { "level": 3, "controlColumn": "cause", "zoomColumn": "cause" }
  ],
  "collapseTo": [
    { "from": 3, "to": 2, "aggregateBy": "failureMode" },
    { "from": 2, "to": 1, "aggregateBy": "item" }
  ]
}

Column Groups

Columns are organized into semantic groups that appear together in related views:
Group NamePurposeTypical Columns
ContextSystem context and item identitySystem Element, Item, Function
Failure DefinitionHow the item could failFailure Mode, Effect of Failure, Effect Description
Set Ranking (Pre-Mit)Initial risk assessmentSeverity, Occurrence, Detection, premitigation AP
Mitigation StrategyRisk control assignmentRisk Control, Prevention Control, Detection Control
Control VerificationEffectiveness assessmentControl Status, Requirements Traceability, Verification Evidence
Final Ranking (Post-Mit)Residual risk assessmentOccurrence (updated), Detection (updated), postmitigation AP
TraceabilityUpstream/downstream linksUpstream SFMEA, Downstream DFMEA, Safety Goals
ClosureStatus trackingFollow-up Status, Risk Summary Notes, Closure Date

Column Definitions

Each column maps to a work item field or link type:
ColumnField/LinkTypeEditableDescription
item(itemLink “assesses”)itemLinkNoSystem Item being analyzed; links to systemElement or customerRequirement
failureModefailureModetextYesDescription of how the item could fail
effectOfFailureeffectOfFailuretextYesConsequence visible to customer or downstream system
severityseverityenumYesInitial severity rating (1–10 scale); see FMEA Severity
occurrenceoccurrenceenumYesInitial occurrence/frequency rating (0–10 scale); see FMEA Occurrence
detectiondetectionenumYesInitial detection rating (0–10 scale); see FMEA Detection
premitigation_appremitigationAPformulaNoCalculated initial Action Priority (H/M/L) from S/O/D
causecauseOfFailuretextYesRoot cause description for the failure mode
preventionControlpreventionControltextYesControl that prevents the cause from occurring
detectionControldetectionControltextYesControl that detects the failure before impact
riskControl(taskLink “mitigates”)taskLinkYesRisk control work item assigned to address this cause
controlStatus(task status)read-onlyNoStatus of linked risk control task
requirementsTraceability(server-rendered)computedNoAll Requirements linked back via Risk Control; shows verification chain
occurrenceNewoccurrenceNewenumYesUpdated occurrence rating post-mitigation (should decrease with controls)
detectionNewdetectionNewenumYesUpdated detection rating post-mitigation (should improve with controls)
postmitigation_appostmitigationAPformulaNoCalculated residual Action Priority using original Severity and new O/D
downstreamDFMEA(multiItemLink “causes”)multiItemLinkYesDownstream Design FMEA failure modes traced from this cause
sccc_classificationscccClassificationenumNoSafety Critical (SC) or Critical Characteristic (CC) badge

Cell Decorators (Visual Renderers)

Risksheet uses custom JavaScript cell renderers to apply visual styling:
DecoratorApplies ToRendering
APFormatterpremitigation_ap, postmitigation_apLarge colored letter (H/M/L) with full label below; background color: red (#DC143C) for H, orange (#FF8C00) for M, green (#4CAF50) for L
SCCCBadgesccc_classificationInline badge: orange background (#ff8c00) for SC, red (#c62828) for CC; rounded corners; uppercase text
RowHeaderAPColor(row header)Background color inherited from postmitigation_ap value; enables visual scanning of residual risk levels

Views Configuration

{
  "views": [
    {
      "name": "1. Identify Failure Modes",
      "columnGroups": ["Context", "Failure Definition"]
    },
    {
      "name": "2. Initial Risk Ranking",
      "columnGroups": ["Context", "Failure Definition", "Set Ranking"]
    },
    {
      "name": "3. Link Downstream DFMEA",
      "columnGroups": ["Context", "Failure Definition", "Traceability"]
    },
    {
      "name": "4. Define Mitigations",
      "columnGroups": ["Context", "Failure Definition", "Mitigation Strategy"]
    },
    {
      "name": "5. Verify Controls",
      "columnGroups": ["Mitigation Strategy", "Control Verification"]
    },
    {
      "name": "6. Final Risk Evaluation",
      "columnGroups": ["Set Ranking", "Final Ranking"]
    },
    {
      "name": "7. Risk Summary",
      "columnGroups": ["Final Ranking", "Closure"]
    }
  ]
}

Formulas and Calculations

Pre-Mitigation Action Priority Formula

Property: premitigationAP 
// Evaluate initial Severity, Occurrence, Detection
var sev = parseInt(row.severity);
var occ = parseInt(row.occurrence);
var det = parseInt(row.detection);

// High threshold checks (any one match = High)
if (sev >= 9) return 'H';                           // Critical severity
if (sev >= 5 && occ >= 4) return 'H';              // High sev + frequent
if (sev >= 6 && occ >= 4 && det >= 5) return 'H'; // Detectable high risk

// Medium threshold checks
if (sev >= 5 || occ >= 4 || det >= 6) return 'M';

// Low (default)
return 'L';

Post-Mitigation Action Priority Formula

Property: postmitigationAP 
// Use ORIGINAL severity, but UPDATED occurrence and detection
var sev = parseInt(row.severity);
var occNew = parseInt(row.occurrenceNew) || parseInt(row.occurrence);
var detNew = parseInt(row.detectionNew) || parseInt(row.detection);

// High checks
if (sev >= 9) return 'H';
if (sev >= 5 && occNew >= 4) return 'H';
if (sev >= 6 && occNew >= 4 && detNew >= 5) return 'H';

// Medium checks
if (sev >= 5 || occNew >= 4 || detNew >= 6) return 'M';

return 'L';
Link RoleSourceTargetDirectionPurpose
assessesfailureModesystemElementoutgoingDefines which system element the failure mode applies to
causesfailureMode (SFMEA)failureMode (DFMEA)outgoingTraces System FMEA failure modes to Design FMEA failure modes
mitigatesriskControlfailureMode (SFMEA cause)outgoingAssigns risk control task to address this cause
refinessystemElementsystemElementhierarchicalLinks subsystems to system or components to subsystem

Traceability Chain: SFMEA → Risk Control → Requirements → Tests

Server-rendered columns traverse this chain to show verification evidence.
Downstream DFMEA traceability (via causes link) must be established manually during Step 3 of the workflow. System FMEA team members link each cause to the corresponding Design FMEA failure modes they could trigger in subsystems or components.

Configuration Property Table

CategoryPropertyTypeDefaultEditableDescription
Metadatanamestring”System FMEA”NoConfiguration display name
descriptionstring”ISO 26262 / AIAG-VDA System FMEA”NoPurpose and standards compliance
dataSourceIdstringRequiredNoPolarion module containing SFMEA work items
versionstring”1.0”NoConfiguration version for tracking changes
Hierarchyhierarchy[].levelintegerRequiredNoNesting depth (1, 2, or 3)
hierarchy[].controlColumnstringRequiredNoColumn name that identifies items at this level
collapseTo[].fromintegerRequiredNoSource level for aggregation
collapseTo[].tointegerRequiredNoTarget level for aggregation
ColumnscolumnGroups[].namestringRequiredNoSemantic group name (Context, Failure Definition, etc.)
columns[].idstringRequiredNoUnique column identifier
columns[].fieldstringRequiredNoWork item field or link role name
columns[].labelstringRequiredNoUser-facing column header text
columns[].editablebooleanfalseNoWhether users can modify cell values
Viewsviews[].namestringRequiredNoProgressive workflow stage name
views[].columnGroups[]arrayRequiredNoColumn group names to display in this view
Formulasformulas.premitigationAPstringRequiredNoJavaScript function to calculate initial AP
formulas.postmitigationAPstringRequiredNoJavaScript function to calculate residual AP
DecoratorscellDecorators[].fieldstringRequiredNoColumn to style
cellDecorators[].rendererstringRequiredNoRenderer function (APFormatter, SCCCBadge, etc.)

Integration Points

Upstream: HARA and Safety Goals

System FMEA typically starts after HARA (Hazard Analysis and Risk Assessment) is complete. SFMEA failure modes should contribute to or validate HARA results:
  • HARA identifies system hazards (malfunctions that could harm users)
  • SFMEA identifies failure modes that could cause those hazards
  • Safety goals from HARA provide context for which SFMEA failure modes are safety-critical
Reference: ISO 26262 Functional Safety

Downstream: Design FMEA

During Step 3 of the SFMEA workflow, causes are traced to Design FMEA failure modes via the causes link. This establishes a design decomposition chain:
  • SFMEA: “Sensor signal loss” ↓ causes
  • DFMEA: “Sensor power supply failure” (Component DFMEA)
  • DFMEA: “Sensor communication line open circuit” (Component DFMEA)
Reference: Design FMEA Risksheet Configuration

Manufacturing: Process FMEA

System FMEA design controls are eventually handed off to Process FMEA, which identifies manufacturing failure modes that could prevent controls from working. PFMEA typically includes control plan items that implement SFMEA risk controls in production. Reference: Process FMEA Risksheet Configuration, Process FMEA

Supporting Standards

System FMEA configuration implements:
  • ISO 26262-5 (hardware design) — system-level risk analysis context
  • AIAG-VDA FMEA 2019 — Action Priority methodology and severity/occurrence/detection rating scales
  • IATF 16949 / APQP — SC/CC classification linking failure modes to characteristics requiring control
  • ISO 21448 (SOTIF) — intended functionality and foreseeable misuse scenarios

Common Configuration Patterns

Pattern: Enabling Safety-Critical Filtering

To show only High post-mitigation AP failures: 
{
  "columnGroups": [
    {
      "name": "Risk Filter",
      "columns": [
        {
          "id": "filter_high_ap",
          "label": "High Residual Risk Only",
          "type": "filter",
          "filterExpression": "postmitigationAP == 'H'"
        }
      ]
    }
  ]
}

Pattern: Custom Severity Scale

To use a different severity scale (e.g., 1–5 instead of 1–10): 
{
  "enumerations": {
    "severity": {
      "1": "Negligible",
      "2": "Minor",
      "3": "Moderate",
      "4": "Major",
      "5": "Critical"
    }
  },
  "formulas": {
    "premitigationAP": "if (sev >= 5) return 'H'; if (sev >= 3) return 'M'; return 'L';"
  }
}

Pattern: Automatic Risk Control Creation

To auto-generate risk control work items for High AP failures: 
{
  "automations": [
    {
      "trigger": "cellChange",
      "condition": "premitigation_ap == 'H' && riskControl == null",
      "action": "createRiskControl",
      "template": "HighAPMitigation"
    }
  ]
}

Best Practices

Use the progressive views in sequence (1–7). Do not jump to Step 6 before completing Steps 1–5. Early completion of mitigations prevents rushing through verification.
Severity should be assessed from the customer/user perspective. Ask: “If this failure occurred in the field, what is the worst-case consequence?” Reference FMEA Severity for scale definitions.
Occurrence and Detection should change post-mitigation. If they remain the same, the risk control is not effective. If only occurrence improves, you have a prevention control. If only detection improves, you have a detection control. Best controls improve both.
Do not accept unmitigated High post-mitigation AP without documented justification. Work with Safety and Quality to determine acceptable residual risk levels for each ASIL classification. See ASIL Classification System.
Complete columns left-to-right in each view: Define failure modes → Assess initial risk → Link downstream risks → Assign controls → Verify → Reassess → Close. This order matches the logical workflow and reduces rework.