ECSS-Q-ST-30-02C: FMEA/FMECA
This section is the library reference for the Derisker ECSS SysML v2 library, based on the ECSS-Q-ST-30-02C standard “Failure modes, effects (and criticality) analysis (FMEA/FMECA)” (6 March 2009). The library supports Design FMEA, Design FMECA, and Process FMECA, plus optional Hardware-Software Interaction Analysis (HSIA) extensions.
For step-by-step modelling guidance, see ECSS-Q-ST-30-02C: FMEA/FMECA. For a complete worked example, see ECSS DFMECA: Drone Hardware. For Derisker UI features, see Features.
File Layout
models/ecss/
├── lib/
│ └── Derisker_ECSS.sysml # Core library
├── templates/
│ ├── design-fmea/
│ │ ├── Derisker_ECSS_TemplateDFMEA.sysml # Analysis worksheet
│ │ └── Derisker_ECSS_TemplateDFMEA_Design.sysml # System architecture
│ ├── design-fmeca/
│ │ ├── Derisker_ECSS_TemplateDFMECA.sysml # Analysis worksheet
│ │ └── Derisker_ECSS_TemplateDFMECA_Design.sysml # System architecture
│ ├── process-fmeca/
│ │ ├── Derisker_ECSS_TemplatePFMECA.sysml # Analysis worksheet
│ │ └── Derisker_ECSS_TemplatePFMECA_Process.sysml # Process architecture
│ └── customizations/
│ └── Derisker_ECSS_TemplateCustomizations.sysml # Optional extensions
└── examples/
├── example-design-fmea/ # EV Design FMEA
├── example-design-fmeca/ # Satellite Design FMECA
├── example-process-fmeca/ # Vehicle Assembly Process FMECA
└── demo-drone/ # Drone Hardware FMECA
Quick Reference
This section provides quick lookup tables for ECSS library elements and ratings. For detailed SysML definitions, see the sections below.
System Architecture Elements
For Design FMEA/FMECA:
| Element | Usage |
|---|---|
| | Top-level system (highest hierarchy) |
| | Major subdivisions |
| | Lowest-level items (components, piece-parts) |
| | Actions performed by elements |
Process Architecture Elements
For Process FMECA:
| Element | Usage |
|---|---|
| | Overall process (e.g., vehicle assembly) |
| | Process areas (e.g., body shop, paint shop) |
| | Individual operations (e.g., welding, painting) |
| | Process activities |
Failure Mode Attributes by Analysis Type
| Attribute | Design FMEA | Design FMECA | Process FMECA |
|---|---|---|---|
| | Required | Required | Required |
| | Required | Required | Required |
| | Required | Required | Required |
| | Required | Required | Required |
| | Required | Required | Required |
| | N/A | Additional only | Required |
| | N/A | N/A | Required |
| | Additional only | Additional only | Additional only |
| | Sub/Comp | Sub/Comp | N/A |
| | Required | Required | Required |
| | N/A | Additional only | Required |
| | N/A | N/A | Required |
Severity Ratings (SN)
| Category | SN | Criteria (Dependability) |
|---|---|---|
| Catastrophic | 4 | Mission failure, system loss |
| Critical | 3 | Mission loss |
| Major | 2 | Major mission degradation |
| Minor/Negligible | 1 | Minor impact |
Suffix meanings:
- _SP: Single-Point failure (no redundancy)
- _R: Redundant (backup exists)
- _SH_SP or _SH_R: Safety Hazard variants available
Probability Ratings (PN)
| Category | PN | Criteria |
|---|---|---|
| Probable | 4 | Multiple occurrences during mission (>0.1) |
| Occasional | 3 | Once during mission (0.001 to 0.1) |
| Remote | 2 | Not expected; no heritage (10⁻⁵ to 0.001) |
| Extremely Remote | 1 | Not expected; heritage exists (0 to 10⁻⁵) |
Detection Ratings (DN) - Process FMECA Only
| Category | DN | Criteria |
|---|---|---|
| Very Unlikely | 4 | Very low probability of detection before impact |
| Unlikely | 3 | Low probability of detection |
| Likely | 2 | Good probability of detection |
| Very Likely | 1 | High probability of detection |
Criticality Calculation
| Analysis Type | Criticality Number (CN) | Critical If |
|---|---|---|
| Design FMEA | N/A | SN=4 OR Single-Point |
| Design FMECA | CN = SN × PN | SN=4 OR CN ≥ 6 |
| Process FMECA | CN = SN × PN × DN | SN≥3 OR PN=4 OR DN=4 OR CN≥12 |
Importing
Add the following import at the top of your analysis file:
private import Derisker_ECSS::ReliabilityAnalyses::*;
Add the following import at the top of your design/process architecture file:
private import Derisker_ECSS::SystemAnalyses::*;
The ReliabilityAnalyses package exposes all failure mode types, rating enumerations,
and causation definitions. The SystemAnalyses package exposes the physical
architecture hierarchy types (TopLevelSystem, Subsystem, Component,
Function, etc.).
FMEA Project & Cover/Work Sheets
occurrence def FmeaProjectDef {
part fmeaCover defined by FmeaCoverDef {
doc /* FMEA/FMECA cover sheet instance */
}
part fmeaWorksheet defined by FmeaWorksheetDef {
doc /* FMEA/FMECA work sheet instance */
}
}
part def FmeaWorksheetDef {
doc /* FMEA/FMECA project work sheet definition (empty - no generic attributes) */
}
FmeaProjectDef - an FMEA project consists of the FMEA/FMECA cover sheet and work sheet.
FmeaWorksheetDef - the work sheet definition itself has no generic attributes; the fmeaWorksheet usage is intended to contain all Failure Mode instances created while performing the reliability analysis.
// FMEA/FMECA Cover sheet (Planning data)
part def FmeaCoverDef {
doc /* FMEA/FMECA project cover sheet definition */
attribute fmeaTitle defined by ScalarValues::String default "TBD" {
doc /* Title name of FMEA/FMECA Project */
}
attribute fmeaRefNo defined by ScalarValues::String default "N/A" {
doc /* FMEA/FMECA Reference number */
}
attribute fmeaIssue defined by ScalarValues::String default "N/A" {
doc /* FMEA/FMECA Issue number */
}
attribute fmeaRev defined by ScalarValues::String default "N/A" {
doc /* FMEA/FMECA Revision number */
}
attribute companyName defined by ScalarValues::String default "TBD" {
doc /* Name of Company Responsible for FMEA/FMECA */
}
attribute customerName defined by ScalarValues::String default "TBD" {
doc /* Name of a Customer(s) or Product Family */
}
attribute fmeaType defined by fmeaType_e default fmeaType_e::TBD {
doc /* Title name of FMEA/FMECA Project */
}
attribute fmeaStartDate defined by DateDef [0..1] {
:>> val default new Time::Iso8601DateTime::val(date + "T00:00:00Z");
doc /* FMEA/FMECA Start Date. "YYYY-MM-DD" format */
}
attribute fmeaRevisionDate defined by DateDef [0..1] {
:>> val default new Time::Iso8601DateTime::val(date + "T00:00:00Z");
doc /* FMEA/FMECA Latest revision date. "YYYY-MM-DD" format */
}
attribute fmeaSignOffDate defined by DateDef [0..1] {
:>> val default new Time::Iso8601DateTime::val(date + "T00:00:00Z");
doc /* Supplier's FMEA/FMECA sign-off date. "YYYY-MM-DD" format */
}
attribute crossFunctionalTeam defined by ScalarValues::String default "TBD" {
doc /* Team Roster needed */
}
attribute approvalAuthority defined by ScalarValues::String default "TBD" {
doc /* Name of FMEA/FMECA owner */
}
attribute confidentialityLevel defined by confidentiality_e default confidentiality_e::TBD {
doc /* Confidentiality level (business use, proprietary, confidential etc.) */
}
attribute fmeaDefsCustom defined by ScalarValues::Boolean default false {
doc /* Defines if custom FMEA definitions are used in a project (y/n) */
}
}
attribute def DateDef :> Time::Iso8601DateTime {
attribute date defined by ScalarValues::String default "1970-01-01";
} // default value for date only (string)
FmeaCoverDef - FMEA cover sheet definition, consisting of a variety of attributes that define the project's configuration.
fmeaStartDate, fmeaRevisionDate, fmeaSignOffDate - defined by a subset of the Time library so that a date-only expression can be used.
fmeaType determines the selected method of reliability analysis: whether a design FMEA, a design FMECA or a process FMECA is being performed. This choice affects the criticality rating's formula.
fmeaDefsCustom - the ECSS standard allows a selection of attributes and scoring to be tailored to the user's own needs. This attribute records whether the project follows standard-only definitions or whether custom FMEA definitions have also been added to the project.
Failure Mode (Main attributes)
// Failure Mode data entry definition
occurrence def FailureModeDef {
doc /* Failure Mode data entry definition (represents a row of data in
* tabular FMEA/FMECA worksheet) */
ref focusItem defined by PhysArchDefs::PhysArchElement [1] {
doc /* Reference to a physical/logical subsystem or component of
* specific focus level, for which failure mode is specified */
}
ref focusFunction defined by PhysArchDefs::Function [1] {
doc /* Reference to a single function of physical/logical subsystem
* or component, for which failure mode is specified */
}
// Failure Mode description
attribute description defined by ScalarValues::String [1] default "" {
doc /* A Failure Mode (FM) is the mechanism through which a failure
* occurs (ECSS-S-ST-00-01C #2.3.89) */
}
attribute origin defined by FailureModeOrigin_e default FailureModeOrigin_e::TBD {
doc /* Failure mode origin (enum). "From Integration" if lower focus
* level Failure modes are defined, "Additional" if not defined */
}
attribute missionPhaseOpMode defined by ScalarValues::String default "" {
doc /* Mission/System phase or operational mode, where Failure Mode
* is relevant */
}
<...>
FailureModeDef - definition for each Failure Mode. Contains a variety of attributes, most notably focus item, function, FM description and risk ratings.
focusItem - a reference part usage to the element of physical architecture (component, subsystem etc.). Mandatory value (multiplicity 1).
focusFunction - a reference action usage to the single function of the focus item. Mandatory value (multiplicity 1).
description - a formulation of failure mode (text), describing a loss/degradation of a function. Mandatory value (multiplicity 1).
Risk ratings
// Failure Mode data entry definition
occurrence def FailureModeDef {
<...>
// Risk ratings
attribute rating_Severity_TOP defined by Severity_TOP_e default Severity_TOP_e::TBD {
doc
/* The highest focus level (0) severity rating (SN)
* USED IN: design FMEA/FMECA, process FMECA.
*/
}
attribute rating_Probability defined by ProbabilityLevel_e default
// Auto-set to 'Not Applicable' for Design FMEA; TBD otherwise
ProbabilityLevel_e::TBD {
doc
/* Probability of Occurrence rating of Failure Mode (enum)
* USED IN: design FMECA, process FMECA. NOT USED IN: design FMEA.
*/
}
attribute rating_Detection defined by Detection_e default
// Auto-set to 'Not Applicable' for Design FMEA/FMECA; TBD otherwise
Detection_e::TBD {
doc
/* Detection rating DN of Failure Mode (enum), used in process FMECA method.
* USED IN: process FMECA. NOT USED IN: design FMEA/FMECA.
*/
}
derived attribute rating_Criticality defined by CriticalityCategory_e default
CriticalityCategory_e::TBD {
doc
/* Criticality category (enum) based on criticality number */
}
<...>
rating_Severity_TOP - definition for the severity rating, using the Severity_TOP_e enumerator values. Only TOP focus level failure modes are required to assign a severity rating; lower-level failure modes can derive it through causation connections.
rating_Probability - definition for the probability rating, using the ProbabilityLevel_e enumerator values. Only the lowest focus level failure modes are required to assign a probability rating; higher-level failure modes can derive it through causation connections. The default value contains a conditional statement that determines whether the rating is needed, based on the FMEA analysis type (design/process FMEA/FMECA).
rating_Detection - definition for the detection rating, using the Detection_e enumerator values. A failure mode at any focus level can be assigned a detection rating (the default value is used if none is assigned). The default value contains a conditional statement that determines whether the rating is needed, based on the FMEA analysis type (design/process FMEA/FMECA).
rating_Criticality - definition for the criticality rating, a derived attribute (by the formula C = S * P * D) that determines whether priority actions need to be taken to address this failure mode.
Failure Mode (Secondary attributes)
// Failure Mode data entry definition
occurrence def FailureModeDef {
<...>
// Detection
attribute detection_ObservableSymptoms defined by ScalarValues::String default "" {
doc /* Failure detection method or observable symptoms. */
}
attribute detection_ExistingMethods defined by ScalarValues::String default "" {
doc /* Existing methods for preventing or compensating Failure Effects. */
}
attribute detection_EffectivenessOfRecovMethod defined by ScalarValues::String default "" {
doc /* Verification of the effectiveness of the recovery methods or proposal of alternative method. */
}
// Dependability
ref recommendations defined by CompensatingProvision [1..*] {
doc /* Recommendations (compensating provisions) to mitigate the Severity of Failure Effects */
}
attribute remarks defined by ScalarValues::String default "" {
doc /* Remarks or any other comments */
}
attribute documentation defined by ScalarValues::String default "" {
doc /* Relevant documentation sources or info */
}
<...>
}
// ACTION DEFINITIONS
action def CompensatingProvision {
attribute description : ScalarValues::String [1] default "";
ref InheritedFrom : CompensatingProvision [*] {
comment
/* Defined a reference "InheritedFrom" in case the same
* compensating provision propagates to higher focus level */
}
}
recommendations is a reference action usage, defined by the CompensatingProvision action definition. Its purpose is to let a recommendation for risk prevention or mitigation be reused wherever it applies to more than one failure mode.
There are also several detection attributes that document the monitoring capabilities for a failure mode.
Failure Mode (HSIA extension)
// Failure Mode data entry definition
occurrence def FailureModeDef {
<...>
// HSIA Extension
attribute software_Trigger_Params defined by ScalarValues::String default "" {
doc /* What parameters are used to trigger software action? */
}
attribute software_Actions defined by ScalarValues::String default "" {
doc /* What are the software actions? */
}
attribute software_Requirements defined by ScalarValues::String default "" {
doc /* What are the requirements and their identifiers for software
* triggering and for action itself? */
}
attribute effect_On_Hardware defined by ScalarValues::String default "" {
doc /* What are the effects of the software action on the hardware?
* What (if any) are the adverse effects? */
}
attribute recommendations_HSIA defined by ScalarValues::String default "" {
doc /* What are the recommended changes? */
}
}
The FailureModeDef definition also contains optional attributes for performing Hardware-Software Interaction Analysis (HSIA).
Failure Cause & Effect (Causation connection)
#causation connection def CausalLinkDef {
doc
/* Focus level N view: connects Failure Cause to Failure Mode;
* Focus level N-1 view: connects Failure Mode to Failure Effect
*/
end #cause cause_end : FailureModeDef;
end #effect effect_end : FailureModeDef;
}
The CausalLinkDef definition establishes a connection between two distinct failure modes whose focus items sit at different levels of abstraction. The connection ends carry the #cause and #effect metadata from the “CauseAndEffect” library, which makes it possible to determine whether a failure mode is a cause or an effect from a given viewpoint (a Failure Cause is a Failure Mode one level of abstraction lower, N-1; a Failure Effect is a Failure Mode one level higher, N+1). This connection allows failure chains and failure network graphs to be formed, lets severity and probability scores propagate between levels, and is the foundation of the FMEA/FMECA reliability analysis.
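The propagation that CausalLinkDef enables can be made concrete with a small failure network. The following is an added example written for this reference, not code from the Derisker library: it treats each FailureModeDef as a node and each CausalLinkDef as an edge from the #cause end (focus level N) to the #effect end (focus level N-1), derives the ratings that the rating_Severity_TOP and rating_Probability descriptions say lower or higher levels may inherit, and enumerates failure chains. The sample failure modes, their names and the two propagation rules (severity flows down as the worst SN of the effects, probability flows up as the worst PN of the causes) are assumptions made for the example; the page does not prescribe how scores are combined.

```python
"""Failure network built from CausalLinkDef-style connections.

Added example (not Derisker library code): each node stands for a
FailureModeDef instance, each edge for a CausalLinkDef whose #cause end
is the lower-level failure mode and whose #effect end is the failure mode
one focus level up.  The propagation rules are assumptions chosen to be
conservative, not rules stated by the library reference:
  * severity flows down:  a cause takes the worst SN among its effects;
  * probability flows up: an effect takes the worst PN among its causes.
"""
from collections import defaultdict

# Constructed sample worksheet: id -> (focus level, SN, PN).
# SN is assigned only at level 0 and PN only at the lowest level, as the
# rating_Severity_TOP / rating_Probability descriptions require; None = TBD.
SAMPLE_MODES = {
    "FM_SYS_LossOfAttitudeControl": (0, 4, None),
    "FM_SUB_NoTorqueOutput": (1, None, None),
    "FM_SUB_SensorDataStale": (1, None, None),
    "FM_CMP_WheelBearingSeizure": (2, None, 2),
    "FM_CMP_DriverMosfetOpen": (2, None, 1),
    "FM_CMP_GyroBiasDrift": (2, None, 3),
}
# Constructed (cause_end, effect_end) pairs.
SAMPLE_LINKS = [
    ("FM_CMP_WheelBearingSeizure", "FM_SUB_NoTorqueOutput"),
    ("FM_CMP_DriverMosfetOpen", "FM_SUB_NoTorqueOutput"),
    ("FM_CMP_GyroBiasDrift", "FM_SUB_SensorDataStale"),
    ("FM_SUB_NoTorqueOutput", "FM_SYS_LossOfAttitudeControl"),
    ("FM_SUB_SensorDataStale", "FM_SYS_LossOfAttitudeControl"),
]


class FailureNetwork:
    def __init__(self, modes, links):
        self.modes = dict(modes)
        self.effects_of = defaultdict(list)  # cause -> effects (level N-1)
        self.causes_of = defaultdict(list)   # effect -> causes (level N+1)
        for cause, effect in links:
            if cause not in self.modes or effect not in self.modes:
                raise KeyError(f"link to unknown failure mode: {cause} -> {effect}")
            # A cause must sit exactly one focus level below its effect; this
            # also rules out cycles, so the recursions below always terminate.
            if self.modes[cause][0] != self.modes[effect][0] + 1:
                raise ValueError(f"{cause} -> {effect}: focus levels are not adjacent")
            self.effects_of[cause].append(effect)
            self.causes_of[effect].append(cause)

    def severity(self, fm):
        """SN of fm: the assigned value if present, else the worst SN of its effects."""
        _, sn, _ = self.modes[fm]
        if sn is not None:
            return sn
        effects = self.effects_of.get(fm, [])
        if not effects:
            raise ValueError(f"{fm}: no SN assigned and no effect to derive it from")
        return max(self.severity(e) for e in effects)

    def probability(self, fm):
        """PN of fm: the assigned value if present, else the worst PN of its causes."""
        _, _, pn = self.modes[fm]
        if pn is not None:
            return pn
        causes = self.causes_of.get(fm, [])
        if not causes:
            raise ValueError(f"{fm}: no PN assigned and no cause to derive it from")
        return max(self.probability(c) for c in causes)

    def derived_ratings(self):
        """(SN, PN) for every failure mode after propagation."""
        return {fm: (self.severity(fm), self.probability(fm)) for fm in self.modes}

    def failure_chains(self, fm):
        """All failure chains from fm up to a level-0 failure mode."""
        effects = self.effects_of.get(fm, [])
        if not effects:
            return [[fm]]
        return [[fm] + tail for e in effects for tail in self.failure_chains(e)]


if __name__ == "__main__":
    net = FailureNetwork(SAMPLE_MODES, SAMPLE_LINKS)
    for fm, (sn, pn) in sorted(net.derived_ratings().items()):
        print(f"{fm:32} SN={sn} PN={pn}")
    for chain in net.failure_chains("FM_CMP_GyroBiasDrift"):
        print(" -> ".join(chain))
```

A failure mode that has neither an assigned rating nor a link from which to derive one is reported as an error rather than silently given a default, which is the case a reviewer most wants flagged before the criticality numbers are trusted.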
Severity categorization
// FMECA ratings definition
attribute def SeverityDef {
doc
/* Severity category definition - generic attributes.
* Used in design FMEA/FMECA & process FMECA */
attribute <SN> severityNumber defined by ScalarValues::Natural default 0;
attribute severityLevel defined by ScalarValues::Natural default 0;
}
enum def Severity_TOP_e specializes SeverityDef {
doc
/* Specialization of Severity attributes based on category
* (for mission/system focus level 0) */
SN4SH_Catastrophic {
doc Description
/* Catastrophic severity, safety hazards (SL=1, SN=4) */
doc Category
/* Catastrophic */
doc 'Safety Effects'
/* As specified in ECSS-Q-ST-40:
* - Loss of life, life‐threatening or permanently disabling injury or occupational illness.
* - Loss of an interfacing manned flight system.
* - Severe detrimental environmental effects.
* - Loss of site facilities.
* - Loss of system.";
*/
attribute redefines severityLevel = 1;
attribute redefines severityNumber = 4;
}
SN4SP_Catastrophic {
doc Description
/* Catastrophic severity, single-point (SL=1, SN=4) */
doc Category
/* Catastrophic */
doc 'Dependability effects'
/* Loss of system. Failure propagation to higher-level system */
doc 'Programmatic effects'
/* Financial loss > 50% of overall programme cost; schedule impact > 4 weeks */
attribute redefines severityLevel = 1;
attribute redefines severityNumber = 4;
}
<...>
SeverityDef - the severity definition has the generic attributes severity level and severity number.
Severity_TOP_e - the enumeration definition that provides an enumerator for each severity category (catastrophic, critical, major, minor/negligible). Each enumerator also carries a suffix according to ECSS, which allows a more detailed selection of the severity category (SH - safety hazard, SP - single-point FM, R - redundancy).
SN4SP_Catastrophic - an enumerator representing an actual severity category. Inside it, the effects can be tailored to the user's needs. Note: effects such as “Process”, “Process Results” and “Programmatic” are relevant only when a process FMECA is performed.
Probability categorization
// Probability Ratings
attribute def ProbabilityDef {
doc /* Probability levels definition - generic attributes. Used in design & process FMECA */
attribute probLow defined by ScalarValues::Real default 0 {
doc /* Lower Bound of failure Occurrence probability (exclusive), specified by Probability Category (enum) */
}
attribute probUp defined by ScalarValues::Real default 1 {
doc /* Upper Bound of failure Occurrence probability (inclusive), specified by Probability Category (enum) */
}
attribute <PN> probabilityNum defined by ScalarValues::Natural default 1 {
doc /* Probability number (PN), that corresponds with Probability Category (enum) */
}
attribute probability_Value defined by ScalarValues::Real default 0 {
doc /* Probability quantification (numeric value), when data is available. */
}
}
enum def ProbabilityLevel_e specializes ProbabilityDef {
doc
/* Selection options for FMECA Probability level */
PN4_Probable {
doc 'Tailored Criteria'
/* (PN=4) Failure mode expected to happen multiple times during mission. */
attribute redefines probLow = 1E-1;
attribute redefines probUp = 1;
attribute redefines probabilityNum = 4;
assert constraint { probability_Value > probLow and probability_Value <= probUp }
}
<...>
ProbabilityDef - the FM occurrence probability definition has a generic probability number attribute for categorisation and several attributes for quantification: the upper and lower boundaries and the probability value.
ProbabilityLevel_e - the enumeration definition that provides an enumerator for each probability level (probable, occasional, remote, extremely remote).
PN4_Probable - an enumerator representing an actual probability level (a range). Inside it, the upper and lower boundaries of the range are defined, together with a constraint that fixes which bound is exclusive and which is inclusive.
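To show what the boundary constraint in ProbabilityLevel_e means in practice, here is an added example (not library code) that classifies a quantified probability_Value into a PN category using the ranges from the Quick Reference and the same rule as the assert constraint above: the lower bound is exclusive and the upper bound inclusive. Only PN4_Probable is shown on this page; the enumerator names used below for PN 3, 2 and 1 are assumed by analogy and are not taken from the library.

```python
"""Classify a quantified failure probability into an ECSS PN category.

Added example, not Derisker library code.  Each level mirrors the
ProbabilityDef attributes probLow (exclusive), probUp (inclusive) and
probabilityNum, and accepts() is the assert constraint
    probability_Value > probLow and probability_Value <= probUp
from the enumerator.  Names other than PN4_Probable are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProbabilityLevel:
    name: str
    pn: int
    prob_low: float  # exclusive lower bound
    prob_up: float   # inclusive upper bound

    def accepts(self, value: float) -> bool:
        """The enumerator's constraint: probLow < value <= probUp."""
        return self.prob_low < value <= self.prob_up


# Ranges from the Quick Reference table, highest PN first.
PROBABILITY_LEVELS = (
    ProbabilityLevel("PN4_Probable", 4, 1e-1, 1.0),
    ProbabilityLevel("PN3_Occasional", 3, 1e-3, 1e-1),      # name assumed
    ProbabilityLevel("PN2_Remote", 2, 1e-5, 1e-3),          # name assumed
    ProbabilityLevel("PN1_ExtremelyRemote", 1, 0.0, 1e-5),  # name assumed
)


def levels_partition_unit_interval(levels=PROBABILITY_LEVELS) -> bool:
    """Check that the ranges tile (0, 1] with no gaps or overlaps, so that
    every admissible value maps to exactly one PN (a tailored table that
    breaks this would classify some values twice or not at all)."""
    ordered = sorted(levels, key=lambda lv: lv.prob_low)
    if ordered[0].prob_low != 0.0 or ordered[-1].prob_up != 1.0:
        return False
    return all(a.prob_up == b.prob_low for a, b in zip(ordered, ordered[1:]))


def classify(value: float, levels=PROBABILITY_LEVELS) -> ProbabilityLevel:
    """Return the single level whose constraint holds for value.

    Because the lowest level's probLow is 0 and the bound is exclusive, a
    value of exactly 0 satisfies no constraint; it is rejected here rather
    than mapped to PN1, which is what the enumerator's constraint implies.
    """
    matches = [lv for lv in levels if lv.accepts(value)]
    if len(matches) != 1:
        raise ValueError(f"probability {value!r} matches {len(matches)} levels")
    return matches[0]


if __name__ == "__main__":
    for v in (0.5, 0.1, 2e-4, 1e-5):
        lv = classify(v)
        print(f"{v:g}: {lv.name} (PN={lv.pn})")
```

The values sitting exactly on a boundary are the interesting cases: 0.1 is accepted by PN3_Occasional, not PN4_Probable, because the upper bound is inclusive and the lower one is not.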
Detection categorization
// Detection Ratings
attribute def DetectionDef {
doc /* Detection category definition - generic attributes. Used in process FMECA */
attribute <DN> detectionNum defined by ScalarValues::Natural default 1 {
doc /* Detection number (DN), that corresponds with Detection Category (enum).
* Default value DN = 1 if unused, e.g. if hardware FMEA/FMECA is performed
*/
}
}
enum def Detection_e specializes DetectionDef {
doc /* Selection options for process FMECA Detection category (agreed with the customer) */
DN4_VeryUnlikely {
doc 'Tailored Criteria'
/* The probability of detection of failure mode is very unlikely */
attribute redefines detectionNum = 4;
}
<...>
DetectionDef - the FM detection probability definition has a generic detection number attribute for categorisation.
Detection_e - the enumeration definition that provides an enumerator for each detection category (very unlikely, unlikely, likely, very likely); the categories are agreed with the customer.
DN4_VeryUnlikely - an enumerator representing an actual detection category. Inside it, the boundaries are not quantified into a range, but they could be tailored to the user's needs.
Criticality categorization
// Criticality (Risk Priority Number) Ratings
attribute def CriticalityDef {
doc /* Criticality category definition - generic attributes. */
derived attribute <CN> criticalityNum defined by ScalarValues::Natural default
FailureModeDef::rating_Severity_TOP.SN *
FailureModeDef::rating_Probability.PN *
FailureModeDef::rating_Detection.DN {
doc
/* Criticality number (CN), that corresponds with Criticality Category (enum). */
doc
/* For CN used in process FMECA method, default is CN = SN * PN * DN;
* For CN used in design FMECA method, default is CN = SN * PN (DN by default is "1");
* For CN used in FMEA method, default is CN = SN (PN & DN by default are "1")
*/
}
}
enum def CriticalityCategory_e specializes CriticalityDef {
doc
/* Selection options for FMEA/FMECA Criticality category */
Critical {
doc Priority
/* Critical */
doc Description
/* FM is "critical" if Severity is Catastrophic (SN=4) OR CN >= 6. */
}
<...>
CriticalityDef - the criticality definition has a derived criticality number attribute for categorisation.
CriticalityCategory_e - the enumeration definition that provides an enumerator for each criticality category (critical, not critical). “Critical” indicates that priority should be given to the prevention and mitigation actions for the failure mode it rates.
Critical - an enumerator representing an actual criticality category. An FM is “critical” if its Severity is Catastrophic (SN=4) OR CN >= 6.
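The criticality rule differs by analysis type, and the Quick Reference table and the CriticalityDef comment above state the three variants (Design FMEA with no CN, Design FMECA with CN = SN × PN, Process FMECA with CN = SN × PN × DN, with unused ratings defaulting to 1). The following added example, which is not Derisker code, implements both passages in one place: it parses the SN and suffix out of a Severity_TOP_e enumerator name such as SN4SP_Catastrophic, computes CN for the chosen fmeaType, and reports every reason a failure mode is classed as critical. The enumerator names with SN below 4 used in the demonstration are assumed by analogy with the two shown on the page.

```python
"""Criticality determination for design FMEA, design FMECA and process FMECA.

Added example (not Derisker library code).  Rules applied:
  Design FMEA:   CN not used;        critical if SN = 4 or single-point (SP)
  Design FMECA:  CN = SN * PN;       critical if SN = 4 or CN >= 6
  Process FMECA: CN = SN * PN * DN;  critical if SN >= 3, PN = 4, DN = 4 or CN >= 12
Ratings an analysis type does not use default to 1, as the CriticalityDef
comment describes.  Enumerator names other than SN4SP_Catastrophic and
SN4SH_Catastrophic are assumptions.
"""
import re
from enum import Enum
from typing import NamedTuple, Optional


class FmeaType(Enum):
    DESIGN_FMEA = "design FMEA"
    DESIGN_FMECA = "design FMECA"
    PROCESS_FMECA = "process FMECA"


class Criticality(NamedTuple):
    sn: int
    pn: int
    dn: int
    cn: Optional[int]   # None where the table says CN is N/A
    critical: bool
    reasons: tuple      # every rule that fired, for the worksheet remarks


_SEVERITY_RE = re.compile(r"SN([1-4])((?:_?(?:SH|SP|R))*)_[A-Za-z/]+")


def parse_severity(enumerator: str):
    """Split 'SN4SP_Catastrophic' into (4, {'SP'}); suffix tokens follow the
    Quick Reference: SP single-point, R redundant, SH safety hazard."""
    m = _SEVERITY_RE.fullmatch(enumerator)
    if not m:
        raise ValueError(f"not a Severity_TOP_e enumerator name: {enumerator!r}")
    return int(m.group(1)), frozenset(re.findall(r"SH|SP|R", m.group(2)))


def _check_rating(name, value):
    if value is None or not 1 <= value <= 4:
        raise ValueError(f"{name} must be assigned a value from 1 to 4 for this analysis type")
    return value


def criticality(fmea_type: FmeaType, severity: str, pn=None, dn=None) -> Criticality:
    sn, flags = parse_severity(severity)
    reasons = []
    if fmea_type is FmeaType.DESIGN_FMEA:
        pn, dn, cn = 1, 1, None                    # PN and DN not applicable
        if sn == 4:
            reasons.append("SN=4")
        if "SP" in flags:
            reasons.append("single-point failure")
    elif fmea_type is FmeaType.DESIGN_FMECA:
        pn, dn = _check_rating("PN", pn), 1         # DN not applicable
        cn = sn * pn
        if sn == 4:
            reasons.append("SN=4")
        if cn >= 6:
            reasons.append(f"CN={cn}>=6")
    else:
        pn, dn = _check_rating("PN", pn), _check_rating("DN", dn)
        cn = sn * pn * dn
        if sn >= 3:
            reasons.append(f"SN={sn}>=3")
        if pn == 4:
            reasons.append("PN=4")
        if dn == 4:
            reasons.append("DN=4")
        if cn >= 12:
            reasons.append(f"CN={cn}>=12")
    return Criticality(sn, pn, dn, cn, bool(reasons), tuple(reasons))


if __name__ == "__main__":
    # Constructed worksheet rows: (type, severity enumerator, PN, DN)
    rows = [
        (FmeaType.DESIGN_FMEA, "SN2SP_Major", None, None),
        (FmeaType.DESIGN_FMECA, "SN3R_Critical", 2, None),
        (FmeaType.PROCESS_FMECA, "SN2_Major", 2, 3),
    ]
    for t, sev, pn, dn in rows:
        print(t.value, sev, criticality(t, sev, pn, dn))
```

Keeping the reasons alongside the boolean is deliberate: a worksheet reviewer wants to see whether a "critical" verdict came from the severity alone or from the product, because the mitigation that follows differs.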
Note
Most of the enums also have a “TBD” enumerator, which serves as the default placeholder value until the user performing the FMEA reliability analysis selects one.