ECSS DFMEA: Electric Vehicle
This example demonstrates a qualitative Design FMEA for an electric vehicle system using the ECSS library. Design FMEA identifies failure modes and their effects without probability ratings — it is used for early-phase analysis or when quantitative data is not yet available.
The model covers three major EV subsystems: Electrical Powertrain, Autonomous Driving, and Infotainment, analysed at three hierarchy levels (vehicle → subsystem → component).
Model Structure
The example consists of three SysML v2 model files:
- Derisker_ECSS_ExampleDFMEA_Design.sysml — Electric vehicle system architecture
- Derisker_ECSS_ExampleDFMEA.sysml — Design FMEA analysis worksheet
- Derisker_ECSS_ExampleDFMEA_Customizations.sysml — Project-specific extensions
System Architecture
The EV follows a three-tier hierarchy: TopLevelSystem → Subsystem → Component.
part def DesignContext {
part electricVehicle : TopLevelSystem {
action provideVehiclePropulsion subsets functions;
action provideAutonomousDriving subsets functions;
action provideUserInterface subsets functions;
part electricalPowertrain : Subsystem {
action manageEnergyStorage subsets functions;
action convertElectricalToMechanicalPower subsets functions;
action chargeVehicleBattery subsets functions;
part batterySystem : Subsystem { /* ... */ }
part motorDriveSystem : Subsystem { /* ... */ }
part chargingSystem : Subsystem { /* ... */ }
}
part autonomousDrivingSystem : Subsystem {
part perceptionSystem : Subsystem { /* cameras, lidar, radar */ }
part computePlatform : Subsystem { /* autonomy ECU, processors */ }
part vehicleControlActuation : Subsystem { /* ... */ }
}
part infotainmentSystem : Subsystem {
part userInterfaceSubsystem : Subsystem { /* displays */ }
part connectivitySubsystem : Subsystem { /* telematics, BT, WiFi */ }
part audioVisualSubsystem : Subsystem { /* amplifier, speakers */ }
}
}
}
Analysis Setup
Cover Sheet
part analysisProject subsets ECSS_ProjectTypes::DesignFMEA {
alias TopLevelSystem for DesignContext::electricVehicle;
occurrence failureModeInitial : FailureModeExtension subsets ECSS_FailureMode;
part redefines coverSheet {
attribute :>> fmeaTitle = "Electric Vehicle System Design FMEA";
attribute :>> fmeaRefNo = "EV-DFMEA-001";
attribute :>> companyName = "Example EV Manufacturer";
attribute :>> customerName = "General Market";
attribute :>> fmeaStartDate.date = "2026-01-15";
attribute :>> crossFunctionalTeam =
"Powertrain Engineering, Autonomy Systems, Infotainment, Safety, Quality";
attribute :>> approvalAuthority = "Chief Vehicle Architect";
attribute :>> confidentialityLevel = ConfidentialityLevels::BusinessUse;
}
}
Failure Mode Organization
Failure modes are grouped by system element using 'FMs: <Name>' parts. Each part
declares an alias (SOI, or a suffixed form such as SOI_BMS for component-level parts)
pointing to the system element under analysis.
workSheet
├── 'FMs: ElectricVehicle' ← 3 top-level FMs
├── 'FMs: BatterySystem' ← subsystem FMs (FromIntegration)
├── 'FMs: MotorDriveSystem'
├── 'FMs: PerceptionSystem'
├── 'FMs: ComputePlatform'
├── 'FMs: UserInterfaceSubsystem'
├── 'FMs: BatteryManagementSystem' ← component FMs (Additional)
├── 'FMs: BatteryPack'
├── 'FMs: Inverter'
├── 'FMs: TractionMotor'
└── ... (47 failure modes total)
Failure Mode Examples
Top-Level FM (FromIntegration)
Top-level FMs have an explicit rating_Severity_TOP, no probability (Design FMEA is
qualitative), and causal links to subsystem-level FMs.
occurrence ElectricVehicle_Propulsion_FM1 subsets failureModeInitial {
ref part :>> focusItem = SOI;
ref action :>> focusFunction = SOI.provideVehiclePropulsion;
attribute :>> origin = FailureModeOrigins::FromIntegration;
attribute :>> failureModeType = FailureModeTypes::SuddenLossOfFunction;
attribute :>> description = "Complete loss of vehicle propulsion power";
attribute :>> missionPhaseOpMode = "Driving";
#causation connection : CausalLinkDef connect
'FMs: BatterySystem'::BatterySystem_Power_FM1 to this;
#causation connection : CausalLinkDef connect
'FMs: MotorDriveSystem'::MotorDrive_Power_FM1 to this;
attribute :>> failureCauses_Comments =
"High-voltage battery disconnect OR motor drive system failure";
attribute :>> rating_Severity_TOP = Severity::Catastrophic_1_SH_SP;
attribute :>> failureEffects_TOP_Comments =
"Safety: Vehicle stranded in traffic; Product: Mission failure; " +
"Customer: Towing required";
// Design FMEA: rating_Probability NOT set — qualitative analysis only
attribute :>> detection_ObservableSymptoms =
"All propulsion power lost; dashboard 'Propulsion System Fault'";
attribute :>> detection_ExistingMethods =
"HV system monitoring; motor controller diagnostics";
attribute :>> documentation = "Powertrain Safety Requirements PSR-001";
ref action :>> recommendations = compensatingProvisions::CP_002;
}
Subsystem FM (FromIntegration, no top-level severity)
Intermediate-level FMs inherit severity from above and link downward to components.
occurrence BatterySystem_Power_FM1 subsets failureModeInitial {
ref part :>> focusItem = SOI;
ref action :>> focusFunction = SOI.storeElectricalEnergy;
attribute :>> origin = FailureModeOrigins::FromIntegration;
attribute :>> failureModeType = FailureModeTypes::SuddenLossOfFunction;
attribute :>> description = "High-voltage battery system emergency disconnect";
#causation connection : CausalLinkDef connect
'FMs: BatteryManagementSystem'::BMS_Safety_FM1 to this;
#causation connection : CausalLinkDef connect
'FMs: BatteryPack'::BatteryPack_Thermal_FM1 to this;
attribute :>> failureCauses_Comments =
"BMS safety disconnect triggered OR thermal runaway protection activated";
attribute :>> failureEffects_Local_Comments =
"All HV power cut; vehicle loses all drive capability";
// rating_Severity_TOP and failureEffects_TOP_Comments inherited from top-level
}
Component FM (Additional)
Component-level Additional FMs are root causes — no downward causal links, and they
carry failureCauses_Comments explaining the physical cause.
occurrence BMS_Safety_FM1 subsets failureModeInitial {
ref part :>> focusItem = SOI_BMS;
ref action :>> focusFunction = SOI_BMS.monitorBatterySafety;
attribute :>> origin = FailureModeOrigins::Additional;
attribute :>> failureModeType = FailureModeTypes::SuddenLossOfFunction;
attribute :>> description = "BMS nuisance safety disconnect triggered by sensor error";
attribute :>> failureCauses_Comments =
"Voltage sensor drift causing false over-voltage detection; " +
"temperature sensor failure triggering thermal protection";
attribute :>> failureEffects_Local_Comments =
"BMS commands emergency HV disconnect; vehicle loses propulsion";
// rating_Severity_TOP inherited from top level via causation chain
// Design FMEA: no rating_Probability
attribute :>> detection_ObservableSymptoms =
"Sudden propulsion loss; BMS fault code logged";
attribute :>> detection_ExistingMethods =
"BMS self-diagnostics; sensor cross-validation logic";
ref action :>> recommendations = compensatingProvisions::CP_001;
}
Notable Features
- Qualitative analysis only
  Design FMEA does not use rating_Probability. Criticality is determined solely by rating_Severity_TOP and whether the FM is a single-point failure (_SP or _SH_SP suffix).
- Three-domain coverage
  A single analysis covers powertrain (safety-critical), autonomy (functional safety), and infotainment (user experience) systems, demonstrating how one ECSS Design FMEA can span multiple engineering domains.
- Compensating provisions library
  Eight reusable CompensatingProvision actions are defined once and referenced across multiple failure modes, avoiding description duplication.
- Clear severity assignment
  Only top-level FMs assign rating_Severity_TOP explicitly; intermediate and component-level FMs inherit severity downward through causal links.
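The severity-inheritance and criticality rules described above (top-level rating only, inheritance down the causation chain, criticality from severity plus the single-point suffix) can be checked mechanically once the worksheet is exported. The following is an added Python illustration of those semantics, not code from the ECSS library or the Derisker project: the FailureMode data structure, the validation rules, the failure-mode names not shown on this page (Inverter_Output_FM1, the charging branch), the severity identifier Major_3 and the level-2 criticality threshold are all assumptions that follow the page's naming pattern.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Origin(Enum):
    FROM_INTEGRATION = "FromIntegration"   # derived by integrating lower-level FMs
    ADDITIONAL = "Additional"              # root cause identified at component level


@dataclass
class FailureMode:
    """A failure mode occurrence. No probability field: Design FMEA is qualitative.
    Assumed structure for this example, not the ECSS library's own type."""
    name: str
    origin: Origin
    severity_top: Optional[str] = None               # rating_Severity_TOP, top level only
    causes: List[str] = field(default_factory=list)  # FMs connected 'to this' by a causal link


def severity_level(severity: str) -> int:
    """Level number embedded in the identifier; 1 (Catastrophic) is the worst."""
    m = re.search(r"_(\d+)", severity)
    if m is None:
        raise ValueError(f"no severity level in {severity!r}")
    return int(m.group(1))


def is_single_point(severity: str) -> bool:
    """A trailing _SP (including _SH_SP) marks a single-point failure."""
    return severity.endswith("_SP")


def worse(a: str, b: str) -> str:
    return a if severity_level(a) <= severity_level(b) else b


def validate(fms: Dict[str, FailureMode]) -> List[str]:
    """Structural rules stated on this page; the FromIntegration rule is inferred from it."""
    problems: List[str] = []
    effects_of = {c for fm in fms.values() for c in fm.causes}
    for fm in fms.values():
        for c in fm.causes:
            if c not in fms:
                problems.append(f"{fm.name}: causal link to unknown FM {c}")
        is_top = fm.name not in effects_of
        if is_top and fm.severity_top is None:
            problems.append(f"{fm.name}: top-level FM without rating_Severity_TOP")
        if not is_top and fm.severity_top is not None:
            problems.append(f"{fm.name}: severity set below top level (should be inherited)")
        if fm.origin is Origin.ADDITIONAL and fm.causes:
            problems.append(f"{fm.name}: Additional FM is a root cause and must have no causal links")
        if fm.origin is Origin.FROM_INTEGRATION and not fm.causes:
            problems.append(f"{fm.name}: FromIntegration FM has nothing integrated below it")
    return problems


def propagate_severity(fms: Dict[str, FailureMode]) -> Dict[str, str]:
    """Push each top-level rating down its causation chain. A root cause shared by
    several effects inherits the worst severity that reaches it."""
    inherited: Dict[str, str] = {}

    def visit(name: str, sev: str) -> None:
        current = inherited.get(name)
        new = sev if current is None else worse(current, sev)
        if current == new:          # nothing changed: stop (also terminates any cycle)
            return
        inherited[name] = new
        for c in fms[name].causes:
            visit(c, new)

    for fm in fms.values():
        if fm.severity_top is not None:
            visit(fm.name, fm.severity_top)
    return inherited


def single_point_failures(inherited: Dict[str, str], worst_level: int = 2) -> List[str]:
    """Criticality is severity plus the single-point flag: FMs whose inherited severity
    carries _SP at level worst_level or worse (the level-2 cut-off is an assumption)."""
    return sorted(n for n, s in inherited.items()
                  if is_single_point(s) and severity_level(s) <= worst_level)


# Constructed sample mirroring the page's propulsion chain. Inverter_Output_FM1, the
# charging branch and the identifier Major_3 are invented, following the page's pattern.
MODEL: Dict[str, FailureMode] = {fm.name: fm for fm in [
    FailureMode("ElectricVehicle_Propulsion_FM1", Origin.FROM_INTEGRATION,
                severity_top="Catastrophic_1_SH_SP",
                causes=["BatterySystem_Power_FM1", "MotorDrive_Power_FM1"]),
    FailureMode("ElectricVehicle_Charging_FM1", Origin.FROM_INTEGRATION,
                severity_top="Major_3", causes=["ChargingSystem_FM1"]),
    FailureMode("BatterySystem_Power_FM1", Origin.FROM_INTEGRATION,
                causes=["BMS_Safety_FM1", "BatteryPack_Thermal_FM1"]),
    FailureMode("MotorDrive_Power_FM1", Origin.FROM_INTEGRATION, causes=["Inverter_Output_FM1"]),
    FailureMode("ChargingSystem_FM1", Origin.FROM_INTEGRATION,
                causes=["BMS_Safety_FM1"]),        # shares a root cause with propulsion
    FailureMode("BMS_Safety_FM1", Origin.ADDITIONAL),
    FailureMode("BatteryPack_Thermal_FM1", Origin.ADDITIONAL),
    FailureMode("Inverter_Output_FM1", Origin.ADDITIONAL),
]}


if __name__ == "__main__":
    assert validate(MODEL) == [], validate(MODEL)
    inherited = propagate_severity(MODEL)
    for name, sev in sorted(inherited.items()):
        print(f"{name:32} {sev}")
    print("single-point failures:", single_point_failures(inherited))
```

Because BMS_Safety_FM1 feeds both the Catastrophic_1_SH_SP propulsion chain and the milder charging chain, it inherits the catastrophic rating; a checker that only followed the first link it found would under-rate the shared root cause.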