ECSS PFMECA: Vehicle Assembly
This example demonstrates a Process FMECA for a vehicle manufacturing process using the ECSS library. Process FMECA adds a Detection rating (DN) to the standard Severity × Probability analysis, making the criticality number CN = SN × PN × DN (range 1–64).
The model covers three production areas — Body Shop, Paint Shop, and Final Assembly — organized as a three-level process hierarchy (top-level process → station → step).
Model Structure
The example consists of three SysML v2 model files:
- `Derisker_ECSS_ExamplePFMECA_Process.sysml` — Manufacturing process architecture
- `Derisker_ECSS_ExamplePFMECA.sysml` — Process FMECA analysis worksheet
- `Derisker_ECSS_ExamplePFMECA_Customizations.sysml` — Project-specific extensions
Process Architecture
The process follows a three-tier hierarchy: TopLevelProcess → ProcessStation → ProcessStep.
The process architecture file imports `Derisker_ECSS::ProcessAnalyses::*` (not `SystemAnalyses`).
```sysml
part def VehicleManufacturingContext {
    part vehicleAssemblyProcess : TopLevelProcess {
        action overallProduction subsets functions;
        part bodyShop : ProcessStation {
            action bodyFabrication subsets functions;
            action qualityCheck subsets functions;
            part frameWeldingStation : ProcessStation {
                action frameAssembly subsets functions;
                part tackWelding : ProcessStep {
                    action performTackWelds subsets functions;
                }
                part seamWelding : ProcessStep {
                    action performSeamWelds subsets functions;
                }
                part weldInspection : ProcessStep {
                    action inspectWelds subsets functions;
                }
            }
        }
        part paintShop : ProcessStation {
            part surfacePreparation : ProcessStation {
                part cleaning : ProcessStep { /* chemical cleaning */ }
                part sanding : ProcessStep { /* surface sanding */ }
                part priming : ProcessStep { /* primer application */ }
            }
        }
        part finalAssembly : ProcessStation {
            part powertrainInstallation : ProcessStation {
                part engineMounting : ProcessStep { /* ... */ }
                part transmissionInstallation : ProcessStep { /* ... */ }
                part connectionVerification : ProcessStep { /* ... */ }
            }
        }
    }
}
```
Analysis Setup
Cover Sheet
```sysml
part analysisProject subsets ECSS_ProjectTypes::ProcessFMECA {
    alias TopLevelSystem for VehicleManufacturingContext::vehicleAssemblyProcess;
    occurrence failureModeInitial : FailureModeExtension subsets ECSS_FailureMode;
    part redefines coverSheet {
        attribute :>> fmeaTitle = "Vehicle Assembly Process FMECA";
        attribute :>> fmeaRefNo = "EX-PROC-FMECA-001";
        attribute :>> companyName = "Example Automotive Company";
        attribute :>> customerName = "Example Customer";
        attribute :>> fmeaStartDate.date = "2026-01-15";
        attribute :>> crossFunctionalTeam =
            "Manufacturing Engineering, Quality, Safety";
        attribute :>> approvalAuthority = "Manufacturing Director";
        attribute :>> confidentialityLevel = ConfidentialityLevels::BusinessUse;
    }
}
```
Failure Mode Organization
```text
workSheet
├── 'FMs: VehicleAssemblyProcess'   ← 3 top-level FMs
│   ├── VehicleAssembly_FM1 (FromIntegration — line stoppage)
│   ├── VehicleAssembly_FM2 (FromIntegration — reduced production rate)
│   └── VehicleAssembly_FM3 (Additional — facility power outage)
├── 'FMs: BodyShop'                 ← station-level FMs (FromIntegration)
├── 'FMs: SurfacePrep'
├── 'FMs: PowertrainInstallation'
├── 'FMs: TackWelding'              ← step-level FMs (Additional — carry PN)
├── 'FMs: SeamWelding'
└── ... (18+ failure modes total)
```
Failure Mode Examples
Top-Level FM (FromIntegration)
Top-level FMs set `rating_Severity_TOP` and `rating_Detection`. Probability is inherited from the lower-level Additional causes reached through the causal chain.
```sysml
occurrence VehicleAssembly_FM1 subsets failureModeInitial {
    ref part :>> focusItem = SOI;
    ref action :>> focusFunction = SOI.overallProduction;
    attribute :>> origin = FailureModeOrigins::FromIntegration;
    attribute :>> failureModeType = FailureModeTypes::SuddenLossOfFunction;
    attribute :>> description =
        "Complete production line stoppage due to critical station failure";
    // causal link to the station-level FM; BodyShop_FM1 is in turn caused by SeamWelding_FM1
    #causation connection : CausalLinkDef connect
        'FMs: BodyShop'::BodyShop_FM1 to this;
    attribute :>> failureCauses_Comments =
        "Critical welding equipment failure at body shop station";
    attribute :>> failureEffects_LOCAL_Comments =
        "Safety: Injury risk during emergency shutdown; " +
        "Product: Incomplete vehicles require rework; " +
        "Process: Not recoverable without repair";
    attribute :>> failureEffects_TOP_Comments =
        "Major schedule delay (> 1 week), significant cost impact";
    attribute :>> rating_Severity_TOP = Severity::Critical_2_SP;
    // DO NOT SET rating_Probability: inherited through BodyShop_FM1 from SeamWelding_FM1
    attribute :>> rating_Detection = Detection::DN2_Likely;
    attribute :>> rating_Detection_Comments =
        "Production line monitoring provides immediate detection";
    attribute :>> detection_ObservableSymptoms =
        "Line stops; equipment alarms sound; welding equipment fault codes";
    ref action :>> recommendations = compensatingProvisions::CP_003;
}
```
Top-Level FM (Additional — facility-level cause)
A top-level Additional FM models a root cause that exists at the top level itself (not caused by station failures). It must set both `rating_Probability` and `rating_Detection`.
```sysml
occurrence VehicleAssembly_FM3 subsets failureModeInitial {
    ref part :>> focusItem = SOI;
    ref action :>> focusFunction = SOI.overallProduction;
    attribute :>> origin = FailureModeOrigins::Additional;
    attribute :>> failureModeType = FailureModeTypes::SuddenLossOfFunction;
    attribute :>> description = "Facility-wide power outage affecting all production stations";
    attribute :>> failureCauses_Comments =
        "External power grid failure, facility electrical fault, or severe weather";
    attribute :>> failureEffects_TOP_Comments =
        "Schedule 1-7 days depending on outage duration, cost 10-50%";
    attribute :>> rating_Severity_TOP = Severity::Critical_2_SP;
    attribute :>> rating_Probability = Probability::PN1_ExtremelyRemote;
    attribute :>> rating_Probability_Comments =
        "Backup power and grid redundancy in place; no extended outages in 10 years";
    attribute :>> rating_Detection = Detection::DN1_VeryLikely;
    attribute :>> rating_Detection_Comments =
        "Immediate detection via loss of power and facility-wide alarms";
    ref action :>> recommendations = compensatingProvisions::CP_003;
}
```
Process Step FM (Additional — leaf cause)
Step-level Additional FMs are the root causes in the chain. All three ratings (SN inherited from the top level, PN set here, DN set here) drive the criticality number CN = SN × PN × DN.
```sysml
occurrence SeamWelding_FM1 subsets failureModeInitial {
    ref part :>> focusItem = SOI_SeamWelding;
    ref action :>> focusFunction = SOI_SeamWelding.performSeamWelds;
    attribute :>> origin = FailureModeOrigins::Additional;
    attribute :>> failureModeType = FailureModeTypes::SuddenLossOfFunction;
    attribute :>> description = "Robotic welding system complete mechanical failure";
    attribute :>> failureCauses_Comments =
        "Robot arm mechanical failure (motor, gearbox, joint) causing complete stoppage";
    attribute :>> failureEffects_LOCAL_Comments =
        "Safety: Injury risk from unexpected robot movement; " +
        "Product: Incomplete welds — bodies scrapped; " +
        "Process: Station not recoverable without repair team";
    // rating_Severity_TOP inherited from top level via causal chain
    attribute :>> rating_Probability = Probability::PN2_Remote;
    attribute :>> rating_Probability_Comments =
        "MTBF data for robotic welding systems: ~5000 hours; " +
        "preventive maintenance every 1000 hours; historical data shows 0.3 failures/year";
    attribute :>> rating_Detection = Detection::DN2_Likely;
    attribute :>> rating_Detection_Comments =
        "Robot controller fault codes immediately detected; sensor feedback loop monitors motion";
    attribute :>> detection_ObservableSymptoms =
        "Robot stops mid-cycle; fault code displayed; production count stops";
    attribute :>> detection_ExistingMethods =
        "Real-time robot controller monitoring; motion sensors; production MES";
    ref action :>> recommendations = compensatingProvisions::CP_003;
}
```
Criticality Summary
| Failure Mode | SN | PN | DN | CN | Critical? |
|---|---|---|---|---|---|
| Production line stoppage | 3 | 2 | 2 | 12 | Yes (CN ≥ 12) |
| Facility power outage | 3 | 1 | 1 | 3 | Yes (SN ≥ 3) |
| Seam welding failure | 3 | 2 | 2 | 12 | Yes (CN ≥ 12) |
| Surface prep quality issue | 2 | 3 | 2 | 12 | Yes (CN ≥ 12) |
Critical threshold: SN ≥ 3, OR PN = 4, OR DN = 4, OR CN ≥ 12. The four criteria are applied independently: the facility power outage has CN = 3 and is still a critical item on severity alone, so a screen on CN only would miss it. Note also that `Severity::Critical_2_SP` yields SN = 3 in the table; the numeral in the enumeration name is not the severity number.
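The rating rules this page states (SN set on top-level FMs and inherited downward along the causal chain, PN set on Additional FMs and inherited upward, DN set on every FM, and the four critical criteria above) as a small Python worksheet model. This is an added example, not code from the Derisker_ECSS library or from the example project; it reproduces the four table rows from the FMs shown on the page. Where the page gives no value the example assumes one and marks it: the DN of `BodyShop_FM1`, the SN and DN of `VehicleAssembly_FM2`, the name `SurfacePrep_FM1` for the surface-prep quality FM, and taking the worst (maximum) rating when an FM has several causes or several effects.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example, not Derisker_ECSS library code: a minimal Process FMECA worksheet
# that propagates SN / PN along the causal chain and applies the critical-item rules.

SCALE = (1, 2, 3, 4)   # every rating (SN, PN, DN) is an integer 1..4
CRITICAL_CN = 12       # CN = SN x PN x DN, critical when >= 12 (page threshold)


@dataclass
class FailureMode:
    name: str
    origin: str                          # "FromIntegration" or "Additional"
    top_level: bool = False              # FM on the TopLevelProcess
    detection: Optional[int] = None      # DN: set on every FM
    probability: Optional[int] = None    # PN: set only on Additional FMs
    severity_top: Optional[int] = None   # SN: set only on top-level FMs
    causes: List[str] = field(default_factory=list)  # lower-level FMs linked via #causation


class Worksheet:
    def __init__(self, fms: List[FailureMode]):
        self.fms: Dict[str, FailureMode] = {fm.name: fm for fm in fms}
        # reverse index of the causal links: the FMs each FM contributes to (walked upward for SN)
        self.effects: Dict[str, List[str]] = {n: [] for n in self.fms}
        for fm in fms:
            for c in fm.causes:
                self.effects.setdefault(c, []).append(fm.name)

    def validate(self) -> List[str]:
        """Rule violations per the page: DN everywhere, PN only on Additional FMs,
        SN only on top-level FMs, FromIntegration FMs need a causal link."""
        errors = []
        for fm in self.fms.values():
            if fm.detection not in SCALE:
                errors.append(f"{fm.name}: rating_Detection missing or out of range")
            if fm.origin == "Additional" and fm.probability not in SCALE:
                errors.append(f"{fm.name}: Additional FM must set rating_Probability")
            if fm.origin == "FromIntegration" and fm.probability is not None:
                errors.append(f"{fm.name}: FromIntegration FM must not set rating_Probability")
            if fm.origin == "FromIntegration" and not fm.causes:
                errors.append(f"{fm.name}: FromIntegration FM has no #causation link")
            if fm.top_level and fm.severity_top not in SCALE:
                errors.append(f"{fm.name}: top-level FM must set rating_Severity_TOP")
            if not fm.top_level and fm.severity_top is not None:
                errors.append(f"{fm.name}: rating_Severity_TOP is inherited, do not set")
            for c in fm.causes:
                if c not in self.fms:
                    errors.append(f"{fm.name}: causal link to unknown FM {c}")
        return errors

    def sn(self, name: str, _seen=()) -> int:
        """SN: own rating_Severity_TOP, else inherited from the top level through the
        FMs this one causes (max across several effects is an assumption)."""
        if name in _seen:
            raise ValueError(f"causal cycle through {name}")
        fm = self.fms[name]
        if fm.severity_top is not None:
            return fm.severity_top
        ups = [self.sn(e, _seen + (name,)) for e in self.effects.get(name, [])]
        if not ups:
            raise ValueError(f"{name}: no path to a top-level FM, SN cannot be inherited")
        return max(ups)

    def pn(self, name: str, _seen=()) -> int:
        """PN: own rating_Probability (Additional FMs), else inherited from the
        lower-level Additional causes (max across several causes is an assumption)."""
        if name in _seen:
            raise ValueError(f"causal cycle through {name}")
        fm = self.fms[name]
        if fm.probability is not None:
            return fm.probability
        downs = [self.pn(c, _seen + (name,)) for c in fm.causes]
        if not downs:
            raise ValueError(f"{name}: no Additional cause, PN cannot be inherited")
        return max(downs)

    def dn(self, name: str) -> int:
        return self.fms[name].detection

    def cn(self, name: str) -> int:
        return self.sn(name) * self.pn(name) * self.dn(name)

    def is_critical(self, name: str) -> bool:
        sn, pn, dn = self.sn(name), self.pn(name), self.dn(name)
        return sn >= 3 or pn == 4 or dn == 4 or sn * pn * dn >= CRITICAL_CN

    def summary(self) -> Dict[str, tuple]:
        """name -> (SN, PN, DN, CN, critical) for every FM on the worksheet."""
        return {n: (self.sn(n), self.pn(n), self.dn(n), self.cn(n), self.is_critical(n))
                for n in self.fms}


# Constructed from the page's causal chain. Assumed, not stated on the page: BodyShop_FM1's DN,
# VehicleAssembly_FM2's SN and DN, and the name SurfacePrep_FM1 for the surface-prep FM.
WORKSHEET = Worksheet([
    FailureMode("VehicleAssembly_FM1", "FromIntegration", top_level=True,
                severity_top=3, detection=2, causes=["BodyShop_FM1"]),
    FailureMode("VehicleAssembly_FM2", "FromIntegration", top_level=True,
                severity_top=2, detection=2, causes=["SurfacePrep_FM1"]),
    FailureMode("VehicleAssembly_FM3", "Additional", top_level=True,
                severity_top=3, probability=1, detection=1),
    FailureMode("BodyShop_FM1", "FromIntegration", detection=2, causes=["SeamWelding_FM1"]),
    FailureMode("SeamWelding_FM1", "Additional", probability=2, detection=2),
    FailureMode("SurfacePrep_FM1", "Additional", probability=3, detection=2),
])

if __name__ == "__main__":
    for err in WORKSHEET.validate():
        print("VIOLATION:", err)
    for name, (sn, pn, dn, cn, crit) in WORKSHEET.summary().items():
        print(f"{name:22} SN={sn} PN={pn} DN={dn} CN={cn:2} {'CRITICAL' if crit else ''}")
```

`validate()` reports the modelling errors the page warns about (a FromIntegration FM that sets `rating_Probability`, an FM without `rating_Detection`, a FromIntegration FM with no `#causation` link), and `is_critical()` applies all four criteria, so the power-outage FM is flagged on SN even though its CN is 3. The cycle guard in `sn()`/`pn()` turns a mis-wired causal link into an error instead of infinite recursion.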
Notable Features
- Process hierarchy replaces system hierarchy
  `TopLevelProcess`, `ProcessStation`, and `ProcessStep` map to the same three-tier analysis structure as `TopLevelSystem`, `Subsystem`, and `Component` in Design FMEA/FMECA. The import in the process architecture file changes to `Derisker_ECSS::ProcessAnalyses::*`.
- Detection rating on every FM
  Unlike Design FMEA/FMECA, every Process FMECA failure mode must set `rating_Detection` and `rating_Detection_Comments`, including FromIntegration FMs.
- Effects describe 4M and operational impacts
  `failureEffects_LOCAL_Comments` documents Safety, Product, Process, and Programmatic impacts rather than hierarchical local/top-level hardware effects.
- Top-level Additional FMs
  Process FMECA can have Additional-origin FMs at any level, including the top level (e.g., a facility power outage is not caused by station failures), and such FMs must carry their own `rating_Probability`.