Electric Vehicle DFMEA

This example demonstrates a complete Design FMEA (DFMEA) for an electric vehicle (EV) using the AIAG & VDA FMEA library. The model decomposes the vehicle into a three-level hierarchy (system → 13 subsystems → ~50 components) with 163 failure modes, full causation chains, prevention/detection controls, and Step 6 optimization data.

Model Structure

The example is organized into packages by hierarchy level:

```sysml
package AIAG_VDA_FMEA_Example_DFMEA_ElectricVeh {
    package <LVL0> LVL0_System { ... }        // Vehicle-level functions and FMs
    package <LVL1> LVL1_Subsystems { ... }    // 13 subsystem part/function defs
    package <LVL2> LVL2_Components { ... }    // ~50 component part/function defs
    package Defs { ... }                       // Project-level helpers, items, ports
    package SubsystemConnections { ... }       // Optional inter-subsystem flows
    analysis EVDFMEAAnalysis : FMEA_Design { } // Analysis case with header
}
```

Scale:

| Metric | Count |
|---|---|
| LVL0 system functions | 8 |
| LVL0 failure modes | 18 |
| LVL1 failure modes (with LVL2 causes) | 33 |
| LVL1 failure modes (terminal — direct O/D, no LVL2) | 7 |
| LVL2 component failure modes | 105 |
| Shared FMs (cause for 2+ LVL0 effects) | 4 |
| Total failure modes | 163 |

Analysis Case (Step 1)

The analysis case declares the DFMEA header and subject:

DFMEA analysis case with header:

```sysml
private import Derisker_AIAG_VDA_FMEA::DFMEA::*;

analysis EVDFMEAAnalysis : FMEA_Design {
    doc /* DFMEA for Electric Vehicle — demonstrates full AIAG & VDA 7-step DFMEA. */

    subject evSystem : LVL0::ElectricVehicle;

    part redefines header {
        attribute :>> companyName          = "Sensmetry";
        attribute :>> subjectName          = "Electric Vehicle";
        attribute :>> fmeaStartDate        = "2026-01-15";
        attribute :>> crossFunctionalTeam  = "Systems, Safety, Powertrain, Battery";
        attribute :>> fmeaID               = "DFMEA-EV-001";
        attribute :>> confidentialityLevel = Confidentiality::proprietary;
    }
}
```

LVL0 System Functions and Failures

The ElectricVehicle part defines 8 system-level functions, each with multiple LVL0 failure modes. LVL0 FMs carry a manually assigned Severity (S); their Occurrence (O) and Detection (D) ratings are inherited from the LVL1 causes below them.

LVL0 Functions Overview

| Function | Description |
|---|---|
| generateTractiveForce | Convert stored electrical energy into tractive force at the wheels |
| controlVehicleDynamics | Control vehicle motion through steering, braking, and stability |
| maintainThermalBalance | Keep powertrain, battery, and cabin within thermal operating limits |
| manageElectricalPower | Distribute and manage LV/HV electrical power for all vehicle systems |
| ensureOccupantSafety | Protect occupants through structural integrity, airbags, and seatbelts |
| maintainVehicleStructure | Maintain vehicle structural integrity and chassis integrity |
| sustainDrivingRange | Maximise and communicate remaining driving range |
| provideDriverInformation | Provide accurate, timely information to the driver |

LVL0 Failure Modes for generateTractiveForce

LVL0 failure modes for the tractive force function:

```sysml
part def <EV> ElectricVehicle specializes Defs::SystemType {

    action generateTractiveForce : Defs::Function {
        doc /* Convert stored electrical energy into tractive force at the wheels. */

        perform action supplyTractionEnergy references batterySystem.supplyTractionEnergy;
        perform action propelVehicle        references powertrain.propelVehicle;

        @Pdiagram {
            controlFactors    = "Battery voltage; inverter current limit; motor torque curve; gear ratio";
            unintendedOutput  = "EMI; drivetrain NVH; excess heat; torsional vibration";
            noiseFactors {
                pieceToPieceVariation = "Cell capacity spread; motor magnet flux tolerance";
                changeOverTime        = "Battery fade; bearing wear; solder fatigue";
                customerUsage         = "Sustained high-speed driving; towing near rated payload";
                externalEnvironment   = "Temperature extremes; road salt ingress";
                systemInteractions    = "Battery voltage sag; coolant flow competition";
            }
        }

        // FM1 — Complete propulsion loss (S8, safety-relevant)
        #failureMode <FM1> inabilityToGenerateTractiveForce {
            attribute :>> failureModeType = FMType::lossOfFunction;
            ref occurrence :>> FEs = ();   // LVL0: no higher-level effect

            #failureCause <FC1> powertrainPropelVehLossOfFunction {
                end [1] occurrence :>> FC references propelVehicle.powertrainInoperative;
                end [1] occurrence :>> FM references FM1;
                attribute :>> currentPreventionControls =
                    "Inverter ASIL-D safe-state design; motor winding insulation class H";
                attribute :>> currentDetectionControls =
                    "Phase-current plausibility monitor; resolver signal-loss detection within 10 ms";
            }
            #failureCause <FC2> batterySupplyLossOfEnergy {
                end [1] occurrence :>> FC references supplyTractionEnergy.lossofTractionEnergy;
                end [1] occurrence :>> FM references FM1;
                attribute :>> currentPreventionControls =
                    "Contactor weld-detection feedback; BMS voltage-plausibility check";
                attribute :>> currentDetectionControls =
                    "HV bus voltage monitoring with 50 ms fault reaction; BMS self-test at key-on";
            }

            attribute :>> preventionControls = "Redundant HV contactor path; inverter safe-state torque-zero command";
            attribute :>> detectionControls  = "Full-vehicle propulsion loss test on chassis dynamometer";

            attribute :>> S = SR::S8_High;
            attribute :>> O = InheritOccurrenceRating(FCs.O.value);
            attribute :>> D = InheritDetectionRating(FCs.D.value);

            attribute :>> preventiveAction     = "Add pre-drive HV bus health check";
            attribute :>> detectionAction      = "Implement powertrain limp-home diagnostic with DTC logging";
            attribute :>> reponsiblePersonName = "Powertrain Integration Lead";
            attribute :>> targetDate           = "2026-Q3";
            attribute :>> status               = Status::decisionPending;
            attribute :>> remarks              = "Safety-relevant: feeds into ISO 26262 HARA";
        }

        // FM3 — Unintended traction (S10, highest severity)
        #failureMode <FM3> unintendedTractiveForce {
            attribute :>> failureModeType = FMType::unintendedFunction;
            ref occurrence :>> FEs = ();

            #failureCause <FC1> powertrainUnintendedPropulsion {
                end [1] occurrence :>> FC references propelVehicle.unintendedPropulsion;
                end [1] occurrence :>> FM references FM3;
                attribute :>> currentPreventionControls =
                    "Inverter independent hardware torque monitor; gate-driver desaturation detection <10 us";
                attribute :>> currentDetectionControls =
                    "Motor phase current vs. torque command; VCU torque-plausibility watchdog";
            }

            attribute :>> preventionControls = "Accelerator pedal plausibility check; torque request rate limiter";
            attribute :>> detectionControls  = "HIL fault injection for phantom torque scenarios";

            attribute :>> S = SR::S10_VeryHigh;
            attribute :>> O = InheritOccurrenceRating(FCs.O.value);
            attribute :>> D = InheritDetectionRating(FCs.D.value);

            attribute :>> status  = Status::open;
            attribute :>> remarks = "Safety-critical: unintended acceleration is a high-profile safety hazard";
        }
    }
}
```

LVL1 → LVL2 Failure Chain

LVL1 Subsystem: Powertrain

The Powertrain subsystem's propelVehicle function has LVL1 FMs that link upward to the LVL0 FMs above (via FEs) and downward to LVL2 component FMs below (via #failureCause links).

LVL1 FM with causation links to LVL2 and LVL0:

```sysml
action propelVehicle : Defs::Function {
    doc /* Convert HV DC power to mechanical torque at the drive shaft. */

    perform action convertDCtoAC    references inverter.convertDCtoAC;
    perform action generateTorque   references electricMotor.generateTorque;
    perform action reduceSpeed      references reducer.reduceSpeed;
    perform action transmitTorque   references driveShaft.transmitTorque;

    #failureMode <FM1> powertrainInoperative {
        attribute :>> failureModeType = FMType::lossOfFunction;

        // Links upward to LVL0
        ref occurrence :>> FEs = LVL0::EV::generateTractiveForce.inabilityToGenerateTractiveForce;

        attribute :>> preventionControls = "ASIL-D inverter safe-state; dual-resolver sensing";
        attribute :>> detectionControls  = "EDU torque verification on dynamometer";

        attribute :>> S = InheritSeverityRating(FEs.S.value);
        attribute :>> O = InheritOccurrenceRating(FCs.O.value);
        attribute :>> D = InheritDetectionRating(FCs.D.value);

        // Causation links down to LVL2 component FMs
        #failureCause <FC1> inverterNoACOutput {
            end [1] occurrence :>> FC references convertDCtoAC.noACOutput;
            end [1] occurrence :>> FM references FM1;
            attribute :>> currentPreventionControls = "IGBT desat detection with <5 us shutdown";
            attribute :>> currentDetectionControls  = "Phase-current check at EOL";
        }
        #failureCause <FC2> motorNoTorque {
            end [1] occurrence :>> FC references generateTorque.noTorqueOutput;
            end [1] occurrence :>> FM references FM1;
            attribute :>> currentPreventionControls = "Winding insulation class H; bearing pre-load spec";
            attribute :>> currentDetectionControls  = "Phase impedance at EOL; vibration analysis";
        }
        // ... FC3 (reducer jam), FC4 (drive shaft fracture) also present

        attribute :>> status = Status::open;
    }
}
```

LVL2 Component: Inverter

LVL2 component FMs are leaf nodes of the failure chain: they carry actual O and D ratings assigned by the team rather than inherited ones, while their S is still inherited from the LVL1 effect above.

LVL2 leaf failure mode on the Inverter component:

```sysml
action convertDCtoAC : Defs::Function {
    doc /* Convert HV DC input to 3-phase AC output to drive the motor. */

    #failureMode <FM1> noACOutput {
        doc /* IGBT module failure stops all AC output; zero motor drive. */
        attribute :>> failureModeType = FMType::lossOfFunction;

        // Links upward to LVL1
        ref occurrence :>> FEs = LVL0::EV::powertrain.propelVehicle.powertrainInoperative;

        attribute :>> preventionControls = "IGBT desat detection; DC-link fuse coordination";
        attribute :>> detectionControls  = "Phase-current check at EOL; HIL fault injection";

        // Leaf FM: actual O and D ratings
        attribute :>> S = InheritSeverityRating(FEs.S.value);
        attribute :>> O = OR::O3_Low;
        attribute :>> D = DR::D4_High;

        attribute :>> preventiveAction     = "Add pre-drive inverter health check";
        attribute :>> detectionAction      = "Implement torque-zero fault DTC logging";
        attribute :>> reponsiblePersonName = "Powertrain Integration Lead";
        attribute :>> targetDate           = "2026-Q3";
        attribute :>> status               = Status::implementationPending;
    }
}
```

Shared Failure Modes (Pattern C)

Four LVL1 failure modes are referenced as a cause by two different LVL0 failure modes, modelling common-cause failure paths:

| Shared LVL1 FM | LVL0 Effect 1 | LVL0 Effect 2 |
|---|---|---|
| Chassis: lossOfStructuralIntegrity | maintainVehicleStructure.FM1 (S10) | ensureOccupantSafety.FM1 (S10) |
| Braking: lossOfBraking | controlVehicleDynamics.FM1 (S10) | ensureOccupantSafety.FM2 (S9) |
| BatterySystem: lossofTractionEnergy | generateTractiveForce.FM1 (S8) | sustainDrivingRange.FM1 (S8) |
| BatterySystem: degradedTractionEnergy | generateTractiveForce.FM2 (S7) | sustainDrivingRange.FM2 (S6) |

The shared FM uses tuple syntax for FEs:

```sysml
#failureMode <FM1> lossofTractionEnergy {
    attribute :>> failureModeType = FMType::lossOfFunction;

    // Tuple: this FM feeds into two different LVL0 effects
    ref occurrence :>> FEs = (
        LVL0::EV::generateTractiveForce.inabilityToGenerateTractiveForce,
        LVL0::EV::sustainDrivingRange.inabilityToSustainDrivingRange
    );

    attribute :>> S = InheritSeverityRating(FEs.S.value);  // inherits max(S8, S8) = S8
    attribute :>> O = InheritOccurrenceRating(FCs.O.value);
    attribute :>> D = InheritDetectionRating(FCs.D.value);
    // ... causes, controls, optimization
}
```

Terminal LVL1 FMs (Direct O/D)

Seven LVL1 failure modes carry direct O and D ratings without LVL2 decomposition. These act as leaf nodes at LVL1, demonstrating that the hierarchy can terminate at any level when further decomposition is not warranted:

| Subsystem | Terminal LVL1 FMs |
|---|---|
| ThermalManagement | degradedComponentTempRegulation, degradedCabinConditioning |
| ElectricalSystem | intermittentAuxiliaryPower, intermittentVehicleCommunication |
| BodyExterior | degradedCabinEnclosure |
| Lighting | degradedIntentSignalling |
| ADAS | delayedAssistance |

Terminal LVL1 FM with direct O and D ratings:

```sysml
#failureMode <FM2> degradedCabinConditioning {
    attribute :>> failureModeType = FMType::degradationOfFunction;

    ref occurrence :>> FEs = LVL0::EV::maintainThermalBalance.degradedThermalBalance;

    attribute :>> preventionControls = "Dual-loop HVAC architecture; thermal model calibration";
    attribute :>> detectionControls  = "Cabin temperature sensor monitoring; EOL HVAC performance test";

    // Terminal at LVL1: actual O and D (no LVL2 decomposition)
    attribute :>> S = InheritSeverityRating(FEs.S.value);
    attribute :>> O = OR::O5_Moderate;
    attribute :>> D = DR::D5_Moderate;

    attribute :>> status = Status::open;
}
```
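The rating inheritance used in the failure-chain, shared-FM and terminal-FM blocks above, reproduced as an added Python example (not part of the page's SysML model or the Derisker library): S flows down from FEs as a maximum, as the comment on lossofTractionEnergy states, while O and D flow up from FCs, and leaf FMs must carry direct ratings. The page does not state how the library aggregates O/D across several causes; taking the worst-case (maximum) cause rating is an assumption here, as are the O/D values on noTorqueOutput, the S on degradedThermalBalance and the constructed packCellOpenCircuit cause.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class FM:
    """One failure-mode node; ratings left as None are inherited along the chain."""
    name: str
    level: int                    # 0 = system, 1 = subsystem, 2 = component
    S: int | None = None          # assigned directly only on LVL0 FMs
    O: int | None = None          # assigned directly only on leaf FMs (LVL2 or terminal LVL1)
    D: int | None = None
    FEs: list[FM] = field(default_factory=list)   # higher-level effects this FM feeds
    FCs: list[FM] = field(default_factory=list)   # lower-level causes of this FM
def link(cause: FM, effect: FM) -> None:
    """A #failureCause link: the cause lists the effect in FEs, the effect lists the cause in FCs."""
    cause.FEs.append(effect)
    effect.FCs.append(cause)
def inherit_S(fm: FM) -> int:
    """InheritSeverityRating: maximum S over all effects (max(S8, S8) = S8 for the shared FM)."""
    if fm.S is not None:
        return fm.S
    if not fm.FEs:
        raise ValueError(f"{fm.name}: no S and no FEs to inherit from")
    return max(inherit_S(e) for e in fm.FEs)
def inherit_up(fm: FM, rating: str) -> int:
    """O and D flow up from causes. Assumption: the worst-case (maximum) cause rating is taken."""
    own = getattr(fm, rating)
    if own is not None:
        return own
    if not fm.FCs:
        raise ValueError(f"{fm.name}: no {rating} and no FCs; a leaf FM must carry a direct rating")
    return max(inherit_up(c, rating) for c in fm.FCs)
def shared_lvl1(fms: list[FM]) -> list[str]:   # Pattern C: one LVL1 FM feeding 2+ LVL0 effects
    return sorted(f.name for f in fms if f.level == 1 and len(f.FEs) >= 2)
def terminal_lvl1(fms: list[FM]) -> list[str]:  # direct O/D at LVL1, no LVL2 decomposition
    return sorted(f.name for f in fms if f.level == 1 and not f.FCs and f.O is not None)

# Constructed slice of the page's chain; values the page does not give are marked.
tractive = FM("inabilityToGenerateTractiveForce", 0, S=8)
range_   = FM("inabilityToSustainDrivingRange", 0, S=8)
thermal  = FM("degradedThermalBalance", 0, S=6)           # S6 is a constructed value
pt_inop  = FM("powertrainInoperative", 1)
energy   = FM("lossofTractionEnergy", 1)
cabin    = FM("degradedCabinConditioning", 1, O=5, D=5)    # terminal LVL1 FM (page values)
no_ac    = FM("noACOutput", 2, O=3, D=4)                   # LVL2 leaf (page values)
no_trq   = FM("noTorqueOutput", 2, O=2, D=6)               # O/D are constructed values
pack     = FM("packCellOpenCircuit", 2, O=2, D=3)          # constructed LVL2 cause of energy
for c, e in [(pt_inop, tractive), (energy, tractive), (energy, range_), (cabin, thermal),
             (no_ac, pt_inop), (no_trq, pt_inop), (pack, energy)]:
    link(c, e)
MODEL = [tractive, range_, thermal, pt_inop, energy, cabin, no_ac, no_trq, pack]
```

Running the same functions over a full model export would flag any LVL1 or LVL2 FM that neither carries a direct O/D nor has causes, which is the consistency check the "terminal" and "leaf" rules above imply.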

LVL2 Coverage Summary

| Subsystem | Components | LVL2 FMs | Notable Step 6 Statuses |
|---|---|---|---|
| Powertrain | Inverter, Motor, Reducer, DriveShaft | 12 | 1 implementationPending, 1 decisionPending |
| BatterySystem | BatteryPack, BMS, BatteryHousing, HVCabling | 13 | 1 completed, 1 decisionPending |
| Chassis | BodyFrame, FrontSubframe, RearSubframe, CrashStructure | 12 | 1 completed, 1 decisionPending |
| Suspension | CoilSpring, ShockAbsorber, ControlArm, AntiRollBar | 11 | 1 completed, 1 implementationPending |
| Steering | SteeringColumn, SteeringRack, EPSMotor, TieRod | 12 | 3 completed, 1 implementationPending |
| Braking | BrakeDisc, BrakeCaliper, BrakePad, ABSModule, RegenBrakingUnit | 16 | 3 completed, 2 implementationPending, 1 decisionPending |
| ThermalManagement | BatteryCoolingLoop, Radiator, CoolantPump, HeatPump, CabinHVACUnit | 5 | 1 implementationPending, 1 decisionPending |
| ElectricalSystem | DCDCConverter, LVBattery, WiringHarness, CentralGateway, OnboardCharger, ChargingPort | 9 | 2 completed, 1 implementationPending, 1 decisionPending |
| BodyExterior | Windshield, Door | 2 | 1 decisionPending |
| Interior | Airbag, SeatBelt | 4 | 1 completed, 1 implementationPending |
| Infotainment | CentralDisplay, InstrumentCluster | 2 | 1 implementationPending |
| Lighting | Headlamp | 2 | 1 completed |
| ADAS | FrontRadar, FrontCamera, ADASControlUnit | 5 | 1 completed, 1 implementationPending, 1 decisionPending |
| Total | 38 components | 105 | 14 completed, 10 implementationPending, 8 decisionPending, 73 open |

Notable Modelling Features

Full 3-level failure chain

Complete traceability from 18 LVL0 system FMs through 40 LVL1 subsystem FMs down to 105 LVL2 component FMs, with upward FEs references and downward #failureCause links at every level.

P-diagrams on critical functions

All 8 LVL0 system functions carry @Pdiagram annotations documenting control factors, noise factors, and unintended outputs for each function.

Common-cause paths modelled

Four shared LVL1 FMs (Pattern C) appear as causes in multiple LVL0 effects, demonstrating real-world design interdependencies.

Mixed Step 6 status

The example deliberately mixes open, decisionPending, implementationPending, completed, and notImplemented statuses to illustrate a realistic analysis in progress.

Severity diversity

LVL0 FMs range from S6 (secondary function loss) to S10 (potential injury / safety hazard), reflecting the full severity spectrum.

Port and flow modeling

LVL0 system functions define ports and flows (e.g. HVDCPower, MechanicalTorque, DataSignal) — optional but valuable for documenting system interfaces and detecting architectural gaps.