Understanding FMEA Controls – Part 2

Problems and Solutions

In this article, we use problems and solutions to learn about FMEA controls. In the intermediate problem, we continue examining the door latch-pin failure of the DC-10 cargo door, as an example to identify FMEA controls. In the advanced problem, we analyze a fictitious FMEA relating to potential safety of someone trying to unjam a snowblower.

If you haven’t yet read the article “Understanding FMEA Controls – Part 1“, this would be a good time, as it presents fundamental information about design and process controls in an FMEA.

Beginner’s Problem

In an FMEA, which of the following is true about a “control”? (Select all that apply)

1. A “control” is the specific recommendation by the FMEA team to control the risk associated with the cause of failure.
2. A “control” needs to be taken to the level of root cause of the failure.
3. There are often two types of controls identified in an FMEA: prevention-type controls and detection-type controls.
4. “Controls” are the methods or actions that are not currently planned, but need to be done to reduce or eliminate the design-related risk associated with the cause of failure.
5. “Controls” are the methods or actions that are planned or currently in place to reduce or eliminate the design-related risk associated with the cause of failure.

Intermediate Problem

[The intermediate problem repeats the scenario from previous months. This month, readers will be asked to continue the analysis by identification of a control.]

Scenario: On June 12, 1972 an American Airlines DC-10 aircraft lost its aft cargo door soon after taking off from Detroit. We’ll use this incident to practice identifying the elements of an FMEA. Here is the background to the FMEA problem.

McDonnell Douglas learned from cabin pressure testing that an improperly closed cargo door could burst open due to loss of cabin pressure, potentially resulting in the floor of the passenger compartment crashing down into the cargo compartment. The temporary solution was to put a vent flap in the door that would close by the same linkage that shut the cargo door, which would keep the airliner from holding pressure unless the cargo door was safely latched, thereby alerting the pilot to the problem. However, a bit of excessive force by a baggage handler shutting the door could make the vent flap close even though the cargo door was not fully latched.

The DC-10 with the cargo door vent flap was put back in service. On a brief layover before the Flight 96 leg to Detroit, a cargo handler had trouble shutting the rear cargo door, but managed to get it shut with a little extra force. Since the door-latch signaled “closed,” the warning light in the cockpit did not show a problem. However, the force the cargo handler used to shut the door bent a metal linkage on the inside of the door, preventing it from closing properly. The air pressure during ascent generated too much force on the bent door linkage. It sheared off the pins, releasing the door. The cabin near the door collapsed and jammed the control cables to the tail. The rest is tragic history.

The probable failure sequence of the DC-10 cargo door is:

1. Airline cargo handler uses extra force to close rear door, bending door pin. Door does not securely close.
2. The door vent flap does not trigger the electronic alarm, and the pilot is not notified the cargo door failed to lock securely.
3. The air pressure outside the cargo door drops during ascent, until pressure on the door from the inside causes the door-latch pin to shear. The cargo door blows out.
4. High-pressure air inside the cabin collapses the floor, resulting in hydraulic lines and cables becoming non-functional.

We’ll use the door latch-pin failure on DC cargo door latching subsystem as an example to practice identifying functions, failure modes, effects, causes and controls, based on the cargo door latch-pin failure history.

In previous months, we focused on one possible function, and one possible failure mode for the identified function and one possible effect of the failure. The previous month’s answer for the function of the door latch-pin was something similar to “fully secure the cargo door in the closed position during all operating loads and environmental conditions without allowing the door to close unless fully latched,” and for the failure mode, it was something similar to “Door latch pin bends under maximum stress loading,” and for the effect of the failure it was something similar to “bent latch pin allows the door to appear to be closed when it is not fully secure, thus failing to abort airplane takeoff, potentially creating a pressure differential between inside and outside air, with the possibility of catastrophic cargo door blowout during flight.”

This month we’ll focus on controls for the failure of the door latch-pin of the DC-10 cargo door.

Problem: Use the door latch-pin failure of the DC-10 cargo door latching subsystem as an example to identify one prevention-type control and one detection-type control for the cause “specification of pin material has inadequate hardness.”

Advanced Problem

Scenario: You’ve been hired into the ABC Snowblower Company to assist with FMEAs. One of the problems you have been told to address is the problem where snow can build up in the auger, jamming it and stalling the motor. Under the current design, it is possible for users to reach into the auger area to unjam the auger. The marketing department wanted users to unjam the auger easily, as part of the new drive to increase customer satisfaction. However, this is complicated by the fact that the auger could deform before applying enough resistance to the motor to turn it off. If the jam is cleared by hand, it is possible for the auger to return to its natural shape suddenly and with great force, possibly injuring the user. There have been reports of injuries when users try to clear the jammed auger by hand. The ABC Snowblower management wants you to address this problem by putting verbiage into the snowblower user’s manual warning against reaching into a jammed auger and telling users to use a broom handle.

Problem: You are doing a System FMEA on the snowblower. Assuming one of the functions of the snowblower is to throw snow safely and smoothly without jamming, answer the following questions:

1. How would you describe one potential failure mode and effect for this problem?
2. Is it possible to reduce the severity of the effect? If so, what might you recommend? If not, why not?
3. Does an entry in the user’s manual warning against reaching into a jammed auger reduce the severity of the effect? Why?
4. Assuming jamming can occur when a foreign object becomes lodged in the auger, is this a root cause? Why?

Next Article

One of the more important topics in the FMEA body of knowledge is how to audit the effectiveness of FMEAs. Performing FMEAs properly and to a high quality standard is essential to obtaining the best possible results. The next article discusses and answers a reader question about auditing FMEA effectiveness.