Hazard Analysis vs. Risk Mitigation

A blog by Dr. Uwe-Klaus Jarosch, April 2026

Both in quality management and among developers, there is a persistent misconception that an FMEA is a risk analysis for the product or its manufacturing process.

That is exactly what an FMEA is not.

But what is it, then?

And where can the development team learn about the product’s risks in the field?

The goal of this blog post is to answer these questions.

This question is by no means new.

My colleague Martin Werdich addressed this topic two years ago in an article in his magazine “FMEA-Konkret”[1].

[1] FMEA Konkret 24-13, p. 5 ff., „Die FMEA ist keine Risikoanalyse“ (“The FMEA is not a risk analysis”)

Since engineering, QM, and management consistently view FMEA as a risk analysis, this topic was revisited and presented online in April 2026 as part of the DGQ FMEA Circle of the East Westphalia-Lippe Regional Group[2].

[2] DGQ = German Quality Federation
For members of the DGQ, a video recording of the presentation and the set of slides are available for download in the DGQ Plus Mediathek (www.DGQ.de).

This blog post is a summary of that presentation.

First, I would like to explain a few key terms that are relevant in this context.

Hazard

describes the potential of a situation, a substance, or a device (source of hazard) to cause harm to the affected person in terms of health, the performance of an activity, assets, etc.

Danger

is a condition or situation in which there is a possibility of harm occurring.

Harm

is an involuntary disadvantage, a loss, or an impairment.

Risk

describes the combination of the probability of occurrence together with the severity of the consequences of a potential harm.

Risk Mitigation

describes a targeted analysis of causes together with measures for prevention and/or detection in order to avoid the harm completely or to reduce its probability.

If I can mitigate something then I should know what it is and how it can be measured.

There are different definitions of “Risk”.

In our technical environment the definitions listed above apply.
But in our technical environment we also need to distinguish how consequences for technology and for society are rated.
At the end of the 1990s, Professor Ortwin Renn[3] created an analogy between types of risks and creatures of Greek mythology. He placed these risk types in a diagram of two factors: probability of occurrence (vertical axis) and extent of hazard (horizontal axis).

[3] Source: German Advisory Council on Global Change (WBGU), scientific advisory body of the Federal Government
Annual Report 1998, chap. C 1.5, p. 45
Welt im Wandel: Strategien zur Bewältigung globaler Umweltrisiken (World in Transition: Strategies for Managing Global Environmental Risks), Jahresgutachten 1998

In this diagram the risk types are placed over the zone of accepted risks (green, normal range), over the borderline range (yellow), up to the red range, the forbidden zone of unacceptable risk.

The fewer risks are accepted, the more intensive the prevention through risk mitigation must be.

The terms hazard and risk differ only in nuances.
Therefore, every method dealing with hazard and risk is expected to produce a risk assessment.

In both hazard analysis and risk mitigation there is a portion of analysis and a portion of actions.
This makes it even more likely that the two get mixed up.

Furthermore, there are expectations: if a company invests so much time and effort in an FMEA, then there is the (wrong) expectation of deriving from it a risk assessment of the product towards the customer.

Hazard & Risk Analysis

The task of doing a risk assessment of the product towards the customer belongs to the hazard and risk analysis:
What can happen with this product or this service at the customer?

Methods like HARA (Hazard and Risk Analysis) or the determination of SIL categories [4] for the product's tasks at the customer are designed for this purpose. They are able to identify and rank the consequences for the customer, including the boundary conditions for their occurrence.

Measures typically consist of the application of methods rather than of dedicated single actions.
The hazard analysis derives the required intensity of those measures.

[4] SIL = Safety Integrity Level. This rating belongs to Functional Safety. It looks at how strongly functions relate to danger for life and limb of the customer. In the automotive industry the categories are called ASIL, Automotive Safety Integrity Level.

A hazard analysis according to ISO 26262 for Functional Safety not only looks at the potential harm (S1–S3) but also at the level of exposure and at the controllability of the rated scenario. All three influence the level of harm.

In a very similar way, hazards and risks for military applications are rated by several factors according to MIL-STD-882E.

Tasks of Risk Mitigation

To keep hazard and risk (that means the combination of potential harm and its probability of occurrence) at a low level, the current state of science and technology most frequently takes the path of investigating the causes and of systematically and in detail mitigating the risk that these causes become effective.

This is the approach of risk mitigation promoted by the FMEA method.

For the automotive industry, the AIAG VDA FMEA handbook from 2019 lists 4 different risks that are relevant in project work.
According to this handbook, the risk-mitigating effect of design and process FMEA should focus only on the mitigation of technical risks.

For me, with respect, this falls short.
A reasonable and honest rating and tracking of actions with respect to their timely completion will already reduce timeline risks.
Including the feasibility of the design for manufacturing as planned will strongly influence the cost-effectiveness of the process and therefore the financial risks.

Only the question of whether the company will earn money with this product and whether it is cost-effective overall is not a result of the FMEA. This needs strategic thoughts and decisions, transferred into design targets which then need to be realized technically.
The FMEA will reduce such risks via the analysis and mitigation of details.

Finally, a profit-oriented company will define risk only indirectly by customer satisfaction and safety, but directly by the potential loss of profit = money.

Which Risks are Rated by the FMEA?

The approach to do an analysis of structure, functions and failures is organized in process steps.

A System FMEA will list the functions of the product as a whole and then assign them to subsystems and units. The design of such subsystems and subunits is clearly structured but not yet worked out in detail.

The Design FMEA is then responsible for the next level of design. As a result, product characteristics need to be defined as they will appear on the drawing, to clearly instruct the manufacturing of the component.

The Process FMEA takes a given concept of the workflow, of equipment and tooling, and analyzes the process controls needed to achieve a safe and stable production of the product. Influences come from the state of equipment and tooling, from human influences in the process, from the material used and from the environmental conditions acting on the process[5]. These process parameters need to be stable and under control within predefined ranges.

[5] the typical 4M cause categories: Man, Machine, Material, Milieu

To keep risks for the “product to the customer” at a low level, we need to raise critical questions about all decisions taken in all steps of process preparation. All decisions need to be examined to keep the consequences, upwards and in total, small and under control. I like to call this a “brute force” method: only a complete analysis will result in an effective and safe risk mitigation.

In the picture: only the cells at the far bottom right create the risk mitigation.

What cannot be derived from the FMEA is an overall risk analysis of the final product as a whole. Neither the completeness of the analysis nor any real distinction in the upward cause-to-effect relations of the failure tree is ensured by this model.
No quantified rating, as performed e.g. for a few failure modes in a quantitative failure tree analysis [6], is possible in an FMEA.

[6] Failure (Fault) Tree Analysis: logical links are combined with probability values for the occurrence of causes and result in a numerical value for the resulting occurrence of a failure mode
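As an added illustration of the quantitative combination described in [6] (example code written for this post, not from the blog or any FMEA tool; the tree, cause names and probability values are constructed assumptions), this Python function evaluates a small fault tree with AND/OR gates to a single top-event probability, which the S/O/D ratings of an FMEA cannot provide. It assumes independent basic causes; common-cause failures would need separate treatment.

```python
from dataclasses import dataclass
from typing import List, Union


@dataclass
class Cause:
    """A basic cause with its assumed probability of occurrence (constructed)."""
    name: str
    p: float


@dataclass
class Gate:
    """Logical link between inputs: "AND" (all must occur) or "OR" (any suffices)."""
    kind: str
    inputs: List["Node"]


Node = Union[Cause, Gate]


def probability(node: Node) -> float:
    """Probability of the event at `node`, assuming independent basic causes."""
    if isinstance(node, Cause):
        if not 0.0 <= node.p <= 1.0:
            raise ValueError(f"{node.name}: probability {node.p} out of range")
        return node.p
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":          # all inputs occur: product of probabilities
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.kind == "OR":           # any input occurs: 1 - P(none of them occurs)
        none_occurs = 1.0
        for p in ps:
            none_occurs *= 1.0 - p
        return 1.0 - none_occurs
    raise ValueError(f"unknown gate kind {node.kind!r}")


# Constructed example tree (assumed names and values): the failure mode
# "overcurrent not detected" occurs if the current sensor fails, or if the
# ADC channel fails AND no plausibility check is implemented.
OVERCURRENT_UNDETECTED = Gate("OR", [
    Cause("current sensor fails", 1e-4),
    Gate("AND", [
        Cause("ADC channel fails", 2e-4),
        Cause("plausibility check not implemented", 1e-2),
    ]),
])


def top_event_probability() -> float:
    return probability(OVERCURRENT_UNDETECTED)


if __name__ == "__main__":
    print(f"P(overcurrent not detected) = {top_event_probability():.3e}")
```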

How to connect HARA and Risk Mitigation?

If a hazard and risk analysis has been done, it can be used to categorize consequences. This results in reasonable severity ratings. The “but” is: not all such categories are available in a “traditional” FMEA. Therefore, the transfer is a matter of discussion.

When both types of analysis are to be used together, the hazard analysis must be done first. Otherwise, the risk mitigation could work with a wrong rating of consequences, i.e. the severity rating in the FMEA.

I like to refer to a method proposal by Prof. Alexander Schloske: he proposed using criteria from HARA and/or ASIL to add further levels of severity to the list of final consequences.

In the picture, top left, the SIL / ASIL ratings are shown; below them, similar ratings used in the military sector. The results from hazard & risk analysis mainly concentrate on what is collected under FMEA severity S=10, “danger for life and limb”.
A squeezed finger will heal in a few days. In my view this needs to be rated differently from the potentially fatal accident, and it needs different reactions in the product and process design.

The proposal is to change the scale of severity S. Either the scale keeps its 10 levels and is redistributed, narrowing the lower and mid criteria, or the scale is enlarged and today's S=10 is split up into e.g. 5 levels.

Alignment of the Rating Systems

Independent of the previous proposal to split up the severity rating for S=10, each company needs to arrange the catalogues for severity, occurrence and detection in its FMEA rating catalogue in an appropriate way.

If S=6 has a company-specific meaning, and likewise O=3 and D=7, then the matrix that decides about the next steps needs to be aligned as well. What are the required risk mitigation actions for a given combination of S, O and D?

Which level of risk is acceptable on cause level for the team, for the company?

Conclusions: 

  • Hazard and Risk Analysis and FMEA complement each other.
    • Hazard and Risk Analysis looks at the interface to the user / customer.
    • FMEA focuses on the detection of causes and their control.
  • A Hazard and Risk Analysis finds out which hazards may result from a given situation.
    And it will define and track measures in development to reduce these risks.
  • Such measures may be anticipatory FMEAs applied to systems, products and processes during development, before use.
  • FMEAs look into the details, into causes, and should prevent and/or detect the risks at their roots.
  • FMEAs do not measure the remaining risk of the product or the process towards the final customer.

Stay curious

Yours 
Uwe Jarosch

A small addition:

Here is the link to the recording of the presentation, in German.
