Failure mode effect analysis, FMEA, calculates a risk priority number, RPN, multiplying the severity of an effect of the failure mode by the probability of occurrence of the cause of the failure mode by the capacity of detection of the current controls in place. It is known for its powerful risk prevention management. In September 2015, ISO 9001 the quality system management standards made drastic changes to its norm introduce various new concepts into the requirements and one of these is risk management. By mapping process criticality and feeding the FMEA from the critical inputs ranged into six categories, man, machine, materials, measurement, methods, and mother nature, of the process maps, FMEA is the perfect tool to use in the new ISO 9001:2015 and probably all newer revisions as well in the future. We have been implementing FMEA as risk management in all quality system sin September 2015 and many many times it has been mentioned as a best practice during Certification and/or recertification audits.

However one thing FMEA does not do when used as a risk prevention management tools rather than a process improvement tools based on failure prevention, is to set a base line for different levels of risk mitigation and residuals. Mitigation can be to assume risk, to reduce or eliminate, to transfer to a third party or simply to seek more understandings. Basically there three major directions:

1- assume the effects of the risk because it is not significant after quantifying it,

2- take action against the potential risk because it may affect the business or process continuity for instance

3- acquire an insurance against the risk effect because it is of significant economic, environmental or human magnitude.

The FMEA will quantify any risk associated to the failure of a critical process input, but it will not guide you as to what level should you set as an acceptable or assumable risk. The following procedure can help you do that and finalize your FMEA as a risk management system for the ISO 9001:2015.

Instead of setting acceptance level and transfer level in the conventional subjective way, we proposes a scientific objective method based on descriptive statistics, particularly quartiles. There are three steps (after realizing the FMEA) in our proposed method:

Step 1- From all calculated risk priority numbers, RPN, calculate their first quartile, median and third quartile. Use a software or apply the formulas: First quartile: Q1 = (n+1)/4 where n is the number of RPNs you have in the FMEA, median = data in the center if you have unpaired number of RPNs, or the average of the two centered data if you have paired number of RPNs, third quartile Q3 = 3(n+1)/4. The following figure shows a partial section of the RPN column and the descriptive statistics with highlighted quartiles.

Step 2- Construct a three way rank matrix by putting severity scale from 1 to 10 on the vertical y axis, occurrence scaled from 1 to10 on the bottom X axis, and detection from 1 to 10 on the upper x axis. Then multiply all three at the cells intersection, to obtain the possible RPN values. See next figure.

Step 3- The above calculated first quartile means that 25% of the risks (RPNs) are below this value. Therefore we should set the Q1 value as the acceptance level of risk in our mitigation and colored those cells as green, The third quartile Q3 means that 25% of the risk are above this value, and thus we may consider those as high risks and decide to transfer them if we deem so. Those cells should be colored as red. Anything in the inter quartile range represents then the risk we should act upon internally and we shall colored them

However there is a strong exception for the numbers in the lower left hand corner representing a risk where the effect was 9 or 10, simply because in the standardized scale 9 is a violation of regulations or laws, and 10 is a potential human accident, injury and death. Therefore even if this numbers had fallen in the green first quartile space, it is strongly recommended to put them in yellow, a different shade of yellow if wished, so that actions can be taken against them to avoid further legal complications and implications.

Once you completed step three you then have a conventional risk matrix but scientifically designed with objective levels of mitigation. You have transformed your process improvement prevention failure analysis into a risk matrix and risk mitigation levels, ready to be used in ISO 9001:2015 quality management system.

However one thing FMEA does not do when used as a risk prevention management tools rather than a process improvement tools based on failure prevention, is to set a base line for different levels of risk mitigation and residuals. Mitigation can be to assume risk, to reduce or eliminate, to transfer to a third party or simply to seek more understandings. Basically there three major directions:

1- assume the effects of the risk because it is not significant after quantifying it,

2- take action against the potential risk because it may affect the business or process continuity for instance

3- acquire an insurance against the risk effect because it is of significant economic, environmental or human magnitude.

The FMEA will quantify any risk associated to the failure of a critical process input, but it will not guide you as to what level should you set as an acceptable or assumable risk. The following procedure can help you do that and finalize your FMEA as a risk management system for the ISO 9001:2015.

Instead of setting acceptance level and transfer level in the conventional subjective way, we proposes a scientific objective method based on descriptive statistics, particularly quartiles. There are three steps (after realizing the FMEA) in our proposed method:

Step 1- From all calculated risk priority numbers, RPN, calculate their first quartile, median and third quartile. Use a software or apply the formulas: First quartile: Q1 = (n+1)/4 where n is the number of RPNs you have in the FMEA, median = data in the center if you have unpaired number of RPNs, or the average of the two centered data if you have paired number of RPNs, third quartile Q3 = 3(n+1)/4. The following figure shows a partial section of the RPN column and the descriptive statistics with highlighted quartiles.

Step 2- Construct a three way rank matrix by putting severity scale from 1 to 10 on the vertical y axis, occurrence scaled from 1 to10 on the bottom X axis, and detection from 1 to 10 on the upper x axis. Then multiply all three at the cells intersection, to obtain the possible RPN values. See next figure.

Step 3- The above calculated first quartile means that 25% of the risks (RPNs) are below this value. Therefore we should set the Q1 value as the acceptance level of risk in our mitigation and colored those cells as green, The third quartile Q3 means that 25% of the risk are above this value, and thus we may consider those as high risks and decide to transfer them if we deem so. Those cells should be colored as red. Anything in the inter quartile range represents then the risk we should act upon internally and we shall colored them

However there is a strong exception for the numbers in the lower left hand corner representing a risk where the effect was 9 or 10, simply because in the standardized scale 9 is a violation of regulations or laws, and 10 is a potential human accident, injury and death. Therefore even if this numbers had fallen in the green first quartile space, it is strongly recommended to put them in yellow, a different shade of yellow if wished, so that actions can be taken against them to avoid further legal complications and implications.

Once you completed step three you then have a conventional risk matrix but scientifically designed with objective levels of mitigation. You have transformed your process improvement prevention failure analysis into a risk matrix and risk mitigation levels, ready to be used in ISO 9001:2015 quality management system.