Risk Management

FMEA Risk Assessment: 9 Blind Spots Before Controls

FMEA risk assessment fails when teams score failure modes before they understand exposure, control strength, and field verification.


Key takeaways

  1. Start FMEA risk assessment with credible exposure, because a clean score table cannot repair a weak failure-mode definition.
  2. Challenge severity downgrades when safeguards are assumed but not verified in the field, especially for SIF-potential (serious injury and fatality) scenarios.
  3. Separate detection from prevention so inspections, alarms, and operator vigilance do not get credited as if they removed the hazard.
  4. Assign a risk owner for every high-consequence failure mode, since ownerless actions turn FMEA into an engineering archive.
  5. Use Andreza Araujo's safety culture diagnostics when FMEA results look complete but field controls remain fragile.

FMEA risk assessment becomes dangerous when the team believes the worksheet is more precise than the operation it describes. The method can expose weak controls, but only when people slow down enough to define credible failure modes, challenge assumed safeguards, and verify whether the selected controls still exist in the work area. This is the same discipline behind critical control registers and Bow-Tie analysis, where risk logic has to survive field evidence.

The common market advice says FMEA works because it ranks risk through severity, occurrence, and detection. That is partly true. The hole is that a neat risk priority number can hide fragile assumptions when supervisors, engineers, and EHS managers score a failure mode before they understand how the work is actually performed on night shift, during maintenance backlog, or under contractor turnover.

Across 25+ years leading EHS in multinationals, Andreza Araujo has seen that serious exposure often survives inside disciplined-looking systems. In risk management, the problem is rarely the absence of a form. It is the gap between declared control and operated control, a distinction that also appears in her book A Ilusao da Conformidade, translated as The Illusion of Compliance.


Why FMEA fails before the first score

FMEA fails early when the team treats failure modes as labels rather than causal descriptions. "Guard fails" is not enough. The useful version asks how the guard fails, under which task condition, who is exposed, what energy reaches the person, and which control would interrupt that path before injury occurs.

IEC 60812, the international standard associated with FMEA and FMECA methods, frames the technique around failure modes, effects, causes, and criticality. That structure matters because the method is not a scoring game. It is a disciplined way to make failure visible before the organization accepts risk.

In safety work, the weakness appears when the team borrows a reliability method from engineering and then compresses it into a meeting where everyone wants a number by noon. The result may satisfy the project file, although the field team still lacks a control it can recognize, maintain, and challenge.

1. Blind spot one: writing failure modes too broadly

A broad failure mode gives the group a false sense of agreement. "Operator error," "equipment failure," and "procedure not followed" sound familiar, but they do not say what can fail in a way that allows prevention. The broader the phrase, the easier it becomes to assign generic training as the action.

James Reason's work on organizational accidents is useful here because it separates active errors from latent conditions that sit upstream in design, supervision, maintenance, and management choices. An FMEA that records only the visible error misses the conditions whose correction would reduce recurrence.

For an EHS manager, the practical test is whether the failure mode can be observed or tested. "Worker bypasses interlock to clear jam" is stronger than "unsafe act" because it names the task, the control, the behavior, and the exposure. It also forces the team to ask why the jam exists, how often it happens, and whether production pressure makes the bypass predictable.

Teams should rewrite any failure mode that could fit 20 different events. If the sentence does not identify the energy source, task condition, affected control, and exposed person, it is not ready for scoring.

2. Blind spot two: downgrading severity because a safeguard exists

Severity should describe the credible consequence if the failure reaches the person, not the consequence after everyone assumes the control works perfectly. When teams lower severity because a guard, alarm, permit, or PPE requirement exists, they blur consequence with control confidence.

This blind spot matters most for SIF exposure. A fall from height, uncontrolled release of energy, vehicle strike, chemical exposure, or confined-space atmosphere does not become minor because the procedure says the safeguard is present. The safeguard may reduce likelihood or improve detection, but it should not erase the consequence that would occur if the safeguard fails.

As Andreza Araujo argues in Safety Culture: From Theory to Practice, culture appears in repeated decisions, including the decision to look directly at serious risk rather than polish indicators. FMEA should protect that discipline by keeping high-severity scenarios visible until control verification proves that exposure is credibly reduced.

A simple rule helps: score severity before crediting the control, then document which control changes occurrence or detection. If the same safeguard is used to lower every dimension, the worksheet is probably double-counting protection.

3. Blind spot three: confusing detection with prevention

Detection does not prevent harm by itself. An alarm, inspection, checklist, or operator observation may reveal a weak condition, but prevention depends on whether someone can act in time, with authority, resources, and a control that interrupts the hazard path.

Many FMEA sessions overvalue detection because it is easier to add an inspection than to redesign a process. The worksheet then shows improvement because the detection score changes, while the physical exposure remains almost identical. That pattern is especially weak when the time between detection and harm is short.

In a machine intervention, for example, a visual check before restart may detect a person in the hazard zone only if lighting, line of sight, noise, and supervision all cooperate. A fixed interlock, energy isolation, or physical exclusion system creates a different quality of control because it does not depend on perfect attention at the exact moment of exposure.

EHS managers should ask one question after every detection control: what prevents the event if detection is late, ignored, or unavailable? If the answer is another human check, the team has not yet built a strong prevention layer.

4. Blind spot four: hiding contractor and maintenance conditions

FMEA often describes the normal operating process but ignores the maintenance, cleaning, changeover, and contractor conditions where exposure is sharper. That omission creates a clean analysis of the easiest version of the work, while the riskiest version happens outside the table.

This is where field interviews matter. Operators can tell the team where jams occur, mechanics can describe awkward isolation points, and contractors can explain which drawings or permits do not match the job. Without that input, the analysis stays loyal to the procedure rather than the work.

Andreza Araujo's experience in more than 250 cultural-transformation projects shows a recurring pattern: leaders believe a system is understood because the procedure is available, while frontline teams have already created workarounds to survive production, access, staffing, or time pressure. FMEA can surface those workarounds only if the workshop includes the people who know them.

The fix is to add a task-condition column before scoring. Separate normal operation, startup, shutdown, cleaning, maintenance, emergency response, and contractor intervention, because each condition may create a different failure mode and a different control need.

5. Blind spot five: letting RPN arithmetic outrank consequence

Risk priority number can be useful for sorting actions, but it becomes misleading when a moderate number hides a severe credible outcome. A failure mode with catastrophic severity and low estimated occurrence may rank below a frequent minor defect, although the organization would never accept both decisions with the same urgency.

ISO 31000:2018 describes risk management as a process that includes identifying, analyzing, evaluating, treating, monitoring, and communicating risk. That sequence includes judgment. It does not require leaders to surrender high-consequence decisions to multiplication.

The trap is easy to see in serious injury and fatality prevention. A rare crane failure, isolation bypass, gas-test miss, or vehicle-pedestrian interface can produce an outcome that demands escalation even if the numeric score is not the highest in the file. Arithmetic should not make leaders comfortable with irreversible harm, which is why the risk matrix distortions that hide fatal exposure should be reviewed beside every high-severity FMEA line.

Use RPN as one input, then add a severity override. Any failure mode with fatality or permanent-disability potential should enter a separate review stream where critical controls, ownership, and field verification are mandatory.
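The two rules above (score severity before crediting any control, and route fatality-potential lines into a separate review stream regardless of RPN) are easy to state and easy to lose in a spreadsheet. The block below is an added example written for this page, not a tool from the author or from any FMEA software; the 1-10 scales, the severity threshold of 9, the RPN action limit of 100, and the three worksheet lines are all constructed assumptions. It shows a catastrophic but rare failure mode that a pure RPN rule would leave below the action line, and flags a line where the same safeguard was credited against severity, occurrence, and detection at once.

```python
from dataclasses import dataclass, field

# Scales assumed for this example: 1-10 for severity, occurrence and detection
# (10 = worst), as on common FMEA worksheets. IEC 60812 frames the method but
# does not fix these numbers; both thresholds below are assumptions to adjust.
SIF_SEVERITY_THRESHOLD = 9    # assumed: 9-10 = fatality or permanent disability
RPN_ACTION_THRESHOLD = 100    # assumed worksheet rule: act when RPN >= 100


@dataclass
class FailureMode:
    description: str
    severity: int       # credible consequence if the failure reaches the person
    occurrence: int     # likelihood of the failure mode under the task condition
    detection: int      # 10 = almost no chance of detecting it before harm
    task_condition: str = "normal operation"
    # Which safeguard the team credited when scoring each dimension.
    # Severity should never have an entry: it is scored before crediting controls.
    credited: dict = field(default_factory=dict)

    @property
    def rpn(self) -> int:
        return self.severity * self.occurrence * self.detection


def rank_by_rpn(modes):
    """Plain RPN sort: what a ranking-focused worksheet shows."""
    return sorted(modes, key=lambda m: m.rpn, reverse=True)


def rpn_actions(modes, threshold=RPN_ACTION_THRESHOLD):
    """Failure modes a pure RPN rule would select for action."""
    return [m for m in modes if m.rpn >= threshold]


def severity_override(modes, threshold=SIF_SEVERITY_THRESHOLD):
    """Separate review stream: fatality / permanent-disability potential enters
    it no matter how the multiplication came out."""
    return [m for m in modes if m.severity >= threshold]


def double_counting_flags(mode):
    """Flag a line where one safeguard was credited against more than one
    dimension, or used to lower severity at all."""
    flags = []
    for ctrl in mode.credited.get("severity", []):
        flags.append(f"'{ctrl}' used to lower severity")
    shared = set(mode.credited.get("occurrence", [])) & set(mode.credited.get("detection", []))
    for ctrl in sorted(shared):
        flags.append(f"'{ctrl}' credited for both occurrence and detection")
    return flags


def triage(modes):
    """Put the RPN view, the severity override and the double-counting check
    side by side so the review stream is visible next to the score table."""
    return {
        "rpn_order": [m.description for m in rank_by_rpn(modes)],
        "rpn_actions": [m.description for m in rpn_actions(modes)],
        "severity_stream": [m.description for m in severity_override(modes)],
        "double_counting": {m.description: f for m in modes if (f := double_counting_flags(m))},
    }


# Constructed sample worksheet lines (illustrative, not field data).
SAMPLE = [
    FailureMode(
        "Mechanic reaches past light curtain to clear jam on case packer",
        severity=10, occurrence=2, detection=4, task_condition="changeover",
        credited={"severity": ["light curtain"], "occurrence": ["light curtain"],
                  "detection": ["light curtain"]},
    ),
    FailureMode(
        "Label misalignment causes rework at end of line",
        severity=2, occurrence=9, detection=7,
        credited={"detection": ["vision system"]},
    ),
    FailureMode(
        "Forklift strikes pedestrian at dock door during shift change",
        severity=9, occurrence=4, detection=5, task_condition="shift change",
        credited={"occurrence": ["pedestrian exclusion zone"], "detection": ["beacon and horn"]},
    ),
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

With these numbers the light-curtain bypass scores RPN 80, below the label rework at 126 and below the assumed action limit, so a ranking-only worksheet would not act on it; the severity stream picks it up anyway, and the double-counting check reports that the same light curtain was used to lower all three scores.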

6. Blind spot six: treating administrative controls as equal to engineering controls

A procedure, sign, training record, or toolbox talk is not equal to an engineering control that removes exposure or makes the hazardous state difficult to reach. FMEA loses power when every action looks equivalent because the table only says "control implemented."

The hierarchy of controls exists precisely because controls differ in strength. Elimination, substitution, and engineering controls change the system around the worker, while administrative controls and PPE often depend on memory, attention, supervision, and behavior under pressure.

During Andreza Araujo's tenure in multinational operations, including the PepsiCo South America period where the accident ratio dropped 50% in six months according to her public professional profile, the practical lesson was that leadership attention has to move from recorded intent to operated discipline. In FMEA language, that means action closure must ask what changed physically or organizationally, not only what was communicated.

The table below gives a sharper way to challenge control quality.

Weak FMEA action | Stronger control question | Better evidence
--- | --- | ---
Retrain operators | Why did the task allow unsafe execution? | Design change, task simplification, or verified competence check
Add warning sign | Can the person still enter the hazard path? | Guarding, interlock, exclusion, or access control
Inspect more often | What happens between inspections? | Condition monitoring, automatic shutdown, or maintenance trigger
Update procedure | Will the field condition match the procedure? | Observation, supervisor verification, and action closure evidence

7. Blind spot seven: assigning actions without risk ownership

An FMEA action without a risk owner becomes a line in a spreadsheet. The owner should have authority to change the control, secure resources, and verify field implementation. If the owner can only send reminders, the failure mode has not been governed.

This blind spot appears when EHS receives every action by default. EHS can coordinate risk management, but it cannot own engineering design, maintenance priorities, procurement rules, or production staffing alone. The right owner is the role that controls the decision creating or reducing the exposure.

For high-consequence failure modes, owner selection should be based on consequence and control type. Engineering owns design changes, maintenance owns reliability tasks, operations owns supervision and execution discipline, procurement owns supplier requirements, and senior leadership owns risk acceptance when budget or shutdown time is the barrier. The same governance question appears in the risk owner critical-control plan, because weak ownership leaves critical exposure unmanaged.

The FMEA record should show owner, decision authority, due date, verification method, and escalation trigger. Without those fields, action closure can become polite administration rather than risk reduction.

8. Blind spot eight: skipping field verification after closure

Action closure is not the same as control effectiveness. A purchase order, training roster, revised procedure, or completed maintenance ticket proves that something happened. It does not prove that the failure mode is now less likely in the field.

This is why FMEA should connect to critical control verification. If the action claims to reduce a severe failure mode, the team should verify whether the control is available, understood, used correctly, and still effective after normal operating pressure returns.

Andreza Araujo's book Safety Culture Diagnosis: Learn how to do your own is relevant because diagnosis asks whether the organization can see the gap between declared systems and daily execution. FMEA needs the same habit. The question is not only whether the spreadsheet changed, but whether the work changed.

A practical verification rhythm is 30 to 60 days for high-consequence actions. The reviewer should observe the task, interview the exposed worker, check maintenance or inspection evidence, and confirm that supervisors know the escalation rule when the control is missing.
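Blind spots six, seven, and eight describe three checks that can be run over an FMEA action file: whether each record carries the governance fields named above, whether a high-severity line still rests on an administrative or PPE control only, and whether a closed action has field verification inside the 30 to 60 day window. The block below is an added example written for this page, not the author's tool or any vendor's; the field names, the 60-day window, the control-type labels, the reference date, and the three records are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Governance fields the text says every high-consequence action record needs.
REQUIRED_FIELDS = ("owner", "decision_authority", "due_date",
                   "verification_method", "escalation_trigger")
VERIFICATION_WINDOW_DAYS = 60   # assumed: upper end of the 30-60 day rhythm
HIGH_SEVERITY = 9               # assumed: 9-10 on a 1-10 severity scale
# Assumed control-type labels; only these three change the system around the worker.
STRONG_CONTROL_TYPES = {"elimination", "substitution", "engineering"}


@dataclass
class ActionRecord:
    failure_mode: str
    severity: int
    control_type: str                      # elimination / substitution / engineering / administrative / ppe
    closed: bool = False
    last_field_verification: Optional[date] = None
    fields: dict = field(default_factory=dict)   # governance fields copied from the worksheet


def audit_record(rec, today):
    """Return the governance gaps for one action record (empty list = passes)."""
    gaps = []
    missing = [f for f in REQUIRED_FIELDS if not rec.fields.get(f)]
    if missing:
        gaps.append("missing fields: " + ", ".join(missing))
    if rec.severity >= HIGH_SEVERITY and rec.control_type not in STRONG_CONTROL_TYPES:
        gaps.append(f"high-severity mode relies on {rec.control_type} control only")
    if rec.closed:
        # Closure proves something happened; only field verification shows the
        # exposure changed, and it goes stale once normal pressure returns.
        if rec.last_field_verification is None:
            gaps.append("closed without field verification")
        elif (today - rec.last_field_verification).days > VERIFICATION_WINDOW_DAYS:
            gaps.append(f"field verification older than {VERIFICATION_WINDOW_DAYS} days")
    return gaps


def audit(records, today):
    """Map each failure mode with gaps to its gap list; clean records are omitted."""
    return {r.failure_mode: g for r in records if (g := audit_record(r, today))}


FULL = dict(owner="Maintenance manager", decision_authority="Plant engineering lead",
            due_date="2024-05-15", verification_method="Task observation plus LOTO audit",
            escalation_trigger="Control missing at any shift handover")
TODAY = date(2024, 6, 30)   # constructed reference date

# Constructed sample records (illustrative, not field data).
RECORDS = [
    ActionRecord("Isolation bypass on mixer during cleaning", severity=10,
                 control_type="engineering", closed=True,
                 last_field_verification=date(2024, 6, 10), fields=FULL),
    ActionRecord("Fall from unprotected mezzanine edge during maintenance", severity=10,
                 control_type="administrative", closed=True,
                 last_field_verification=date(2024, 3, 1),
                 fields={**FULL, "escalation_trigger": ""}),
    ActionRecord("Minor cut from packaging blade", severity=3,
                 control_type="ppe", closed=True,
                 fields={"owner": "Line supervisor"}),
]

if __name__ == "__main__":
    for mode, gaps in audit(RECORDS, TODAY).items():
        print(mode)
        for g in gaps:
            print("  -", g)
```

The mixer record passes every check; the mezzanine record is the one an EHS manager should worry about, because it is closed, high severity, administrative only, missing its escalation trigger, and last verified 121 days ago.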

9. Blind spot nine: leaving FMEA disconnected from change management

FMEA becomes stale when management of change does not trigger a review. New equipment, staffing changes, supplier substitutions, software updates, production targets, and maintenance deferrals can all create failure modes that were not credible when the original analysis was written.

The danger is not only technical. A control can degrade because the organization changes around it. A new contractor may not understand a permit dependency, a leaner crew may skip a second-person check, or a production increase may turn a rare intervention into a weekly exposure.

Link FMEA to change triggers, including process redesign, new materials, new vendors, critical equipment modification, incident learning, repeated near misses, and overdue maintenance on safeguards. When those triggers occur, the team should review the affected failure modes rather than wait for the next annual cycle.

In Make The Difference: Be a Leader in Health & Safety, Andreza Araujo emphasizes leadership routines that keep safety present in operational decisions. FMEA belongs inside that routine because every meaningful change tests whether old controls still match new work.

FMEA that ranks risk vs FMEA that changes controls

The difference between weak and useful FMEA is not the software, template, or color scale. It is whether the organization uses the method to make control decisions visible before exposure becomes an incident.

Dimension | Ranking-focused FMEA | Control-focused FMEA
--- | --- | ---
Failure mode | Broad labels such as equipment failure | Specific task, energy, exposure, and control dependency
Severity | Lowered because safeguards are assumed | Kept visible until safeguards are verified
Detection | Treated as if it prevents the event | Tested for time, authority, and response capability
Actions | Generic training and procedure updates | Stronger controls, named owners, and escalation rules
Closure | Spreadsheet updated | Field verification confirms changed exposure

Each month that FMEA stays disconnected from field verification, the organization accumulates confident scores around controls that may not survive real work.

What EHS managers should do next

EHS managers should start with the 10 highest-severity failure modes in the current FMEA file and audit them against 4 questions: is the failure mode specific, is severity protected from false downgrades, is the control strong enough, and has the field evidence been checked within the last 60 days?

That first review does not require a full rebuild. It requires discipline around the few failure modes that could cause fatality, permanent disability, major release, or serious operational loss. Because those events are rare, they are also easier to hide behind low occurrence scores and clean dashboards. When uncertainty is broader than one failure mode, pair FMEA with a 60-minute What-If field review before the team accepts the control set.

If your organization needs to turn FMEA from a scoring exercise into a control-verification rhythm, Andreza Araujo's team can help connect risk assessment, safety culture, and critical-control governance. Start the conversation through Andreza Araujo.


Frequently asked questions

What is FMEA in safety risk assessment?
FMEA, or Failure Mode and Effects Analysis, is a structured method for asking how a component, task, process, or control can fail, what effect that failure could create, and which actions should reduce the risk. In occupational safety, it works best when connected to field exposure, critical controls, and verification rather than treated only as a scoring worksheet.
When should an EHS manager use FMEA?
An EHS manager should use FMEA when a process has repeatable steps, identifiable failure modes, and controls that can be tested. It fits maintenance routines, machinery, LOTO steps, chemical handling, emergency equipment, and high-risk procedures. It is weaker when uncertainty is broad enough to require HAZOP, Bow-Tie, or a broader scenario review.
What is the biggest mistake in FMEA risk assessment?
The biggest mistake is scoring before describing the failure mode well. If the team has not named the energy, exposure, control dependency, and credible consequence, the risk priority number may look precise while the real hazard path remains vague.
Should FMEA use RPN for safety decisions?
RPN can help prioritize work, but it should not be the only decision rule for safety. High-severity failure modes need escalation even when probability or detection scores make the number look moderate. For SIF-potential scenarios, consequence credibility and control verification matter more than arithmetic convenience.
How do you make FMEA useful after the workshop?
Make every high-consequence action owner-specific, connect it to a control verification date, and review field evidence within 30 to 60 days. The workshop should create decisions that change controls, not only a spreadsheet that stores scores.

About the author

Andreza Araújo

Safety Culture Expert | Senior EHS Executive

Andreza Araújo is a safety culture expert and senior EHS executive with more than 25 years of experience in environment, health and safety. She is a Civil Engineer and Occupational Safety Engineer from Unicamp, holds a Master's degree in Environmental Diplomacy from the University of Geneva, and completed sustainability studies at IMD Switzerland. Andreza has served in Global Head of EHS roles in Fortune 500 environments, leading cultural transformation programs across multinational operations. She has represented Brazil as a speaker at the United Nations in Paris and has spoken at the International Labour Organization in Turin. She is the author of more than 16 books on safety culture in Portuguese, Spanish, English and German. Her work has earned more than 10 EHS awards, including two recognitions from Indra Nooyi, former PepsiCo CEO.

  • Civil & Safety Engineer (Unicamp)
  • M.A. Environmental Diplomacy (University of Geneva)
  • Sustainability Cert (IMD Switzerland)
  • People Management & Coaching (Ohio University)
  • UN Paris speaker representative for Brazil
  • ILO Turin speaker
  • LinkedIn Top Voice
  • Indra Nooyi PepsiCo CEO recognition (2x)
