Category Archives: Risk Assessment
Van Brollini’s new book is an essential addition to the test engineer’s library, as well as the library of any product manager.
The Handbook contains practical advice that is based on Mr. Brollini’s extensive experience with test development, including unique insights that I have not seen elsewhere, insights that will provide the test engineer with a quantum leap in productivity.
The test engineer will also appreciate the fact that Brollini’s methods — clearly presented as a series of rules, tips, and straightforward equations — are practical and cost-effective, illustrated by real-world examples throughout.
The Handbook’s teachings can be applied with basic math and spreadsheet tools, although Brollini does recommend Design Master™ for best efficiency, particularly for more advanced applications.
(I have known Van for many years, as he was one of the first engineers to adopt our Design Master software. From time to time he has offered suggestions for improvements, which were incorporated into the software.)
The Test Engineer’s Measurement Handbook is available through the DACI website.
Excerpts from “Lithium Battery Shipments On Passenger Planes ‘An Unacceptable Risk,’ Say Aircraft Makers,” by Suman Varandani, 10 March 2015 International Business Times:
“Aircraft makers and pilot unions are calling for a ban on the transport of lithium battery shipments aboard passenger planes following fears of fires that could prove difficult for aircraft fire protection systems to contain. An industry paper obtained by The Associated Press (AP) cited recent tests conducted by the Federal Aviation Administration (FAA) that showed overheating of the batteries could result in explosions.”
“The FAA tests revealed that batteries emit explosive gases when overheated, and that aircraft fire protection systems ‘are unable to suppress or extinguish a fire involving significant quantities of lithium batteries, resulting in reduced time available for safe flight and landing of an aircraft to a diversion airport,’ according to AP. ‘Therefore, continuing to allow the carriage of lithium batteries within today’s transport category aircraft cargo compartments is an unacceptable risk to the air transport industry.'”
Note that charging of the lithium batteries is not required to initiate a fire; a fire can start with the batteries sitting unconnected in their shipping containers. Triggers can include a manufacturing fault (short) in a single battery cell, a short caused by mechanical puncture during rough handling or travel, shorted terminals due to improper packaging, external overheating, or battery gas emissions that can be ignited by electrostatic discharge.
Update 3-21-15: I guess the word is spreading about lithium batteries and aircraft safety. A reader sent in this pix of a warning label that was on his recently purchased lithium batteries:
Please see “JAL reports problem with 787 battery on Helsinki-Tokyo flight,” 9 Nov 2013 Reuters, and “Battery Problems on Boeing’s 787 Dreamliner Are Back” by Meghan Foley, 11 Nov 2013 WallStCheatSheet.
As mentioned previously (e.g., “Boeing’s Fix for its Flaming Lithium Batteries: Is There A Fatal Flaw?“), until Boeing digs down to the root cause of their lithium battery problems, they — and those who fly on the Dreamliner — will continue to be exposed to undefined risk.
(Note: Boeing provided a report, “Certification of 787 Battery Solution,” back in April, which lists “improvements” and “enhancements,” but makes no mention of a root cause.)
(Photo from “Oklahoma Jury Finds Toyota Liable For Sudden Acceleration Fault; Awards $3M In Damages,” by Arjun Kashyap, 25 Oct 2013)
Back in 2009 this newsletter started to express skepticism about Toyota’s insistence that unintended acceleration in their vehicles — in some cases resulting in fatalities — was due to a floor mat that could cause the accelerator pedal to stick. (Those earlier posts are listed at the bottom of this post.)
The reasons for the skepticism were (a) the number of reported cases was relatively high compared to non-Toyota models, (b) there was at least one case in which a stuck pedal clearly could not have been the cause, and (c) the investigation by the National Highway Traffic Safety Administration (NHTSA) appeared to have some major flaws. Also, DACI’s own experience investigating several low-probability events has convinced us that customers who report such problems tend to be dismissed too easily, rather than being given the respectful assumption that they are honest and observant and are reporting the problems carefully; and the sudden acceleration stories related by some Toyota owners were not consistent with the floor mat hypothesis. Finally, it didn’t help Toyota’s credibility when Toyota employees were caught congratulating themselves on how they had slowed and limited the accident investigation.
Despite the above reservations, the official report by the NHTSA was that the root cause was the floor mat. Well, after several years it turns out that a detailed analysis of the electronics, as brought out during a recent trial, has confirmed that it was not just the floor mat. Key trial results are detailed in “Toyota Case: Vehicle Testing Confirms Fatal Flaws,” by Junko Yoshida in the 31 October 2013 EETimes. Here’s an excerpted summary of the problems identified:
• Software bugs that specifically can cause memory corruption
• Unmaintainable code complexity in Toyota’s software
• A multifunction kitchen-sink Task X designed to execute everything from throttle control to cruise control and many of the fail-safes
• That all Task X functions, including fail-safes, are designed to run on the main CPU in the Camry’s electronic control module
• That the brake override that is supposed to save the day when there is an unintended acceleration is also in Task X
• The use of an operating system in which there is no protection against hardware or software faults
• A number of other problems
The deficiencies in the throttle design are shocking, because good rules exist for the design of safety-critical electronics (e.g., Chapter 4, “Safety Analyses,” in The Design Analysis Handbook).
The Toyota case makes one wonder how many other possibly-catastrophic flaws are lurking within the cars we drive, or in other electronics-guided machinery, due to poorly-designed safety-related systems.
Prior Toyota Unintended Acceleration Posts:
3 Feb 2010
Stop Driving Recalled Toyotas
21 Feb 2010
Toyota Joins The Gallery Of Shame
A Tesla Model S electric vehicle, which uses lithium batteries, burst into flames after supposedly running over a road obstruction. The state trooper who investigated the event did not find evidence of an obstruction.
The car’s battery pack is located in the floor, so it is possible that an obstruction ruptured the pack. But without confirmation, it is also possible that the battery pack erupted in flames due to an internal defect, similar to the Boeing incidents. Low-probability incidents by their very nature occur rarely, but when they do occur they can be deadly when associated with a high-energy storage system such as a battery pack.
Photo above from the USA Today report: http://www.usatoday.com/story/money/cars/2013/10/02/tesla-fire-stock-falls-analyst-downgrade/2911345/
MicroViews: Electric Vehicles Are Not Greener and Cleaner / Dreamliner Batteries Still Misbehaving? / Robot Boogie Time
Recommended Reading: “Unclean at Any Speed“
“Electric cars don’t solve the automobile’s environmental problems,” by Ozzie Zehner, 30 June 2013 IEEE Spectrum. A standout example of scientific journalism. Mr. Zehner provides a remarkably thorough and balanced review of the overall relative pollution impact of electric vehicles.
Is The Boeing Dreamliner Lithium Battery Issue Really Solved?
From “Technical glitches delay two Dreamliner flights from Poland,” 4 July 2013, Reuters:
“A flight from Warsaw to Chicago that was scheduled to fly on Wednesday was canceled because the aircraft had “problems with the power supply…” “The spokeswoman would not say if the latest technical problems were related to over-heating batteries which forced the grounding of all Dreamliners for over three months.”
The Robots Are Coming! The Robots Are Coming!
And wow, can they dance!
“Boeing’s fix includes more insulation between each of the eight cells in the batteries. The batteries will also be encased in a new steel box designed to contain any fire and vent possible smoke or hazardous gases out of the planes.
“…both the F.A.A. administrator, Michael P. Huerta, and Transportation Secretary Ray LaHood said they were satisfied that the proposed changes would eliminate concerns that the plane’s two lithium-ion batteries could erupt in smoke or fire.”
-“F.A.A. Endorses Boeing Remedy for 787 Battery” by C. Drew and J. Mouawad, 19 April 2013 New York Times
Conspicuously absent from this pronouncement is a definitive identification of the root cause of the lithium battery fires. Therefore Boeing, the FAA, and the Department of Transportation are all guessing that the stated modifications will fix the problem. I hope they are correct. But if they are, it will be a matter of luck, not engineering diligence. The dissembling of the FAA and the Department of Transportation is clearly evident in their own words: they say that they are “…satisfied that the proposed changes would eliminate concerns that the plane’s two lithium-ion batteries could erupt in smoke or fire.” If they are so satisfied, then why is it necessary to have a steel box to contain a fire? If they are so satisfied, then why did they not provide the evidence that supports their conclusions?
Also, Boeing and these government agencies have touted a few test flights as being of particular significance in proving the safety of the batteries. This is nonsense. The battery fires are low-probability events, occurring only once in thousands of hours of operation. This implies that there are subtle variables in the battery construction, chemistry, and/or operation which, when combined worst case, will cause the batteries to overheat. This combination may occur in only a small number of manufactured batteries, and fires may occur only when those particular batteries are exposed to a worst-case combination of stresses (temperature, charge currents, etc.).
Therefore a handful of test flights, of a few dozen hours or so total, is not nearly sufficient to empirically identify a low-probability event. The identification of such an event would require hundreds or even thousands of test flights, which is obviously not practical. Therefore the only alternative is an investigation that drills down and positively identifies the true underlying failure mechanism (as recommended here: “Flying the Flaming Skies: Should You Trust the Boeing Dreamliner?“). It is my opinion that this has not been done, because if it had, this knowledge would be trumpeted by Boeing.
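The arithmetic behind the “handful of test flights” argument can be made explicit. The following is an added worked example, not code from this newsletter, from DACI, from Boeing, or from the FAA. It assumes a constant-rate (Poisson) failure model and uses an illustrative rate of one battery event per 10,000 flight hours; that number is an assumption chosen for the example, not a published figure for the 787. Under those assumptions it computes three things: the probability that a test campaign of a given size would see at least one event, how many hours (and flights) would be needed to see one with 95% probability, and, conversely, the highest failure rate that a clean campaign can actually rule out. The last figure is the one practitioners usually neglect: a short test with zero failures only bounds the rate at roughly 3 events per (hours flown), the so-called “rule of three”.

```python
import math

# ASSUMPTION: constant per-hour failure rate (Poisson model), so the count of
# events in T hours is Poisson(rate * T) and P(zero events) = exp(-rate * T).
# ASSUMPTION: illustrative rate of one event per 10,000 flight hours.
ASSUMED_RATE_PER_HOUR = 1.0 / 10_000


def prob_at_least_one(rate_per_hour, hours):
    """Probability that a campaign of `hours` sees at least one event."""
    return 1.0 - math.exp(-rate_per_hour * hours)


def hours_to_observe(rate_per_hour, confidence=0.95):
    """Flight hours needed so that P(at least one event) reaches `confidence`.

    Solves 1 - exp(-rate * T) = confidence for T.
    """
    return -math.log(1.0 - confidence) / rate_per_hour


def upper_rate_bound(hours_without_failure, confidence=0.95):
    """One-sided upper bound on the rate consistent with zero events in T hours.

    If the true rate were higher than this, a clean campaign of T hours would
    have been observed with probability below (1 - confidence). At 95% this is
    about 3 / T, the familiar "rule of three".
    """
    return -math.log(1.0 - confidence) / hours_without_failure


def campaign_summary(rate_per_hour, flights, hours_per_flight, confidence=0.95):
    """Summarise what a test campaign of `flights` x `hours_per_flight` can show."""
    hours = flights * hours_per_flight
    needed_hours = hours_to_observe(rate_per_hour, confidence)
    return {
        "hours_flown": hours,
        # chance this campaign would have caught the assumed-rate fault at all
        "p_observe_event": prob_at_least_one(rate_per_hour, hours),
        # size of campaign that would catch it with the requested confidence
        "hours_needed": needed_hours,
        "flights_needed": math.ceil(needed_hours / hours_per_flight),
        # if the campaign is clean, this is the worst rate it fails to exclude
        "rate_not_excluded_if_clean": upper_rate_bound(hours, confidence),
    }


if __name__ == "__main__":
    # Constructed scenario: six test flights of six hours each (36 hours total).
    s = campaign_summary(ASSUMED_RATE_PER_HOUR, flights=6, hours_per_flight=6)
    print(f"hours flown:               {s['hours_flown']}")
    print(f"P(see >= 1 event):         {s['p_observe_event']:.4f}")
    print(f"hours needed for 95%:      {s['hours_needed']:.0f}")
    print(f"flights needed (6 h each): {s['flights_needed']}")
    print("if clean, cannot exclude a rate of 1 event per "
          f"{1.0 / s['rate_not_excluded_if_clean']:.1f} hours")
```

With the assumed rate, 36 hours of test flying has well under a 1% chance of reproducing the fault, roughly 30,000 hours (about 5,000 six-hour flights) would be needed for a 95% chance, and a clean 36-hour campaign cannot even exclude a rate of one event every dozen hours. The numbers change with the assumed rate, but the shape of the conclusion does not: empirical flight testing cannot substitute for identifying the failure mechanism.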
I’m not flying the Boeing Dreamliner until I see the evidence that supports the optimistic conclusions of Boeing, the FAA, and the Department of Transportation.
“The unfortunate reality is that lithium-ion batteries were not ready for prime time four years ago and they’re not ready for prime time today.”
-from “Are EV Dreams Going Up In Smoke?” by John Petersen, 28 Mar 2013, Seeking Alpha
Despite claims that lithium battery technology is improving, lithium batteries continue to catch on fire. See the article above for some recent Mitsubishi examples.
The continued widespread use of a product that poses a serious and thus far unresolved safety hazard is apparently based on the unfortunate business practice of balancing the cost of jury awards against the competitive advantage of using a dangerous product (lithium batteries store more energy per unit size and weight than much safer types). Is there a CEO out there who is willing to forfeit some profits by discontinuing the use of lithium batteries? If so, please speak up.
Michael Sinnett, Boeing’s chief project engineer, said in a recent briefing that “Boeing is redesigning its batteries to ensure a fire isn’t possible. Among the new features will be a fire-resistant stainless steel case that will prevent oxygen from reaching the cells so fire can’t erupt.” (from “NTSB Contradicts Boeing Claim of No Fire in 787 Battery,” by Alan Levin , 15 Mar 2013 Bloomberg).
The problem with that statement is that once a lithium battery is heated sufficiently, it releases its own oxygen to fuel continued burning/explosion. That’s why lithium fires are extremely difficult to extinguish, and why an outer case, although it may keep a fire from spreading, will not prevent a fire from erupting.
“Boeing Co. is confident that proposed changes to the 787 Dreamliner will provide a permanent solution to battery problems that grounded its newest jet, a senior executive said Monday.” –Reuters, 11 March 2013
The reported changes include “adding ceramic insulation between the cells of the battery and a stronger stainless steel box with a venting tube to contain a fire and expel fumes from the aircraft.” –Reuters, Alwyn Scott and Tim Hepher and Peter Henderson, 5 Mar 2013
Why is Boeing confident? This is a mystery because, based on available published data, it does not appear that Boeing has positively determined the root cause of the battery fires. Furthermore, as for all safety-critical applications, the certainty of the cause should be determined beyond a reasonable doubt. This stringent requirement would be certified by a panel of independent experts of unquestioned expertise and integrity, who have no financial interest in the outcome of their review.
Without positive identification of the root cause, Boeing may be indulging in a logical fallacy that I have seen employed before, with very bad results. The fallacy is in trying to fix what is assumed to be the problem (e.g. inadequate thermal insulation between battery cells). But what if the assumption is wrong? If so, the “fix” could be ineffective, or even make things worse. For example, improving cell insulation will trap more heat within the cells, raising the cell temperature. If the true root cause is related to higher cell temperature, the added insulation could make cell failure more likely, not less.
There are many other troubling scenarios that can be hypothesized, and the only way to disprove them is to dig in and find the true root cause, beyond a reasonable doubt (including rigorous validation as discussed here: “Flying the Flaming Skies: Should You Trust the Boeing Dreamliner?“)
P.S. A good review of the genesis of the Boeing battery problem can be found here: “NTSB report shows Boeing’s battery analysis fell short,” Dominic Gates, Seattle Times