Category Archives: Safety Analysis
PART 1: DON’T MAKE THIS FATAL MISTAKE
Low-cost electronics modules and “how-to” design guides for hobbyists have made it easy to pop together working prototypes. That’s fine for hobbyists, but if you are planning on selling your creation to the masses, you need to be sure you understand the following:
There is a HUGE difference between a prototype and a production-ready design.
If your prototype design was generated by experienced senior engineers, then they are likely to be aware of the many additional challenges that must be overcome in moving that design into production.
However, if your prototype design was based on cut/paste “reference designs,” pre-packaged modules, or hobbyist schematics, then you may not even be aware that there is a difficult path forward. In fact, you may make this fatal assumption: The prototype works, therefore let’s build a million of them and get rich!
Unfortunately, that fatal assumption will probably not lead you to wealth, but instead will create excruciating anxiety as you watch your new product crash when it exhibits one or more of the following problems:
- intermittent performance
- inexplicable shutdowns
- excessive power drain (e.g. frequent battery replacement or recharging)
- errors or even total failure due to normal variations in power source or environmental factors such as temperature and humidity
- failure to properly operate over the device’s warranty period
- breakage when being normally shipped and handled
- customer frustration due to a poor user interface
- errors when operating near other electronic devices
- other electronic devices malfunctioning when near your device
- failure due to common levels of electrostatic discharge
and this biggie:
- customer injury or death
In future newsletters we’ll provide some tips on how to minimize the risks listed above. In the meantime, if you think that you need some guidance in moving from prototype to production, please contact me. We enjoy helping startup firms achieve their dreams.
Excerpts from “Lithium Battery Shipments On Passenger Planes ‘An Unacceptable Risk,’ Say Aircraft Makers,” by Suman Varandani, 10 March 2015 International Business Times:
“Aircraft makers and pilot unions are calling for a ban on the transport of lithium battery shipments aboard passenger planes following fears of fires that could prove difficult for aircraft fire protection systems to contain. An industry paper obtained by The Associated Press (AP) cited recent tests conducted by the Federal Aviation Administration (FAA) that showed overheating of the batteries could result in explosions.”
“The FAA tests revealed that batteries emit explosive gases when overheated, and that aircraft fire protection systems ‘are unable to suppress or extinguish a fire involving significant quantities of lithium batteries, resulting in reduced time available for safe flight and landing of an aircraft to a diversion airport,’ according to AP. ‘Therefore, continuing to allow the carriage of lithium batteries within today’s transport category aircraft cargo compartments is an unacceptable risk to the air transport industry.'”
Note that charging of the lithium batteries is not required to initiate a fire; a fire can start with the batteries sitting unconnected in their shipping containers. Triggers can include a manufacturing fault (short) in a single battery cell, a short caused by mechanical puncture during rough handling or travel, shorted terminals due to improper packaging, external overheating, or battery gas emissions that can be ignited by electrostatic discharge.
Update 3-21-15: I guess the word is spreading about lithium batteries and aircraft safety. A reader sent in this pix of a warning label that was on his recently purchased lithium batteries:
The cargo fire hypothesized by Canadian pilot Chris Goodfellow to explain the disappearance of Malaysian Flight 370 (see “Malaysian Flight 370: Canadian pilot’s analysis goes viral”) is a reasonable one.
According to Malaysian officials, the plane was carrying 440 pounds of lithium batteries. Lithium batteries, sitting inert (not being charged or discharged), were identified as the cause of the fire and resultant 2010 crash of a UPS 747 flight at Dubai. Ironically, even though “improper storage” in that case was determined to be the cause of the fire, I have never read any explanation of how improper storage can ignite a lithium battery. It appears more likely that lithium batteries, under certain conditions not completely understood (e.g. a combination of battery construction and chemistry, heat, vibration, and/or shock) can spontaneously ignite, albeit very rarely.
In addition to pilot Goodfellow’s comments, an added interesting point is that Flight 370 also gained very high altitude shortly after communications ceased. It could be that the pilots, upon becoming aware of the fire at that time, tried to quickly elevate the plane to quell the fire by starving it of oxygen. This might have been an excellent maneuver for most fires, but lithium batteries, once ignited, create their own oxygen and will continue to burn at high altitude.
Bottom Line: Until the cause of the disappearance of Flight 370 is positively determined, the possibility of a lithium battery fire is a reasonable hypothesis, and worth investigating.
Please see “JAL reports problem with 787 battery on Helsinki-Tokyo flight,” 9 Nov 2013 Reuters, and “Battery Problems on Boeing’s 787 Dreamliner Are Back” by Meghan Foley, 11 Nov 2013 WallStCheatSheet
As mentioned previously (e.g., “Boeing’s Fix for its Flaming Lithium Batteries: Is There A Fatal Flaw?”), until Boeing digs down to the root cause of their lithium battery problems, they — and those who fly on the Dreamliner — will continue to be exposed to undefined risk.
(Note: Boeing provided a report, “Certification of 787 Battery Solution,” back in April, which lists “improvements” and “enhancements,” but makes no mention of a root cause.)
(Photo from “Oklahoma Jury Finds Toyota Liable For Sudden Acceleration Fault; Awards $3M In Damages,” by Arjun Kashyap, 25 Oct 2013)
Back in 2009 this newsletter started to express skepticism about Toyota’s insistence that unintended acceleration in their vehicles — in some cases resulting in fatalities — was due to a floor mat that could cause the accelerator pedal to stick. (Those earlier posts are listed at the bottom of this post.)
The reasons for the skepticism were (a) the number of reported cases was relatively high compared to non-Toyota models, (b) there was at least one case where it was clear that a stuck pedal could not be the cause, and (c) the investigation by the National Highway Traffic Safety Administration (NHTSA) appeared to have some major flaws. Also, DACI’s own experience in investigating several low-probability events has convinced us that customers who report such problems tend to be dismissed too easily, rather than being given the respectful assumption that they are honest and observant and are reporting the problems carefully; in this case, the sudden acceleration stories related by some Toyota owners were not consistent with the floor mat hypothesis. Finally, it didn’t help Toyota’s credibility when Toyota employees were caught congratulating themselves on how they had slowed and limited the accident investigation.
Despite the above reservations, the official report by the NHTSA was that the root cause was the floor mat. Well, after several years it turns out that a detailed analysis of the electronics, as brought out during a recent trial, has confirmed that it was not just the floor mat. Key trial results are detailed in “Toyota Case: Vehicle Testing Confirms Fatal Flaws,” by Junko Yoshida in the 31 October 2013 EETimes. Here’s an excerpted summary of the problems identified:
- Software bugs that specifically can cause memory corruption
- Unmaintainable code complexity in Toyota’s software
- A multifunction kitchen-sink Task X designed to execute everything from throttle control to cruise control and many of the fail-safes
- That all Task X functions, including fail-safes, are designed to run on the main CPU in the Camry’s electronic control module
- That the brake override that is supposed to save the day when there is an unintended acceleration is also in Task X
- The use of an operating system in which there is no protection against hardware or software faults
- A number of other problems
The deficiencies in the throttle design are shocking, because good rules exist for the design of safety-critical electronics (e.g., Chapter 4, “Safety Analyses,” in The Design Analysis Handbook).
The Toyota case makes one wonder how many other possibly-catastrophic flaws are lurking within the cars we drive, or in other electronics-guided machinery, due to poorly-designed safety-related systems.
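The following C model is an added illustration for this post; it is not Toyota’s code, not material from the trial, and not from the Design Analysis Handbook. It shows in miniature why the items above go together: when the brake override lives in the same task and memory block as the throttle logic, a single memory-corruption bug in the throttle code can silently disarm the fail-safe; an independent output monitor that keeps its own state, stores the override flag with its bitwise complement, and falls to the safe side when the mirror check fails keeps the brake effective under the same fault. The RAM layout, calibration values, and “bad blob” are all constructed for the demo, and the overrun is deliberately confined to the task’s own array so the C stays well-defined.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed demonstration (not Toyota's code or data): a fail-safe that shares
 * a task and its memory with the function it guards can be silently disabled by
 * a memory-corruption bug; an independent, integrity-checked monitor survives it. */

/* ---- Monolithic "Task X": throttle logic and brake override in one RAM block ---- */
enum { PEDAL_TABLE_LEN = 8, TASKX_RAM_LEN = 10 };
enum { OFF_PEDAL_TABLE = 0, OFF_THROTTLE_CMD = 8, OFF_BRAKE_OVERRIDE = 9 };

typedef struct { uint8_t ram[TASKX_RAM_LEN]; } taskx_t;

/* Pedal position -> throttle command, 8 calibration points (constructed values). */
static const uint8_t PEDAL_TABLE[PEDAL_TABLE_LEN] = { 0, 14, 28, 42, 56, 70, 84, 98 };

static void taskx_init(taskx_t *t)
{
    memset(t, 0, sizeof *t);
    memcpy(&t->ram[OFF_PEDAL_TABLE], PEDAL_TABLE, PEDAL_TABLE_LEN);
    t->ram[OFF_BRAKE_OVERRIDE] = 1;                /* fail-safe armed */
}

/* Calibration reload with a length bug: len bytes are copied where only
 * PEDAL_TABLE_LEN belong. The overrun is kept inside ram[] (well-defined C for
 * the demo) but overwrites whatever follows the table, including the fail-safe flag. */
static void taskx_reload_table(taskx_t *t, const uint8_t *src, size_t len)
{
    if (len > TASKX_RAM_LEN) len = TASKX_RAM_LEN;  /* confine the demo to the array */
    memcpy(&t->ram[OFF_PEDAL_TABLE], src, len);
}

/* Task X computes the throttle and applies its own brake override. */
static uint8_t taskx_throttle(taskx_t *t, uint8_t pedal, bool brake_pressed)
{
    t->ram[OFF_THROTTLE_CMD] = t->ram[OFF_PEDAL_TABLE + (pedal % PEDAL_TABLE_LEN)];
    if (brake_pressed && t->ram[OFF_BRAKE_OVERRIDE] != 0)
        return 0;                                  /* brake wins only if the flag survived */
    return t->ram[OFF_THROTTLE_CMD];
}

/* ---- Partitioned design: independent override monitor with mirrored state ---- */
typedef struct {
    uint8_t override_enabled;       /* stored as the value ... */
    uint8_t override_enabled_inv;   /* ... and its bitwise complement, checked on every use */
} monitor_t;

static void monitor_init(monitor_t *m)
{
    m->override_enabled = 1;
    m->override_enabled_inv = (uint8_t)~1u;
}

/* Final output stage. If the monitor's own state fails its mirror check, it does
 * not trust the flag: it defaults to override-on, the fail-safe direction. */
static uint8_t monitor_limit(const monitor_t *m, uint8_t requested, bool brake_pressed)
{
    bool state_ok = (uint8_t)(m->override_enabled ^ m->override_enabled_inv) == 0xFFu;
    bool override = !state_ok || m->override_enabled != 0;
    return (brake_pressed && override) ? 0 : requested;
}

/* ---- Scenarios: brake pressed, pedal at the top of the table, bug triggered ---- */
/* Constructed "bad calibration blob": the 8 correct points plus two stray zero bytes. */
static const uint8_t BAD_BLOB[10] = { 0, 14, 28, 42, 56, 70, 84, 98, 0, 0 };

/* Monolithic: the overrun clears ram[OFF_BRAKE_OVERRIDE]; the brake no longer wins. */
uint8_t scenario_monolithic(void)
{
    taskx_t t; taskx_init(&t);
    taskx_reload_table(&t, BAD_BLOB, sizeof BAD_BLOB);
    return taskx_throttle(&t, 7, true);            /* 98, not 0 */
}

/* Partitioned: same bug in Task X, but the monitor's state lives elsewhere and is intact. */
uint8_t scenario_partitioned(void)
{
    taskx_t t; taskx_init(&t);
    monitor_t m; monitor_init(&m);
    taskx_reload_table(&t, BAD_BLOB, sizeof BAD_BLOB);
    uint8_t requested = taskx_throttle(&t, 7, true); /* 98 from the corrupted task */
    return monitor_limit(&m, requested, true);      /* 0: the monitor enforces the override */
}

/* Partitioned, monitor itself hit: one copy of the flag is flipped, the mirror
 * check fails, and the monitor falls to the safe side instead of trusting the flag. */
uint8_t scenario_monitor_corrupted(void)
{
    monitor_t m; monitor_init(&m);
    m.override_enabled = 0;                        /* complement untouched -> mismatch */
    return monitor_limit(&m, 98, true);            /* 0 */
}

/* Healthy case, brake released: the monitor passes the request through unchanged. */
uint8_t scenario_no_brake(void)
{
    monitor_t m; monitor_init(&m);
    return monitor_limit(&m, 98, false);           /* 98 */
}

int main(void)
{
    printf("monolithic Task X, corruption  : throttle=%u\n", scenario_monolithic());
    printf("partitioned monitor, same bug  : throttle=%u\n", scenario_partitioned());
    printf("monitor state itself corrupted : throttle=%u\n", scenario_monitor_corrupted());
    return 0;
}
```

The point of the mirrored flag is not that it makes corruption impossible, but that it makes corruption detectable, and that the detected state maps to the safe action. In a real design the monitor would also run on a separate core or behind memory protection so that the throttle task cannot reach its state at all; the model above only shows the logical separation.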
Prior Toyota Unintended Acceleration Posts:
- 3 Feb 2010: Stop Driving Recalled Toyotas
- 21 Feb 2010: Toyota Joins The Gallery Of Shame