RAISING THE LIMIT: THE DESIGN OR THE DESIGNER? · RAISING THE LIMIT: THE DESIGN OR THE DESIGNER?...

RAISING THE LIMIT:

THE DESIGN OR

THE DESIGNER?

Stephen Norton

Global Competence Center Functional Safety

SGS-TÜV Saar

© 2011 SGS-TÜV GmbH – All rights reserved 2 www.sgs-tuv-saar.com/fs

AGENDA

1. 12 month Review of Safety

2. The disconnect between the Designer

and the Operator

3. Improving Safety Culture

4. Conclusions – The future

Functional Safety - Raising the Limit: The Design or the Designer?


AGENDA


Airline Industry

• Tu-154 power loss

• Crash Recorder Data from AF447

Automotive Industry

• NASA engineers found no electronic flaws

• Recalls: ECU software & Cruise Control

Rail Industry

• Shanghai Subway Crash September 2011


and the Operator





TU-154 POWER LOSS

Tu-154 crew battled power loss after

switching off fuel pump

Fuel-flow fluctuations in all 3 engines

Flame-out in engines 1 & 3

The crew did not identify the mistake

Thrust was not restored in engines 1 & 3

Emergency landing overrun led to break-up

2 fatalities and 78 injured

Similar errors have occurred in the past

Is the design robust to human failure?

What can we learn from this incident?


Sources: aviation-safety.net/database/record.php?id=20101204-0

Source: © Pavel Adzhigildaev www.airliners.net/photo/South-East-Airlines/Tupolev-Tu-154M/1644319/L/


AF447 CRASH: A330-203

Aircraft F-GZCP crashed 1st June 2009

228 killed

Wreckage found 3rd April 2011

Data from Flight recorders 15th May 2011

The crew did not identify the stall

Pitch-down inputs led to stall-warning

On pitch-up input, stall-warning stopped

Angle of Attack (when valid) > 35°

After 4 minutes the aircraft hit the ocean

Groundspeed 107kt

Vertical Speed -10912 ft/min


Source: www.bea.aero/docspa/2009/f-cp090601e3.en/pdf/f-cp090601e3.en.pdf

Source: © Pawel Kierzkowski http://en.wikipedia.org/wiki/File:PKIERZKOWSKI_070328_FGZCP_CDG.jpg


NASA FOUND NO ELECTRONIC FLAWS

NASA Engineering and Safety Center

Technical Assessment Report

“…the testing and analysis described in this

report did NOT find that […] electronics are

a likely cause of the large throttle openings

as described…”

Functional Safety focus on E/E systems

Mechanical failures not considered

Driver error not considered


Source: www.nhtsa.gov


RECOMMENDATIONS BY NHTSA

Propose rules to

require brake override systems

standardize operation of keyless ignition

systems

require the installation of event data

recorders in all passenger vehicles

Begin broad research on the reliability and

security of electronic control systems

Research the placement and design of

accelerator and brake pedals, as well as

driver usage of pedals, to determine

whether design and placement can be

improved to reduce pedal misapplication


Source: www.nhtsa.gov


RECALL: ECU SOFTWARE

Engine ECU could cause unexpected

vehicle movement

engine stall while the brake pedal is not

pressed

engine control unit (ECU) software may

cause the electric motor of the hybrid

system to move the vehicle unexpectedly in

the OPPOSITE direction of the selected

gear


Source: www-odi.nhtsa.dot.gov/recalls/recallsearch.cfm


RECALL: CRUISE CONTROL

Cruise Control cannot be disengaged

Jaguar X-type

> 17000 vehicles affected

Diesel engines from 2006-2010

Software code error

Engine must be switched off to cancel!

Cruise Control not deactivated by pressing

brake pedal

Brake switch failure – MB Australia

Detection of brake pedal – Spartan USA



SHANGHAI SUBWAY CRASH

September 2011

Maintenance works on the line

Signalling system lost power

Trains continued to be operated

Directed by telephone

Signaller made a mistake

One train was directed into another

Hundreds injured

Fail-Safe?


Source: © Baycrest – License CC-BY-SA-2.5 en.wikipedia.org/wiki/

File:Shanghai_metro_line_2_people%27s_square_station.jpg


AGENDA



and the Operator

Sao Paulo A320 Crash:

7 seconds between life and death

How do we change ourselves?





SAO PAULO A320 CRASH

Aircraft PR-MBK crashed 17th July 2007

187 onboard and 12 on the ground killed

7 seconds between life and death

Time from touch-down to inevitable crash

Spoilers did not deploy

No reverse thrust

No “auto-brake” wheel braking

Pilots focused on loss of braking

Did not initiate a go-around

Could not stop the aircraft

The reason:

Incorrect position of one of the throttles


Source: © Luis Argerich de.wikipedia.org/wiki/Datei:TAM_Airbus_A320.jpg

Source: www.cenipa.aer.mil.br/cenipa/paginas/relatorios/pdf/3054ing.pdf


SAO PAULO A320 CRASH

Operator Error - Old View:

Operator error is cause of incidents

Increase automation

Create more rules and procedures

Operator Error - Nancy Leveson:

“To do something about error, must look at

system in which people work or operate

machines:

– Design of equipment

– Usefulness of procedures

– Existence of goal conflicts and production

pressures”


Source” A Systems Approach to Safety Engineering”, Nancy G. Leveson

Source: © Luis Argerich de.wikipedia.org/wiki/Datei:TAM_Airbus_A320.jpg


OPERATOR ERROR - MY VIEW

Automation has contributed to a massive

improvement in flight safety

Automation is now past the “human” limit

Accidents caused by pilot error due to

“misunderstanding” the automation are

increasing

Design environment at Tier N suppliers

The electronic engineer analyses hardware

and system failures relative to the

specification

Supplier considers what pilot “should” do

The designer has no feel for what pilots

intuitively or actually do in emergencies


Source: www.cenipa.aer.mil.br/cenipa/paginas/relatorios/pdf/3054ing.pdf

Source: © Airbus www.airbus.com/galleries/photo-gallery/


TRENDS IN MODERN COCKPIT DESIGN

FAA recognises automation issues

Human Factors Team

The Interfaces Between Flightcrews and

Modern Flight Deck Systems

How many Engineers at Suppliers have

studied Human Factors?


studied Cockpit Design?


actually talked to a real pilot about their

work?



Source: www.flightdeckautomation.com/fdai.aspx


HOW DO WE CHANGE OURSELVES?

Feedback after production

Engineering teams at suppliers disbanded

Disconnect between operational

experience and product design

Example: Tailstrike protection

Engineer assumption is low usage:

– low probability of failure during take-off

– pilot controls aircraft to avoid tailstrike

Pilot training for certain runways:

– always pull-back stick to limit

– rely on tailstrike-protection for every take-off

Latent System failure will always lead to

tail-strike

– Severity increased by pilot reliance on

automation




CAN WE EXPLAIN OURSELVES?

Can you explain your job to your children?

Can you explain a (client) system to

someone unrelated?

In what level of complexity?

Communication Theory

Important is what is received,

not what is sent

Understanding complex systems

Important is what knowledge can be

applied under stress conditions,

not what is provided in the classroom



WHO ARE THE STAKEHOLDERS?

Operator

Driver, Pilot, Co-pilot, (Flight Engineer)

Passengers

Company / airline

Operations / Training / Maintenance

Sales / Marketing / Management

Aircraft / car / train manufacturer (OEM)


Design / Engineering

Suppliers (Tier 1 … Tier N)


Design / Engineering



DIFFERENCE BETWEEN SALES /

ENGINEERS, OEM AND SUPPLIERS

Who talks to the Customer (Airline)?

The OEM Sales Team

Who talks to the Pilots?

The Trainers (Airline)

OEM

Who talks to the Engineers?



AGENDA



and the Operator


Example: Automotive Standard ISO 26262 Challenging previous business practices

Demonstration of Competence

Improving the Safety Culture along the supply

chain

The impact of legal practice relating to product

liability

Lessons-Learned: Liability Risk

Working across International boundaries

The consequences of Non-Disclosure-Agreements




NEW AUTOMOTIVE STANDARD:

ISO 26262

Safety-relevant systems

one or several E/E systems

production passenger cars (up to 3,500kg)

excluding vehicles for disabled persons

Deals with possible risks

emanating from the malfunction of E/E

systems

caused by the respective E/E system itself

Commercial vehicles and motorcycles

have not (yet) been included in the scope

but have not been explicitly excluded

either



CHALLENGING PREVIOUS BUSINESS

PRACTICES

ISO 26262 is

an automotive industry application standard

based on IEC 61508

applicable world-wide

affects all OEMs and Suppliers

the new “state-of-the-art”

ISO 26262 requires

demonstration of competence

new organisational structures to manage

functional safety (independence)

Development Interface Agreements (DIA)

Functional Safety Assessment to verify that

products are “functionally safe”



DEMONSTRATION OF COMPETENCE

Suppliers have to demonstrate their

competence to the OEMs

OEMs have to formally confirm the

competence of the Suppliers

Suppliers have to formally confirm the

competence of Sub-Suppliers

Competence is to be assured in

accordance with the corresponding

responsibility

Training, education

Qualification programmes are

recommended



IMPROVING THE SAFETY CULTURE

ALONG THE SUPPLY CHAIN


Abstraction

level Vehicle

E/E

Total system

E/E

sub-system HW SW

Development

phase

Concept

(part 3)

System

(part 4)

System

(part 4)

Hardware

(part 5)

Software

(part 6)

Information flow • Safety

objectives

• ASIL

• Funct. safety

concept

• Funct. safety

requirements

• Techn. safety

Concept

• Techn. safety

requirements

• Techn. safety

concept

• Techn. safety

requirements

• HW design

• HW safety

requirements

• SW design

• SW safety

requirements

Typically

responsible

OEM OEM

or

Tier1

Tier1

or

Tier 2..n

HW supplier (complex

function,

e.g. µC or ECU)

SW supplier (application)


CREATING THE COMPANY SAFETY

CULTURE

Functional safety as a company objective

Company-specific policies and processes

Introduction of a generic safety process

Process descriptions for safety

management and development activities

Introduction of a safety management

organisational structure

Safety managers and their task profiles

Authority of safety managers (veto rights!)

Resource management

Continuous Improvement Process

Escalation process for Functional Safety


Reference: ISO 26262-2, §5.4.2


CREATING THE COMPANY SAFETY

CULTURE

Poor examples

Accountability is not

traceable

Cost and schedule

always take precedence

over safety and quality

Passive attitude towards

safety

Heavy dependence on

testing at the end of the

product development

cycle

Management reacts only

when there is a problem

in the field

Good examples

The process assures that

accountability for

decisions related to

functional safety is

traceable

Safety is the highest

priority

Proactive attitude

towards safety

Safety and quality issues

are discovered and

resolved from the earliest

stage in the product

lifecycle


Source: ISO 26262-2, Annex B


THE IMPACT OF LEGAL PRACTICE

RELATING TO PRODUCT LIABILITY

ISO 26262 is applicable as of the date of

its publication, particularly since ISO

standards do not provide for an explicit

transition period

Therefore, implementation is required as

of 2011, meaning that all products put

into circulation as of this point in time

must implement ISO 26262!

It is not enough to only start implementing

ISO 26262 as of the date of its publication



LESSONS-LEARNED:

LIABILITY RISK

What is the position of European OEMs?

Some OEMs have been trying to keep the

assessments in-house

Some OEMs have already started requiring

suppliers to have assessments performed

by an ISO/IEC 17025 accredited body

What is the conclusion by legal experts?

With respect to the obligation of exercising

due care, the performance of the

“Assessment of Functional Safety“

portion of the product validation by testing

bodies accredited for this purpose

according to ISO/IEC 17025 (or ISO/IEC

17020) is to be regarded as the [current]

state of the art in science & technology



WORKING ACROSS INTERNATIONAL

BOUNDARIES

International Supply Chain

Demonstration of competence

Proof of compliance

How can you be sure?

Assessment

Self-Assessment by Supplier?

Fly-in Assessment by OEM?

Independent Assessment?

– Local assessment reduces cost

– Accredited bodies

– Dealing with different interpretations



THE CONSEQUENCES OF

NON-DISCLOSURE-AGREEMENTS

OEMs do not disclose fully to Suppliers

Suppliers only admit as much as they

absolutely must to their customers

Typical Example:

OEM selects Tier 1 for valve actuation

Tier 1 is already preferred supplier

Tier 1 experience is mechanical systems

New requirement – “SMART” actuator

Tier 1 sub-contracts electronics to Tier 2

– Tier 2 contractually cannot talk to OEM

– Electronics Interface (HW & SW) is

OEM Tier 2

Development Interface Agreement needed



AGENDA



and the Operator



AF447 inquiry recommends use of cockpit

image recorders

The role of professional institutions and

accreditation bodies

Better Communication is necessary



AF447 INQUIRY RECOMMENDS USE OF

COCKPIT IMAGE RECORDERS

BEA recommends

that ICAO require that aircraft undertaking

public transport flights with passengers be

equipped with an image recorder that

makes it possible to observe the whole of

the instrument panel

that at the same time, ICAO establish very

strict rules for the readout of such

recordings in order to guarantee the

confidentiality of the recordings.



Source: www.bea.aero/docspa/2009/f-cp090601e3.en/pdf/f-cp090601e3.en.pdf


THE ROLE OF PROFESSIONAL

INSTITUTIONS & ACCREDITATION

BODIES

What happens to the Engineer after

University?

Engineers can obtain professional

qualifications such as “Chartered

Engineer”

Each country has a different solution

Value of qualification is not promoted

Most qualifications are valid for life

Project Managers can get qualified

Project Management Institute (PMI)

Safety Managers can get qualified

Industry Functional Safety Expert



BETTER COMMUNICATION IS

NECESSARY

Communication is 2-way

We need to get design understanding from

Engineers to the end user (pilot, driver)

We need timely feedback from the end user

to reach the responsible Engineers

Communication is multi-layered

We need to respect NDAs and promote

Development Interface Agreements

Develop a safety culture throughout the

supply chain

What counts is what is received, not what

was transmitted

Safety is multi-disciplinary and requires

active participation by ALL stakeholders



TOP 10 TIPS

1. Contact certification company during

development to be aware of requirements

– no nasty surprises!

2. Perform a GAP-Analysis to prioritise the

implementation of functional safety – you

can’t do it all at once

3. Train your engineers to ensure their

competence in the functional safety

requirements

4. Be aware of your legal responsibilities

5. Introduce safety analysis as natural part

of your development



TOP 10 TIPS

6. Optimise communication, especially with

suppliers / OEMs

7. Specify the functional safety

requirements for your suppliers

8. Update your documentation during and

not only at the end of development

9. Processes you have documented, should

be applied

10. Use feasible tools, adequate methods

and techniques



Thank you for your attention!



YOUR PARTNER FOR FUNCTIONAL

SAFETY

SGS-TÜV Saar

Global Competence Center

Functional Safety

Hofmannstrasse 50

D-81379 Muenchen

Germany

www.sgs-tuv-saar.com/fs

Stephen Norton

Head of Automotive & Aerospace Division

E-mail: [email protected]

Telephone: +49 89 787 475 -280

Mobile: +49 152 0922 0522

Fax: +49 89 787 475 -217



Addition Information regarding our Services



HOW ARE WE HELPING

SGS-TÜV Saar experts have very many

years of experience in Functional Safety

Co-initiator of the ISO 26262 standard

Active in standardisation committees

Respected voice in the Industry

We are providing

Consulting on Functional Safety

ISO 26262 Roll-out

Review of processes, tools, templates

Guidance in creation of “work products”

Training and personal qualification

Assessments, audits and certification

according to ISO 26262



OUR SERVICES (1)

AEROSPACE

Training / Personal

qualification

Consulting

Analytics

Testing / Certification



OUR SERVICES (2)

Generic or basic training

Standards including

– ISO 26262, IEC 61508

– SAE ARP4761

– RTCA/DO-254

– RTCA/DO-178C, RTCA/DO-278

– RTCA/DO-160F

– EUROCAE ED-125

Risk analysis

System design and analysis

FMEDA / FTA

Safety relevant Software

Individual training courses

Tailored to company-specific content



OUR SERVICES (3)

Professional Qualification

Automotive Functional Safety Professional

Industry Functional Safety Professional

5-day training and exam

Competence confirmed by SGS-TÜV Seal

Expert Qualification

Automotive Functional Safety Expert

Industry Functional Safety Expert

Audit by SGS-TÜV Examining board



OUR SERVICES (4)

Functional Safety Management (FSM)

Expert monitoring of customer projects

Functional Safety Management

Assessments

Creation of Safety Cases

Support as Safety Manager

Preparation of documentation concepts

Moderation of Hazard Analysis and Risk

Assessment

Interface management between OEM and

supplier



OUR SERVICES (5)

Functional Safety Analytics

Hazard analysis and risk assessments

FMEA & FMEDA

FTA

Markov Analysis

Functional Safety of Software

Control system assessments

Assessment of software

Tool qualification



OUR SERVICES (6)

Testing

Evaluation of systems

Risk analysis (ASIL / SIL / PL / DAL)

Review of specifications and requirements

Concept and design analysis

Verification and validation

Auditing and certification of safety

processes

Functional Safety Assessments and Audits

Certification of components and systems



YOUR INTERNATIONAL CONTACTS

Germany (Headquarters)

SGS-TÜV GmbH

Functional Safety

Hofmannstrasse 50

D-81379 Munich

Gr. China

SGS Taiwan Ltd.

134, Wu Kung Road, Wu Ku Industrial Zone

New Taipei City

24866 Taipei

Japan

SGS Japan Inc.

2-2-1, Minatomirai, Nishi-ku

The Landmark Tower Yokohama 38F

220-8138 Yokohama

Korea

SGS Korea Co., Ltd.

398-1, Gomae-dong,

Giheung-gu, Yongin-si

Gyeonggi-do, 446-901

Phone +49 98 787475-270

[email protected]

www.sgs-tuv-saar.com/fs

Phone + 886 2 2299 3279 3660

[email protected]

Phone +81 45 330 5040

[email protected]

Phone + 82 31 240-6611

[email protected]


Date post:	18-Oct-2020
Category:	Documents
Upload:	others
View:	0 times
Download:	0 times

RAISING THE LIMIT: THE DESIGN OR THE DESIGNER? · RAISING THE LIMIT: THE DESIGN OR THE DESIGNER?...

Documents