General Motors (GM) has launched a series of product recalls since January 2014, due to problems with ignition switches installed in vehicles built since 2003 – which may result in ‘moving stalls’ or disable the air bag system moments before a crash. GM acknowledges that at least 13 people have been killed in crashes when the air-bags did not deploy – although air-bag deployment would have been expected, judging by the vehicle damage and circumstances of the crash.
The problems, caused by poor design of the ignition switch, were first reported to GM during the launch of the Chevrolet Cobalt in 2003, by employees driving early production vehicles in their ‘Captive Fleet Trials’ program, as well as by journalists during the press launch, who reported ‘moving stalls’ – when the engine shut down as the ignition key moved out of the “run position” while they were driving.
The Valukas Report released by GM in May 2014 examines ‘who knew what when’ and details their inadequate response to customer complaints and litigation, from 2003 until the launch of the recall program in 2014. The picture that emerges, by their own admission, is one of professional incompetence and dysfunctional systems where ‘everything that could go wrong did’.
While the lawyers and politicians argue about alleged cover-ups and blame, we prefer to focus on what we can learn from GM’s mistakes and how well established tools and techniques can be used to prevent similar mistakes happening again.
System Design and Failure Modes Effects Analysis (FMEA)
Failure Modes Effects Analysis (FMEA) is a well established technique used to anticipate, prevent and detect the causes of failure in the design of products or manufacturing processes, forming part of the ‘normal development process’ in many successful organisations.
In this simplified case study, based on published data, we will explain how a System FMEA could have saved GM ten years and millions of dollars.
The primary function of the air-bag system is to reduce serious injuries during a crash event, by providing a means of absorbing energy when occupants hit parts of the vehicle structure or internal components. We can therefore describe two possible failure modes of the air-bag control system as shown below:-
| Type | Required Control System Function | Potential System Failure Mode |
|---|---|---|
| 1 | Air-bags are activated to protect occupants during a ‘crash event’ | Air-bags are not deployed (activated) during a crash event, or are activated prematurely or too late to be effective. |
| 2 | Air-bags are ONLY activated to protect occupants during a ‘crash event’ and are not activated at any other time, or when the vehicle is not being driven. | Air-bags are deployed during a ‘non-crash event’ or when the vehicle ignition switch is not in the “ON” position. |
Following the AIAG Guidelines, the failure modes are described as an undesirable loss of, or change in, the functional performance of the system.
In this format the potential effect of failure becomes transparently obvious, because either scenario may cause injury and would result in non-compliance with government regulations, creating the need for a product recall.
In the System FMEA a ‘severity score’ is used to rank different failures based on the user’s experience of the problem when it occurs.
According to the AIAG Guidelines, a severity score of 10 (the highest) should be used when:-
Failure may, without warning, cause loss or injury or non-compliance with government regulations
This could be reduced to 9 if there is ‘adequate warning’ of the problem, so that the user with ‘reasonable skill and judgement’ would take action to protect themselves from the consequences. In some circumstances, this might be achieved by detecting a fault condition and alerting the user to that fault – for example by providing a warning light or audible warning to inform them that they need to act in response to a known fault, although a warning does not eliminate the possibility of injury.
As we develop the System Specification, we therefore need to consider how the Air-Bag Control system is intended to operate, and identify the various fault conditions, including user errors, that might cause the system to malfunction and generate the potential failure modes.
In this system,
- The sensors measure the acceleration on the body structure, and send the information to the Signal Detection Module (SDM)
- The SDM determines if a ‘crash-event is occurring’ by comparing the measured data with predefined threshold values for a ‘crash-event’ stored in software
- When a ‘crash event’ is detected, the SDM activates the air-bags
In order to prevent the air-bags deploying when a crash event has not occurred, the system incorporates the following additional features that form part of the system specification.
| Ref | Potential ‘Error States’ | Method of Prevention (by design) |
|---|---|---|
| 1 | Air-bags activated due to false readings from crash sensors, or data processing errors, causing a false crash event to be detected | The Signal Detection Module (SDM) runs diagnostic checks when powered up and, if a fault is detected, disables the air-bags and alerts the driver by displaying a warning light. (This process takes approximately 3 seconds, and while the diagnostic checks are in progress the air-bags will also be disabled.) |
| 2 | Air-bag deploys while the vehicle is not being driven, which may cause injury to unrestrained occupants or workshop staff | The air-bag system is only activated when the ignition switch is in the ‘run’ position and is disabled when the key is in the ‘Accessory’ or ‘Off’ position. As described by GM, the Body Control Module (BCM) detects the key position and controls which systems are activated in each key position. |
It is important that we understand that some ‘features of the specification’ are introduced to prevent or detect a particular fault condition, or to prevent failure modes that may have serious consequences, and when that is the case, any design solution that does not satisfy that requirement will be potentially dangerous.
Now, if we consider a ‘crash scenario’ when we would want the air-bags to be deployed, we can describe the conditions for a successful deployment as shown below:-
This approach quickly identifies that loss of power to the Signal Detection Module (SDM) will disable the air-bags, and that the system will not recover from a power supply interruption for 3 seconds while the diagnostic checks are completed.
The implications are equally clear: any failure mode or error condition that interrupts the power supply to the Signal Detection Module while the vehicle is being driven may cause air-bag non-deployment and must be considered a safety-critical failure mode, with a severity score of 10 on the AIAG 1-10 rating scale for severity.
As this conclusion is based on analysis of the system design:-
- It is equally valid for all possible designs of the ignition switch in this system
- If we find evidence of ‘unintended rotation of the key while driving’ we know it is a safety issue, regardless of the specific root cause.
This is important, because we no longer need to experience an air-bag non-deployment or a moving stall to alert us to the safety issue: if we don’t prevent unintended rotation of the key under all normal operating conditions, we have a safety-critical defect.
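To make the power-interruption argument concrete, here is an added Python model of the control path just described (not code from the article or from GM): the BCM gates SDM power on key position, the SDM is blind for the 3-second self-test after every power-up, and it deploys only when a reading exceeds its stored threshold. The 40 g threshold, the 60 g crash pulse and the event timings are constructed assumptions.

```python
from enum import Enum

class Key(Enum):
    OFF = "off"
    ACCESSORY = "accessory"
    RUN = "run"

class AirbagController:
    """BCM powers the SDM only in RUN; the SDM self-tests for 3 s after
    power-up, then deploys when a sensor reading exceeds its crash threshold."""
    SELF_TEST_S = 3.0          # diagnostic window quoted in the text
    CRASH_THRESHOLD_G = 40.0   # constructed assumption; GM's value is not given

    def __init__(self):
        self.key = Key.OFF
        self.powered_at = None  # time the SDM last got power; None while unpowered

    def set_key(self, t, position):
        """BCM behaviour: moving to RUN powers the SDM, anything else cuts it."""
        if position is Key.RUN and self.key is not Key.RUN:
            self.powered_at = t        # fresh power-up restarts the self-test
        elif position is not Key.RUN:
            self.powered_at = None     # ACCESSORY or OFF: SDM unpowered
        self.key = position

    def armed(self, t):
        """Air-bags are live only once the post-power-up self-test is done."""
        return self.powered_at is not None and t - self.powered_at >= self.SELF_TEST_S

    def sensor_event(self, t, accel_g):
        """SDM decision for one crash-sensor reading at time t (seconds)."""
        if accel_g < self.CRASH_THRESHOLD_G:
            return "no-crash"
        return "deployed" if self.armed(t) else "not-deployed"

def outcome(key_events, crash_at, accel_g=60.0):
    """Replay time-ordered (t, Key) changes that all precede crash_at and return
    the SDM decision for a sensor pulse at that instant; 60 g is a constructed pulse."""
    ctl = AirbagController()
    for t, position in key_events:
        ctl.set_key(t, position)
    return ctl.sensor_event(crash_at, accel_g)

if __name__ == "__main__":
    drive = [(0.0, Key.RUN)]
    stall = drive + [(120.0, Key.ACCESSORY)]   # unintended key rotation at 120 s
    back = stall + [(121.0, Key.RUN)]          # driver turns the key back at 121 s
    for label, ev, t in [("normal", drive, 30.0), ("stall", stall, 121.0),
                         ("1 s after recovery", back, 122.0), ("3.5 s after", back, 124.5)]:
        print(f"crash {label:>20}: {outcome(ev, t)}")
```

The third scenario is the one the FMEA surfaces: even when the driver notices the stall and turns the key back, a crash within the next 3 seconds still meets an unarmed SDM.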
Specifying a switch that works
As we start to develop the specification for the ignition switch we can again use the FMEA approach to help identify and quantify the requirements for the switch in the system.
We already know that ‘unintended movement of the key’ is a safety-critical failure mode (severity 10) because the effect will be that it disables the air-bag with potentially fatal consequences, and this must be prevented by the detailed design of the switch.
When we ask, “How will we prevent unintended movement of the key?”
A logical response based on our knowledge of switch design is that:-
“The detent mechanism in the switch is designed to prevent unintended rotation of the key while driving”
But, because we now know the detent mechanism is being designed to prevent a safety-critical failure of the air-bag system, we can describe this functional requirement as a “Critical Function of the Design” of the switch.
The choice of language is a deliberate echo of “Critical Characteristic”, a term more frequently used in Design and Process FMEAs to highlight product or process characteristics that must be achieved to prevent potential safety issues or non-compliance with regulations, and is widely understood in the industry. In a manufacturing environment the supplier is required to provide evidence that all critical characteristics have been achieved through inspection or evidence of process capability.
In the same way, identifying “Critical Functions of The Design” in the component specification highlights the need for special care in the design, development and validation of the component, and the functional requirements must also be quantified to reflect real operating conditions. In this case we might suggest three different acceptance criteria and methods of validation during the development process.
| Requirement | Target Setting | Suggested Validation Methods |
|---|---|---|
| Driver must be able to ‘feel the detent positions’ and turn the key when required to do so. | Benchmarking switches in current use may provide target values for the torque required to turn the key, but the desire for a ‘light touch’ must be tempered by other functional requirements. | Subjective assessment of the proposed switch and competing products for ‘touch and feel’; objective measurements to determine actual torques on switches ‘as new’, after 25,000 operations of the key, and following vibration testing. |
| Key must not rotate when subjected to ‘severe vibrations’ experienced when driving ‘off-road’, or on contact with the driver’s knee. | Objective measurements of steering column vibration in ‘on-road’ and ‘off-road’ conditions to develop a vibration test specification. | Vehicle durability tests; component vibration tests, including resonance search and dwell tests and random vibration tests; knee impact tests (procedure to be developed). |
| Key must not rotate during ‘pre-crash’ events. | The detent must stop unintended movement of the key under all conditions that are less severe than the threshold for a crash event used to trigger air-bag deployment. | Rig-based impact and shock tests using data from vehicle crash testing and simulations. |
Equipped with a more robust specification that prevents ‘unintended movement of the key’ under all normal operating conditions, we can now examine alternative design proposals, and ensure that the selected design passes the validation tests.
In a full system FMEA we would consider ‘three dimensions of risk’ which are:-
- The nature and severity of the effect (harm) that may be caused when the failure occurs
- The potential causes of the failure, and how frequently they will be present
- How effectively we could detect the presence of cause, and prevent the potential harm
However, in this simplified case study we have focused on the functional analysis of the air-bag system, to show how it enables us to establish objective design goals and sign-off criteria for individual components. Recognizing the ‘Critical Design Functions’ in this way during the System FMEA of the conceptual design helps ensure that the design is fully validated before the start of production.
The Valukas Report suggests that the original GM ignition switch specification contained vague and ambiguous targets for the detent torque, which were never achieved, and provides no evidence that the specification or acceptance criteria were developed using failure modes effects analysis or similar techniques. As a direct result GM engineers failed to understand the significance of the available evidence for over ten years – and they never asked “Is the specification fit for purpose?” – with serious consequences for the company and its consumers.
In response to the crisis GM has pledged to change their corporate culture and fix their dysfunctional systems. If you would like to change yours before you have a crisis, why not contact Stunell Technology for details of our Product Liability or FMEA Training?