Tags

, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Nuclear Submarine HMS Vanguard Passes HMS Dragon as She Returns to HMNB Clyde, Scotland
Nuclear Submarine HMS Vanguard Passes HMS Dragon as She Returns to HMNB Clyde, Scotland“[1] Thales has the contract for maintenance and repair of the sensor and electronic warfare systems of the UK submarine fleet, including the one above, armed with Trident II (D5) nuclear missiles.

Boeing contracted with Thales Avionics Electrical Systems to design the 787 electrical power conversion subsystem, which includes the main and APU batteries.” (NTSB, p. vii) (GS Yuasa was a subcontractor hired by Thales). Thales is 29% French government owned and 26% Dassault controlled[1]
See what happened!
burned Dreamliner battery
In the Boeing 787 Dreamliner’s first year of service, at least four aircraft suffered from electrical system problems stemming from its lithium-ion batteries.http://en.wikipedia.org/wiki/Boeing_787_Dreamliner_battery_problems
(There will be much more on the Dreamliner report after general discussion of Thales.)

29% French government owned Thales is involved in UK nuclear power and “defence” security systems, and even in Japan’s earthquake response program. All but one nuclear power station in the UK is owned by EDF which is 85% French government owned. EDF has remained partners with Russian government controlled Gazprom for the underwater segment of the South Stream project. Additionally in Oct. of 2012 Dassault Systèmes announced the creation of the first 3D digital nuclear plant management model in partnership with Russian government owned Rosatom- NIAEP. [2] So, who is the UK defending against?

In May 2013, Thales obtained a ten-year contract to maintain and repair the sensor and electronic warfare systems of the UK submarine fleet, including the Vanguard-class, armed with Trident II (D5) nuclear missiles. Thales produces sonar installations for UK and French submarines. Thales, along with several other companies, was given a contract in December 2004 to build the new M51 nuclear missile for the new French submarines. [3] On a powerpoint presentation Thales promises to offer security against protestors. But, that doesn’t require nuclear submarines and weapons and Thales appears close to Russia through both the French government and Dassault.

In the case of the Boeing Dreamliner fire, the US National Transportation and Safety Board, 21 Nov. 2014, “Auxiliary Power Unit Battery Fire, Japan Airlines Boeing 787-8, JA829J, Boston, Massachusetts, January 7, 2013” concluded that “Critical assumptions and conclusions made in GS Yuasa’s and Thales’ safety analyses and used in Boeing’s EPS safety assessment were not fully delineated and justified with appropriate data and engineering rationale” In the intro they note that: “the FAA’s oversight of Boeing, Boeing’s oversight of Thales, and Thales’ oversight of GS Yuasa did not ensure that the cell manufacturing process was consistent with established industry practices.” While not mentioned in the Abstract, it is clear if you search the document for “Thales” that they are involved in this failure. Furthermore, as the contractor to Boeing, Thales should be responsible for their subcontractor. Is the NTSB afraid of Thales that they were not mentioned in the abstract? Thales is mentioned throughout the document, as we will show below. (It seems that many are unfamiliar with a great innovative tool called search in most pdf documents – people used to have to use an index or read!) (See NTSB further down).

Thales is supposed to be expert at trouble shooting, nuclear security, cyber security, doing vulnerability assessment, system integration, training and simulation and is one of the only technology provides working in both the civilian and military sectors. In July of 2014, they were awarded a contract for support of control system services “to help extend the life of EDF Energy’s UK nuclear power stations. This follows closely on the heels of their contract for maintenance and repair of the sensor and electronic warfare systems of nuclear subs with nuclear warheads. And yet they seem unable to trouble shoot an airplane battery! Furthermore, the cozy relationship between the French government, Dassault and Russia should raise questions in this context.

Thales Group is a French multinational company that designs and builds electrical systems and provides services for the aerospace, defence, transportation and security markets.http://en.wikipedia.org/wiki/Thales_Group They are approximately one third French government owned. Thales is the UK’s second-largest defense contractor and they make a laundry list of things of critical importance for the military including batteries. Thales’ role as defense contractor, especially their maintenance and repair of sensor and electronic warfare systems of the UK submarine fleet, including those armed with Trident II (D5) nuclear missiles, and their apparent involvement in the UK’s computer “cloud” system seems to mean that a small screw up on their part could lead to Glasgow (near Faslane), Scotland, Ireland, or the world getting blown to smithereens.
Trident II USG photo of UK sub
Trident II

Additionally, Thales is involved in protection of what is deemed “Critical National Infrastructure” in the UK. They are a service delivery partner (security; electronics and probably modeling) to EDF nuclear power stations and they provide deployable communications capability for the Japanese Earthquake Response Program. They provide security and emergency management services on the UK’s NDA (Nuclear Decommissioning Authority) properties. They are involved in addressing “Beyond Design Basis scenarios due to extreme natural events” and provide “critical data from nuclear power stations to decision makers.” A Thales powerpoint presentation “National Security Resilience Case Study – UK Utility Sector“, found at wikileaks, describes “vulnerabilities” found in the UK utility sector – one can guess EDF nuclear. The vulnerabilities seemed really basic, like passwords, and it is difficult to see why the UK paid good money for this – except – oh, EDF is mostly owned by the French govt. and Thales is largely owned by the French govt., with help of friends like Serge Dassault-Dassault Family. https://www.wikileaks.org/spyfiles/docs/THALES-2011-Cybeover-en.pdf They also seem to be involved in a “cloud” for sensitive UK gov info and “currently provide secure end-to- end networks to the UK Government and advise on a number of security related matters…” Furthermore, “The Thales NOC holds List X status, which means that is it approved to hold UK Government Protectively Marked information marked at ‘CONFIDENTIAL’ and above. The NOC is certified to ISO 27001:2005 in the form of CAS(T) (CESG Assured Service Telcoms). NOC staff hold BPSS (Baseline Personnel Security Standard) and NSV (National Security Vetting) SC Security Clearances. Information Assurance consultants from the Thales Cyber Security Portfolio (CSP) work with the NOC on a frequent basis to maintain and continually improve security standards and practices.” From: “Thales Service Definition for UK NOC Services.” http://assets-production.govstore.service.gov.uk/G5/1469/5.G5.1469.012/QD1/Thales%20Service%20Definition%20NOC%20Services.pdf (UK Open Government License 3.0)

Excerpted from a speech by UK PM Cameron: “… it’s great to be here at Thales … Earlier today I was winched from a helicopter onto HMS Victorious, one of our Trident nuclear submarines, and one of the things I did on that submarine was look through the incredible periscope made, of course, by Thales to scan the horizon and to look to see what was around. And it was an incredible piece of equipment and a signal of the brilliance of this company and this organisation…. I reassure you that Britain – the United Kingdom – wants to keep its defences strong, and that should mean plenty of work for you here at Thales because you do very, very vital things for our defence industries and, as your Managing Director put it, very, very essential things for keeping our troops safe in the battle field.” Open Government Licence v3.0, except where otherwise stated, © Crown copyright From: Cabinet Office, Prime Minister’s Office; The Rt Hon David Cameron MP Delivered on: 4 April 2013

Excerpts from : “NTSB/AIR-14/01 PB2014-108867 Notation 8604 Adopted November 21, 2014 Aircraft Incident Report, Auxiliary Power Unit Battery Fire, Japan Airlines Boeing 787-8, JA829J, Boston, Massachusetts, January 7, 2013“, as related to Thales:

Boeing was responsible for the overall integration and certification of the equipment in the 787’s electrical power conversion subsystem, which is part of the airplane’s electrical power system (EPS). Boeing contracted with Thales Avionics Electrical Systems to design the 787 electrical power conversion subsystem, which includes the main and APU batteries. Thales then subcontracted with various manufacturers for the main and APU battery system components, including GS Yuasa Corporation, which developed, designed, and manufactured the main and APU batteries. (p. vii)

Cell manufacturing defects and oversight of cell manufacturing processes. After the incident, the NTSB visited GS Yuasa’s production facility to observe the cell manufacturing process. During the visit, the NTSB identified several concerns, including foreign object debris (FOD) generation during cell welding operations and a postassembly inspection process that could not reliably detect manufacturing defects, such as FOD and perturbations (wrinkles) in the cell windings, which could lead to internal short circuiting. In addition, the FAA’s oversight of Boeing, Boeing’s oversight of Thales, and Thales’ oversight of GS Yuasa did not ensure that the cell manufacturing process was consistent with established industry practices“. (p. viii)

Boeing was responsible for the overall integration and certification of the equipment in the 787’s electrical power conversion subsystem, which is part of the airplane’s electrical power system. Boeing contracted with Thales Avionics Electrical Systems of Neuilly-sur-Seine, France, to design the 787 electrical power conversion subsystem, which includes the main and APU batteries. Thales subcontracted with various manufacturers for the main and APU battery system components“. (p.4)

Battery specification information was based on information from a Thales document. Cell specification information was provided by GS Yuasa.” (p.5)

Dreamliner NSTB, p. 9
p.9

1.6 Battery Manufacturing Information

1.6.1 Main and Auxiliary Power Unit Battery Development

In 2003, Boeing created a statement of work to outsource the design and manufacture of the 787 power conversion subsystem and awarded this contract to Thales in May 2004. Thales then subcontracted (with concurrence from Boeing) the design and manufacture of the 787 main and APU battery to GS Yuasa and the design and manufacture of the 787 battery charging system to Securaplane Technologies. 78

Boeing, with participation from Thales, created the specification control drawing (SCD) and interface control drawing to be used during the development and manufacture of the 787 battery and battery charging system. 79 Thales was responsible for providing these specifications to GS Yuasa and Securaplane, managing these subtier suppliers, and meeting all of the

[Footnotes
77 The LVP65-8-403 battery design incorporated improvements to the BMU sensing wiring installation.
78 Outsourcing is an industry practice that can be practical and effective when all aspects of the design, manufacture, and certification of a component or system have been verified to ensure an airplane’s safety of flight. Post incident interviews revealed that all of the companies involved with the design and manufacture of the 787 power conversion subsystem agreed that each would retain ownership of their associated intellectual properties.
79 According to Boeing, the SCD depicts the performance and design requirements, functional and physical interfaces, and quality assurance requirements for the development, procurement, and configuration control of an item or assembly. The interface control drawing is a formal engineering document that defines, among other things, the interface between mating parts, connections, and signals.
] (p.42)

specification requirements for the battery and battery charger system. Thales, along with its subtier suppliers, was also responsible for providing Boeing with required testing and analysis results.

The basic design of the battery began in 2005. As part of the design, GS Yuasa contracted with KAI to design and manufacture the BMU. As the battery design matured, preliminary design reviews and critical design reviews were conducted by Boeing along with Thales and GS Yuasa. Qualification testing was witnessed by delegated representatives from Boeing. 80

In early 2007, GS Yuasa and Thales redesigned the battery (with Boeing’s approval) after a November 2006 fire at Securaplane during the development of the BCU. 81 The redesigned battery included a contactor and a BMU subcircuit card to interrupt charging in an abnormal situation. Qualification testing of this redesigned battery was completed in June 2007. In October 2009, GS Yuasa and Thales redesigned the battery again (with Boeing’s approval) after a July 2009 cell venting event at UTC Aerospace Systems’ Airplane Power Systems Integration Facility (APSIF), where 787 power conversion subsystem components were tested as an integrated electrical system. 82 The redesigned battery included a modified BMU4 subcircuit card to avoid the subsequent recharging of the battery after overdischarge and a battery diode module (added to the electrical system) so that the main battery could be charged only by the dedicated charger and not be inadvertently charged by the airplane’s electrical system. The critical design review for this battery redesign was completed in January 2010, and qualification testing was completed in June 2010. 83 (The FAA was aware of both battery events.)

Boeing required its suppliers and subtier suppliers to perform first article inspections (FAI), according to industry standards, on first production runs of any component. The FAI was the primary method for inspecting and testing vendor components and was considered to be an essential step in approving an order or a contract. The intent of the FAI was to determine if a vendor’s product met acceptance and quality control requirements to ensure that all engineering, design, and specification requirements were correctly understood, accounted for, verified, and

[FN: 80 Qualification tests are performed to demonstrate that a design conforms to a set of requirements, such as the requirements defined in Boeing’s main and APU battery SCD.
81 On November 6, 2006, a fire occurred at the main Securaplane building when a 787 development battery was being charged for a test. The battery had been in use for about 14 months. Investigation of the incident found that thermal runaway of the battery occurred and that the BMU was not connected directly to the BCU. The cause of battery failure was unknown but was surmised to be a cell internal short circuit followed by overcharge of at least one other cell.
82 On July 7, 2009, an APU battery experienced a loss of voltage and vented electrolyte during integrated system testing at UTC Aerospace Systems’ APSIF. An investigation of the incident by Boeing, Thales, and GS Yuasa determined that the failure of the battery most likely resulted from thermal runaway of a single cell due to an internal short circuit created by repetitive overdischarge and subsequent high-rate charging operations. During the NTSB’s April 2013 investigative hearing on the BOS incident, Boeing representatives testified that integrated system testing was conducted on the entire electrical system, including the APU and its grounding system, and that a number of protective (non-abuse) tests were conducted to ensure that the APU system would meet its design requirements.
83 The changes to the battery that were made after the BOS and TAK incidents are discussed in sections 1.2.4 and 1.8.1]
. (p. 43)

recorded. GS Yuasa accomplished the FAI for the main and APU battery in November 2008, and Thales approved the FAI results in January 2009. GS Yuasa performed another FAI of the battery after its redesign resulting from the APSIF event. Further, in November 2010, Boeing performed an FAI on an LVP65-8-402 battery at GS Yuasa and found that the battery complied with acceptance and quality control requirements.

Boeing’s surveillance of Thales was conducted in accordance with contractual specifications and requirements. Boeing also relied on the Bureau Veritas Certification to perform surveillance assessments of Thales twice a year. 84

Thales conducted two audits of GS Yuasa between the time that battery production began and the incident. These audits, which were conducted in June 2011 and September 2012, found 11 discrepancies, all of which were subsequently closed. None of the discrepancies were directly related to battery or cell manufacturing. Thales reported the results of these audits to Boeing.

Boeing did not conduct any audits of GS Yuasa before the incident and relied on Thales to audit its subtier suppliers. 85 After the incident, Boeing sent an audit team to Thales and GS Yuasa (and KAI) to review the management of subtier suppliers, quality of manufacturing and business processes, and adherence to Boeing standards. The audit found 17 items of noncompliance with Boeing requirements. Most of the noncompliance items at GS Yuasa involved adherence to written procedures and communication with Thales and Boeing regarding authorization for proposed procedural and testing changes for the battery. The noncompliance items at Thales involved adherence to contractual requirements for Boeing’s approval on drawing or procedural changes. Corrective actions for all of the noncompliance items have been completed by Thales and verified by Boeing.

The FAA did not conduct any audits of GS Yuasa before the incident. 86 In late January 2013, the FAA conducted an audit of GS Yuasa (and KAI) and found several items of noncompliance, including (1) noncompliance with component/assembly part markings and no traceability to assembly drawings and instructions and (2) noncompliance with assembly and installation instructions of battery components. 87 Corrective actions for these and other items of noncompliance have been completed by GS Yuasa and verified by the FAA.

[FN: 84 The Bureau Veritas Certification is an international certification organization that Boeing used to help ensure that its suppliers had an accredited quality management system in place.
85 Boeing had a source inspector at GS Yuasa, but the inspector was contractually limited to determining whether specific inspection and checklist items, as detailed in agreements among Boeing, Thales, and GS Yuasa, met minimum quality standards. Any issues that the inspector found had to be routed to a US Boeing representative to coordinate through Thales.
86 The FAA did not consider the 787 battery to be a critical component because the Seattle Aircraft Certification Office (which was responsible for the airplane’s certification) regarded the battery as a redundant system. As a result, the FAA’s automated supplier selection process, which identifies suppliers for evaluation, did not select GS Yuasa.
87 Other items of noncompliance involved storage procedures for returned batteries and the root cause and analysis for returned batteries.]
” (p. 44)

1.7.3 System Safety Assessment

Safety assessments are a primary means of compliance for systems that are critical to safe flight and operation. These assessments are performed by the manufacturer and its suppliers and are reviewed and accepted by the FAA. Safety assessments proceed in a stepwise, data-driven manner to ensure that all significant single-failure conditions have been identified and all combinations of failures that could lead to hazardous or catastrophic airplane-level effects have been considered and appropriately mitigated. The safety assessment process, which is outlined in FAA Advisory Circular (AC) 25.1309-1A, “System Design and Analysis,” is not mandatory, but manufacturers that do not conduct safety assessments must demonstrate compliance in another manner, such as ground or flight tests. Boeing indicated in certification documents that it used a version of AC 25.1309 (referred to as the Arsenal draft) as guidance during the 787 type design certification program. 102

Overall compliance with the applicable 787-8 main and APU lithium-ion battery safety requirements was shown through formal analyses and qualification tests. Thales and GS Yuasa performed these analyses and tests, and Boeing reviewed and approved the results.

Boeing’s 787-8 EPS safety assessment, dated September 16, 2009, presented the overall safety analysis of the EPS. This analysis evaluated the design of the EPS for compliance with safety requirements derived from 14 CFR Part 25, EASA certification specifications, Special Conditions 25-359-SC, and accompanying advisory material. For the main and APU lithium-ion battery and battery charger systems, the safety assessment included a failure modes and effects analysis (FMEA) to provide a bottom-up qualitative and quantitative way to identify the effects

102 In 1996, an FAA aviation rulemaking advisory committee (ARAC) was chartered to harmonize the FAA’s practices related to 14 CFR 25.1309 with those of Europe and Canada. The committee released its final report to the FAA in August 2002, but the revised AC 25.1309, referred to as the Arsenal draft, has not yet been issued. On April 29, 2003, the FAA published a notice of availability of the ARAC-recommended proposed changes to the airworthiness standards for transport-category airplanes regarding equipment, systems, and installations as well as the current AC 25.1309 (version 1A). This notice of availability indicated that the ARAC-recommended proposed changes could be used for airplane certification programs through a request for an equivalent level of safety finding“. (p. 49 )

… Boeing’s FMEA was based on information contained within GS Yuasa’s FMEA, which GS Yuasa developed with assistance from Boeing and Thales. GS Yuasa’s FMEA included a calculation of a representative failure rate for the LVP65 cell…. 107 Boeing collaborated with GS Yuasa and Thales about the development tests to be performed on cells and batteries. Results from this testing helped Boeing determine what types of abuse (thermal, physical, and/or electrical) certification testing and/or safety analyses needed to be performed to show compliance with the applicable battery regulations, including the special conditions. The development tests were not required by the FAA. (p. 51)

2.3 Cell Manufacturing Concerns

…. GS Yuasa stated that it manufactured the incident battery according to drawing specifications provided by Thales and Boeing, and GS Yuasa’s and Boeing’s FAI processes showed that the battery complied with Boeing’s acceptance and quality control requirements. However, the NTSB’s observations of GS Yuasa’s cell manufacturing process identified several concerns….” (p. 58)

… Although GS Yuasa was responsible for manufacturing the 787 main and APU battery and cells, Thales was responsible for providing Boeing with consistent and safe power conversion subsystems (which included the main and APU battery systems) for 787 airplanes. Thales audited GS Yuasa in June 2011 and September 2012, and all of the discrepancies noted in the audits were subsequently addressed. However, none of the discrepancies were related to cell features, such as perturbations created and FOD generated, from GS Yuasa’s cell manufacturing process. Postincident interviews revealed that Thales did not recognize that such features could result from the cell manufacturing process or that GS Yuasa’s quality controls were not established to detect these features.

Boeing and FAA personnel did not conduct any audits of GS Yuasa before the incident. (Boeing stated that it relied on Thales to audit its subtier suppliers.) Boeing, as the production approval holder (that is, the holder of a production certificate), provided oversight to ensure that its contracted suppliers of the 787 power conversion subsystem adhered to their approved quality control system for the manufacturing of subsystem components. The FAA provided oversight of Boeing to ensure that (1) its contracted suppliers followed approved procedures for the production of products, articles, and parts that conformed to Boeing’s approved type design and (2) such products, articles, and parts were airworthy and safe for operations. However, given the observations discussed above about GS Yuasa’s cell manufacturing process, Boeing’s and the FAA’s oversight of suppliers manufacturing the 787 power conversion subsystem components could have been more effective.

The NTSB concludes that GS Yuasa’s cell manufacturing process allowed defects that could lead to internal short circuiting, including wrinkles and FOD, to be introduced into the (p. 61)
….

2.5.1 Validation of Assumptions and Data Used in Safety Assessments Involving New Technology

To effectively show compliance with FAA requirements during the certification process, Boeing needed to identify all foreseeable ways that 787 main and APU battery failures could cause the identified airplane-level hazards of venting with smoke and fire (classified by Boeing as a catastrophic event) or venting with or without smoke (classified by Boeing as a hazardous event). Boeing recognized that the propagation of cell-to-cell thermal runaway was a failure condition that could result from an internal short circuit in a single battery cell and evaluated this failure condition using the results of GS Yuasa’s November 2006 development nail penetration test. 135 As stated in section 1.7.3, the nail penetration test results showed that the surface temperature of the nail-penetrated cell increased, smoke vented from the cell and the battery case, and the surface temperature of the adjacent cells increased with no venting. As a result of this test, Boeing, Thales, and GS Yuasa determined that an internal short circuit in a single cell that resulted in thermal runaway would not propagate to other cells within the battery case or generate a fire.

Boeing and Thales performed preliminary and final EPS safety assessments, which included fault tree analyses, FMEAs, and failure rate data provided by GS Yuasa. These assessments considered internal short circuit failures but were developed with the underlying assumption that the most severe effect of an internal short circuit within a cell would be limited to venting of only that cell without fire and propagation to other cells. Thus, the potential for an internal short circuit to lead to multiple-cell or battery thermal runaway with venting, electrolyte leakage, excessive heat, and fire was not analyzed in the safety assessment.

As shown by the circumstances of the BOS incident, the assumption that thermal runaway of a cell would not propagate to other cells within the battery case was incorrect.

135 Boeing, Thales, and GS Yuasa indicated that other battery-level development nail penetration tests were performed, but no documentation of those tests and their results was available for the NTSB’s review. For information about these tests, see the addendum to the System Safety and Certification Group Chairman’s Factual Report, which is available at http://www.ntsb.gov in the public docket for this incident. (p. 68)

Validation of assumptions related to failure conditions that can impact safety is a critical step in the development and certification of an aircraft. The validation process must employ a level of rigor that is consistent with the potential hazard to the aircraft in case an assumption is incorrect. Society of Automotive Engineers (SAE) Aerospace Recommended Practice (ARP) 4754 provides a structured process for managing and validating assumptions with steps that include ensuring that assumptions are explicitly stated, appropriately disseminated, and justified by supporting data (SAE 2010). 136 The ARP notes that validating assumptions can be accomplished using reviews, analyses, and tests.

Development testing is often necessary to validate important design assumptions, but the nail penetration test performed by GS Yuasa did not adequately account for a number of factors that were relevant to propagation risk. For example, the test was not conducted at the battery’s maximum operating temperature of 158ºF, and the test setup did not fully represent the battery installation on the 787 airplane. 137 Also, the test did not include repeated trials of inducing thermal runaway of a cell in multiple batteries to understand how the repeatability of these tests could impact the validity of the test results. Further, the test was performed using a development unit that did not incorporate the final battery design certified as part the 787 type design. 138

Other development tests were performed to evaluate various aspects of the 787 battery’s performance, including the July 2009 integrated system test at UTC Aerospace Systems’ APSIF. This test was not designed to evaluate internal short circuiting effects or the cell-to-cell propagation risk. During the test, the battery was unintentionally charged at an excessive rate, which resulted in the venting of a single cell. Although the thermal runaway of that cell did not propagate to other cells within the battery case, the results of this test should not have been considered to be confirmation of the results of GS Yuasa’s 2006 nail penetration test because the APSIF test was not designed to examine engineering factors that could likely influence whether

136 SAE ARP 4754 is an industry guideline that addresses design development for civil aircraft systems with failure modes that could affect the safety of aircraft on which the systems are installed. SAE ARP 4754 defines validation as “the determination that the requirements for a product are correct and complete.” The original version of the ARP, “Certification Considerations for Highly-Integrated or Complex Aircraft Systems,” was issued in November 1996 and was in use at the time of the 787 certification program. The current version of the ARP, revision A, was issued in December 2010 and was retitled, “Guidelines for Development of Civil Aircraft and Systems.” The revised guideline was expanded to include all types of aircraft certification programs and not just those incorporating highly integrated or complex systems.

FN: 137 The NTSB and UL’s postincident nail penetration testing with an ungrounded battery at the battery’s maximum operating temperature showed that thermal runaway of a single cell propagated to all other cells inside the battery case. Also, the JTSB conducted a heat propagation test on three 787 main and APU batteries. During all three tests, an internal short circuit was initiated in a single cell of each test battery using the nail penetration method. According to the JTSB’s final report on the TAK incident, propagation of thermal runaway to multiple cells within the battery occurred during two of the three tests. For both of these tests, the battery was connected to the BCU, and the battery case was grounded, simulating the actual configuration as installed on the airplane. One of these tests was conducted at 158ºF, and the other test was conducted at 86ºF. The test involving the ungrounded battery case (during which no propagation occurred) was conducted at 86ºF.
138 According to Boeing, Thales, and GS Yuasa, electrolyte leakage was observed during two engineering (noncertification) cell vent tests in September 2009; as a result, the battery case design was modified to incorporate additional sealing to prevent electrolyte leakage. Also, the preproduction battery design used during GS Yuasa’s testing had a different vent disc arrangement than the arrangement in the final battery design. (p. 69)

an internal short circuit would lead to propagation. As a result, the repeatability of the test result under all operating environments and usage conditions was not ensured.

Further, GS Yuasa’s qualification abuse tests, which were intended to demonstrate that the battery design met the criteria established in the 787 main and APU battery SCD, did not provide adequate evidence to discount the possibility of propagation in the event of cell thermal runaway resulting from an internal short circuit. 139 Specifically, none of these tests drove a cell into thermal runaway to demonstrate that propagation would not occur or that the battery case could contain the effects of multiple-cell venting. Also, the batteries used during the tests were not grounded as installed on the airplane. Thus, the results of these tests were not relevant or sufficient for making assumptions about propagation with a grounded battery and for the full range of operating conditions. 140

In addition to underestimating the most severe effects of a cell internal short circuit, Boeing, Thales, and GS Yuasa also underestimated the rate of occurrence for this failure mode. Boeing indicated in its EPS safety assessment that the rate of occurrence of cell venting would be about one in 10 million flight hours. However, this predicted failure rate was significantly lower than the actual failure rate observed for the 787’s first 52,000 hours of service, during which time both the BOS and TAK incidents occurred.

Boeing used data from GS Yuasa to determine the rate of occurrence of cell venting. These data were based on GS Yuasa’s experience with a lithium-ion battery with a similar mechanical design, which GS Yuasa manufactured for use in an industrial application. Of the more than 14,000 similarly designed lithium-ion battery cells in service at the time, GS Yuasa found that none had experienced thermal runaway or venting. Because no failures had occurred, GS Yuasa used probabilistic methods to estimate a failure rate for the industrial battery cells. 141

After accounting for capacity differences between the two battery applications and establishing that the environmental and usage conditions and the manufacturing processes for the 787 and industrial applications would be similar, GS Yuasa determined that the 787 main and APU battery cells would have a failure rate similar to that of the industrial cells.

The method that GS Yuasa used in estimating the failure rate for 787 main and APU battery cells was consistent with industry practices for components manufactured with controlled processes and subjected to similar stress conditions during normal use over time. However, the NTSB found no documented analysis comparing the duty cycle and environment expected in the

139 The qualification abuse testing included two external short circuit tests (low and high impedance shorts at battery terminals), one overcharge test (charge battery to 36 volts for 25 hours), and one overdischarge test (discharge battery to zero volts). These qualification tests were conducted at the battery’s maximum operating temperature of 158ºF, and no thermal runaway occurred. A qualification test involving high-temperature storage (185ºF for 18 hours) also resulted in no thermal runaway.
140 During the NTSB’s April 2013 investigative hearing on the BOS incident, a Boeing representative testified that Boeing used “state of the art in testing” and that no propagation of cells occurred during qualification abuse testing, nail penetration testing, and the venting event at APSIF.
141 Probabilistic methods model and describe the random variations in systems. Probabilistic methods demonstrate compliance in the certification process using probabilistic risk analysis techniques.
(p. 70)

787 application with that experienced in the industrial application. If the 787 application had higher mechanical and/or electrical stress levels than the industrial application due to differences in duty cycle and environment, the onset of certain failure modes could be accelerated, or failure modes not previously exhibited in the industrial cells, such as internal short circuiting and cell venting, could be manifested in the 787 battery cells. 142 Given the potential safety consequences of cell venting and the lack of historical data on cell and battery performance in an airplane application, Boeing, Thales, and GS Yuasa should have performed a structured engineering analysis, supplemented by testing, to compare the differences in duty cycle and environment between the two applications and measure the impact on battery and cell features that drive safety-related failure modes, effects, and rates. This level of rigor was needed to determine whether the use of the industrial cell failure rate was appropriate for the 787 application.

Boeing indicated in certification documents that it used a version of AC 25.1309 (referred to as the Arsenal draft) as guidance in preparing the EPS safety assessment for the 787 type design certification program. The draft AC addressed the treatment of assumptions and data, stating that the underlying assumptions, data sources, and analytical techniques used in safety analyses should be identified and justified to ensure the validity of the conclusions made in safety assessments. However, the analysis that Boeing presented in its EPS safety assessment did not appear to be consistent with the guidance provided in the draft AC. Specifically, the analysis did not (1) identify Boeing’s assumption that thermal runaway of a cell would not propagate to other cells and (2) provide the engineering rationale needed to justify broad use of this assumption under all operating conditions. Also, the analysis did not sufficiently evaluate and justify the use of the industrial battery failure rate data in predicting the risk of a cell venting occurrence for the 787 battery. Further, even if this information had been included in the EPS safety assessment, the validity of the supporting safety analyses would have been difficult to justify given the limited data available. For example, the assumption that propagation would not occur was based on the result of GS Yuasa’s single 2006 nail penetration test, and the failure rate prediction for cell venting was developed without a rigorous comparison of the most severe environmental and usage conditions between the industrial and 787 battery applications.

AC 25.1309 (Arsenal draft) also stated, “where it is not possible to fully justify the adequacy of the safety analysis and where data or assumptions are critical to the acceptability of the failure condition, extra conservatism should be built into either the analysis or the design.” The assumption that the design of the main and APU battery prevented thermal runaway of a single cell from propagating to other cells inside the battery case was critical to accepting the risk of an internal short circuit in a cell because, if the assumption were incorrect, thermal runaway of the battery could occur. As a result, Boeing should have taken a more conservative approach in its safety analyses by including the possibility that propagation of thermal runaway from cell to cell could result from an internal short circuit and considering the potential effects if this failure condition were to occur. If such an approach had been taken, Boeing authorized representatives

142 For example, stresses on the cells introduced by altitude changes would only be present in the 787 application, and these stresses applied over time in service could change the failure modes, the severity of failure effects, and increase the rates of failure for the cells and the entire battery installation. Deterministic methods that involve accelerated stress testing are commonly used to evaluate the influence of engineering factors, such as stress, design, and environment, on item reliability (Condra 1993)“. (p. 71)

….
and/or FAA certification engineers independently reviewing the EPS safety assessment would likely have required Boeing, Thales, and GS Yuasa design engineers to (1) perform more exhaustive test and analysis to properly validate claims about propagation and cell failure rate or (2) incorporate design features to safely accommodate cascading thermal runaway of all cells inside the battery case. 143

Critical assumptions and conclusions made in GS Yuasa’s and Thales’ safety analyses and used in Boeing’s EPS safety assessment were not fully delineated and justified with appropriate data and engineering rationale. However, multiple independent reviews of the EPS safety assessment by Boeing authorized representatives and FAA certification engineers did not reveal these deficiencies. The review process for safety assessments should be designed to closely examine the data used to support conclusions and challenge assumptions, particularly those that could result in significant safety consequences if incorrect. Also, the review process should be designed to ensure a conservative approach when available engineering data and experience are limited.

The NTSB concludes that Boeing’s EPS safety assessment did not consider the most severe effects of a cell internal short circuit and include requirements to mitigate related risks and that the review of the assessment by Boeing authorized representatives and FAA certification engineers did not reveal this deficiency. Therefore, the NTSB recommends that Boeing modify its process for developing safety assessments for designs incorporating new technology to ensure that the conclusions made are validated and that any identified deficiencies are corrected. The NTSB also recommends that the FAA provide its certification engineers with written guidance and training to ensure that (1) assumptions, data sources, and analytical techniques are fully identified and justified in applicants’ safety assessments for designs incorporating new technology and (2) an appropriate level of conservatism is included in the analysis or design, consistent with the intent of AC 25.1309 (Arsenal draft). Further, the NTSB recommends that, during annual recurrent training for engineering designees, the FAA discuss the need for applicants to identify, validate, and justify key assumptions and supporting engineering rationale used in safety assessments addressing new technology.” (p. 72) Read the entire report here: http://www.ntsb.gov/doclib/reports/2014/AIR1401.pdf
[Most emphasis here and throughout this blog post is our own.]

Now the top power sports battery producer, Yuasa provides nearly 90% of the batteries used in power sport vehicles in North America.[2] The company was linked to faulty electrics used in Boeing’s 787 Dreamliner plane.[3]The electrical battery control system was made by Thales Group which also selected GS Yuasa.[4][5]All Nippon Airways (ANA) had replaced 10 batteries (of 17 planes) while Japan Airlines (JAL) had replaced “several” on its 7 planes, before recent mishaps.[6] As of January 29, 2013, the Japan Transport Safety Board has approved the Yuasa factory quality control and continues to investigate the damaged battery of the ANA 787.[7][8][9] Meanwhile, the American National Transportation Safety Board continues to look for defects in the Boston JAL 787 battery“.[10] http://en.wikipedia.org/wiki/GS_Yuasa

NOTES
(ordered by length – importance)

[2] “Dassault Systèmes S.A. (French pronunciation: ​[daˈso]; abbreviated 3DS) is a French software company that specializes in the production of 3D design software, 3D digital mock-up and product lifecycle management (PLM) solutions. The company also offers social and collaboration and information and intelligence products.http://en.wikipedia.org/wiki/Dassault_Systèmes

Floating shares : 51,0 %
Groupe Dassault : 41,1 %
Charles Edelstenne : 6,2 %
MFS : 2,0 %
Allianz : 1,1 %
Jupiter : 1,1 %
Kingdom of Norway : 1,0 %
Bernard Charlès : 0,65 % (août 2012)
Parent company: Groupe Dassault http://fr.wikipedia.org/wiki/Dassault_Systèmes

[4] “Thales is producing sonar installations for British and French submarines. In March 2013, the company obtained a £ 600 million (€ 708 million) ten-year contract to maintain and repair the sensor and electronic warfare systems of the Royal Navy submarine fleet, including Vanguard-class submarines, armed with Trident II (D5) nuclear missiles. Thales, together with EADS, Safran, SNPE (part of Safran-subsidiary Herakles) and DCNS, obtained a contract in December 2004 to build the new M51 nuclear missile for the new French submarines, an estimated value of € 3 billion. EADS’s subsidiary Astrium is the lead contractor, whereas Safran, SNPE, DCNS and Thales are the main subcontractors.http://www.dontbankonthebomb.com/thales/
They may have obtained it in March, but apparently signed in May: https://www.gov.uk/government/news/600-million-royal-navy-contract-secures-more-than-500-jobs

[1] Submarine photo: NE100530248, CPOA(Phot) Tam McDonald, Credit: Crown Copyright, Source: ROYAL NAVY, Caption Writer: CPOA(Phot) Thomas McDonald
Headline: Nuclear Submarine HMS Vanguard Passes HMS Dragon as She Returns to HMNB Clyde, Scotland. File is available for reuse under the OGL (Open Government License) Created date : 29/11/2010

[3] Thales Ownership

(Thales Avionics is the aviation division of Thales Group.)

Approximately 29% French govt. owned. Thales is 27% French govt. owned but the French also have a stake in Dassault Aviation via EADS France, 11.99% of which is held by the French State. Also, Thales owns a small part of itself. Nonetheless, the Dassault family still holds controlling interest in Dassault Aviation and Serge Dassault is CEO.

Thales:
French State 27 %
Dassault Aviation 26 %
Floating 47 %
of which employees 3.0 %
and Thales 1.8 %
http://fr.wikipedia.org/wiki/Thales
Dassault Aviation:
Groupe Dassault : 50.55 %
EADS France : 46.32 %
Public : 3.13 %
http://fr.wikipedia.org/wiki/Dassault_Aviation

EADS:
French State 11.99 %
German State 10.94 %
Spanish State 4.13 %
Floating : 72.94 %
as of 31 December 2013 http://fr.wikipedia.org/wiki/European_Aeronautic_Defence_and_Space_Company

Dassault Group:
Serge Dassault CEO
Stock holders Dassault Family
Holding company http://fr.wikipedia.org/wiki/Groupe_Dassault

In 1997 Serge Dassault had an issue of the French magazine Marianne seized only 3 days after start of sales because they presented him as the “Tricolor Emperor of Corruption” (l’empereur tricolore de la corruption).

In 1998 he was condemned in Belgium to 2 years in prison with reprieve for corruption in the framework of the Agusta Affair. On April 10, 2014 he was indicted for alleged vote buying, involvement in illegal campaign financing. http://fr.wikipedia.org/wiki/Serge_Dassault#Affaires_judiciaires

Corruption allegations against Thales itself have included:
Centralized slush fund
Michel Josserand, former head of THEC, a subsidiary of Thales, and Dominique Monleau, alleged that Thales has a centralized slush fund that it uses to bribe officials.[20]

ANC
Schabir Shaik, the financial advisor to the president of the African National Congress party Jacob Zuma, was found guilty of organising a bribe on behalf of Thales.[21]

World Bank
In 2004 the World Bank’s Integrity Unit blacklisted Thales from any of the World Bank’s projects for one year because of its fraudulent practices in a US$6.9 million contract for the supply and maintenance of motorcycles in Cambodia.[22]

Taiwanese Naval Order
On June 10, 2011 Thales was ordered to pay 630 million euros (almost a billion US dollars) in fines after the courts heard that bribes had been paid to the Taiwanese government to win a large naval contract. To this day, this is the largest corruption case in French history. [23]

http://en.wikipedia.org/wiki/Thales_Group Sounds like lots of allegations of bribery.