Field Notes — A Solutions Series

Public safety failures, turned into engineering work products.

Every quarter brings another headline that sounds like a technology problem but reads, to anyone who has run a HARA, like a process problem. This blog covers functional safety and cybersecurity across automotive, aerospace, robotics & physical AI, industrial, and medical — translating each story into the artifacts our standards already ask us to produce.

Domains: Automotive · Aerospace · Robotics & Physical AI · Industrial · Medical
FuSa · SOTIF · CyberSec · Across Domains
5× domains covered · 15+ audit-ready tabs / workbook · 59 safety goals derived (ex.) · 2026 Field Notes — issue 01
Latest field notes

June 30, 2026 · 15 min

When the Maintenance Manual Disabled the Monitor: The Boeing 737NG Thrust-Reverser Lock-Indication AD Through an ARP4761A and 25.933 Lens

FAA NPRM AD-2025-00364-T (91 FR 15566, March 30, 2026) proposes inspections across all Boeing 737-600/-700/-700C/-800/-900/-900ER airplanes after a report that an AMM rigging procedure can leave a thrust reverser indicating 'locked' when it is not. Re-framed as a latent monitor failure ARP4761A should have bounded, a 14 CFR 25.933/25.1309 single-failure gap, and a recurrence of the same defeat the FAA already chased in 2019's AD 2019-18-03.

June 28, 2026 · 14 min

When the Safety Limits Were One Network Packet Away: The Universal Robots PolyScope 5 Command-Injection Flaw (CVE-2026-8153) Through an ISO 10218:2025 and IEC 62443 Lens

CISA advisory ICSA-26-134-17 (May 14, 2026) and Universal Robots' PSIRT advisory cover CVE-2026-8153, an unauthenticated OS command injection (CWE-78, CVSS 9.8) in the PolyScope 5 Dashboard Server that hands a network attacker root on a UR cobot controller - the same controller that enforces the ISO/TS 15066 power-and-force limits keeping an operator safe in the shared workspace. Re-framed as the cybersecurity risk assessment ISO 10218:2025 now demands, a missing IEC 62443 conduit boundary, and the safety-function integrity claim one unsanitized string defeats.

June 26, 2026 · 14 min

When the Relay Could Be Reflashed Over Its Own Engineering Port: The Siemens SIPROTEC 5 DIGSI 5 File-Upload Advisory Through an IEC 62443 and IEC 61850 Lens

CISA re-released ICSA-26-174-02 on June 23, 2026 over CVE-2025-40808 — an authenticated arbitrary file upload via the DIGSI 5 engineering protocol that can brick a Siemens SIPROTEC 5 protection relay or silently rewrite its trip logic. Re-framed as a missing IEC 62443-4-2 input-validation and integrity control, an unsigned-firmware gap no allow-list fully closes, and a protection-independence claim defeated by one upload.

June 24, 2026 · 14 min

When the Monitor Wore Out on the Shaft It Was Watching: The ATR 42 Flap-Asymmetry Detector AD Through an ARP4761A and 25.671 Lens

FAA AD 2026-09-13 (effective June 18, 2026) adopts EASA AD 2025-0087 across all ATR 42-200/-300/-320 airplanes after a flap asymmetry detector was found with worn splines, no longer engaged to the interconnection shaft it exists to watch. Re-framed as a dormant-monitor failure ARP4761A should have bounded, a 25.671/25.701 common-mode gap, and a certification maintenance task that arrived only after a mechanic found it on the bench.

June 22, 2026 · 14 min

When the Restraint Became the Hazard: The Honda Odyssey 26V227 Inadvertent Airbag Recall Through an ISO 26262 and ISO 21448 Lens

NHTSA recall 26V227 (filed April 9, 2026) covers 440,830 model-year 2018-2022 Honda Odyssey minivans whose SRS ECU can fire the side and side-curtain airbags over potholes and speed bumps - the deployment-threshold margin treats road shock as a side crash. Re-framed as an ISO 26262-3 Clause 7 commission row rated ASIL D, an ISO 21448 Known Unsafe triggering condition, and a 2021 'no safety concern' closure that should have been a requirement.

June 20, 2026 · 14 min

When 'No Fix Planned' Lands on a Safety-Capable PLC: The Mitsubishi MELSEC iQ-F FX5 DoS Advisories Through an IEC 62443 and IEC 62061 Lens

CISA advisories ICSA-26-169-05 and -06 (June 18, 2026) disclose two remotely triggerable denial-of-service flaws in the EtherNet/IP and Ethernet modules of Mitsubishi's MELSEC iQ-F FX5 - the same compact PLC family that carries a SIL 3 / PL e safety extension, and one flaw ships marked 'no fix planned.' Re-framed as a missing IEC 62443-4-2 availability control, an unbuilt zone-and-conduit boundary, and the IEC 62061 safe-state requirement that should never have depended on the attacked path.

June 18, 2026 · 14 min

When the Console Rebooted and Said Nothing: The Abiomed Impella Controller Restart Through an IEC 62304 and IEC 60601-1-8 Lens

FDA Early Alert (May 21, 2026) warns that a software error in Abiomed's Automated Impella Controller can force the console to restart during left-ventricular support - stopping the pump for ~35 seconds with a black screen and no alarm, two serious injuries and one death so far. Re-framed as an IEC 62304 Class C segregation failure, an IEC 60601-1-8 alarm gap, and the ISO 14971 risk row that asks what annunciates when the monitor itself reboots.

June 17, 2026 · 15 min

When the Service Letter Said 'Not Safety of Flight': The UPS MD-11 Pylon-Separation Crash Through a 14 CFR 25.571 and ARP4761A Lens

UPS Flight 2976, an MD-11F, lost its left engine and pylon on rotation out of Louisville on Nov 4, 2025, killing 15. The NTSB's May 2026 hearing traced it to a fatigue crack in a pylon aft-mount spherical bearing race that Boeing flagged in a 2011 Service Letter and judged 'not a safety of flight condition.' Re-framed as a misclassified 25.571 Principal Structural Element and five derived requirements.

June 8, 2026 · 15 min

When the Detector Was Already in the Catalog: The Volkswagen ID.4 Battery-Fire Recalls Through an ISO 26262 and UN GTR 20 Lens

Volkswagen filed three overlapping ID.4 recalls (Dec 2025-Jan 2026) over high-voltage battery fires traced to shifted electrodes from SK Battery America. The largest - NHTSA 26V030, 43,881 vehicles - exists only because a Self-Discharge Detection function that would have warned drivers before three known fires was never installed. Re-framed as an ASIL D safety mechanism left unallocated, a UN GTR 20 occupant-warning gap, and five derived requirements.

June 6, 2026 · 14 min

When the Routine Was the Hazard: The Unitree G1 Public-Demo Strikes Through an ISO 10218 and ISO/TS 15066 Lens

A Unitree G1 roundhouse-kicked a child at a public demo in Urumqi on June 1, 2026 - the third bystander-contact event in Chinese humanoid performances this year. The robot wasn't rogue; it followed its script. Re-framed as a missing ISO 12100 risk assessment, an unrun ISO 13855 separation calculation, and five derived requirements for the most dangerous operating mode in robotics: the demo.

June 4, 2026 · 14 min

When the Backup Was the Operator: The Draeger Atlan A350 Anesthesia Workstation Correction Through an ISO 80601-2-13 and ISO 14971 Lens

FDA Early Alert (May 18, 2026) expands Draeger's October 2024 Urgent Medical Device Correction on Atlan A350 and A350 XL anesthesia workstations after a manufacturing impurity in the piston ventilator drive can stop mechanical ventilation before or during a case. Re-framed as a missing ISO 80601-2-13 essential-performance row, a 21 CFR 820.70 process-control gap, and the alarm requirement nobody wrote.

June 2, 2026 · 14 min

When the Charger Was the Conduit: The ABB Terra AC OCPP Heap Overflow Through an IEC 62443-4-2 and ISO 15118 Lens

CISA advisory ICSA-26-146-01 (May 26, 2026) republishes ABB PSIRT 9AKK108471A8948 for CVE-2025-5517, a heap-based buffer overflow in the OCPP message parser of the Terra AC Wallbox that lets a malicious or hijacked CSMS take remote control of a Level-2 EV charger. Re-framed as a missing IEC 62443-4-2 CR 3.5 input-validation control, an absent OCPP Security Profile 3 deployment, and five derived cybersecurity requirements.

May 30, 2026 · 14 min

When the Crew Was the HUMS: The Airbus H145 D-3 Rotor Hub-Shaft Emergency AD Through an ARP4761A and 14 CFR 29.571 Lens

FAA Emergency AD 2026-08-51 (effective May 14, 2026) and EASA EAD 2026-0078-E ground the H145 / MBB-BK 117 D-3 fleet over a cracked main-rotor hub-shaft detected only after the crew flew a vibrating helicopter. Re-framed as a 14 CFR 29.571 PSE gap, an ARP4761A Particular Risks row, and the AC 29 MG-15 HUMS allocation that should have caught the crack before the pilot did.

May 28, 2026 · 14 min

When the Safety Mechanism Becomes the Hazard: The Hyundai 26V316 Phantom-Braking Recall Through an ISO 21448 SOTIF Lens

NHTSA recall 26V316 (May 2026) covers 421,078 model-year 2025-2026 Hyundai Tucson and Santa Cruz vehicles after the Mobis front-camera Forward Collision Avoidance software produced unintended braking - four crashes, four alleged injuries, 376 field reports. Re-framed as an ISO 26262-3 Clause 7 HARA commission row, an ISO 21448 Known Unsafe triggering-condition entry, and five derived requirements.

May 26, 2026 · 14 min

When the Slat Could Lie and the Flight Deck Couldn't Tell: The Boeing 787 LEOLA AD Through an ARP4761A and AC 25-19A Lens

FAA NPRM 2026-05327 (March 18, 2026) supersedes the 2019 interim AD on Boeing 787 leading-edge outboard slats - six years of operational checks and an AFM icing prohibition were never the safety case, just a holding pattern. Re-framed as a Catastrophic FHA row that demanded a design change, a Common Mode Analysis gap on the torque brake, and a CMR finally arriving as 27-CMR-14.

May 24, 2026 · 13 min

When the Bug Shipped Inside the Firmware: The SENTRON 7KT PAC1261 Advisory Through an IEC 62443-4-1 Lens

CISA advisory ICSA-26-134-14 (May 14, 2026) rates the Siemens SENTRON 7KT PAC1261 Data Manager CVSS 9.1 for a request-smuggling device takeover - but the flaw is CVE-2025-22871, a Go net/http bug public and patched 13 months earlier. Re-framed as a missing IEC 62443-4-1 SBOM, an absent defect-management feed, and five derived cybersecurity requirements.

May 22, 2026 · 13 min

Three Recalls, One Dark Cluster: Stellantis's Instrument-Panel Software Failures Through an ISO 26262 Lens

Three FCA US recalls in six months - 72,509 Ram trucks, 65,348 more, and 20,271 Jeep and Dodge EVs - all trace to instrument-cluster software that goes blank. Re-framed as a QM-rated display silently carrying ASIL C warnings, a missing dependent-failure analysis, and five derived requirements.

May 20, 2026 · 14 min

When the Safe State Wasn't Safe: The ACCOLADE Pacemaker Class I Recall Through an ISO 14971 and IEC 62304 Lens

FDA confirmed a Class I recall correction for 1.4 million Boston Scientific ACCOLADE pacemakers and CRT-Ps - four deaths, 2,557 serious injuries from a battery defect that latches the device into a fixed-rate Safety Mode. Re-framed as a missing ISO 14971 risk row for the risk control measure itself and an IEC 62304 software-maintenance regression.

May 18, 2026 · 14 min

When the Robot Bought a Plane Ticket: Southwest's Humanoid Ban Through a 49 CFR 175 and ISO 13482 Lens

Southwest Airlines banned humanoid and animal-like robots from its cabin and checked baggage on May 13, 2026 after a 70-lb humanoid named Bebop blew the 100-Wh installed-battery limit on Flight 1568 and a 3.5-ft humanoid named Stewie bought a window seat from Las Vegas to Dallas. Re-framed as a missing transport-mode operating state, an absent hazmat conformance flowdown, and five derived requirements every humanoid product file should already have.

May 16, 2026 · 15 min

When the Skin Was Off by a Mil: The A320neo Sofitec Fuselage Panel AD Through a Part 21 and ARP4761A Lens

FAA Emergency AD 2026-09-06 (effective May 26, 2026) forces a fleet-wide thickness map of forward-fuselage skin panels on 628 Airbus A319/A320/A321neo aircraft after Sofitec Aero found stretch-and-mill deviations. Re-framed as a 14 CFR Part 21 quality-system gap, an AS9100D supplier-flowdown failure, and the Particular Risks Analysis row ARP4761A would have expected.

May 14, 2026 · 13 min

The Car Saw the Flood and Drove In Anyway: Waymo's Untraversable-Lane Recall Through an ISO 21448 Lens

Waymo recalled 3,791 robotaxis on May 12, 2026 after an unoccupied vehicle detected a flooded San Antonio roadway, slowed, and drove in anyway - ending up in Salado Creek. Re-framed as a SOTIF functional insufficiency, a missing ODD exit condition, and a behavior-policy requirement that was never gated on road-speed class.

May 12, 2026 · 14 min

When the Robot Said the Staple Line Closed: The SureForm 30 Class I Recall Through an IEC 80601-2-77 Lens

FDA classified Intuitive Surgical's 8mm SureForm 30 Gray Reload recall as Class I on May 5, 2026 after one death and four serious injuries traced to incomplete staple lines on blood vessels. The engineering story isn't the staple - it's that the robot reported a completed fire without verifying outcome. Re-framed as a missing IEC 80601-2-77 essential-performance verification, an ISO 14971 row that should have been Catastrophic, and an IEC 62304 Class C supervisor gap.

May 10, 2026 · 16 min

When the Manual Was the Exploit: The April 2026 Iranian-PLC Advisory Through an IEC 62443 and IEC 61511 Lens

CISA AA26-097A (April 7, 2026) confirms Iranian-affiliated CyberAv3ngers compromising Rockwell CompactLogix and Micro850 PLCs across U.S. water, wastewater, energy, and government sites. Re-framed as a missing IEC 62443-3-2 zone/conduit, an IEC 62443-3-3 SR-1.1/1.2 control gap, and an IEC 61511 11.2.10 SIS independence violation - with worked rows, a fault tree, and five derived requirements.

May 10, 2026 · 13 min

When the Battery Lies and the UI Freezes: The Ivenix LVP Class I Recall Through an IEC 62304 Lens

FDA classified the Fresenius Kabi Ivenix Large Volume Pump software recall as Class I in February 2026 - two anomalies (silent battery shutdown and a fail-stop UI freeze on a leading-zero input) on a Class C device. Re-framed as missing IEC 62304 unit verification, an ISO 14971 risk row that should have been Catastrophic, and an IEC 60601-1-8 alarm conformance gap.

May 9, 2026 · 14 min

When Ham Radio Crashes the Transponder: The Boeing 787 ISSPU AD Through an ARP4761 Lens

FAA AD 2026-04832 grounds 150 Boeing 787s for ISSPU replacement after CW interference quietly killed the Mode S transponder. Re-framed as a missing FHA row, a Common Mode Analysis gap, a DO-160G Section 20 test envelope hole, and five traceable derived requirements.

May 9, 2026 · 12 min

Three Headlines, Three Engineering Fixes: How a FuSa Lens Turns Tesla, Waymo, and Nvidia News into Solvable Problems

A walk through the Tesla NHTSA EA26002 visibility probe, Waymo's school-bus software recall, and the Nvidia Jetson Orin CVE disclosures - translated into HARA rows, fault trees, FMEA snippets, derived requirements, and TARA scenarios. Two audit-style workbooks attached.
