Field Notes — A Solutions Series

Public safety failures, turned into engineering work products.

Every quarter brings another headline that sounds like a technology problem but reads, to anyone who has run a HARA, like a process problem. This blog covers functional safety and cybersecurity across automotive, aerospace, robotics & physical AI, industrial, and medical — translating each story into the artifacts our standards already ask us to produce.

FuSa · SOTIF · CyberSec · Across Domains
5 domains covered · 15+ audit-ready tabs per workbook · 59 safety goals derived (example) · 2026, Field Notes issue 01
Latest field notes

June 8, 2026 · 15 min read

When the Detector Was Already in the Catalog: The Volkswagen ID.4 Battery-Fire Recalls Through an ISO 26262 and UN GTR 20 Lens

Volkswagen filed three overlapping ID.4 recalls (Dec 2025–Jan 2026) over high-voltage battery fires traced to shifted electrodes from SK Battery America. The largest, NHTSA 26V030 covering 43,881 vehicles, exists only because a Self-Discharge Detection function that would have warned drivers before three known fires was never installed. Re-framed as an ASIL D safety mechanism left unallocated, a UN GTR 20 occupant-warning gap, and five derived requirements.
June 6, 2026 · 14 min read

When the Routine Was the Hazard: The Unitree G1 Public-Demo Strikes Through an ISO 10218 and ISO/TS 15066 Lens

A Unitree G1 roundhoused-kicked a child at a public demo in Urumqi on June 1, 2026, the third bystander-contact event in Chinese humanoid performances this year. The robot wasn't rogue; it followed its script. Re-framed as a missing ISO 12100 risk assessment, an unrun ISO 13855 separation calculation, and five derived requirements for the most dangerous operating mode in robotics: the demo.
June 4, 2026 · 14 min read

When the Backup Was the Operator: The Draeger Atlan A350 Anesthesia Workstation Correction Through an ISO 80601-2-13 and ISO 14971 Lens

FDA Early Alert (May 18, 2026) expands Draeger's October 2024 Urgent Medical Device Correction on Atlan A350 and A350 XL anesthesia workstations because a manufacturing impurity in the piston ventilator drive can stop mechanical ventilation before or during a case. Re-framed as a missing ISO 80601-2-13 essential-performance row, a 21 CFR 820.70 process-control gap, and the alarm requirement nobody wrote.
June 2, 2026 · 14 min read

When the Charger Was the Conduit: The ABB Terra AC OCPP Heap Overflow Through an IEC 62443-4-2 and ISO 15118 Lens

CISA advisory ICSA-26-146-01 (May 26, 2026) republishes ABB PSIRT 9AKK108471A8948 for CVE-2025-5517, a heap-based buffer overflow in the OCPP message parser of the Terra AC Wallbox that lets a malicious or hijacked CSMS take remote control of a Level-2 EV charger. Re-framed as a missing IEC 62443-4-2 CR 3.5 input-validation control, an absent OCPP Security Profile 3 deployment, and five derived cybersecurity requirements.
May 30, 2026 · 14 min read

When the Crew Was the HUMS: The Airbus H145 D-3 Rotor Hub-Shaft Emergency AD Through an ARP4761A and 14 CFR 29.571 Lens

FAA Emergency AD 2026-08-51 (effective May 14, 2026) and EASA EAD 2026-0078-E ground the H145 / MBB-BK 117 D-3 fleet over a cracked main-rotor hub-shaft detected only after the crew flew a vibrating helicopter. Re-framed as a 14 CFR 29.571 PSE gap, an ARP4761A Particular Risks row, and the AC 29 MG-15 HUMS allocation that should have caught the crack before the pilot did.
May 28, 2026 · 14 min read

When the Safety Mechanism Becomes the Hazard: The Hyundai 26V316 Phantom-Braking Recall Through an ISO 21448 SOTIF Lens

NHTSA recall 26V316 (May 2026) covers 421,078 model-year 2025–2026 Hyundai Tucson and Santa Cruz vehicles after the Mobis front-camera Forward Collision Avoidance software produced unintended braking: four crashes, four alleged injuries, 376 field reports. Re-framed as an ISO 26262-3 §7 HARA commission row, an ISO 21448 Known Unsafe triggering-condition entry, and five derived requirements.
May 26, 2026 · 14 min read

When the Slat Could Lie and the Flight Deck Couldn't Tell: The Boeing 787 LEOLA AD Through an ARP4761A and AC 25-19A Lens

FAA NPRM 2026-05327 (March 18, 2026) supersedes the 2019 interim AD on Boeing 787 leading-edge outboard slats. Six years of operational checks and an AFM icing prohibition were never the safety case, just a holding pattern. Re-framed as a Catastrophic FHA row that demanded a design change, a Common Mode Analysis gap on the torque brake, and a CMR finally arriving as 27-CMR-14.
May 24, 2026 · 13 min read

When the Bug Shipped Inside the Firmware: The SENTRON 7KT PAC1261 Advisory Through an IEC 62443-4-1 Lens

CISA advisory ICSA-26-134-14 (May 14, 2026) rates the Siemens SENTRON 7KT PAC1261 Data Manager CVSS 9.1 for a request-smuggling device takeover, but the flaw is CVE-2025-22871, a Go net/http bug that was public and patched 13 months earlier. Re-framed as a missing IEC 62443-4-1 SBOM, an absent defect-management feed, and five derived cybersecurity requirements.
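The "absent defect-management feed" in the SENTRON note is, in practice, a missing gate that compares what a shipped binary was built with against what the upstream advisory says is fixed. The script below is an added example written for this page, not Siemens' or Go's own tooling: it parses the first line of `go version -m <binary>` output (which reports the toolchain that built the binary) and checks it against the fixed versions for CVE-2025-22871 as published in the Go security release. The sample output, the binary name and the module path are constructed for illustration; the fixed-version table is my reading of the Go announcement and should be verified against the advisory for your own toolchain line.

```python
"""Added example: gate a Go binary on its embedded toolchain version.

Parses `go version -m <binary>` output and asks whether the toolchain that
built the binary predates the fix for a given CVE. Not the project's code;
the sample output below is constructed.
"""
import re

# Toolchain versions that first carried the net/http chunked-body request
# smuggling fix (CVE-2025-22871), per the Go security release. Assumption:
# verify these against the advisory before relying on them.
FIXED_BY_MINOR = {
    "CVE-2025-22871": {23: (1, 23, 8), 24: (1, 24, 2)},
}

# Constructed sample of `go version -m` output; binary and module names are
# hypothetical, the checksum is not a real module hash.
SAMPLE_GO_VERSION_M = """\
datamanager-web: go1.23.5
\tpath\texample.com/datamanager/cmd/web
\tmod\texample.com/datamanager\t(devel)
\tdep\tgolang.org/x/net\tv0.30.0\th1:constructedchecksumvalue0000000000000000000000=
\tbuild\t-buildmode=exe
"""

# First line looks like "<binary>: go1.23.5"; pre-release tags (go1.24rc1)
# carry no patch number, so the patch group is optional and defaults to 0.
_VER_RE = re.compile(r":\s*go(\d+)\.(\d+)(?:\.(\d+))?")


def toolchain_version(go_version_m_output):
    """Return the (major, minor, patch) toolchain that built the binary."""
    first = go_version_m_output.splitlines()[0]
    m = _VER_RE.search(first)
    if not m:
        raise ValueError("no Go toolchain version in: " + first)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version, cve):
    """True when the toolchain predates the fix for `cve`.

    A minor line present in the table is compared against its fixed patch.
    A minor line older than any fixed line never received the fix (Go only
    patches the two most recent minors) and is treated as vulnerable; a
    newer line shipped after the fix and is treated as fixed.
    """
    fixed_lines = FIXED_BY_MINOR[cve]
    fixed = fixed_lines.get(version[1])
    if fixed is None:
        return version[1] < min(fixed_lines)
    return version < fixed


def assess(go_version_m_output, cve):
    """One-shot gate: parse the output and return a verdict dict."""
    ver = toolchain_version(go_version_m_output)
    return {
        "toolchain": "go%d.%d.%d" % ver,
        "cve": cve,
        "vulnerable": is_vulnerable(ver, cve),
    }


if __name__ == "__main__":
    verdict = assess(SAMPLE_GO_VERSION_M, "CVE-2025-22871")
    print(verdict)
    # Non-zero exit makes this usable as a release gate in CI.
    raise SystemExit(1 if verdict["vulnerable"] else 0)
```

In a real pipeline the input would come from `go version -m` run over every Go binary in the firmware image; the same table-and-compare shape works for any toolchain or dependency CVE once the SBOM records what was actually linked.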
May 22, 2026 · 13 min read

Three Recalls, One Dark Cluster: Stellantis's Instrument-Panel Software Failures Through an ISO 26262 Lens

Three FCA US recalls in six months (72,509 Ram trucks, 65,348 more, and 20,271 Jeep and Dodge EVs) all trace to instrument-cluster software that goes blank. Re-framed as a QM-rated display silently carrying ASIL C warnings, a missing dependent-failure analysis, and five derived requirements.
May 20, 2026 · 14 min read

When the Safe State Wasn't Safe: The ACCOLADE Pacemaker Class I Recall Through an ISO 14971 and IEC 62304 Lens

FDA confirmed a Class I recall correction for 1.4 million Boston Scientific ACCOLADE pacemakers and CRT-Ps: four deaths and 2,557 serious injuries from a battery defect that latches the device into a fixed-rate Safety Mode. Re-framed as a missing ISO 14971 risk row for the risk control measure itself and an IEC 62304 software-maintenance regression.
May 18, 2026 · 14 min read

When the Robot Bought a Plane Ticket: Southwest's Humanoid Ban Through a 49 CFR 175 and ISO 13482 Lens

Southwest Airlines banned humanoid and animal-like robots from its cabin and checked baggage on May 13, 2026 after a 70-lb humanoid named Bebop blew the 100-Wh installed-battery limit on Flight 1568 and a 3.5-ft humanoid named Stewie bought a window seat from Las Vegas to Dallas. Re-framed as a missing transport-mode operating state, an absent hazmat conformance flowdown, and five derived requirements every humanoid product file should already have.
May 16, 2026 · 15 min read

When the Skin Was Off by a Mil: The A320neo Sofitec Fuselage Panel AD Through a Part 21 and ARP4761A Lens

FAA Emergency AD 2026-09-06 (effective May 26, 2026) forces a fleet-wide thickness map of forward-fuselage skin panels on 628 Airbus A319/A320/A321neo aircraft after Sofitec Aero found stretch-and-mill deviations. Re-framed as a 14 CFR Part 21 quality-system gap, an AS9100D supplier-flowdown failure, and the Particular Risks Analysis row ARP4761A would have expected.
May 14, 2026 · 13 min read

The Car Saw the Flood and Drove In Anyway: Waymo's Untraversable-Lane Recall Through an ISO 21448 Lens

Waymo recalled 3,791 robotaxis on May 12, 2026 after an unoccupied vehicle detected a flooded San Antonio roadway, slowed, and drove in anyway, ending up in Salado Creek. Re-framed as a SOTIF functional insufficiency, a missing ODD exit condition, and a behavior-policy requirement that was never gated on road-speed class.
May 12, 2026 · 14 min read

When the Robot Said the Staple Line Closed: The SureForm 30 Class I Recall Through an IEC 80601-2-77 Lens

FDA classified Intuitive Surgical's 8mm SureForm 30 Gray Reload recall as Class I on May 5, 2026 after one death and four serious injuries traced to incomplete staple lines on blood vessels. The engineering story isn't the staple; it's that the robot reported a completed fire without verifying the outcome. Re-framed as a missing IEC 80601-2-77 essential-performance verification, an ISO 14971 row that should have been Catastrophic, and an IEC 62304 Class C supervisor gap.
May 10, 2026 · 16 min read

When the Manual Was the Exploit: The April 2026 Iranian-PLC Advisory Through an IEC 62443 and IEC 61511 Lens

CISA AA26-097A (April 7, 2026) confirms Iranian-affiliated CyberAv3ngers compromising Rockwell CompactLogix and Micro850 PLCs across U.S. water, wastewater, energy, and government sites. Re-framed as a missing IEC 62443-3-2 zone/conduit, an IEC 62443-3-3 SR 1.1/1.2 control gap, and an IEC 61511 11.2.10 SIS independence violation, with worked rows, a fault tree, and five derived requirements.
May 10, 2026 · 13 min read

When the Battery Lies and the UI Freezes: The Ivenix LVP Class I Recall Through an IEC 62304 Lens

FDA classified the Fresenius Kabi Ivenix Large Volume Pump software recall as Class I in February 2026: two anomalies (silent battery shutdown and a fail-stop UI freeze on a leading-zero input) on a Class C device. Re-framed as missing IEC 62304 unit verification, an ISO 14971 risk row that should have been Catastrophic, and an IEC 60601-1-8 alarm conformance gap.
May 9, 2026 · 14 min read

When Ham Radio Crashes the Transponder: The Boeing 787 ISSPU AD Through an ARP4761 Lens

FAA AD 2026-04832 grounds 150 Boeing 787s for ISSPU replacement after CW interference quietly killed the Mode S transponder. Re-framed as a missing FHA row, a Common Mode Analysis gap, a DO-160G Section 20 test-envelope hole, and five traceable derived requirements.
May 9, 2026 · 12 min read

Three Headlines, Three Engineering Fixes: How a FuSa Lens Turns Tesla, Waymo, and Nvidia News into Solvable Problems

A walk through the Tesla NHTSA EA26002 visibility probe, Waymo's school-bus software recall, and the Nvidia Jetson Orin CVE disclosures, translated into HARA rows, fault trees, FMEA snippets, derived requirements, and TARA scenarios. Two audit-style workbooks attached.