The Safety Promise and Challenge of Automotive Electronics

5 Review of National Highway Traffic Safety Administration Initiatives on Unintended Acceleration

The statement of task for this study requests "an independent review of past and ongoing industry and NHTSA [National Highway Traffic Safety Administration] analyses to identify possible causes of unintended acceleration." As noted in Chapter 1, NHTSA's Office of Defects Investigation (ODI) has investigated driver complaints of unintended acceleration for more than 40 years, and these complaints have encompassed a wide range of reported vehicle behaviors. Some complaints have involved moving vehicles that do not slow down as expected when pressure on the accelerator pedal is released. Others have involved vehicles that speed up abruptly with high engine power from a stopped position or while moving slowly. At other times the complainants describe fluctuations in engine idling, hesitation, shuddering during gear changes, fluctuation of cruise control speeds around their set values, or delayed deceleration when brakes are applied on an uneven road surface. Degraded or failed braking is often asserted along with the unintended acceleration. Some complainants report having brought the vehicle to a dealer or other repair facility after the episode only to learn that no vehicle-related causes could be found or to receive an unsatisfactory explanation of possible causes.[1]

[1] The committee read the narratives of hundreds of complaints submitted to NHTSA and downloaded from the agency's website to make these characterizations.

The committee is not charged with determining which of these vehicle behaviors constitute unintended acceleration or with examining alternative theories of the causes of such behaviors. The charge is to review the investigations conducted and supported by ODI on the basis of its definition of unintended acceleration and its purposes in conducting the investigations. ODI informed the committee that it investigates consumer complaints to determine whether the conditions and behaviors reported result from a vehicle-related deficiency that presents a public safety risk.[2] The agency's investigations inform decisions about whether specific follow-up steps are warranted, such as influencing or ordering a manufacturer safety recall, amending a Federal Motor Vehicle Safety Standard (FMVSS), or sponsoring research to identify vehicle- and human-related factors that may be causing or contributing to an evident safety deficiency. The emphasis of this chapter is on reviewing ODI investigations of unintended acceleration with regard to their use in informing such agency decisions. As a consequence, the chapter does not assess ODI's investigations with regard to reasons unconnected to agency decision making, for example, whether the investigations are suited to exploring all conceivable means by which electronics systems could fail and lead to unsafe vehicle conditions or behaviors. The committee understands that ODI's investigations are intended to identify defects that present a demonstrable safety hazard.[3]

[2] Title 49, United States Code, Chapter 301, Subchapter 1, Section 30101. To demonstrate the existence of a safety defect, NHTSA needs to show that a defect exists and that it is safety-related. Accordingly, the agency must prove both that substantial numbers of failures attributable to the defect have occurred or are likely to occur and that the failures pose an unreasonable risk to safety.

[3] One could argue that NHTSA should examine electronics systems to assess any vulnerabilities that could plausibly lead to unsafe behaviors in the field and then perhaps look for evidence of such behaviors in the fleet. However, NHTSA does not view "prove out" as part of its mission, and therefore ODI's investigations are not designed for this purpose. As noted in Chapter 1, NHTSA describes the purpose of its initiatives on unintended acceleration as "intended to provide NHTSA with the information it needed to determine what additional steps may be necessary to identify the causes of unintended acceleration in Toyota vehicles and determine whether a previously unknown electronic defect may be present in those vehicles and warrant a defect investigation" (NHTSA 2011, 12).

For years, ODI's Defects Assessment Division has sorted the complaints it receives on unintended acceleration according to certain signature characteristics that it associates with driver pedal misapplication. By doing so, ODI believes that it can make more effective use of its investigative resources and better identify complaints involving unintended acceleration in which pedal misapplication was not the likely cause. The criteria that ODI uses for this sorting are derived from the report An Examination of Sudden Acceleration (Pollard and Sussman 1989), which was produced by the U.S. Department of Transportation's (DOT's) Transportation Systems Center (TSC). The committee was asked to review and comment on the continued relevance of the criteria derived from that report, which is often referred to as the Silver Book.

More recently, questions have arisen about whether vulnerabilities in electronic throttle control systems (ETCs) have caused or contributed to an increase in consumer complaints alleging unintended acceleration, particularly by drivers of Toyota vehicles, which experienced a notable increase in these complaints in recent years. In February 2011, NHTSA released its most comprehensive report on unintended acceleration since sponsoring the Silver Book more than 20 years ago. The report, Technical Assessment of Toyota Electronic Throttle Control Systems (NHTSA 2011), recounts ODI's investigations of unintended acceleration complaints involving Toyota vehicles over the past decade, analyzes the entire consumer complaint database for all reported incidents involving forms of unintended acceleration, reports on agency analyses of warranty data and crash investigations, and draws conclusions from a NHTSA-commissioned study (NASA 2011) by the National Aeronautics and Space Administration (NASA) of potential design and implementation vulnerabilities in the Toyota ETC. NASA's study results are not detailed in this chapter (since the study is available on the Internet),[4] but ODI's conclusions about the candidate causes of unintended acceleration as informed by the NASA results are examined.

[4] http://www.nhtsa.gov/UA.

Finally, ODI's investigative actions and processes are not considered with regard to matters such as their documentability or compliance with administrative and statutory requirements.[5] The committee was not constituted to perform such auditlike functions. The U.S. DOT Office of Inspector General (OIG) did undertake such an audit (OIG 2011) and has made several recommendations to NHTSA for improving related aspects of its defect surveillance and investigation programs.

[5] For example, the committee did not review the grounds for NHTSA assessing a civil penalty against Toyota for recall timeliness.

The emphasis of the chapter is on describing how ODI has monitored for and investigated the potential causes of unintended acceleration. The purpose is to obtain insight into where changes in NHTSA's regulatory, research, and defect investigation approaches may be needed, given that other electronics systems could be suspected in reports of vehicle control problems and other unintended behaviors in the same manner as Toyota's ETC.
Past NHTSA Initiatives on Unintended Acceleration

As indicated in Chapter 1, two major investigations of unintended acceleration were commissioned by NHTSA during the 1980s. The first (Walter et al. 1988) was undertaken in response to incidents involving the Audi 5000. The second, which led to the Silver Book (Pollard and Sussman 1989), involved more vehicle makes and models and focused on incidents involving vehicles that had been stopped or moving slowly before accelerating suddenly.

Audi 5000 Investigation

During the mid-1980s, ODI received a large number of consumer complaints from owners of the Audi 5000 reporting episodes of unintended acceleration. In analyzing complaints for all vehicle makes and models spanning Model Years 1978 to 1986, ODI calculated an exceptionally high rate of complaints against the Audi 5000: an estimated 556 per 100,000 vehicles produced, compared with a fleetwide average of 28 per 100,000.[6] The complaint rate remained high even after the vehicle had been the subject of earlier recalls intended to fix the perceived problem. In 1982, for example, Volkswagen (the Audi importer) had issued a recall to modify the shape of the accelerator pedal to prevent interference by the floor mat. In 1983, the company issued a recall to attach a plate to the brake pedal to elevate it relative to the accelerator pedal.

[6] The Audi complaint rates were calculated by NHTSA in October 1988. As noted in Chapter 1, media attention contributed to the rate of complaint reporting by Audi drivers. For example, a November 1986 broadcast of the CBS show 60 Minutes portrayed the Audi as "out of control" (the title of the broadcast).

Even before commencing its Audi investigation, ODI had conducted dozens of investigations of complaints alleging unintended acceleration involving scores of vehicle makes and models. Some of the complaints involved prolonged, high-speed events, and others involved abrupt, short-lived acceleration often ending with a crash. The investigations prompted a number of recalls to repair various problems, including pedal entrapment, throttle icing, broken or ill-fitting parts in the throttle assembly, and bound accelerator cables that had caused the throttle to remain open even when the driver's foot was removed from the accelerator pedal. In all of these cases, physical evidence could be identified to determine the source of the problem, but in a large majority of other cases no vehicle-related deficiency was found. The latter cases tended to involve vehicles that were accelerating abruptly from a stopped or parked position or from a low travel speed, often accompanied by a reported loss of braking. It was also common for the driver to claim that the acceleration started at the same time as brake application. Unable to find physical evidence of brake failure or the kinds of mechanical problems listed above, ODI usually attributed these incidents to drivers pressing the accelerator pedal instead of, or in addition to, the brake pedal.

The large number of reports of unintended acceleration involving the Audi 5000 caused ODI to enlist TSC to conduct a more thorough investigation of why the phenomenon was being reported much more frequently among owners of this vehicle (Walter et al. 1988). The TSC investigators analyzed the vehicle's major mechanical, electronics, and electromechanical systems to determine the conditions under which they could create high engine power; measured the dimensions and examined the design of the Audi driver compartment to determine whether the features of the compartment and driving controls might increase the probability of pedal misapplication; and studied the age and other characteristics of Audi drivers to determine whether they were more likely than the drivers of other vehicles to be exposed to situations in which unintended acceleration could occur.

In examining the Audi complaints, the TSC investigators found that a large proportion of the incidents involved reports of unintended acceleration and brake failure occurring at the same moment. The investigators were unable to identify any combination of failures that could create simultaneous failures of these two systems without leaving any physical evidence and concluded that pedal misapplication had to be the cause.
The investigators therefore sought to explain why the accelerator pedal was being misapplied more often by drivers of the Audi than by drivers of other vehicles. They observed that the pedal and seating arrangements of the Audi differed from those of peer domestic vehicles, and they noted that many of the drivers reporting unintended acceleration had owned the vehicle for a short period of time. The investigators surmised that the higher incidence of pedal misapplication may have resulted from drivers' unfamiliarity with the vehicle's seating and pedal layout.

Another feature of the Audi 5000 that TSC investigators suspected may have contributed to pedal misapplication was the vehicle's idle stabilizer. After Model Year 1983, Audi incorporated an electronically controlled idle stabilizer to regulate engine speed according to the demands of engine load. The system, composed of an electronic control unit and an electromechanical air valve, was prone to defects that caused a high idle speed and periodic engine surging.[7] The TSC team noted that because of their intermittent nature, these behaviors may not have been detected during premarket testing of the Audi or in postcrash investigations by ODI and others. Volkswagen had recalled the idle stabilizer valve because of the surging problem. While the surges were not accompanied by a large throttle opening and were not found to be consistent with consumer complaints of high-power acceleration, the TSC team speculated that the vehicle behavior could have startled some drivers and led some to press the accelerator pedal when they intended to apply the brake.

[7] The idle speed control systems of the time would more appropriately be called idle stabilization systems, since they only provided a "trimming function" around the normal operating point to help achieve smoother idle quality.

Silver Book

After the Audi 5000 investigation, TSC was enlisted again by ODI to conduct a more broadly based review of unintended acceleration complaints. The focus of this follow-up study was on incidents in which the acceleration began while the vehicle was stopped or moving slowly. ODI recognized the occurrence of other types of unintended acceleration incidents, such as those starting from higher speeds, but wanted to obtain a better understanding of this more common class of incidents. These sudden acceleration incidents were also troubling because they tended to be accompanied by reports of complete brake loss. The product of this second TSC investigation, An Examination of Sudden Acceleration, has come to be known as the Silver Book (Pollard and Sussman 1989).

In carrying out its investigation, the TSC team reviewed hundreds of complaints submitted by drivers alleging unintended acceleration during the previous decade. The investigators also reviewed relevant literature and case documentation; interviewed drivers who had filed complaints; and studied the fuel systems, brakes, cruise control systems, power trains, and pedal and gearshift lever layouts of 10 vehicle makes, some of which were selected because of their above-average complaint rates. The team's methods and results were subjected to peer review by a group of experts in various safety and engineering disciplines.

In a manner similar to the Audi 5000 investigation, the TSC investigators examined possible mechanical causes. They focused on the potential for a sticking throttle caused by problems such as frayed or kinked cables, broken springs, and stuck pedals. They concluded that such mechanical faults were not likely to be causes of unexplained cases of unintended acceleration, since their origins would be evident during postevent inspection of the vehicle. Transmission and idle speed stabilizer systems were also examined for conditions that might lead to unintended acceleration. Because it had no influence on throttle actuation, the transmission was dismissed as a possible cause. The TSC team concluded that the idle speed stabilizer was incapable of causing the simultaneous high levels of fuel and air flow needed to produce the reported high-power acceleration.

Cruise control modules had often been suspected as a source of unintended acceleration, and they were tested to assess whether they could create and sustain a large throttle opening.[8] Modules were thus placed in an environmental chamber and subjected to variations in power supply, temperature, and electromagnetic interference over a period of months.[9] The TSC team did not find any significant or sustained malfunctions of the modules as a result of any of the environmental conditions tested. Whereas the electromagnetic interference tests caused system malfunctions, they were found to be momentary. In examining the possible transient conditions that might cause intermittent problems, the TSC team concluded that the low probability of simultaneous failures of more than one component, coupled with the many redundant mechanical and electrical fail-safe mechanisms for disabling the servo (including light tapping of the brake), ruled out the cruise control as a plausible cause of wide-open throttle.

[8] Cruise control systems of the time consisted of control switches, an electronic control module (typically using a microprocessor or custom integrated circuit), a speed sensor typically mounted in the transmission or in the speedometer cable, a servo that mechanically pulled on the throttle lever, and electric or vacuum dump valves that would release the vacuum in the actuator when the brake pedal was depressed.

[9] The electromagnetic interference test simulated the transient of an air conditioning clutch engaging and disengaging (which produces a large electrical transient on the power line); for radio frequency interference, units were subjected to a signal from a high-power citizens band antenna located close to the module and to a simulated electrostatic discharge.

Once again, the TSC investigators found that complete loss of braking was common among driver complaints of unintended acceleration occurring in a stopped or slow-moving vehicle. The team could not identify any credible mechanisms by which brakes could fail fully but then recover normal function with no signs of physical damage. In addition, the team pointed to tests indicating that brake application, even if it is assumed to be delayed somewhat to simulate a driver's emergency response to the onset of acceleration, will quickly stop a vehicle accelerating from a stationary position or low travel speed.[10]

[10] The Silver Book's Appendix E refers to brake force and performance tests conducted at NHTSA's test center by R. G. Mortimer, L. Segal, and R. W. Murphy: "Brake Force Requirements: Driver–Vehicle Braking Performance as a Function of Brake System Design Variables."

Unintended acceleration accompanied by unexplained brake loss had long been associated with pedal misapplication.[11][12] The TSC investigators knew this and questioned whether certain vehicle-related factors could be responsible for drivers applying the wrong pedal after being startled by a vehicle-related condition or behavior. They surmised that phenomena such as engine surging, high idling, or even unexpected noises could induce this effect, especially among drivers unfamiliar with the vehicle, its operating characteristics, and its control layout. Noting that many incidents had involved motorists operating new vehicles, the team surmised that such patterns could be indicative of the driver lacking familiarity with the gearshift lever and pedals. The Silver Book therefore recommended that NHTSA undertake more research to determine whether such vehicle-related factors may have contributed to pedal misapplication, including research to examine the effect of pedal layouts and configurations. NHTSA subsequently sponsored research by the Texas Transportation Institute (Brackett et al. 1989) to advise on pedal designs and layouts that might be less susceptible to misapplication.

[11] The TSC investigators were not the first to associate pedal misapplication with unintended acceleration. ODI had concluded that pedal misapplication was the cause of many episodes of unintended acceleration during the previous 20 years of case investigations. Pedal misapplication had also received attention in the human factors literature (Schmidt 1989; Rogers and Wierwille 1988; Vernoy and Tomerlin 1989).

[12] Pedal misapplication is also now known to be a source of unintended acceleration by operators of commercial vehicles. In a study of unintended acceleration involving school buses and other heavy vehicles, the National Transportation Safety Board (NTSB) reported that the drivers in these occurrences all reported a loss of braking, but the investigators did not find physical evidence of brake damage. NTSB concluded that the brakes did not fail; instead, the drivers had applied the accelerator pedal when they had intended to apply the brake (NTSB 2009).

In the decade following the release of the Silver Book (and before the introduction of ETCs), NHTSA continued to receive complaints involving unintended acceleration across vehicle makes and models. ODI's investigations of these complaints led to many of the same conclusions reached in the Silver Book: most incidents were caused by drivers mistakenly pressing the accelerator pedal, while the remainder resulted from mechanical problems (e.g., stuck pedals and accelerator cables) and pedal obstructions (such as floor mat entrapment). During this period, pedal misapplication was found to be more common among vehicles with automatic transmissions that lacked brake transmission shift interlocks. Although these devices were not required at the time by federal regulation, many manufacturers began installing them during the 1980s and 1990s. The interlock requires the driver to press the brake pedal to shift out of park and is designed to keep the driver from shifting into drive or reverse while the accelerator pedal is mistakenly depressed. The increased use of the interlock during the 1990s substantially lowered the number of reports of unintended acceleration involving vehicles maneuvering in parking lots and driveways (Reinhart 1994).[13]

[13] The brake shift interlock is not always fail-safe. In a notable case from 1998, ODI investigated an incident of unintended acceleration by a police officer in Minneapolis, Minnesota. ODI concluded that the cause was pedal misapplication but found that the functioning of the brake transmission shift interlock had been compromised by an aftermarket device that caused the cruiser's brake lights to flash when the dome light was energized (NHTSA File Number MF99-002, March 18, 1999).

Much of the history of ODI's investigations of unintended acceleration during the 1990s can be found in an April 2000 notice issued by NHTSA in the Federal Register.[14] During that period, ODI often referred to the Silver Book's findings as grounds for determining when a reported incident had the hallmarks of pedal misapplication and when it did not. As the design of power trains and cruise controls changed during the 1990s, the test results reported in the Silver Book lost their relevance and were no longer cited by ODI when it investigated unintended acceleration incidents involving later model vehicles. Nevertheless, ODI investigators continued to refer to the Silver Book's characterization of pedal misapplication incidents as a way to sort complaints of unintended acceleration. The advent of ETCs did not change the relationship between the brakes and the throttle control systems, which continue to remain independent of one another.

[14] April 28, 2000 (Vol. 65, No. 83, pp. 25026–25037).

Investigations of Toyota Complaints

According to a recent report by the U.S. DOT OIG, ODI conducted 24 investigations of unintended acceleration involving numerous vehicle makes and models from 2002 through 2010. The investigations led to 15 recalls affecting 13 manufacturers (OIG 2011, 5).[15] Eight of the investigations involved Toyota vehicles and led to two manufacturer recalls. ODI made several other preinvestigation inquiries into unintended acceleration in Toyota vehicles; two of them resulted in Toyota issuing recalls before ODI had opened a formal investigation. During the same period, ODI investigated Ford four times, General Motors three times, and Chrysler twice for reports of unintended acceleration (OIG 2011, 11). Nine other automotive manufacturers were the subject of investigations and inquiries.[16] ODI concluded that in all of these cases pedal misapplication or mechanical factors such as floor mats impeding the pedal, throttle valve sticking, and bound cables were the sources of the behavior.

[15] The OIG report also contains tabulations of unintended acceleration complaints across the industry by manufacturer. These complaints were identified through broad searches of the Vehicle Owner's Questionnaire database using the component code "vehicle speed control." The OIG report notes that using this component code to sort complaints will exclude some complaints that may have involved unintended acceleration if the complaint was filed by using a different component code such as "service brakes." In addition, some complaints coded for "vehicle speed control" may involve issues unrelated to acceleration, such as transmission behaviors. The committee's own sampling of the Vehicle Owner's Questionnaire data found numerous instances of both shortcomings.

[16] Honda, Audi, Daimler, Buell, MacNeill Auto Products, Electronic Mobility, Jonway, CTS, and Kia were each investigated once.

OIG's audit assessed the effectiveness of ODI's processes for identifying and addressing safety defects and compared the processes with those followed by automotive safety authorities in other countries. OIG concluded that ODI had followed established procedures in conducting its investigations of unintended acceleration complaints and in monitoring resulting safety recalls. Although it did not question ODI's conclusions about the causes of the investigated cases of unintended acceleration, OIG recommended that ODI improve its documentation of preinvestigation activities and communications with manufacturers, establish a systematic process for seeking third-party assistance with investigations, and set and adhere to timelines for completing investigations.[17]

[17] The OIG report is available at http://www.oig.dot.gov/sites/dot/files/ODI%20Final%20Report%2010-06-11.pdf.

Early Toyota Investigations

A summary of the Toyota investigations and inquiries is provided in Table 5-1. It indicates how the consumer complaint data were used both by ODI and by consumers to identify, analyze, and investigate occurrences of unintended acceleration. The four earliest investigations, occurring from 2003 to 2006, were initiated in response to petitions by consumers
TABLE 5-1 Summary of ODI Investigations and Inquiries on Unintended Acceleration Involving Toyota Vehicles, 2003–2010

Columns: Vehicles Involved (Toyota and Lexus Makes) | ODI Investigation or Inquiry | Findings and Conclusions | Action

Vehicles involved: Lexus GS and LS (Model Years 1997–2000). Petition assessment opened 2003.
ODI investigation or inquiry: Response to a consumer petition. A petitioner to ODI reported experiencing multiple events of unintended acceleration, one of which led to a rear-end collision. In each case, no vehicle-related cause was identified by the dealer. After reviewing other VOQs, the petitioner cited a high percentage of complaints in which the component code "vehicle speed control" had been marked in the complaints filed for this vehicle model. ODI interviewed the petitioner, inspected a Model Year 1999 Lexus LS 400, examined past complaints involving reports of unintended acceleration in the same vehicle model, and compared complaint rates with those of peer vehicles made by other manufacturers.
Findings and conclusions: After normalization to account for vehicle production data, ODI did not find the Lexus complaint rate to be higher than that of peer vehicles. In the interview, the petitioner reported applying the brake before the crash. ODI cited findings from earlier work (the 1989 Silver Book) indicating that the driver probably applied the accelerator pedal when the intent was to apply the brake pedal.
Action: Assessment closed.

Vehicles involved: Camry and Lexus ES 300 (Model Years 2002–2003). Investigation opened 2004.
ODI investigation or inquiry: Response to a consumer petition. A petitioner reported that her Lexus accelerated unintentionally, causing a low-speed crash in a parking lot. The petitioner reported that she applied the brakes but that they were ineffective. In scanning complaints, ODI found 20 reports alleging unintended acceleration involving these vehicle makes and model years.
Findings and conclusions: After conducting an analysis of past complaints, conducting driver interviews, and performing vehicle inspections, ODI concluded that the reported incidents involved acceleration coincidental with brake application during low-speed maneuvering, with no evidence of failed components. The agency cited earlier investigations involving similar circumstances (low initiation speeds, with acceleration and reported brake failure occurring coincidentally), suggesting that the likely cause was pedal misapplication.
Action: Investigation closed, no recall.

(continued on next page)
OCR for page 158
158 || The Safety Promise and Challenge of Automotive Electronics causing unintended acceleration in the fleet, the NESC team reviewed consumer complaints for hallmarks of the failures and tested vehicles and components previously used by drivers alleging unintended acceleration. On the basis of its vulnerability analysis, the NESC team identified the following two scenarios that it described as having at least a theoretical potential to produce unintended acceleration characteristic of a large throttle opening: (a) a systematic failure of software in the ETC’s central processing unit that goes undetected by the supervisory processor and (b) two faults in the pedal position sensing system that mimic a valid accelerator command. The two scenarios are shown in Table 5-5, which is an abbreviated version of the failure mode and effects analysis (FMEA) performed by the NESC team during its vulnerability analysis. To test the plausibility of the first scenario, NESC investigators used multiple tools to analyze software logic paths and to examine the pro- gramming code for paths that might lead to unintended acceleration. These extensive testing and analytic efforts did not uncover any evi- dence of problems, but the team pointed out that no practical amount of testing and analysis can guarantee that software is free of faults. The NESC software analysts reported that certain characteristics of the sub- ject software (from a 2005 Camry) hindered the testing. For example, they found that the code structure relied on the use of a single large memory space shared among all tasks with unrestricted access (in con- trast to designs where each task is given private memory inaccessible to other tasks). This lack of modularity reportedly precluded automated analysis and required more time-consuming manual inspection by ana- lysts (NASA 2011, Appendix A, Section A.8.2). 
Thus, the NESC team’s technical description of its analysis suggested a concern that the software was not structured to facilitate assessments of dependability to a high degree of confidence.

To examine the second scenario, the team tested numerous potential software and hardware failure modes by using bench-top simulators and by testing vehicles involved in reported cases of unintended acceleration. The vehicles were inspected for signs of electrical faults. They were also subjected to electromagnetic interference by using radiated and conducted levels in excess of those required for type certification by the European Union.29 The electromagnetic interference tests did not produce acceleration indicative of a large throttle opening, but some produced engine slowing and stalling.

29 As explained in Chapter 3, the European Union requires automobile manufacturers to subject their vehicles and systems to electromagnetic compatibility testing, whereas the United States does not.

TABLE 5-5 Abbreviated FMEA of Toyota ETC by NASA

Columns of the original table: Component; Failure Mode (conditions necessary for failure to occur); Failure Condition and Symptoms Found in Real World; Physical or Electronic Evidence, Detection; Range of Throttle Opening; Electronics Failure Effect on Braking?; System Response: Fail-Safe Modes Applied; System-Level Prevention. Rows marked * are the scenarios shaded in the original as theoretically able to lead to an uncommanded large throttle opening.

Functional Area: Pedal Command

Row 1. Component: Pedal position sensors.
  Failure mode: Pedal sensors fail high, low, or at intermediate values.
  Real-world evidence: Pedal sensor failures in warranty data; NESC engineered test.
  Detection: DTC for high, low, or outside operational lane. None if a pedal sensor fails within lane.
  Throttle opening: Throttle does not open with a single failure. If neither sensor is operable, idle mode. Under certain conditions involving potentiometer sensors, limp-home mode is not limited and may jump depending on the rate at which the pedal is applied.
  Effect on braking: None.
  Fail-safe modes applied: Limp-home mode—throttle limited to <15°, and a DTC is set.
  System-level prevention: Idle mode fuel cut. Fuel cut limits <2,500 revolutions per minute when accelerator pedal released.

Row 2. Component: Pedal position sensors.
  Failure mode: Incorrect learned value; dual failure to specific voltages that result in voltages within operational range.
  Real-world evidence: No evidence in warranty data; NESC engineered test.
  Detection: Engineered fault in lane. Valid pedal signal escapes detection, no DTC set. Electrical failures should leave a trace.
  Throttle opening: Small opening, <10° maximum, between normal sensor values and DTC limit.
  Effect on braking: None.
  Fail-safe modes applied: None (the fault is not detected).
  System-level prevention: Dual failures that look like a valid pedal signal cannot be detected, but 10° opening maximum.

Row 3.* Component: Pedal position sensors.
  Failure mode: Dual failures that result in voltages within operational range.
  Real-world evidence: No signs of dual resistive failures; NESC engineered test.
  Detection: Engineered fault in lane. Valid pedal signal escapes detection, no DTC set. Electrical failures should leave a trace.
  Throttle opening: Wide-open throttle is conceptually possible, but no real-world evidence.
  Effect on braking: >35° opening could deplete vacuum assist if brakes are pumped.
  Fail-safe modes applied: None possible for multiple failures that look valid.
  System-level prevention: Dual failures that emulate or look like a valid pedal signal cannot be detected.

Functional Area: Throttle Control Computer

Row 4. Component: Main CPU.
  Failure mode: Faulty power, memory failure.
  Real-world evidence: ECM failures in warranty data; NESC engineered test data.
  Detection: DTC set for bad power, memory fault; consistent.
  Throttle opening: None.
  Effect on braking: Not stated.
  Fail-safe modes applied: Engine turned off.
  System-level prevention: Engine turned off.

Row 5. Component: Sub-CPU.
  Failure mode: Faulty power, memory failure.
  Real-world evidence: ECM failures in warranty data; NESC engineered test data.
  Detection: DTC set for bad power, memory fault; consistent.
  Throttle opening: None.
  Effect on braking: Not stated.
  Fail-safe modes applied: Engine turned off.
  System-level prevention: Engine turned off.

Row 6.* Component: Main CPU software malfunctioning; computer opens throttle and appears normal without DTC, watchdog timeout, limp-home mode, or other errors.
  Failure mode: Software unilaterally opens throttle with pedal released, idle fuel cut not active, watchdog serviced, no EDAC error, sub-CPU does not detect failure.
  Real-world evidence: Cannot engineer a test. No place found in software where a single memory/variable corruption results in unintended acceleration.
  Detection: Theoretical fault escapes detection.
  Throttle opening: Wide-open throttle is conceptually possible, but no real-world evidence.
  Effect on braking: >35° opening could deplete vacuum assist if brakes are pumped.
  Fail-safe modes applied: None possible.
  System-level prevention: Engineered fault escapes detection.

Note: CPU = central processing unit; ECM = error-correcting memory; EDAC = error detection and correction. Shaded cells (rows marked * above) indicate scenarios that can theoretically lead to an uncommanded large throttle opening. Source: NASA 2011, Table 22.214.171.124-1, page 77.

After contacting a consumer who had complained about unusual accelerator pedal responses, ODI recovered the vehicle’s accelerator pedal assembly, which it turned over to the NESC team for analysis. The faulty assembly was found to contain a low-resistance path, which was determined to have been caused by an electrically conductive tin whisker (a crystalline, hairlike structure of tin that can form on a tin-finished surface) that had formed between signal outputs from the potentiometer pedal position sensors.30 Consideration was given to whether low-resistance paths in the pedal position sensing system—whether created by tin whiskers or other means31—could have produced unintended acceleration indicative of a large throttle opening. The NESC team concluded that if a single low-resistance path were to exist between the pedal sensor outputs, the system could be vulnerable to unintended acceleration if accompanied by a second specific fault condition. However, for a vulnerability to be created, the two fault conditions would need to escape detection by meeting restrictive criteria consisting of a specific resistance range as needed to create the exact circuit configuration in a correct time phase. If the two faults did not meet these criteria, they would be detected and trigger a diagnostic trouble code (DTC) and a system fail-safe response such as reduced engine power.

30 As discussed in Chapter 3, these sensors provide a voltage output to the engine control module that is proportional to the pedal’s displacement when it is pressed by the driver. The engine control module uses the pedal position sensing information, along with information provided by other sensors, to adjust the throttle plate.

31 Although the NESC team found evidence of tin whiskers, low-resistance paths can also be produced by the presence of moisture, salt spray, and other contaminants.

To gain a better understanding of the probability of the two fault conditions occurring in the field, the NESC team examined Camry warranty repair data and consumer complaints of high-power unintended acceleration. The team posited that for every instance in which two undetected faults had led to an episode of unintended acceleration, numerous pedal repairs associated with single detected faults would be expected, since single faults would be much more likely than two faults having highly restrictive resistance ranges, circuit configurations, and timing phases. In May 2010, ODI had requested warranty claim data from Toyota on all vehicles equipped with ETCs sold in the United States. In particular, ODI asked for details on any warranty claim involving an ETC hardware component, the engine control module, the throttle actuator, the accelerator pedal, any related wiring or harness connectors, and any DTCs that could be associated with a failure of the ETC. In reviewing the warranty data generally, ODI had determined that claim rates for the Camry components (per vehicle sold) were much lower than the claim rates typically found for defective components in other vehicle systems that had been the subject of safety recalls and were thus not suggestive of a defect trend in the Camry ETC.

The NESC team also reviewed the Camry warranty repair data for DTCs and repair items indicative of problems in the relevant accelerator pedal sensors and circuitry (NASA 2011, 37–41). The team found fewer warranty repair items than driver reports of high-power unintended acceleration and concluded that the warranty repair data “does not support an observable failure signature of pedal-induced DTCs” (NASA 2011, 16). In short, the warranty data indicated that the postulated dual-fault scenario involving the Camry pedal sensor system was an implausible source of the high-power unintended acceleration reported in consumer complaints.

Finally, the NESC team reported that its testing revealed ways in which a single-failure mode could cause relatively small throttle openings leading to controllable engine behaviors such as high idle speed, hesitation, and “jumpiness.” The team noted that while some of these conditions did not trigger a DTC during testing, they were eliminated by releasing the accelerator pedal or could be overridden by applying the brakes. These controllable behaviors were inconsistent with reports of high-power unintended acceleration. The NASA investigators thus concluded that their testing and analysis “did not find that [the Toyota ETC] electronics are a likely cause of throttle openings as described in the VOQs” (NASA 2011, 17).
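The fail-safe logic in Table 5-5 and the "restrictive criteria" for the dual-fault scenario can be made concrete with a small model. The following Python block is an added illustration written for this review; it is not code from the NASA, NHTSA or Toyota systems, and every number in it (the 0.4–4.8 V lane, the 0.8 V channel offset, the 0.25 V tracking tolerance, the 1 kΩ channel output impedance, the 5 V pull-up an open wiper floats to, the 15° limp-home cap) is a hypothetical value chosen for illustration. It models two potentiometer channels VPA1 and VPA2 feeding a supervisor that sets a symbolic DTC and enters limp-home or idle mode on out-of-lane or mismatched readings, then injects the faults the text discusses: a single open channel, a dead short between channels, a single low-resistance bridge alone, and a bridge combined with a second independent fault (an open VPA2 wiper). It goes one step beyond the text by sweeping the bridge resistance to show how narrow the window is in which both faults escape detection yet command a large throttle opening.

```python
"""Toy dual-channel accelerator pedal sensor supervisor and fault model.

Added example for this review, not code from the NASA, NHTSA or Toyota
systems. Every constant below is an assumption chosen for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed sensor characteristics (hypothetical, not Toyota's values).
V_LANE = (0.4, 4.8)        # a channel outside this range is "out of lane"
V_REL, V_SWING = 0.8, 3.0  # VPA1 at pedal released, and its swing to the floor
OFFSET = 0.8               # nominal VPA2 - VPA1, so a dead short between channels shows
TRACK_TOL = 0.25           # tolerated deviation of (VPA2 - VPA1) from OFFSET
R_SRC = 1000.0             # assumed output impedance of each channel, ohms
V_PULLUP = 5.0             # an open wiper floats up to the pull-up rail
LIMP_HOME_DEG = 15.0       # throttle cap in limp-home (the report's "<15 degrees")
MAX_DEG = 85.0             # wide-open throttle


@dataclass
class Decision:
    throttle_deg: float
    mode: str                  # "normal", "limp_home" or "idle"
    dtc: Optional[str] = None  # symbolic trouble code, not a real OBD-II code


def healthy_outputs(travel: float) -> tuple[float, float]:
    """(VPA1, VPA2) from a fault-free pedal; travel in [0, 1]."""
    v1 = V_REL + travel * V_SWING
    return v1, v1 + OFFSET


def travel_from(v1: float) -> float:
    return min(1.0, max(0.0, (v1 - V_REL) / V_SWING))


def supervise(v1: float, v2: float) -> Decision:
    """Plausibility check an engine control module might run on the two channels."""
    lo, hi = V_LANE
    ok1, ok2 = lo <= v1 <= hi, lo <= v2 <= hi
    if not ok1 and not ok2:
        return Decision(0.0, "idle", "DTC_BOTH_CHANNELS_OUT_OF_LANE")
    if ok1 != ok2:
        # single out-of-lane fault: trust the surviving channel, cap the throttle
        good = v1 if ok1 else v2 - OFFSET
        return Decision(min(LIMP_HOME_DEG, travel_from(good) * MAX_DEG),
                        "limp_home", "DTC_CHANNEL_OUT_OF_LANE")
    if abs((v2 - v1) - OFFSET) > TRACK_TOL:
        # both in lane but not tracking each other: use the lower reading, cap the throttle
        low = min(v1, v2 - OFFSET)
        return Decision(min(LIMP_HOME_DEG, travel_from(low) * MAX_DEG),
                        "limp_home", "DTC_CHANNEL_MISMATCH")
    # both in lane and consistent: the supervisor has no reason to doubt the command
    return Decision(travel_from(v1) * MAX_DEG, "normal")


def bridged(v1_src: float, v2_src: float, r_bridge: float) -> tuple[float, float]:
    """Voltages at the ECM when a low-resistance path of r_bridge ohms (tin
    whisker, moisture) joins the two outputs. Each source drives its node
    through R_SRC, so a current (v2 - v1) / (2*R_SRC + r_bridge) flows through
    the bridge and each output is pulled toward the other (simplified circuit)."""
    i = (v2_src - v1_src) / (2 * R_SRC + r_bridge)
    return v1_src + i * R_SRC, v2_src - i * R_SRC


def pedal_released(r_bridge: Optional[float] = None, ch2_open: bool = False) -> Decision:
    """Pedal fully released, with an optional bridge between the channels and
    an optional open VPA2 wiper floating to the pull-up rail (the second,
    independent fault the text describes)."""
    v1, v2 = healthy_outputs(0.0)
    if ch2_open:
        v2 = V_PULLUP
    if r_bridge is not None:
        v1, v2 = bridged(v1, v2, r_bridge)
    return supervise(v1, v2)


def undetected_large_opening_window() -> tuple[float, float]:
    """Sweep the bridge resistance in 10 ohm steps with the open-wiper fault
    present; return the (lowest, highest) resistance at which no DTC is set
    and the throttle still exceeds 35 degrees with the pedal released."""
    hits = []
    for r in range(0, 20001, 10):
        d = pedal_released(float(r), ch2_open=True)
        if d.dtc is None and d.throttle_deg > 35.0:
            hits.append(float(r))
    return (hits[0], hits[-1]) if hits else (0.0, 0.0)


if __name__ == "__main__":
    cases = {
        "healthy, pedal released": pedal_released(),
        "VPA2 wiper open only": pedal_released(ch2_open=True),
        "dead short between channels": pedal_released(0.0),
        "5 kohm bridge only": pedal_released(5000.0),
        "500 ohm bridge + open wiper": pedal_released(500.0, ch2_open=True),
        "2 kohm bridge + open wiper": pedal_released(2000.0, ch2_open=True),
    }
    for name, d in cases.items():
        print(f"{name:30s} {d.mode:9s} {d.throttle_deg:5.1f} deg  {d.dtc}")
    print("undetected >35 deg window (ohms):", undetected_large_opening_window())
```

Under these assumptions a single fault of any kind is caught: an open wiper leaves the lane, a dead short collapses the channel offset, and a bridge alone either trips the mismatch check or, at a few kilohms, shifts VPA1 by only a few degrees of throttle with no DTC (the "small opening" of Row 2). The large undetected opening needs both the open wiper and a bridge of roughly 310 to 660 Ω out of a 0 to 20 kΩ sweep, and that is before any timing constraint is added; every other combination sets a DTC and drops into limp-home. That ratio of detectable single faults to undetectable dual faults is the basis for the NESC team's expectation, described below, that real dual-fault events would be accompanied by many more single-fault warranty repairs.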
NHTSA’s Response to NASA Results

On the basis of the NESC team’s study, NHTSA has concluded “that the Toyota ETC system does not have design or implementation flaws that could reasonably be expected to cause UA [unintended acceleration] events involving large throttle openings as described in consumer complaints to NHTSA” (NHTSA 2011, 62). Specifically with respect to the postulated dual-fault scenario in the ETC’s pedal position sensing system, NHTSA concurred that the absence of significant numbers of warranty repairs for more likely single faults is indicative of a hypothetical scenario and not one “occurring in the real world” (NHTSA 2011, 63). NHTSA likewise concurred that the other forms of unintended acceleration created by single faults do not create large throttle openings and are likely to be rare and controllable; in NHTSA’s view, they do not present a safety hazard. NHTSA acknowledged that Toyota’s fail-safe strategy for the ETC studied can be characterized as imperfect because it does not respond to all theoretical failure pathways but concluded that “there is currently no evidence of a real-world safety risk produced by this phenomenon” (NHTSA 2011, 63). NHTSA also noted that the NESC team’s study did not reveal any ETC failure mode that could affect the vehicle’s braking system (NHTSA 2011, 64), and hence any lack of braking effectiveness reported by a driver experiencing unintended acceleration could not be attributed to a shortcoming in the ETC.

On the basis of NASA’s study and its own series of analyses and investigations, NHTSA outlined several steps that it planned to take in response to the findings, some of which were discussed in Chapter 4. It indicated that it will consider initiating new rulemakings to require (a) installation of systems that cause the brake to override the throttle, to prevent or mitigate unintended acceleration incidents (e.g., in the case of pedal entrapment); (b) measures to ensure that keyless ignition systems can be turned off by drivers during an on-road emergency; and (c) installation of EDRs on all new vehicles. NHTSA also indicated that it would consider research on the layout and spacing of accelerator and brake pedals, the utility of DTCs in conveying safety-critical information to drivers, and robust software development processes and fail-safe strategies to protect against multifault scenarios. The committee comments on some of these proposed initiatives in the next chapter.
CHAPTER FINDINGS

Finding 5.1: NHTSA has investigated driver complaints of vehicles exhibiting various forms of unintended acceleration for decades, the most serious involving high engine power indicative of a large throttle opening. The two main types of unintended acceleration incidents involving a large throttle opening are those in which rapid acceleration occurs suddenly when the vehicle is in a stopped position, moving slowly, or in the process of slowing down and those in which a moving vehicle maintains or increases its speed after the driver releases the accelerator pedal. Degraded or failed braking is often asserted along with both of these forms of unintended acceleration. A range of other vehicle behaviors, from high engine idling to surging and transmission hesitations, are sometimes characterized as unintended acceleration. They are controllable and do not present the same safety hazard as acceleration involving a large throttle opening unless the vehicle behavior prompts an unsafe response by the driver, such as accidentally applying the accelerator pedal instead of the brake.

Finding 5.2: NHTSA has most often attributed the occurrence of unintended acceleration indicative of a large throttle opening to pedal-related issues, including the driver accidentally pressing the accelerator pedal instead of the brake pedal, floor mats and other obstructions that entrap the accelerator pedal in a depressed position, and sticking accelerator pedals. Other commonly identified problems include malfunctioning mechanical components in the throttle control system, such as frozen and broken throttle plates, and frayed and trapped connector cables. NHTSA attributes forms of unintended acceleration involving a large throttle opening occurring in stopped and slow-moving vehicles to pedal misapplication, unless there is a credible explanation of why the vehicle’s brakes were not applied or why they failed to stop and control the engine torque if they were applied. Braking action may not control unintended acceleration occurring in vehicles traveling at faster speeds under limited circumstances. Such incidents are investigated for other potential causes, including pedal entrapment and sticking and malfunctioning throttle control systems, and for evidence of brake damage caused by prolonged brake application.
Finding 5.3: NHTSA’s rationale for attributing certain unintended acceleration events to pedal misapplication is valid, but such determinations should not preclude further consideration of possible vehicle-related factors contributing to the pedal misapplication. Reports of braking ineffectiveness in controlling a vehicle experiencing the onset of unintended acceleration from a stopped position or when moving slowly require an explanation for the ineffectiveness, such as physical evidence of damage to the brake system. Under these circumstances, investigating for phenomena other than pedal misapplication absent an explanation for the ineffectiveness of brakes, which are independent of the throttle control system and are designed to dominate engine torque, is not likely to be useful. Full consideration of the causes of pedal misapplication requires that vehicle design and operational conditions that can affect a driver’s actions to control the vehicle be taken into account.
Finding 5.4: Not all complaints of unintended acceleration have the signature characteristics of pedal misapplication; in particular, when severe brake damage is confirmed or the loss of braking effectiveness occurs more gradually after a prolonged effort by the driver to control the vehicle’s speed, pedal misapplication is improbable, and NHTSA reported that it treats these cases differently. In its investigations of such cases, NHTSA has usually concluded that the acceleration was caused by faulty mechanical components or the accelerator pedal becoming stuck or entrapped, often by a floor mat. NHTSA did not have a prior technical basis for suspecting the ETC as an alternative cause of such unintended acceleration events reported by owners of Toyota vehicles. Nevertheless, NHTSA commissioned a team of engineering specialists from NASA to investigate the potential for Toyota’s ETC to produce unintended acceleration.

Finding 5.5: NHTSA’s decision to close its investigation of Toyota’s ETC as a possible cause of high-power unintended acceleration is justified on the basis of the agency’s initial defect investigations, which were confirmed by its follow-up analyses of thousands of consumer complaints, in-depth examinations of EDRs in vehicles suspected to have crashed as a result of unintended acceleration, and the examination of the Toyota ETC by NASA. In its initial investigations of complaints and examinations of warranty repair data, NHTSA did not find evidence implicating the ETC as a cause of unintended acceleration reported by drivers of Toyota vehicles. It confirmed the occurrence of pedal entrapment and sticking in some reported cases and the signature characteristics of pedal misapplication in others. The subsequent NASA investigation did not yield evidence contradicting these conclusions. NASA identified means by which vulnerabilities in the ETC could produce unintended acceleration but could not find evidence that these means offered a plausible explanation for any occurrences of high-power unintended acceleration observed in the fleet.

Finding 5.6: The VOQ consumer complaint data appear to have been sufficient for ODI analysts and investigators to detect an increase in high-power unintended acceleration behaviors in Toyota vehicles, to distinguish these behaviors from those commonly attributed to pedal misapplication, and to aid investigators in identifying pedal entrapment by floor mats as the likely cause. Other data available to ODI for monitoring the fleet for defects, including warranty repair information submitted quarterly by Toyota as part of the Early Warning Reporting system, were consulted in response to the suspicious VOQ patterns. These data did not provide indications of malfunctioning ETCs
or any other vehicle defects as possible causes. Unintended acceleration resulting from pedal entrapment or pedal misapplication would not be expected to be revealed by warranty repair data; thus, in this sense the absence of suspect patterns in the warranty data corroborated ODI’s conclusions that floor mat entrapment was the cause of the increase in the Toyota complaints uncharacteristic of pedal misapplication.

Finding 5.7: ODI’s investigation of unintended acceleration in Toyota vehicles indicated how data saved in EDRs can be retrieved from vehicles involved in crashes to supplement and assess other information, including circumstantial evidence, in determining causal and contributing factors. In this instance, the EDR data corroborated investigator findings of unintended acceleration occurring through pedal misapplication.

REFERENCES

Abbreviations
NASA  National Aeronautics and Space Administration
NHTSA National Highway Traffic Safety Administration
NTSB  National Transportation Safety Board
OIG   Office of Inspector General, U.S. Department of Transportation

Brackett, R. Q., V. J. Pezoldt, M. G. Sherrod, and L. Roush. 1989. Human Factors Analysis of Automotive Foot Pedals. DOT-HS-807-512. National Highway Traffic Safety Administration, Washington, D.C.

NASA. 2011. National Highway Traffic Safety Administration Toyota Unintended Acceleration Investigation: Technical Support to the National Highway Traffic Safety Administration (NHTSA) on the Reported Toyota Motor Corporation (TMC) Unintended Acceleration (UA) Investigation. Jan. 18. http://www.nhtsa.gov/staticfiles/nvs/pdf/NASA-UA_report.pdf.

NHTSA. 2011. Technical Assessment of Toyota Electronic Throttle Control (ETC) Systems. Feb. http://www.nhtsa.gov/staticfiles/nvs/pdf/NHTSA-UA_report.pdf.

NTSB. 2009. Highway Special Investigation Report: Pedal Misapplication in Heavy Vehicles. http://www.ntsb.gov/doclib/safetystudies/SIR0902.pdf.

OIG. 2011. Process Improvements Are Needed for Identifying and Addressing Vehicle Safety Defects. Report MH-2012-001. Oct. 6.

Pollard, J., and E. D. Sussman. 1989. An Examination of Sudden Acceleration. Report DOT-HS-807-367. Transportation Systems Center, U.S. Department of Transportation.

Reinhart, W. 1994. The Effect of Countermeasures to Reduce the Incidence of Unintended Acceleration Accidents. Paper 94 S5 O 07. Proc., 14th International Technical Conference on Enhanced Safety of Vehicles, Washington, D.C., Vol. 1, pp. 821–845.

Rogers, S. B., and W. W. Wierwille. 1988. The Occurrence of Accelerator and Brake Pedal Actuation Errors During Simulated Driving. Human Factors, Vol. 31, No. 1, pp. 71–81.

Schmidt, R. A. 1989. Unintended Acceleration: A Review of Human Factors Contributions. Human Factors, Vol. 31, No. 3, pp. 345–364.

Vernoy, M. W., and J. Tomerlin. 1989. Pedal Error and Misperceived Centerline in Eight Different Automobiles. Human Factors, Vol. 31, No. 4, pp. 369–375.

Walter, R., G. Carr, H. Weinstock, E. D. Sussman, and J. Pollard. 1988. Study of Mechanical and Driver-Related Systems of the Audi 5000 Capable of Producing Uncontrolled Sudden Acceleration Incidents. Report DOT-TSC-NHTSA-88-4. Transportation Systems Center, U.S. Department of Transportation.