6 Recommendations to National Highway Traffic Safety Administration on Preparing for the Electronics-Intensive Vehicle
This report describes how
• Increasingly software-intensive electronics systems are being used in
automobiles to provide capabilities that are both related and unrelated
to vehicle safety (Chapter 2);
• Automotive manufacturers seek to ensure the performance of these
electronics systems through preventive and fail-safe measures imple-
mented during product design, development, and manufacturing as
well as through lessons learned from postproduction surveillance
(Chapter 3); and
• The National Highway Traffic Safety Administration’s (NHTSA’s) reg-
ulatory, research, and defect surveillance and investigation programs
are oriented and applied to oversee the performance of vehicles and
their constituent electronics systems (Chapter 4).
In reviewing NHTSA’s response to reports of unintended acceleration,
Chapter 5 provides a concrete example of much of the subject matter
of these earlier chapters. It discusses how NHTSA has sought to address
concerns about whether one electronics system, Toyota’s electronic
throttle control system (ETC), has performed safely. The discussion pro-
vides insight into the agency’s defect surveillance and investigation pro-
cesses and an example of how one automotive manufacturer has sought
to ensure the performance of a safety-critical electronics system. The
public apprehension and controversy that have surrounded Toyota’s
169
170 || The Safety Promise and Challenge of Automotive Electronics
ETC suggest the potential for other electronics systems to become impli-
cated in safety concerns, particularly as electronics systems assume more
vehicle safety and control functions.
In requesting these reviews, NHTSA tasked the committee with mak-
ing recommendations on how the agency’s regulatory, research, and
defect investigation activities can be strengthened to meet the safety
assurance challenges associated with the increasing use of electronics
systems. The various findings from Chapters 2 through 5, which are
summarized in Box 6-1, are synthesized in the following discussion and
provide the basis for several recommendations to NHTSA.
NHTSA’s Current Role with Respect to Vehicle Electronics
NHTSA recognizes that electronics systems are transforming the auto-
mobile and in the process giving rise to opportunities for making driving
safer and to new demands for ensuring that vehicles operate in a safe
manner. For example, NHTSA now requires that new vehicles possess
certain safety-enhancing capabilities that only electronics can provide,
such as electronic stability control intended to aid in rollover prevention.
Similar safety regulations may be promulgated in the future as agency
researchers evaluate and monitor the development status of other tech-
nologies for crash avoidance, such as automatic lane-keeping, crash-
imminent braking, alcohol detection, and blind spot surveillance. Because
of the use of electronics systems in managing and controlling more vehi-
cle functions, NHTSA’s Office of Defects Investigation (ODI) is observing
more manufacturer recalls that involve software reprogramming and
other fixes to electronics systems. This is to be expected as software-
intensive electronics supplant more mechanical, electromechanical, and
hydraulic systems.
The growth of electronics systems in vehicles is thus influencing all
aspects of NHTSA’s regulatory, research, and investigation activities.
That influence will almost certainly grow and place new demands on all
of these activities. Public apprehension about Toyota’s ETC and its role
in unintended acceleration revealed these changing demands in stark
fashion. The ETC is a simple technology compared with the newer sys-
tems being introduced and envisioned for motor vehicles. As these elec-
tronics systems become more complex, capable, and interconnected
Box 6-1
Summary of Findings
The Electronics-Intensive Automobile
Finding 2.1: Electronics systems have become critical to the
functioning of the modern automobile.
Finding 2.2: Electronics systems are being interconnected with
one another and with devices and networks external to the vehi-
cle to provide their desired functions.
Finding 2.3: Proliferating and increasingly interconnected elec-
tronics systems are creating opportunities to improve vehicle
safety and reliability as well as demands for addressing new sys-
tem safety and cybersecurity risks.
Finding 2.4: By enabling the introduction of many new vehicle
capabilities and changes in familiar driver interfaces, electronics
systems are presenting new human factors challenges for system
design and vehicle-level integration.
Finding 2.5: Electronics technology is enabling nearly all vehi-
cles to be equipped with event data recorders (EDRs) that store
information on collision-related parameters as well as enabling
other embedded systems that monitor the status of safety-critical
electronics, identify and diagnose abnormalities and defects, and
activate predefined corrective responses when a hazardous con-
dition is detected.
Safety Assurance Processes for Automotive Electronics
Finding 3.1: Automotive manufacturers visited during this
study—and probably all the others—implement many processes
during product design, engineering, and manufacturing intended
(a) to ensure that electronics systems perform as expected up to
defined failure probabilities and (b) to detect failures when they
occur and respond to them with appropriate containment actions.
Finding 3.2: Testing, analysis, modeling, and simulation are
used by automotive manufacturers to verify that their electronics
systems, the large majority of which are provided by suppliers,
have met all internal specifications and regulatory requirements,
including those relevant to safety performance.
Finding 3.3: Manufacturers face challenges in identifying and
modeling how a new electronics-based system will be used by
the driver and how it will interface and interact with the driver.
Finding 3.4: Automotive manufacturers have been cooperating
through the International Organization for Standardization to
develop a standard methodology for evaluating and establishing
the functional safety requirements for their electronics systems.
NHTSA Vehicle Safety Programs
Finding 4.1: A challenge before NHTSA is to further the use and
effectiveness of vehicle technologies that can aid safe driving and
mitigate hazardous driving behaviors and to develop the capa-
bilities to ensure that these technologies perform their functions
as intended and do not prompt other unsafe driver actions and
behaviors.
Finding 4.2: NHTSA’s Federal Motor Vehicle Safety Standards
(FMVSSs) are results-oriented and thus written in terms of min-
imum system performance requirements rather than prescribing
the means by which automotive manufacturers design, test, engi-
neer, and manufacture their safety-related electronics systems.
Finding 4.3: Through the Office of Defects Investigation (ODI),
NHTSA enforces the statutory requirement that vehicles in con-
sumer use not exhibit defects that adversely affect safe vehicle
performance.
Finding 4.4: NHTSA refers to its vehicle safety research program
as being “data driven” and decision-oriented, guided by analyses
of traffic crash data indicating where focused research can further
the introduction of new regulations and vehicle capabilities
aimed at mitigating known safety problems.
Finding 4.5: NHTSA regularly updates a multiyear plan that
explains the rationale for its near-term research and regulatory
priorities; however, the plan does not communicate strategic
considerations, such as how the safety challenges arising from
the electronics-intensive vehicle may require new regulatory and
research responses.
Finding 4.6: The Federal Aviation Administration’s (FAA’s) reg-
ulations for aircraft safety are comparable with the performance-
oriented FMVSSs in that the details of product design and
development are left largely to the manufacturers; however, FAA
exercises far greater oversight of the verification and validation
of designs and their implementation.
Finding 4.7: The U.S. Food and Drug Administration’s (FDA’s)
and NHTSA’s safety oversight processes are comparable in that
they combine safety performance requirements as a condition for
approval with postmarketing monitoring to detect and remedy
product safety deficiencies occurring in the field. FDA has estab-
lished a voluntary network of clinicians and hospitals known as
MedSun to provide a two-way channel of communication to sup-
port surveillance and more in-depth investigations of the safety
performance of medical devices.
NHTSA Initiatives on Unintended Acceleration
Finding 5.1: NHTSA has investigated driver complaints of vehicles
exhibiting various forms of unintended acceleration for decades,
the most serious involving high engine power indicative of a large
throttle opening.
Finding 5.2: NHTSA has most often attributed the occurrence of
unintended acceleration indicative of a large throttle opening to
pedal-related issues, including the driver accidentally pressing
the accelerator pedal instead of the brake pedal, floor mats and
other obstructions that entrap the accelerator pedal in a depressed
position, and sticking accelerator pedals.
Finding 5.3: NHTSA’s rationale for attributing certain unintended
acceleration events to pedal misapplication is valid, but such deter-
minations should not preclude further consideration of possible
vehicle-related factors contributing to the pedal misapplication.
Finding 5.4: Not all complaints of unintended acceleration have
the signature characteristics of pedal misapplication; in particu-
lar, when severe brake damage is confirmed or the loss of braking
effectiveness occurs more gradually after a prolonged effort by the
driver to control the vehicle’s speed, pedal misapplication is improb-
able, and NHTSA reported that it treats these cases differently.
Finding 5.5: NHTSA’s decision to close its investigation of Toyota’s
ETC as a possible cause of high-power unintended acceleration is
justified on the basis of the agency’s initial defect investigations,
which were confirmed by its follow-up analyses of thousands of
consumer complaints, in-depth examinations of EDRs in vehicles
suspected to have crashed as a result of unintended acceleration,
and the National Aeronautics and Space Administration’s exami-
nation of the Toyota ETC.
Finding 5.6: The Vehicle Owner’s Questionnaire consumer
complaint data appear to have been sufficient for ODI analysts
and investigators to detect an increase in high-power unintended
acceleration behaviors in Toyota vehicles, to distinguish these
behaviors from those commonly attributed to pedal misapplica-
tion, and to aid investigators in identifying pedal entrapment by
floor mats as the likely cause.
Finding 5.7: ODI’s investigation of unintended acceleration in
Toyota vehicles indicated how data saved in EDRs can be retrieved
from vehicles involved in crashes to supplement and assess other
information, including circumstantial evidence, in determining
causal and contributing factors.
with one another, not only will safety assurance demands grow but so
too will the challenge of building and maintaining public confidence in
their safe performance (see Finding 4.1).
NHTSA does not regulate vehicle electronics directly. Through its
Federal Motor Vehicle Safety Standards (FMVSSs), the agency requires
that vehicles have certain safety-critical features and capabilities and that
they perform to certain levels (see Finding 4.2). The regulatory emphasis
on system performance rather than design is evidenced by the fact that
the throttle control system in some vehicles might still rely on mechanical
links from the accelerator pedal to the throttle, whereas others may make
this connection through an ETC consisting of sensors, wires, computers,
and motorized actuators. Since NHTSA does not require a specific design,
it does not require, advise on, or evaluate the methods used by automo-
tive manufacturers in design-specific areas such as corrosion testing, elec-
tromagnetic compatibility, resistance to vibrations, or software integrity.
For the most part, NHTSA’s FMVSSs do not address such aspects of prod-
uct assurance, which are left to the manufacturer to decide.
Furthermore, the FMVSSs do not cover the vast majority of systems
that are in today’s vehicles, much less all electronics systems. Only a frac-
tion of the electronics systems in the modern automobile are intended to
provide an FMVSS-regulated safety capability. The manufacturer, there-
fore, is responsible for ensuring that these other systems do not create
safety hazards through their design or interaction with safety-critical
vehicle systems. For example, the FMVSSs require that certain vehicle
control mechanisms, such as the gearshift lever, be located within safe
reach of the driver, but the regulations are silent about similar controls
for nonsafety features such as the radio and navigation system. NHTSA
does not provide specific guidance or standards for the design of these
unregulated systems with regard to safety. Similarly, the FMVSSs do not
prescribe how electronics and other systems must be designed to avoid
interfering with the functioning of systems that are intended to meet an
FMVSS, such as keeping an entertainment system from interfering with
the required performance of wipers.
NHTSA enforces the use of safe system designs and compels effective
safety assurance by manufacturers through its compliance testing pro-
gram and defect surveillance and investigation activities (see Finding 4.3).
Moreover, ODI’s scope of interest is much wider than enforcing compli-
ance with FMVSSs; it can monitor, investigate, and seek remedies for any
vehicle-related deficiency considered to be harmful to public safety. ODI’s
investigation of floor mats as a possible cause of unintended acceleration
and its influence over Toyota in recalling millions of its vehicles for pedal
entrapment demonstrate ODI’s wider scope of interest and authority.
NHTSA’s vehicle safety research programs are focused on support-
ing agency decision making, particularly regulatory decisions (see
Finding 4.4). This emphasis is consistent with the agency’s mission of
addressing known traffic safety problems while it avoids entangle-
ment in the specific technological means by which automotive manufac-
turers meet the FMVSSs. Agency researchers do not generally develop
technologies.1 Instead, they examine emerging technologies to advise
regulators on whether new safety-enhancing vehicle capabilities are
technically feasible and could thus be required. The agency assumes
that manufacturers will undertake the requisite research to obtain the
design and engineering knowledge to establish appropriate safety pre-
cautions for their products.
Keeping Pace with the Safety Assurance Challenges Arising from Vehicle Electronics
As electronics systems proliferate in vehicles, it is reasonable to ask
whether NHTSA’s oversight and regulatory approach will need to be
adjusted to keep pace with the safety assurance challenges these systems
present. The ETC experience may be a harbinger of the demands to
come. The fact that NHTSA was subjected to and could not respond con-
vincingly to public concerns about Toyota’s ETC and needed to enlist the
technical expertise of the National Aeronautics and Space Administration
indicates how demands on the agency’s programs are changing.
The committee cannot predict the extent to which NHTSA’s vehicle
safety programs will need to be supplemented over time with new
resources, competencies, and infrastructure as electronics continue to
take over more vehicle controls. The findings in this study suggest that
NHTSA will need to know more about how manufacturers design safety
and security into electronics systems, monitor vehicles for evidence of
safety deficiencies that may have new hallmarks, and investigate and
test for problems in systems that may leave little physical evidence from
which to assess their cause. The remainder of this section discusses the
implications of the proliferation of electronics systems for NHTSA over-
sight and engagement.

1. NHTSA research has led to the development of some technologies used by the automotive industry, such as instrumented crash-test dummies used by automotive manufacturers during vehicle development and testing.
The controversy over whether ETCs caused unintended acceleration
and the general trend toward increasing use of electronics systems for
vehicle controls have raised questions about whether NHTSA should
exert more influence over the safety assurance processes followed by
industry.2 Although it is not an immediate option, NHTSA could move to
regulate these processes by establishing or approving testing methods
used for electronic control systems and their components, such as testing
for resistance to electromagnetic disturbances or software coding integrity.
Such in-depth oversight appears to be unlikely. It is difficult to see how
NHTSA could obtain the capacity for identifying suitable testing methods
in light of the wide variability in the way manufacturers design and engi-
neer vehicle systems. A more foreseeable option is for NHTSA to require
that automobile manufacturers provide evidence that they have followed
rigorous safety assurance processes during the design, development, and
manufacture of electronics systems having implications for vehicle safety.
Chapter 3 reviews how automotive manufacturers seek to ensure the
safe performance of their electronics systems. This study could not assess
the quality of these processes or how well they are executed. Nevertheless,
Chapter 3’s review suggests that automotive manufacturers use many of
the same fundamental processes for safety assurance and that they are
systematic and carefully thought through (see Findings 3.1, 3.2, and
3.3). The processes consist of measures intended to guard against failures
up to defined risk probabilities and to detect and respond to failures that
do occur. Their design relevance and the system-level structure of these
processes suggest the futility of NHTSA (or any other regulator) prescrib-
ing specific testing methods, preventive measures, fail-safe strategies, or
other assurance processes.
The closest example of a regulatory agency having such hands-on
safety assurance responsibility in the U.S. Department of Transportation
is the Federal Aviation Administration’s (FAA’s) oversight of aircraft
development and manufacturing. Even FAA recognizes the impractical-
ity of prescribing specific design and testing processes. Instead, the agen-
cy’s emphasis is on requiring manufacturers to demonstrate that they
have established robust and carefully followed safety assurance systems.
These assurance systems can be examined in depth by FAA because air-
craft manufacturers must apply to the regulatory agency for approval to
build a new aircraft type. Accordingly, FAA verifies and certifies that
aircraft manufacturers have instituted sound safety assurance systems
through preapproval of plans and reviews of their implementation. To
facilitate compliance, FAA advises manufacturers to follow certain pre-
approved processes for aspects of product development, including safety
assurance standards developed by industry.

2. See “Response by Toyota and NHTSA to Incidents of Sudden Unintended Acceleration.” Hearing before the U.S. House of Representatives Committee on Energy and Commerce, Subcommittee on Oversight and Investigations, February 23, 2010.
FAA’s approach to safety oversight requires significant resources and
authorities (see Finding 4.6). Although the agency designates senior
engineers from aircraft manufacturers to fulfill many of the detailed doc-
ument reviews and inspections that make up the certification process,
FAA staff must review the most significant process elements. As dis-
cussed in Chapter 4, FAA has a major unit, the Aircraft Certification
Service, dedicated to this function and housed in more than two dozen
offices across the country and abroad. The Aircraft Certification Service
requires a large cadre of test pilots, manufacturing inspectors, safety
engineers, and technical specialists in key disciplines such as flight loads,
nondestructive evaluation, flight management, and human factors.
For NHTSA to engage in similar regulatory oversight would represent
a fundamental change in the agency’s regulatory approach and would
require justification and substantial resources. The introduction of auton-
omous vehicles, as envisioned in some intelligent vehicle concepts, could
one day provide the grounds for NHTSA to adopt an oversight approach
with elements modeled after those of FAA. At the moment, the justifica-
tion for such a fundamental change in the way NHTSA regulates automo-
tive safety is not evident, nor is such a change in regulatory direction a
foreseeable prospect.
The near-term prospect is an effort to establish a consensus standard
through the International Organization for Standardization (ISO) intended
to guide automotive manufacturers as they develop their safety assurance
processes, particularly for electronics systems affecting vehicle safety and
control functions (see Finding 3.4). The pending standard, ISO 26262, will
not prescribe the specific content of each manufacturer’s safety assur-
ance regime. However, it will compel subscribers to follow steps ensur-
ing that the safety implications of electronics systems are well identified,
analyzed for risks, and the subject of appropriate risk management actions.
How influential this voluntary standard will become is not yet known,
but many manufacturers selling vehicles and automotive equipment in
the United States appear to be intent on following its guidance in whole
or in large part.
Whether widespread industry adherence to a process-based standard
like ISO 26262 will lead to safer-performing vehicle electronics will depend
to a large extent on the adequacy of existing manufacturer assurance pro-
cesses and the degree to which manufacturers change their processes in
response to the standard’s guidance. The industry’s apparent intention to
follow ISO 26262 may give NHTSA greater confidence that manufacturers
are striving to keep abreast of the challenges associated with electronics.
Even if the agency does not endorse or require adherence to the standard,
NHTSA will have a keen interest in ensuring the standard’s safety effec-
tiveness if many automotive manufacturers choose to follow it.
As a general matter, the committee recommends that NHTSA
become more familiar with and engaged in standard-setting and other
efforts involving industry that are aimed at strengthening the means
by which manufacturers ensure the safe performance of their automo-
tive electronics systems (Recommendation 1). In the committee’s view,
such cooperative efforts represent an opportunity for NHTSA to gain a
stronger understanding of how manufacturers seek to prevent safety
problems through measures taken during product design, development,
and fabrication. By engaging in these efforts, the agency will be better
able to influence industry safety assurance and recognize where it can
contribute most effectively to strengthening such preventive measures.
The introduction of ISO 26262 represents a potential opportunity for
NHTSA to engage and collaborate with industry. As manufacturers reas-
sess and adjust their safety assurance processes in response to the ISO
standard and other industry-level guidance, many will undoubtedly
need more information and analysis. Some will have research needs that
NHTSA may be able to help meet. In the committee’s view, support for
this industry research can be a practical means by which NHTSA engi-
neers and other personnel can increase their familiarity with industry
safety assurance processes. Box 6-2 gives examples of where collabora-
tive research and analysis supported by NHTSA may contribute to the
strengthening of industry safety assurance processes and to the agency’s
own technical knowledge and competencies.
Exploration of other means by which NHTSA can interact with indus-
try in furthering electronics safety assurance will also be important.
Exploiting a range of opportunities will be critical in the committee’s
Box 6-3
Candidate Research and Analysis to Support ODI Capabilities and Functions
• Examine modifications to the VOQ that can make it more use-
ful to ODI analysts and investigators by facilitating the ability
of consumers to convey the vehicle conditions and behaviors
they experience more precisely and by making the informa-
tion more amenable to quantitative evaluation. Consideration
might be given to new features in the online questionnaire,
such as drop-down menus with condition choices or upload-
ing capabilities, that can make the questionnaire easier to
complete and provide drivers more opportunity to convey
details on the vehicle and its condition and behavior.
• In collaboration with manufacturers, examine a cross section of
safety-related recalls whose cause was attributed to deficiencies
in electronics or software and identify how the defects escaped
verification and safety assurance processes. The examination
should seek to identify weaknesses in these processes and
means by which they have been strengthened.
• Investigate and make recommendations on ways to obtain
more timely and detailed EWR-type data for defect surveil-
lance and investigation. For example, consideration might be
given to the creation of a voluntary network of automotive
dealers and major repair centers to which ODI can turn for
more timely and detailed vehicle servicing, repair, and parts
data for defect monitoring and investigation. FDA’s network
for obtaining safety performance data on medical devices might
serve as a model. To the extent that NHTSA can make use of
current dealer–original equipment manufacturer networks for
this data-gathering purpose, the inflexibilities associated with
mandated data reporting systems such as the EWR could be
reduced. NHTSA’s Crash Injury Research Engineering Network
program for collecting data for research on crash injuries offers
another potential conceptual model for a collaborative forum.
• Examine how the data from consumer complaints of unsafe
experiences in the field can be mined through electronic
means and how the complaints might offer insight into safety
issues that arise from human–systems interactions. Explore
how these issues may be changing with the introduction and
expansion of vehicle electronics systems.
The committee is not in a position to know where these initiatives
should rank among NHTSA’s research and rulemaking priorities.
Nevertheless, the committee concurs with NHTSA’s intent to ensure
that EDRs be commonplace in new vehicles and recommends that
the agency pursue this outcome, recognizing that the utility of more
extensive and capable EDRs will depend in large part on the extent
to which the stored data can be retrieved for safety investigations
(Recommendation 4). NHTSA’s stated plan is to consider “future enhance-
ments” to EDRs, which is particularly intriguing for the following two
reasons. First, failures in electronics systems, including those related to
software programming, intermittent electrical faults, and electromagnetic
disturbances, may not leave physical traces to aid investigations into the
causes of failures. Second, mistakes by drivers also may not leave a phys-
ical trace, even if these errors result in part from vehicle-related factors
such as startling vehicle noises or unexpected or unfamiliar vehicle
behaviors. The absence of such physical evidence has hindered investiga-
tions of the ETC’s role in unintended acceleration and may become even
more problematic as the number and complexity of automotive electron-
ics systems grow. Advanced data recording systems may help counter
some of these problems if the data can be accessed by investigators. In the
committee’s view, the utility and feasibility of equipping vehicles with
more advanced data-recording systems that can log a wider range of data
warrant further study and are thus among the candidate research topics
identified in Box 6-2.
The committee also endorses NHTSA’s stated plan to conduct
research on pedal design and placement and keyless ignition design
requirements but recommends that this research be a precursor to a
broader human factors research initiative in collaboration with indus-
try and that the research be aimed at informing manufacturers’ sys-
tem design decisions (Recommendation 5). A number of examples
of research that could be pursued through such a program are given
in Box 6-2.
Strategic Planning to Guide Future Decisions and Priorities
The four priority items above represent specific agency responses to the
events surrounding unintended acceleration. The next priority plan may
list more such items, some in response to newly arising safety concerns.
Asked to advise NHTSA on its rulemaking, research, and resource pri-
orities, the committee questions the wisdom of recommending the addi-
tion to this list of more narrowly construed initiatives and whether doing
so would be at odds with the agency developing an effective longer-term
strategy for meeting the safety demands arising from vehicle electronics.
The committee notes that the current priority plan describes the Office of
Vehicle Safety as being “currently in the process of developing a longer-
term motor vehicle safety strategic plan that would encompass the period
2014 to 2020” (NHTSA 2011, 1). Presumably, this strategic plan could
provide a road map for NHTSA’s decisions with regard to the safety over-
sight challenges arising from the electronics-intensive vehicle; however,
the plan’s status and purpose have not been articulated.
The committee believes that strategic planning is fundamental to sound decision making and thus recommends that NHTSA initiate a strategic planning effort that gives explicit consideration to the safety challenges resulting from vehicle electronics and that gives rise to an agenda for meeting them. The agenda should spell out the near- and longer-term changes that will be needed in the scope, direction, and capabilities of the agency’s regulatory, research, and defect investigation programs (Recommendation 6). Some of the key elements of successful strategic planning are outlined in Box 6-4. In the committee’s view, it is vital that the planning be (a) prospective in considering the safety challenges arising from the electronics-intensive vehicle, (b) introspective in considering the implications of these challenges for NHTSA’s vehicle safety role and programs, and (c) strategic in guiding critical decisions concerning matters such as the most appropriate agency regulatory approaches and associated research and resource requirements.

Box 6-4
Elements of a Strategic Planning Process
In the committee’s view, the following are fundamental to strategic planning:
• Involved and supportive management led by senior staff,
• Cross-functional participation from throughout the organization,
• Third-party facilitation and other influential outside participants,
• The expectation that the process will take time and effort and not be completed in one or two meetings, and
• Regular updates made available to the public and decision makers.
The following are key process elements:
• Define the agency mission and principal agency activities
• State goals and desired outcomes
• Assess the external environment. The following are example considerations:
– Who are the prime “customers” of the agency?
– What are their expectations, and are they changing?
– How is the technology of the automobile changing fundamentally, and how is this affecting the agency in fulfilling its mission or role?
– How will technology continue to change?
– Which external organizations have a major impact on the agency’s functioning, and what is the agency’s relationship with them?
– What data are important in executing the agency’s role effectively?
– How can technology changes, such as the Internet and its instant communications, be expected to affect the agency, positively and negatively?
– How might adversaries utilize the vehicle fleet for harm? What can be done about it?
• Assess the agency. The following are example considerations:
– What are the agency’s strengths and weaknesses (unit by unit)?
– Has the agency’s role changed over the years? Has the agency adapted to those changes? How?
– Is the agency’s staffing of the various functions consistent with the needed activity level in those functions? Is it consistent with the technology level?
– What are the strengths and weaknesses of the databases used by the agency in conducting its work? For example, what do the databases indicate in terms of changing reasons for recalls and changing corrective actions?
– Is the agency using the technology of the Internet and modern information technology in general to enhance performance of its role?
– What are the strengths and weaknesses of the agency’s relationship with the industry it monitors and regulates?
– What are the strengths and weaknesses of the FMVSSs in terms of the automotive technology of today and the future?
– What are the strengths and weaknesses of agency research programs, including research staff levels and capabilities?
– How does the agency compare with FAA and FDA with respect to staffing, relationship with the industry regulated, and effectiveness?
– What have been the greatest agency successes and its greatest failures?
– What does the agency consider to be critical factors for its success?
• Articulate the agency’s key strategies and objectives going forward:
– The agency’s role and responsibilities redefined or reiterated clearly
– An explicit strategy developed for how to adapt to the expected changes in technology
– Goals set for the size, nature, and content of the research programs in support of agency goals
– Goals set for the size and capabilities of the staff in its various units such as ODI
– Improvement objectives established for the databases used in the work of the agency
– Metrics defined to indicate the agency’s performance of its defined roles and responsibilities
The strategic planning process will put NHTSA in a better position to address and make decisions about matters such as the following:
• Whether the agency’s regulatory role should be modified to take into account the safety assurance processes followed by automotive manufacturers during product development. For example, the advantages and disadvantages of urging or requiring manufacturers to demonstrate that they are implementing rigorous safety assurance as part of the design, development, and manufacturing of electronics systems that affect safety-critical functions should be examined.
• How NHTSA’s research can be broadened to go beyond the provision of mostly technical support for regulatory decisions to (a) provide similar support for ODI as it seeks to strengthen its safety surveillance, investigation, and data availability and analysis capabilities and (b) help meet the shared research needs of automotive manufacturers as they seek to improve their safety assurance processes. Such strategic planning would provide an opportunity for NHTSA to consider the nature of the research it undertakes, what should be encompassed by its research in the future, and the methods that are used to identify key research needs.
• The most appropriate means by which NHTSA can consult and interact more effectively with automotive manufacturers to (a) identify the safety assurance challenges arising from vehicle electronics, (b) understand how industry is working to meet these challenges, and (c) facilitate collaboration and cooperation among manufacturers and NHTSA.
The committee further recommends that NHTSA make development and completion of the strategic plan a top goal in its coming 3-year priority plan. NHTSA should communicate the purpose of the planning effort, define how it will be developed and implemented commensurate with advice in this report, and give a definite time frame for its completion. The plan should be made public so as to guide key policy decisions—from budgetary to legislative—that will determine the scope and direction of the agency’s vehicle safety programs (Recommendation 7).

The long-term importance of strategic planning is obvious: the technological transformation of the automobile will continue, and being prepared for more safety concerns that arise rather than reacting to them will become increasingly important. As electronics systems proliferate, NHTSA will be called on to investigate suspected safety deficiencies in them, but it can ill afford to explore potential vulnerabilities in the same extraordinary manner that it did for Toyota’s ETC.

The committee observes that NHTSA researchers are working with the automotive industry, universities, and other government agencies to examine future crash avoidance concepts such as vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications systems. These systems will enable even greater vehicle autonomy and necessitate advancements in vehicle electronics that will go well beyond any systems now being deployed. In the same vein, changes in the division of functions between the driver and the vehicle will (a) present new demands for and interpretations of FMVSSs; (b) heighten the need for safety assurance processes that instill high levels of driver confidence in these systems; and (c) place new demands on ODI’s defect surveillance, analysis, and investigation activities.

The technical and economic feasibility of V2V, V2I, and other intelligent transportation systems are not considered in this study. However, it is difficult to imagine NHTSA accommodating their introduction without adapting its regulatory, research, and investigation processes. The strategic planning recommended here is not of a scope that would allow the agency to prepare for the many implications associated with conceived future systems such as V2V and V2I. However, by engaging in strategic planning on an ongoing basis, NHTSA will be in a better position to meet the safety demands that such technological advancements are likely to bring. The recommendations to NHTSA in this report are contained in Box 6-5.
Box 6-5
Recommendations to NHTSA
Recommendation 1: The committee recommends that NHTSA become more familiar with and engaged in standard-setting and other efforts involving industry that are aimed at strengthening the means by which manufacturers ensure the safe performance of their automotive electronics systems.
Recommendation 2: The committee recommends that NHTSA convene a standing technical advisory panel comprising individuals with backgrounds in the disciplines central to the design, development, and safety assurance of automotive electronics systems, including software and systems engineering, human factors, and electronics hardware. The panel should be consulted on relevant technical matters that arise with respect to all of the agency’s vehicle safety programs, including regulatory reviews, defect investigation processes, and research needs assessments.
Recommendation 3: The committee recommends that NHTSA undertake a comprehensive review of the capabilities that ODI will need in monitoring for and investigating safety deficiencies in electronics-intensive vehicles. A regular channel of communication should be established between NHTSA’s research program and ODI to ensure that (a) recurrent vehicle- and driver-related safety problems observed in the field are the subjects of research and (b) research is committed to furthering ODI’s surveillance and investigation capabilities, particularly the detail, timeliness, and analyzability of the consumer complaint and early warning data central to these capabilities.
Recommendation 4: The committee concurs with NHTSA’s intent to ensure that EDRs be commonplace in new vehicles and recommends that the agency pursue this outcome, recognizing that the utility of more extensive and capable EDRs will depend in large part on the extent to which the stored data can be retrieved for safety investigations.
Recommendation 5: The committee endorses NHTSA’s stated plan to conduct research on pedal design and placement and keyless ignition design requirements but recommends that this research be a precursor to a broader human factors research initiative in collaboration with industry and that the research be aimed at informing manufacturers’ system design decisions.
Recommendation 6: The committee recommends that NHTSA initiate a strategic planning effort that gives explicit consideration to the safety challenges resulting from vehicle electronics and that gives rise to an agenda for meeting them. The agenda should spell out the near- and longer-term changes that will be needed in the scope, direction, and capabilities of the agency’s regulatory, research, and defect investigation programs.
Recommendation 7: The committee recommends that NHTSA make development and completion of the strategic plan a top goal in its coming 3-year priority plan. NHTSA should communicate the purpose of the planning effort, define how it will be developed and implemented commensurate with advice in this report, and give a definite time frame for its completion. The plan should be made public so as to guide key policy decisions—from budgetary to legislative—that will determine the scope and direction of the agency’s vehicle safety programs.
REFERENCE
Abbreviation
NHTSA National Highway Traffic Safety Administration
NHTSA. 2011. NHTSA Vehicle Safety and Fuel Economy Rulemaking and Research Priority Plan, 2011–2013. March. http://www.nhtsa.gov/staticfiles/rulemaking/pdf/2011-2013_Vehicle_Safety-Fuel_Economy_Rulemaking-Research_Priority_Plan.pdf.