Click for next page ( 170


The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 169
6 Recommendations to National Highway Traffic Safety Administration on Preparing for the Electronics-Intensive Vehicle This report describes how • Increasingly software-intensive electronics systems are being used in automobiles to provide capabilities that are both related and unrelated to vehicle safety (Chapter 2); • Automotive manufacturers seek to ensure the performance of these electronics systems through preventive and fail-safe measures imple- mented during product design, development, and manufacturing as well as through lessons learned from postproduction surveillance (Chapter 3); and • The National Highway Traffic Safety Administration’s (NHTSA’s) reg- ulatory, research, and defect surveillance and investigation programs are oriented and applied to oversee the performance of vehicles and their constituent electronics systems (Chapter 4). In reviewing NHTSA’s response to reports of unintended acceleration, Chapter 5 provides a concrete example of much of the subject matter of these earlier chapters. It discusses how NHTSA has sought to address concerns about whether one electronics system, Toyota’s electronic throttle control system (ETC), has performed safely. The discussion pro- vides insight into the agency’s defect surveillance and investigation pro- cesses and an example of how one automotive manufacturer has sought to ensure the performance of a safety-critical electronics system. The public apprehension and controversy that have surrounded Toyota’s 169

OCR for page 169
170 || The Safety Promise and Challenge of Automotive Electronics ETC suggest the potential for other electronics systems to become impli- cated in safety concerns, particularly as electronics systems assume more vehicle safety and control functions. In requesting these reviews, NHTSA tasked the committee with mak- ing recommendations on how the agency’s regulatory, research, and defect investigation activities can be strengthened to meet the safety assurance challenges associated with the increasing use of electronics systems. The various findings from Chapters 2 through 5, which are summarized in Box 6-1, are synthesized in the following discussion and provide the basis for several recommendations to NHTSA. NHTSA’s CurreNT role wiTH reSpeCT To VeHiCle eleCTroNiCS NHTSA recognizes that electronics systems are transforming the auto- mobile and in the process giving rise to opportunities for making driving safer and to new demands for ensuring that vehicles operate in a safe manner. For example, NHTSA now requires that new vehicles possess certain safety-enhancing capabilities that only electronics can provide, such as electronic stability control intended to aid in rollover prevention. Similar safety regulations may be promulgated in the future as agency researchers evaluate and monitor the development status of other tech- nologies for crash avoidance, such as automatic lane-keeping, crash- imminent braking, alcohol detection, and blind spot surveillance. Because of the use of electronics systems in managing and controlling more vehi- cle functions, NHTSA’s Office of Defects Investigation (ODI) is observing more manufacturer recalls that involve software reprogramming and other fixes to electronics systems. This is to be expected as software- intensive electronics supplant more mechanical, electromechanical, and hydraulic systems. The growth of electronics systems in vehicles is thus influencing all aspects of NHTSA’s regulatory, research, and investigation activities. That influence will almost certainly grow and place new demands on all of these activities. Public apprehension about Toyota’s ETC and its role in unintended acceleration revealed these changing demands in stark fashion. The ETC is a simple technology compared with the newer sys- tems being introduced and envisioned for motor vehicles. As these elec- tronics systems become more complex, capable, and interconnected

OCR for page 169
171 Recommendations to NHTSA || Box 6-1 Summary of Findings The electronics-intensive Automobile Finding 2.1: Electronics systems have become critical to the functioning of the modern automobile. Finding 2.2: Electronics systems are being interconnected with one another and with devices and networks external to the vehi- cle to provide their desired functions. Finding 2.3: Proliferating and increasingly interconnected elec- tronics systems are creating opportunities to improve vehicle safety and reliability as well as demands for addressing new sys- tem safety and cybersecurity risks. Finding 2.4: By enabling the introduction of many new vehicle capabilities and changes in familiar driver interfaces, electronics systems are presenting new human factors challenges for system design and vehicle-level integration. Finding 2.5: Electronics technology is enabling nearly all vehi- cles to be equipped with event data recorders (EDRs) that store information on collision-related parameters as well as enabling other embedded systems that monitor the status of safety-critical electronics, identify and diagnose abnormalities and defects, and activate predefined corrective responses when a hazardous con- dition is detected. Safety Assurance processes for Automotive electronics Finding 3.1: Automotive manufacturers visited during this study—and probably all the others—implement many processes during product design, engineering, and manufacturing intended (a) to ensure that electronics systems perform as expected up to defined failure probabilities and (b) to detect failures when they occur and respond to them with appropriate containment actions. (continued on next page)

OCR for page 169
172 || The Safety Promise and Challenge of Automotive Electronics Box 6-1 (continued) Summary of Findings Finding 3.2: Testing, analysis, modeling, and simulation are used by automotive manufacturers to verify that their electronics systems, the large majority of which are provided by suppliers, have met all internal specifications and regulatory requirements, including those relevant to safety performance. Finding 3.3: Manufacturers face challenges in identifying and modeling how a new electronics-based system will be used by the driver and how it will interface and interact with the driver. Finding 3.4: Automotive manufacturers have been cooperating through the International Organization for Standardization to develop a standard methodology for evaluating and establishing the functional safety requirements for their electronics systems. NHTSA Vehicle Safety programs Finding 4.1: A challenge before NHTSA is to further the use and effectiveness of vehicle technologies that can aid safe driving and mitigate hazardous driving behaviors and to develop the capa- bilities to ensure that these technologies perform their functions as intended and do not prompt other unsafe driver actions and behaviors. Finding 4.2: NHTSA’s Federal Motor Vehicle Safety Standards (FMVSSs) are results-oriented and thus written in terms of min- imum system performance requirements rather than prescribing the means by which automotive manufacturers design, test, engi- neer, and manufacture their safety-related electronics systems. Finding 4.3: Through the Office of Defects Investigation (ODI), NHTSA enforces the statutory requirement that vehicles in con- sumer use not exhibit defects that adversely affect safe vehicle performance. Finding 4.4: NHTSA refers to its vehicle safety research program as being “data driven” and decision-oriented, guided by analyses of traffic crash data indicating where focused research can fur-

OCR for page 169
173 Recommendations to NHTSA || Box 6-1 (continued) Summary of Findings ther the introduction of new regulations and vehicle capabilities aimed at mitigating known safety problems. Finding 4.5: NHTSA regularly updates a multiyear plan that explains the rationale for its near-term research and regulatory priorities; however, the plan does not communicate strategic considerations, such as how the safety challenges arising from the electronics-intensive vehicle may require new regulatory and research responses. Finding 4.6: The Federal Aviation Administration’s (FAA’s) reg- ulations for aircraft safety are comparable with the performance- oriented FMVSSs in that the details of product design and development are left largely to the manufacturers; however, FAA exercises far greater oversight of the verification and validation of designs and their implementation. Finding 4.7: The U.S. Food and Drug Administration’s (FDA’s) and NHTSA’s safety oversight processes are comparable in that they combine safety performance requirements as a condition for approval with postmarketing monitoring to detect and remedy product safety deficiencies occurring in the field. FDA has estab- lished a voluntary network of clinicians and hospitals known as MedSun to provide a two-way channel of communication to sup- port surveillance and more in-depth investigations of the safety performance of medical devices. NHTSA initiatives on unintended Acceleration Finding 5.1: NHTSA has investigated driver complaints of vehicles exhibiting various forms of unintended acceleration for decades, the most serious involving high engine power indicative of a large throttle opening. Finding 5.2: NHTSA has most often attributed the occurrence of unintended acceleration indicative of a large throttle opening to pedal-related issues, including the driver accidentally pressing the accelerator pedal instead of the brake pedal, floor mats and (continued on next page)

OCR for page 169
174 || The Safety Promise and Challenge of Automotive Electronics Box 6-1 (continued) Summary of Findings other obstructions that entrap the accelerator pedal in a depressed position, and sticking accelerator pedals. Finding 5.3: NHTSA’s rationale for attributing certain unintended acceleration events to pedal misapplication is valid, but such deter- minations should not preclude further consideration of possible vehicle-related factors contributing to the pedal misapplication. Finding 5.4: Not all complaints of unintended acceleration have the signature characteristics of pedal misapplication; in particu- lar, when severe brake damage is confirmed or the loss of braking effectiveness occurs more gradually after a prolonged effort by the driver to control the vehicle’s speed, pedal misapplication is improb- able, and NHTSA reported that it treats these cases differently. Finding 5.5: NHTSA’s decision to close its investigation of Toyota’s ETC as a possible cause of high-power unintended acceleration is justified on the basis of the agency’s initial defect investigations, which were confirmed by its follow-up analyses of thousands of consumer complaints, in-depth examinations of EDRs in vehicles suspected to have crashed as a result of unintended acceleration, and the National Aeronautics and Space Administration’s exami- nation of the Toyota ETC. Finding 5.6: The Vehicle Owner’s Questionnaire consumer complaint data appear to have been sufficient for ODI analysts and investigators to detect an increase in high-power unintended acceleration behaviors in Toyota vehicles, to distinguish these behaviors from those commonly attributed to pedal misapplica- tion, and to aid investigators in identifying pedal entrapment by floor mats as the likely cause. Finding 5.7: ODI’s investigation of unintended acceleration in Toyota vehicles indicated how data saved in EDRs can be retrieved from vehicles involved in crashes to supplement and assess other information, including circumstantial evidence, in determining causal and contributing factors.

OCR for page 169
175 Recommendations to NHTSA || with one another, not only will safety assurance demands grow but so too will the challenge of building and maintaining public confidence in their safe performance (see Finding 4.1). NHTSA does not regulate vehicle electronics directly. Through its Federal Motor Vehicle Safety Standards (FMVSSs), the agency requires that vehicles have certain safety-critical features and capabilities and that they perform to certain levels (see Finding 4.2). The regulatory emphasis on system performance rather than design is evidenced by the fact that the throttle control system in some vehicles might still rely on mechanical links from the accelerator pedal to the throttle, whereas others may make this connection through an ETC consisting of sensors, wires, computers, and motorized actuators. Since NHTSA does not require a specific design, it does not require, advise on, or evaluate the methods used by automo- tive manufacturers in design-specific areas such as corrosion testing, elec- tromagnetic compatibility, resistance to vibrations, or software integrity. For the most part, NHTSA’s FMVSSs do not address such aspects of prod- uct assurance, which are left to the manufacturer to decide. Furthermore, the FMVSSs do not cover the vast majority of systems that are in today’s vehicles, much less all electronics systems. Only a frac- tion of the electronics systems in the modern automobile are intended to provide an FMVSS-regulated safety capability. The manufacturer, there- fore, is responsible for ensuring that these other systems do not create safety hazards through their design or interaction with safety-critical vehicle systems. For example, the FMVSSs require that certain vehicle control mechanisms, such as the gearshift lever, be located within safe reach of the driver, but the regulations are silent about similar controls for nonsafety features such as the radio and navigation system. NHTSA does not provide specific guidance or standards for the design of these unregulated systems with regard to safety. Similarly, the FMVSSs do not prescribe how electronics and other systems must be designed to avoid interfering with the functioning of systems that are intended to meet an FMVSS, such as keeping an entertainment system from interfering with the required performance of wipers. NHTSA enforces the use of safe system designs and compels effective safety assurance by manufacturers through its compliance testing pro- gram and defect surveillance and investigation activities (see Finding 4.3). Moreover, ODI’s scope of interest is much wider than enforcing compli- ance with FMVSSs; it can monitor, investigate, and seek remedies for any vehicle-related deficiency considered to be harmful to public safety. ODI’s

OCR for page 169
176 || The Safety Promise and Challenge of Automotive Electronics investigation of floor mats as a possible cause of unintended acceleration and its influence over Toyota in recalling millions of its vehicles for pedal entrapment demonstrate ODI’s wider scope of interest and authority. NHTSA’s vehicle safety research programs are focused on support- ing agency decision making, particularly regulatory decisions (see Finding 4.4). This emphasis is consistent with the agency’s mission of addressing known traffic safety problems while it avoids entangle- ment in the specific technological means by which automotive manufac- turers meet the FMVSSs. Agency researchers do not generally develop technologies.1 Instead, they examine emerging technologies to advise regulators on whether new safety-enhancing vehicle capabilities are technically feasible and could thus be required. The agency assumes that manufacturers will undertake the requisite research to obtain the design and engineering knowledge to establish appropriate safety pre- cautions for their products. KeepiNg pACe wiTH THe SAFeTy ASSurANCe CHAlleNgeS AriSiNg From VeHiCle eleCTroNiCS As electronics systems proliferate in vehicles, it is reasonable to ask whether NHTSA’s oversight and regulatory approach will need to be adjusted to keep pace with the safety assurance challenges these systems present. The ETC experience may be a harbinger of the demands to come. The fact that NHTSA was subjected to and could not respond con- vincingly to public concerns about Toyota’s ETC and needed to enlist the technical expertise of the National Aeronautics and Space Administration indicates how demands on the agency’s programs are changing. The committee cannot predict the extent to which NHTSA’s vehicle safety programs will need to be supplemented over time with new resources, competencies, and infrastructure as electronics continue to take over more vehicle controls. The findings in this study suggest that NHTSA will need to know more about how manufacturers design safety and security into electronics systems, monitor vehicles for evidence of safety deficiencies that may have new hallmarks, and investigate and test for problems in systems that may leave little physical evidence from NHTSA research has led to the development of some technologies used by the automotive industry, 1 such as instrumented crash-test dummies used by automotive manufacturers during vehicle develop- ment and testing.

OCR for page 169
177 Recommendations to NHTSA || which to assess their cause. The remainder of this section discusses the implications of the proliferation of electronics systems for NHTSA over- sight and engagement. The controversy over whether ETCs caused unintended acceleration and the general trend toward increasing use of electronics systems for vehicle controls have raised questions about whether NHTSA should exert more influence over the safety assurance processes followed by industry.2 Although it is not an immediate option, NHTSA could move to regulate these processes by establishing or approving testing methods used for electronic control systems and their components, such as testing for resistance to electromagnetic disturbances or software coding integrity. Such in-depth oversight appears to be unlikely. It is difficult to see how NHTSA could obtain the capacity for identifying suitable testing methods in light of the wide variability in the way manufacturers design and engi- neer vehicle systems. A more foreseeable option is for NHTSA to require that automobile manufacturers provide evidence that they have followed rigorous safety assurance processes during the design, development, and manufacture of electronics systems having implications for vehicle safety. Chapter 3 reviews how automotive manufacturers seek to ensure the safe performance of their electronics systems. This study could not assess the quality of these processes or how well they are executed. Nevertheless, Chapter 3’s review suggests that automotive manufacturers use many of the same fundamental processes for safety assurance and that they are systematic and carefully thought through (see Findings 3.1, 3.2, and 3.3). The processes consist of measures intended to guard against failures up to defined risk probabilities and to detect and respond to failures that do occur. Their design relevance and the system-level structure of these processes suggest the futility of NHTSA (or any other regulator) prescrib- ing specific testing methods, preventive measures, fail-safe strategies, or other assurance processes. The closest example of a regulatory agency having such hands-on safety assurance responsibility in the U.S. Department of Transportation is the Federal Aviation Administration’s (FAA’s) oversight of aircraft development and manufacturing. Even FAA recognizes the impractical- ity of prescribing specific design and testing processes. Instead, the agen- cy’s emphasis is on requiring manufacturers to demonstrate that they See “Response by Toyota and NHTSA to Incidents of Sudden Unintended Acceleration.” Hearing 2 before the U.S. House of Representatives Committee on Energy and Commerce, Subcommittee on Oversight and Investigations, February 23, 2010.

OCR for page 169
178 || The Safety Promise and Challenge of Automotive Electronics have established robust and carefully followed safety assurance systems. These assurance systems can be examined in depth by FAA because air- craft manufacturers must apply to the regulatory agency for approval to build a new aircraft type. Accordingly, FAA verifies and certifies that aircraft manufacturers have instituted sound safety assurance systems through preapproval of plans and reviews of their implementation. To facilitate compliance, FAA advises manufacturers to follow certain pre- approved processes for aspects of product development, including safety assurance standards developed by industry. FAA’s approach to safety oversight requires significant resources and authorities (see Finding 4.6). Although the agency designates senior engineers from aircraft manufacturers to fulfill many of the detailed doc- ument reviews and inspections that make up the certification process, FAA staff must review the most significant process elements. As dis- cussed in Chapter 4, FAA has a major unit, the Aircraft Certification Service, dedicated to this function and housed in more than two dozen offices across the country and abroad. The Aircraft Certification Service requires a large cadre of test pilots, manufacturing inspectors, safety engineers, and technical specialists in key disciplines such as flight loads, nondestructive evaluation, flight management, and human factors. For NHTSA to engage in similar regulatory oversight would represent a fundamental change in the agency’s regulatory approach and would require justification and substantial resources. The introduction of auton- omous vehicles, as envisioned in some intelligent vehicle concepts, could one day provide the grounds for NHTSA to adopt an oversight approach with elements modeled after those of FAA. At the moment, the justifica- tion for such a fundamental change in the way NHTSA regulates automo- tive safety is not evident, nor is such a change in regulatory direction a foreseeable prospect. The near-term prospect is an effort to establish a consensus standard through the International Organization for Standardization (ISO) intended to guide automotive manufacturers as they develop their safety assurance processes, particularly for electronics systems affecting vehicle safety and control functions (see Finding 3.4). The pending standard, ISO 26262, will not prescribe the specific content of each manufacturer’s safety assur- ance regime. However, it will compel subscribers to follow steps ensur- ing that the safety implications of electronics systems are well identified, analyzed for risks, and the subject of appropriate risk management actions. How influential this voluntary standard will become is not yet known,

OCR for page 169
179 Recommendations to NHTSA || but many manufacturers selling vehicles and automotive equipment in the United States appear to be intent on following its guidance in whole or in large part. Whether widespread industry adherence to a process-based standard like ISO 26262 will lead to safer-performing vehicle electronics will depend to a large extent on the adequacy of existing manufacturer assurance pro- cesses and the degree to which manufacturers change their processes in response to the standard’s guidance. The industry’s apparent intention to follow ISO 26262 may give NHTSA greater confidence that manufacturers are striving to keep abreast of the challenges associated with electronics. Even if the agency does not endorse or require adherence to the standard, NHTSA will have a keen interest in ensuring the standard’s safety effec- tiveness if many automotive manufacturers choose to follow it. As a general matter, the committee recommends that NHTSA become more familiar with and engaged in standard-setting and other efforts involving industry that are aimed at strengthening the means by which manufacturers ensure the safe performance of their automo- tive electronics systems (Recommendation 1). In the committee’s view, such cooperative efforts represent an opportunity for NHTSA to gain a stronger understanding of how manufacturers seek to prevent safety problems through measures taken during product design, development, and fabrication. By engaging in these efforts, the agency will be better able to influence industry safety assurance and recognize where it can contribute most effectively to strengthening such preventive measures. The introduction of ISO 26262 represents a potential opportunity for NHTSA to engage and collaborate with industry. As manufacturers reas- sess and adjust their safety assurance processes in response to the ISO standard and other industry-level guidance, many will undoubtedly need more information and analysis. Some will have research needs that NHTSA may be able to help meet. In the committee’s view, support for this industry research can be a practical means by which NHTSA engi- neers and other personnel can increase their familiarity with industry safety assurance processes. Box 6-2 gives examples of where collabora- tive research and analysis supported by NHTSA may contribute to the strengthening of industry safety assurance processes and to the agency’s own technical knowledge and competencies. Exploration of other means by which NHTSA can interact with indus- try in furthering electronics safety assurance will also be important. Exploiting a range of opportunities will be critical in the committee’s

OCR for page 169
186 || The Safety Promise and Challenge of Automotive Electronics Box 6-3 Candidate research and Analysis to Support oDi Capabilities and Functions • Examine modifications to the VOQ that can make it more use- ful to ODI analysts and investigators by facilitating the ability of consumers to convey the vehicle conditions and behaviors they experience more precisely and by making the informa- tion more amenable to quantitative evaluation. Consideration might be given to new features in the online questionnaire, such as drop-down menus with condition choices or upload- ing capabilities, that can make the questionnaire easier to complete and provide drivers more opportunity to convey details on the vehicle and its condition and behavior. • In collaboration with manufacturers, examine a cross section of safety-related recalls whose cause was attributed to deficiencies in electronics or software and identify how the defects escaped verification and safety assurance processes. The examination should seek to identify weaknesses in these processes and means by which they have been strengthened. • Investigate and make recommendations on ways to obtain more timely and detailed EWR-type data for defect surveil- lance and investigation. For example, consideration might be given to the creation of a voluntary network of automotive dealers and major repair centers to which ODI can turn for more timely and detailed vehicle servicing, repair, and parts data for defect monitoring and investigation. FDA’s network for obtaining safety performance data on medical devices might serve as a model. To the extent that NHTSA can make use of current dealer–original equipment manufacturer networks for this data-gathering purpose, the inflexibilities associated with mandated data reporting systems such as the EWR could be reduced. NHTSA’s Crash Injury Research Engineering Network program for collecting data for research on crash injuries offers another potential conceptual model for a collaborative forum.

OCR for page 169
187 Recommendations to NHTSA || Box 6-3 (continued) Candidate Research and Analysis to Support ODI Capabilities and Functions • Examine how the data from consumer complaints of unsafe experiences in the field can be mined through electronic means and how the complaints might offer insight into safety issues that arise from human–systems interactions. Explore how these issues may be changing with the introduction and expansion of vehicle electronics systems. The committee is not in a position to know where these initiatives should rank among NHTSA’s research and rulemaking priorities. Nevertheless, the committee concurs with NHTSA’s intent to ensure that EDRs be commonplace in new vehicles and recommends that the agency pursue this outcome, recognizing that the utility of more extensive and capable EDRs will depend in large part on the extent to which the stored data can be retrieved for safety investigations (Recommendation 4). NHTSA’s stated plan is to consider “future enhance- ments” to EDRs, which is particularly intriguing for the following two reasons. First, failures in electronics systems, including those related to software programming, intermittent electrical faults, and electromagnetic disturbances, may not leave physical traces to aid investigations into the causes of failures. Second, mistakes by drivers also may not leave a phys- ical trace, even if these errors result in part from vehicle-related factors such as startling vehicle noises or unexpected or unfamiliar vehicle behaviors. The absence of such physical evidence has hindered investiga- tions of the ETC’s role in unintended acceleration and may become even more problematic as the number and complexity of automotive electron- ics systems grow. Advanced data recording systems may help counter some of these problems if the data can be accessed by investigators. In the committee’s view, the utility and feasibility of equipping vehicles with more advanced data-recording systems that can log a wider range of data warrant further study and are thus among the candidate research topics identified in Box 6-2. The committee also endorses NHTSA’s stated plan to conduct research on pedal design and placement and keyless ignition design

OCR for page 169
188 || The Safety Promise and Challenge of Automotive Electronics requirements but recommends that this research be a precursor to a broader human factors research initiative in collaboration with indus- try and that the research be aimed at informing manufacturers’ sys- tem design decisions (Recommendation 5). A number of examples of research that could be pursued through such a program are given in Box 6-2. STrATegiC plANNiNg To guiDe FuTure DeCiSioNS AND prioriTieS The four priority items above represent specific agency responses to the events surrounding unintended acceleration. The next priority plan may list more such items, some in response to newly arising safety concerns. Asked to advise NHTSA on its rulemaking, research, and resource pri- orities, the committee questions the wisdom of recommending the addi- tion to this list of more narrowly construed initiatives and whether doing so would be at odds with the agency developing an effective longer-term strategy for meeting the safety demands arising from vehicle electronics. The committee notes that the current priority plan describes the Office of Vehicle Safety as being “currently in the process of developing a longer- term motor vehicle safety strategic plan that would encompass the period 2014 to 2020” (NHTSA 2011, 1). Presumably, this strategic plan could provide a road map for NHTSA’s decisions with regard to the safety over- sight challenges arising from the electronics-intensive vehicle; however, the plan’s status and purpose have not been articulated. The committee believes that strategic planning is fundamental to sound decision making and thus recommends that NHTSA initi- ate a strategic planning effort that gives explicit consideration to the safety challenges resulting from vehicle electronics and that gives rise to an agenda for meeting them. The agenda should spell out the near- and longer-term changes that will be needed in the scope, direction, and capabilities of the agency’s regulatory, research, and defect investigation programs (Recommendation 6). Some of the key elements of successful strategic planning are outlined in Box 6-4. In the committee’s view, it is vital that the planning be (a) prospective in considering the safety challenges arising from the electronics-intensive vehicle, (b) introspective in considering the implications of these chal- lenges for NHTSA’s vehicle safety role and programs, and (c) strategic in

OCR for page 169
189 Recommendations to NHTSA || Box 6-4 elements of a Strategic planning process In the committee’s view, the following are fundamental to strate- gic planning: • Involved and supportive management led by senior staff, • Cross-functional participation from throughout the organi- zation, • Third-party facilitation and other influential outside partici- pants, • The expectation that the process will take time and effort and not be completed in one or two meetings, and • Regular updates made available to the public and decision makers. The following are key process elements: • Define the agency mission and principal agency activities • State goals and desired outcomes • Assess the external environment. The following are example considerations: – Who are the prime “customers” of the agency? – What are their expectations, and are they changing? – How is the technology of the automobile changing funda- mentally, and how is this affecting the agency in fulfilling its mission or role? – How will technology continue to change? – Which external organizations have a major impact on the agency’s functioning, and what is the agency’s relationship with them? – What data are important in executing the agency’s role effectively? (continued on next page)

OCR for page 169
190 || The Safety Promise and Challenge of Automotive Electronics Box 6-4 (continued) Elements of a Strategic Planning Process – How can technology changes, such as the Internet and its instant communications, be expected to affect the agency, positively and negatively? – How might adversaries utilize the vehicle fleet for harm? What can be done about it? • Assess the agency. The following are example considerations: – What are the agency’s strengths and weaknesses (unit by unit)? – Has the agency’s role changed over the years? Has the agency adapted to those changes? How? – Is the agency’s staffing of the various functions consistent with the needed activity level in those functions? Is it con- sistent with the technology level? – What are the strengths and weaknesses of the databases used by the agency in conducting its work? For example, what do the databases indicate in terms of changing rea- sons for recalls and changing corrective actions? – Is the agency using the technology of the Internet and modern information technology in general to enhance per- formance of its role? – What are the strengths and weaknesses of the agency’s relationship with the industry it monitors and regulates? – What are the strengths and weaknesses of the FMVSSs in terms of the automotive technology of today and the future? – What are the strengths and weaknesses of agency research programs, including research staff levels and capabilities? – How does the agency compare with FAA and FDA with respect to staffing, relationship with the industry regulated, and effectiveness? – What have been the greatest agency successes and its great- est failures? – What does the agency consider to be critical factors for its success?

OCR for page 169
191 Recommendations to NHTSA || Box 6-4 (continued) Elements of a Strategic Planning Process • Articulate the agency’s key strategies and objectives going forward: – The agency’s role and responsibilities redefined or reiter- ated clearly – An explicit strategy developed for how to adapt to the expected changes in technology – Goals set for the size, nature, and content of the research programs in support of agency goals – Goals set for the size and capabilities of the staff in its vari- ous units such as ODI – Improvement objectives established for the databases used in the work of the agency – Metrics defined to indicate the agency’s performance of its defined roles and responsibilities guiding critical decisions concerning matters such as the most appro- priate agency regulatory approaches and associated research and resource requirements. The strategic planning process will put NHTSA in a better position to address and make decisions about matters such as the following: • Whether the agency’s regulatory role should be modified to take into account the safety assurance processes followed by automotive manufacturers during product development. For example, the advan- tages and disadvantages of urging or requiring manufacturers to dem- onstrate that they are implementing rigorous safety assurance as part of the design, development, and manufacturing of electronics systems that affect safety-critical functions should be examined. • How NHTSA’s research can be broadened to go beyond the provision of mostly technical support for regulatory decisions to (a) provide similar support for ODI as it seeks to strengthen its safety surveil- lance, investigation, and data availability and analysis capabilities and (b) help meet the shared research needs of automotive manufacturers

OCR for page 169
192 || The Safety Promise and Challenge of Automotive Electronics as they seek to improve their safety assurance processes. Such strate- gic planning would provide an opportunity for NHTSA to consider the nature of the research it undertakes, what should be encom- passed by its research in the future, and the methods that are used to identify key research needs. • The most appropriate means by which NHTSA can consult and inter- act more effectively with automotive manufacturers to (a) identify the safety assurance challenges arising from vehicle electronics, (b) understand how industry is working to meet these challenges, and (c) facilitate collaboration and cooperation among manufactur- ers and NHTSA. The committee further recommends that NHTSA make develop- ment and completion of the strategic plan a top goal in its coming 3-year priority plan. NHTSA should communicate the purpose of the planning effort, define how it will be developed and implemented commensurate with advice in this report, and give a definite time frame for its completion. The plan should be made public so as to guide key policy decisions—from budgetary to legislative—that will determine the scope and direction of the agency’s vehicle safety pro- grams (Recommendation 7). The long-term importance of strategic planning is obvious: the tech- nological transformation of the automobile will continue, and being pre- pared for more safety concerns that arise rather than reacting to them will become increasingly important. As electronics systems proliferate, NHTSA will be called on to investigate suspected safety deficiencies in them, but it can ill afford to explore potential vulnerabilities in the same extraordinary manner that it did for Toyota’s ETC. The committee observes that NHTSA researchers are working with the automotive industry, universities, and other government agencies to examine future crash avoidance concepts such as vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications systems. These sys- tems will enable even greater vehicle autonomy and necessitate advance- ments in vehicle electronics that will go well beyond any systems now being deployed. In the same vein, changes in the division of functions between the driver and the vehicle will (a) present new demands for and interpretations of FMVSSs; (b) heighten the need for safety assurance processes that instill high levels of driver confidence in these systems; and (c) place new demands on ODI’s defect surveillance, analysis, and investi- gation activities.

OCR for page 169
193 Recommendations to NHTSA || The technical and economic feasibility of V2V, V2I, and other intelli- gent transportation systems are not considered in this study. However, it is difficult to imagine NHTSA accommodating their introduction without adapting its regulatory, research, and investigation processes. The strate- gic planning recommended here is not of a scope that would allow the agency to prepare for the many implications associated with conceived future systems such as V2V and V2I. However, by engaging in strategic planning on an ongoing basis, NHTSA will be in a better position to meet the safety demands that such technological advancements are likely to bring. The recommendations to NHTSA in this report are con- tained in Box 6-5. Box 6-5 recommendations to NHTSA Recommendation 1: The committee recommends that NHTSA become more familiar with and engaged in standard-setting and other efforts involving industry that are aimed at strengthening the means by which manufacturers ensure the safe performance of their automotive electronics systems. Recommendation 2: The committee recommends that NHTSA convene a standing technical advisory panel comprising individ- uals with backgrounds in the disciplines central to the design, development, and safety assurance of automotive electronics sys- tems, including software and systems engineering, human fac- tors, and electronics hardware. The panel should be consulted on relevant technical matters that arise with respect to all of the agency’s vehicle safety programs, including regulatory reviews, defect investigation processes, and research needs assessments. Recommendation 3: The committee recommends that NHTSA undertake a comprehensive review of the capabilities that ODI will need in monitoring for and investigating safety deficiencies in electronics-intensive vehicles. A regular channel of communi- cation should be established between NHTSA’s research program (continued on next page)

OCR for page 169
194 || The Safety Promise and Challenge of Automotive Electronics Box 6-5 (continued) Recommendations to NHTSA and ODI to ensure that (a) recurrent vehicle- and driver-related safety problems observed in the field are the subjects of research and (b) research is committed to furthering ODI’s surveillance and investigation capabilities, particularly the detail, timeliness, and analyzability of the consumer complaint and early warning data central to these capabilities. Recommendation 4: The committee concurs with NHTSA’s intent to ensure that EDRs be commonplace in new vehicles and recommends that the agency pursue this outcome, recognizing that the utility of more extensive and capable EDRs will depend in large part on the extent to which the stored data can be retrieved for safety investigations. Recommendation 5: The committee endorses NHTSA’s stated plan to conduct research on pedal design and placement and keyless ignition design requirements but recommends that this research be a precursor to a broader human factors research ini- tiative in collaboration with industry and that the research be aimed at informing manufacturers’ system design decisions. Recommendation 6: The committee recommends that NHTSA initiate a strategic planning effort that gives explicit consideration to the safety challenges resulting from vehicle electronics and that gives rise to an agenda for meeting them. The agenda should spell out the near- and longer-term changes that will be needed in the scope, direction, and capabilities of the agency’s regulatory, research, and defect investigation programs. Recommendation 7: The committee recommends that NHTSA make development and completion of the strategic plan a top goal in its coming 3-year priority plan. NHTSA should communi- cate the purpose of the planning effort, define how it will be developed and implemented commensurate with advice in this report, and give a definite time frame for its completion. The plan should be made public so as to guide key policy decisions—from budgetary to legislative—that will determine the scope and direc- tion of the agency’s vehicle safety programs.

OCR for page 169
195 Recommendations to NHTSA || reFereNCe Abbreviation NHTSA National Highway Traffic Safety Administration NHTSA. 2011. NHTSA Vehicle Safety and Fuel Economy Rulemaking and Research Priority Plan, 2011–2013. March. http://www.nhtsa.gov/staticfiles/rulemaking/ pdf/2011-2013_Vehicle_Safety-Fuel_Economy_Rulemaking-Research_ Priority_Plan.pdf.

OCR for page 169