Click for next page ( 24


The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 23
1 Background and Charge The National Highway Traffic Safety Administration (NHTSA) requested this study of its efforts to determine the possible causes of unintended acceleration in vehicles in order to advise on ways to strengthen the agency’s regulatory, research, and defect investigation capabilities as automobiles become more electronics-intensive. While NHTSA has investigated complaints of unintended acceleration for many decades, an unusually large number of such complaints have been made in recent years, particularly by owners of Toyota vehicles.1 Many complaints have involved high-power acceleration, which NHTSA’s investigators con- cluded was attributable to drivers applying the accelerator pedal by mis- take and to certain other mechanical causes, including sticking pedal assemblies and pedals becoming obstructed or entrapped.2 Pedal mis- application, entrapment, and sticking have often been identified by NHTSA as causes of unintended acceleration, along with various other mechanical causes such as throttle icing and damage to the physical link- ages between the pedal and throttle assemblies.3 However, the pro- liferation of electronics systems, and particularly the introduction of According to data presented to the committee by NHTSA, about 35 percent of the complaints it 1 received between 2004 and 2010 alleging unintended acceleration were by drivers of Toyota vehicles. Presentation by Daniel C. Smith, NHTSA Associate Administrator, Enforcement, June 30, 2010, Slide 17. http://onlinepubs.trb.org/onlinepubs/UA/100630DOTSlidesSmith. NHTSA investigations into the causes of unintended acceleration in Toyota vehicles are discussed in 2 Chapter 5. The National Transportation Safety Board has also investigated pedal misapplication by drivers of 3 school buses and other heavy vehicles (NTSB 2009). 23

OCR for page 23
24 || The Safety Promise and Challenge of Automotive Electronics electronic throttle control systems (ETCs) during the past decade, has prompted questions about whether faults in these systems were respon- sible for some of the complaints of unintended acceleration.4 The Toyota vehicles that NHTSA concluded were susceptible to pedal sticking and entrapment were equipped with ETCs. NHTSA’s initial findings of pedal entrapment caused by floor mats prompted Toyota to issue a series of recalls involving millions of vehicles. The first recalls involved redesigned floor mats and notifications to own- ers and dealers about the dangers of unsecured and incompatible floor mats and how to respond safely to pedal entrapment should it happen. In subsequent recalls, Toyota reshaped the accelerator pedal to make it less prone to floor mat interference and to install software that causes brake application to override the throttle on vehicles equipped with push- button ignition systems. The latter step was taken as evidence emerged that some drivers were unfamiliar with how to turn off the engine by holding down the start–stop button during an emergency while the vehicle is in motion.5 Even as these multiple recalls proceeded, questions persisted about the adequacy of Toyota’s remedies and whether its ETC technology was to blame, particularly after media reports of more cases of Toyota vehicles exhibiting unintended acceleration, some involving fatalities.6,7 ETCs were mass introduced beginning about 10 years ago. They replaced the physical connection between the accelerator pedal and the As recounted in Chapter 5, NHTSA received consumer petitions starting in 2003 requesting that the 4 agency investigate the Toyota ETC as the possible cause of unintended acceleration. In addition, in late 2009 Toyota observed through its field reports, and NHTSA confirmed through its 5 review of consumer complaints, that a sticking pedal assembly component was causing episodes in which vehicles were not slowing down in response to the driver reducing pressure on the accelerator pedal. In early 2010, Toyota initiated a recall to fix a mechanical defect in the pedal assembly, which involved many of the same Toyota vehicles subject to the floor mat recalls. In particular, a fatal crash involving a Lexus 350 ES that occurred in the city of Santee in San Diego 6 County, California, on August 28, 2009, received considerable media, public, and congressional atten- tion. NHTSA and the San Diego County Sheriff’s Department later concluded that the cause of the crash was pedal entrapment as a result of an incompatible all-weather floor mat. See San Diego County Sheriff’s Department Incident Report concerning August 2009 crash in Santee, California (Case No. 09056454). The origins of the initial driver concerns over Toyota’s ETC as a possible cause of unintended accelera- 7 tion remain unclear. However, these concerns appear to have increased after a report prepared by David W. Gilbert for the advocacy group Safety Research and Strategies, Inc., which purported to demonstrate how Toyota’s ETC could operate with undetected faults in its pedal position sensors. A videotape of Gilbert’s demonstration was broadcast on February 22, 2010, on ABC News: http:// abcnews.go.com/Blotter/toyota-recall-electronic-design-flaw-linked-toyota-runaway-acceleration- problems/story?id=9909319. The Gilbert paper can be found at http://www.safetyresearch.net/ Library/Preliminary_Report022110.pdf.

OCR for page 23
25 Background and Charge || throttle with an electronic connection consisting of sensors, wires, micro- processors, other circuitry, and a motorized throttle actuator. ETCs are now commonplace in new vehicles across the fleet. Concerns about public confidence in this common technology prompted NHTSA to take several actions. First, the agency’s Office of Defects Investigation (ODI) rescreened and reanalyzed all vehicle owner complaints for all vehicle makes during the past decade to identify and examine any that might be indicative of unintended acceleration. In its analysis, ODI observed a range of reported vehicle behaviors that could be described as unintended acceleration, from vehicles hesitating or lurching during gear changes to abrupt increases in engine power and vehicle speed that suggested a large throt- tle opening. In many of the latter cases in particular, ODI observed that reported brake application was described by the driver as being ineffec- tive in controlling acceleration. Reports of lost braking capacity also raised the possibility of brake defects, although brake damage or degradation was confirmed only in a relatively small number of cases in which the vehicle traveled at a high rate of speed for several miles and the brake pedal was depressed by the driver for a long time or repeatedly pumped. In NHTSA’s view, cases in which alleged immediate and profound brake loss could not be explained were consistent with pedal misapplication. The latter cases of unintended acceleration involving degraded braking capacity were believed to be caused by pedal entrapment, pedal sticking, and other identifiable mechanical problems. NHTSA did not find any unusual patterns in the warranty repair data submitted by Toyota or any other manufacturer related to ETCs, and the agency believed that its rescreening of consumer complaints did not sug- gest any new explanations for unintended acceleration involving vehicle electronics. Nevertheless, NHTSA undertook further analyses and inves- tigations of Toyota’s ETC in response to the growing public concern. First, ODI investigators conducted more detailed examinations of a small subset of complaints involving crashes of Toyota vehicles in which infor- mation from the vehicles’ electronic event data recorders was retrieved and analyzed (NHTSA 2011). These investigations, discussed in more detail later in this report, did not provide any reason for the agency to question its earlier findings and conclusions about pedal misapplication, entrapment, and sticking being the causes of high-power unintended acceleration in Toyota vehicles. Second, NHTSA commissioned a team of engineers with expertise in electronics and software testing from the

OCR for page 23
26 || The Safety Promise and Challenge of Automotive Electronics National Aeronautics and Space Administration (NASA) to investigate whether vulnerabilities exist in the design and implementation of Toyota’s ETC that could have plausibly produced any of the unintended acceleration behaviors reported by consumers.8 While these latter investigations were under way, NHTSA requested the National Research Council to convene an independent committee to conduct this study. The committee’s task was to inform a broader exam- ination of the safety assurance challenges arising from the proliferation and growing complexity of automotive electronics and their implications for NHTSA’s vehicle safety programs. In performing its task, the commit- tee was to consider the pending results of the ODI and NASA investiga- tions as well as the results of past NHTSA investigations. The committee was not tasked with conducting its own investigations of the incidence and potential causes of unintended acceleration. For study background, NHTSA asked the committee to review the means by which automotive manufacturers seek to ensure the safe and secure performance of their electronics systems and to consider how safety assurance is handled in other industries such as aviation. This report describes these safety assur- ance processes but does not critique them or make recommendations to the automotive industry. These requested reviews proved valuable to the study. The commit- tee learned, for example, that ETCs are simple and mature systems in comparison with the many other automotive electronics systems being developed and deployed that can affect vehicle control. The public appre- hension over whether ETCs were the cause of unsafe vehicle behaviors thus raises the prospect, in the committee’s view, that similar or even more serious concerns could arise as more complex electronics systems are introduced into the fleet. That prospect is troubling because, as the committee describes in this report, electronics-intensive systems are now central to vehicle functionality and provide many significant ben- efits to motorists, including safety benefits. Indeed, NHTSA is promoting the development and introduction of many new crash-avoidance sys- tems that have become possible only as a result of advancements in electronics technology. The investigation was conducted by NASA’s Engineering and Safety Center and the results reported 8 to NHTSA in January 2011 in National Highway Traffic Safety Administration Toyota Unintended Acceleration Investigation: Technical Support to the National Highway Traffic Safety Administration (NHTSA) on the Reported Toyota Motor Corporation (TMC) Unintended Acceleration (UA) Investigation. Released to the public on NHTSA’s website in February 2011. http://www.nhtsa.gov/staticfiles/nvs/pdf/ NASA-UA_report.pdf.

OCR for page 23
27 Background and Charge || Innovations in the automobile will be driven extensively by develop- ments in electronics technology. Therefore, the emphasis of this report is not on second-guessing the past actions of NHTSA but instead on steps that can be taken to ensure that the agency’s programs are aligned with meeting the safety assurance challenges likely to accompany these developments. More background on many of the issues raised above and a descrip- tion of how the report is organized to address the study charge are given next. The background begins with an overview of NHTSA’s vehicle safety oversight role and its past responses to concerns over unintended accel- eration. The chapter concludes by explaining the study goals and the report’s organization. NHTSA’s AuTomoTive SAfeTy Role Legislation enacted 45 years ago that introduced a federal role in ensur- ing traffic safety, and that soon led to NHTSA’s creation within the U.S. Department of Transportation (DOT), called for the establishment of regulations specifying minimum safety features and capabilities in motor vehicles.9 At the time, automobiles were almost entirely mechanical in their function, having no computing capabilities, software, or internal networks. Nevertheless, the automobile of about 1970 was the product of a steady stream of innovations in designs, materials, and engineering by original equipment manufacturers (OEMs) and their suppliers. To avoid impeding this innovation, NHTSA was charged with writing the Federal Motor Vehicle Safety Standards (FMVSSs) in terms of minimum performance requirements and thus avoiding prescriptions about how manufacturers should meet the requirements through their product design, development, and production processes.10 The FMVSSs promulgated by NHTSA consist of three main categories of regulations covering crash avoidance, crashworthiness, and postcrash integrity. The first category covers vehicle capabilities essential to pre- venting a crash, such as minimum capabilities for braking, visibility, and More details on the laws establishing NHTSA and its vehicle safety mission are given in Chapter 4. 9 The FMVSSs, along with other NHTSA regulations, are incorporated into Chapter 5 of Title 49, Code 10 of Federal Regulations. The authorizing law defines an FMVSS as a “minimum standard for motor vehicle performance, or motor vehicle equipment performance, which is practicable, which meets the need for motor vehicle safety, and which provides objective criteria.”

OCR for page 23
28 || The Safety Promise and Challenge of Automotive Electronics accelerator control. The second contains regulations intended to make vehicles more capable of withstanding crash forces and protecting occu- pants in the event of a crash, such as by having certain restraint systems and crush resistance. The third specifies requirements for maintaining vehicle integrity after a crash has occurred, such as fire resistance. NHTSA sets and enforces several other standards that are not contained within these three categories of FMVSSs, such as requirements for vehicles equipped with event data recorders and mandated reporting to NHTSA of certain safety-related data. Automobile manufacturers are not required to notify NHTSA when they introduce a new component or system design, even if it pertains to an FMVSS. Each manufacturer is responsible for determining whether the product design and its implementation meet all relevant FMVSSs, and in so doing the manufacturer may consult NHTSA for interpreta- tions of the requirements. NHTSA does not set its own design and imple- mentation standards, nor does it demand that manufacturers follow third-party standards to guide design, development, and evaluation pro- cesses such as testing of software code, materials properties, and electro- magnetic compatibility. Automotive manufacturers must determine for themselves which processes are best suited to their product designs and are required to certify that their vehicles meet all relevant FMVSSs.11 Because the FMVSSs are intended to be technology neutral, the changeover from mechanical to electronics systems in recent years has not necessitated substantial regulatory revisions. For example, NHTSA officials informed the committee that the introduction of keyless ignition systems occurred within the context of the existing FMVSS 114.12 The agency has interpreted the standard’s requirements governing the use of a “key” as encompassing both a traditional physical key and codes that are electronically transmitted by a fob or entered by the driver using a keypad inside the vehicle. Likewise, the introduction of ETCs in the late 1990s occurred in accordance with the original FMVSS 124 on accelerator control systems, which was promulgated in the early 1970s. FMVSS 124 requires that a vehicle’s throttle plate return to the idle position when the driver removes the actuating force from the accelera- Certification of a vehicle’s compliance with relevant FMVSSs must be shown by a label or tag perma- 11 nently affixed to the vehicle. The committee was provided this explanation by Nathaniel Beuse, Director, Office of Crash Avoidance 12 Standards, in a briefing titled “Government and Voluntary Standards as They Related to Unintended Acceleration,” June 30, 2010.

OCR for page 23
29 Background and Charge || tor control, even if there is a disconnection. NHTSA officials explained to the committee that in this case the agency interprets a “disconnection” to cover separations of physical linkages as well as separations of electri- cal connections.13 For technical support of its regulatory activities, NHTSA relies on its vehicle safety research program. NHTSA officials explained to the com- mittee that its neutrality with respect to the technologies used by manu- facturers to meet the FMVSSs does not mean that the agency can afford to neglect technological developments taking place in the automotive sector. Accordingly, NHTSA’s Office of Vehicle Safety Research is charged with keeping abreast of existing and emerging technologies that may create safety assurance challenges or that may provide opportunities to make driving safer. The content and priorities of the research program are thus driven by ongoing regulatory needs (such as the development of a performance test for a new standard) and by evidence from crash records indicating safety problems that may be candidates for mitigation through advancements in vehicle technologies.14 NHTSA’s main method for ensuring that manufacturers comply with the FMVSSs is through its Office of Vehicle Safety Compliance, which inspects and tests samples of vehicles to assess their conformance to the regulations.15 However, a vehicle may be in full compliance with all FMVSSs and still exhibit a safety defect in use. The committee was informed by NHTSA that for the agency to order a safety recall, it must be able to demonstrate that (a) a defect exists as shown by a significant number of real-world failures and (b) the defect poses an unreasonable risk to safety.16 Furthermore, NHTSA (2011, 1) states: “To demonstrate the existence of a safety defect . . . NHTSA would need to prove that a substantial number of failures attributable to the defect have occurred or are likely to occur in consumers’ use of the vehicle or equipment and that the failures pose an unreasonable risk to motor vehicle safety.” The committee was provided the information by Nathaniel Beuse, Director, Office of Crash Avoidance 13 Standards, in a briefing titled “Government and Voluntary Standards as They Related to Unintended Acceleration,” June 30, 2010. Presentation to the committee by John Maddox, Associate Administrator, Vehicle Safety Research, 14 Research Capabilities, Program Prioritization, and Resources: “National Highway Traffic Safety Administration—Research Overview,” January 27, 2011. The Office of Vehicle Safety Compliance (as well as the Office of Rulemaking) also receives reports 15 from manufacturers when they determine that some of their vehicles do not comply with one or more FMVSSs. Presentation to the committee by Richard Boyd, Acting Director, ODI, October 22, 2010. 16

OCR for page 23
30 || The Safety Promise and Challenge of Automotive Electronics The responsibility for identifying and investigating safety defects rests with ODI. ODI fulfills this responsibility with significant assistance from consumers, who file complaints of unsafe vehicle behaviors and condi- tions. ODI analysts regularly screen and analyze consumer complaints to detect vehicle behaviors and conditions indicative of defects or other vehicle-related problems that present a safety concern.17 Such concerns may prompt ODI to investigate further by examining more complaints, reviewing warranty repair records submitted by manufacturers, inspect- ing and testing vehicles and their parts, interviewing drivers and repair technicians, and consulting with and seeking more detailed information from manufacturers.18 When a deeper investigation of a suspect problem establishes that a vehicle safety deficiency exists and is sufficient in mag- nitude and scope to pose an unreasonable safety risk, ODI has authority to compel the manufacturer to issue a product recall. In practice, most recalls are initiated by the manufacturer before ODI even opens an inves- tigation, and nearly all are initiated without ODI having to take an enforcement action.19 eARlieR NHTSA iNiTiATiveS oN uNiNTeNded AcceleRATioN The committee learned that ODI has fielded and investigated driver reports of unintended acceleration for more than 40 years.20 More than three dozen investigations of such concerns were conducted by ODI during the 1980s alone, resulting in a number of manufacturer recalls (Pollard and Sussman 1989). Nearly all of the recalls from that era addressed mechanical problems, including pedal entrapment by floor mats, broken parts in the throttle, malfunctions in the vacuum actuators According to NHTSA (2011, 1), the agency receives 30,000 to 40,000 consumer complaints each year. 17 According to the USDOT Office of Inspector General, from 2002 to 2009 NHTSA screened roughly 40,000 consumer complaints annually, leading to 77 investigations for safety defects (see Report MH-2012-001, issued October 6, 2011, p. 1). Presentation to the committee by Gregory E. Magno, Defects Assessment Division Chief, ODI, titled 18 “Use of VOQ Data in ODI Screening of Unintended Acceleration and Vehicle Electronics,” and by Jeffrey L. Quandt, Vehicle Control Division Chief, ODI, titled “Use of Data in ODI Investigations of Unintended Acceleration and Vehicle Electronics,” October 22, 2010. According to statements in the agency’s report (NHTSA 2011, 2), the majority of recalls are initiated 19 by manufacturers without NHTSA opening a formal investigation. This report recounts investigations since the mid-1980s, when electronics started to become sus- 20 pected causes of defects. During the 1970s, NHTSA conducted an 8-year-long investigation of possible mechanical causes of unintended acceleration involving more than 1,700 crashes (ODI Report EA78-110).

OCR for page 23
31 Background and Charge || that mechanically moved the throttle, and faulty physical linkages that caused the throttle to remain open even when the driver released the accelerator pedal. Even though ODI typically received complaints of unintended accel- eration by owners of a wide range of vehicle makes and models, com- plaint analysts noticed that starting in the early 1980s an inordinate number had involved the Audi 5000.21,22 The Audi importer, Volkswagen, believed that the high complaint rate stemmed from the layout of the brake and accelerator pedals. In 1982 and 1983, Volkswagen initiated recalls to modify the Audi’s accelerator pedal to prevent interference by the floor mat and elevate the brake pedal relative to the accelerator pedal to reduce the chance of pedal misapplication. A continued high rate of complaints prompted ODI to enlist U.S. DOT’s Volpe Transportation Systems Center (TSC) to conduct a more thorough investigation of the problem, first by examining the reports involving Audi (Walter et al. 1988) and then by examining the complaints lodged during the pre- vious decade involving all other vehicle makes and models (Pollard and Sussman 1989).23 The TSC investigators examined means by which electronics systems in the Audi could lead to unintended acceleration. While vehicles manu- factured during the mid- to late 1980s typically had computer-based engine control units, the throttle remained connected to the accelerator pedal through a cable and other physical connectors. However, in testing the Audi 5000, TSC investigators found that some versions of the vehicle had an electronically controlled idle stabilizer prone to defects that could intermittently cause high engine idling and unexpected increases in engine power, which the investigators characterized as “surging.”24 The idle stabilizer was composed of an electronic control unit and an From 1978 to 1987, Audi’s complaint rate for unintended acceleration was 586 per 100,000 vehicles 21 in the fleet. The November 1986 broadcast of “Out of Control” by the CBS news program 60 Minutes interviewed 22 individuals who had allegedly experienced sudden acceleration by Audi vehicles and were suing the importer (Volkswagen). The broadcast also presented a video purporting to show an Audi 5000 surg- ing forward while the brake pedal was depressed. The segment heightened public concern over unin- tended acceleration. The demonstration in the video was executed by individuals associated with the plaintiffs; indeed, NHTSA maintains that the Audi 5000 in the demonstration was extensively modi- fied by a plaintiff’s consultant (Federal Register, Vol. 65, No. 83, pp. 25026–25037). During roughly the same period of time, Transport Canada (Marriner and Granery 1988) and the 23 Japanese Ministry of Transport (1989) conducted their own studies of the phenomenon. The idle speed control systems of the era would more appropriately be called idle stabilization sys- 24 tems, since they only provided a “trimming function” around the normal operating point to help achieve smoother idle quality.

OCR for page 23
32 || The Safety Promise and Challenge of Automotive Electronics electromechanical air valve.25 The TSC investigators suspected that the intermittent malfunctions observed in the control unit might have gone undetected during normal Audi-specified testing or in postcrash inspections. They concluded that the resulting surging differed from high-power acceleration reported by drivers and that such reported epi- sodes of acceleration were most likely the result of drivers mistakenly applying the accelerator pedal instead of the brake.26 They surmised that the intermittent surging could have startled or even panicked some drivers, prompting them to misapply the accelerator pedal. The TSC investigators also observed that the pedal and seating layouts of the Audi 5000 differed significantly from those of peer domestic vehicles. These differences, the investigators reported, may have further con- tributed to a higher incidence of pedal misapplication in the Audi, par- ticularly among drivers lacking familiarity with the vehicle. Apart from the defective idle stabilizer, TSC investigators could not identify an electronic or mechanical anomaly that could cause the Audi’s high rate of complaints. The investigators did observe that a large portion of the consumer complaints involved acceleration occurring at the same moment as the reported occurrence of brake failure. The investigators were unable to identify any combination of malfunctions in the vehicle that could create such a simultaneous failure of two independent sys- tems without leaving physical evidence, especially in the brakes. The TSC researchers also found that many of the motorists reported experi- encing sudden acceleration during maneuvers in parking lots and drive- ways and in other low-speed situations. Typically in these cases, the brakes were alleged to have been completely ineffective in stopping the acceleration, and the episode ended within seconds with a crash. In a follow-up to the Audi report, therefore, NHTSA commissioned TSC to examine more closely the large portion of complaints, as reported across many makes and models, involving sudden acceleration from a low- speed or stationary position and allegations of major brake failure. This The electronic control unit monitored the engine revolutions per minute (RPM), engine coolant 25 temperature, throttle plate state, air conditioner on–off switch, and air conditioner clutch operation. On the basis of the measurements taken, the control unit selected the appropriate engine idle RPM. The TSC investigators were not the first to associate pedal misapplication with unintended accelera- 26 tion, although the TSC work provided a clearer model for how to identify such cases. For example, ODI had concluded that pedal misapplication was the cause of many episodes of unintended accel- eration during the previous 20 years of case investigations. Pedal misapplication had also received attention in the human factors literature (see, for example, Schmidt 1989; Rogers and Wierwille 1988; Vernoy and Tomerlin 1989).

OCR for page 23
33 Background and Charge || second study led to the TSC report that is now commonly referred to as the Silver Book (Pollard and Sussman 1989). The Silver Book researchers tested 10 vehicles of different makes and model years to identify all possible factors that could cause or contribute to sudden acceleration. They examined the vehicles’ engines, transmis- sions, and cruise control systems to determine whether and how they might produce unwanted power; the effect of electromagnetic interfer- ence on the functioning of these systems; the effectiveness of fail-safe mechanisms built into vehicles to prevent or control unwanted accelera- tion; the pedal effort required and effectiveness of brakes in stopping a vehicle with wide-open throttle; the means by which braking systems can fail spontaneously and recover; and the role of vehicle design factors that might contribute to pedal misapplication. Because these tests were conducted on 1980s-era vehicles, many of the results have limited rele- vance to contemporary vehicles that utilize much different technologies and designs for many of their control systems. However, one conclusion of the TSC investigators remains relevant: sudden acceleration com- mencing in a vehicle that had been stationary or moving slowly should be controllable by brake application. Referring to testing that showed the stopping effectiveness of brakes and their independence from the throttle,27 the TSC investigators could not offer a credible explanation, apart from pedal misapplication, for how drivers claiming to have applied the brakes promptly would not have been able to stop a vehicle during the onset of acceleration or how the alleged complete brake failure would not be accompanied by physical evidence of a malfunction. In particular, the investigators observed that a large portion of incidents occurred at the start of the driving cycle when drivers were shifting out of park. This circumstance suggests that the drivers had inadvertently pressed the accelerator pedal instead of the brake. During the 1980s, most vehicles in the fleet did not have brake transmission shift interlock systems requiring the driver to depress the brake pedal in order to shift out of park.28 Thus, The Silver Book’s Appendix E refers to brake force and performance tests conducted at NHTSA’s test 27 center by R. G. Mortimer, L. Segal, and R. W. Murphy: “Brake Force Requirements: Driver–Vehicle Braking Performance as a Function of Brake System Design Variables.” NHTSA now requires (in FMVSS 114 as of September 2010) the installation of brake transmission 28 shift interlocks on all new cars equipped with automatic transmissions, but these devices have been common in vehicles since the 1990s. The use of these devices was shown to be effective almost imme- diately in reducing the occurrence of pedal misapplication in vehicles with automatic transmissions (Reinhart 1994).

OCR for page 23
34 || The Safety Promise and Challenge of Automotive Electronics the Silver Book recommended that NHTSA conduct more studies to consider this design solution and to examine other factors associated with vehicle designs that may contribute to pedal misapplication and that warrant mitigation. NHTSA officials explained to the committee that the conditions and circumstances characteristic of pedal misapplication, as enumerated in the Silver Book, remain relevant today as ODI screens complaints alleg- ing unintended acceleration. In receiving hundreds of complaints of this behavior each year (among the tens of thousands of other complaints lodged), ODI decides how best to deploy its investigatory resources to assess the safety relevance and causes of these and other complaints. According to the Silver Book, if a complainant alleges high-power accel- eration occurring at the same time as the loss of braking, pedal mis- application should be presumed to be the cause. ODI therefore notes the presence of such signature characteristics of pedal misapplication when it screens complaints.29 According to ODI, consumer complaints alleging unintended accel- eration that do not exhibit these signature characteristics are subject to further analysis. For example, ODI reported to the committee that a number of complaints by drivers of Toyota vehicles alleging unintended acceleration involved a loss of braking capacity after a prolonged effort by the driver to slow the vehicle through brake application.30 According to ODI, these complaints stood out from the more common complaints alleging the simultaneous occurrence of high-power acceleration and complete brake loss.31 Further investigation of these complaints led ODI to conclude that their cause was not pedal misapplication, but rather entrapment of the accelerator pedal by the floor mat.32 NHTSA requested that this committee assess the continued relevance of the Silver Book in identifying and investigating incidents involving unintended acceleration. Such an assessment is offered in this report, but not for every aspect of the Silver Book’s investigations. The commit- tee presumes, for example, that NHTSA is not interested in an assess- TSC researchers could identify no mechanism that could cause the throttle to open because of brake 29 application. They found that any engine power increases that may occur during a brake application should be controllable by the driver. As explained subsequently, NHTSA later attributed the loss in braking capacity to depletion of the 30 vacuum assist and to brake overheating. Presentation by Jeffrey L. Quandt, Vehicle Control Division Chief, ODI, “Use of Data in ODI 31 Investigations of Unintended Acceleration and Vehicle Electronics,” October 22, 2010. Presentation by Jeffrey L. Quandt, Vehicle Control Division Chief, ODI, “Use of Data in ODI 32 Investigations of Unintended Acceleration and Vehicle Electronics,” October 22, 2010.

OCR for page 23
35 Background and Charge || ment of the Silver Book’s testing of the electronics systems in 1980s-era vehicles, which differ fundamentally from those in the fleet today.33 It is self-evident that the results of these tests would have limited appli- cability for current technologies. Indeed, ODI did not indicate to the committee that its investigators consult the results of the Silver Book’s electronics testing when they investigate behaviors in later model vehi- cles, nor did the committee find any recent cases in which ODI had cited the Silver Book for this purpose.34 The content of the Silver Book that remains influential is its characterization of the circumstances indicative of pedal misapplication. Thus, this is the aspect of the Silver Book that was examined by the committee for continued relevance. THe RevoluTioN iN AuTomoTive elecTRoNicS The 1980s-era vehicles discussed in the Silver Book were not devoid of electronics, but the state of technology marked the beginning of the electronics revolution that is now well under way. Until the mid-1970s, radios, cassette players, and ignition systems were the most sophisti- cated electronics in vehicles. During the late 1970s, solid-state circuits were introduced in systems such as electro-vacuum cruise controllers, and elementary microprocessors were introduced for ignition timing and control of the fuel–air mixture, the latter to meet demands for improved emissions performance (Cook et al. 2007).35 As microproces- sors and integrated circuits evolved to become smaller and more power- ful, manufacturers started using computers to control other systems, from fuel injectors to antilock brakes and interior climate controls. By the 1980s, most new vehicles had computer-based engine control units, and some had a separate electronic control module for the cruise con- trol (Bereisa 1983). Mechanical and hydraulic systems remained pre- dominant, however. For example, cruise control systems no longer use a vacuum servo; fully electronic cruise control 33 systems were phased into the fleet during the 1990s. The last significant reference the committee could find of NHTSA referencing the Silver Book’s testing 34 of vehicle electronics and mechanical components was in a denial of a petition for a defect investiga- tion on April 28, 2000 (Federal Register, Vol. 65, No. 83, pp. 25026–25037). The petition in that case stemmed from a 1995 traffic incident involving a 1988 Lincoln Town Car having a cruise control system similar to those tested in the Silver Book. The first production engine control unit was a single-function controller used for electronic spark 35 timing in the 1977 General Motors Oldsmobile Toronado (Bereisa 1983).

OCR for page 23
36 || The Safety Promise and Challenge of Automotive Electronics Initial growth in computerized vehicle electronics centered on replac- ing existing mechanical and hydraulic systems; adding new vehicle capabilities and features received less emphasis. Processors, sensors, and actuators were thus distributed throughout the vehicle, with each pro- cessor often dedicated to controlling a specific vehicle task that was once handled through mechanical or hydraulic means. Although constraints on computing capacity presented practical limits on the ability of the new controllers to interconnect, their isolation and dedication to specific tasks had the advantage of reducing the weight, cost, and complexity of wiring one module to another. The modular approach to system architecture corresponded to the traditional model of vehicle production. According to this model, OEMs retained responsibility for overall vehicle design and assembly but depended on specialized suppliers for the development and engineering of the many individual vehicle components and subsystems. Suppliers were thus able to specialize in production and achieve scale economies by selling their electronics systems to multiple manufacturers, and the need for OEMs to invest in increasingly specialized and fast-changing areas such as electronics design and manufacturing was reduced. As computing capacity expanded and became less expensive, OEMs outfitted their vehicles with dozens of computers capable of controlling more varied and complicated vehicle tasks. As these systems grew in number, their isolation from one another became impractical and costly because of the demand for dedicated wiring and lost opportunities to share sensors and information. The introduction of networks, which are discussed in more detail in the next chapter, solved this problem.36 The networking of electronics systems not only has improved the capabili- ties and performance of many existing features—such as allowing for the integration of interior lights, locks, and power windows—but also has made more feasible the introduction of many new capabilities, including those promising to aid motorists in driving safely.37 The capabilities that electronics systems now provide in vehicles are extensive. They include comfort and convenience features, lower emis- sions, improved fuel economy, enhanced driving performance, and new In 1985, Bosch introduced the controller area network (CAN), a widely used peer-to-peer network 36 that precludes the need for a master controller. As a node in the network, each connected device receives messages from and transmits messages to other devices on the CAN bus. Each device has a CAN controller chip that enables it to prioritize and use relevant messages. A more detailed review of the history of automotive software is given by Broy et al. (2007). 37

OCR for page 23
37 Background and Charge || safety features; many more examples of these capabilities are given in the next chapter. Advancements in electronics are, in essence, trans- forming the automobile every few years and thus changing the driving experience itself. Electronics are enabling the introduction of many new vehicle capabilities, creating new driver interfaces, and affecting the divi- sion of responsibilities between the driver and vehicle for maintaining vehicle control. Some of the interface changes are evident in features such as push- button ignition and dashboard display and control media free of the physical constraints that dictated their designs for decades. Other inter- face changes are less evident, such as a perceptible but small change in the feel of a pedal connected by wire rather than by a mechanical link- age.38 Electronics are enabling new vehicle capabilities, such as blind spot surveillance and active collision avoidance, and some of the new capabilities will undoubtedly affect driving behavior in both positive and negative ways. Designing these new systems to minimize their potential to introduce safety hazards, while maximizing the joint performance of the driver and the technology, is becoming a major challenge for OEMs. In addition to overcoming design challenges associated with human factors, OEMs strive to ensure that the new electronics systems perform their functions reliably. For example, when mechanical and hydraulic systems are replaced with electronics, OEMs want to make sure that the new technologies are at least as dependable as the earlier systems. In most cases, manufacturers expect each new generation of technologies to yield improved performance in all respects. This assurance can present a particular challenge for entirely new systems, especially as systems interconnect and interact with one another in new and potentially unanticipated ways. How automotive manufacturers are meeting these safety assurance challenges is discussed in this report. STudy GoAlS ANd RepoRT oRGANizATioN The full charge to the committee is contained in the statement of task in Box 1-1. The overarching study goals, given at the outset of the state- ment, are to (a) review past and ongoing NHTSA and industry analyses Such differences in pedal feel, at least for one type of vehicle (the Toyota Camry with and without 38 ETCs), are documented by NHTSA (2011, 53).

OCR for page 23
38 || The Safety Promise and Challenge of Automotive Electronics Box 1-1 Statement of Task The objective of this study is to provide NHTSA with an indepen- dent review of past and ongoing industry and NHTSA analyses to identify possible causes of unintended acceleration (UA) and make recommendations on: • NHTSA research, rulemaking, and defects investigation activi- ties; and, • Human, infrastructure, and financial resources required for NHTSA to assure the safety of electronic throttle controls and other electronic vehicle control functions. In accordance, the study committee shall: A. Conduct a broad review and assessment of electronic vehicle controls, systems, and UA across the industry and safeguards used by manufacturers and suppliers to ensure safety. The committee’s review, assessment, and recommendations shall, at a minimum, encompass the following subject areas: (1). Vehicle control electronics design and reliability: • oftware life-cycle process including specification, S design, implementation, change control, and testing; • omputer hardware design and testing methods and C integration with the software; • ehicle systems engineering, including how combina- V tions of electronics and mechanical design are used to jointly achieve safety objectives; (2). Electromagnetic compatibility and electromagnetic interference; (3). Environmental factors; (4). Existing relevant design and testing standards (SAE, ISO, IEEE, etc.); (5). Vehicle design and testing methods for safety; (6). Human system integration/human factors; (7). Potential forensic/problem-solving methods not already in use by industry and regulatory agencies; (8). Cybersecurity of automotive electronic control systems.

OCR for page 23
39 Background and Charge || Box 1-1 (continued) Statement of Task B. The study committee shall review the 1989 “Silver Book” to analyze its continued relevance with respect to technologies, possible defects, and failure modes associated with UA. The committee shall report on the current understanding of pos- sible causes of UA and how the increasing prevalence of electronic throttle controls, other electronic vehicle control systems (e.g. brakes), event data recorders, and the like, which have emerged since the 1980s, may require supplementing the Silver Book. The committee shall provide guidance on fac- tors NHTSA should consider in light of these developments. C. The study committee shall review NHTSA policies, proce- dures, and practices as they are applied in Office of Defects Investigation (ODI) UA investigations of UA and make rec- ommendations for improvement with respect to the possible involvement of electronic control systems in UA. In doing so, the committee shall: (1). Review the general history of and process used in NHTSA’s defect investigations related to UA; (2). Provide recommendations and suggest priorities for the manner in which future possible defects involving elec- tronic control systems should be investigated; and (3). Make recommendations and suggest priorities for future research that may support investigations of such systems. D. Review possible sources of UA other than electronic vehi- cle controls, such as human error, mechanical failure, and mechanical interference with accelerator mechanisms. E. Examine best practices for assuring safety in other sectors, such as avionics, and consider any lessons that might apply to vehicle safety design and assurance. F. Discuss the limitations of testing in establishing the causes of rare events. G. Describe improvements in design, development process, test- ing, and manufacturing, including countermeasures and fail- safe strategies that could be used to increase confidence in electronic throttle controls and other electronic vehicle con- trol systems.

OCR for page 23
40 || The Safety Promise and Challenge of Automotive Electronics of the possible causes of unintended acceleration and (b) make recom- mendations on NHTSA’s research, rulemaking, and defect investigation activities, including the capabilities required for the agency to ensure the safe performance of ETCs and other electronic vehicle controls. With respect to the first goal, the focus of the study’s review of unin- tended acceleration is on NHTSA’s initiatives to monitor for, analyze, and investigate this problem. The committee could think of no practical way to examine the means by which each of the large number of OEMs handles consumer reports of unintended acceleration specifically, al- though OEM safety assurance and field monitoring capabilities in general are discussed in Chapter 3. As discussed above, NHTSA has undertaken and commissioned several major investigations of unintended accel- eration over the past 40 years, including the Audi and Silver Book reports by TSC during the 1980s. More recently, NHTSA enlisted the help of NASA (NHTSA 2011). All of these investigations were presum- ably undertaken to inform NHTSA’s decisions on whether to pursue recalls or take other regulatory and research steps. The committee’s review of these agency initiatives, therefore, centers on their relevance to informing such agency decisions. With respect to the second goal in the statement of task, the commit- tee used the insights gained from examining the concerns over unin- tended acceleration to inform its advice to NHTSA on steps the agency should take to prepare for and meet the safety challenges arising from the electronics-intensive automobile. The statement of task calls for rec- ommendations on NHTSA’s research priorities and required human, infrastructure, and financial resources to oversee the safety of auto- motive electronics. NHTSA needs to rank its policy priorities on the basis of competing safety demands. The committee does not know all of NHTSA’s safety priorities and their associated resource requirements. The report therefore offers suggestions on relevant research topics and recommends a means by which NHTSA can make more strategic choices with regard to allocating its resources to meet the safety oversight chal- lenges arising from automotive electronics. The committee’s review and findings are contained in the remainder of this report. Chapter 2 provides more background on the electronics systems in today’s vehicles and those of the not-too-distant future. Chapter 3 describes the safety assurances processes used by automotive manufacturers during the design and development of electronics sys- tems and efforts at the industry level to standardize aspects of these pro-

OCR for page 23
41 Background and Charge || cesses. Chapter 4 describes NHTSA’s oversight of vehicle electronics safety through its regulatory, research, and defect investigation programs and compares this oversight with the federal role in overseeing the safety of the design and manufacture of aircraft and medical devices. Chapter 5 reviews NHTSA’s initiatives on unintended acceleration, including the Silver Book, more recent ODI investigations, and the NASA study. In Chapter 6, key findings from the chapters are synthesized and assessed to make recommendations to NHTSA. RefeReNceS Abbreviations NHTSA National Highway Traffic Safety Administration NTSB National Transportation Safety Board Bereisa, J. 1983. Applications of Microcomputers in Automotive Electronics. Institute of Electrical and Electronics Engineers Transactions on Industrial Electronics, Vol. IE-30, No. 2, May. Broy, M., I. H. Kruger, A. Pretschner, and C. Salzmann. 2007. Engineering Auto- motive Software. Proceedings of the Institute of Electrical and Electronics Engineers, Vol. 95, No. 2, Feb., pp. 356–373. Cook, J. A., I. V. Kolmanovsky, D. McNamara, E. C. Nelson, and K. V. Prasad. 2007. Control, Computing and Communications: Technologies for the Twenty-First Century Model T. Proceedings of the Institute of Electrical and Electronics Engineers, Vol. 95, No. 2, Feb., pp. 334–355. Japanese Ministry of Transport. 1989. An Investigation on Sudden Starting and/or Acceleration of Vehicles with Automatic Transmissions. Marriner, P., and J. Granery. 1988. Investigation of Sudden Acceleration Incidents. ASF3282-8-18. Transport Canada. NHTSA. 2011. Technical Assessment of Toyota Electronic Throttle Control (ETC) Systems. http://www.nhtsa.gov/staticfiles/nvs/pdf/NHTSA-UA_report.pdf. NTSB. 2009. Highway Special Investigation Report: Pedal Misapplication in Heavy Vehicles. http://www.ntsb.gov/doclib/safetystudies/SIR0902.pdf. Pollard, J., and E. D. Sussman. 1989. An Examination of Sudden Acceleration. Report DOT-HS-807-367. Transportation Systems Center, U.S. Department of Transportation. Reinhart, W. 1994. The Effect of Countermeasures to Reduce the Incidence of Unintended Acceleration Accidents. Paper 94 S5 O 07. Proc., 14th International Technical Conference on Enhanced Safety of Vehicles, Washington, D.C., Vol. 1, pp. 821–845.

OCR for page 23
42 || The Safety Promise and Challenge of Automotive Electronics Rogers, S. B., and W. W. Wierwille. 1988. The Occurrence of Accelerator and Brake Pedal Actuation Errors During Simulated Driving. Human Factors, Vol. 31, No. 1, pp. 71–81. Schmidt, R. A. 1989. Unintended Acceleration: A Review of Human Factors Contributions. Human Factors, Vol. 31, No. 3, pp. 345–364. Vernoy, M. W., and J. Tomerlin. 1989. Pedal Error and Misperceived Centerline in Eight Different Automobiles. Human Factors, Vol. 31, No. 4, pp. 369–375. Walter, R., G. Carr, H. Weinstock, E. D. Sussman, and J. Pollard. 1988. Study of Mechanical and Driver-Related Systems of the Audi 5000 Capable of Producing Uncon- trolled Sudden Acceleration Incidents. Report DOT-TSC-NHTSA-88-4. Transporta- tion Systems Center, U.S. Department of Transportation.