4 National Highway Traffic Safety Administration Vehicle Safety Programs

In April 2011, the National Highway Traffic Safety Administration (NHTSA) reported that 32,788 people were killed during 2010 on U.S. roads in crashes, of which about 80 percent involved passenger cars and light trucks.1 As in previous years, a number of risky driver behaviors and actions, such as alcohol use, inattention, fatigue, and speeding, were among the major causal factors.2 Yet the 2010 data were widely acclaimed as providing further statistical evidence of a generally positive trend in traffic safety. About 18,000 fewer people died in motor vehicle crashes in 2010 than in 1980, even as vehicle travel almost doubled.3 This substantial improvement resulted from a combination of factors, such as better design and control of highways, stricter laws governing seat belt use and penalizing drunk driving, and more responsive and protective motor vehicles. The automotive industry deserves credit for responding to consumer and NHTSA demands to make vehicles inherently safer through innovations in automotive designs, materials, and engineering, including advancements in vehicle electronics. However, safer vehicles are widely recognized as providing only part of the solution to making driving safer. Since 1995, the number of people who have died on U.S. roadways has declined by about 20 percent. This decline is impressive, but during the same period traffic fatalities declined by 40 percent in the United Kingdom and by more than 50 percent in France and 15 other high-income countries for which long-term traffic safety data are available (TRB 2011). In all of these countries, policy makers have emphasized changing high-risk driver behaviors, particularly speeding, drunk driving, and lax seat belt use, by means of stringent laws, intensive public communication and education, and a commitment to traffic enforcement.

1 http://www-nrd.nhtsa.dot.gov/Pubs/811451.pdf.
2 http://www-fars.nhtsa.dot.gov/People/PeopleDrivers.aspx.
3 http://www.nhtsa.gov/PR/NHTSA-05-11.

100 || The Safety Promise and Challenge of Automotive Electronics

Although NHTSA does not license drivers, design roads, or set and enforce traffic laws, the agency shares responsibility with the Federal Highway Administration for providing funding aid and technical assistance to state and local governments having these responsibilities. In collecting and analyzing the nation’s traffic safety data, NHTSA has long reported that driver behavior and performance are the most significant factors in crashes. The most recent results of agency crash causation studies are summarized in Table 4-1. They indicate that crashes in which the driver was the proximate cause far outnumber those in which vehicle defects or roadway deficiencies were the most critical factors (NHTSA 2008). Thus, one of the challenges before NHTSA’s Office of Vehicle Safety is to ensure that vehicles retain their high levels of safety performance while finding ways to make vehicles more effective in countering many of the unsafe driver behaviors. The focus of this report is on automotive electronics. However, as indicated by these crash causation data, NHTSA faces many safety-related challenges (and accompanying demands on its resources) in addition to those associated with overseeing the safe performance of automotive electronics.
The committee was asked to advise NHTSA on how the regulatory, research, and defect investigation activities carried out by the Office of Vehicle Safety can be improved to meet the safety assurance demands of the increasingly electronics-intensive automobile. This chapter describes the key responsibilities and capabilities of the office. The committee was not asked to examine all responsibilities of the office, and it is not in a position to advise on the priority that should be given to such improvements relative to other program interests and associated resource demands. Nevertheless, it became evident to the committee that the Office of Vehicle Safety is highly optimistic that vehicle electronics will play an important role in mitigating risky driver behaviors. In this regard, the office’s interest in promoting the introduction of these electronics systems is intertwined with its interest in ensuring that they and all other electronics systems in the vehicle perform their functions safely and reliably. The next section starts with an overview of the Office of Vehicle Safety and then reviews its regulatory, research, and defect investigation programs in greater depth, with emphasis on the applicability of these programs to ensuring safe vehicle electronics. Consideration is then given to how NHTSA’s oversight of vehicle electronics safety through its regulatory, research, and defect investigation programs compares with aspects of federal oversight of the design and manufacture of aircraft and medical devices.

TABLE 4-1 Critical Precrash Event Attributed to Vehicles, Drivers, and Roadway and Atmospheric Conditions

Key Reason for Critical Precrash Event                    Crashes in Sample   Nationally   Weighted
                                                             (Unweighted)      Weighted   Percentage

Attributed to vehicles
  Tires failed or degraded; wheels failed                            56         19,320       43.3
  Brakes failed or degraded                                          39         11,144       25.0
  Other vehicle failure or deficiency                                17          9,298       20.8
  Steering, suspension, transmission, or engine failed               16          4,669       10.5
  Unknown                                                             2            212        0.5
  Total in category                                                 130         44,643      100

Attributed to drivers
  Recognition error (e.g., distraction, inattention)              2,094        828,308       40.6
  Decision error (e.g., too fast, illegal maneuver)               1,752        695,516       34.1
  Performance error (e.g., panic, overcompensation)                 510        210,143       10.3
  Nonperformance error (sleep, medical problem)                     369        145,844        7.1
  Other or unknown driver error                                     371        162,132        7.9
  Total in category                                               5,096      2,041,943      100

Attributed to roadway and atmospheric conditions
  Roadway
    Slick roads (e.g., ice, debris)                                  58         26,350       49.6
    View obstructions                                                19          6,107       11.6
    Signs and signals                                                 5          1,452        2.7
    Road design                                                       3            745        1.4
    Other highway-related condition                                   9          5,190        9.8
    Subtotal                                                         94         39,844       75.2
  Atmospheric conditions
    Fog, rain, or snow                                               11          2,338        4.4
    Other weather-related condition                                   6          2,147        4.0
    Glare                                                            24          8,709       16.4
    Subtotal                                                         41         13,194       24.8
  Total in category                                                 135         53,038      100

Note: Sample of 5,471 crashes investigated from July 3, 2005, to December 31, 2007. The “critical reason” is the immediate reason for the critical precrash event and is often the last failure in the causal chain. Numbers may not add up to total because of independent rounding.
Source: NHTSA 2008, Tables 9(a), 9(b), and 9(c).

Vehicle Safety Program Overview

In 1966, the federal government took on a central role in promoting highway safety across the nation by enactment of both the National Traffic and Motor Vehicle Safety Act and the Highway Safety Act. Congress delegated responsibility for administering the provisions of these acts to the U.S. Department of Transportation (DOT), which was created in the same year. The first act established a federal role in prescribing minimum safety standards for motor vehicles, enforcing compliance, and monitoring the safety performance of vehicles on the road, and it included authority to order manufacturer recalls for noncompliance and for safety defects. The act also authorized a federal role in motor vehicle and highway safety research. The second act established a federal program for granting funds to states for the development of highway safety programs, including those intended to affect driver behavior. Since its creation within the U.S. DOT in 1970, NHTSA has held the responsibilities for promulgating and enforcing the Federal Motor Vehicle Safety Standards (FMVSSs) and for the monitoring and remediation of vehicle safety defects. Along with the Federal Highway Administration, NHTSA has responsibility for administering the state highway safety grants program and for carrying out research to support these activities. Administrative responsibility for the motor vehicle safety regulatory program and the state highway safety grant program is divided within NHTSA offices.
The focus of this study is on the activities of the Office of Vehicle Safety, which has responsibility for the former program. That program includes development and enforcement of the FMVSSs and the conduct of vehicle safety research (as opposed to research in support of highway safety programs such as driver education and traffic enforcement).

An organization chart for the Office of Vehicle Safety is shown in Figure 4-1. The rulemaking division is responsible for development of the safety-related FMVSSs, as well as other activities such as the nonregulatory New Car Assessment Program (NCAP)4 and the setting of corporate average fuel economy standards. The enforcement division includes the Office of Defects Investigation (ODI), which monitors for and investigates safety defects in the fleet, and the regulatory compliance program, which randomly tests vehicles in the marketplace for adherence to particular FMVSSs. The research division undertakes studies to inform and provide the basis for new safety regulations, including research on vehicle crashworthiness, human–vehicle performance, and advanced crash avoidance technologies. Each of these three major programs is discussed below. Particular consideration is given to how they contribute to NHTSA’s oversight and understanding of the safety opportunities and challenges arising from vehicle electronics. The other major division of the Office of Vehicle Safety, the National Center for Statistics and Analysis (NCSA), provides NHTSA with the information necessary for understanding the nature and causes of traffic crashes nationally and for assessing agency regulatory activities. NCSA’s activities, which include development of the National Motor Vehicle Crash Causation Survey (NMVCCS), are described in Box 4-1 but are not reviewed further in this chapter.

FIGURE 4-1 Organization chart, NHTSA’s Office of Vehicle Safety (NDR = National Driver Register).

4 In 1979, NHTSA created the NCAP to improve occupant safety by development of timely comparative safety information that encourages manufacturers to improve the safety of their vehicles voluntarily. Since that time, the agency added rating programs and offered information to consumers via the website, www.safercar.gov. The program is not regulatory but seeks to influence manufacturers to build vehicles that consistently achieve high ratings.

Rulemaking

The FMVSSs are grouped into three main categories prescribing minimum vehicle capabilities for crash avoidance, crashworthiness, and postcrash integrity. The FMVSSs most pertinent to electronic vehicle control systems are the crash avoidance standards, since they cover vehicle capabilities and features such as braking, controls, and displays. The FMVSSs covering crash avoidance are given in Table 4-2. These regulations, like all the FMVSSs, are written in terms of minimum safety performance requirements. Thus, the FMVSSs are intended to be design and technology neutral out of recognition that automotive technologies change over time and vary across manufacturers. The emphasis on prescribing performance, as opposed to specifying designs and interfaces, also has the advantage of making the FMVSSs more durable. This attribute can be especially important in view of the difficulty of amending federal regulations. The promulgation of the FMVSSs, like all federal regulations, is governed by federal rulemaking cost-effectiveness and procedural requirements5 and by NHTSA’s own statutory requirements that rules be practicable, meet a specific need for motor vehicle safety, and be stated in objective terms. Under these circumstances, the need to make frequent revisions to standards to accommodate changes in technology could inhibit innovation and prove difficult to administer. FMVSS 124 offers an example of how and why the FMVSSs are performance oriented. The standard states that a vehicle’s throttle must be capable of returning to the idle position when the driver removes the actuating force from the accelerator control mechanism and when there is a disconnection between this control mechanism and the throttle. The standard does not define how the connection should be made or how the capability to return to idle should be established. When the standard was promulgated 40 years ago, the connections were mechanical and included springs on the throttle plate to return it to idle. The chronology of FMVSS 124, as shown in Box 4-2, illustrates the challenge that NHTSA faces in

5 The Administrative Procedure Act and executive orders governing cost-effectiveness assessment.
Box 4-1 Overview of NCSA

NCSA supports NHTSA rulemaking and research programs by monitoring the magnitude of the traffic safety problem; seeking to understand the factors that influence highway safety; performing crash investigations; and collecting and analyzing incident data, including crash reports from state and local authorities. Some of these data are intended to be comprehensive, such as the Fatality Analysis Reporting System (FARS), and others are sample-based, such as the National Automotive Sampling System General Estimates System (NASS GES), the NASS Crashworthiness Data System (NASS CDS), and the more detailed Special Crash Investigations (SCI). FARS is a census of fatal crashes on public roads and contains information about various crash characteristics as obtained from police reports and augmented by examination of additional driver record and vehicle information. NASS GES has information for a stratified sample of police-reported crashes, allowing the agency to describe the general characteristics and incidence of motor vehicle crashes in the United States. NASS CDS also contains data on a stratified random sample of police-reported crashes. However, the number of cases is much smaller, and the police-reported data are augmented by in-depth investigations that attempt to reconstruct the critical factors leading to the presence or absence of injuries in the crash. SCI cases, like NASS CDS cases, include more in-depth investigations of the crashes but are selected not through a random sample but to help the agency develop scientific understanding of new or interesting vehicle technologies or high-profile crashes. For example, rarely occurring events like unintended acceleration are not adequately represented in standard databases. NCSA may conduct special investigations of episodes or crashes linked with such factors (as it has for unintended acceleration; see the discussion in Chapter 5).

NCSA also periodically performs special studies that can inform rulemaking and other NHTSA activities such as the NMVCCS,1 which is a nationally representative survey of crashes providing information on the contribution of precrash human factors, vehicle factors, and environmental factors related to crashes. In the most recent NMVCCS, investigators interviewed drivers and witnesses, visited the crash location to examine the physical evidence, and inspected the vehicle and extracted information from the event data recorder if one was available.

1 http://www-nrd.nhtsa.dot.gov/Pubs/811059.PDF.

TABLE 4-2 FMVSSs for Crash Avoidance

Standard No.   Name
101            Controls and Displays
102            Transmission Shift Lever Sequence, Starter Interlock, and Transmission Braking Effect
103            Windshield Defrosting and Defogging Systems
104            Windshield Wiping and Washing Systems
105            Hydraulic and Electric Brake Systems
106            Brake Hoses
108            Lamps, Reflective Devices, and Associated Equipment
109            New Pneumatic Tires for Passenger Cars
110            Tire Selection and Rims for Passenger Cars
111            Rearview Mirrors
113            Hood Latch System
114            Theft Protection and Rollaway Prevention
116            Motor Vehicle Brake Fluids
117            Retreaded Pneumatic Tires
118            Power-Operated Window, Partition, and Roof Panel Systems
119            New Pneumatic Tires for Vehicles Other Than Passenger Cars
120            Tire Selection and Rims for Motor Vehicles Other Than Passenger Cars
121            Air Brake Systems
122            Motorcycle Brake Systems
123            Motorcycle Controls and Displays
124            Accelerator Control Systems
125            Warning Devices
129            New Non-Pneumatic Tires for Passenger Cars—New Temporary Spare Non-Pneumatic Tires for Use on Passenger Cars
131            School Bus Pedestrian Safety Devices
135            Light Vehicle Brake Systems
Box 4-2 Chronology of Major Activities for FMVSS 124, Accelerator Control Systems

Notice of Proposed Rulemaking (NPRM)
September 30, 1970, 35 Federal Register 15241
Proposed rule states that accelerator control system and automatic speed control systems (ASCs) would be required to have at least two independent energy sources (such as springs), each capable of returning the engine to idle on release of the actuating force. One of those energy sources must be able to return the engine to idle in case of disconnection of any element of the system. A design requirement of ASCs would be their deliberate activation by the driver. ASCs must also be capable of automatic deactivation when the driver takes certain actions, such as pushing on the brake. In addition, ASCs must automatically deactivate once specified failure modes occur. Proposed effective date: October 1, 1972.

Final Rule
April 8, 1972, 37 Federal Register 7097
The final rule retains the proposed two independent energy sources. In the NPRM, the return to idle only had to occur when the actuating force was removed. In the final rule, in the case of a failure in the system, the engine must return to idle at the time of the failure (such as breakage) or removal of the actuating force. The final rule dropped coverage of ASCs because the agency could not find crashes caused by the ASC and manufacturers were found to be following Society of Automotive Engineers guidelines for those systems. On issuance of the final rule, NHTSA also issued an NPRM on the time required for the engine to return to idle.

NPRM
April 8, 1972, 37 Federal Register 7108
Proposal would add a ½-second limit in which the engine must return to idle once the actuating force is removed or a system failure occurs.

Response to Petitions for Reconsideration and Final Rule on Time Limit
September 23, 1972, 37 Federal Register 20033
Notice amends the standard to set a time limit for the system to return to idle. Under conditions of extreme cold (ambient air of 0°F or colder), the system is allowed 3 seconds to return to idle. At temperatures above 0°F, the maximum allowable return to idle time is reduced to 2 seconds for vehicles with a gross vehicle weight rating (GVWR) exceeding 10,000 pounds and to 1 second for all vehicles with a GVWR of 10,000 pounds or less.

Request for Comments
December 4, 1995, 60 Federal Register 62061
NHTSA noted that the original standard was issued when only mechanical systems were commonly used in vehicles. The agency set out a series of questions to help it make a decision on amending the standard to address electronic accelerator control systems. NHTSA said that while it has attempted to address the issue of electronic accelerator control systems through interpretation letters, the volume of requests has continued. To address this issue, the agency indicated that “instead of answering these questions by drawing analogies between traditional mechanical components and new electronic systems, it amended the Standard to include provisions and language specifically tailored to electronic systems.” The agency identified the following failure modes of electronics systems and asked for comments on whether any other modes warranted consideration: the mechanical linkage and return springs between the pedal and the accelerator position sensor (APS); the electrical connections between the APS and the engine control processor; the electrical connections between the engine control processor and fuel or air metering devices that determine engine speed; power to the engine control processor; the APS and critical sensor; and the integrity of the engine control processor, APS, and other critical sensors.

Public Technical Workshop
May 20, 1997
NHTSA held a workshop with participants from the Truck Manufacturers Association and the American Automobile Manufacturers Association to discuss how electronics systems work and how to apply FMVSS 124 to these systems. Both organizations “emphasized that there had been no safety-related developments concerning electronic accelerator controls to justify applying Standard No. 124 to such systems.”

NPRM on Electronic Control Systems
July 23, 2002, 67 Federal Register 48117
NHTSA reported that “where the present standard applies only to single-point severances or disconnections such as the disconnection of one end of a throttle cable, the proposed standard also is limited to single-point severances and disconnections such as unhooking one electrical connector or cutting a conductor at one location. The proposal does not attempt to make the requirements more stringent by requiring fail-safe performance when multiple severances or disconnections occur simultaneously.” NHTSA also proposed several new test procedures, one of which would measure the engine speed under different load on a chassis dynamometer. NHTSA commented that this particular test was “technology-neutral” and could be used instead of other proposed tests. The other procedures were technology-specific. One was essentially the air throttle plate position test of the existing standard. Another was measurement of fuel flow rate in diesel engines, and the other was measuring input current to a drive motor, such as would be found in an electric vehicle.

Withdrawal of Proposed Electronic Rule
November 10, 2004, 69 Federal Register 65126
NHTSA indicated that it was withdrawing its proposal “while it conducts further research on issues relating to chassis dynamometer-based test procedures for accelerator controls.”

(continued on next page)
[Pages 110 through 121 are not included in the extracted text.]
research attention to the safety assurance needs of the electronics-intensive vehicle.

Strategic and Priority Planning for Research and Rulemaking

The purpose of NHTSA’s most recent Vehicle Safety and Fuel Economy Rulemaking and Research Priority Plan (NHTSA 2011), according to the agency, is to describe the projects that the agency intends to work on in the rulemaking and research areas that are priorities or that will take significant agency resources. The document is intended not only to be an internal management tool but also to communicate NHTSA’s highest priorities to the public. It lays out the rationale for why the identified projects are considered priorities. Emphasis is given to their relevance to specific safety problems as identified from analyses of crash data. The plan states that the priorities are based on their potential for large safety benefits. Priority is also given to projects that can address special safety hazards, such as those related to vulnerable populations (for example, children and the elderly). The plan acknowledges that Congress and the White House may request that the agency address other areas, which can affect priorities during the planning time frame. An important element of the plan is that all identified projects, including research initiatives, be accompanied by a time frame for a decision. For example, projects in the research stage are noted with milestones indicating when NHTSA expects to decide whether the initiative is ready to move from the research to the rulemaking stage. The emphasis on agency decision making, particularly for research, reflects the focus of the agency’s vehicle safety research program on supporting specific rulemaking initiatives. The plan lists a number of projects for evaluating electronics systems as countermeasures for problems such as rear-end collisions, lane departures, and blind spot detection. Several other projects relevant to electronics safety assurance are as follows:

• Event data recorder requirement—plans for a proposed rulemaking to mandate the installation of event data recorders on all light-duty vehicles and a proposal to consider enhancements to their capabilities and applicability;
• Update of FMVSS 124 on accelerator control—revision of the test procedure for vehicles with ETCs and the addition of systems that would override the throttle on application of the brake; and
• Update of FMVSS 114 pertaining to keyless ignitions—revision of the standard to consider ways of ens
uring the ability of drivers to turn off the engine in the event of an on-road emergency.16

These three priorities, as well as planned research to examine pedal placement and spacing, appear to have resulted from the recent experience with unintended acceleration, for reasons discussed further in Chapter 5. The earlier discussion of NHTSA’s vehicle safety research programs noted that the agency is considering whether to support research to inform the automotive industry’s efforts to address cybersecurity and improve fail-safe and fault detection strategies for complex vehicle electronics. The priority plan does not list these areas as candidates for agency research. Whether such research, if undertaken, would be viewed as supporting prospective regulatory decisions was not made clear to the committee. NHTSA regulations in these areas, however, would be unprecedented, as pointed out earlier. The plan does not communicate strategic decisions, such as whether consideration is being given to changes in the agency’s regulatory approach in response to the safety challenges associated with vehicle electronics. However, as noted at the outset of the plan, “NHTSA is also currently in the process of developing a longer-term motor vehicle safety strategic plan that would encompass the period 2014 to 2020” (NHTSA 2011, 1). While this planning effort may be where such decisions will be made, no additional details on its purpose or progress were offered by NHTSA officials during the course of this study.
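The failure modes NHTSA enumerated for electronic accelerator controls in Box 4-2 (the APS wiring, the APS-to-processor and processor-to-actuator connections, processor power, and sensor integrity), the single-point severance scope of the 2002 proposal, the 1972 return-to-idle time limits, and the brake-override feature in the FMVSS 124 update priority listed above together describe behavior that can be modeled and checked. The following Python model is an added example; it is not NHTSA's, any manufacturer's, or this report's code, and it is not a test procedure from the standard. Everything in it beyond the time limits is an assumption chosen for illustration: a pedal module with two accelerator position sensor tracks on a fixed 2:1 ratio, a 0.25 to 4.75 V valid window in which a voltage at either rail means an open or shorted conductor, a rolling frame counter on the pedal-to-processor link, a throttle plate that slews at 400 percent of travel per second, and constructed 10 ms frame sequences for three events. The names (`PedalFrame`, `ThrottleController`, `run`, `scenario`) are likewise hypothetical.

```python
"""Fail-safe model of an electronic accelerator control path. Added example, not NHTSA's or any
manufacturer's code: the sensor window, track ratio, frame counter, slew rate and frames are assumed."""
from dataclasses import dataclass
from enum import Enum, auto
from typing import List, Optional

APS_MIN_V, APS_MAX_V = 0.25, 4.75     # assumed valid APS window; a voltage at a rail = open/short
TRACK_RATIO, TRACK_TOL_V = 2.0, 0.20  # assumed: track1 ~= 2 * track2 on an intact harness
STALE_FRAMES = 3                      # assumed: repeated link frames before a fault is declared
PLATE_RATE = 4.0                      # assumed actuator slew, fraction of travel per second

class Fault(Enum):
    SEVERED_TRACK = auto()       # APS wiring open or shorted: the voltage sits at a rail
    IMPLAUSIBLE_TRACKS = auto()  # APS integrity: the two tracks disagree
    STALE_PEDAL_LINK = auto()    # pedal-to-processor link: frames stopped changing
    ECU_POWER = auto()           # processor power lost: the actuator is de-energised

@dataclass
class PedalFrame:
    t_s: float
    track1_v: float
    track2_v: float
    brake_pressed: bool
    counter: int                 # rolling counter from the pedal module, wraps at 16
    ecu_power_ok: bool = True

def classify_aps(track1_v: float, track2_v: float) -> Optional[Fault]:
    """Single-point checks: one cut conductor or one bad track is enough to fault."""
    if not all(APS_MIN_V <= v <= APS_MAX_V for v in (track1_v, track2_v)):
        return Fault.SEVERED_TRACK
    if abs(track1_v - TRACK_RATIO * track2_v) > TRACK_TOL_V:
        return Fault.IMPLAUSIBLE_TRACKS
    return None

def pedal_fraction(track1_v: float) -> float:
    return min(1.0, max(0.0, (track1_v - 0.5) / 4.0))  # assumed: 0.5 V released, 4.5 V floored

def return_to_idle_limit_s(ambient_f: float, gvwr_lb: float) -> float:
    """FMVSS 124 (37 FR 20033): 3 s at 0 F or colder, else 2 s above 10,000 lb GVWR, else 1 s."""
    return 3.0 if ambient_f <= 0.0 else 2.0 if gvwr_lb > 10_000 else 1.0

class ThrottleController:
    """Latches the first fault, commands idle, and records when idle was actually reached."""
    def __init__(self) -> None:
        self.plate = 0.0                              # throttle opening, 0.0 = idle
        self.last_t = self.last_counter = self.first_missed_t = None
        self.missed = 0
        self.fault: Optional[Fault] = None            # latched until a key cycle
        self.fault_at_s = self.idle_at_s = None

    def _detect(self, f: PedalFrame) -> Optional[Fault]:
        if not f.ecu_power_ok:
            return Fault.ECU_POWER
        if self.last_counter is not None and f.counter == self.last_counter:
            self.missed += 1
            self.first_missed_t = f.t_s if self.first_missed_t is None else self.first_missed_t
        else:
            self.missed, self.first_missed_t = 0, None
        self.last_counter = f.counter
        if self.missed >= STALE_FRAMES:
            return Fault.STALE_PEDAL_LINK
        return classify_aps(f.track1_v, f.track2_v)

    def step(self, f: PedalFrame) -> float:
        found = self._detect(f)
        if found is not None and self.fault is None:
            self.fault = found   # the compliance clock starts at the failure, not at its detection
            self.fault_at_s = self.first_missed_t if found is Fault.STALE_PEDAL_LINK else f.t_s
        # idle on any latched fault; the brake override beats a healthy pedal demand
        demand = 0.0 if (self.fault is not None or f.brake_pressed) else pedal_fraction(f.track1_v)
        move = 0.0 if self.last_t is None else PLATE_RATE * (f.t_s - self.last_t)  # plate slews
        self.last_t = f.t_s
        self.plate = max(demand, self.plate - move) if demand < self.plate else min(demand, self.plate + move)
        self.plate = 0.0 if self.plate < 1e-9 else self.plate
        if self.fault is not None and self.plate == 0.0 and self.idle_at_s is None:
            self.idle_at_s = f.t_s
        return self.plate

def run(frames: List[PedalFrame], ambient_f: float, gvwr_lb: float) -> dict:
    """Drive the controller over a frame sequence and check the FMVSS 124 return-to-idle limit."""
    ctl = ThrottleController()
    trace = [ctl.step(f) for f in frames]
    elapsed = None if ctl.idle_at_s is None else ctl.idle_at_s - ctl.fault_at_s
    limit = return_to_idle_limit_s(ambient_f, gvwr_lb)
    return {"fault": ctl.fault, "elapsed_s": elapsed, "limit_s": limit, "trace": trace,
            "compliant": ctl.fault is None or (elapsed is not None and elapsed <= limit)}

def scenario(kind: str) -> List[PedalFrame]:
    """Constructed 10 ms frames: 0.5 s of healthy pedal at 50 percent (2.5 V / 1.25 V), then one event."""
    good = [PedalFrame(i * 0.01, 2.5, 1.25, False, i % 16) for i in range(50)]
    t = [0.5 + i * 0.01 for i in range(100)]
    tails = {
        # track-1 conductor cut at one point: it reads 0 V while track 2 is still valid
        "severed": [PedalFrame(s, 0.0, 1.25, False, (50 + i) % 16) for i, s in enumerate(t)],
        # pedal connector unhooked: the last frame keeps repeating with a frozen counter
        "stale": [PedalFrame(s, 2.5, 1.25, False, good[-1].counter) for s in t],
        # sensors healthy and the pedal still down, but the brake is applied
        "brake": [PedalFrame(s, 2.5, 1.25, True, (50 + i) % 16) for i, s in enumerate(t)],
    }
    return good + tails[kind]
```

With these assumptions, `run(scenario("severed"), 70.0, 5_000)` reports `SEVERED_TRACK` and idle 0.12 s after the cut, `run(scenario("stale"), 70.0, 5_000)` reports `STALE_PEDAL_LINK` and idle after 0.14 s, and the brake scenario closes the throttle with no fault latched. The design point is that every enumerated failure mode collapses to one latched decision, idle, and that the clock runs from the failure rather than from its detection: the stale-link case needs three repeated frames before the controller notices, and that latency is charged against the 1 second a light vehicle is allowed above 0°F.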
Safety Assurance and Oversight in Other Industries

NHTSA’s vehicle safety activities represent one approach to overseeing the safety of a transportation activity and vehicle. Within the U.S. DOT, several agencies have transportation safety regulatory and oversight responsibilities and differ in how they implement them. Among such agencies are the Federal Railroad Administration, the Federal Motor Carrier Safety Administration, and the Federal Aviation Administration (FAA). FAA’s approach in overseeing the design and production of aircraft is reviewed briefly, since this transportation industry—perhaps more than any other—is highly safety conscious and technologically complex. In addition, consideration is given to a regulatory and oversight approach from outside the transportation sector by reviewing aspects of the Food and Drug Administration’s (FDA’s) safety responsibility for medical devices. Although in-depth reviews are not provided, the comparisons make the earlier distinctions about NHTSA’s regulatory and defect surveillance approach more concrete.

16 On December 12, 2011, NHTSA issued a Notice of Proposed Rulemaking to address safety issues arising from keyless ignition controls and their operation (Docket No. NHTSA-2011-0174). Federal Register, Vol. 76, No. 238.

FAA and Aircraft Safety

In developing its airframe and engine airworthiness regulations,17 FAA is authorized by law to set minimum standards for the design, materials, construction, quality of work, and performance of aircraft and their engines. Despite its legal authority to prescribe the details of product design and construction, FAA has elected to place greater emphasis on ensuring that aviation equipment performs safely rather than on establishing specific design and construction standards for products. In this important respect, the FAA regulations are comparable with the performance-oriented FMVSSs promulgated by NHTSA—the details of the design and development process are left to the manufacturer. In many other respects, the scope and depth of the regulatory roles of FAA and NHTSA differ significantly. These differences have many origins, not the least of which is the fact that aircraft are far more expensive to develop and build than automobiles and their systems must maintain airworthiness and operability in flight.18

17 14 CFR Parts 21 through 49.
18 For example, in the event of a fault, aircraft, unlike automobiles, cannot implement fail-safe defenses that shut down the engines in flight. Thus, they require extensive redundancy and preventive measures for faults in safety-critical systems.

Aircraft manufacturers must apply to FAA for approval and certification to develop and build a new aircraft type. In contrast, automotive manufacturers do not need approval from NHTSA to develop and build a new type of automobile. FAA’s certification process covers all product development phases, from initial planning to flight testing. Each manufacturer applicant must present a certification plan that sets out the safety
125 NHTSA Vehicle Safety Programs || assurance processes it will use through all development and production stages, including specification of procedures for hazard assessment, safety analysis, testing, inspection, design change proposal, hardware and soft- ware development and integration, and manufacturing quality control. On receipt of the application, FAA exercises a prominent role in the approval of these plans: FAA must review and approve the safety assur- ance plans before the applicant can even proceed to the next phase of product development. Even at the final stages of aircraft and engine development, FAA must approve the battery of tests and evaluations that are conducted in preparation for the aircraft or engine to be placed in service. Before it grants certification, FAA audits all of the procedures fol- lowed by the manufacturer as well as the results of tests. Although FAA reviews manufacturer safety assurance plans and pro- cesses intensely, the burden of proving the soundness of the safety assur- ance system is on the manufacturer. To facilitate compliance, FAA advises manufacturers to follow certain preapproved processes for product devel- opment. In particular, the agency publishes advisory circulars (ACs) that define acceptable means of conforming to specific airworthiness regula- tions. For example, one AC (AC 25.1309-1 draft) establishes the means by which manufacturers are to determine the levels of risk tolerance for various functional capabilities of the aircraft. Manufacturers are advised to designate design assurance levels (DALs) for their safety-critical systems, not unlike the automotive safety integrity levels prescribed in ISO 26262 for automotive electronics systems as explained in Chapter 3. Manufacturers are thus expected to implement safety assurance mea- sures compatible with the DAL for each system. 
FAA does not specify how applicants must conduct DAL classifications, but it advises on the use of specific industry-developed standards (e.g., SAE ARP4754 and ARP4761) for analytic rigor and requires manufacturers to demonstrate the use of rigorous analytic processes (e.g., failure mode and effects analyses and fault tree analyses, both of which are discussed in Chapter 3). Specifically with respect to safety-critical software, FAA advises manufacturers to follow the industry-developed standard RTCA-178B, which prescribes steps to be followed during software development.19 Aircraft and engine manufacturers are not compelled to follow the standards referenced in ACs, but FAA's demanding requirements for the approval of alternative processes mean that the aviation industry almost universally subscribes to the processes preapproved in circulars.20

19 The Radio Technical Commission for Aeronautics is a federal advisory committee. Its participants come from industry and academia. Box 3-3 in Chapter 3 provides more information on software development standards for functional safety.

126 || The Safety Promise and Challenge of Automotive Electronics

FAA's hands-on approach to safety oversight can make fulfillment of its requirements costly and time-consuming. Although FAA designates senior engineers from manufacturers to carry out many of the detailed document reviews and inspections that make up the certification process, FAA staff must review the most significant process elements. FAA has a major unit, the Aircraft Certification Service, dedicated to this function and housed in more than two dozen offices across the country and abroad. Although FAA issues a handful of new aircraft-type certificates per year, the Aircraft Certification Service requires a large cadre of test pilots, manufacturing inspectors, safety engineers, and technical specialists in key disciplines such as flight loads, nondestructive evaluation, flight management, and human factors.

FDA and Class III Medical Devices

Manufacturers of the most safety-critical (Class III) medical devices must receive approval from FDA before the devices can be marketed for public use.21 FDA's and NHTSA's safety oversight processes are comparable in that they combine safety requirements as a condition for approval with postmarketing monitoring to detect and remedy product safety deficiencies in the field. FDA's postmarket surveillance uses mandatory reporting of adverse events by manufacturers and voluntary reporting by health professionals and consumers. In 2002, FDA supplemented these sources of surveillance information with a new approach.
It established a voluntary network of clinicians and hospitals to provide a two-way channel of communication to support surveillance and more in-depth investigations of medical device safety performance.22 The Medical Product Safety Network, known as MedSun, now has about 350 participating user facilities. Each participating facility has trained liaisons, who are instructed to report issues of interest to FDA electronically. According to FDA officials who briefed the committee, agency epidemiologists can query MedSun participants for specific information on the performance of devices under investigation, and participants regularly submit device performance information to FDA's surveillance program, including reports on safety-related "close calls."

20 A comparison of safety assurance processes for safety-critical electronics in the automotive and aerospace domains is given by Benz et al. (2004).
21 FDA regulates three classes of medical devices. The most intensely regulated, designated as Class III, are those supporting or sustaining human life, such as pacemakers, pulse generators, and implanted defibrillators.
22 http://www.fda.gov/MedicalDevices/Safety/MedSunMedicalProductSafetyNetwork/default.htm.

MedSun represents a small part of FDA's postmarket surveillance system. It is discussed here because it demonstrates a collaborative approach that may have application in the automotive sector. MedSun's effectiveness for defects surveillance could not be examined in this study. A recent report by the Institute of Medicine (IOM), however, found that FDA's MedSun and certain other collaborative initiatives for postmarket surveillance are "scientifically promising" provided they are resourced adequately (IOM 2011, 143–144).23

Conceptually, FDA's MedSun resembles NHTSA's Crash Injury Research Engineering Network (CIREN). CIREN was created by the agency in 1996 for detailed investigation of vehicle crashes. The program brings together experts from medicine, academia, industry, and government to perform analyses of the injuries sustained in specific collision modes such as front, side, and rollover crashes. The participating trauma centers are among the nation's largest, and the engineering centers are based at academic laboratories with extensive experience in vehicle crash and human injury research. Each trauma and engineering center collects detailed medical and crash data on approximately 50 crashes per year, and these data are shared among participating centers through a computer network that is also accessible to NHTSA researchers. While CIREN does not collect information on the performance and functioning of vehicle electronics systems, it demonstrates the value of such collaborative forums and how NHTSA can play a role in supporting them.
23 The IOM report found: "The FDA has postmarketing surveillance programs—such as MedSun, MD EpiNet, and the Sentinel Initiative—that are scientifically promising, but achieving their full promise will require a commitment to provide stable, adequate resources and will require resolution of various technical issues, such as unique device identifiers."

Chapter Findings

Finding 4.1: A challenge before NHTSA is to further the use and effectiveness of vehicle technologies that can aid safe driving and mitigate hazardous driving behaviors and to develop the capabilities to ensure that these technologies perform their functions as intended and do not prompt other unsafe driver actions and behaviors. Alcohol-impaired driving, speeding, distraction, and failure to use seat belts represent long-standing driver behaviors that contribute to many crashes and their consequences. Advancements in vehicle electronics could reduce crashes and their severity through alerts, crash-imminent actions, and automated control. Such benefits will depend on drivers accepting the technologies and using them appropriately. In addition, industry and NHTSA have an interest in ensuring that new safety technologies do not have the unintended effects of confusing or startling drivers or causing them to become too dependent on the technologies themselves for safe driving.

Finding 4.2: NHTSA's FMVSSs are results-oriented and thus written in terms of minimum system performance requirements rather than prescribing the means by which automotive manufacturers design, test, engineer, and manufacture their safety-related electronics systems. In being primarily performance-oriented, the standards are intended to be design- and technology-neutral, in recognition that automotive technologies evolve and vary across manufacturers. Hence, automotive manufacturers are not required to seek NHTSA approval when they develop and introduce a new vehicle system, even if it pertains to an FMVSS-required safety capability or feature. NHTSA may offer an interpretation of a new technology's conformance to an FMVSS performance requirement, but it does not advise on specific design strategies or testing methods carried out by the manufacturer, such as means by which corrosion resistance, electromagnetic compatibility, software reliability, and diagnostic and fail-safe properties are designed and verified.
Automotive manufacturers are required to self-certify that their vehicles comply with the performance requirements when they deliver each vehicle to the dealer.

Finding 4.3: Through ODI, NHTSA enforces the statutory requirement that vehicles in consumer use not exhibit defects that adversely affect safe vehicle performance. ODI analysts monitor the fleet for indications of vehicle safety defects primarily through the screening and analysis of consumer complaints, supplemented with information submitted by manufacturers in compliance with the EWR system. By law, to demonstrate the existence of a safety defect, ODI investigators must be able to show a potential for a significant number of failures as a result of the defect and that such failures present an unreasonable risk of a crash, injury, or death. The defect may pertain to any vehicle component that can adversely affect the safe performance of the vehicle, regardless of whether it pertains to a capability required in a specific FMVSS. ODI inquiries and investigations seldom lead to manufacturers being ordered to undertake a safety recall to remedy a defect. However, ODI investigative actions often prompt the manufacturer to issue a voluntary recall, even in instances where there is uncertainty about whether the defect meets the statutory definition of presenting an unreasonable safety risk.

Finding 4.4: NHTSA refers to its vehicle safety research program as being "data driven" and decision-oriented, guided by analyses of traffic crash data indicating where focused research can further the introduction of new regulations and vehicle capabilities aimed at mitigating known safety problems. In particular, electronics systems that can aid in crash avoidance are viewed as promising ways to mitigate driver errors. The agency's crash avoidance research thus includes evaluations of human factors issues, methodologies for estimating the potential safety benefits of existing and emerging crash avoidance technologies, performance standards and tests that can be established for technology-based crash avoidance capabilities, the state of development of emerging and more advanced technologies for driving assistance, driver monitoring, and vehicle-to-vehicle communications.

Finding 4.5: NHTSA regularly updates a multiyear plan that explains the rationale for its near-term research and regulatory priorities; however, the plan does not communicate strategic considerations, such as how the safety challenges arising from the electronics-intensive vehicle may require new regulatory and research responses. NHTSA has indicated that such a forward-looking strategic plan is being developed, but its purpose and the progress on it have not been made clear.
For example, NHTSA does not undertake significant research in support of industry efforts to make improvements in areas such as fail-safe and diagnostic strategies, means for detecting dual and intermittent faults, electromagnetic compatibility, software safety assurance, or cybersecurity. Nor does the agency undertake significant research in support of improvements in the processes and data capabilities of ODI in monitoring for and investigating the fleet for electronics-related defects. Such defects may become more common (owing to the growth in electronics systems) and more difficult to identify and assess because their occurrence does not always leave a physical trace. Whether such an expansion of research emphasis is warranted is a strategic consideration and a candidate for coverage in the pending strategic plan.

Finding 4.6: FAA's regulations for aircraft safety are comparable with the performance-oriented FMVSSs in that the details of product design and development are left largely to the manufacturers; however, FAA exercises far greater oversight of the verification and validation of designs and their implementation. Aircraft manufacturers must apply to FAA for approval and certification to develop and build a new aircraft type. FAA's certification process covers all product development phases; FAA reviews and approves all manufacturer safety assurance plans. In contrast, under NHTSA's approach, these responsibilities are left to manufacturers. For NHTSA to engage in comprehensive, aviation industry–type regulatory oversight of manufacturer assurance plans and processes would represent a fundamental change in the agency's regulatory approach that would require substantial justification and resources, and possibly new statutory authority. The introduction of increasingly autonomous vehicles, as envisioned in some concepts of the electronics-intensive automobile, might one day cause the agency to consider taking a more hands-on regulatory approach with elements similar to those found in the aviation sector. At the moment, however, such a profound change in the way NHTSA regulates automotive safety does not appear to be a near-term prospect.

Finding 4.7: FDA's and NHTSA's safety oversight processes are comparable in that they combine safety performance requirements as a condition for approval with postmarketing monitoring to detect and remedy product safety deficiencies occurring in the field. FDA has established a voluntary network of clinicians and hospitals known as MedSun to provide a two-way channel of communication to support surveillance and more in-depth investigations of the safety performance of medical devices. MedSun represents a small part of FDA's postmarket surveillance system.
This network is discussed here because it demonstrates a government–industry collaborative approach that may have application for automotive safety. NHTSA's CIREN program is conceptually similar to the FDA network for medical devices, demonstrating NHTSA's potential for supporting such collaborative surveillance activities.

References

Abbreviations
GAO Government Accountability Office
IOM Institute of Medicine
NHTSA National Highway Traffic Safety Administration
TRB Transportation Research Board

Benz, S., E. Dilger, W. Dieterle, and K. D. Müller-Glaser. 2004. A Design Methodology for Safety-Relevant Automotive Electronic Systems. SAE Paper 2004-01-1665. Presented at Society of Automotive Engineers World Congress and Exhibition, Detroit, Mich., March.
GAO. 2011. NHTSA Has Options to Improve the Safety Defect Recall Process. GAO-11-603. June. http://www.gao.gov/new.items/d11603.pdf.
IOM. 2011. Medical Devices and the Public's Health: The FDA 510(k) Clearance Process at 35 Years. National Academies Press, Washington, D.C.
NHTSA. 2008. National Motor Vehicle Crash Causation Survey: Report to Congress. DOT HS 811 059. July. http://www-nrd.nhtsa.dot.gov/Pubs/811059.PDF.
NHTSA. 2011. NHTSA Vehicle Safety and Fuel Economy Rulemaking and Research Priority Plan, 2011–2013. March. http://www.nhtsa.gov/staticfiles/rulemaking/pdf/2011-2013_Vehicle_Safety-Fuel_Economy_Rulemaking-Research_Priority_Plan.pdf.
TRB. 2011. Special Report 300: Achieving Traffic Safety Goals in the United States: Lessons from Other Nations. National Academies, Washington, D.C.