The Safety Promise and Challenge of Automotive Electronics

Summary

The National Highway Traffic Safety Administration (NHTSA) requested this National Research Council (NRC) study of how the agency's regulatory, research, and defect investigation programs can be strengthened to meet the safety assurance and oversight challenges arising from the expanding functionality and use of automotive electronics. To conduct the study, NRC appointed a 16-member committee of experts tasked with considering NHTSA's recent experience in responding to concerns over the potential for faulty electronics to cause the unintentional vehicle acceleration as reported by some drivers. The subject matter of the committee's findings is summarized in Box S-1 and provided in full at the end of each chapter. These findings indicate how the electronics systems being added to automobiles present many opportunities for making driving safer but at the same time present new demands for ensuring the safe performance of increasingly capable and complex vehicle technologies. These safety assurance demands pertain both to the automotive industry's development and deployment of electronics systems and to NHTSA's fulfillment of its safety oversight role. With regard to the latter, the committee recommends that NHTSA give explicit consideration to the oversight challenges arising from automotive electronics and that the agency develop and articulate a long-term strategy for meeting the challenges. A successful strategy will reduce the chances of a recurrence of the kind of controversy that drove NHTSA's response to questions about electronics causing unintended acceleration. As electronics systems proliferate to provide more vehicle functions, neither industry nor NHTSA can afford such recurrences—nor can motorists.

Box S-1 Summary of Findings

The Electronics-Intensive Automobile

Finding 2.1: Electronics systems have become critical to the functioning of the modern automobile.

Finding 2.2: Electronics systems are being interconnected with one another and with devices and networks external to the vehicle to provide their desired functions.

Finding 2.3: Proliferating and increasingly interconnected electronics systems are creating opportunities to improve vehicle safety and reliability as well as demands for addressing new system safety and cybersecurity risks.

Finding 2.4: By enabling the introduction of many new vehicle capabilities and changes in familiar driver interfaces, electronics systems are presenting new human factors challenges for system design and vehicle-level integration.

Finding 2.5: Electronics technology is enabling nearly all vehicles to be equipped with event data recorders (EDRs) that store information on collision-related parameters as well as enabling other embedded systems that monitor the status of safety-critical electronics, identify and diagnose abnormalities and defects, and activate predefined corrective responses when a hazardous condition is detected.

Safety Assurance Processes for Automotive Electronics

Finding 3.1: Automotive manufacturers visited during this study—and probably all the others—implement many processes during product design, engineering, and manufacturing intended (a) to ensure that electronics systems perform as expected up to defined failure probabilities and (b) to detect failures when they occur and respond to them with appropriate containment actions.

Finding 3.2: Testing, analysis, modeling, and simulation are used by automotive manufacturers to verify that their electronics systems, the large majority of which are provided by suppliers, have met all internal specifications and regulatory requirements, including those relevant to safety performance.

Finding 3.3: Manufacturers face challenges in identifying and modeling how a new electronics-based system will be used by the driver and how it will interface and interact with the driver.

Finding 3.4: Automotive manufacturers have been cooperating through the International Organization for Standardization to develop a standard methodology for evaluating and establishing the functional safety requirements for their electronics systems.

NHTSA Vehicle Safety Programs

Finding 4.1: A challenge before NHTSA is to further the use and effectiveness of vehicle technologies that can aid safe driving and mitigate hazardous driving behaviors and to develop the capabilities to ensure that these technologies perform their functions as intended and do not prompt other unsafe driver actions and behaviors.

Finding 4.2: NHTSA's Federal Motor Vehicle Safety Standards are results-oriented and thus written in terms of minimum system performance requirements rather than prescribing the means by which automotive manufacturers design, test, engineer, and manufacture their safety-related electronics systems.

Finding 4.3: Through the Office of Defects Investigation (ODI), NHTSA enforces the statutory requirement that vehicles in consumer use not exhibit defects that adversely affect safe vehicle performance.

Finding 4.4: NHTSA refers to its vehicle safety research program as being "data driven" and decision-oriented, guided by analyses of traffic crash data indicating where focused research can further the introduction of new regulations and vehicle capabilities aimed at mitigating known safety problems.

Finding 4.5: NHTSA regularly updates a multiyear plan that explains the rationale for its near-term research and regulatory priorities; however, the plan does not communicate strategic considerations, such as how the safety challenges arising from the electronics-intensive vehicle may require new regulatory and research responses.

Finding 4.6: The Federal Aviation Administration's (FAA's) regulations for aircraft safety are comparable with the performance-oriented Federal Motor Vehicle Safety Standards in that the details of product design and development are left largely to the manufacturers; however, FAA exercises far greater oversight of the verification and validation of designs and their implementation.

Finding 4.7: The U.S. Food and Drug Administration's (FDA's) and NHTSA's safety oversight processes are comparable in that they combine safety performance requirements as a condition for approval with postmarketing monitoring to detect and remedy product safety deficiencies occurring in the field. FDA has established a voluntary network of clinicians and hospitals known as MedSun to provide a two-way channel of communication to support surveillance and more in-depth investigations of the safety performance of medical devices.

NHTSA Initiatives on Unintended Acceleration

Finding 5.1: NHTSA has investigated driver complaints of vehicles exhibiting various forms of unintended acceleration for decades, the most serious involving high engine power indicative of a large throttle opening.

Finding 5.2: NHTSA has most often attributed the occurrence of unintended acceleration indicative of a large throttle opening to pedal-related issues, including the driver accidentally pressing the accelerator pedal instead of the brake pedal, floor mats and other obstructions that entrap the accelerator pedal in a depressed position, and sticking accelerator pedals.

Finding 5.3: NHTSA's rationale for attributing certain unintended acceleration events to pedal misapplication is valid, but such determinations should not preclude further consideration of possible vehicle-related factors contributing to the pedal misapplication.

Finding 5.4: Not all complaints of unintended acceleration have the signature characteristics of pedal misapplication; in particular, when severe brake damage is confirmed or the loss of braking effectiveness occurs more gradually after a prolonged effort by the driver to control the vehicle's speed, pedal misapplication is improbable, and NHTSA reported that it treats these cases differently.

Finding 5.5: NHTSA's decision to close its investigation of Toyota's electronic throttle control system (ETC) as a possible cause of high-power unintended acceleration is justified on the basis of the agency's initial defect investigations, which were confirmed by its follow-up analyses of thousands of consumer complaints, in-depth examinations of EDRs in vehicles suspected to have crashed as a result of unintended acceleration, and the examination of the Toyota ETC by the National Aeronautics and Space Administration.

Finding 5.6: The Vehicle Owner's Questionnaire consumer complaint data appear to have been sufficient for ODI analysts and investigators to detect an increase in high-power unintended acceleration behaviors in Toyota vehicles, to distinguish these behaviors from those commonly attributed to pedal misapplication, and to aid investigators in identifying pedal entrapment by floor mats as the likely cause.

Finding 5.7: ODI's investigation of unintended acceleration in Toyota vehicles indicated how data saved in EDRs can be retrieved from vehicles involved in crashes to supplement and assess other information, including circumstantial evidence, in determining causal and contributing factors.

UNINTENDED ACCELERATION AND ELECTRONIC THROTTLE CONTROL

NHTSA has investigated complaints of vehicles exhibiting unintended acceleration for decades. These complaints have encompassed a wide range of reported vehicle behaviors, the most serious involving high engine power indicative of a large throttle opening (see Finding 5.1). NHTSA has often—and most recently in investigating Toyota vehicles—concluded that these occurrences were the result of the driver accidentally pressing the accelerator pedal instead of the brake; floor mats and other obstructions that entrap the accelerator pedal; and damaged or malfunctioning mechanical components such as broken throttles, frayed and trapped connector cables, and sticking accelerator pedal assemblies (see Finding 5.2).

During the past decade, many of the mechanical links between the pedal and the throttle have been eliminated by electronic throttle control systems (ETCs), which were introduced for a number of reasons, including the desire for more flexible and precise control of air to the engine for improved emissions, fuel economy, and drivability. Typically, these systems use duplicate sensors to determine the position of the pedal and additional sensors to monitor the throttle opening. Electrical signals
are transmitted by wire from the sensors to the computer in the engine control module, which in turn commands the throttle actuator and engine torque. These electronics systems have therefore reduced the number of mechanical components that can break or malfunction, while introducing the possibility of faulty electronics hardware and software. Of course, ETCs have not done away with the foot pedal as the driver interface, meaning that pedal-related conditions such as entrapment, sticking, and driver misapplication can continue to be a source of unintended acceleration.

Because pedal-related problems have been a recognized source of unintended acceleration for decades, they are the immediate suspect in any reported event. Key in assessing the pedal's role is determination of the sequence of brake application and its effectiveness. In all vehicles that it has examined—with and without ETCs—NHTSA has found no means by which the throttle control system can disable a vehicle's brakes. The agency, therefore, cannot explain how the application of previously working brakes, as asserted by some drivers, would fail to overcome engine torque and halt acceleration commencing in a vehicle that had been stationary or moving slowly. Absent physical evidence of damaged or malfunctioning brakes, NHTSA has long concluded that complaints of unintended acceleration involving reports of unexplainable loss of braking result from pedal misapplication and do not warrant examination for other causes. The committee finds this rationale to remain valid and relevant for NHTSA's allocation of its investigative resources, but with the caveat that it should not preclude further consideration of vehicle-related factors that can prompt or contribute to pedal misapplication (see Finding 5.3).

Not all complaints of unintended acceleration have the signature characteristics of pedal misapplication.
When severe brake damage is confirmed or the loss of braking effectiveness occurs more gradually through overheating and vacuum loss following a prolonged effort by the driver to control the vehicle's speed, pedal misapplication is improbable, and as a result NHTSA reports that it treats these cases differently (see Finding 5.4). In its investigations of such cases, NHTSA has usually concluded that the acceleration was caused by faulty mechanical components in the throttle control system or by the accelerator pedal becoming stuck or entrapped, often by a floor mat. Having produced evidence of these latter causal mechanisms—and finding no physical evidence of other problems, including errant electronics—NHTSA initially decided against
undertaking more in-depth investigations of possible faults in the ETCs of Toyota vehicles that had been recalled during 2009 and 2010. Faced with persistent questions about the basis for this decision, in early 2010 NHTSA commissioned this study and another by a team of engineering and safety specialists from the National Aeronautics and Space Administration (NASA). The charge of the NASA team was to investigate the potential for vulnerabilities in Toyota's ETC to cause reported cases of unintended acceleration. NASA's investigation was multiphased. After establishing the critical functions of the ETC, the NASA team examined how the electronics system is designed and implemented to guard against failures and to respond safely when failures do occur. Potential vulnerabilities in the system's design and its implementation were sought by identifying circumstances in which a failure could occur and go undetected so as to bypass system fail-safe responses. To assess whether an identified vulnerability had led to failures causing unintended acceleration, the team reviewed consumer complaints in a search for hallmarks of the failures and tested vehicles previously involved in instances of unintended acceleration.

On the basis of its vulnerability analysis, the NASA team identified two scenarios that it described as having at least a theoretical potential to produce unintended acceleration characteristic of a large throttle opening: (a) a systematic failure of software in the ETC's central processing unit that goes undetected by the supervisory processor and (b) two faults in the pedal position sensing system that mimic a valid acceleration command. NASA investigators used multiple tools to analyze software logic paths and to examine the programming code for paths that might lead to the first postulated scenario.
While the team acknowledged that no practical amount of testing and analysis can guarantee that software will be free of faults, it reported that extensive analytic efforts uncovered no evidence of problems. To examine the second postulated scenario, the team tested numerous potential software and hardware fault modes by using bench-top simulators and by testing vehicles involved in reported cases of unintended acceleration, including tests for electromagnetic interference. The testing did not produce acceleration indicative of a large throttle opening. The team also examined records from consumer complaints involving unusual accelerator pedal responses. In so doing it recovered a pedal assembly that contained a low-resistance path, which was determined to have been caused by an electrically conductive crystalline structure (a "tin whisker") that had formed between signal outputs from the pedal position sensors.

Consideration was given to whether low-resistance paths in the pedal position sensing system could have produced unintended acceleration indicative of a large throttle opening. The NASA team concluded that if a single low-resistance path were to exist between the pedal sensor outputs, the system could be vulnerable to unintended acceleration if accompanied by a second specific fault condition. The team noted, however, that to create such a vulnerability the two sensor faults would need to escape detection by meeting restrictive criteria consisting of a specific resistance range as needed to create an exact circuit configuration in a correct time phase. In this case, the fault condition would not log a diagnostic trouble code; otherwise, the faults would be detected and trigger a fail-safe response such as reduced engine power. To gain a better understanding of the probability of the dual-fault conditions occurring, the NASA team examined warranty repair data and consumer complaints of high-power unintended acceleration. The team posited that for every instance in which two undetected faults had produced unintended acceleration, numerous pedal repairs associated with detected sensor faults could be expected because single faults that leave error codes are likely to occur much more often than two faults escaping detection. In reviewing warranty repair data, the NASA team found no evidence to this effect and thus concluded that this postulated failure pathway represented an implausible explanation for the high-power unintended acceleration reported in consumer complaints.

Not having produced evidence of a safety-related defect in Toyota's ETC, NHTSA elected to close its investigation into this system as a suspect cause of reported cases of high-power unintended acceleration and stood by its earlier conclusions attributing these events to pedal misapplication, entrapment, and sticking. The committee finds NHTSA's decision to close its investigation justified on the basis of the agency's initial defect investigations, which were corroborated by its follow-up analyses of thousands of consumer complaints, examinations of event data recorders (EDRs) in vehicles suspected to have crashed because of unintended acceleration, and the results of NASA's study (see Finding 5.5).
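To make the detection criteria in the dual-fault scenario concrete, the following is an added example; it is not code from this report, from NASA, from NHTSA, or from any manufacturer's ETC. It models a hypothetical two-sensor pedal plausibility monitor of the kind implied by Finding 3.1(b): the engine control module compares the two pedal position sensor outputs every cycle, expects them to differ by a fixed offset, and when the pair is implausible logs a diagnostic trouble code and caps engine power. A single low-resistance path that collapses the offset is caught and leaves a code; a pair of faults that happens to hold both lines inside the plausibility window at a large-opening value passes as a valid command and leaves nothing behind. The voltage ranges, offset, tolerance, debounce count, power cap, and trouble-code label are all assumptions made for the illustration.

```python
"""Hypothetical two-sensor accelerator pedal plausibility monitor.

Added example, not code from the report, NASA, NHTSA or any manufacturer.
It assumes a generic electronic throttle control design: two pedal position
sensors (APP1, APP2) whose outputs track each other with a fixed voltage
offset, a control module that checks the pair every cycle, and a fail-safe
that logs a diagnostic trouble code (DTC) and limits engine power when the
check fails. Every constant below is an assumption chosen for illustration.
"""
from dataclasses import dataclass, field

V_MIN, V_MAX = 0.5, 4.5      # assumed APP1 range: idle .. full pedal (volts)
OFFSET = 0.8                 # assumed nominal APP2 - APP1 difference
TOLERANCE = 0.15             # assumed plausibility window on that difference
DEBOUNCE = 3                 # assumed consecutive bad cycles before a DTC
LIMP_HOME_LIMIT = 0.15       # assumed throttle cap once the fail-safe fires
DTC = "APP_CORRELATION"      # illustrative label, not a real OBD-II code


def pedal_fraction(app1: float) -> float:
    """Map the APP1 voltage to a 0..1 pedal demand, clamped to the valid range."""
    return min(max((app1 - V_MIN) / (V_MAX - V_MIN), 0.0), 1.0)


@dataclass
class PedalMonitor:
    dtcs: list = field(default_factory=list)
    limp_home: bool = False
    bad_cycles: int = 0

    def plausible(self, app1: float, app2: float) -> bool:
        """Both signals inside their ranges and their difference inside the window."""
        in_range = (V_MIN <= app1 <= V_MAX
                    and V_MIN + OFFSET <= app2 <= V_MAX + OFFSET)
        return in_range and abs((app2 - app1) - OFFSET) <= TOLERANCE

    def step(self, app1: float, app2: float) -> float:
        """One control cycle; returns the throttle demand (0..1) passed on."""
        if self.plausible(app1, app2):
            self.bad_cycles = 0
        else:
            self.bad_cycles += 1
            if self.bad_cycles >= DEBOUNCE and not self.limp_home:
                self.dtcs.append(DTC)   # detected: leaves a trace a repair would find
                self.limp_home = True   # containment: reduced engine power
        demand = pedal_fraction(app1)
        return min(demand, LIMP_HOME_LIMIT) if self.limp_home else demand


def run(samples):
    """Feed a sequence of (APP1, APP2) readings through a fresh monitor."""
    mon = PedalMonitor()
    throttle = [mon.step(a, b) for a, b in samples]
    return throttle, mon


# Constructed scenarios (not measured data), five control cycles each.
# 1. Healthy pedal at idle: APP2 tracks APP1 with the nominal offset.
NOMINAL_IDLE = [(0.5, 1.3)] * 5
# 2. Single fault: a low-resistance path ties APP2 to APP1, so the offset
#    collapses. The pair is implausible and the fail-safe fires.
SINGLE_BRIDGE = [(0.5, 0.5)] * 5
# 3. Single fault on one line only: APP1 pulled high while APP2 stays at idle.
#    Unsafe for the debounce interval, then capped by the fail-safe.
SINGLE_HIGH = [(4.5, 1.3)] * 5
# 4. Two coincident faults that hold both lines at values with the correct
#    offset, i.e. a pair that mimics a valid large pedal demand.
DOUBLE_MIMIC = [(4.3, 5.1)] * 5


def detected(samples) -> bool:
    """True when the scenario leaves a DTC, i.e. the fault is observable."""
    _, mon = run(samples)
    return bool(mon.dtcs)


def final_throttle(samples) -> float:
    """Throttle demand on the last cycle of the scenario."""
    throttle, _ = run(samples)
    return throttle[-1]


if __name__ == "__main__":
    for name, s in [("nominal idle", NOMINAL_IDLE), ("single bridge", SINGLE_BRIDGE),
                    ("single high", SINGLE_HIGH), ("double mimic", DOUBLE_MIMIC)]:
        print(f"{name:14s} detected={detected(s)!s:5s} throttle={final_throttle(s):.2f}")
```

Running the block prints one line per scenario. Both single faults leave a code, which is the kind of trace the NASA team went looking for in warranty repair data; the coordinated double fault is the only case that produces a large throttle demand without a code, and only because both lines sit inside the window at the same time. The debounce also shows a design trade-off: the single-line-high fault passes full demand for two cycles before the cap applies, so the window, the debounce count, and the cap all have to be chosen together.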
Nevertheless, it is troubling that the concerns associated with unintended acceleration evolved into questions about electronics safety that NHTSA could not answer convincingly, necessitating a request for extensive technical assistance from NASA. Relative to the newer electronics systems being developed, ETCs are simple and mature technologies. As more complex and interacting electronics systems are deployed, the prospect that vehicle electronics will be suspected and possibly implicated in unsafe vehicle behaviors increases. The recommendations offered in this report presume that NHTSA will need the capacity to detect defects in these complex systems, assess their potential causes and proposed remedies with confidence, and make prudent decisions about when to seek the technical assistance of outside experts such as NASA.

CHALLENGE OF ELECTRONICS SAFETY ASSURANCE

Electronics are central to the basic functionality of modern automobiles (see Finding 2.1). They provide many new and enhanced vehicle capabilities that confer significant benefits on motorists, including safety benefits. Electronics systems in vehicles are increasingly connected to one another and to devices and networks external to the vehicle. The growing interconnectivity and resulting complexity create opportunities to improve safety, fuel economy, emissions, and other vehicle performance characteristics and lead to new demands for ensuring the safe performance of these systems (see Findings 2.2 and 2.3). Many existing and planned electronics applications, for both vehicle control and active safety capabilities, depend on real-time coordination among various systems and subsystems. Coordination demands more software functionality and more interactions among features in one or more electronic control units. Growing design complexity could increase the chances of design flaws escaping manufacturer safety assurance.
In the more distant future, features such as vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications will likely require further increases in software complexity, new sensor technologies and other hardware that will require dependability assessments, and the deployment of additional technologies such as wireless connections that could increase vehicle susceptibility to cyberattack.

Exploiting these many technological advancements to bring about more reliable and capable vehicles, provide more effective crash protection systems, and enable a wide range of crash-avoidance systems is in the shared interest of motorists, the automotive industry, and NHTSA. Nevertheless, the manufacturer has the initial and primary responsibility for ensuring that these and other electronics systems in the vehicle work as intended, do not interfere with the safe performance of other systems, and can be used in a safe manner by the driver.

While the specifics of automotive development differ among manufacturers, those visited by the committee described a series of processes carried out during product design, engineering, and fabrication to ensure that products perform as intended up to defined failure probabilities (see Finding 3.1). As a backup for the occurrence of failures, manufacturers reported having established failure monitoring and diagnostics systems. These systems are designed to implement predefined strategies to minimize harm when a failure is detected. For example, the driver may be notified through a dashboard light, the failed system may be shut off if it is nonessential, or engine power may be reduced to avoid stranding the motorist and to enable the vehicle to "limp home" for repair. The integrity of hardware and fail-safe applications is validated through testing and analysis (see Finding 3.2). While software programs are also tested for coding errors, manufacturers reported emphasizing sound software development processes. They recognize that even the most exhaustive testing and the strictest adherence to software development prescriptions cannot guarantee that interacting and complex software will behave safely under all plausible circumstances. In addition, all manufacturers reported having experts in human factors engaged early in the design of their new electronics systems and throughout the later stages of product development and evaluation (see Finding 3.3).
The committee cannot know whether all automotive manufacturers follow the safety assurance practices described as robust by the original equipment manufacturers (OEMs) visited and whether all execute them with comparable diligence and consistency. However, the committee found that despite proprietary and competitive constraints, many automotive manufacturers are working with standards organizations to further their safety assurance practices out of recognition that electronics systems are creating new challenges for safe and secure product design, development, and performance (see Finding 3.4). Most prominent among these efforts is the consensus standard expected to be released in early 2012 by the International Organization for Standardization (ISO), ISO 26262, for the functional safety of automotive electronics systems.
This standard will provide OEMs and their suppliers with guidance on establishing safety requirements for their electronics systems, performing hazard and risk assessments on them, tailoring appropriate safety assurance processes during system development and production, and carrying out functional safety audits and confirmation reviews.

Implications for NHTSA's Oversight and Engagement with Industry

In light of the increasing use and complexity of electronics systems for vehicle control functions, the question arises as to whether NHTSA should oversee and otherwise exert more influence over the safety assurance processes followed by industry during product design, development, and manufacturing. For NHTSA to engage in comprehensive regulatory oversight of manufacturer assurance plans and processes, as occurs in the aviation sector, would represent a fundamental change in the agency's regulatory approach that would require substantial justification and resources (see Finding 4.6). The introduction of increasingly autonomous vehicles, as envisioned in some concepts of the electronics-intensive automobile, might one day cause the agency to consider taking a more hands-on regulatory approach with elements similar to those found in the aviation sector. At the moment, such a profound change in the way NHTSA regulates automotive safety does not appear to be a near-term prospect. A more foreseeable change is the automotive industry's use of the aforementioned ISO 26262. Although release of the final standard is pending, many manufacturers appear to be committed to following its guidance in whole or in large part. Without necessarily endorsing or requiring adherence to the standard, NHTSA nevertheless has a keen interest in supporting the standard's ability to produce the desired safety results for those manufacturers who do subscribe to it.
As these manufacturers reassess and adjust their safety assurance processes in response to the standard's guidance, some may need more information and analyses—including knowledge in areas such as cybersecurity, human factors, the electromagnetic environment, and multifault detection and diagnosis. In collaboration with industry, NHTSA may be able to help meet these research and analysis needs and in so doing enable agency technical personnel to become even more familiar with industry safety assurance methods, issues, and challenges.

Accordingly, the committee recommends that NHTSA become more familiar with and engaged in standard-setting and other efforts involving industry that are aimed at strengthening the means by which manufacturers ensure the safe performance of their automotive electronics systems (Recommendation 1). In the committee's view, such cooperative efforts represent an opportunity for NHTSA to gain a stronger understanding of how manufacturers seek to prevent safety problems through measures taken during product design, development, and fabrication. By engaging in these efforts, the agency will be better able to influence industry safety assurance and recognize where it can contribute most effectively to strengthening such preventive measures. Several candidate topics for collaborative research and analysis are identified in this report and summarized in Box S-2.

Exploration of other means by which NHTSA can interact with industry in furthering electronics safety assurance will also be important. Exploiting a range of opportunities will be critical in the committee's view, since it is unrealistic to expect NHTSA to hire and maintain personnel having all of the specialized technical expertise and design knowledge relevant to the growing field of automotive electronics. As a starting point for obtaining access to this expertise, the committee recommends that NHTSA convene a standing technical advisory panel comprising individuals with backgrounds in the disciplines central to the design, development, and safety assurance of automotive electronics systems, including software and systems engineering, human factors, and electronics hardware. The panel should be consulted on relevant technical matters that arise with respect to all of the agency's vehicle safety programs, including regulatory reviews, defect investigation processes, and research needs assessments (Recommendation 2).

Implications for Defect Surveillance and Investigation

NHTSA does not prescribe how manufacturers design, develop, or manufacture vehicle systems.
Hence, responsibility for minimizing the occur- rence of safety defects resides primarily with automotive manufacturers and their safety assurance processes (see Finding 4.2). NHTSAâs main role in this regard is to spot and investigate safety deficiencies that escape these processes and to prompt manufacturers to correct them quickly and effectively. This postmarket surveillance and investigative capability has always been an important function for NHTSA and has resulted in many safety recalls. Electronics systems are replacing many mechanical and hydraulic systems and are being used to manage and control many new vehicle
14 || The Safety Promise and Challenge of Automotive Electronics Box S-2 candidate research and Analysis To Inform Industry Safety Assurance Processes â¢ Review state-of-the-art methods used within and outside the automotive industry for detecting, diagnosing, isolating, and responding to failures that may arise from multiple, intermittent, and timing faults in safety-critical vehicle electronics systems. â¢ Survey and identify the sources, characteristics, and probabil- ity of occurrence of electromagnetic environments produced by other vehicles, on-board consumer devices, and other elec- tromagnetic sources in the vicinity of the roadway. â¢ Explore the feasibility and utility of a remote or in-vehicle sys- tem that continually logs the subsystem states, network traffic, and interactions of the vehicle and its electronics systems and is capable of saving relevant data for querying in response to unexpected vehicle behaviors. â¢ Examine security vulnerabilities arising from the increase in remote access to and interconnectivity of electronics systems that can compromise safety-critical vehicle capabilities such as braking, exterior lighting, speed control, and steering. â¢ Examine the implications of electronics systems for the means by which automotive manufacturers are complying with the intent of the Federal Motor Vehicle Safety Standards, how changes in technology could both aid and complicate compliance with the regulations, and how the regulations themselves are likely to affect technological innovation. â¢ Assess driver response to nontraditional controls enabled by electronic interfaces, such as push-button ignition design sys- tems, and the degree to which differences among vehicles may confuse and delay responses in time-pressured and emergency situations.
Summary || 15 Box S-2 (continued) Candidate Research and Analysis â¢ Examine driver interaction with the vehicle as a mixed initiative system using simulator and naturalistic driving studies to assess when designersâ assumptions of driversâ responses diverge from driversâ expectations of system operation. â¢ Collaborate with the automotive industry in developing effec- tive methods for communicating the operational status of vehi- cle electronics to the driver. To Support odI Functions and capabilities â¢ Examine modifications to the Vehicle Ownerâs Questionnaire that can make it more useful to ODI analysts and investigators by facilitating the ability of consumers to convey the vehicle conditions and behaviors they experience more precisely and by making the information more amenable to quantitative evaluation. â¢ Examine a cross section of safety-related recalls whose cause was attributed to deficiencies in electronics or software and identify how the defects escaped verification and safety assur- ance processes. â¢ Investigate ways to obtain more timely and detailed Early Warning Reportingâtype data for defect surveillance and investigationâfor example, by examining opportunities for voluntary data collection relationships and networks with automotive dealers. â¢ Examine how the data from consumer complaints of unsafe experiences in the field can be mined electronically and how the complaints might offer insight into safety issues that arise from humanâsystems interactions. See Chapter 6 for details on the research topics.
functions. NHTSA's Office of Defects Investigation (ODI) can therefore anticipate that an increasing share of its time and resources will be devoted to recognizing and investigating potential defects involving electronics systems and to assessing the corrective actions proposed by manufacturers for recalls involving software reprogramming and other fixes to the hardware of electronics systems. Whether the proliferation of electronics systems will add substantially to the complexity and technical requirements of ODI's surveillance and investigative activities remains to be seen. The committee believes that it will.

One reason for this belief is that failures associated with electronics systems (including those related to software programming, dual and intermittent electronics hardware faults, and electromagnetic disturbances) may not leave physical evidence to aid investigations into observed or reported unsafe vehicle behaviors. Similarly, many errors by drivers using or responding to new electronics systems may not leave a physical trace. The absence of physical evidence, as illuminated by the controversy surrounding unintended acceleration, has complicated past investigations of incident causes and thus may become even more problematic for ODI as the number, functionality, and complexity of electronics systems grow. Another important reason for the committee's concern is that electronics systems are networked and interconnected with one another and with electronic devices external to the vehicle, and a growing number of the interconnected electronics systems have nonsafety purposes and may not be held to the same expectations for safety and security assurance. These complex systems will introduce new architectures and may couple and interact in unexpected ways.

Anticipating and recognizing the potentially unsafe behaviors of these systems likely will present a challenge not only for automotive manufacturers during product design and development but also for ODI in spotting such behaviors in the fleet and working with OEMs to assess their causes and possible corrections (see Finding 2.4).

To ensure that NHTSA's defect surveillance and investigation capabilities are prepared for the changing safety challenges presented by the electronics-intensive automobile, the committee recommends that NHTSA undertake a comprehensive review of the capabilities that ODI will need in monitoring for and investigating safety deficiencies in electronics-intensive vehicles. A regular channel of communication should be established between NHTSA's research program and ODI to ensure that (a) recurrent vehicle- and driver-related safety problems
observed in the field are the subjects of research and (b) research is committed to furthering ODI's surveillance and investigation capabilities, particularly the detail, timeliness, and analyzability of the consumer complaint and early warning data central to these capabilities (Recommendation 3). Candidate research topics to inform and support ODI's functions and capabilities are identified in Box S-2.

Reaction to NHTSA's Proposed Next Steps

In its Research and Rulemaking Priority Plan for 2011-2013, NHTSA has identified a number of rulemaking and research initiatives that appear to have been influenced by the recent experience with unintended acceleration. They include plans to (a) initiate a rulemaking that would mandate the installation of EDRs on all light-duty vehicles and a proposal to consider future enhancements of EDR capabilities, (b) change the standard governing keyless ignitions to ensure that drivers are able to turn off the engine in the event of an on-road emergency, and (c) undertake pedal-related research that would examine pedal placement and spacing practices to reduce the occurrence of pedal entrapment and misapplication.

The committee cannot know where these initiatives should rank among all of NHTSA's research and rulemaking priorities. Nevertheless, the committee concurs with NHTSA's intent to ensure that EDRs be commonplace in all new vehicles and recommends that the agency pursue this outcome, recognizing that the utility of more extensive and capable EDRs will depend in large part on the extent to which the stored data can be retrieved for safety investigations (Recommendation 4). NHTSA's stated plan is to consider "future enhancements" to EDRs, which is particularly intriguing for the following two reasons. First, failures in electronics systems, including those related to software programming, intermittent electrical faults, and electromagnetic disturbances, may not leave physical traces to aid investigations into the causes. Second, mistakes by drivers also may not leave a physical trace, even if these errors result in part from vehicle-related factors such as startling vehicle noises or unexpected or unfamiliar vehicle behaviors. The absence of such physical evidence has hindered investigations of the role of the electronic throttle control (ETC) in unintended acceleration and may become even more problematic as the number and complexity of automotive electronics systems grow. Advanced data recording systems may help counter some of these problems if the data can be accessed by investigators (see Finding 5.7). In the committee's view, the technical feasibility and practicality of equipping vehicles with more advanced recording systems that can log a wider range of data warrant further study.

The committee also endorses NHTSA's stated plan to conduct research on pedal design and placement and keyless ignition design requirements but recommends that this research be a precursor to a broader human factors research initiative in collaboration with industry and that the research be aimed at informing manufacturers' system design decisions (Recommendation 5). Examples of research that could be pursued are given in Box S-2.

Strategic Outlook with Regard to Priorities

As vehicles become even more dependent on electronics systems for their critical functions, NHTSA's regulatory, research, and investigation programs will need to keep pace with changing safety demands placed on them. This report describes how NHTSA researchers are working with the automotive industry, universities, and other government agencies to examine future crash avoidance concepts such as vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications systems. Such systems will enable even greater vehicle autonomy and necessitate advancements in vehicle electronics and their capabilities that will go well beyond any systems now being deployed. In the same vein, changes in the division of responsibility between the driver and the vehicle will present new demands for and interpretations of NHTSA's Federal Motor Vehicle Safety Standards, heighten the need for safety assurance processes that instill high levels of public confidence in these systems, and place many new demands on ODI's surveillance and investigative activities.
While the technical, societal, and economic feasibility of V2V, V2I, and other intelligent transportation systems is not considered in this study, it is difficult to imagine NHTSA overseeing their safe introduction and use without adapting its regulatory, research, and investigative framework.

The committee was tempted to offer a series of specific recommendations on the capabilities and resources that NHTSA may need in each of these program areas. To offer such advice without knowing more about how the agency intends to proceed on a more strategic level would be presumptuous in the committee's view. For example, urging the agency to hire more electronics or system safety engineers or to invest in new specialized research and testing facilities would make little sense without knowing more about the specific functions they would perform. Nor can the committee know what other safety issues are demanding NHTSA's time, resources, and attention. These are broader, strategic issues that are outside the committee's charge.

The committee notes that NHTSA states its intention to develop such a strategic document for the period 2014-2020 in the introduction to its Priority Plan. Presumably, this strategic plan could provide a road map for NHTSA's decisions with regard to the safety assurance challenges arising from the electronics-intensive vehicle. From its discussions with NHTSA officials, however, the committee understands that this planning process has only just begun and its purpose has not been articulated. The committee believes that strategic planning is fundamental to sound decision making and thus recommends that NHTSA initiate a strategic planning effort that gives explicit consideration to the safety challenges resulting from vehicle electronics and that gives rise to an agenda for meeting them. The agenda should spell out the near- and longer-term changes that will be needed in the scope, direction, and capabilities of the agency's regulatory, research, and defect investigation programs (Recommendation 6).

Some of the key elements of successful strategic planning are outlined in this report. In the committee's view, it is vital that the planning be (a) prospective in considering the safety challenges arising from the electronics-intensive vehicle, (b) introspective in considering the implications of these challenges for NHTSA's vehicle safety role and programs, and (c) strategic in guiding critical decisions concerning matters such as the most appropriate agency regulatory approaches and associated research and resource requirements. The committee further recommends that NHTSA make development and completion of the strategic plan a top goal in its coming 3-year priority plan. NHTSA should communicate the purpose of the planning effort, define how it will be developed and implemented commensurate with advice in this report, and give a definite time frame for its completion. The plan should be made public so as to guide key policy decisions, from budgetary to legislative, that will determine the scope and direction of the agency's vehicle safety programs (Recommendation 7). All seven of the committee's recommendations are contained in Box S-3.
Box S-3 Recommendations to NHTSA

Recommendation 1: The committee recommends that NHTSA become more familiar with and engaged in standard-setting and other efforts involving industry that are aimed at strengthening the means by which manufacturers ensure the safe performance of their automotive electronics systems.

Recommendation 2: The committee recommends that NHTSA convene a standing technical advisory panel comprising individuals with backgrounds in the disciplines central to the design, development, and safety assurance of automotive electronics systems, including software and systems engineering, human factors, and electronics hardware. The panel should be consulted on relevant technical matters that arise with respect to all of the agency's vehicle safety programs, including regulatory reviews, defect investigation processes, and research needs assessments.

Recommendation 3: The committee recommends that NHTSA undertake a comprehensive review of the capabilities that ODI will need in monitoring for and investigating safety deficiencies in electronics-intensive vehicles. A regular channel of communication should be established between NHTSA's research program and ODI to ensure that (a) recurrent vehicle- and driver-related safety problems observed in the field are the subjects of research and (b) research is committed to furthering ODI's surveillance and investigation capabilities, particularly the detail, timeliness, and analyzability of the consumer complaint and early warning data central to these capabilities.

Recommendation 4: The committee concurs with NHTSA's intent to ensure that EDRs be commonplace in new vehicles and recommends that the agency pursue this outcome, recognizing that the utility of more extensive and capable EDRs will depend in large part on the extent to which the stored data can be retrieved for safety investigations.

Recommendation 5: The committee endorses NHTSA's stated plan to conduct research on pedal design and placement and keyless ignition design requirements but recommends that this research be a precursor to a broader human factors research initiative in collaboration with industry and that the research be aimed at informing manufacturers' system design decisions.

Recommendation 6: The committee recommends that NHTSA initiate a strategic planning effort that gives explicit consideration to the safety challenges resulting from vehicle electronics and that gives rise to an agenda for meeting them. The agenda should spell out the near- and longer-term changes that will be needed in the scope, direction, and capabilities of the agency's regulatory, research, and defect investigation programs.

Recommendation 7: The committee recommends that NHTSA make development and completion of the strategic plan a top goal in its coming 3-year priority plan. NHTSA should communicate the purpose of the planning effort, define how it will be developed and implemented commensurate with advice in this report, and give a definite time frame for its completion. The plan should be made public so as to guide key policy decisions, from budgetary to legislative, that will determine the scope and direction of the agency's vehicle safety programs.