The Safety Promise and Challenge of Automotive Electronics

4 National Highway Traffic Safety Administration Vehicle Safety Programs

In April 2011, the National Highway Traffic Safety Administration (NHTSA) reported that 32,788 people were killed during 2010 on U.S. roads in crashes, of which about 80 percent involved passenger cars and light trucks.[1] As in previous years, a number of risky driver behaviors and actions, such as alcohol use, inattention, fatigue, and speeding, were among the major causal factors.[2] Yet the 2010 data were widely acclaimed as providing further statistical evidence of a generally positive trend in traffic safety. About 18,000 fewer people died in motor vehicle crashes in 2010 than in 1980, even as vehicle travel almost doubled.[3] This substantial improvement resulted from a combination of factors, such as better design and control of highways, stricter laws governing seat belt use and penalizing drunk driving, and more responsive and protective motor vehicles. The automotive industry deserves credit for responding to consumer and NHTSA demands to make vehicles inherently safer through innovations in automotive designs, materials, and engineering, including advancements in vehicle electronics.

However, safer vehicles are widely recognized as providing only part of the solution to making driving safer. Since 1995, the number of people who have died on U.S. roadways has declined by about 20 percent. This decline is impressive, but during the same period traffic fatalities declined by 40 percent in the United Kingdom and by more than 50 percent in France and 15 other high-income countries for which long-term traffic safety data are available (TRB 2011). In all of these countries, policy makers have emphasized changing high-risk driver behaviors, particularly speeding, drunk driving, and lax seat belt use, by means of stringent laws, intensive public communication and education, and a commitment to traffic enforcement. Although NHTSA does not license drivers, design roads, or set and enforce traffic laws, the agency shares responsibility with the Federal Highway Administration for providing funding aid and technical assistance to state and local governments having these responsibilities.

In collecting and analyzing the nation's traffic safety data, NHTSA has long reported that driver behavior and performance are the most significant factors in crashes. The most recent results of agency crash causation studies are summarized in Table 4-1. They indicate that crashes in which the driver was the proximate cause far outnumber those in which vehicle defects or roadway deficiencies were the most critical factors (NHTSA 2008). Thus, one of the challenges before NHTSA's Office of Vehicle Safety is to ensure that vehicles retain their high levels of safety performance while finding ways to make vehicles more effective in countering many of the unsafe driver behaviors. The focus of this report is on automotive electronics. However, as indicated by these crash causation data, NHTSA faces many safety-related challenges (and accompanying demands on its resources) in addition to those associated with overseeing the safe performance of automotive electronics.

[1] http://www-nrd.nhtsa.dot.gov/Pubs/811451.pdf.
[2] http://www-fars.nhtsa.dot.gov/People/PeopleDrivers.aspx.
[3] http://www.nhtsa.gov/PR/NHTSA-05-11.
The committee was asked to advise NHTSA on how the regulatory, research, and defect investigation activities carried out by the Office of Vehicle Safety can be improved to meet the safety assurance demands of the increasingly electronics-intensive automobile. This chapter describes the key responsibilities and capabilities of the office. The committee was not asked to examine all responsibilities of the office, and it is not in a position to advise on the priority that should be given to such improvements relative to other program interests and associated resource demands. Nevertheless, it became evident to the committee that the Office of Vehicle Safety is highly optimistic that vehicle electronics will play an important role in mitigating risky driver behaviors. In this regard, the office's interest in promoting the introduction of these electronics systems is intertwined with its interest in ensuring that they and all other electronics systems in the vehicle perform their functions safely and reliably.

The next section starts with an overview of the Office of Vehicle Safety and then reviews its regulatory, research, and defect investigation programs in greater depth, with emphasis on the applicability of these programs to ensuring safe vehicle electronics. Consideration is then given to how NHTSA's oversight of vehicle electronics safety through its regulatory, research, and defect investigation programs compares with aspects of federal oversight of the design and manufacture of aircraft and medical devices.

TABLE 4-1 Critical Precrash Event Attributed to Vehicles, Drivers, and Roadway and Atmospheric Conditions

Columns: number of crashes in sample (unweighted), number of crashes (nationally weighted), and weighted percentage within category.

Key Reasons for Critical Precrash Event Attributed to Vehicles
  Tires failed or degraded; wheels failed                      56      19,320     43.3
  Brakes failed or degraded                                    39      11,144     25.0
  Other vehicle failure or deficiency                          17       9,298     20.8
  Steering, suspension, transmission, or engine failed         16       4,669     10.5
  Unknown                                                       2         212      0.5
  Total in category                                           130      44,643    100

Key Reasons for Critical Precrash Event Attributed to Drivers
  Recognition error (e.g., distraction, inattention)        2,094     828,308     40.6
  Decision error (e.g., too fast, illegal maneuver)         1,752     695,516     34.1
  Performance error (e.g., panic, overcompensation)           510     210,143     10.3
  Nonperformance error (sleep, medical problem)               369     145,844      7.1
  Other or unknown driver error                               371     162,132      7.9
  Total in category                                         5,096   2,041,943    100

Key Reasons for Critical Precrash Event Attributed to Roadway and Atmospheric Conditions
  Roadway
    Slick roads (e.g., ice, debris)                            58      26,350     49.6
    View obstructions                                          19       6,107     11.6
    Signs and signals                                           5       1,452      2.7
    Road design                                                 3         745      1.4
    Other highway-related condition                             9       5,190      9.8
    Subtotal                                                   94      39,844     75.2
  Atmospheric conditions
    Fog, rain, or snow                                         11       2,338      4.4
    Other weather-related condition                             6       2,147      4.0
    Glare                                                      24       8,709     16.4
    Subtotal                                                   41      13,194     24.8
  Total in category                                           135      53,038    100

Note: Sample of 5,471 crashes investigated from July 3, 2005, to December 31, 2007. The "critical reason" is the immediate reason for the critical precrash event and is often the last failure in the causal chain. Numbers may not add up to total because of independent rounding.
Source: NHTSA 2008, Tables 9(a), 9(b), and 9(c).

Vehicle Safety Program Overview

In 1966, the federal government took on a central role in promoting highway safety across the nation by enactment of both the National Traffic and Motor Vehicle Safety Act and the Highway Safety Act. Congress delegated responsibility for administering the provisions of these acts to the U.S. Department of Transportation (DOT), which was created in the same year. The first act established a federal role in prescribing minimum safety standards for motor vehicles, enforcing compliance, and monitoring the safety performance of vehicles on the road, and it included authority to order manufacturer recalls for noncompliance and for safety defects. The act also authorized a federal role in motor vehicle and highway safety research. The second act established a federal program for granting funds to states for the development of highway safety programs, including those intended to affect driver behavior.

Since its creation within the U.S. DOT in 1970, NHTSA has held the responsibilities for promulgating and enforcing the Federal Motor Vehicle Safety Standards (FMVSSs) and for the monitoring and remediation of vehicle safety defects. Along with the Federal Highway Administration, NHTSA has responsibility for administering the state highway safety grants program and for carrying out research to support these activities. Administrative responsibility for the motor vehicle safety regulatory program and the state highway safety grant program is divided within NHTSA offices.
The focus of this study is on the activities of the Office of Vehicle Safety, which has responsibility for the former program. That program includes development and enforcement of the FMVSSs and the conduct of vehicle safety research (as opposed to research in support of highway safety programs such as driver education and traffic enforcement).

An organization chart for the Office of Vehicle Safety is shown in Figure 4-1. The rulemaking division is responsible for development of the safety-related FMVSSs, as well as other activities such as the nonregulatory New Car Assessment Program (NCAP)[4] and the setting of corporate average fuel economy standards. The enforcement division includes the Office of Defects Investigation (ODI), which monitors for and investigates safety defects in the fleet, and the regulatory compliance program, which randomly tests vehicles in the marketplace for adherence to particular FMVSSs. The research division undertakes studies to inform and provide the basis for new safety regulations, including research on vehicle crashworthiness, human-vehicle performance, and advanced crash avoidance technologies. Each of these three major programs is discussed below. Particular consideration is given to how they contribute to NHTSA's oversight and understanding of the safety opportunities and challenges arising from vehicle electronics. The other major division of the Office of Vehicle Safety, the National Center for Statistics and Analysis (NCSA), provides NHTSA with the information necessary for understanding the nature and causes of traffic crashes nationally and for assessing agency regulatory activities. NCSA's activities, which include development of the National Motor Vehicle Crash Causation Survey (NMVCCS), are described in Box 4-1 but are not reviewed further in this chapter.

FIGURE 4-1 Organization chart, NHTSA's Office of Vehicle Safety (NDR = National Driver Register).

[4] In 1979, NHTSA created the NCAP to improve occupant safety by development of timely comparative safety information that encourages manufacturers to improve the safety of their vehicles voluntarily. Since that time, the agency has added rating programs and offered information to consumers via the website www.safercar.gov. The program is not regulatory but seeks to influence manufacturers to build vehicles that consistently achieve high ratings.

Rulemaking

The FMVSSs are grouped into three main categories prescribing minimum vehicle capabilities for crash avoidance, crashworthiness, and postcrash integrity. The FMVSSs most pertinent to electronic vehicle control systems are the crash avoidance standards, since they cover vehicle capabilities and features such as braking, controls, and displays. The FMVSSs covering crash avoidance are given in Table 4-2. These regulations, like all the FMVSSs, are written in terms of minimum safety performance requirements. Thus, the FMVSSs are intended to be design and technology neutral, in recognition that automotive technologies change over time and vary across manufacturers. The emphasis on prescribing performance, as opposed to specifying designs and interfaces, also has the advantage of making the FMVSSs more durable. This attribute can be especially important in view of the difficulty of amending federal regulations. The promulgation of the FMVSSs, like all federal regulations, is governed by federal rulemaking cost-effectiveness and procedural requirements[5] and by NHTSA's own statutory requirements that rules be practicable, meet a specific need for motor vehicle safety, and be stated in objective terms. Under these circumstances, the need to make frequent revisions to standards to accommodate changes in technology could inhibit innovation and prove difficult to administer. FMVSS 124 offers an example of how and why the FMVSSs are performance oriented.
The standard states that a vehicle's throttle must be capable of returning to the idle position when the driver removes the actuating force from the accelerator control mechanism and when there is a disconnection between this control mechanism and the throttle. The standard does not define how the connection should be made or how the capability to return to idle should be established. When the standard was promulgated 40 years ago, the connections were mechanical and included springs on the throttle plate to return it to idle.

[5] The Administrative Procedure Act and executive orders governing cost-effectiveness assessment.

Box 4-1 Overview of NCSA

NCSA supports NHTSA rulemaking and research programs by monitoring the magnitude of the traffic safety problem; seeking to understand the factors that influence highway safety; performing crash investigations; and collecting and analyzing incident data, including crash reports from state and local authorities. Some of these data are intended to be comprehensive, such as the Fatality Analysis Reporting System (FARS), and others are sample-based, such as the National Automotive Sampling System General Estimates System (NASS GES), the NASS Crashworthiness Data System (NASS CDS), and the more detailed Special Crash Investigations (SCI). FARS is a census of fatal crashes on public roads and contains information about various crash characteristics as obtained from police reports and augmented by examination of additional driver record and vehicle information. NASS GES has information for a stratified sample of police-reported crashes, allowing the agency to describe the general characteristics and incidence of motor vehicle crashes in the United States. NASS CDS also contains data on a stratified random sample of police-reported crashes. However, the number of cases is much smaller, and the police-reported data are augmented by in-depth investigations that attempt to reconstruct the critical factors leading to the presence or absence of injuries in the crash. SCI cases, like NASS CDS cases, include more in-depth investigations of the crashes but are selected not through a random sample but to help the agency develop scientific understanding of new or interesting vehicle technologies or high-profile crashes. For example, rarely occurring events like unintended acceleration are not adequately represented in standard databases. NCSA may conduct special investigations of episodes or crashes linked with such factors (as it has for unintended acceleration; see the discussion in Chapter 5).

NCSA also periodically performs special studies that can inform rulemaking and other NHTSA activities, such as the NMVCCS,[a] which is a nationally representative survey of crashes providing information on the contribution of precrash human factors, vehicle factors, and environmental factors related to crashes. In the most recent NMVCCS, investigators interviewed drivers and witnesses, visited the crash location to examine the physical evidence, and inspected the vehicle and extracted information from the event data recorder if one was available.

[a] http://www-nrd.nhtsa.dot.gov/Pubs/811059.PDF.

TABLE 4-2 FMVSSs for Crash Avoidance

Standard No.   Name
101            Controls and Displays
102            Transmission Shift Lever Sequence, Starter Interlock, and Transmission Braking Effect
103            Windshield Defrosting and Defogging Systems
104            Windshield Wiping and Washing Systems
105            Hydraulic and Electric Brake Systems
106            Brake Hoses
108            Lamps, Reflective Devices, and Associated Equipment
109            New Pneumatic Tires for Passenger Cars
110            Tire Selection and Rims for Passenger Cars
111            Rearview Mirrors
113            Hood Latch System
114            Theft Protection and Rollaway Prevention
116            Motor Vehicle Brake Fluids
117            Retreaded Pneumatic Tires
118            Power-Operated Window, Partition, and Roof Panel Systems
119            New Pneumatic Tires for Vehicles Other Than Passenger Cars
120            Tire Selection and Rims for Motor Vehicles Other Than Passenger Cars
121            Air Brake Systems
122            Motorcycle Brake Systems
123            Motorcycle Controls and Displays
124            Accelerator Control Systems
125            Warning Devices
129            New Non-Pneumatic Tires for Passenger Cars; New Temporary Spare Non-Pneumatic Tires for Use on Passenger Cars
131            School Bus Pedestrian Safety Devices
135            Light Vehicle Brake Systems

Box 4-2 Chronology of Major Activities for FMVSS 124, Accelerator Control Systems

Notice of Proposed Rulemaking (NPRM)
September 30, 1970, 35 Federal Register 15241
Proposed rule states that accelerator control systems and automatic speed control systems (ASCs) would be required to have at least two independent energy sources (such as springs), each capable of returning the engine to idle on release of the actuating force. One of those energy sources must be able to return the engine to idle in case of disconnection of any element of the system. A design requirement of ASCs would be their deliberate activation by the driver. ASCs must also be capable of automatic deactivation when the driver takes certain actions, such as pushing on the brake. In addition, ASCs must automatically deactivate once specified failure modes occur. Proposed effective date: October 1, 1972.

Final Rule
April 8, 1972, 37 Federal Register 7097
The final rule retains the proposed two independent energy sources. In the NPRM, the return to idle only had to occur when the actuating force was removed. In the final rule, in the case of a failure in the system, the engine must return to idle at the time of the failure (such as breakage) or removal of the actuating force. The final rule dropped coverage of ASCs because the agency could not find crashes caused by the ASC and manufacturers were found to be following Society of Automotive Engineers guidelines for those systems. On issuance of the final rule, NHTSA also issued an NPRM on the time required for the engine to return to idle.

NPRM
April 8, 1972, 37 Federal Register 7108
Proposal would add a ½-second limit in which the engine must return to idle once the actuating force is removed or a system failure occurs.

Response to Petitions for Reconsideration and Final Rule on Time Limit
September 23, 1972, 37 Federal Register 20033
Notice amends the standard to set a time limit for the system to return to idle. Under conditions of extreme cold (ambient air of 0°F or colder), the system is allowed 3 seconds to return to idle. At temperatures above 0°F, the maximum allowable return-to-idle time is reduced to 2 seconds for vehicles with a gross vehicle weight rating (GVWR) exceeding 10,000 pounds and to 1 second for all vehicles with a GVWR of 10,000 pounds or less.

Request for Comments
December 4, 1995, 60 Federal Register 62061
NHTSA noted that the original standard was issued when only mechanical systems were commonly used in vehicles. The agency set out a series of questions to help it make a decision on amending the standard to address electronic accelerator control systems. NHTSA said that while it has attempted to address the issue of electronic accelerator control systems through interpretation letters, the volume of requests has continued. To address this issue, the agency indicated that "instead of answering these questions by drawing analogies between traditional mechanical components and new electronic systems, it amended the Standard to include provisions and language specifically tailored to electronic systems." The agency identified the following failure modes of electronics systems and asked for comments on whether any other modes warranted consideration: the mechanical linkage and return springs between the pedal and the accelerator position sensor (APS); the electrical connections between the APS and the engine control processor; the electrical connections between the engine control processor and fuel or air metering devices that determine engine speed; power to the engine control processor; the APS and critical sensor; and the integrity of the engine control processor, APS, and other critical sensors.

Public Technical Workshop
May 20, 1997
NHTSA held a workshop with participants from the Truck Manufacturers Association and the American Automobile Manufacturers Association to discuss how electronics systems work and how to apply FMVSS 124 to these systems. Both organizations "emphasized that there had been no safety-related developments concerning electronic accelerator controls to justify applying Standard No. 124 to such systems."

NPRM on Electronic Control Systems
July 23, 2002, 67 Federal Register 48117
NHTSA reported that "where the present standard applies only to single-point severances or disconnections such as the disconnection of one end of a throttle cable, the proposed standard also is limited to single-point severances and disconnections such as unhooking one electrical connector or cutting a conductor at one location. The proposal does not attempt to make the requirements more stringent by requiring fail-safe performance when multiple severances or disconnections occur simultaneously." NHTSA also proposed several new test procedures, one of which would measure the engine speed under different loads on a chassis dynamometer. NHTSA commented that this particular test was "technology-neutral" and could be used instead of other proposed tests. The other procedures were technology-specific. One was essentially the air throttle plate position test of the existing standard. Another was measurement of fuel flow rate in diesel engines, and the other was measuring input current to a drive motor, such as would be found in an electric vehicle.

Withdrawal of Proposed Electronic Rule
November 10, 2004, 69 Federal Register 65126
NHTSA indicated that it was withdrawing its proposal "while it conducts further research on issues relating to chassis dynamometer-based test procedures for accelerator controls."

2011-2013 Vehicle Safety and Fuel Economy Rulemaking and Research Priority Plan
March 2011
NHTSA indicated that it is considering updating the accelerator control standard (FMVSS 124) by adding test procedures for vehicles with electronically controlled throttles and requiring a brake-throttle override system on some vehicles.

The chronology of FMVSS 124, as shown in Box 4-2, illustrates the challenge that NHTSA faces in trying to write or amend rules to address major technological changes, in this case the advent of electronic throttle control systems (ETCs) to replace the long-standing mechanical control mechanisms. In 1995, when automotive manufacturers began designing ETCs, NHTSA published a notice in the Federal Register posing a series of questions to help it determine whether amendments to the original standard were warranted to take into account the imminent introduction of ETCs. Manufacturers had repeatedly asked NHTSA for interpretations of FMVSS 124 to accommodate the design of compliant ETCs. NHTSA considered whether a change in the rule was needed to clarify the performance and testing criteria, partly to satisfy manufacturers but also to ensure that potential safety issues associated with this new form of throttle control were fully vetted. NHTSA had difficulty in revising the rule in ways that would accommodate all technological variability, and the agency eventually elected to withdraw all proposed changes to the regulation. Therefore, FMVSS 124 remains essentially unchanged since its creation 40 years ago.
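The fail-safe behavior that Box 4-2 describes (a single-point severance of a connector or conductor between the pedal sensor and the engine controller must still produce a return to idle, within the time limits set in September 1972) can be modeled as a small controller. The following Python is an added illustration, not code from the report, NHTSA, or any manufacturer. The dual-track pedal sensor, its 0.5-4.5 V valid band, the disagreement threshold, and the actuator slew rate are assumptions made for the simulation; only the 3 s / 2 s / 1 s limits and the 0°F and 10,000 lb GVWR thresholds come from the box.

```python
"""Fail-safe electronic throttle model: single-point pedal-sensor fault -> idle.

Added example, not NHTSA's or a manufacturer's code. Assumptions (not from
FMVSS 124): a dual-track accelerator position sensor whose two tracks carry
the same voltage when healthy, a valid voltage band of 0.5-4.5 V, and an
actuator that slews toward the commanded position at a fixed rate.
"""
from dataclasses import dataclass
from typing import Optional

APS_VALID_RANGE = (0.5, 4.5)   # volts; outside this band is read as open/short (assumed)
APS_MAX_DISAGREE = 0.3         # allowed difference between the two tracks (assumed)
IDLE_POSITION = 0.0            # throttle fraction: 0 = closed (idle), 1 = wide open
ACTUATOR_SLEW = 2.0            # throttle fraction per second (assumed)


def return_to_idle_limit_s(gvwr_lb: float, ambient_f: float) -> float:
    """Maximum return-to-idle time from the September 23, 1972 amendment (Box 4-2)."""
    if ambient_f <= 0:
        return 3.0                      # extreme cold: 3 s for all vehicles
    return 2.0 if gvwr_lb > 10_000 else 1.0


@dataclass
class Inputs:
    aps_track1_v: Optional[float]   # None models a severed connector (no signal)
    aps_track2_v: Optional[float]
    ecu_power_ok: bool


def detect_fault(inp: Inputs) -> Optional[str]:
    """Name the first detected single-point fault, or None if the pedal reading is trusted."""
    if not inp.ecu_power_ok:
        return "ecu_power_loss"
    lo, hi = APS_VALID_RANGE
    for name, volts in (("track1", inp.aps_track1_v), ("track2", inp.aps_track2_v)):
        if volts is None or not lo <= volts <= hi:
            return f"aps_{name}_out_of_range"
    if abs(inp.aps_track1_v - inp.aps_track2_v) > APS_MAX_DISAGREE:
        return "aps_track_disagreement"
    return None


def commanded_throttle(inp: Inputs) -> float:
    """Any detected fault forces the idle command; otherwise scale track 1 to 0..1."""
    if detect_fault(inp) is not None:
        return IDLE_POSITION
    lo, hi = APS_VALID_RANGE
    return (inp.aps_track1_v - lo) / (hi - lo)


def time_to_idle_after_fault(fault_at_ms: int = 200, horizon_ms: int = 5000,
                             step_ms: int = 10) -> Optional[float]:
    """Hold the pedal at half travel, sever track 1 at fault_at_ms, return seconds to idle."""
    healthy = Inputs(2.5, 2.5, True)
    severed = Inputs(None, 2.5, True)
    position = commanded_throttle(healthy)       # 0.5 of travel before the fault
    slew_per_step = ACTUATOR_SLEW * step_ms / 1000.0
    for t_ms in range(0, horizon_ms, step_ms):
        target = commanded_throttle(severed if t_ms >= fault_at_ms else healthy)
        if position > target:
            position = max(target, position - slew_per_step)
        elif position < target:
            position = min(target, position + slew_per_step)
        if t_ms >= fault_at_ms and position <= 1e-9:
            return (t_ms - fault_at_ms) / 1000.0
    return None                                   # never reached idle within the horizon


def meets_fmvss_124(gvwr_lb: float, ambient_f: float) -> bool:
    """Compare the simulated return-to-idle time against the applicable limit."""
    elapsed = time_to_idle_after_fault()
    return elapsed is not None and elapsed <= return_to_idle_limit_s(gvwr_lb, ambient_f)


if __name__ == "__main__":
    print("time to idle after severance:", time_to_idle_after_fault(), "s")
    print("within limit for a 4,000 lb vehicle at 70 F:", meets_fmvss_124(4_000, 70))
```

The point of the model is the ordering inside `commanded_throttle`: the fault check runs before the pedal value is used, so a lost or implausible signal can never be interpreted as a throttle demand. The simulation deliberately covers only one severance at a time, matching the scope of the 2002 proposal quoted in the box.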
NHTSA simply interprets a "disconnection" to cover not only separations in cables and other physical linkages but also separations of electrical connectors and conductors linking the accelerator pedal with the engine control unit and the control unit with the throttle actuator.[6]

NHTSA does not know how an FMVSS performance requirement will ultimately be met through alternative product designs, materials, and technologies. Therefore, the agency is not in a position to demand that manufacturers use specific tests on their products, such as for corrosion resistance, electromagnetic compatibility, or resistance to cracking. An FMVSS-required performance test for a penetration-resistant windshield, for example, can be specific in defining the impact forces and testing methods that must be used in demonstrating compliance. However, the rule does not specify the treatments that must be used or how the manufacturer should test for resistance to aging, temperature extremes, and other product properties. As explained in Chapter 3, the agency leaves these decisions to the automotive manufacturers, whose products are nevertheless required to be safe. A vehicle that complies with all FMVSSs may still contain a safety-related defect and be subject to a NHTSA-ordered recall. For example, if a compliant windshield is found to shatter spontaneously in significant numbers from extreme summer heat, NHTSA may consider this to be a safety defect and order a recall.

In the same vein, manufacturers are not required to apply for approval from NHTSA when they introduce a new vehicle system or component pertinent to an FMVSS. The manufacturer may request interpretations of the performance standard as it relates to a new technology or design, as occurred in the case of the ETC. However, NHTSA does not examine each product design and certify regulatory compliance. Automotive manufacturers are required to self-certify that their vehicles are in full compliance with the regulatory provisions when they deliver each vehicle to the dealer for sale to the public. NHTSA has various means by which it monitors and enforces adherence, which are discussed next, but compliance rests substantially on the diligence of the manufacturer.

[6] Information provided to the committee in briefing by Nathaniel Beuse, Chief, Crash Avoidance Standards, NHTSA, June 30, 2010.

Enforcement and Defect Investigation

Complaint monitoring and investigation are the main means by which the Office of Vehicle Safety ensures that vehicles in the fleet are free of safety defects. This function is performed through ODI.
Defect Surveillance and Assessment

ODI's Defects Assessment Division, which consists of a staff of nine screeners and analysts,[7] is responsible for monitoring the fleet for vehicle safety defects. It does this primarily through screening of safety-related data submitted by manufacturers [the Early Warning Reporting (EWR) system discussed below], the technical service bulletins issued by manufacturers, and consumer complaints submitted through an online or hotline Vehicle Owner's Questionnaire (VOQ).[8]

The VOQs are especially important to this process. ODI informed the committee that the Defects Assessment Division screens more than 30,000 VOQs each year. The complaints are stored in a database that is available (in redacted form) to the public but are reviewed individually by screeners as they are submitted. As discussed below, the complaints vary in detail but are intended to contain information on the complainant, information on the identity of the vehicle, and a description of the event and the vehicle behavior conveyed in a narrative section by the motorist. On the basis of the professional judgment of the screeners and analysts, the vehicle owner may be contacted for more detailed information on the nature and sequence of the event, police reports, and the vehicle's repair records and history of symptoms.

According to ODI, its defect assessment analysts depend on the VOQ narratives and any follow-up interviews to gather much of the critical information about the episode, vehicle conditions and behaviors, and possible causes.[9] Analysts must use their professional judgment to make decisions about the existence of a safety hazard. They consider whether a trend can be discerned, such as in complaints involving issues closely spaced in time, similar consequences (fires, crashes, injuries), and similar circumstances (e.g., during parking, highway travel, low-speed driving). Consideration is also given to whether ODI has a history of complaints involving similar conditions and behaviors.

[7] NHTSA informed the committee that the defect assessment staff consists of four mechanical engineers, one electrical engineer, one chemical engineer, and three automotive specialists with expertise obtained from working in the automobile industry.
Box 4-3 lists the types of questions that analysts raise when they conduct a defect assessment, in this case when they examine complaints involving forms of unintended acceleration. Because the VOQ database is available to the public online, consumers may also review all complaints and file a petition with ODI to investigate a suspect defect trend or pattern. In such cases, ODI may open an inquiry to assess the merits of undertaking a defect investigation. Examples of inquiries involving concerns about unintended acceleration in Toyota vehicles are provided in Chapter 5 (see Table 5-1). Usually these inquiries include an examination of complaint rates for the subject vehicle and comparisons with peer vehicles as well as follow-up interviews with and surveys of complainants.

[8] According to ODI, more than 90 percent of consumer complaints are submitted online (56 percent) or through a telephone hotline (37 percent).
[9] Briefing by Gregory Magno, Defects Assessment Division Chief, ODI, October 12, 2010.

Box 4-3 Example Questions Asked by ODI Investigators of Unintended Acceleration Cases

Throttle Questions
Did the engine power increase from idle, or did it fail to decrease after the accelerator pedal was released?
Engine power level (high or low, fixed or changing)?
Duration (short surge or sustained increase)?
Initiation speed?
Environmental conditions (ambient temperature, moisture)?
Engine conditions (cold or warm)?
Cruise control status?
What equipment was being operated?
Postincident inspection or repairs of throttle system?
Throttle system service history?

Brake Questions
What was the vehicle response to brake application?
Did the engine power increase begin when the brake was applied?
Did the engine power change with braking force?
Did the engine power change after brake release (in "P" or "N")?
Was the brake system inspected after the incident? Were any problems found?
Did the brake components display signs of overheating?
Did the driver apply the brake pedal more than once during the event?
Were there any brake system service issues before or after the incident?

Source: Briefing by Jeffrey Quandt, Vehicle Control Division Chief, ODI, October 12, 2010.

One simple means of sorting the VOQs is by the vehicle component code that the motorist assigns as being the suspected source of the defect. The motorist can choose from more than two dozen component codes such as service brakes, electrical system, power train, fuel system, steering, tires, and vehicle speed control. However, sorting by these codes to identify complaint rates is unreliable for many vehicle behaviors and conditions, since the code selections depend on the judgment of the vehicle's owner with regard to the component involved in the event. As discussed in the next chapter, for example, unintended acceleration could be categorized under the code for the service brake, speed control, power train, or a number of other components. Similarly, conditions that have little to do with unintended acceleration, such as stalling or hesitation due to transmission problems, may be categorized under the code vehicle speed control. Accordingly, ODI analysts do not routinely sort complaints on component codes when they assess complaints for suspect defects. Instead, they review the consumer narrative section, since it can convey more information on vehicle behaviors, conditions, and event circumstances.

Another source of data available to ODI for defect surveillance is the EWR system. Automotive manufacturers are required by the 2000 Transportation Recall Enhancement, Accountability, and Documentation (TREAD) Act to provide NHTSA with reports, mostly on a quarterly basis, of vehicle production counts, warranty claims, consumer complaints, dealer and nondealer field reports, property damage claims, and fatality and injury claims and notices.
The TREAD Act also expanded NHTSA's staffing and budgetary resources and called for improvements in ODI's computer systems to make use of the newly required early warning data.

ODI analysts explained to the committee that they use various methods to filter and analyze these aggregated data to identify high counts and high rates, increasing trends, and outliers.[10] Analysts sort some of the data, such as the warranty claims, by the same component codes as contained in the VOQ. As in the case of the VOQs, two dozen component codes can lack the specificity needed to identify defect trends. If the vehicle behavior is not the result of a clearly identifiable component defect, the EWR data may not be helpful in alerting ODI to the problem's occurrence. In briefings to the committee, ODI analysts noted that the EWR data lack the detail needed to be the primary source for monitoring the fleet for safety defects and that the main use of these data (especially the field reports) has been to support defect monitoring and investigations by supplementing traditional ODI data.[11]

[10] Briefing to the committee by Christina Morgan, EWR Division Chief, October 12, 2010.
[11] Briefing to the committee by Christina Morgan, EWR Division Chief, October 12, 2010.

Defect Investigations

ODI's investigative unit consists of specialists in crash avoidance, crashworthiness, and heavy-vehicle (truck and bus) defects. The specialists are usually asked to initiate an investigation in response to a referral from the Defects Assessment Division. These investigations typically consist of two phases. The first is a preliminary evaluation, and the second is an engineering analysis. During the preliminary phase, investigators send an information request letter to the manufacturer to obtain data on complaints, crashes, injuries, warranty claims, modifications, part sales, and service bulletins. The manufacturer can present its views with regard to the suspected defect in a response to the letter. Preliminary evaluations are expected to be completed within three months of the date they are opened. A preliminary evaluation may be closed on the basis of a determination that a more in-depth investigation is not warranted or because the manufacturer has decided to conduct a recall in response.

If a recall is not forthcoming and investigators believe that further analysis is warranted, the preliminary evaluation is upgraded to an engineering analysis, during which ODI investigators conduct a more detailed analysis of the nature and scope of the suspected defect.
Although investigators consult the information collected during the preliminary evaluation, such as analyses of VOQs and EWR data, they usually require more detailed supplemental information. They obtain it through inspections, tests, surveys, and additional information from the manufacturer and suppliers, such as returned parts, parts sales data, information on design changes, and more details on warranty claims. Engineering analyses may involve the examination of specific vehicles, but ODI informed the committee that it does not have the staffing or resources to examine large numbers of vehicles or conduct full crash investigations.[12] ODI may therefore seek assistance from NCSA's Special Crash Investigations unit. ODI can also use the Vehicle Research and Test Center for testing and engineering analysis if a preliminary evaluation has not resolved the concern raised by the complaints. More examples of how these resources were deployed to investigate concerns about unintended acceleration and the possibility of electronics vulnerabilities are given in Chapter 5.

If investigators conclude that the evidence indicates the existence of a safety-related defect, they prepare a briefing for a multidisciplinary review panel (a panel of experts from throughout the agency) for critical assessment. ODI evaluates the recommendations of the panel and decides whether to send a recall request letter to the manufacturers. Manufacturers rarely let a situation progress to this point. A recent report (GAO 2011) indicated that since 2000 not a single recall has been ordered by NHTSA for passenger cars; manufacturers have undertaken recalls voluntarily, either in advance of a NHTSA investigation or in response to an ongoing one, long before issuance of a recall request letter.

Under the law,[13] ODI may require a manufacturer to conduct a recall only if the agency can establish that a defect exists and is "related to motor vehicle safety." To demonstrate the existence of a defect, ODI must be able to show the potential for a significant number of failures. To establish that the defect pertains to safety, ODI must be able to show that the defect presents an unreasonable risk of a crash, injury, or death. According to ODI, one of the main challenges investigators face in ordering a recall is in proving a safety defect's existence when the defect has yet to exhibit a safety consequence.
Therefore, establishing legal proof of defect can be challenging, and ODI's "influencing" of voluntary recalls—which is the norm—is viewed as permitting a more effective and practical enforcement program.

Box 4-4 gives an example of a recent ODI investigation of an electronics system exhibiting a defect. The number of complaints received, the warranty claims data consulted, and the types of testing undertaken by ODI are shown. In this case, the manufacturer issued a voluntary recall that was influenced by the ODI investigation.

[12] Information submission by NHTSA to committee on December 7, 2010.
[13] Chapter 301, Title 49, United States Code.
Box 4-4 Example of an ODI Electronics Investigation and Recall

Investigation: EA09-002
Manufacturer recall: 10V-172

Alleged defect
Electronic stability control malfunction
Fretting corrosion of steering wheel position sensor connector

Safety consequences
Inappropriate electronic stability control activation
Inappropriate braking with no brake lights
Risk of lane departure from braking "pull"

Vehicle population: 40,028
Complaints: 58
Crashes: 4
Warranty claims: 2,424 (steering wheel position sensor connector repairs)

Testing to simulate fault condition
Fault detection normally occurs in less than 1 second (electronic stability control deactivated)
Fault injection produced a range of sensor voltages where fault detection may be delayed by several seconds

Source: Briefing by Jeffrey Quandt, Vehicle Control Division Chief, ODI, October 10, 2010.

Recall Monitoring

ODI's Recall Management Division oversees recalls to ensure compliance with statutory and regulatory requirements and to track progress in implementing defect remedies. Manufacturers are required to describe the population of vehicles subject to the recall, the nature of the defect and its consequences (e.g., number of reported accidents, injuries, fatalities, and warranty claims), and the remedial actions planned as part of the recall campaign. Manufacturers are required to furnish a chronological summary of all the principal events that were the basis for the determination of the defect to the Recall Management Division. NHTSA is required to approve the recall plan, and the agency imposes fines on manufacturers for violations of requirements relating to the recall process, including defect notification and campaign timeliness.[14]

FIGURE 4-2 Key reasons for critical precrash event, percent share by the vehicle, driver, roadway, and weather. See Table 4-1 for data. (Source: NHTSA 2008.)

Vehicle Safety Research

Figure 4-2 shows NMVCCS estimates of the share of all crashes for which the critical precrash event can be attributed to the vehicle, the driver, the roadway, and weather conditions. The figure shows the dominant influence of the driver on traffic safety. Although vehicle, weather, and roadway factors are often contributing factors to crashes, they are the critical reason for a crash only 5 percent of the time, as determined by NHTSA. From the standpoint of NHTSA's research programs, the large proportion of crashes attributed to driver errors is grounds for focusing research and development on technological (including vehicle-based) and nontechnological means of improving driving safety performance. The former is the responsibility of NHTSA's Office of Vehicle Safety Research (OVSR), which has a budget of about $33 million annually for research on vehicle safety systems (e.g., occupant restraint and protection) (about $8 million), biomechanics (about $11 million), heavy-duty vehicles (about $2 million), alternative fuel safety (about $4 million), and crash avoidance (about $8 million). Crash avoidance technologies in particular are viewed as a promising means of mitigating driver errors, and OVSR conducts research to evaluate the developmental status and effectiveness of these technologies and how drivers are likely to use and respond to them.

[14] For example, in 2010, the agency twice imposed the maximum penalty of $16.375 million on Toyota for failing to notify the agency of defects involving accelerator pedals in a timely manner.
Crash avoidance research includes the following:

• Evaluations of human factors issues, such as the best way for vehicle-based safety systems to provide hazard notifications and warnings to drivers, modify unsafe driving behaviors (e.g., distraction and alcohol impairment), and mitigate unintended side effects on drivers (e.g., ensure that systems do not lead to a loss of driver vigilance or situation awareness);
• Development of methodologies for estimating the potential safety benefits of existing and emerging crash avoidance technologies, such as those that increase driver awareness and vehicle visibility, decrease alcohol involvement in crashes, and decrease intersection collisions and rollovers;
• Development of performance standards and tests for technology-based crash avoidance capabilities, including support for the agency's considerations of FMVSS rulemakings to require certain capabilities in vehicles (e.g., performance standards and tests for electronic stability control); and
• Monitoring of the state of technology development of emerging and more advanced (or "intelligent") technologies for driving assistance (warning and control systems), driver monitoring, and vehicle-to-vehicle communications. What technologies are becoming available? In what situations do they promise to work? What is their potential safety effectiveness?

Some of these research activities are performed by outside contractors, and others are conducted and administered by research personnel at the Vehicle Research and Test Center. According to committee briefings from OVSR, much of the research is performed in collaboration with research institutes, universities, automotive manufacturers, and other U.S. DOT agencies such as the Research and Innovative Technology Administration and the Federal Highway Administration. One example of such collaboration, as described by OVSR to the committee, is a research activity being undertaken by NHTSA in cooperation with the Automotive Coalition for Traffic Safety (which includes automotive manufacturers). This multiyear research program, known as the Driver Alcohol Detection System for Safety Program, is intended to develop and test prototypes of noninvasive technologies for measuring driver blood alcohol levels.[15] NHTSA described these efforts as intended to support a nonregulatory, market-based approach for preventing crashes caused by drunk driving.

According to OVSR, crash avoidance research activities are "data driven." They are intended to be guided by where the agency's crash database indicates that research can be helpful in mitigating safety problems, such as drunk driving, rear-end collisions, and unsafe lane changes, as well as other concerns pertaining to vulnerable populations such as children and the elderly. The intent of the research planning is to prioritize resource allocations on the basis of the potential for realizing reductions in traffic fatalities and injuries.
Allocations are also affected by programmatic requirements (e.g., responsibility for heavy-duty vehicle and alternative energy safety research) and events that may arise and warrant immediate research attention (e.g., unintended acceleration concerns). Because of the emphasis on research results that can be applied to known safety problems, much of the program's research is designed to support agency decisions such as whether and how to promulgate a performance-oriented FMVSS mandating a vehicle safety capability made possible by advancements in vehicle technology.

[15] For more information on the Driver Alcohol Detection System for Safety Program, see http://www.nhtsa.gov/DOT/NHTSA/NVS/Public%20Meetings/Presentations/2010%20Meetings/HyundaiDADSS.pdf.
Mostly through the activities and facilities of the Vehicle Research and Test Center, OVSR also provides engineering analysis and testing support for ODI's surveillance and investigation activities. For the most part, however, this research activity consists of testing and engineering analyses of suspected defects in vehicles in response to a request by ODI investigators. NHTSA officials informed the committee that OVSR does not conduct significant research in areas such as fail-safe and diagnostic strategies, software design and validation, or cybersecurity.

During committee briefings, OVSR presented a framework for how it sees its research helping NHTSA achieve the agency's dual mission of reducing the incidence and severity of motor vehicle crashes and ensuring that vehicles perform safely. The framework, shown in Figure 4-3, divides agency research activities into the traditional crash avoidance and crashworthiness stages and further divides them into the "normal driving," "crash imminent," "crash event," and "postcrash" phases. Examples of NHTSA research to further the role of electronics systems in each of these four crash phases are given. Missing from these listed activities, as acknowledged by OVSR, is research to address the safety assurance challenges that these advanced systems may present. As shown in the bottom shaded rows of Figure 4-3, OVSR is beginning to venture into these research areas, particularly in view of the emphasis placed by the agency on electronics systems as possible solutions to traffic safety problems.

In the next section, the strategic and priority planning activities of OVSR are described. Through these activities, OVSR will presumably make determinations about whether it should devote more research attention to the safety assurance needs of the electronics-intensive vehicle.

FIGURE 4-3 NHTSA vehicle safety research topics. The figure lists the following topics by stage and phase:
Crash avoidance, normal driving: driver distraction; alcohol detection; driver support systems; drowsy driver detection.
Crash avoidance, crash imminent: forward crash avoidance; lane-departure warning; crash-imminent braking; lane-keeping; blind spot surveillance; vehicle-to-vehicle, vehicle-to-infrastructure.
Crashworthiness, crash event: adaptive restraints; child side impact; oblique offset/frontal; advanced air bags.
Crashworthiness, postcrash: crash notification; event data recorders; advanced crash notification.
New topics (bottom shaded rows): fail-safe strategies; advanced event data recorders; software reliability; fault detection and diagnosis methods.

Strategic and Priority Planning for Research and Rulemaking

The purpose of NHTSA's most recent Vehicle Safety and Fuel Economy Rulemaking and Research Priority Plan (NHTSA 2011), according to the agency, is to describe the projects that the agency intends to work on in the rulemaking and research areas that are priorities or that will take significant agency resources. The document is intended not only to be an internal management tool but also to communicate NHTSA's highest priorities to the public. It lays out the rationale for why the identified projects are considered priorities. Emphasis is given to their relevance to specific safety problems as identified from analyses of crash data. The plan states that the priorities are based on their potential for large safety benefits. Priority is also given to projects that can address special safety hazards, such as those related to vulnerable populations (for example, children and the elderly). The plan acknowledges that Congress and the White House may request that the agency address other areas, which can affect priorities during the planning time frame.

An important element of the plan is that all identified projects, including research initiatives, be accompanied by a time frame for a decision. For example, projects in the research stage are noted with milestones indicating when NHTSA expects to decide whether the initiative is ready to move from the research to the rulemaking stage. The emphasis on agency decision making, particularly for research, reflects the focus of the agency's vehicle safety research program on supporting specific rulemaking initiatives.

The plan lists a number of projects for evaluating electronics systems as countermeasures for problems such as rear-end collisions, lane departures, and blind spot detection.
Several other projects relevant to electronics safety assurance are as follows:

• Event data recorder requirement—plans for a proposed rulemaking to mandate the installation of event data recorders on all light-duty vehicles and a proposal to consider enhancements to their capabilities and applicability;
• Update of FMVSS 124 on accelerator control—revision of the test procedure for vehicles with ETCs and the addition of systems that would override the throttle on application of the brake; and
• Update of FMVSS 114 pertaining to keyless ignitions—revision of the standard to consider ways of ensuring the ability of drivers to turn off the engine in the event of an on-road emergency.[16]

These three priorities, as well as planned research to examine pedal placement and spacing, appear to have resulted from the recent experience with unintended acceleration, for reasons discussed further in Chapter 5.

The earlier discussion of NHTSA's vehicle safety research programs noted that the agency is considering whether to support research to inform the automotive industry's efforts to address cybersecurity and improve fail-safe and fault detection strategies for complex vehicle electronics. The priority plan does not list these areas as candidates for agency research. Whether such research, if undertaken, would be viewed as supporting prospective regulatory decisions was not made clear to the committee. NHTSA regulations in these areas, however, would be unprecedented, as pointed out earlier.

The plan does not communicate strategic decisions, such as whether consideration is being given to changes in the agency's regulatory approach in response to the safety challenges associated with vehicle electronics. However, as noted at the outset of the plan, "NHTSA is also currently in the process of developing a longer-term motor vehicle safety strategic plan that would encompass the period 2014 to 2020" (NHTSA 2011, 1). While this planning effort may be where such decisions will be made, no additional details on its purpose or progress were offered by NHTSA officials during the course of this study.
Safety Assurance and Oversight in Other Industries

NHTSA's vehicle safety activities represent one approach to overseeing the safety of a transportation activity and vehicle. Within the U.S. DOT, several agencies have transportation safety regulatory and oversight responsibilities and differ in how they implement them. Among such agencies are the Federal Railroad Administration, the Federal Motor Carrier Safety Administration, and the Federal Aviation Administration (FAA). FAA's approach in overseeing the design and production of aircraft is reviewed briefly, since this transportation industry—perhaps more than any other—is highly safety conscious and technologically complex. In addition, consideration is given to a regulatory and oversight approach from outside the transportation sector by reviewing aspects of the Food and Drug Administration's (FDA's) safety responsibility for medical devices. Although in-depth reviews are not provided, the comparisons make the earlier distinctions about NHTSA's regulatory and defect surveillance approach more concrete.

[16] On December 12, 2011, NHTSA issued a Notice of Proposed Rulemaking to address safety issues arising from keyless ignition controls and their operation (Docket No. NHTSA-2011-0174). Federal Register, Vol. 76, No. 238.

FAA and Aircraft Safety

In developing its airframe and engine airworthiness regulations,[17] FAA is authorized by law to set minimum standards for the design, materials, construction, quality of work, and performance of aircraft and their engines. Despite its legal authority to prescribe the details of product design and construction, FAA has elected to place greater emphasis on ensuring that aviation equipment performs safely rather than on establishing specific design and construction standards for products. In this important respect, the FAA regulations are comparable with the performance-oriented FMVSSs promulgated by NHTSA—the details of the design and development process are left to the manufacturer. In many other respects, the scope and depth of the regulatory roles of FAA and NHTSA differ significantly.
These differences have many origins, not the least of which is the fact that aircraft are far more expensive to develop and build than automobiles and their systems must maintain airworthiness and operability in flight.[18]

Aircraft manufacturers must apply to FAA for approval and certification to develop and build a new aircraft type. In contrast, automotive manufacturers do not need approval from NHTSA to develop and build a new type of automobile. FAA's certification process covers all product development phases, from initial planning to flight testing. Each manufacturer applicant must present a certification plan that sets out the safety assurance processes it will use through all development and production stages, including specification of procedures for hazard assessment, safety analysis, testing, inspection, design change proposal, hardware and software development and integration, and manufacturing quality control. On receipt of the application, FAA exercises a prominent role in the approval of these plans: FAA must review and approve the safety assurance plans before the applicant can even proceed to the next phase of product development. Even at the final stages of aircraft and engine development, FAA must approve the battery of tests and evaluations that are conducted in preparation for the aircraft or engine to be placed in service. Before it grants certification, FAA audits all of the procedures followed by the manufacturer as well as the results of tests.

Although FAA reviews manufacturer safety assurance plans and processes intensely, the burden of proving the soundness of the safety assurance system is on the manufacturer. To facilitate compliance, FAA advises manufacturers to follow certain preapproved processes for product development. In particular, the agency publishes advisory circulars (ACs) that define acceptable means of conforming to specific airworthiness regulations. For example, one AC (AC 25.1309-1 draft) establishes the means by which manufacturers are to determine the levels of risk tolerance for various functional capabilities of the aircraft. Manufacturers are advised to designate design assurance levels (DALs) for their safety-critical systems, not unlike the automotive safety integrity levels prescribed in ISO 26262 for automotive electronics systems as explained in Chapter 3. Manufacturers are thus expected to implement safety assurance measures compatible with the DAL for each system.

[17] 14 CFR Parts 21 through 49.
[18] For example, in the event of a fault, aircraft, unlike automobiles, cannot implement fail-safe defenses that shut down the engines in flight. Thus, they require extensive redundancy and preventive measures for faults in safety-critical systems.
FAA does not specify how applicants must conduct DAL classifications, but it advises on the use of specific industry-developed standards (e.g., SAE ARP4754 and ARP4761) for analytic rigor and requires manufacturers to demonstrate the use of rigorous analytic processes (e.g., failure mode and effects analyses and fault tree analyses, both of which are discussed in Chapter 3). Specifically with respect to safety-critical software, FAA advises manufacturers to follow the industry-developed standard RTCA-178B, which prescribes steps to be followed during software development.[19] Aircraft and engine manufacturers are not compelled to follow the standards referenced in ACs, but FAA's demanding requirements for the approval of alternative processes mean that the aviation industry almost universally subscribes to the processes preapproved in circulars.[20]

FAA's hands-on approach to safety oversight can make fulfillment of its requirements costly and time-consuming. Although FAA designates senior engineers from manufacturers to carry out many of the detailed document reviews and inspections that make up the certification process, FAA staff must review the most significant process elements. FAA has a major unit, the Aircraft Certification Service, dedicated to this function and housed in more than two dozen offices across the country and abroad. Although FAA issues a handful of new aircraft-type certificates per year, the Aircraft Certification Service requires a large cadre of test pilots, manufacturing inspectors, safety engineers, and technical specialists in key disciplines such as flight loads, nondestructive evaluation, flight management, and human factors.

[19] The Radio Technical Commission for Aeronautics is a federal advisory committee. Its participants come from industry and academia. Box 3-3 in Chapter 3 provides more information on software development standards for functional safety.

FDA and Class III Medical Devices

Manufacturers of the most safety-critical (Class III) medical devices must receive approval from FDA before the devices can be marketed for public use.[21] FDA's and NHTSA's safety oversight processes are comparable in that they combine safety requirements as a condition for approval with postmarketing monitoring to detect and remedy product safety deficiencies in the field.

FDA's postmarket surveillance uses mandatory reporting of adverse events by manufacturers and voluntary reporting by health professionals and consumers. In 2002, FDA supplemented these sources of surveillance information with a new approach.
It established a voluntary network of clinicians and hospitals to provide a two-way channel of communication to support surveillance and more in-depth investigations of medical device safety performance.[22] The Medical Product Safety Network, known as MedSun, now has about 350 participating user facilities. Each participating facility has trained liaisons, who are instructed to report issues of interest to FDA electronically. According to FDA officials who briefed the committee, agency epidemiologists can query MedSun participants for specific information on the performance of devices under investigation, and participants regularly submit device performance information to FDA's surveillance program, including reports on safety-related "close calls."

MedSun represents a small part of FDA's postmarket surveillance system. It is discussed here because it demonstrates a collaborative approach that may have application in the automotive sector. MedSun's effectiveness for defects surveillance could not be examined in this study. A recent report by the Institute of Medicine (IOM), however, found that FDA's MedSun and certain other collaborative initiatives for postmarket surveillance are "scientifically promising" provided they are resourced adequately (IOM 2011, 143–144).[23]

Conceptually, FDA's MedSun resembles NHTSA's Crash Injury Research Engineering Network (CIREN). CIREN was created by the agency in 1996 for detailed investigation of vehicle crashes. The program brings together experts from medicine, academia, industry, and government to perform analyses of the injuries sustained in specific collision modes such as front, side, and rollover crashes. The participating trauma centers are among the nation's largest, and the engineering centers are based at academic laboratories with extensive experience in vehicle crash and human injury research. Each trauma and engineering center collects detailed medical and crash data on approximately 50 crashes per year, and these data are shared among participating centers through a computer network that is also accessible to NHTSA researchers. While CIREN does not collect information on the performance and functioning of vehicle electronics systems, it demonstrates the value of such collaborative forums and how NHTSA can play a role in supporting them.

[20] A comparison of safety assurance processes for safety-critical electronics in the automotive and aerospace domains is given by Benz et al. (2004).
[21] FDA regulates three classes of medical devices. The most intensely regulated, designated as Class III, are those supporting or sustaining human life, such as pacemakers, pulse generators, and implanted defibrillators.
[22] http://www.fda.gov/MedicalDevices/Safety/MedSunMedicalProductSafetyNetwork/default.htm.
[23] The IOM report found: "The FDA has postmarketing surveillance programs—such as MedSun, MD EpiNet, and the Sentinel Initiative—that are scientifically promising, but achieving their full promise will require a commitment to provide stable, adequate resources and will require resolution of various technical issues, such as unique device identifiers."

Chapter Findings

Finding 4.1: A challenge before NHTSA is to further the use and effectiveness of vehicle technologies that can aid safe driving and mitigate hazardous driving behaviors and to develop the capabilities to ensure that these technologies perform their functions as intended and do not prompt other unsafe driver actions and behaviors.

Alcohol-impaired driving, speeding, distraction, and failure to use seat belts represent long-standing driver behaviors that contribute to many crashes and their consequences. Advancements in vehicle electronics could reduce crashes and their severity through alerts, crash-imminent actions, and automated control. Such benefits will depend on drivers accepting the technologies and using them appropriately. In addition, industry and NHTSA have an interest in ensuring that new safety technologies do not have the unintended effects of confusing or startling drivers or causing them to become too dependent on the technologies themselves for safe driving.

Finding 4.2: NHTSA's FMVSSs are results-oriented and thus written in terms of minimum system performance requirements rather than prescribing the means by which automotive manufacturers design, test, engineer, and manufacture their safety-related electronics systems.

In being primarily performance-oriented, the standards are intended to be design- and technology-neutral, in recognition that automotive technologies evolve and vary across manufacturers. Hence, automotive manufacturers are not required to seek NHTSA approval when they develop and introduce a new vehicle system, even if it pertains to an FMVSS-required safety capability or feature. NHTSA may offer an interpretation of a new technology's conformance to an FMVSS performance requirement, but it does not advise on specific design strategies or testing methods carried out by the manufacturer, such as means by which corrosion resistance, electromagnetic compatibility, software reliability, and diagnostic and fail-safe properties are designed and verified.
Automotive manufacturers are required to self-certify that their vehicles comply with the performance requirements when they deliver each vehi- cle to the dealer. Finding 4.3: Through ODI, NHTSA enforces the statutory requirement that vehicles in consumer use not exhibit defects that adversely affect safe vehicle per- formance. ODI analysts monitor the fleet for indications of vehicle safety defects primarily through the screening and analysis of consumer com- plaints, supplemented with information submitted by manufacturers in compliance with the EWR system. By law, to demonstrate the existence of a safety defect, ODI investigators must be able to show a potential for a significant number of failures as a result of the defect and that such failures present an unreasonable risk of a crash, injury, or death. The defect may pertain to any vehicle component that can adversely affect
NHTSA Vehicle Safety Programs || 129 the safe performance of the vehicle, regardless of whether it pertains to a capability required in a specific FMVSS. ODI inquiries and investigations seldom lead to manufacturers being ordered to undertake a safety recall to remedy a defect. However, ODI investigative actions often prompt the manufacturer to issue a voluntary recall, even in instances where there is uncertainty about whether the defect meets the statutory definition of presenting an unreasonable safety risk. Finding 4.4: NHTSA refers to its vehicle safety research program as being âdata drivenâ and decision-oriented, guided by analyses of traffic crash data indicating where focused research can further the introduction of new regulations and vehi- cle capabilities aimed at mitigating known safety problems. In particular, elec- tronics systems that can aid in crash avoidance are viewed as promising ways to mitigate driver errors. The agencyâs crash avoidance research thus includes evaluations of human factors issues, methodologies for esti- mating the potential safety benefits of existing and emerging crash avoid- ance technologies, performance standards and tests that can be established for technology-based crash avoidance capabilities, the state of develop- ment of emerging and more advanced technologies for driving assistance, driver monitoring, and vehicle-to-vehicle communications. Finding 4.5: NHTSA regularly updates a multiyear plan that explains the rationale for its near-term research and regulatory priorities; however, the plan does not communicate strategic considerations, such as how the safety chal- lenges arising from the electronics-intensive vehicle may require new regulatory and research responses. NHTSA has indicated that such a forward-looking strategic plan is being developed, but its purpose and the progress on it have not been made clear. 
For example, NHTSA does not undertake significant research in support of industry efforts to make improvements in areas such as fail-safe and diagnostic strategies, means for detect- ing dual and intermittent faults, electromagnetic compatibility, soft- ware safety assurance, or cybersecurity. Nor does the agency undertake significant research in support of improvements in the processes and data capabilities of ODI in monitoring for and investigating the fleet for electronics-related defects. Such defects may become more common (owing to the growth in electronics systems) and more difficult to iden- tify and assess because their occurrence does not always leave a physical trace. Whether such an expansion of research emphasis is warranted is a strategic consideration and a candidate for coverage in the pending strategic plan.
130 || The Safety Promise and Challenge of Automotive Electronics Finding 4.6: FAAâs regulations for aircraft safety are comparable with the performance-oriented FMVSSs in that the details of product design and develop- ment are left largely to the manufacturers; however, FAA exercises far greater oversight of the verification and validation of designs and their implementation. Aircraft manufacturers must apply to FAA for approval and certification to develop and build a new aircraft type. FAAâs certification process covers all product development phases; FAA reviews and approves all manufac- turer safety assurance plans. In contrast, under NHTSAâs approach, these responsibilities are left to manufacturers. For NHTSA to engage in com- prehensive, aviation industryâtype regulatory oversight of manufacturer assurance plans and processes would represent a fundamental change in the agencyâs regulatory approach that would require substantial justifi- cation and resources, and possibly new statutory authority. The introduc- tion of increasingly autonomous vehicles, as envisioned in some concepts of the electronics-intensive automobile, might one day cause the agency to consider taking a more hands-on regulatory approach with elements similar to those found in the aviation sector. At the moment, however, such a profound change in the way NHTSA regulates automotive safety does not appear to be a near-term prospect. Finding 4.7: FDAâs and NHTSAâs safety oversight processes are comparable in that they combine safety performance requirements as a condition for approval with postmarketing monitoring to detect and remedy product safety deficiencies occurring in the field. FDA has established a voluntary network of clinicians and hospitals known as MedSun to provide a two-way channel of communication to support surveillance and more in-depth investigations of the safety performance of medical devices. MedSun represents a small part of FDAâs postmarket sur- veillance system. 
This network is discussed here because it demonstrates a governmentâindustry collaborative approach that may have applica- tion for automotive safety. NHTSAâs CIREN program is conceptually sim- ilar to the FDA network for medical devices, demonstrating NHTSAâs potential for supporting such collaborative surveillance activities. referenceS Abbreviations GAO Government Accountability Office IOM Institute of Medicine NHTSA National Highway Traffic Safety Administration TRB Transportation Research Board
Benz, S., E. Dilger, W. Dieterle, and K. D. Müller-Glaser. 2004. A Design Methodology for Safety-Relevant Automotive Electronic Systems. SAE Paper 2004-01-1665. Presented at Society of Automotive Engineers World Congress and Exhibition, Detroit, Mich., March.
GAO. 2011. NHTSA Has Options to Improve the Safety Defect Recall Process. GAO-11-603. June. http://www.gao.gov/new.items/d11603.pdf.
IOM. 2011. Medical Devices and the Public's Health: The FDA 510(k) Clearance Process at 35 Years. National Academies Press, Washington, D.C.
NHTSA. 2008. National Motor Vehicle Crash Causation Survey: Report to Congress. DOT HS 811 059. July. http://www-nrd.nhtsa.dot.gov/Pubs/811059.PDF.
NHTSA. 2011. NHTSA Vehicle Safety and Fuel Economy Rulemaking and Research Priority Plan, 2011–2013. March. http://www.nhtsa.gov/staticfiles/rulemaking/pdf/2011-2013_Vehicle_Safety-Fuel_Economy_Rulemaking-Research_Priority_Plan.pdf.
TRB. 2011. Special Report 300: Achieving Traffic Safety Goals in the United States: Lessons from Other Nations. National Academies, Washington, D.C.