170 || The Safety Promise and Challenge of Automotive Electronics

6 Recommendations to National Highway Traffic Safety Administration on Preparing for the Electronics-Intensive Vehicle

This report describes how

• Increasingly software-intensive electronics systems are being used in automobiles to provide capabilities that are both related and unrelated to vehicle safety (Chapter 2);
• Automotive manufacturers seek to ensure the performance of these electronics systems through preventive and fail-safe measures implemented during product design, development, and manufacturing as well as through lessons learned from postproduction surveillance (Chapter 3); and
• The National Highway Traffic Safety Administration's (NHTSA's) regulatory, research, and defect surveillance and investigation programs are oriented and applied to oversee the performance of vehicles and their constituent electronics systems (Chapter 4).

In reviewing NHTSA's response to reports of unintended acceleration, Chapter 5 provides a concrete example of much of the subject matter of these earlier chapters. It discusses how NHTSA has sought to address concerns about whether one electronics system, Toyota's electronic throttle control system (ETC), has performed safely. The discussion provides insight into the agency's defect surveillance and investigation processes and an example of how one automotive manufacturer has sought to ensure the performance of a safety-critical electronics system. The public apprehension and controversy that have surrounded Toyota's ETC suggest the potential for other electronics systems to become implicated in safety concerns, particularly as electronics systems assume more vehicle safety and control functions.

In requesting these reviews, NHTSA tasked the committee with making recommendations on how the agency's regulatory, research, and defect investigation activities can be strengthened to meet the safety assurance challenges associated with the increasing use of electronics systems. The various findings from Chapters 2 through 5, which are summarized in Box 6-1, are synthesized in the following discussion and provide the basis for several recommendations to NHTSA.

NHTSA's Current Role with Respect to Vehicle Electronics

NHTSA recognizes that electronics systems are transforming the automobile and in the process giving rise to opportunities for making driving safer and to new demands for ensuring that vehicles operate in a safe manner. For example, NHTSA now requires that new vehicles possess certain safety-enhancing capabilities that only electronics can provide, such as electronic stability control intended to aid in rollover prevention. Similar safety regulations may be promulgated in the future as agency researchers evaluate and monitor the development status of other technologies for crash avoidance, such as automatic lane-keeping, crash-imminent braking, alcohol detection, and blind spot surveillance. Because of the use of electronics systems in managing and controlling more vehicle functions, NHTSA's Office of Defects Investigation (ODI) is observing more manufacturer recalls that involve software reprogramming and other fixes to electronics systems. This is to be expected as software-intensive electronics supplant more mechanical, electromechanical, and hydraulic systems.
The growth of electronics systems in vehicles is thus influencing all aspects of NHTSA's regulatory, research, and investigation activities. That influence will almost certainly grow and place new demands on all of these activities. Public apprehension about Toyota's ETC and its role in unintended acceleration revealed these changing demands in stark fashion. The ETC is a simple technology compared with the newer systems being introduced and envisioned for motor vehicles. As these electronics systems become more complex, capable, and interconnected with one another, not only will safety assurance demands grow but so too will the challenge of building and maintaining public confidence in their safe performance (see Finding 4.1).

Recommendations to NHTSA || 171

Box 6-1 Summary of Findings

The Electronics-Intensive Automobile

Finding 2.1: Electronics systems have become critical to the functioning of the modern automobile.

Finding 2.2: Electronics systems are being interconnected with one another and with devices and networks external to the vehicle to provide their desired functions.

Finding 2.3: Proliferating and increasingly interconnected electronics systems are creating opportunities to improve vehicle safety and reliability as well as demands for addressing new system safety and cybersecurity risks.

Finding 2.4: By enabling the introduction of many new vehicle capabilities and changes in familiar driver interfaces, electronics systems are presenting new human factors challenges for system design and vehicle-level integration.

Finding 2.5: Electronics technology is enabling nearly all vehicles to be equipped with event data recorders (EDRs) that store information on collision-related parameters as well as enabling other embedded systems that monitor the status of safety-critical electronics, identify and diagnose abnormalities and defects, and activate predefined corrective responses when a hazardous condition is detected.

Safety Assurance Processes for Automotive Electronics

Finding 3.1: Automotive manufacturers visited during this study—and probably all the others—implement many processes during product design, engineering, and manufacturing intended (a) to ensure that electronics systems perform as expected up to defined failure probabilities and (b) to detect failures when they occur and respond to them with appropriate containment actions.

Finding 3.2: Testing, analysis, modeling, and simulation are used by automotive manufacturers to verify that their electronics systems, the large majority of which are provided by suppliers, have met all internal specifications and regulatory requirements, including those relevant to safety performance.

Finding 3.3: Manufacturers face challenges in identifying and modeling how a new electronics-based system will be used by the driver and how it will interface and interact with the driver.

Finding 3.4: Automotive manufacturers have been cooperating through the International Organization for Standardization to develop a standard methodology for evaluating and establishing the functional safety requirements for their electronics systems.

NHTSA Vehicle Safety Programs

Finding 4.1: A challenge before NHTSA is to further the use and effectiveness of vehicle technologies that can aid safe driving and mitigate hazardous driving behaviors and to develop the capabilities to ensure that these technologies perform their functions as intended and do not prompt other unsafe driver actions and behaviors.

Finding 4.2: NHTSA's Federal Motor Vehicle Safety Standards (FMVSSs) are results-oriented and thus written in terms of minimum system performance requirements rather than prescribing the means by which automotive manufacturers design, test, engineer, and manufacture their safety-related electronics systems.

Finding 4.3: Through the Office of Defects Investigation (ODI), NHTSA enforces the statutory requirement that vehicles in consumer use not exhibit defects that adversely affect safe vehicle performance.

Finding 4.4: NHTSA refers to its vehicle safety research program as being "data driven" and decision-oriented, guided by analyses of traffic crash data indicating where focused research can further the introduction of new regulations and vehicle capabilities aimed at mitigating known safety problems.

Finding 4.5: NHTSA regularly updates a multiyear plan that explains the rationale for its near-term research and regulatory priorities; however, the plan does not communicate strategic considerations, such as how the safety challenges arising from the electronics-intensive vehicle may require new regulatory and research responses.

Finding 4.6: The Federal Aviation Administration's (FAA's) regulations for aircraft safety are comparable with the performance-oriented FMVSSs in that the details of product design and development are left largely to the manufacturers; however, FAA exercises far greater oversight of the verification and validation of designs and their implementation.

Finding 4.7: The U.S. Food and Drug Administration's (FDA's) and NHTSA's safety oversight processes are comparable in that they combine safety performance requirements as a condition for approval with postmarketing monitoring to detect and remedy product safety deficiencies occurring in the field. FDA has established a voluntary network of clinicians and hospitals known as MedSun to provide a two-way channel of communication to support surveillance and more in-depth investigations of the safety performance of medical devices.

NHTSA Initiatives on Unintended Acceleration

Finding 5.1: NHTSA has investigated driver complaints of vehicles exhibiting various forms of unintended acceleration for decades, the most serious involving high engine power indicative of a large throttle opening.

Finding 5.2: NHTSA has most often attributed the occurrence of unintended acceleration indicative of a large throttle opening to pedal-related issues, including the driver accidentally pressing the accelerator pedal instead of the brake pedal, floor mats and other obstructions that entrap the accelerator pedal in a depressed position, and sticking accelerator pedals.

Finding 5.3: NHTSA's rationale for attributing certain unintended acceleration events to pedal misapplication is valid, but such determinations should not preclude further consideration of possible vehicle-related factors contributing to the pedal misapplication.

Finding 5.4: Not all complaints of unintended acceleration have the signature characteristics of pedal misapplication; in particular, when severe brake damage is confirmed or the loss of braking effectiveness occurs more gradually after a prolonged effort by the driver to control the vehicle's speed, pedal misapplication is improbable, and NHTSA reported that it treats these cases differently.

Finding 5.5: NHTSA's decision to close its investigation of Toyota's ETC as a possible cause of high-power unintended acceleration is justified on the basis of the agency's initial defect investigations, which were confirmed by its follow-up analyses of thousands of consumer complaints, in-depth examinations of EDRs in vehicles suspected to have crashed as a result of unintended acceleration, and the National Aeronautics and Space Administration's examination of the Toyota ETC.

Finding 5.6: The Vehicle Owner's Questionnaire consumer complaint data appear to have been sufficient for ODI analysts and investigators to detect an increase in high-power unintended acceleration behaviors in Toyota vehicles, to distinguish these behaviors from those commonly attributed to pedal misapplication, and to aid investigators in identifying pedal entrapment by floor mats as the likely cause.

Finding 5.7: ODI's investigation of unintended acceleration in Toyota vehicles indicated how data saved in EDRs can be retrieved from vehicles involved in crashes to supplement and assess other information, including circumstantial evidence, in determining causal and contributing factors.

NHTSA does not regulate vehicle electronics directly. Through its Federal Motor Vehicle Safety Standards (FMVSSs), the agency requires that vehicles have certain safety-critical features and capabilities and that they perform to certain levels (see Finding 4.2). The regulatory emphasis on system performance rather than design is evidenced by the fact that the throttle control system in some vehicles might still rely on mechanical links from the accelerator pedal to the throttle, whereas others may make this connection through an ETC consisting of sensors, wires, computers, and motorized actuators. Since NHTSA does not require a specific design, it does not require, advise on, or evaluate the methods used by automotive manufacturers in design-specific areas such as corrosion testing, electromagnetic compatibility, resistance to vibrations, or software integrity. For the most part, NHTSA's FMVSSs do not address such aspects of product assurance, which are left to the manufacturer to decide.

Furthermore, the FMVSSs do not cover the vast majority of systems that are in today's vehicles, much less all electronics systems. Only a fraction of the electronics systems in the modern automobile are intended to provide an FMVSS-regulated safety capability. The manufacturer, therefore, is responsible for ensuring that these other systems do not create safety hazards through their design or interaction with safety-critical vehicle systems. For example, the FMVSSs require that certain vehicle control mechanisms, such as the gearshift lever, be located within safe reach of the driver, but the regulations are silent about similar controls for nonsafety features such as the radio and navigation system.
NHTSA does not provide specific guidance or standards for the design of these unregulated systems with regard to safety. Similarly, the FMVSSs do not prescribe how electronics and other systems must be designed to avoid interfering with the functioning of systems that are intended to meet an FMVSS, such as keeping an entertainment system from interfering with the required performance of wipers.

NHTSA enforces the use of safe system designs and compels effective safety assurance by manufacturers through its compliance testing program and defect surveillance and investigation activities (see Finding 4.3). Moreover, ODI's scope of interest is much wider than enforcing compliance with FMVSSs; it can monitor, investigate, and seek remedies for any vehicle-related deficiency considered to be harmful to public safety. ODI's investigation of floor mats as a possible cause of unintended acceleration and its influence over Toyota in recalling millions of its vehicles for pedal entrapment demonstrate ODI's wider scope of interest and authority.

NHTSA's vehicle safety research programs are focused on supporting agency decision making, particularly regulatory decisions (see Finding 4.4). This emphasis is consistent with the agency's mission of addressing known traffic safety problems while it avoids entanglement in the specific technological means by which automotive manufacturers meet the FMVSSs. Agency researchers do not generally develop technologies.[1] Instead, they examine emerging technologies to advise regulators on whether new safety-enhancing vehicle capabilities are technically feasible and could thus be required. The agency assumes that manufacturers will undertake the requisite research to obtain the design and engineering knowledge to establish appropriate safety precautions for their products.

[1] NHTSA research has led to the development of some technologies used by the automotive industry, such as instrumented crash-test dummies used by automotive manufacturers during vehicle development and testing.

Keeping Pace with the Safety Assurance Challenges Arising from Vehicle Electronics

As electronics systems proliferate in vehicles, it is reasonable to ask whether NHTSA's oversight and regulatory approach will need to be adjusted to keep pace with the safety assurance challenges these systems present. The ETC experience may be a harbinger of the demands to come. The fact that NHTSA was subjected to and could not respond convincingly to public concerns about Toyota's ETC and needed to enlist the technical expertise of the National Aeronautics and Space Administration indicates how demands on the agency's programs are changing. The committee cannot predict the extent to which NHTSA's vehicle safety programs will need to be supplemented over time with new resources, competencies, and infrastructure as electronics continue to take over more vehicle controls. The findings in this study suggest that NHTSA will need to know more about how manufacturers design safety and security into electronics systems, monitor vehicles for evidence of safety deficiencies that may have new hallmarks, and investigate and test for problems in systems that may leave little physical evidence from which to assess their cause. The remainder of this section discusses the implications of the proliferation of electronics systems for NHTSA oversight and engagement.

The controversy over whether ETCs caused unintended acceleration and the general trend toward increasing use of electronics systems for vehicle controls have raised questions about whether NHTSA should exert more influence over the safety assurance processes followed by industry.[2] Although it is not an immediate option, NHTSA could move to regulate these processes by establishing or approving testing methods used for electronic control systems and their components, such as testing for resistance to electromagnetic disturbances or software coding integrity. Such in-depth oversight appears to be unlikely. It is difficult to see how NHTSA could obtain the capacity for identifying suitable testing methods in light of the wide variability in the way manufacturers design and engineer vehicle systems. A more foreseeable option is for NHTSA to require that automobile manufacturers provide evidence that they have followed rigorous safety assurance processes during the design, development, and manufacture of electronics systems having implications for vehicle safety.

[2] See "Response by Toyota and NHTSA to Incidents of Sudden Unintended Acceleration." Hearing before the U.S. House of Representatives Committee on Energy and Commerce, Subcommittee on Oversight and Investigations, February 23, 2010.

Chapter 3 reviews how automotive manufacturers seek to ensure the safe performance of their electronics systems. This study could not assess the quality of these processes or how well they are executed. Nevertheless, Chapter 3's review suggests that automotive manufacturers use many of the same fundamental processes for safety assurance and that they are systematic and carefully thought through (see Findings 3.1, 3.2, and 3.3). The processes consist of measures intended to guard against failures up to defined risk probabilities and to detect and respond to failures that do occur. Their design relevance and the system-level structure of these processes suggest the futility of NHTSA (or any other regulator) prescribing specific testing methods, preventive measures, fail-safe strategies, or other assurance processes.

The closest example of a regulatory agency having such hands-on safety assurance responsibility in the U.S. Department of Transportation is the Federal Aviation Administration's (FAA's) oversight of aircraft development and manufacturing. Even FAA recognizes the impracticality of prescribing specific design and testing processes. Instead, the agency's emphasis is on requiring manufacturers to demonstrate that they have established robust and carefully followed safety assurance systems. These assurance systems can be examined in depth by FAA because aircraft manufacturers must apply to the regulatory agency for approval to build a new aircraft type. Accordingly, FAA verifies and certifies that aircraft manufacturers have instituted sound safety assurance systems through preapproval of plans and reviews of their implementation. To facilitate compliance, FAA advises manufacturers to follow certain preapproved processes for aspects of product development, including safety assurance standards developed by industry.

FAA's approach to safety oversight requires significant resources and authorities (see Finding 4.6). Although the agency designates senior engineers from aircraft manufacturers to fulfill many of the detailed document reviews and inspections that make up the certification process, FAA staff must review the most significant process elements. As discussed in Chapter 4, FAA has a major unit, the Aircraft Certification Service, dedicated to this function and housed in more than two dozen offices across the country and abroad. The Aircraft Certification Service requires a large cadre of test pilots, manufacturing inspectors, safety engineers, and technical specialists in key disciplines such as flight loads, nondestructive evaluation, flight management, and human factors. For NHTSA to engage in similar regulatory oversight would represent a fundamental change in the agency's regulatory approach and would require justification and substantial resources. The introduction of autonomous vehicles, as envisioned in some intelligent vehicle concepts, could one day provide the grounds for NHTSA to adopt an oversight approach with elements modeled after those of FAA. At the moment, the justification for such a fundamental change in the way NHTSA regulates automotive safety is not evident, nor is such a change in regulatory direction a foreseeable prospect.

The near-term prospect is an effort to establish a consensus standard through the International Organization for Standardization (ISO) intended to guide automotive manufacturers as they develop their safety assurance processes, particularly for electronics systems affecting vehicle safety and control functions (see Finding 3.4). The pending standard, ISO 26262, will not prescribe the specific content of each manufacturer's safety assurance regime. However, it will compel subscribers to follow steps ensuring that the safety implications of electronics systems are well identified, analyzed for risks, and the subject of appropriate risk management actions. How influential this voluntary standard will become is not yet known, but many manufacturers selling vehicles and automotive equipment in the United States appear to be intent on following its guidance in whole or in large part.

Whether widespread industry adherence to a process-based standard like ISO 26262 will lead to safer-performing vehicle electronics will depend to a large extent on the adequacy of existing manufacturer assurance processes and the degree to which manufacturers change their processes in response to the standard's guidance. The industry's apparent intention to follow ISO 26262 may give NHTSA greater confidence that manufacturers are striving to keep abreast of the challenges associated with electronics. Even if the agency does not endorse or require adherence to the standard, NHTSA will have a keen interest in ensuring the standard's safety effectiveness if many automotive manufacturers choose to follow it.

As a general matter, the committee recommends that NHTSA become more familiar with and engaged in standard-setting and other efforts involving industry that are aimed at strengthening the means by which manufacturers ensure the safe performance of their automotive electronics systems (Recommendation 1). In the committee's view, such cooperative efforts represent an opportunity for NHTSA to gain a stronger understanding of how manufacturers seek to prevent safety problems through measures taken during product design, development, and fabrication. By engaging in these efforts, the agency will be better able to influence industry safety assurance and recognize where it can contribute most effectively to strengthening such preventive measures. The introduction of ISO 26262 represents a potential opportunity for NHTSA to engage and collaborate with industry. As manufacturers reassess and adjust their safety assurance processes in response to the ISO standard and other industry-level guidance, many will undoubtedly need more information and analysis.
Some will have research needs that NHTSA may be able to help meet. In the committee's view, support for this industry research can be a practical means by which NHTSA engineers and other personnel can increase their familiarity with industry safety assurance processes. Box 6-2 gives examples of where collaborative research and analysis supported by NHTSA may contribute to the strengthening of industry safety assurance processes and to the agency's own technical knowledge and competencies.

Exploration of other means by which NHTSA can interact with industry in furthering electronics safety assurance will also be important. Exploiting a range of opportunities will be critical in the committee's view, because NHTSA cannot be expected to hire and maintain personnel having all of the specialized technical expertise and design knowledge relevant to the growing field of automotive electronics. As a starting point for obtaining access to this expertise, the committee recommends that NHTSA convene a standing technical advisory panel comprising individuals with backgrounds in the disciplines central to the design, development, and safety assurance of automotive electronics systems, including software and systems engineering, human factors, and electronics hardware. The panel should be consulted on relevant technical matters that arise with respect to all of the agency's vehicle safety programs, including regulatory reviews, defect investigation processes, and research needs assessments (Recommendation 2).

Box 6-2 Candidate Research and Analysis to Inform Industry Safety Assurance Processes

• Review state-of-the-art methods used within and outside the automotive industry for detecting, diagnosing, isolating, and responding to failures that may arise from multiple, intermittent, and timing faults in safety-critical vehicle electronics systems.

• Survey and identify the sources, characteristics (e.g., levels, frequency range), and probability of occurrence of electromagnetic environments produced by other vehicles (e.g., radar transmitters), on-board consumer devices (both emissions and intentional transmissions), and other electromagnetic sources in the vicinity of the roadway (e.g., commercial radio stations, military radar systems). Study the potential operating impacts of these exposures on safety-critical vehicle electronics by consulting with experts in electromagnetic compatibility and by seeking their advice on design, testing, and control strategies relating to functional safety.

• Explore the feasibility and utility of a remote or in-vehicle system that continually logs the subsystem states, network traffic, and interactions of the vehicle and its electronics systems and is capable of saving relevant data for querying in response to unexpected vehicle behaviors.

• Examine security vulnerabilities arising from the increase in remote access to and interconnectivity of electronics systems that can compromise safety-critical vehicle capabilities such as braking, exterior lighting, speed control, and steering. Review ways of reducing these vulnerabilities. Among the possibilities to examine are means to isolate safety-critical components, to restrict network access, and to use security engineering approaches such as improving code robustness and scheduling authenticated software updates.

• Examine the implications of electronics systems for the means by which automotive manufacturers are complying with the intent of the FMVSSs, how changes in technology could both aid and complicate compliance with the regulations, and how the regulations themselves are likely to affect technological innovation.

• Assess driver response to nontraditional controls enabled by electronic interfaces, such as push-button ignition design systems, and the degree to which differences among vehicles may confuse and delay responses in time-pressured and emergency situations.

• Examine driver interaction with the vehicle as a mixed initiative system using simulator and naturalistic driving studies to assess when designers' assumptions of drivers' responses diverge from drivers' expectations of system operation. Vehicle electronics that take the initiative in monitoring the roadway and controlling the vehicle might fundamentally change the demands placed on the driver and driver expectations with regard to vehicle behavior. Such studies should address the potential for multiple sources of information and warnings to distract and overload drivers, as well as the tendency for increasingly sophisticated vehicle automation to lead drivers to entrust more responsibility for driving to the vehicle than the designers intend.

• Collaborate with the automotive industry in developing effective methods for communicating the operational status of vehicle electronics to the driver. Examine how drivers interpret dashboard indicator icons and their suitability for conveying the operational status of more complex vehicle systems, such as indicating changes in vehicle behavior associated with the "limp home." While advances in display media, such as liquid crystal displays, are allowing the use of more elaborate warning icons and messages to communicate vehicle status, research can help develop a common "language" to ensure that drivers understand the intended message.

Strengthening Capabilities for Defect Surveillance and Investigation

ODI's role in monitoring the fleet for safety defects and ensuring that automotive manufacturers correct them quickly and effectively is an important part of NHTSA's safety mission (see Finding 4.3). As noted earlier, ODI's defect surveillance and investigation authorities go well beyond identifying deficiencies that pertain to the specific requirements of FMVSSs. ODI has authority to monitor, investigate, and seek remedies for any vehicle-related deficiency considered to be harmful to public safety. This postmarket safety monitoring capability has always been important to NHTSA, since it cannot assess all of the preventive and fail-safe measures that manufacturers implement during system design and manufacturing. Such measures will likely become even more complex as electronics functions grow.
Access to timely information on the behaviors and conditions exhibited by vehicles is vital to ODI's ability to monitor for safety deficiencies, identify vehicles warranting further investigation, and assess the prevalence and consequences of a vehicle safety deficiency (see Finding 4.3). The main data available to ODI for these purposes are the safety complaints lodged on an ongoing basis through the agency's Internet- and telephone-based Vehicle Owner's Questionnaire (VOQ). Among the challenges ODI's analysts face in examining VOQs is that much of the information vital for assessing vehicle conditions and their causes can be found only in the narrative section of the form, if the information is conveyed at all. Because the VOQ does not have a field in which consumers can choose from a common set of vehicle behaviors such as hesitation, high idling, and degraded braking, ODI analysts must review and manually categorize the relevant information conveyed in each complaint narrative. Even when they are aided by computer text searches, such manual analyses can be time-consuming and overlook trends and relationships that more quantitative analytic methods might detect. ODI investigators also reported to the committee that the proliferation of electronics systems in vehicles is creating new challenges for "trouble shooting" the vehicle behaviors that are detected through consumer complaints and other means.

Among the other data ODI has at its disposal for defect analysis and investigation are the quarterly submissions by manufacturers on warranty repairs, vehicles produced, claim notices, consumer complaints, and field investigation reports as required by the Early Warning Reporting (EWR) provisions of the Transportation Recall Enhancement, Accountability, and Documentation Act of 2000.[3] These data were originally intended to aid ODI with defect surveillance. Because the reports are submitted by manufacturers only four times per year, they may not provide the desired early information for detecting safety problems in their incipiency.[4] However, once a vehicle defect or safety problem is suspected through complaints analysis or other means, the EWR data can serve a supplemental or corroborating role (for example, by enabling investigators to check for indications of problems by consulting warranty repair data) (see Finding 5.6). To obtain more in-depth information such as more detailed warranty and parts records, ODI can query the manufacturer, as it did when it examined Toyota's ETC.

[3] Public Law 106-414. The law also requires manufacturers to make a report to NHTSA within 5 days of the time a safety defect is identified and a recall initiated.
[4] ODI briefing to committee, June 30, 2010.

As discussed in Chapter 4, the U.S. Food and Drug Administration (FDA) needs detailed data for monitoring and investigating the safety performance of medical devices. FDA has established a network of hospital administrators and clinicians who volunteer more detailed information on device performance. According to FDA officials who met with the committee, the network is designed to provide timely and detailed information for both safety surveillance and more thorough defect investigations. The agency can query network participants for information on the performance of devices under investigation, and participants regularly submit device performance information to FDA's surveillance program, including reports on safety-related "close calls." This industry-assisted monitoring network may provide a model for NHTSA to follow in obtaining more detailed information on the safety performance of electronics (see Finding 4.7).

During the Toyota ETC investigation, ODI was substantially aided by the availability of information on the actions of the driver and the status of the vehicle obtained from vehicle event data recorders (EDRs) (see Findings 2.5 and 5.5). These data, including recordings of the brake status and accelerator pedal position, were used to supplement and corroborate other information obtained during crash investigations, such as eyewitness accounts, the driver's stated actions, vehicle inspections, and physical evidence from the crash scene.

Because most new vehicles are equipped with EDRs, their utility for crash investigations is likely to grow, and they may be helpful in assessing whether new electronics systems have mitigated or contributed to a crash.[5] However, most EDRs only save data in the event of a crash that triggers an air bag deployment or vehicle accelerations in multiple directions. EDR data are thus not available for the investigation of less serious crashes or the thousands of consumer complaints alleging unsafe vehicle behaviors, including most cases of unintended acceleration, that do not result in crashes. To aid investigations into these cases, a recorder would need to log data continually and capture more aspects of the vehicle's subsystem states and network traffic, and perhaps save the data in response to a detected unusual vehicle condition or behavior or even on request by the driver.
The committee believes that ODI will need to seek ways to strengthen its capabilities and processes for defect monitoring, analysis, and investi- gation in response to the increasing use of electronics systems in automo- biles. Accordingly, the committee recommends that NHTSA undertake a comprehensive review of the capabilities that ODI will need in moni- toring for and investigating safety deficiencies in electronics-intensive vehicles. A regular channel of communication should be established between NHTSAâs research program and ODI to ensure that (a) recur- rent vehicle- and driver-related safety problems observed in the field are the subjects of research and (b) research is committed to furthering The utility of EDR data for crash investigations will also be affected by legal issues governing investiga- 5 tor access to the stored data.
Recommendations to NHTSA || 185 ODIâs surveillance and investigation capabilities, particularly the detail, timeliness, and analyzability of the consumer complaint and early warning data central to these capabilities (Recommendation 3). In keeping with this recommendation, the committee believes that NHTSA should consider dedicating research to support improvements in ODIâs surveillance and investigative processes and capabilities. Research to identify ways to improve the quality and timeliness of consumer com- plaint data; the tools and methods used by ODI to analyze these data; and the skill sets and testing infrastructure needed by analysts and inves- tigators to support defect surveillance, analysis, and assessment should be considered. Several candidate research and analysis topics for these purposes are given in Box 6-3. reACTioN To NHTSAâs propoSeD NexT STepS NHTSA (2011) identified a number of rulemaking and research initia- tives that appear to have been influenced by the recent experience with unintended acceleration. They include plans to consider the following: â¢ A rulemaking that would mandate the installation of EDRs on all light-duty vehicles and a proposal to consider future enhancements of EDR capabilities and applicability, â¢ An update of the accelerator control standard (FMVSS 124) examin- ing revisions of performance test procedures for ETC-equipped vehi- cles and a requirement that systems be installed that can override the throttle through brake application, â¢ An update of the standard governing keyless ignitions (FMVSS 114) examining revisions that may be needed to ensure that drivers are able to turn off the engine in the event of an on-road emergency,6 and â¢ Pedal-related research that would examine pedal placement and spac- ing practices to prevent entrapment or misapplication. 
On December 12, 2011, NHTSA issued a Notice of Proposed Rulemaking to address safety issues arising 6 from keyless ignition controls and their operation (Docket No. NHTSA-2011-0174) (Federal Register, Vol. 76, No. 238).
Box 6-3 Candidate Research and Analysis to Support ODI Capabilities and Functions

• Examine modifications to the VOQ that can make it more useful to ODI analysts and investigators by facilitating the ability of consumers to convey the vehicle conditions and behaviors they experience more precisely and by making the information more amenable to quantitative evaluation. Consideration might be given to new features in the online questionnaire, such as drop-down menus with condition choices or uploading capabilities, that can make the questionnaire easier to complete and provide drivers more opportunity to convey details on the vehicle and its condition and behavior.
• In collaboration with manufacturers, examine a cross section of safety-related recalls whose cause was attributed to deficiencies in electronics or software and identify how the defects escaped verification and safety assurance processes. The examination should seek to identify weaknesses in these processes and means by which they have been strengthened.
• Investigate and make recommendations on ways to obtain more timely and detailed EWR-type data for defect surveillance and investigation. For example, consideration might be given to the creation of a voluntary network of automotive dealers and major repair centers to which ODI can turn for more timely and detailed vehicle servicing, repair, and parts data for defect monitoring and investigation. FDA's network for obtaining safety performance data on medical devices might serve as a model. To the extent that NHTSA can make use of current dealer–original equipment manufacturer networks for this data-gathering purpose, the inflexibilities associated with mandated data reporting systems such as the EWR could be reduced. NHTSA's Crash Injury Research Engineering Network program for collecting data for research on crash injuries offers another potential conceptual model for a collaborative forum.
• Examine how the data from consumer complaints of unsafe experiences in the field can be mined through electronic means and how the complaints might offer insight into safety issues that arise from human–systems interactions. Explore how these issues may be changing with the introduction and expansion of vehicle electronics systems.

The committee is not in a position to know where these initiatives should rank among NHTSA's research and rulemaking priorities. Nevertheless, the committee concurs with NHTSA's intent to ensure that EDRs be commonplace in new vehicles and recommends that the agency pursue this outcome, recognizing that the utility of more extensive and capable EDRs will depend in large part on the extent to which the stored data can be retrieved for safety investigations (Recommendation 4). NHTSA's stated plan is to consider "future enhancements" to EDRs, which is particularly intriguing for the following two reasons. First, failures in electronics systems, including those related to software programming, intermittent electrical faults, and electromagnetic disturbances, may not leave physical traces to aid investigations into the causes of failures. Second, mistakes by drivers also may not leave a physical trace, even if these errors result in part from vehicle-related factors such as startling vehicle noises or unexpected or unfamiliar vehicle behaviors. The absence of such physical evidence has hindered investigations of the ETC's role in unintended acceleration and may become even more problematic as the number and complexity of automotive electronics systems grow. Advanced data recording systems may help counter some of these problems if the data can be accessed by investigators.
In the committee's view, the utility and feasibility of equipping vehicles with more advanced data-recording systems that can log a wider range of data warrant further study and are thus among the candidate research topics identified in Box 6-2. The committee also endorses NHTSA's stated plan to conduct research on pedal design and placement and keyless ignition design requirements but recommends that this research be a precursor to a broader human factors research initiative in collaboration with industry and that the research be aimed at informing manufacturers' system design decisions (Recommendation 5). A number of examples of research that could be pursued through such a program are given in Box 6-2.

STRATEGIC PLANNING TO GUIDE FUTURE DECISIONS AND PRIORITIES

The four priority items above represent specific agency responses to the events surrounding unintended acceleration. The next priority plan may list more such items, some in response to newly arising safety concerns. Asked to advise NHTSA on its rulemaking, research, and resource priorities, the committee questions the wisdom of recommending the addition to this list of more narrowly construed initiatives and whether doing so would be at odds with the agency developing an effective longer-term strategy for meeting the safety demands arising from vehicle electronics. The committee notes that the current priority plan describes the Office of Vehicle Safety as being "currently in the process of developing a longer-term motor vehicle safety strategic plan that would encompass the period 2014 to 2020" (NHTSA 2011, 1). Presumably, this strategic plan could provide a road map for NHTSA's decisions with regard to the safety oversight challenges arising from the electronics-intensive vehicle; however, the plan's status and purpose have not been articulated.

The committee believes that strategic planning is fundamental to sound decision making and thus recommends that NHTSA initiate a strategic planning effort that gives explicit consideration to the safety challenges resulting from vehicle electronics and that gives rise to an agenda for meeting them. The agenda should spell out the near- and longer-term changes that will be needed in the scope, direction, and capabilities of the agency's regulatory, research, and defect investigation programs (Recommendation 6). Some of the key elements of successful strategic planning are outlined in Box 6-4. In the committee's view, it is vital that the planning be (a) prospective in considering the safety challenges arising from the electronics-intensive vehicle, (b) introspective in considering the implications of these challenges for NHTSA's vehicle safety role and programs, and (c) strategic in guiding critical decisions concerning matters such as the most appropriate agency regulatory approaches and associated research and resource requirements. The strategic planning process will put NHTSA in a better position to address and make decisions about matters such as the following:

• Whether the agency's regulatory role should be modified to take into account the safety assurance processes followed by automotive manufacturers during product development. For example, the advantages and disadvantages of urging or requiring manufacturers to demonstrate that they are implementing rigorous safety assurance as part of the design, development, and manufacturing of electronics systems that affect safety-critical functions should be examined.
• How NHTSA's research can be broadened to go beyond the provision of mostly technical support for regulatory decisions to (a) provide similar support for ODI as it seeks to strengthen its safety surveillance, investigation, and data availability and analysis capabilities and (b) help meet the shared research needs of automotive manufacturers as they seek to improve their safety assurance processes. Such strategic planning would provide an opportunity for NHTSA to consider the nature of the research it undertakes, what should be encompassed by its research in the future, and the methods that are used to identify key research needs.
• The most appropriate means by which NHTSA can consult and interact more effectively with automotive manufacturers to (a) identify the safety assurance challenges arising from vehicle electronics, (b) understand how industry is working to meet these challenges, and (c) facilitate collaboration and cooperation among manufacturers and NHTSA.

The committee further recommends that NHTSA make development and completion of the strategic plan a top goal in its coming 3-year priority plan. NHTSA should communicate the purpose of the planning effort, define how it will be developed and implemented commensurate with advice in this report, and give a definite time frame for its completion. The plan should be made public so as to guide key policy decisions—from budgetary to legislative—that will determine the scope and direction of the agency's vehicle safety programs (Recommendation 7).

The long-term importance of strategic planning is obvious: the technological transformation of the automobile will continue, and being prepared for more safety concerns that arise rather than reacting to them will become increasingly important. As electronics systems proliferate, NHTSA will be called on to investigate suspected safety deficiencies in them, but it can ill afford to explore potential vulnerabilities in the same extraordinary manner that it did for Toyota's ETC.

Box 6-4 Elements of a Strategic Planning Process

In the committee's view, the following are fundamental to strategic planning:

• Involved and supportive management led by senior staff,
• Cross-functional participation from throughout the organization,
• Third-party facilitation and other influential outside participants,
• The expectation that the process will take time and effort and not be completed in one or two meetings, and
• Regular updates made available to the public and decision makers.

The following are key process elements:

• Define the agency mission and principal agency activities
• State goals and desired outcomes
• Assess the external environment. The following are example considerations:
  – Who are the prime "customers" of the agency?
  – What are their expectations, and are they changing?
  – How is the technology of the automobile changing fundamentally, and how is this affecting the agency in fulfilling its mission or role?
  – How will technology continue to change?
  – Which external organizations have a major impact on the agency's functioning, and what is the agency's relationship with them?
  – What data are important in executing the agency's role effectively?
  – How can technology changes, such as the Internet and its instant communications, be expected to affect the agency, positively and negatively?
  – How might adversaries utilize the vehicle fleet for harm? What can be done about it?
• Assess the agency. The following are example considerations:
  – What are the agency's strengths and weaknesses (unit by unit)?
  – Has the agency's role changed over the years? Has the agency adapted to those changes? How?
  – Is the agency's staffing of the various functions consistent with the needed activity level in those functions? Is it consistent with the technology level?
  – What are the strengths and weaknesses of the databases used by the agency in conducting its work? For example, what do the databases indicate in terms of changing reasons for recalls and changing corrective actions?
  – Is the agency using the technology of the Internet and modern information technology in general to enhance performance of its role?
  – What are the strengths and weaknesses of the agency's relationship with the industry it monitors and regulates?
  – What are the strengths and weaknesses of the FMVSSs in terms of the automotive technology of today and the future?
  – What are the strengths and weaknesses of agency research programs, including research staff levels and capabilities?
  – How does the agency compare with FAA and FDA with respect to staffing, relationship with the industry regulated, and effectiveness?
  – What have been the greatest agency successes and its greatest failures?
  – What does the agency consider to be critical factors for its success?
• Articulate the agency's key strategies and objectives going forward:
  – The agency's role and responsibilities redefined or reiterated clearly
  – An explicit strategy developed for how to adapt to the expected changes in technology
  – Goals set for the size, nature, and content of the research programs in support of agency goals
  – Goals set for the size and capabilities of the staff in its various units such as ODI
  – Improvement objectives established for the databases used in the work of the agency
  – Metrics defined to indicate the agency's performance of its defined roles and responsibilities
The committee observes that NHTSA researchers are working with the automotive industry, universities, and other government agencies to examine future crash avoidance concepts such as vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications systems. These systems will enable even greater vehicle autonomy and necessitate advancements in vehicle electronics that will go well beyond any systems now being deployed. In the same vein, changes in the division of functions between the driver and the vehicle will (a) present new demands for and interpretations of FMVSSs; (b) heighten the need for safety assurance processes that instill high levels of driver confidence in these systems; and (c) place new demands on ODI's defect surveillance, analysis, and investigation activities.
The technical and economic feasibility of V2V, V2I, and other intelligent transportation systems are not considered in this study. However, it is difficult to imagine NHTSA accommodating their introduction without adapting its regulatory, research, and investigation processes. The strategic planning recommended here is not of a scope that would allow the agency to prepare for the many implications associated with conceived future systems such as V2V and V2I. However, by engaging in strategic planning on an ongoing basis, NHTSA will be in a better position to meet the safety demands that such technological advancements are likely to bring. The recommendations to NHTSA in this report are contained in Box 6-5.

Box 6-5 Recommendations to NHTSA

Recommendation 1: The committee recommends that NHTSA become more familiar with and engaged in standard-setting and other efforts involving industry that are aimed at strengthening the means by which manufacturers ensure the safe performance of their automotive electronics systems.

Recommendation 2: The committee recommends that NHTSA convene a standing technical advisory panel comprising individuals with backgrounds in the disciplines central to the design, development, and safety assurance of automotive electronics systems, including software and systems engineering, human factors, and electronics hardware. The panel should be consulted on relevant technical matters that arise with respect to all of the agency's vehicle safety programs, including regulatory reviews, defect investigation processes, and research needs assessments.

Recommendation 3: The committee recommends that NHTSA undertake a comprehensive review of the capabilities that ODI will need in monitoring for and investigating safety deficiencies in electronics-intensive vehicles. A regular channel of communication should be established between NHTSA's research program and ODI to ensure that (a) recurrent vehicle- and driver-related safety problems observed in the field are the subjects of research and (b) research is committed to furthering ODI's surveillance and investigation capabilities, particularly the detail, timeliness, and analyzability of the consumer complaint and early warning data central to these capabilities.

Recommendation 4: The committee concurs with NHTSA's intent to ensure that EDRs be commonplace in new vehicles and recommends that the agency pursue this outcome, recognizing that the utility of more extensive and capable EDRs will depend in large part on the extent to which the stored data can be retrieved for safety investigations.

Recommendation 5: The committee endorses NHTSA's stated plan to conduct research on pedal design and placement and keyless ignition design requirements but recommends that this research be a precursor to a broader human factors research initiative in collaboration with industry and that the research be aimed at informing manufacturers' system design decisions.

Recommendation 6: The committee recommends that NHTSA initiate a strategic planning effort that gives explicit consideration to the safety challenges resulting from vehicle electronics and that gives rise to an agenda for meeting them. The agenda should spell out the near- and longer-term changes that will be needed in the scope, direction, and capabilities of the agency's regulatory, research, and defect investigation programs.

Recommendation 7: The committee recommends that NHTSA make development and completion of the strategic plan a top goal in its coming 3-year priority plan. NHTSA should communicate the purpose of the planning effort, define how it will be developed and implemented commensurate with advice in this report, and give a definite time frame for its completion. The plan should be made public so as to guide key policy decisions—from budgetary to legislative—that will determine the scope and direction of the agency's vehicle safety programs.
REFERENCE

Abbreviation
NHTSA National Highway Traffic Safety Administration

NHTSA. 2011. NHTSA Vehicle Safety and Fuel Economy Rulemaking and Research Priority Plan, 2011–2013. March. http://www.nhtsa.gov/staticfiles/rulemaking/pdf/2011-2013_Vehicle_Safety-Fuel_Economy_Rulemaking-Research_Priority_Plan.pdf.