June 14, 2012
German engineering ain’t what it used to be.
Melissa Marsala, a Mercedes owner from Cape Coral, Fla., was driving her 2001 ML430 at about 45 mph down a main thoroughfare, when her vehicle suddenly went into braking mode. The two vehicles behind her in the inner left lane slammed on their brakes to avoid a collision, and Marsala was able to ease the bucking vehicle onto the grassy median that divided the roadway.
“It terrified me,” Marsala recalled. “There was no reason for the brakes to engage. I was trying to come to a full stop but the car went boom-boom-boom-boom. It happened in an interval that was so quick. The car was skipping, smoke was coming off the wheel wells and you could smell the rubber burning. I veered it right into the median strip and it stopped itself.”
Those moments of sheer fright were courtesy of a malfunctioning yaw sensor – a problem primarily in the M-Class – well known to Mercedes, some M-class owners and the National Highway Traffic Safety Administration’s Office of Defects Investigation. In 2007, NHTSA opened and quickly closed a Preliminary Evaluation into sudden unintended braking involving about 100,000 MY 2000-2001 M-class vehicles, without taking any action.
In May of 2007, Mercedes explained it all away to ODI at a presentation in which the automaker simulated electrical faults in the yaw rate sensor and showed how “the ESP [Electronic Stability Program] system is programmed to diagnose electrical faults and that brake applications resulting from yaw rate sensor electrical faults are very short in duration (0.3 seconds or less) and don’t affect vehicle control or stability.” NHTSA’s Vehicle Research and Test Center was unable to duplicate the problem in a vehicle that had experienced multiple events; and ODI’s attitude was: no documented crashes, low complaint rate, no problem.
Tell that to Melissa Marsala and the other M-Class owners whose vehicles have been suddenly thrust into full braking mode with no warning to the driver.
The Mercedes 2007 presentation to NHTSA was not submitted to the public investigation file, so we can only guess at what it left out: Where is the failure analysis for that sensor? Where is the redundancy in this system – what independent signal does the ESP use to check the yaw rate sensor before it acts on its output? Did Mercedes make any software changes? A single sensor should not be able to seize control of a safety-critical function, like braking, during a routine drive. And how does ODI know that a fatal crash wasn’t caused by sudden braking? Post-crash, police officers have no way to determine whether a loss of control was caused by the electronics or by the driver if there are no surviving witnesses to the incident.
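As an added example, not code from the page, from Mercedes or from NHTSA: a sketch in C of the kind of cross-check that the ESP description above implies and that the redundancy question is really asking about. A naive controller treats the yaw rate sensor as truth, so an electrical fault on that one input becomes a brake command. The guarded version corroborates the sensor against an independent channel (the lateral accelerometer, since lateral acceleration is roughly speed times yaw rate in steady cornering), ignores any reading that fails the check, debounces a one-sample glitch, and latches the channel as faulty, with no further automatic braking, when the disagreement persists. The vehicle constants, tolerances, debounce count and the four driving traces are assumed illustrative values constructed for the example; a production ESP uses more signals, electrical range checks on the sensor itself and a far fuller vehicle model.

```c
#include <stdio.h>

/* Assumed, illustrative constants; not any manufacturer's calibration. */
#define WHEELBASE_M     2.8    /* wheelbase, m */
#define UNDERSTEER_K    0.002  /* understeer gradient, s^2/m^2 */
#define YAW_DEADBAND    0.10   /* rad/s of yaw error before the controller brakes */
#define PLAUS_TOL       0.10   /* rad/s gap tolerated between sensor and lat-acc estimate */
#define FAULT_DEBOUNCE  3      /* consecutive implausible samples before the fault latches */
#define N_SAMPLES       50     /* cycles in each constructed trace */

typedef struct {
    double yaw_meas;   /* yaw-rate sensor output, rad/s */
    double steer_rad;  /* road-wheel steer angle, rad (driver intent) */
    double speed_mps;  /* vehicle speed from wheel-speed sensors, m/s */
    double lat_acc;    /* lateral accelerometer, m/s^2 (independent channel) */
} Sample;

typedef struct {
    int implausible_run;  /* current run of uncorroborated samples */
    int fault_latched;    /* 1 once the yaw channel is declared faulty */
    int brake_cycles;     /* cycles in which automatic braking was commanded */
} EspState;

static double absd(double x) { return x < 0.0 ? -x : x; }

/* Driver-intended yaw rate from a single-track (bicycle) model. */
static double yaw_reference(double steer_rad, double v)
{
    return v * steer_rad / (WHEELBASE_M * (1.0 + UNDERSTEER_K * v * v));
}

/* Independent yaw estimate from lateral acceleration: a_y = v * r in steady cornering. */
static double yaw_from_lat_acc(double lat_acc, double v)
{
    return v > 1.0 ? lat_acc / v : 0.0;   /* undefined near standstill; report 0 */
}

/* Naive controller: trusts the sensor as-is, so an electrical fault becomes a brake command. */
void esp_step_naive(EspState *st, const Sample *s)
{
    double err = s->yaw_meas - yaw_reference(s->steer_rad, s->speed_mps);
    if (absd(err) > YAW_DEADBAND)
        st->brake_cycles++;
}

/* Guarded controller: corroborate the sensor against an independent channel,
 * debounce single glitches, and latch to a safe state (no intervention) on a
 * persistent disagreement.  A reading that fails the check is never acted on. */
void esp_step_guarded(EspState *st, const Sample *s)
{
    if (st->fault_latched)
        return;

    double est = yaw_from_lat_acc(s->lat_acc, s->speed_mps);
    if (absd(s->yaw_meas - est) > PLAUS_TOL) {
        if (++st->implausible_run >= FAULT_DEBOUNCE)
            st->fault_latched = 1;    /* would also light the ESP warning lamp */
        return;
    }
    st->implausible_run = 0;

    double err = s->yaw_meas - yaw_reference(s->steer_rad, s->speed_mps);
    if (absd(err) > YAW_DEADBAND)
        st->brake_cycles++;
}

enum { SC_STRAIGHT, SC_GLITCH, SC_STUCK, SC_SKID };

/* Builds a constructed trace (not recorded vehicle data) of straight driving at
 * 20 m/s and runs it through both controllers.  Returns the guarded controller's
 * brake cycles; the naive count and the latch flag come back through pointers. */
int run_scenario(int kind, int *naive_cycles, int *latched)
{
    EspState naive = {0, 0, 0}, guarded = {0, 0, 0};
    for (int i = 0; i < N_SAMPLES; i++) {
        Sample s = {0.0, 0.0, 20.0, 0.0};
        if (kind == SC_GLITCH && i == 10) s.yaw_meas = 1.0;         /* one-sample spike */
        if (kind == SC_STUCK)             s.yaw_meas = 1.0;         /* sensor stuck high */
        if (kind == SC_SKID) { s.yaw_meas = 0.4; s.lat_acc = 8.0; } /* real yaw, lat-acc agrees */
        esp_step_naive(&naive, &s);
        esp_step_guarded(&guarded, &s);
    }
    *naive_cycles = naive.brake_cycles;
    *latched = guarded.fault_latched;
    return guarded.brake_cycles;
}

int main(void)
{
    const char *names[] = {"straight", "glitch", "stuck", "skid"};
    for (int k = SC_STRAIGHT; k <= SC_SKID; k++) {
        int naive, latched;
        int guarded = run_scenario(k, &naive, &latched);
        printf("%-9s naive brakes %2d cycles, guarded brakes %2d cycles, fault latched: %d\n",
               names[k], naive, guarded, latched);
    }
    return 0;
}
```

The glitch trace is the case Mercedes described: the naive controller brakes for exactly the one cycle the sensor misreads, which is what "very short in duration" looks like from the driver's seat, while the guarded controller never acts on the uncorroborated sample. The caveat a practitioner would add is that a cross-check only detects a fault when the two channels disagree: a sensor frozen at zero during straight driving passes this check until the driver turns the wheel, which is why real systems also monitor the sensor's electrical range and offset and log the fault for the technician.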
The automotive industry continues its move further and further away from mechanical systems into a complex universe of sensors, circuit boards and microchips. NHTSA is preparing to regulate vehicle-to-vehicle communications systems. And the industry is moving closer and closer to autonomous cars – vehicles that don’t require drivers. We can’t help thinking that some important foundational pieces are missing in this rush. The federal regulatory agency governing automotive safety continues to trail the technology. We have no federal standards for the functional safety of automotive electronics. The agency’s most recent rulemaking in this area, a brake-throttle override requirement, was technologically feeble, if politically astute: it addresses only a mechanically stuck accelerator, not a failure inside the electronic throttle control itself.
In November 2011, the International Organization for Standardization (ISO) published ISO 26262, a functional safety standard for electrical and electronic systems in mass-produced passenger vehicles. This is a voluntary standard, meant to improve the reliability of increasingly complex electronic systems. It requires a hazard analysis and risk assessment during the design phase, in which each hazard is classified by severity, exposure and controllability into an Automotive Safety Integrity Level (ASIL) that sets the rigor of the development process, and it defines a safety lifecycle that runs from concept and development through production, operation, service and decommissioning, closed by an independent Functional Safety Assessment.
And in the absence of adherence to this new voluntary standard, the human driver is increasingly expected to act as the failsafe for failed electronics. This thought gives no comfort to Melissa Marsala. The original owner of the ML430, she handed it down to her teenage daughter to drive, believing that she was putting her daughter in a safe vehicle. She just happened to switch vehicles with her daughter that day so she could fill the tank. Marsala shudders to think about her daughter, a new driver, having to react to sudden bursts of braking at high speed.
“Right after it happened, I started researching and pulling all kinds of comment threads about this problem. When I saw that [NHTSA] closed the investigation, I was infuriated, because you compromised my daughter’s safety,” she says. “I’m very bitter right now. I’ve owned Mercedes before, but I won’t buy another one.”
By the July 2007 Closing Resume, NHTSA’s ODI had gathered 462 complaints – mostly warranty claims – and promised to keep an eye out for future complaints. A review of complaints reported to the agency since then shows 18 new consumer-reported incidents. They are remarkably consistent, although a few drivers reported that only one wheel braked unexpectedly, which poses a stability problem of its own, since braking a single wheel at speed pulls the vehicle toward that side.
At a 2004 industry conference, Mercedes-Benz’s vice president for electrical and electronics and chassis development, Stephan Wolfsried, “railed against the temptation to overload vehicles with electronic functions that are useless to the customer,” according to an Automotive News story. The German automaker had removed 600 electronic functions from its vehicles because of quality concerns that were damaging its reputation and ticking off its customers.
And what happens when the electronics are useful to the consumer? Many provide important safety functions, such as electronic stability control (now a required feature). In a world where electronics play a significant role in keeping motorists safer, isn’t it time to implement rules that ensure that when failures occur they don’t interfere with critical control systems?