Preventable Ford Airbag Death Touches off Latest Recalls

Another day, another episode of the long-running soap opera, All My Airbags. Last week, on the heels of the tenth death and the eve of an historic blizzard, the National Highway Traffic Safety Administration announced that another five million vehicles with defective Takata airbag inflators will be recalled. This recall will include driver’s side SDI-type airbag inflators in Ford vehicles.

We are now moving into the eighth year of recalls for a defect that first asserted itself to the Japanese supplier and its OEM customers in 2003. If you have become lost in the maze of inflator acronyms, Congressional hearings, rolling recalls and a Chinese menu of 13 root cause explanations, The Safety Record will draw you a map.

Takata combined a chemically volatile propellant with crappy manufacturing processes and little quality control to build a slow-release IED. Takata made many versions of its inflators, single-stage, dual-stage, and side inflators, each with its own acronym and recall variations. But they all have enough commonalities to be dangerous.

NHTSA, Safety-Crisis-Enabler-In-Chief, first investigated the problem in 2009, with a Recall Query probing Honda’s decision to radically expand its first, limited recall. But, the agency took Takata’s first explanation, and probed no further, despite Honda’s decision to launch second, third, and fourth Takata airbag recalls. It only took five more years before NHTSA officially declared itself unsatisfied with Takata’s root cause analyses. In 2014, the agency opened a Preliminary Evaluation and eventually began conducting its own tests. Meanwhile, the cancer has spread to 14 manufacturers and affected about 24 million vehicles, a number that is about to rise. In 2015, NHTSA decided this fiasco was too big to let the OEMs handle individually, and took over the whole show.

And that brings us to today. Despite the mind-numbing volume of replacement campaigns and an unprecedented regulatory intervention, the death of Joel Knight, a 52-year-old South Carolina man, demonstrated that all of the defective airbag inflators have not been added to the recall roster (let alone actually replaced) – yet. Knight died on December 22, at the wheel of a 2006 Ford Ranger, when he struck a cow in the roadway. The minor crash deployed the airbag, which ruptured with such force that a large metal shard severed his spinal cord. Knight should have walked away from that crash with nothing more than a story to tell at Christmas dinner.

The driver’s side airbag in Knight’s 2006 Ford Ranger was an SDI – a single-stage Smokeless Driver Inflator. This iteration had already ruptured with deadly force on July 27, 2014, killing a pregnant woman in Malaysia in her 2003 Honda City vehicle. That event caused Honda, and then Toyota, to recall in November 2014 more than 200,000 vehicles with SDI inflators in at least 61 countries.  Ford was the only OEM in the U.S. that had SDI inflators in a limited number of vehicles that included the 2004-2006 MY Rangers. But Ford did not join Honda and Toyota in recalling all of its SDI-inflator equipped vehicles, and the record shows an OEM with a distinct lack of urgency.

June 2014 – Ford launched a voluntary parts collection at NHTSA’s behest for inflator inspections and testing in four high humidity areas. Only four models – the 2004 Ranger (passenger-only); 2005-2007 Mustang (driver only); and 2005-2006 GT (passenger and driver) – originally sold in four locations – Florida, Hawaii, Puerto Rico, and the U.S. Virgin Islands — were included.

November 2014 – Again at NHTSA’s request, Ford added the SDI driver’s side inflators in 2004-2005 Rangers made in certain date ranges and originally sold in Florida, Hawaii, Puerto Rico, and the U.S. Virgin Islands.

December 2014 – Ford expanded its campaign for passenger inflators to include vehicles in Guam, Saipan, American Samoa, and parts of Alabama, Mississippi, Louisiana, Texas, and Georgia. They also launched a national recall for the PSDI-4 driver’s side inflators for the GT and Mustang vehicles which share some components with the SDI.

May 2015 – Ford expanded the Mustang driver recall to 2005-2014 model years, because Takata said all PSDI-4 inflators with batwing shaped propellant wafers could be dangerous.

June 2015 – Ford expanded its regional recall of 2004-2006 Ranger passenger inflators into a nationwide recall.

The sharp-eyed reader will notice: Ford never recalled the 2004-2005 MY Ranger with the SDI inflator – the same inflator type that ruptured in July 2014 with fatal consequences in Malaysia – beyond Florida, Hawaii, Puerto Rico and the U.S. Virgin Islands. The 2006 Ford Ranger with the same SDI inflator was never recalled at all.

And if that wasn’t bad enough, consider this: Honda and Toyota told NHTSA in November 2014 that the root cause of SDI inflator ruptures was Takata’s failure to control the propellant’s exposure to moisture during the manufacturing process. In fact, in 2013, five manufacturers – including Toyota and Honda – named moisture exposure during manufacture as a root cause in passenger inflator recalls. Meanwhile NHTSA, and Ford in numerous recall submissions and amendments, linked the problem to high absolute humidity in certain regions, and a scenario in which the defect presents itself after years of exposure to humidity that degrades the propellant, making it more vulnerable to over-pressurization when ignited.

On the one hand, you’re saying: Why didn’t Ford recall all of its vehicles with these inflators? It wasn’t that many. On the other hand, Ford’s saying: Why bother? It’s not that many vehicles. What are the odds? Unfortunately, Joel Knight found out.

Many want to claim that the Takata crisis was precipitated by a rogue supplier that hid information and altered data on its product problem. But this scenario, which now has become the largest recall in history, could not have unfolded for more than a decade without the OEMs enabling it and without a federal agency failing to question and investigate the many red flags set by years of rolling recalls and shifting explanations.

 

NHTSA Proposes to Affirm Canadian Underride Standard

Q: When’s the best time to pass a rule? A: When nearly everyone already complies! While it puts you at the trailing edge of safety, it diminishes the intensity of the opposition – so it’s all good. Such is the state of a National Highway Traffic Safety Administration proposal to upgrade the Federal Motor Vehicle Safety Standards 223 and 224, for rear impact guard and rear impact protection, respectively.

The agency is proposing to align the two U.S. standards with the eight-year-old Canadian standard for rear impact guards. The proposal represents the first major upgrade to the rear impact protection standards for trucks in 21 years. It has been so long since NHTSA has addressed the current standards’ weaknesses, that an estimated “93 percent of new trailers sold in the U.S. subject to FMVSS Nos. 223 and 224 are already designed to comply with CMVSS No. 223.”

The proposed upgrade would mandate that rear impact guards meet new strength requirements at several test locations. Specifically, the current quasi-static point load test at the area around the guard’s vertical support location would be replaced by a uniform distributed load test of 350,000 Newtons (N). The performance requirements would mandate the rear impact guard to resist the 350,000 N load without deflecting more than 125 mm, and absorb at least 20,000 Joules of energy within 125 mm of guard deflection. The proposal would also require that any portion of the guard and the guard attachments not completely separate from its mounting structure after completing the test.

What NHTSA did not do: lower the guard height from the current 22 inches, nor extend the standard’s applicability to currently excluded classes of truck configurations, such as wheels back trailers, pole trailers, logging trailers, low chassis trailers and specialty equipment trucks.

Russ Rader, of the Insurance Institute for Highway Safety, which has been pushing for better rear impact guards for nearly 40 years, and formally petitioned the agency in 2011 for an upgrade, said the proposal is “a good first step, because the Canadian standard is an improvement.”

“But our tests show that they could have gone a lot further,” he added. “The Canadian standard misses protection in some offset crashes, and we know that truck manufacturers can address that in a straightforward, inexpensive way and it’s not addressed in this proposal.”

A Brief Regulatory History

Rear guard protection has been a federal requirement since 1952, when the Bureau of Motor Carriers of the Interstate Commerce Commission (ICC) established regulation 393.86 which required heavy trucks, trailers, and semitrailers to be equipped with a rear-end protection device designed to help prevent underride. The regulation contained no specifics as to the device’s efficacy, but merely required the guard to be “substantially constructed and firmly attached.”

In 1967, the Federal Highway Administration, the precursor to NHTSA, attempted to begin a rulemaking to require a rear underride guard for trucks, buses and trailers, but industry fought off any substantive upgrade to the regulations for 44 years. In 1981, the agency published an NPRM amending the equipment requirement to a moderate strength guard that would permanently deform when subjected to a load of 45,000 pounds. The agency also proposed to extend the standard to most trucks and trailers with GVWR of more than 10,000 pounds, which would include heavy single-unit trucks. In the proposed rule, the rear impact guard could not have a ground clearance greater than 21.65 inches (55 cm). The trucking industry also heavily criticized this proposal, submitting more than 100 comments. In 1992, the agency responded by proposing to split the standard in two: one for the rear guard itself, and a separate standard for the vehicle.

In 1996, NHTSA published a final rule establishing two Federal Motor Vehicle Safety Standards (FMVSS) – 223, Rear Impact Guards, and 224, Rear Impact Protection. FMVSS 223, the equipment standard, specified strength requirements and compliance procedures for rear impact guards on semitrailers. FMVSS 224, the vehicle standard, specified mounting instructions and location specifications for those guards. The final rule retained the proposed 22" guard height. Single unit trucks were excluded from the requirements, because, the agency said, single unit trucks are far less likely to be involved in fatal accidents than combination trucks.

In 1998, the agency responded to some petitions for reconsideration and amended the Final Rule.

In the meantime, research by John E. Tomassoni, a former NHTSA safety standards engineer, demonstrated the inadequacy of the U.S. rules in a series of crash tests involving rear underride guards built to reflect the then-new rear impact protection standard. The work showed that underride guards that minimally complied with the new rule were effective at impact speeds of 30 mph. But in some of the tests, the underride magnitude was such that passenger compartment intrusion occurred – in some instances, the dummy head contacted the deformed occupant compartment. And, in 2002, Transport Canada conducted a series of tests using a 1998 Ford Windstar, a 1998 Chevrolet Cavalier, and a 1998 Honda Civic, to verify the performance of rear impact guards built under FMVSS 223/224. It found that “none of the minimally compliant guards were effective for all three vehicle types tested.” Transport Canada effectively upgraded its standard in 2007.

The IIHS petitioned the agency in 2011. In May 2014, Marianne Karth and the Truck Safety Coalition also petitioned NHTSA to require underride guards on single unit trucks and other vehicles excluded from the current standard and to improve the standards’ requirements for all guards. NHTSA granted both petitions in July 2014, saying that it would pursue rulemaking through an ANPRM pertaining to rear impact guards for single-unit trucks and “other safety strategies not currently required for those vehicles” and a separate NPRM to upgrade FMVSS Nos. 223 and 224.

In July 2015, the agency published the advanced notice of proposed rulemaking regarding underride protection for single unit trucks.

IIHS and Karth Petitions

The IIHS has been researching various aspects of the issue, from determining the scope of the problem to developing a new underride guard. In 1977, it launched a program to develop a lightweight and effective guard that might serve as a prototype. Researchers designed and tested two guards and concluded that it was feasible to achieve substantial improvements in underride protection without significant increases in the weight of underride protection devices.

IIHS also performed a series of crash tests to determine which underride guards perform better than others and under various crash speeds and configurations (head-on and off-set) and to determine what types of failures occurred.  Testing was done using the Chevy Malibu into trailers that were certified to Canadian and U.S. requirements.  In general the testing found that the Canadian guards performed significantly better, and that there are fundamental weaknesses in the guard attachments which don’t have to be tested as a whole system. 

In 2011, the IIHS petitioned the agency to upgrade the rear impact protection standards because “the current standards allow underride guard designs that fail catastrophically when struck by passenger vehicles at speeds that frequently produce minimal intrusion and injury risk in regulatory and consumer information frontal crash test programs.”

In support, the Institute used the Large Truck Crash Causation Study, a federal database of roughly 1,000 real-world crashes in 2001-03.  The organization examined crash patterns leading to rear underride of heavy trucks and semi-trailers with and without guards and found that underride was a common outcome of the 115 crashes involving a passenger vehicle striking the back of a heavy truck or semi-trailer. Only 22 percent of the crashes didn’t involve underride or had only negligible underride, which they indicated was consistent with prior studies. The study noted that “In 23 of the 28 cases in which someone in the passenger vehicle died, there was severe or catastrophic underride damage, meaning the entire front end or more of the vehicle slid beneath the truck.”

IIHS also pointed to the regulatory gaps that allow some heavy trucks to forgo guards altogether and if they are on trucks exempt from the regulations, the guards don’t have to meet 1996 rules for strength or energy absorption.

In its petition, the IIHS asked NHTSA to consider: substantially increasing the quasi-static force requirements; moving one of the test locations farther outboard to address offset crash protection; requiring that attachment hardware remain intact throughout the tests; requiring that guards be certified while attached to the trailers for which they are designed; investigating whether the maximum guard ground clearance can be reduced; and reducing the number of exempt truck and trailer types.

Marianne Karth became an activist for truck underride safety after a horrific underride crash that killed two of her nine children. In May 2013, Karth was on a Georgia highway approaching slowed traffic, when a semi trying to switch lanes hit the Karth vehicle in the rear, sending it underneath another tractor trailer.  Karth’s 17-year-old and 13-year-old daughters died in the crash.  One year later, Karth and the Truck Safety Coalition presented NHTSA with its petition and 11,000 signatories acquired online. Their petition asked for the Secretary of Transportation to raise the minimum level of insurance for truck drivers, for a final rule on electronic logging devices to reduce truck driver fatigue; and to improve the rear underride guard rules.

In July 2014, NHTSA granted the Karth petition without mentioning the IIHS at all. In July 2015, the agency published the separate ANPRM to consider conspicuity and rear impact guard standards for single unit trucks.

The Proposed Rule

According to the NPRM, NHTSA’s interest in improving this rulemaking goes back to 2009 when the agency evaluated a study showing that fatalities were still occurring in frontal crashes “despite high rates of seat belt use and the presence of air bags and other advanced safety features.” NHTSA’s review of cases in model year 2000 or newer vehicles in the Crashworthiness Data System of the National Automotive Sampling System found 14 percent were underrides into single unit trucks and trailers. In 2010, NHTSA published another study analyzing the effectiveness of trailer rear impact guards, which showed what Tomassoni demonstrated more than a decade earlier: FMVSS 223 and 224 rear impact guards had had no impact on fatality rates.

Now that the agency’s interest has been translated into action, it is only inclined to increase the force and energy absorption requirements without lowering the guard height or bringing other types of trucks into the standard. In the former case, NHTSA said that the issue was discussed extensively in 1996. Public comments, vehicle geometry, heavy vehicle operations, and crash test data led the agency to conclude that it would present an undue burden to industry. Apparently, it now is not the burden it was, because NHTSA now declines to decrease the guard height because “fleet data suggest that where possible, trailer manufacturers are voluntarily installing rear impact guards with ground clearances under 560 mm (22 inches).”

On the issue of extending the standard to other types of trucks, the agency said that its analysis showed that there are relatively few fatal rear-impact crashes involving the current excluded categories, such as wheels back trucks, and of those that do occur, many are at speeds that are not survivable – with or without an underride guard.

Rader says that the Institute will continue its work on better rear impact guards, despite the gaps in the NPRM.

 “From our standpoint, we know that the trailer manufacturers will need to deal with offset crashes,” he said. “We plan to continue testing – we want to work with trailer manufacturers to go beyond the Canadian standards. We’ve gotten tremendous cooperation, and we are working with Marianne Karth to set up an underride round table to discuss further steps.”  

Not Very FAST Act Tackles Recall, Tire Issues, Closes Rental Loophole

After years of short-term fixes as durable as a pothole cold patch, Congress has cobbled together a $300 billion, five-year comprehensive transportation bill, the Fixing America’s Surface Transportation (FAST) Act.

(We know that Congress loves it some acronyms. But, it’s been a decade since House and Senate passed the last long-term transportation bill, the mouthful known as the Safe, Accountable, Flexible, Efficient Transportation Equity Act – a Legacy for Users [SAFETEA-LU] so perhaps they deserve some points for brevity. And irony. Or chutzpah.)

And on Friday, President Obama signed it into law. For the National Highway Traffic Safety Administration, the bill resolves one lingering safety issue, gives the agency the authority to exact larger fines, bumping the cap for civil penalties from $35 million to $105 million. It calls for some rulemakings, some improvements in the tire and vehicle recall systems, and requires the agency to collect information that – presumably – will help it improve processes and broaden its footprint.

But many advocates, like Henry Jasny of Advocates for Highway and Auto Safety, say that the bill, for all of its mass, could have done a lot more for safety.

“This was a missed opportunity to promote new safety policies over the next five years – things based on technologies, like rear seat belt reminders and child minders,” he says. “It should be packed full of initiatives for safety, but a lot of things were left on the cutting room floor.”

The Other Missed Opportunity: Tires

The current tire-recall system was established 38 years ago, when recalls and government defect investigations of tires were rare. The FAST Act has attended but lightly to its two key components: the Tire Identification Number (TIN) and the tire registration system.

Once again, it has taken an act of Congress to get NHTSA to do something to make recalls more effective. In 2012, the Moving Ahead for Progress in the 21st Century Act, (MAP-21, for short) required NHTSA to make recalls Internet-based and searchable by Vehicle Identification Number (VIN), by requiring manufacturers to submit the VIN ranges of recalled vehicles directly to the agency to augment its current consumer search interface, which allows users to look up recalls by vehicle make and model, or by the recall campaign number. In response to the Notice of Proposed Rulemaking, Safety Research & Strategies suggested that while the agency was designing a web interface, it might add a TIN look-up.

The agency declined:

“We considered the comments from SRS and ARA suggesting expanding the scope of this portion of our rulemaking to include certain aspects relevant to equipment recalls. At this time, we decline to expand the scope of the rule; the directive of MAP-21 is plainly limited to recalled vehicles.”

But that’s just how NHTSA rolls. The agency didn’t even require tiremakers to submit TIN ranges with their recall documents until 2009. Since most tire recalls relate to defects that occur during a discrete time range, tire recall information without TIN ranges was pretty much useless.

So, finally, the FAST Act requires NHTSA to create a web-accessible tire recall database that allows users to search by TIN, and any other information the agency deems useful.

Adding a TIN searchable system will certainly improve the current dataset, but again, this doesn’t work well in a service environment nor does it address the inherent problems with the use of the TIN.

The tire recall system has long been riddled with inefficiencies, and it has the recall return rates to show for it – an average of 30 percent, compared to the 72 percent and above rates for vehicles, equipment or child restraints.

But a TIN look-up without the ability to automate tire identification still leaves the problem of discerning a tire’s status in a service shop environment, where it is not practical to expect techs to manually retrieve a 13-character alpha-numeric code off each tire and accurately enter those numbers into a website. Technologies such as Radio Frequency Identification have the potential to transform the current cumbersome, inefficient system into one that fulfills its purpose – to remove defective and unsafe tires from the nation’s fleet. Instead of requiring NHTSA to take action and mandate a method to automate the TIN look-up (i.e., scanning), the bill only asks the agency to study the possibility of requiring “electronic identification on every tire that reflects all of the information currently required in the tire identification number.” The agency is to report its findings to the Senate and House Commerce committees, but there is no deadline for this study, so no urgency. The 21st century is still young. Plenty of time to catch up.

In the meantime, the FAST Act turns back the clock on tire registration. More than 30 years ago, tire dealers persuaded Congress to remove them from the tire recall system. Since 1983, dealers have only had to hand their customers a registration card to be filled out and returned to the manufacturer. The passage of the FAST Act passed that responsibility back to independent tire dealers, much to the chagrin of The Tire Industry Association. The required rulemaking will compel independent dealers to maintain customer tire purchase information and electronically transmit those records to tire manufacturers. The TIA lobbied hard against it, but apparently was no match for the Rubber Manufacturers Association, which had promoted the provision.

The FAST Act advances the tire recall system only marginally, and avoids product identification automation technology – used in so many other sectors – that would make a significant impact. And the tire makers again get to foist the defect issue to dealers and customers with no changes to their system.

Other tire provisions:

Tire manufacturers are now required to extend the remedy period for tires from 60 to 180 days. The cap was originally established to address fears that drivers might drive on a recalled tire until it was worn out and then seek free replacement, instead of removing it right away. Most manufacturers already take back tires beyond the 60-day period. 

The FAST Act also initiates several tire safety rulemakings:

Within a year of enactment, NHTSA must publish a rulemaking proposal to improve the Tire Pressure Monitoring Systems, so that such systems cannot be over-ridden, re-set or re-calibrated so that the system cannot detect significant under-inflation. 

NHTSA is required to promulgate a rule to establish minimum performance standards for passenger tire fuel efficiency and wet traction.  

Closing the Rental Car Recall Loophole

Two years after the Raechel and Jacqueline Houck Safe Rental Car Act was introduced, the measure made it into the highway bill. It requires rental car companies and dealers with fleets of at least 35 vehicles to remedy recalled vehicles before renting, leasing or selling them, or, in the case of a rental, at least to mitigate the hazard if a remedy is not immediately available.

The bill is named for the Houck sisters, Raechel, 24, and Jacqueline, 20, who died on October 7, 2004, in a rented 2004 PT Cruiser. The Chrysler vehicle was under a recall for power steering hoses which could fail and cause an underhood fire. Enterprise received the recall notice in early September 2004, but rented the unfixed vehicle anyway — to three other customers before the Houcks. The young women died in a fiery crash while traveling northbound on Highway 101 in Monterey County outside of King City, caused by the defect.

The Raechel and Jacqueline Houck Safe Rental Car Act was first introduced in 2013, and supported by the car rental companies. The original bill set the fleet size for rental companies and auto dealers to at least five vehicles. The auto dealers fought hard against the measure, and demanded a carve-out for loaners. Many of them got that wish, with the provision that increased the applicable fleet size to 35 vehicles. Nonetheless, Rosemary Shahan of Consumers for Auto Reliability (CARS) says it’s the greatest expansion of NHTSA’s recall authority in years.

“It’s a big deal,” she says. “One reason that we wanted the rental car companies in the bill is that they are the biggest purchasers of new cars in North America. The fact they are required to fix them before they can go back on market as used cars – that’s huge.”

Vehicle Recalls Improvements

The FAST Act includes a variety of measures to further streamline vehicle recalls.

It extends the vehicle life-span for which a manufacturer is required to make recall repairs from 10 to 15 years. And it mandates NHTSA to write a regulation requiring automakers to retain safety records for their vehicles for at least 10 years.

Under another provision, NHTSA has two years to “implement current information technology, web design trends, and best practices that will help ensure that motor vehicle safety recall information available to the public on the Federal website is readily accessible and easy to use.” Specifically, Congress is requiring NHTSA to improve the organization, availability, readability, and functionality of the website. The Comptroller General is charged with studying these improvements and reporting out NHTSA’s progress.

NHTSA has to study the feasibility of creating a public Web portal that allows searching of multiple vehicle identification numbers at a time to retrieve motor vehicle safety recall information.

By next September, NHTSA must prescribe a final rule requiring manufacturers to make electronic notification of recalls to consumers, in addition to first class mail – that could mean emails, social media and targeted online campaigns.

For the next four years, NHTSA is required to analyze recall completion rates by manufacturer, model year, component, and vehicle type to determine what actions it must take to improve them.

Although Sen. Richard Blumenthal (D-Conn.) and Sen. Edward Markey (D-Mass.) did not succeed in inserting legislation to require states to withhold registration renewals for vehicles with open recalls, the FAST Act does require NHTSA to implement a two-year pilot program to examine the feasibility and effectiveness of having state DMVs at least inform vehicle owners of open recalls on their vehicles.

Event Data Recorders and Driver Privacy

The legislation clarifies that Event Data Recorder data is owned by the owner or lessee unless a legal authority, such as a court, or the owner/lessee authorizes a download. It also requires NHTSA to submit a report, within a year of enactment, on the results of a study conducted to determine the amount of time event data recorders “should capture and record for retrieval vehicle-related data in conjunction with an event in order to provide sufficient information to investigate the cause of motor vehicle crashes.” Within two years after submitting this report, NHTSA must promulgate a rule establishing that amount of time.

Reports, Reports, Reports

The FAST Act provides NHTSA with plenty of other opportunities for self-reflection, improvement and report-writing.

Three months from now, NHTSA is required to submit the first of periodic progress reports on implementing the recommendations of the Department of Transportation’s Inspector General’s last scathing audit. Released in June, “Inadequate Data and Analysis Undermine NHTSA’s Efforts to Identify and Investigate Vehicle Safety Concerns,” rapped the agency for its opacity, and for a host of process failures, such as the absence of EWR audit procedures to verify that manufacturers submit complete and accurate early warning reporting data and the failure to follow “standard statistical practices when analyzing early warning reporting data.” Next November, NHTSA has to produce a final report on its implementation plans.

A year from now, NHTSA is required to give the public detailed guidance for consumers submitting safety complaints, including a detailed explanation of what information a consumer should include in a complaint; and of the possible actions NHTSA can take to address a complaint and respond to the consumer.

Also on the Act’s one-year anniversary, the agency must submit to Senate and House commerce committees, a catalogue of the accomplishments of the Council for Vehicle Electronics, Vehicle Software, and Emerging Technologies, which was established under the Moving Ahead for Progress in the 21st Century Act (MAP-21).

SAFETEA-LU expired in 2009, and in the last six years, our entire transportation system suffered while a Congress that is in session for a little over 130 days a year, couldn’t find common ground beneath its collective feet on any issue. The Safety Record Blog supposes that we should be grateful that they only took six years to strike a deal. But seeing as it will be a long time before another opportunity arises to move the ball on safety legislation, the FAST Act isn’t too swift.

No Love for LATCH

Another reason to ditch LATCH? A study recently published in Traffic Injury Prevention concluded that the Lower Anchors and Tethers for Children (LATCH) “does not offer equal protection to lap/shoulder belts from head injuries in rear impacts” when used with rear-facing infant safety seats.

The study, conducted by Robson Forensic, Inc., based in Lancaster, PA, tested three popular rear-facing infant child safety seats – the Graco SnugRide, the Britax Chaperone and the Evenflo Tribute – in rear-impact sled tests using three different installations – LATCH, and seat belts with Emergency Locking Retractors (ELR) and Automatic Locking Retractors (ALR). The safety seats were installed in the outboard seating positions of a sled buck representing the backseat of a 2012 Toyota Camry and occupied by a six-month-old CRABI dummy. The researchers were interested in how well LATCH secured the infant seat in comparison to seat-belt installations in a 30-mile-an-hour rear impact, given the physics of such a crash.

The study’s authors describe the kinematics of the RFCRS restrained with LATCH and the vehicle seatbelt in these tests:

The car and subsequently the lower anchors “move out from underneath” the RFCRS and child, forcing the attachment system to act as a fulcrum about which the RFCRS and child system rotates (Feles 1970). The weight of the infant contained within the RFCRS causes the center of mass of the car seat/child system to rotate about the attachment point. Restrained within the car seat with the available five point harness, the infant and the RFCRS have the ability to rotate and contact the seatback of the seat in which the RFCRS is installed. Due to the coupling of the RFCRS and child to the vehicle through the attachment system, whether by the available seatbelt or LATCH system, as the vehicle subsequently decelerates, the RFCRS rebounds off of the seatback while still attached either through the available seatbelt or LATCH system. Rotating and inverting the RFCRS in this manner could expose a properly restrained infant to head/neck accelerations not predicted by the vehicle dynamics alone. Thus, this could result in head contact with the seatback in which the RFCRS is installed, posing an additional risk of head trauma to the otherwise properly restrained infant.

High-speed videos in these rear-facing infant seat tests revealed very different kinematics from forward-facing child and adult restraints, namely the rotation of the seat and the dummy around its attachment axis, allowing the “child’s head to extend beyond the confines of the car seat in many instances, allowing the head to strike the seatback in which the RFCRS was installed. In tests of the Graco SnugRide® without the base it was observed the shell rotated in a manner that caused it to remain rotated in a near vertical orientation after the test was concluded…”

These effects were more pronounced in the LATCH configuration, resulting in an increase in angular momentum and rotation and more severe head strikes. The tests looked at Head Injury Criterion values, even though there are no Federal Motor Vehicle Safety HIC standards for a six-month-old infant. But what is notable in this study is that the HIC values, which are based on acceleration, are much higher in Britax and Graco seats secured with LATCH — 60 percent higher in the SnugRide and double in the Britax.

The authors concluded: the results of this study suggest that LATCH does not offer equal protection to lap/shoulder belts from head injuries in rear impacts when used with infant seat type RFCRS.

The Saga of LATCH

Federal Motor Vehicle Safety Standard 213 required automakers to outfit their vehicles with LATCH by 2002 to address the problems of loose-fitting child safety seats, a common problem when seat belts are used to secure child seats. According to the Final Rule, LATCH would usher in the Golden Age of Rear Restraints:

This final rule will help vehicle and seat belt manufacturers design belts to more effectively perform a dual role. Manufacturers will be able to optimize seat belts to restrain older children, teenagers and adults. Further, the final rule will provide motorists with a means of securing child restraints that is easier and more effective. By requiring an independent child restraint anchorage system, the final rule improves the compatibility of vehicle seats and child restraints and the compatibility of seat belts and child restraints. Installation of the new system will result in more child restraints being correctly installed. The standardized vehicle anchorages and the means of attachment on child restraints are intuitive and easy-to-use. For example, they eliminate the need to route the vehicle belt through or around the child restraint. By making child restraints easier to install, correct use and effectiveness will be increased.

The agency was so sure that LATCH was the answer to the child safety seat mis-installation problem that it rescinded the seat belt lockability requirement beginning in September 2012, under the assumption that everyone would be using LATCH and not seat belts to secure child safety seats.

NHTSA’s enthusiasm was misplaced. First, widespread acceptance by parents and caregivers has been slow to come. The last published survey, in 2006, showed that LATCH was frequently misused – when it was used at all. A survey conducted over six months in 2005 showed that significant percentages of parents misused LATCH – if they used it at all. NHTSA collected data on 1,121 children ages 4 and under, at 66 sites such as parking lots, health care centers, and recreation facilities in Arizona, Florida, Michigan, Missouri, North Carolina, Pennsylvania, and Washington. The observational study, Child Restraint Use Survey—LATCH Use and Misuse, revealed that 40 percent of parents continued to rely on seat belts; 13 percent of parents bypassed LATCH because they put their children in the center rear position, where there are no LATCH lower anchors. Of the 60 percent who did use LATCH, nearly half were using the lower anchors only and ignoring the upper tether, and 13 percent were using the lower anchors in conjunction with the seat belt. (These configurations can cause performance problems.)

Second, the agency eliminated LATCH for heavier and older children in 2003 when it significantly lowered the weight limit for the lower anchorages at the suggestion of the Alliance of Automobile Manufacturers, which opposed a NHTSA proposal that CRS be tested with a 10-year-old dummy, secured via LATCH. The Alliance argued that when NHTSA adopted the child restraint anchorage rule, the LATCH systems were intended for use by children up to 48 pounds. NHTSA agreed, allowing that when it revised the anchorage requirements in 2003 to accommodate the LATCH system, it had calculated the strength requirements on a combined weight of the child and CRS of 65 lbs.

Child safety seat advocates observed that mixed messages to parents, weight limits, and other LATCH design gaps were to blame for its failure to dislodge seatbelts as a means of attaching child safety seats. For example, parents have been cautioned to place their child in the middle position of the rear seat, yet many vehicles do not have lower anchors for the center position. Manufacturers warn consumers against using the inner bars from the two outboard position anchors to secure a child safety seat in the center standard requires the lap belt to be lockable to tightly secure child restraint systems, without the need for locking clips attached to the seat belt webbing.

In 2012 NHTSA was forced to rescind its sunset clause of the lockability requirement.

As for NHTSA’s prediction that automakers, now relieved of their duty to child safety seats, would throw themselves into improving rear seat safety, it, too, has not come to pass — a 2007 study of rear occupant safety in frontal crashes showed that “the real world data suggests that the fatality and serious injury risk in frontal crashes is higher for older occupants in rear seats than for those in front seats.” Other studies showed that in some models “the front seat position is more effective in reducing serious to fatal injuries for adult occupants in frontal crashes than the rear seat.”

What Does This Study Tell Us?

This study suggests that if caregivers want to use the LATCH system with rear-facing infant seats, they should consider doing so with a tether. Tethers serve a critical purpose in reducing head excursion in a crash, and few parents recognize their importance or that they can and should be used in conjunction with lower anchors or seat belts. The study’s authors refer to this type of installation in other countries, but apparently did not use tethers in their tests:

Swedish rear-facing child restraint designs differ from US products, in that they route a tether down and forward to a point on the floor in front of the vehicle seat where the CRS sits. This tethering system limits rotation towards the rear of the vehicle on rebound in frontal impacts or initial impact in rear impacts. The Australian method routes a tether rearward to the standard tether anchorage point used for forward-facing installations. By doing this, the forward rotation of the CRS is limited and allowed the child to “ride down” the collision with the vehicle.

Eight years ago, rear-facing infant seats in the U.S. did not have tethers. Today, a few brands, including Britax and Combi, include tethers in their rear-facing infant seat design.

The data on LATCH use and on rear seat safety is almost a decade old, so it’s difficult to know if LATCH has become more popular, driving automakers to make the rear seat a safer environment for adults. This study could be another indication that LATCH has yet a ways to go to fulfill its promise – or maybe it underscores the fact there are many facets to child safety seat performance – the vehicle seat geometry and seat-back design and the child restraint shell and harness design. One installation method can’t fit all.

And, beyond the vehicle seat-installation-child-safety-seat-system, this study emphasizes the failure of a regulatory system that allows manufacturers to design and sell products that are intended for every age of occupant, but that can’t be used by families with children without special pieces of after-market equipment, which caregivers must purchase and install with no guidance from automakers.

Software Promises and Perils

In May, Honda recalled some 2014-2015 Acura MDX 2WD and AWD, RLX and 2014 Acura RLX Hybrid vehicles, because its Collision Mitigation Braking System could incorrectly interpret certain roadside objects such as metal fences or metal guardrails as obstacles and unexpectedly apply the brakes. In October, Google and Volvo were demonstrating their driverless cars for journalists on two continents – the U.S. and Australia; and this month, Volkswagen – which surpassed Toyota in July to become the world’s biggest automaker – was offering outraged customers $500 gift cards as it tries to dig itself out of an emission cheating scandal in which a “defeat device,” vehicle software designed to detect system testing, would run the engine at less than full power to emit fewer pollutants.

As the automobile continues its radical transformation from an assemblage of mechanical components to a sophisticated computer on wheels, industry leaders promise that electronics and software will make vehicles more efficient and safer, with endless potential. Today’s drive-by-wire Lexus will look primitive next to driverless cars. V2V technology – cyber-speak for crash avoidance systems that take control of a vehicle to prevent a collision – means the network is not just within a single vehicle, but among multiple vehicles. Your car is not just a mode of transportation – wireless technology makes it a phone booth, a movie theater, a navigator, an Internet café.

But, trailing in the wake of fast-moving technology are the obvious problems – recalls for defects caused by the unintended consequences of tangled code and the less obvious problem of how this technology will be regulated and how its problems will be investigated. There are now two open NHTSA dockets regarding automotive software, electronics and functional safety. A Final Rule has just been published on a third docket, before the U.S. Copyright Office, dealing with vehicle owners’ and researchers’ rights to examine, copy or alter automotive software.

Industry – no surprise – has mounted a full-on assault on the very idea of an automotive electronics and software standard. From the copyright docket to the vehicle-to-vehicle communications docket, automakers have sought to build a wall around their software that can be breached by neither the consumer nor the regulator. Some have even challenged NHTSA’s authority to write standards for this component of today’s vehicles.

But software experts warn that establishing standards for automotive applications is more critical than ever. In a May 2015 editorial, Tony Dyhouse, director of the U.K.’s Trustworthy Software Initiative, a collaborative effort to gather existing standards and best practices, as well as producing its own standard to help all manufacturers “avert IT risks,” criticized automakers’ current systems. The demand for automotive software is outstripping developers’ abilities to produce code that is secure, safe and testable:

“Too much of the code currently produced for the automotive industry is insufficiently protected, leaving manufacturers and drivers vulnerable to potentially dangerous attacks,” he writes in Traffic Technology International. “Connected vehicle technology is one of many areas where software vulnerabilities could have a truly catastrophic effect.”

The Mothership: Functional Safety

In October 2014, NHTSA published a Federal Register Notice seeking comments on the possibility of writing regulations to ensure the safety of automotive electronics. The 10-page request for comments satisfied a directive from the federal legislation known as MAP–21 to “complete an examination of the need for safety standards with regard to electronic systems in passenger motor vehicles.”

The notice attracted 44 comments from safety groups, SAE International, automakers and some of their representative organizations. (Although the Alliance of Automobile Manufacturers was notably absent.)

The Telecommunications Industry Association, ever hostile to government intervention, expressed “strong concerns” with NHTSA’s “seeming intention to regulate vehicle software,” calling it “an unnecessary overreach that would stifle innovation in the US vehicle technology marketplace” and that NHTSA’s focus “on a narrow set of security and safety design standards is similarly inappropriate; this is not a proper role for government.”  

Automakers GM, Ford and Mercedes commented in one form or another that everything is moving too quickly for anything as antediluvian as a functional safety standard. Mercedes assured NHTSA that the current standards “have matured to the point that high levels of safety, quality and reliability have been achieved,” but that “as technology continues to evolve, the automotive industry – as it has done in the past – will continue to examine the relevance and efficacy of those standards and adapt them as needed to ensure that safety, quality and reliability are not compromised. Mercedes-Benz actively supports global standards organizations in the pursuit of these objectives; we believe that this proven process is best suited to meet the dynamic needs of continuously evolving automotive electronic component safety, quality and reliability.”

General Motors did not recommend “generic performance tests due to the significant variation among products and the difficulty in normalizing the results to have all manufacturers provide performance test results in a consistent, meaningful manner.”

Ford averred that “any functional safety process will be most effective when incorporated into existing product development processes. Therefore, vehicle manufacturers are best suited to determine which standards and approaches have broad applicability and feasibility in both the extent and manner in which they are used. Hazard analysis methodology is a rapidly evolving research area and we expect refinements in practice will lead to convergence across the automotive industry.”

Ford got it half right. Philip Koopman, a Carnegie Mellon University professor in computer engineering, a safety critical embedded systems specialist, author of the textbook Better Embedded System Software, and a consultant who performs private industry embedded software design reviews, says that the time to ensure functional safety is during the design process – traditional compliance testing after the vehicle is built is not sufficient to ensure safety, because intermittent electronic defects are difficult to detect. Automotive software designers must take a different approach:

“You have to assume that the software is unsafe until you accumulate enough evidence that you can demonstrate that it is safe,” he says.

Automotive software designers have been guided in constructing safe systems by standards issued by the Motor Industry Software Reliability Association (MISRA) in 1994. This set of best practices is hardly new, Koopman says. In addition, the industry is guided by ISO 26262, a nine-volume standard developed by a “Functional Safety” industry working group within ISO TC22/SC3/WG16 that included members from nine countries. The standard addresses functional safety throughout the product’s entire lifecycle, from development to implementation to servicing to decommissioning. Published in November 2011, the voluntary guidelines enumerate four different Automotive Safety Integrity Levels (ASIL), A through D, with the latter being the most stringent.

“If you follow them, you are in pretty good shape,” Koopman says. “We all know that software’s imperfect. You have to get more sophisticated and change your tool set, and look how to certify software safety. You don’t just test the vehicle, you get involved with development.”

Koopman says that NHTSA needs to consider the compliance models that have been used successfully in other industries, such as aviation and the chemical process industry. In aviation, for example, there are Designated Engineering Representatives (DERs), who may be employed by the manufacturer, but are ethically and legally bound to the regulating agency. DERs sit in on the design process and ensure compliance with best practices and standards. Or the agency could use the chemical industry model in which manufacturers are required to keep good documentation of their software process that is audited and certified by third party auditors.

“There’s no mystery,” Koopman says. “People have known how to do this right for a long time.”

V2V is Not for Thee, NHTSA

NHTSA believes that the next wave in reducing harm from motor vehicles will come from vehicle-to-vehicle crash avoidance technology – “on-board dedicated short-range radio communication devices to transmit messages about a vehicle’s speed, heading, brake status, and other information to other vehicles and receive the same information from the messages. Unlike technology based on sensors, radar, or cameras, V2V will perceive threats and warn drivers sooner.” In August 2014, NHTSA published an Advance Notice of Proposed Rulemaking, proposing to create a new Federal Motor Vehicle Safety Standard 150, requiring vehicle-to-vehicle communication capability for passenger cars and light truck vehicles, and to create minimum performance requirements for V2V devices and messages.

The defining document of the rulemaking is Vehicle-to-Vehicle Communications: Readiness of V2V Technology for Application. The 300-plus page report sets out the results of more than a decade of agency research, as well as its authority to regulate such systems. The agency, in particular, cited two sections of the Safety Act involving components sold as replacements or improvements, accessories, addition and one regarding “any device or an article or apparel … that is not a system, part, or component of a motor vehicle; and is manufactured, sold, delivered, or offered to be sold for use on public streets, roads, and highways with the apparent purpose of safeguarding users of motor vehicles against risk of accident, injury, or death.”

The agency thus staked its authority to regulate V2V:

“The language of the Safety Act, however, is broad enough to comfortably accommodate this evolution in vehicle technologies. NHTSA’s statutory authority over motor vehicles and motor vehicle equipment would allow the agency to establish safety standards applicable both to vehicles that are originally manufactured with V2V communications technologies and to aftermarket equipment that could be added to vehicles that were not originally manufactured as V2V-capable (i.e., to convert them into vehicles with various degrees of V2V-capability).”

The telecommunications industry – and to a lesser extent, the Alliance of Automobile Manufacturers – have a different view. The Telecommunications Industry Association, which represents 500 information and communication technology manufacturers, vendors, and suppliers and the CTIA, The Wireless Association, flat-out challenged the agency’s right to impose standards on their automotive applications.

In its submission to the docket, the TIA expressed its “strong concerns with NHTSA’s seeming intention to regulate software in the vehicle, which would be an unnecessary overreach that would stifle innovation in the US vehicle technology marketplace. In addition, TIA believes that NHTSA’s focus in the RFC on a narrow set of security and safety design standards is similarly inappropriate; this is not a proper role for government. Finally, while we urge NHTSA not to take any cybersecurity risk management actions, if it nevertheless acts, it must ensure any regulation is technology-neutral and aligns with existing cybersecurity efforts, such as those by the National Institute of Standards and Technology (“NIST”) rather than pursuing separate automotive industry-specific requirements.” Similarly, the CTIA rejected the agency’s assertions of authority, arguing that NHTSA’s own “longstanding interpretation of its statutory authority” concedes that it does not have “jurisdiction over mobile devices because they are not substantially related to the use or maintenance of motor vehicles.”

The Alliance stated that NHTSA had the authority to regulate V2V technology, but noted that the agency itself admitted that the Safety Act’s reach was limited. It also raised the issue of the availability of the radio spectrum to support V2V communications, and the necessity of working with the Federal Communications Commission to protect the 5.9 GHz radio frequency spectrum on which such communications would be transmitted. However, the Alliance noted that any proposed V2V communications network “is not complete without communications and security components that NHTSA cannot mandate fully under its Safety Act authority” given NHTSA’s current lack of appropriations for this purpose.

And some GOP lawmakers have been trying to carry the telecommunications industry’s water. In November 2014, four Republican Congressional leaders, Michigan Rep. Fred Upton, chairman of the House Energy and Commerce Committee; Pennsylvania Rep. Bill Shuster, chairman of the Transportation and Infrastructure Committee; former Nebraska Rep. Lee Terry, then-chair of the commerce committee’s Commerce, Manufacturing and Trade Subcommittee; and Oregon Rep. Greg Walden, chair of its Communications and Technology Subcommittee, sent a pointed letter outright rejecting the notion that NHTSA had any business regulating communication devices in automobiles:

“In addition to questions of its authority, we have concerns that NHTSA lacks the expertise to properly advance safety in this space. Guidelines could act as de facto regulation of industry without the expert input, transparency, and process protections that would normally accompany such activity. Indeed, NHTSA’s action could limit further safety innovations and create legal uncertainty for multiple sectors of the U.S. economy.”

Some GOP lawmakers have tried to do more than threaten, by slipping amendments into various measures to prohibit NHTSA from regulating this realm. So far they have not succeeded, but it is clear that the intersection of vehicles and mobile communications is a multi-jurisdictional mess.

Your $30,000 Software License

In the mechanical past, no vehicle manufacturer would argue that its customers didn’t own every nut and bolt of their cars from the front bumper to the tailpipe. But GM and other automakers tried unsuccessfully to persuade the U.S. Copyright Office that the $30,540 2015 Buick Regal you bought only entitles you to be the licensee of GM’s proprietary software that runs it.

The Copyright Office didn’t buy it – for now. It issued a Final Rule adopting three-year exemptions to the provision of the Digital Millennium Copyright Act (DMCA) that prohibits circumvention of technological measures that control access to copyrighted works, saying it would not apply to those who engage in non-infringing activities in a number of categories, including vehicle owners and cyber security researchers. This means that owners may tinker with, and security software researchers can test the robustness of, automotive software, as long as they don’t violate the law or federal regulations.

Every three years, the Copyright Office publishes a notice to consider exemptions to the Digital Millennium Copyright Act. Signed into law in 1998, the DMCA was an attempt to prevent digital piracy by criminalizing the production and dissemination of copyrighted technology and by making it a crime to circumvent digital security measures even if it doesn’t infringe on copyright – think Napster. At the time, explains Kit Walsh, a staff attorney with the Electronic Frontier Foundation, technology advocates and civil liberties advocates protested that the law was too broad. Congress compromised by requiring the Copyright Office to do periodic rulemakings to consider petitions for exemptions.

In September 2014, the U.S. Copyright Office published a notice in the Federal Register calling for exemption petitions. It garnered 40 requests, which it grouped into 27 exemption categories, ranging from audiovisual works for educational purposes to jail-breaking wireless phones to the software for networked medical devices. The EFF submitted six petitions, two relating to automotive software: vehicle software for repair, diagnosis or modification and vehicle software for safety and security research.

It argued that vehicle owners have a right to tinker and otherwise modify their vehicles. Indeed, a billion-dollar aftermarket industry relies on this activity, along with independent repair shops.

“With automobiles, there is a century of history of independent tinkering, leading to the invention of the catalytic converter, the retractable safety belt and a variety of now-standard equipment,” Walsh says. “It’s easy to make the case that tinkering is good for the public. An unintended consequence of the DMCA is that traditional tinkering activities now take place under a cloud of legal liability.”

The EFF also filed a petition to exempt researchers who want to examine the security of automotive software. These studies serve “a critical public service by identifying potential vulnerabilities in vehicle safety,” including security shortcomings which have prompted manufacturers to make improvements, and software bugs. Further, researchers have used their findings to develop technology to “protect drivers from flaws left open by manufacturers.”

While the consumer electronics industry argued in the V2V docket that wireless communications were stand-alone items, vehicle manufacturers such as GM and John Deere made the opposite argument to the U.S. Copyright Office. According to GM:

“The fact that vehicle firmware is sold as part of a car and not as a standalone product does not eliminate the harm to a manufacturer’s copyright interests if a vehicle owner, or those acting on the owner’s behalf, is permitted to circumvent TPMs to engage in security research, but then widely disseminates the code in such a manner that it may be used by bad actors for intentional malicious reasons or by benign hobbyists for purposes which could create inadvertent risks to safety, security and regulatory compliance. Allowing individuals to access, analyze, modify and then publish code for vehicle software risks increasing, not diminishing vehicle safety and security challenges. Further, such increased challenges directly and negatively impact the value of the copyrighted work.”

The Copyright Office concluded that “reproducing and altering the computer programs on ECUs for purposes of facilitating diagnosis, repair and modification of vehicles” was a non-infringing activity as a matter of fair use.  But, the Copyright Office tailored the exemption to exclude computer programs on the ECUs that “are chiefly designed to operate vehicle entertainment and telematics systems.” The Copyright Office concluded that “computer programs in ECUs that are chiefly designed to operate vehicle entertainment and telematics systems” should not be exempted “due to insufficient evidence demonstrating a need to access such ECUs and out of concern that such circumvention might enable unauthorized access to creative or proprietary content.”

Also excluded were circumvention by third parties, which requires a legislative amendment, and any that would violate the law, or Department of Transportation or Environmental Protection Agency regulations. The office delayed the effective date of the exemptions for a year to give the agencies time to promulgate regulations addressing the exemptions. For cyber security researchers, the Copyright Office permitted circumvention on a lawfully acquired vehicle “for the purpose of good-faith security research” that doesn’t violate any existing laws. The effective date for this exemption is delayed for a year.

Cyber-Attack on the Internet of Things

In July, Wired magazine wrote up the story of a hair-raising ride in a Jeep on the highway, in which hackers sent commands through the Jeep’s entertainment system to its dashboard functions, such as steering, brakes, and transmission. This story followed a February broadcast in which Dan Kaufman of the military’s Defense Advanced Research Projects Agency (DARPA) demonstrated for 60 Minutes correspondent Lesley Stahl how a software hacker could take control of the new car – make and model obscured. For starters, Kaufman and his associate turned on the windshield wipers and the horn, prompting surprised chuckles from Stahl. Then, they interfered with the braking and the laughter stopped.

These demonstrations have gotten a lot of attention. The headlines veered from “Nobody’s Safe on the Internet” to “Congress, ‘60 Minutes’ Exaggerate the Threat of Car Hacking.” And yet, just 10 days earlier, BMW sent out an over-the-air (OTA) software patch to 2.2 million vehicles after ADAC, Germany’s AAA, discovered that it could lock and unlock the car doors, by exploiting a vulnerability in BMW’s ConnectedDrive telematics system.

Two months after the 60 Minutes story aired, the U.S. House Committee on Energy and Commerce sent a letter to NHTSA Administrator Mark Rosekind asking what NHTSA was doing to address automotive cyber security. The letter asked what staff had been dedicated to researching this topic, how NHTSA was “tracking potential cyber vulnerabilities, and how the agency was evaluating the potential for a cyber-attack on the dealer and/or vehicle maintenance infrastructure.” Among other things, the committee sought information on NHTSA’s evaluation of over-the-air updates to upgrade software and on how existing vehicle systems and technologies utilize public key infrastructure and/or certificates for secure communications.

In 2012, the agency created a new research division, Electronics Reliability/Functional Safety, to study cybersecurity, automated vehicles and electronics reliability. As part of this effort, NHTSA has been building in-house applied electronics research capabilities at its testing facility at the Vehicle Research and Test Center “to support testing of electronic systems and potential countermeasures towards developing objective test procedures for electronics related standards, requirements, guidelines, principles, or best practices,” according to a NHTSA overview. The agency has also established a Council on “Vehicle Electronics, Vehicle Software, and Emerging Technologies,” managed by senior NHTSA officials “to coordinate and share information on a broad array of topics related to advanced vehicle electronics and emerging technologies.”

For its part, the industry is building its voluntary bulwark against future agency meddling. In July 2014, the Alliance of Automobile Manufacturers (Alliance) and the Association of Global Automakers signed an agreement to work together on cyber security issues. They submitted a copy of this agreement to the agency’s automotive cybersecurity topics and publications docket to inform the agency of their intention of “establishing a voluntary automobile industry sector information sharing and analysis center or other comparable program for collecting and sharing information about existing or potential cyber-related threats and vulnerabilities in motor vehicle electronics or associated in-vehicle networks.”

In the meantime, members of Congress have been floating their own cyber security bills. In July, Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced the Security and Privacy in Your Car Act (SPY Car), which would require NHTSA and the Federal Trade Commission to establish standards to “secure our cars and protect drivers’ privacy.” It would also establish “a rating system — or ‘cyber dashboard’ — that informs consumers about how well the vehicle protects drivers’ security and privacy beyond those minimum standards.” The bill includes civil penalties of up to $100,000 per incident.

Reality Check

As much as manufacturers would like to build their porous software systems without the dreary demands of regulations or regulators, the evidence that regulations are more important than ever continues to mount.  As we move toward the age of automotive autonomy, NHTSA needs to get itself up to speed and start considering new ways of demonstrating adherence to best practices.

There is no timetable to promulgate an automotive electronics standard. MAP-21 only requires that the “Secretary shall complete an examination of the need for safety standards with regard to electronic systems in passenger motor vehicles and write a report on the findings.”  Of course, the examination was required to be completed by October 2014, so NHTSA’s a little behind there.

The integration of electronics continues apace at warp speed. Last month, Tesla founder Elon Musk made cars semi-autonomous with an over-the-air software update for its Models S and X. Its Autopilot feature allows automatic lane changing without touching the steering wheel. And, Fiat Chrysler has been experimenting with a nifty innovation in recall remedies. In Recall 13V-175, FCA used a software patch to address cracks in the actuator circuit board that cause the transfer case to inadvertently shift 2005-2010 Grand Cherokee and 2006-2010 Commander vehicles into neutral. Rather than replace the defective hardware creating the problem, Chrysler went for a cheap, upstream solution.

Unfortunately, even Musk doesn’t recommend that a driver take his or her hands off the wheel, as several viral videos showing Tesla Autopilot failures attest. In one, the driver was exiting the highway after rhapsodizing about how much he trusted Autopilot, when the software abruptly tried to steer the vehicle to the right. (Or see this one.) Fiat Chrysler’s software patch is similarly unreliable. About a year after the recall, Chrysler issued a bulletin for another reprogramming of the FDCM that was applicable to vehicles covered under the recall – including those that had had the recall performed. In May of 2015, Chrysler launched a Customer Satisfaction campaign to reprogram the control module again – maybe you can’t fix a cracked circuit board with software after all.

The whole idea behind driverless cars and V2V is: humans are the problem. They are too distracted on the road, make too many bone-headed maneuvers and speed. If we can only remove humans from the equation, our fatality rates will plummet, the advocates promise. If we want to achieve this ambitious goal, we’d better come up with a way to ensure that the humans designing and manufacturing these miraculous mashups of codes and cars aren’t the new problem.

Decoding NTSB’s Tire Safety Report

Tuesday, the National Transportation Safety Board issued findings and recommendations following a 10-month-long investigation into tire safety. The effort was launched after two deadly tire-related crashes in February 2014 in Louisiana and Florida. (The latter crash involved an uncaptured recalled BF Goodrich tire and the former an 11-year-old Michelin Cross Terrain.) In December 2014, the NTSB followed up with a tire safety symposium to gather testimony from industry, the National Highway Traffic Safety Administration, advocates such as Sean Kane of Safety Research & Strategies, and researchers.

The final report, which will be released in the coming weeks, is focused on two key issues – the tire recall system and tire age degradation (service life). Tuesday’s hearing provided a pretty sturdy outline of the NTSB’s major conclusions. It amounted to a long-ignored to-do list for the regulated and the regulators (nine recommendations for NHTSA and two for industry) like implementing a web-based TIN look-up database and having the complete TIN on both the inboard and outboard sidewalls of a tire.

Board Vice Chair Dr. T. Bella Dinh-Zarr crystallized the tire safety problem with a simple question to the NTSB staff: Why can’t tire techs determine if a tire was recalled?

And the answer, that no one has built the systems to do this, is best summarized in two of the NTSB’s most important and intertwined conclusions:

  • A computerized system for capturing, storing, and uploading tire registration information would expedite the tire registration process, reduce transcription errors, and encourage more dealers to register tires at the point of sale.
  • The guidance provided by the tire and automotive industries regarding tire service life and the risks associated with tire aging can be inconsistent and confusing, which may lead consumers to make inappropriate tire replacement decisions.

In other words, the tire identification and recall systems, which have relied on manual review of hard-to-find information, must be automated in order to alert techs – and consumers – to tire service life recommendations and recalls. With automated tire tracking, these critical elements of tire safety come together, and service techs can tell a consumer with the swipe of a scanner if a particular tire is recalled and if it’s at the end of its service life – in addition to the typical visual inspection for tread and condition. No complex internet searching and document review, crawling under a tire to capture the full TIN, or pawing through desk drawers for ten-year-old tire technical bulletins – just useful safety information, in real time, quick and easy.

The industry stakeholders preferred to focus elsewhere.

According to Tire Business, the Rubber Manufacturers Association was as happy as a clam: “Daniel Zielinski, RMA senior vice president-public affairs, said his association found it encouraging that the NTSB agreed with a number of the RMA’s recommendations, especially tire registration by dealers, recall search engines based on TIN lookups, and consumer education.”

(Although, having the TIN on both sides is the kind of suggestion that makes the RMA very cranky, having successfully fought off NHTSA’s attempts to require it since 1970.  But the RMA is totally in favor of recommendations that require others to assume their responsibilities like a TIN lookup and tire registration.)

And Roy Littlefield, vice president of the Tire Industry Association, fretted about an NTSB recommendation to require all tire dealers to register tires at the point of sale. According to Tire Business: “I can’t believe this industry thinks that the best solution to this problem is to hand it over to a government agency,” he said. “This is 2015, not 1982. We have technology that works. To go back to that archaic system would be a disaster.”

Safety Research & Strategies, which has been studying the gaps in the tire recall system and the hazards of aged tires, has long advocated for machine readability of tires as a practical way for tire techs and consumers to quickly determine a tire’s recall status and age. Regardless of the changes made to the tire registration system and the plethora of tire service life recommendations, without the ability to scan a tire, there is no efficient way for service professionals or consumers to determine if a specific tire is recalled or is old enough to be replaced. No doubt, the recommendations for a TIN lookup website and full TINs on both sides of the tire (also advocated by SRS) would make it easier, but tire techs and consumers still need to enter the 11 alphanumeric characters from each tire accurately into a computer. This is a task fraught with error and isn’t practical in a shop environment. Given the cost-effective and available technology – from RFID to laser-etched QR codes – and the magnitude of the safety issues at stake when recalled and aged tires stay in service, tire scan-ability is where the industry is already headed. Most tire makers have added that feature to some lines of tires. In June 2013, Kumho Tire Co. Inc. announced it would put RFID tags in all of its tires.

The NTSB also appeared to discount NHTSA’s contention that tires that met the new FMVSS 138 and 139 were so robust that no rulemaking on tire aging was required. In March 2014, NHTSA released Tire Aging: A Summary of NHTSA’s Work, in which the agency announced that it had no plans to turn its tire aging research into a regulation. NHTSA cited 2007 through 2010 stats that purported to show a 35 percent reduction in tire crashes; a 50 percent reduction in fatalities; and a 42 percent reduction in injuries (11,005 to 6,361) when compared with annual averages from 1995 through 2006. A January 2015 study, sponsored by non-profit The Safety Institute, disputed that claim. It found that the number of tire-related crashes and resulting deaths has remained relatively constant since 1995. At the December 2014 tire symposium, study co-author Randy Whitfield told the NTSB that the agency’s conclusions were based on a survey with a small sample size of crashes involving light passenger vehicles towed for tire-related damage, rather than evaluating all tire-related crashes.

NTSB concluded: “Further research is needed to confirm that the implementation of Federal Motor Vehicle Safety Standard Nos. 138 and 139 has substantially reduced the risk of tire-aging, related crashes, injuries, and fatalities.”

Improvements to tire safety have long been stalled by the intransigence of the RMA, which puts all of its efforts into keeping the status quo firmly in place and NHTSA, which has not mustered the energy to overcome it. The NTSB has no authority to implement policy – but its pronouncements are influential. And here’s hoping that this round of safety recommendations gets the process moving.

NTSB to Release Long-Awaited Tire Safety Recommendations

In February 2014, there were two tragic, fatal, and high-profile tire crashes on U.S. highways that might very well constitute a tipping point for tire safety.

One involved an 11-year-old Michelin Cross Terrain tread separation on a 2004 Kia Sorento that led to a crash into a school bus carrying 34 members of a Louisiana high school baseball team in Centerville, La. Four of the Kia occupants died, and the fifth was severely injured. Thirty of the bus passengers suffered injuries.

The other involved the failure of a recalled BF Goodrich tire that was the left rear tire on a 2002 Ford 350 XLT 15-passenger van on an interstate in Lake City, Fla. The driver lost control, and the van swerved onto an embankment and rolled over. Two adults died, and all of the other occupants, including several children, suffered injuries. The tire had been recalled for tread loss or rapid air loss from a tread-belt separation shortly after Sam’s Club put it on the vehicle in 2012. In November 2013, Sam’s Club mechanics inspected the tire, but failed to identify and remove it.

Deaths and injuries in crashes caused by aged and recalled tires are entirely preventable, but neither the tire industry nor the National Highway Traffic Safety Administration has been inclined to do anything to prevent them. On Tuesday, the public might finally see some leadership on this issue from the National Transportation Safety Board. The board is meeting to discuss its new report on tire-related passenger vehicle crashes, and “the safety issues uncovered during these investigations and the December 2014 NTSB tire symposium.”

Within 10 months of those horrific crashes, the NTSB resolved to take up the issue of tire safety and convened, in lieu of formal hearings, a two-day tire symposium in which stakeholders presented information on tire age, the recall system, tire construction, technology and tire-related crash data. 

The symposium was notable, in part, for NHTSA’s decision to cite inaccurate tire data purporting to show that tire-related deaths and injuries have decreased by half since Federal Motor Vehicle Safety Standard 139 was established, and for the Board’s skepticism at the Rubber Manufacturers Association’s contention that it could do nothing to change the way it did business. The flat-earth argument by Tracey Norberg, RMA’s Senior Vice President of Regulatory Affairs and General Counsel, that it would be too difficult to make tires that could be scanned for tire age and recall information fell flat.

“That’s interesting because I think an awful lot of people in this audience have an iPhone,” said symposium chair Earl Weener, an aviation safety expert, and NTSB member since 2010. “That iPhone can read QR codes, can read barcodes, can read UBS codes. But somehow that is too much technology for the tire manufacturers and for the tire distribution process. You know, you go to the airport and about every third person checks in with their iPhone, with a barcode on them. So it seems to me that maybe some imagination is required.” (See Safety Research & Strategies 2007 whitepaper on tire RFID)

Safety Research & Strategies president Sean Kane presented an overview on the tire age issue, noting that rubber manufacturers have been publishing papers on thermo-oxidative aging as far back as the 1920s. In the last quarter-century, the debate over, the research on, and the official recognition of this safety hazard have garnered much more attention from automakers, tiremakers and the government. Automakers preceded U.S. tiremakers in issuing tire age warnings by at least a decade. Throughout the 1990s, the majority of vehicle manufacturers worldwide added warnings to their owner’s manuals about aged tires. These warnings all focused on a six-year threshold. In October 2005, Bridgestone/Firestone broke ranks with other tire makers and issued a “Technical Bulletin” to its dealers advising them that tires should be inspected after 5 years and replaced after 10. Other major tiremakers, such as Cooper, Michelin and Continental-General, followed. Many tiremakers defer to auto manufacturers’ recommendations, a de facto service life of six years. NHTSA, which has studied the problem extensively since the early 2000s, has clearly stated that age is a hazard and a factor in tire-related crashes. While there are no state or federal tire age regulations, there is general consensus on when a tire’s useful service life is over.

Despite decades of acknowledgement among all of the major players, the critical information about tire age has not been adequately conveyed to those at the retail level – consumers, and tire sellers and the tire and service technicians on whose advice and guidance the average motorist relies. Neither industry has taken responsibility for, nor taken action to, alert and train tire service professionals or consumers, which is why we continue to see old tires rotated into service with deadly results.

The symposium was also marked by a rare open dispute between the RMA, which represents manufacturers, and the Tire Industry Association, which represents tire sellers. RMA chose the symposium to roll out its lobbying effort to implement a mandatory registration system requiring retailers to electronically register the tire at the time of the sale. Ever since, the RMA has been busy trying to get language to that effect wedged into a transportation bill. The TIA has argued that tire registration is already too big of a burden for retailers to have to stock registration cards from several manufacturers. Retailers should just provide the customer the TIN and tell them what website they can use to register the vehicles.

TIA Executive Vice President Roy Littlefield says that 80 percent of the tires retailers sell are registered and the group has been trying to keep any such mandates out of federal legislation. The TIA does support any effort to “take advantage of current technology. The industry can do a better job, and not only improve the tire registration system, but also focus on the more serious issue of recalls.”  

Safety Research & Strategies is hopeful that the NTSB will, at long last, move the ball forward. The Tire Identification Number (TIN) system is forty years old and showing its age. Just about every retail product can be and is tracked via automation – except for passenger car tires, and there is no good reason why techs and consumers are still relying on cards and complicated web searches to find out if a particular tire has been recalled. And why isn’t the full TIN on both sidewalls? The excuses are as tired as the system itself.

See also The Run Down on NTSB Tire Symposium

Takata Recall Tests the New and Improved NHTSA

Tomorrow, October 22, the National Highway Traffic Safety Administration is scheduled to hold a public hearing ostensibly to explore coordinating a national recall of defective Takata airbag inflators.

This auto safety crisis had been brewing internally at Takata since at least November 2001, when Honda received its first field report (noted as part of a recall for 2,900 Accord and Acura TL vehicles with passenger-side airbag inflators that had been improperly welded.) But the repeated Honda recalls for driver’s side airbag inflators that could explode with little to no provocation, spewing shrapnel at the vehicle occupants, did not really penetrate the public consciousness until 2013. By then, there were three known deaths and a spate of serious injuries associated with the defect, and the recalls widened to include other automakers and passenger-side inflators. Congress began to summon Takata and National Highway Traffic Safety Administration officials to the Hill for explanations.  

Today, 12 automakers have replaced or are in the process of replacing defective Takata inflators in 19 million U.S. vehicles. Takata had resisted launching national recalls – insisting that it was only necessary to recall vehicles in states with hot and humid climates, even as explosions occurred in locations outside of the initial list. But, under the persuasive influence of a May Consent Order, Takata conceded that a safety defect existed and agreed to conduct national recalls.

This month’s hearing has been billed in the Federal Register as a notice of NHTSA’s resolve to publicize its intention of issuing administrative orders to coordinate the recall under its authority in several provisions of The Safety Act to ‘‘accelerate’’ remedy programs; to inspect and investigate; to ensure that defective vehicles and equipment are recalled and remedied; and to ensure that the remedy for the defect is adequate. The agency envisions its leadership in the recall effort as speeding up delivery of the repairs by prioritizing and organizing the air bag inflator remedy programs among multiple manufacturers; managing inflator sourcing, production, allocation, delivery, and installation; and ensuring adequacy of the remedy. 

Apparently, it’s already game on, because last month, the agency’s chief of Recall Management Division, Jennifer Timian, held a meeting in Ohio with representatives of BMW, Chrysler, Ford, Toyota, Honda, Subaru, GM, Mitsubishi and Nissan – all participants in the Takata Recallapalooza. And, in a subsequent email to the attendees, Timian praised the group:

“We accomplished more than we thought possible in the few short days we had. However, and as many of you lamented, a large portion of the work to be done involves consistent and clear messaging to the public.  To that end, our communications office plans to shortly reach out to your communications folks to arrange a call for later this week to get that coordination kicked off.” The email recommended that automakers send their contact information to NHTSA’s Communication Director Gordon Trowbridge, because, Timian wrote, “We certainly don’t want to leave any critical players out.”

The Safety Record Blog felt a bit left out, and contacted Mr. Trowbridge for comment about the agency’s plans to coordinate communications. He did not respond.

Automakers are definitely upping their communications strategies. One 2002 Honda Accord owner who had inflator recall repairs done in 2011 and 2015 for the driver’s side airbag received several dire robo-calls from the “Honda Customer Service Team,” requesting an immediate response to “this urgent safety recall.” The one minute, 42-second voice message explained in straightforward language how the defect manifested itself. And, unlike the usual recall communications, in which the risk to safety is presented as a hypothetical – even if the defect had caused injuries and deaths – this message dropped all pretense:

“In some Honda vehicles the driver’s side airbag could produce excessive internal pressure upon deployment. If a defective airbag deploys, the increased pressure may cause the inflator to rupture. In the event of a rupture, metal fragments could pass through the airbag cushion material and possibly hit you and others in the vehicle. Past ruptures like this have killed or injured vehicle drivers. Due to the severity of this defect, please call us immediately. Do not delay.”

Meanwhile, the story of who knew what, when has grown like Topsy. And yet, despite intense media attention, there were still pieces of the story that have been hiding in the public record, such as foreign recalls for passenger side frontal airbags that preceded the U.S. recalls by about three years, and a published technical paper lending more credence to at least one root-cause theory that the volatility of phase-stabilized ammonium nitrate that Takata exclusively uses is a key factor in inflator explosions.  

Lies, Lies and Damned Lies

A closer look at the public record shows that automakers have had more truthiness issues with the extent of their knowledge of the problem than previously suspected. To wit: the Part 573 Notices of Defect and Non-Compliance filed in 2013 by Honda, Toyota, and Nissan in their passenger side air bag inflator recalls, in which the automakers claimed to have discovered the defect in 2011 or later. Honda, for example, told NHTSA that it had no inkling that this could be a problem until October 2011, when a passenger airbag inflator ruptured in Puerto Rico. Ditto for Toyota, which told the agency that it, too, discovered a passenger-side airbag rupture in October 2011, but in a crash in Japan. Nissan reported to NHTSA that it didn’t know anything about passenger-side airbag inflator ruptures until February 2013, when Takata informed the automaker that it was investigating a “quality issue” with front passenger airbag inflators.

We suspect, however, that the trio already had gotten a big hint there was a problem with exploding passenger side airbags, because all three had launched recalls in the summer of 2010 for passenger inflators in vehicles sold in other countries. Turns out Takata operators had not put enough propellant wafers into the inflators, allowing the other wafers to break apart. 

In August 2010, Honda recalled 57,660 Programmable Smokeless Passenger Inflators (PSPIs) in 82 countries in Asia, Africa, Europe, Middle East, Australia, Mexico and South America, including MY 2001-2003 Civics, MY 2002 Fit vehicles and MY 2001-2003 Stream vehicles because:  “In certain vehicles, the single-stage passenger airbag inflator could produce excessive internal pressure. If an affected airbag deploys, the increased internal pressure may cause the inflator housing to rupture. Metal fragments could pass through the airbag cushion material possibly causing injury or death to vehicle occupants.”

Honda conceded that the U.S. 2001-2003 Civics were similar to the recalled vehicles—except for the inflator modules, which were “dual-stage inflator modules,”  rather than the single-stage modules used in U.S. vehicles, and “we have received no more similar reports for dual stage passenger airbag modules.”

On June 30, 2010, Toyota recalled more than 38,000 MY 2001 Toyota Corolla, Corolla Fielder, Corolla Runx, and Yaris vehicles sold in Japan, France, Malaysia, and other countries, for inflators “produced with an insufficient amount of gas generators. In this condition, gas generators in the inflator may become broken and powdered by vehicle vibration over time. This can create abnormal combustion and pressure in the inflator body during airbag activation, causing it to break and scatter. This increases the risk of personal injury during airbag inflation.”

Toyota, long known for its chatty Part 573s, simply said that the foreign vehicles had “different” inflators than those in U.S. vehicles and offered no explanation of the discovery of the defect.

On July 1, 2010, Nissan recalled 4,043 passenger inflators in its 2001 MY Cefiro and Pulsar/Sunny vehicles sold in Japan, Singapore, Australia, and Sri Lanka. The automaker also recalled passenger inflators in 46 U.S. vehicles (never to be mentioned again). Nissan described the defect as “some air bag inflators may be missing a wafer. As a result, the remaining wafers in the inflator used for the deployment of the front passenger air bag may be broken up into powder due to vibration experienced while driving. This causes the combustion rate of the propellant to increase inside the inflator, which can lead to internal pressure rising suddenly during air bag deployment. In certain cases, the inflator housing may rupture.”

Nissan’s chronology marks its discovery of bad passenger airbags to October 2009, when the automaker learned that a passenger airbag had “deployed abnormally” while being scrapped at a recycling center in Japan. Nissan collected inflators and conducted duplication testing and found that vibration of driving could pulverize the propellant wafers, causing them to burn unnaturally and produce excessive internal pressure. Naturally, Takata records showed that it only happened one time and everything was all fixed up: “During a certain discreet production period, due to a manufacturing error, it was possible that one of the propellant wafers was missing from the inflator. Production records indicated that this manufacturing issue was promptly corrected at the supplier's plant.” 

Given all that had preceded these “discoveries” – multiple recalls, secret testing at Takata, myriad quality control issues at its plants – we think these explanations are one wafer short of an inflator. 

Transient Burning

“Transient Burning Behavior of Phase-Stabilized Ammonium Nitrate Based Airbag Propellant.” That’s a mouthful, isn’t it? Shorter version: Researchers at Pennsylvania State University have been studying the combustion behavior of Takata inflators and how rapidly the propellant burns when there are rapid pressure changes. The technical paper authored by Jonathan T. Essel, Eric Boyer, Kenneth K. Kuo, and Baoqi Zhang of Penn State’s Department of Mechanical and Nuclear Engineering was published in the latter part of 2012. 

For those of you who are not regular subscribers of the International Journal of Energetic Materials and Chemical Propulsion (Editor-in-Chief Kenneth Kuo), this paper describes an investigation into the dynamic burning behavior of an airbag propellant as a function of pressure and pressurization rate. The burn rate of airbag propellants can increase significantly under intense pressure; that’s why they are supposed to be designed to maintain a steady burn rate during the transient combustion process. This paper said:  “It is clear from the results that the PSAN propellant does exhibit dynamic burning behavior. It is also apparent that the higher the pressurization rates, the more severe the dynamic burning effect.” It also said: “The effect of dynamic burning behavior of the propellant needs to be accounted for, when designing or analyzing systems that subject the PSAN propellant to high pressurization rates.” 

This sounds like chemistry-speak for NHTSA’s explanation of the inflator defect:

“Over time, that moisture causes changes in the structure of the chemical propellant that ignites when an air bag deploys. The degraded propellant ignites too quickly, producing excess pressure that causes the inflator to rupture and sends metal shards into the passenger cabin that can lead to serious injury or death.” 

According to a story in today’s New York Times, this investigation was not mere scholarly interest – Takata, which is a sponsor of Penn State’s High Pressure Combustion Lab, paid for this study and forbade the researchers from mentioning Takata or Honda in their published paper. It disliked the results so much that it waited for two years before sharing this information with NHTSA.

Of course, despite the absence of the words “Takata,” and “Honda,” one could infer that the researchers were testing Takata inflators – perhaps at the behest of Takata itself – from several in-the-public-record facts:

  • Of the three global manufacturers of airbag inflators, Takata is the only one to use phase-stabilized ammonium nitrate (PSAN) based propellant.
  • Co-author Eric Boyer is also assistant director of Penn State’s High Pressure Combustion Lab.
  • Takata is a sponsor of Penn State’s High Pressure Combustion Lab.
  • Before a June U.S. House Energy & Commerce Committee hearing updating Congress on the Takata recalls, Kevin Kennedy, Executive Vice President of Takata North America, testified: “Well, the studies that we have done, and the research that we have from some of the leading experts in the world, seem to indicate that ammonium nitrate is certainly a factor in the inflator ruptures.”

Attorney Ted Leopold, who represents a Duval County, Florida, woman severely injured by a Honda airbag with a Takata inflator, believes that ammonium nitrate is also a factor in over-aggressive deployments. In June 2014, Patricia Mincey, owner of a 2001 Honda Civic, was belted in a moderate frontal crash, when, she alleges, the Honda/Takata airbag “deployed late and violently exploded due to excessive pressurization,” rendering her a quadriplegic. Honda had replaced her inflator in the 2009 recall. Four days after the crash, Honda recalled her vehicle again to replace the defective airbag.

Leopold, of Cohen Milstein Sellers & Toll PLLC in Palm Beach Gardens, Florida, is scheduled to depose Kuo on November 3 about the significance of the Penn State team’s findings.

“The published PSU study confirms that Takata’s use of phase stabilized ammonium nitrate in its inflators results in an over-pressurization that leads to inflator ruptures and aggressive deployments. This often overlooked defect – aggressive deployments – can lead to severe injuries,” he says. 

In 2011 and 2012, while Takata was characterizing the defect as a discrete manufacturing problem, researchers at Penn State were examining the role of the propellant chemistry in inflator explosions and had come to the conclusion that its propellant ignites too quickly. But Takata – three years after this research is published – apparently still isn’t sure. Even as Kevin Kennedy acknowledged that ammonium nitrate is a factor in inflator ruptures, he insisted that its propellant chemistry is safe.

At that same June hearing, Rep. Joseph Kennedy of Massachusetts asked Kevin Kennedy: Can you guarantee that as long as ammonium nitrate is used in those products, that the products are safe?

Kevin Kennedy answered: “Well, we believe properly manufactured and designed ammonium nitrate, phase stabilized ammonium nitrate, can be done properly.”

Well, maybe it can, but apparently, Takata didn’t.

Protective Orders and NHTSA

The National Highway Traffic Safety Administration’s whirlwind makeover continues. Monday, the agency published two Federal Register Notices – one inviting comments on a forthcoming guidance document about the sharing of safety defect information discovered in civil litigation and a second notice proposing rulemaking to codify procedures for the assessment of civil penalties.

After years of treating trial lawyers like Kryptonite, the agency has decided that using the information attorneys toiled to extract from a recalcitrant defendant with deep pockets would not rob NHTSA of its super crime-fighting powers. We all know that there are great stinking piles of corporate malfeasance moldering under seal in courtrooms all over this great nation. Yesterday’s notice seeks to shine a little light by sharing the agency’s thinking on the value of that information. NHTSA is recommending “that all parties include a provision in any protective order or settlement agreement that – despite whatever other restrictions on confidentiality are imposed, and whether entered into by consent or judicial fiat – specifically allows for disclosure of relevant motor vehicle safety information to NHTSA and other applicable authorities.”

As the agency noted, “protective orders, settlement agreements, or other confidentiality provisions prohibit vehicle safety-related information from being transmitted to NHTSA, such limitations are contrary to established principles of public policy and law.” With no apparent sense of irony, the Federal Register Notice mentions the GM ignition switch defect as an example of “how vital early identification of motor vehicle risks or defects is for the safety and welfare of the American public.”

In February 2014, NHTSA dissed Lance Cooper, a Marietta, Georgia lawyer who represented the family of a victim of a fatal crash caused by the General Motors ignition switch defect. Based on documents obtained over 18 months of discovery, Cooper warned NHTSA that GM had known about the defect for nine years and that it was only recalling a tiny fraction of the vehicles affected by a low torque condition that could cause the ignition switch to rotate out of run and into accessory position, causing the vehicle to lose power brakes and steering and disabling the airbag. He requested that NHTSA open a Timeliness Query, which it did – but without ever acknowledging Cooper’s contribution. Petty and stupid, to boot.

The plaintiffs’ bar will no doubt welcome NHTSA’s change of heart and have lots to say about it. We don’t believe that automakers will be as enthusiastic. But, how will they argue for the right to keep safety problems from the public? Fortunately for them, an enforcement guidance document doesn’t compel litigants to help NHTSA, but it does encourage them. Before it issues a final Enforcement Guidance Bulletin, NHTSA wants the public to weigh in on specific best practices with attention to the practical impact, and the relative costs and benefits of implementing various practices.

The civil penalties proposal satisfies a directive of the Moving Ahead for Progress in the 21st Century Act to issue a rule “providing an interpretation of these penalty factors,” and to update its regulations to reflect the new increased statutory civil penalty maximums for odometer fraud and for lying to the government. Hoo boy – you could erase the deficit by penalizing manufacturers for all of the lies they tell NHTSA.

This provision will allow NHTSA to directly levy court-enforceable penalties. As The Safety Record has explained, in the past, the agency could reach settlement agreements with automakers and levy pretty significant fines. But to bring an automaker to court, the agency had to go through the U.S. Department of Justice (See NHTSA Consent Orders and Civil Justice). In this notice, NHTSA argues that “MAP–21 vests authority, responsibility, and discretion in the Secretary to impose civil penalties for violations of the Safety Act.” It is proposing to adopt informal procedures which will allow violators to choose between paying the money immediately or dragging it out for months in an informal hearing. An automaker’s three choices would be: pay the demanded penalty; provide an informal response; or request a hearing. The agency envisions tasking the Assistant Chief Counsel for Litigation and Enforcement with initiating the proceedings by serving the violator with notice of the civil penalty, charging him or her with having violated one or more laws, along with the specific factual allegations, and informing the violator of the options for responding.

NHTSA promises that “any assessment of civil penalties will be made only after considering the nature, circumstances, extent and gravity of the violation. As appropriate, the determination will include consideration of the nature of the defect or noncompliance; knowledge by the respondent of its obligations under 49 U.S.C. chapter 301; the severity of the risk of injury posed by the defect or non-compliance; the occurrence or absence of injury; the number of motor vehicles or items of motor vehicle equipment distributed with the defect or noncompliance; actions taken by the respondent to identify, investigate, or mitigate the condition; the appropriateness of such penalty in relation to the size of the business of the respondent, including the potential for undue adverse economic impacts; and other relevant and appropriate factors.”

The Safety Record sees in these notices more signs that playtime is over for the auto industry.

But, strictly speaking, the window for change may be short. The Obama administration and its current pick for NHTSA Administrator, Mark Rosekind, have another year at the helm. The next president might not be as interested in keeping the agency’s focus on improving its performance as a public health agency, so hopefully the agency will keep moving forward.

The Keyless Ignition Litigation Solution

On Tuesday, the New York firm of Labaton Sucharow LLP filed a nationwide consumer class action in a Los Angeles federal court against 10 automakers who produce and market keyless ignition vehicles to force the implementation of an automatic cut-off feature.

The lawsuit is in response to a longstanding, widespread design defect that leads drivers to inadvertently leave their keyless ignition vehicles running in the mistaken belief that the fob in their possession means that the engine is off. At least 13 carbon monoxide poisoning deaths have been attributed to the defect.

The Safety Record is quite sure that the manufacturers, including GM, Ford, Toyota, Nissan, Honda, and Volkswagen, will welcome the suit with open arms. As they told the National Highway Traffic Safety Administration about a decade ago in response to a proposed upgrade to the accelerator controls standard (FMVSS 124), it is their steadfast belief that “market forces and litigation pressure are sufficient to assure fail-safe performance without a Federal motor vehicle safety standard.” And, as the agency has yet to act on a 2011 Notice of Proposed Rulemaking on FMVSS 114 that purports to address the carbon monoxide and rollaway hazards caused by these systems, litigation, it is!

Safety Research & Strategies has been studying the hazards of keyless ignition systems and advocating for a safety solution since 2009. Our work has included gathering the regulatory history, testing keyless ignition vehicles to assess their compliance with FMVSS 114, sifting NHTSA consumer complaints, keeping track of confirmed injuries and deaths, examining manufacturers’ customer communications regarding keyless ignition systems, and filing Freedom of Information Requests to determine what NHTSA has actually done to address this issue.

And we have shared that information in the form of news stories. And, in 2010, SRS President Sean Kane met with NHTSA officials to present our research. We specifically outlined the many ways keyless ignition vehicles changed the fundamental relationship between the driver and the key, while manufacturers misled their customers about how these systems actually worked. Early on, we concluded:

  • Keyless ignitions – as currently designed – introduced a hazard – carbon monoxide poisoning – that had heretofore not existed
  • Keyless ignitions are antithetical to the letter and intent of FMVSS 114
  • Keyless ignition systems have re-introduced the rollaway hazard – a problem that was ostensibly solved in 1992, after the agency published a Final Rule requiring vehicles with automatic transmissions that have a Park position to have a key-locking system that prevented removal of the key unless the transmission was locked in Park or became locked in Park as the direct result of removing the key.

In a series of interpretation letters, the agency allowed the evolution of the current systems. For regulatory purposes, the agency permitted an invisible electronic code to be considered the “key.” Unfortunately, customers thought the fob was the key – because manufacturers called it the key. Automakers forgot to tell their customers: yes, you need the fob to turn the vehicle on, but it plays no role in turning the vehicle off. So you can leave your vehicle running with the fob in your pocket and go far, far, far out of range, and that engine will keep running. Only some manufacturers have implemented an automatic engine cut-off feature which shuts the engine down after 30 minutes, if the driver’s side door has been opened and closed.

As NHTSA neglected to think the whole thing through from the get-go, it has been stuck trying to rectify its mistake without causing Sturm und Drang in the industry. It hasn’t gone well. The 2011 NPRM clearly acknowledged the carbon monoxide and rollaway hazards. But the best solution it could offer was louder warnings, based on a platform lift standard that was not based in any human factors testing. (In fact, nobody did any human factors testing.)  

To date, the agency has collected some 105 keyless ignition complaints related to carbon monoxide poisoning or drivers mistakenly leaving their vehicles running (46) or rollaways (59); but we know that this happens much more frequently. 

We like this class action. It seeks injunctive relief to eliminate the carbon monoxide hazard by compelling automakers to implement a software patch that will cut off the engine, as well as the recovery of drivers’ economic losses. It’s do-able and will prevent these deaths. And as NHTSA said in 1967, when it first compelled automakers to design key systems that did not allow drivers to leave their keys in the ignition: “This is an instance in which engineering of vehicles is more likely to have an immediate beneficial impact than a long-range process of mass education.” (Or warnings, in this case.)

In the meantime, journalist Mark Greenblatt of Scripps Howard has provided some excellent coverage. You can access it here:

Keyless ignition deaths mount as regulators and auto manufacturers slow to act

Class action lawsuit targets automakers for keyless ignition dangers

To read our previous coverage of this issue:

Another CO Smart Key Death… and what Happens when Smart Keys Collide?

Not So “Smart Key” Standard

NHTSA Opens Smart Key Compliance Probe

Stupid Tricks with Smart Keys

A Funny Thing Happened on the Way to My Car…