Category: Automotive

Seat Heater Safety Takes a Back Seat

Posted on | by admin

Four years ago, Safety Research & Strategies, along with nationally recognized burn care specialists, raised an issue long neglected by automakers and the regulators: seat heater safety. This comfort feature — often designed to reach maximum temperatures that range far above human tolerances – can and does pose dangers to occupants, but it is rarely investigated or recalled. In 2011, we wrote an issue brief, based on our research, and challenged the industry to set standards for safe temperatures and the National Highway Traffic Safety Administration and mobility adapters to attend to the problem of burns to drivers and passengers with lower body sensory deficits.

To our pleasant surprise, the National Highway Traffic Safety Administration responded with a letter that indicated, at least, a willingness to study the issue and encourage the Society of Automotive Engineers to devise a voluntary standard. An SAE committee was duly formed, and for two years there was a flurry of publicly posted activity. And then – nothing.

The problem certainly hasn’t burned itself out. We are still documenting cases of serious injuries to individuals who cannot feel the intense heat from car seat heaters. NHTSA is still fielding complaints from consumers about seat heaters that burn through upholstery, clothing and skin, like this one from the owner of a 2007 Mercedes GL450, lodged with NHTSA earlier this month:

We had left the home – drove approximately 3 minutes at 20 miles an hour with the seat heater on. All of a sudden the seat started to smoke – it had caught fire. We had a baby in the car, were travelling down a mountain road in Aspen. We pulled over to the side of the road and thankfully were able to put the fire out with snow from a snow bank (what would have happened if it was in the summer?). There is a big hole in our car seat now and obviously – we are not able to use the seat heaters. I see from the reports here that this has happened many times with the same vehicle — there should be a recall done for this issue on this vehicle as someone may be injured severely in the future.

Perhaps you don’t feel sorry for a person who sustains a seat heater fire in a Mercedes on a mountain in Aspen. Mercedes certainly doesn’t. The automaker has not announced a recall. In fact, Mercedes has deployed scorched-butt tactics against those who have the unmitigated temerity to complain that their seats are burning them. Consider the case of Donna Mattie, of North Andover, Mass. who suffered a back burn in her 2010 GL450 shortly after turning on her heated seat on a cool morning:

According to her legal complaint, Mercedes' technicians tested the SUV and determined that all of the temperature points within the driver's seat were operating at 120-125°F (48-51°C) while the seat heater was on its highest setting, which was within the temperature range specified by Mercedes for the 2010 Mercedes GL 450.

This is well above the human heat tolerance limits set by the ASTM of 111°F. And, Mercedes responded to Mattie’s demand for compensation by ignoring it.

Sadly, ignoring the problem seems to the first response from most of the manufacturers and the regulator.

The Outliers

A cursory review of NHTSA’s Vehicle Owner Questionnaire for any narrative concerning seat heaters or seat warmers affecting any passenger vehicle within the 2000 to 2014 model years, and, after weeding out unrelated complaints, we tallied roughly 1,800 instances in which drivers complained about seat heaters that generated enough heat to produce smoldering, smoke, flames, holes in leather upholstery, pants and coats, extreme discomfort beyond the point of human tolerance and burn injuries. Most of these were mild, because occupants who felt a burning sensation were usually able to pull over, discover the source and turn the seat heater off before it did serious damage. But not always. This complaint was lodged on January 10 by the driver of a 2006 M-series Mercedes:

Contact was driving, approx. 15 min. After engine start and seat heater turn-on. Contact felt a burning sensation on posterior/hip. Contact stopped car and got out. There was a burn hole in the driver's seat back at lower left. There were two burn holes through contact's pants. Later examination showed a second degree (blister) burn on contact's hip. This is not a warranty claim as the dealer suggests, but, rather a serious manufacturer defect that causes burn injury.

Nearly every major manufacturer was the subject of at least a few complaints – but, using raw counts, there were definite outliers. We did not refine the raw numbers; we did not try to derive rates based on the proportion of a manufacturer’s fleet with heated seats as an option or standard equipment. With that caveat, here are the winners:  Up and away, the biggest offender was, Volkswagen with 421; followed by BMW with 228 complaints; Jeep with 183; and followed by Mercedes with 136.

Industry Response

Automaker’s willingness to fix these problems has been lukewarm, at best. Some of the most recent seat heater recalls have been from manufacturers that don’t even get on the VOQ’s radar. Aston Martin, with zero complaints to NHTSA, launched a seat heater recall in December for 7,256 vehicles manufactured between 2006 and 2014. In November, Southeast Toyota, a long-time Toyota distributor based in Florida which turns a handy profit installing accessories such as seat heaters,  recalled 3,233 vehicles, covering a wide range models somewhere in the 2006-2011 model years, for the a seat cushion compression problem, which may damage the seat heater wiring.

There was a correlation, however, between manufacturers with a high number of complaints and past recalls, satisfaction campaigns and NHTSA investigations, which seem to indicate that these problems have not been resolved.

The last time BMW addressed a seat heater problem with a recall was in December 2004, when the automaker recalled 15,030 5-Series and 2,875 7-Series for a heating mat in the outboard side bolster of the seat's backrest that could fail due to mechanical loading – i.e. occupants getting in and out of the seat. It seems, as nearly 200 of the complaints we found post-date this recall by four years and into the present, that Bayerische Motoren Werke did not get all of the affected vehicles. Here’s one filed with NHTSA in January:

On a very cold day, I got into my car, and turned on the seat heater on the driver’s side of my X3. I smelled something burning and the side of my waist felt hot as if I was on fire. I realized that it must be the seat heater so I immediately turned it off. I stopped my car, got out and noticed my coat had been burnt. I noticed a burned hole on the side of my seat, in which was the cause of my coat catching fire.

Volkswagen has also made a stab at fixing the problem issuing a silent recall in response to an Office of Defects Investigation probe that went nowhere. The automaker implemented a customer service satisfaction campaign that began in 2007 and was extended in 2009 and 2010. Volkswagen consumers, however, are still complaining about burning seats. More than half were lodged with the agency from 2011 to the present.

Most recent complaint came into the agency this month:

I own a 2000 VW Jetta. My son and I were heading home after a college visit, he turned on his seat heater and began to nap. 20 minutes later, he popped up rubbing his shoulder, the seat heater caused the seat to catch fire and burned a portion of the seat, his shirt and shoulder. I called the dealer and was told they've never heard of that issue and that there has never been a recall for such an issue. I then did an internet search and found where it's a very common issue.

Jeep has issued two seat heater recalls in 2006 and 2009, but for the same group of vehicles, 102,354 Jeep Grand Cherokees. Unfortunately, Jeep owners from the 2002-2004 model years continued to complain, most recently in July:

Seat heaters have been getting progressively hotter. Passenger side got so hot I thought I was burned. My husband and I heard a pop on passenger side and seat heater slowly cooled down and now does not work. Driver side seat so hot we can't use it. I was talking to another Jeep owner and he said he experienced the same thing whereas his wife actually had red marks on her body for a few days. Why is there no recall?

Mercedes has neither mounted a recall, issued a TSB nor launched a customer satisfaction campaign. No, according to a recent class action filed in U.S. District Court in the Central District of California, Mercedes has taken the silent recall one step further, mounting a gag-order recall. The economic class action stems from a May 2014 incident, in which Elizabeth Callaway was driving her 2006 Benz with a friend and the seat heaters. Both smelled smoke, but San Diego County was plagued by brush and wildfires at the time, so both passed the smell off to events outside of the car. The next day, Callaway turned on her seat heater, and again, smelled smoke. But this time, the smoke was definitely inside the vehicle. She rolled down her windows to air the car out, and when she arrived home five minutes later, there was a pain on her left size, a hole through her dress and a corresponding hole through the leather upholstery and seat padding.  

Mercedes agreed to fix her driver’s side seat heater only if she signed a release, agreeing to accept a $500 payment, surrender all claims related to seat heaters against the manufacturer and keep the whole thing confidential. Mrs. Callaway declined.

As The Safety Record pointed out in October, it is likely based on the 17 property damage EWR complaints that Mercedes has submitted to the agency over a decade, that the automaker has been under-reporting property-damage EWRs (see Elective Warning Reports Redux). And, based on the frequency of VOQs regarding seat heaters submitted by Mercedes owners, we suggested that some of those unreported property damage EWRs probably concerned seat heater burns. The December lawsuit also notes that “Mercedes Benz USA has concealed the extent of the issue from NHTSA by not filing all of its Early Warning Reporting claims regarding failed seat heaters.”

Why Isn’t Burning Occupants A Safety Hazard?

Back in the day, NHTSA thought interior car fires were quite undesirable. It was so long ago, that the agency was called the National Highway Safety Bureau. And, in 1968, when bureau representatives met with automakers and the fabric industry to hammer out an interior flammability standard, Mr. Joseph F. Zemaitis, from the Office of Standards on Post Crash Standards explained its purpose:   

The material must be sufficiently resistant to burning so that if ignition does start, the driver and the occupants would have enough time to stop the car and get out. But you can imagine some of the conditions under which that would be quite difficult. For example, a dropped cigarette or let us say a dropped lighter, and we have a number of instances of dropped lighters that did not close but kept on burning, both liquid fuel and gas butane fuel, let's imagine that happens on a six lane Los Angeles highway, the traffic is moving at 65 miles per hour and we’re going to be getting into another increasing area of such possibilities. Not only is the thing dangerous to the occupants but to those involved in a panic it might result in many, many cars being involved in the crashes. We have on record of instances of fires that took place so rapidly in a moving car that there have been fatalities and very serious injuries before the car could be stopped and the occupants removed. So we do know that there are at least some conditions where materials are used of such a nature that extreme danger is involved. The probability that this will always happen with a dangerous material may be remote. But we are interested in, nevertheless, setting a standard so that all materials are adequately evaluated by methods that are common to everybody in the industry so there is complete understanding as to how they will be tested and where they can be tested and, how they will be used so that we eliminate this potential hazard not only now but for the future to come.

Federal Motor Vehicle Safety Standard 302, published in 1971 states: “The purpose of this standard is to reduce the deaths and injuries to motor vehicle occupants caused by vehicle fires, especially those originating in the interior of the vehicle from sources such as matches or cigarettes.”

Mr. Zemaitis and company did not anticipate that 40 years hence, fewer people would smoke, but in the future that came, automobile seats had taken up the habit and the danger would come from what lay under the upholstery. And all that hysterical talk about the beginnings of an interior car fire on a six-lane LA highway – you can imagine it happening on a mountain road in Aspen, or on your way home from a college visit. You can imagine putting the fire out with snow like this driver:

I was in my 2007 Mercedes GL450 and had driven approx. 2 miles with my front driver's seat heater on. I started to notice a strange smell and suddenly the cabin was starting to fill up with smoke. I immediately stopped the vehicle and discovered the left side of the back of my front driver’s seat was on fire. Snow was on the ground so I scooped up snow to pack in the fire/hot spot which had burned a large hole through the vinyl and inside padding material. I later noticed that my jacket had burn marks and a hole in the exact location of the point of the fire.

What consumers and The Safety Record could not have imagined was NHTSA now thinks these scenarios are no big deal. Since 2000, there have been six seat heater investigations: 2 for Volkswagen, 2 for Chrysler and 2 for Mercedes. But all of them ended with no agency action. And if one reads the Closing Resumes, one gets the distinct impression that ODI thinks that people who complain about seat heater burns and fires to be serial exaggerators – about the nature of the event and the extent of their injuries.

The Closing Resume of Engineering Analysis 04-010 concerning seat heater malfunctions in 2002-2003 Volkswagen Jettas is one such example. The agency and the manufacturer had 290 complaints; 593 warranty claims; 77 injuries and 134 fires. Yet, the agency concluded that: “such failures do not pose a significant risk of injury or fire. ODI believes that further investigation would not likely identify a safety-related defect trend.” (Obviously, this pre-dates the Friedman Engineering Defect Universal Protocol [FEDUP], which states: one is an anomaly; two is a trend.) The final report takes pains to dismiss the belly-aching of consumers who thought that the seat heater should not get hot enough to burn holes through the seat:

Only one of these complaints alleged that "flames" were present, and three consumers reported having sought medical attention for their bum injuries. Seventy-seven of the consumer complaints indicated that their clothing had sustained burn damage. ODI found that the allegation of fire were found consistently to refer to visible and localized heat damage to the fabric of the seat cover, as opposed to the occurrence of flames.

So a smoldering cigarette on a car seat is an occasion for rulemaking, but a smoldering heater in a car seat is an opportunity for the agency to opine that people who can afford vehicles with seat heaters are a bunch of privileged babies.

When it took up the issue Safety Research & Strategies argued that regardless of the volume of complaints, seat heaters should never reach temperatures higher than the well-established limits of human tolerance – by design or defect. Some can reach temperatures up to 150ºF in real-world testing, and produce severe burns within minutes of contact. Human heat tolerances have been long established; a maximum temperature limit is a design concept that has been recognized and incorporated by other consumer products manufacturers. There is no reason why the auto industry can’t do likewise. But, apparently there is still little motivation to do so.

Some in the industry appear to get it. Aston Martin, in its Part 573 Chronology of the defect, explained the problem and the solution with little fuss:

“A Recall Committee convened on November 18, 2014 and determined that:

  • A potential defect could occur in the relevant vehicle population,
  • That this defect could lead to a potential safety risk, and,
  • That a voluntary safety recall be completed.”

That’s how it’s done. 

Taking on Takata

Posted on | by admin

Lately, the National Highway Traffic Safety Administration has come in like a wrecking ball, knocking aside manufacturers’ excuses for delaying recalls and other sundry sins with multi-million dollar fines – and now aggressive legal action.

Wednesday, the agency filed – apparently – its first-ever Preservation Order “requiring Takata to preserve all air bag inflators removed through the recall process as evidence for both NHTSA’s investigation and private litigation cases. The order also ensures NHTSA’s access to all data from the testing of those removed inflators,” according to an agency news release.

The move represents an about-face for NHTSA. Last month, it filed statements of opposition to two South Carolina plaintiffs’ emergency motions to preserve evidence in civil liability cases, Angelina Sujata v. Takata and Robert E. Lyon v. Takata. The Sujata case alleges that an exploding Takata airbag inflator sprayed metal shards in the 18-year-old driver. The Lyon case alleges that a Takata inflator caused the airbag to deploy too aggressively. Both plaintiffs are represented by Kevin R. Dean, of Motley Rice, in Mt. Pleasant, South Carolina.

On February 15, 2008, Mary Lyon Wolfe, 57, was at the wheel of her 2002 Honda Accord, when she veered off the right side of the roadway and it a culvert, a mailbox and a tree before coming to rest in the yard of a home on Griffith Drive in Orangeburg. The suit alleges that the vehicle’s frontal airbags delayed deployment and then burst forward with sufficient force to cause serious head, neck and chest injuries. Wolfe was airlifted to Palmetto Richland Memorial Hospital, where she died of her injuries 17 days later.

Sujata was seriously injured on March 2, 2012, when her 2002 Honda Civic rear-ended another driver who came to an abrupt stop on the highway. The driver’s air bag deployed and the inflator exploded, spraying shrapnel into her chest and face.

“I’m very pleased by NHTSA’s preservation order,” Dean said. “It has accomplished the underlying basic request that we were making which was primarily to preserve 10 percent of the returned inflators in each state for testing and analysis by our experts.”

Preservation orders are garden variety motions in products liability cases, but the issue took on an urgency in early January. Dean discovered that LKQ, which bills itself as North America’s largest online provider of recycled original equipment auto parts for cars and light-duty trucks, could not sell him any inflators, because Takata had an agreement to purchase LKQ’s entire inventory. The supplier is gathering some 12,000 inflators a day from recalled vehicles nationwide, and subjecting most of them to destructive testing.  Dean feared that Takata could destroy all of the Florida inventory during testing, leaving none or few for civil litigants to test independently.

Alarmed, Dean, filed an emergency motion for a preservation order on January 9. Honda, Takata and NHTSA immediately objected. The defendants argued that there was no real emergency or threat that evidence would be destroyed. Further, they argued, it would interfere with the multi-district litigation, which is currently in its initial stages.

NHTSA argued that Dean’s effort to preserve some inflators for testing and analysis would interfere with its ongoing investigation into the root cause or causes of Takata airbag inflators malfunctions. The problem appears to be multi-faceted, caused by some combination of manufacturing errors, including improper airbag seam welds on the inflator assembly; the use of ammonium nitrate, a volatile chemical compound which can degrade over time; and potentially defective design of the assembly that does not fail in a controlled manner when it’s over-pressurized. 

In its January 20 statement in the Lyon case, NHTSA said that a preservation order “would put an abrupt halt to Takata’s ongoing testing efforts essential to NHTSA’s safety investigation. Moreover, this order would require the delivery and preservation of hundreds of thousands of recalled Takata inflators at a single location, and thereby would prohibit any transfer of inflators to other entities for further testing, whether carried out by vehicle manufacturers or NHTSA itself. Without readily available access to inflators, including the ability to oversee destructive testing, NHTSA is unable to conduct an effective investigation….This testing will, NHTSA believes, enable the agency to identify the scope of affected vehicles and the root cause of Takata inflator ruptures and to ensure that the recall remedy is robust and effective. This testing is thus a critical element of the agency’s overall mission to protect public safety.”

As Dean pointed out in his reply, NHTSA itself had expressed its doubts about Takata’s honesty and organizational skills. In his November 20 testimony before the Senate Commerce Science and Technology Committee Hearings, Deputy Administrator David J. Friedman conceded:

“[I]t’s been made clear to us they do not have good quality control and do not have good record keeping because further down the road, they had to update indicating they had not provided us with that information. That is one of the key reasons we are demanding under oath they provide us answers about all of these recalls. All of the tests they’ve done on air bags.”

And:

“Senator, I’m not a lawyer, so I don’t know the exact meaning of probable cause. But I will say I don’t trust that they [the Honda and Takata Defendants] have provided us with [everything] . . . with—we know that they have not always provided the auto industry with accurate information of all the loss involved. We haven’t gotten the information we need. We’re looking into this. I have serious concerns and will hold them accountable based on the findings”

Dean’s emergency motion was denied, rendered moot by the MDL, still without a leadership team. But, he believes that the issue for civil litigants has not yet been totally resolved.

“I brought this to NHTSA’s attention because this was an important issue,” Dean says. “They began to understand and to ask questions, NHTSA took an unprecedented step, which should be applauded and is necessary, to make sure there is a preservation agreement and protocol. While NHTSA’s order addresses the important issue of collecting, organizing and cataloguing the inflators in a systematic manner, from a civil litigation perspective, I don’t believe the order addresses everything.”

Meanwhile, a consortium of 10 automakers that used Takata airbag inflators in their vehicles has hired Orbital ATK to conduct independent testing on Takata airbag inflators, under the supervision of former NHTSA Acting Administrator David Kelly, they announced today. According Orbital ATK’s website: “ATK expanded into the aerospace market with the acquisitions of Hercules Aerospace Company in 1995 and Thiokol Propulsion in 2001.” Morton Thiokol, readers will remember, was the NASA engineering contractor for the Space Shuttle Challenger that exploded in 1986, 73 seconds after the launch, killing all seven aboard. The explosion was traced to a failure of the O-ring seals for the solid rocket boosters. Although Thiokol engineers knew that the rings could fail at low temperatures, management, along with NASA made the decision to launch the space shuttle on Jan, 28, 1986, on a morning with unusually low temperature.

Last week, Chief Counsel O. Kevin Vincent informed Takata, which, up until recently had avoided the civil penalties, that it would be charged $14,000 a day – that’s the maximum $7,000 times two for separate Special Orders sent in October and November — for each day that it fails to provide an adequate explanation for some 2.4 million documents it has filed with the agency so far.

In looking at Takata’s EWR submissions, we notice that it looks as though there’s something else Takata forgot to give NHTSA. Honda’s already ponied up $70 million for failing to fulfill its EWR obligations.  But, under Transportation Recall Enhancement Accountability and Documentation Act regulations, component manufacturers are also required to submit death and injury claims. We know from Honda’s Part 573 submissions that it was informing the supplier of injuries as earlier as 2004. We know that Takata was named in some lawsuits. Takata has filed some EWR claims, but we see no EWR submissions that match up to any known deaths or injuries. In fact, there is but one airbag claim for a 2003 incident involving a Honda side airbag. The last time Takata submitted anything to the agency was in 2010.

Takata knew of no inflator claims? More fines to come?

Hackers: Coming to a Vehicle Near You

Posted on | by admin

This week, Senators Edward Markey (D-Mass) and Richard Blumenthal (D-Conn) again took on auto manufacturers, pointing to the privacy and security issues associated with the sophisticated electronic systems that proliferate in today’s vehicles. The senators announced at a hearing on “The Connected World: Examining the Internet of Things,” that they plan to introduce a bill that will require the National Traffic Highway Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to create  federal standards to ensure that automakers protect security and privacy.  Sen. Markey said: “We need the electronic equivalent of seat belts and airbags to keep drivers and their information safe.”

In November, Markey sent questions to 19 manufacturers asking what they are doing to protect new technologies from hacking. Their response, released in a report this week, varied widely, but in short, the take-away was: Not much.

That’s not surprising when automakers still often refuse to acknowledge that electronics systems are any different than mechanical parts. Having the latest technologies leaves little time for thinking about complicated safety and security measures during development. And what incentive do manufacturers have when the regulators have equally ignored the issues?  NHTSA, for its part has never adopted standards to ensure that the electronic systems – many of which offer significant safety benefits – have functional safety built in. The result is that defects emerge when vehicle electronic controls fail (which they will at some point) with varying results from simply no operation to driver’s experiencing complete loss of vehicle control or safety features that cause injuries.  Look no further than the recent re-recall of more than two million airbags that inadvertently deploy because of a degrading electronic chip to understand this concept.

Now the cybersecurity threat is taking the spotlight. In the past, the potential for remote hacking was more of an abstract threat, but not anymore: Last month, BMW announced that 2.2 million vehicles had a security loophole that could allow hackers break into the vehicles using only a smartphone. The glitch was in the BMW Connected Drive system, which allows the vehicle to talk to the car manufacturer about roadside assistance or inspection due dates and has a smartphone app for things like remotely opening the door or activating the horn. This would only give the hacker access to the car, not the ability to operate it, but an enterprising hacker could combine it with a previous vulnerability in the 2010-2011 models’ wireless key fob to actually steal the car.

Central Nervous System

Almost all vehicles on the market today rely on in excess of 50 minicomputers, or Electronic Control Units (ECUs), that control one or more specific aspects of the vehicle’s operation, from dashboard lights to airbag sensors to steering and braking. The ECUs regularly share data with each other through the vehicle’s controller area network (CAN), like nerve signals sent out through the body. That’s why the seatbelt tightens when the brakes are applied suddenly and electronic stability control alters engine torque and wheel speed if more traction is needed. Wireless Bluetooth, smartphones, and infotainment systems also communicate with ECUs, opening up wireless entry points to the CAN. Although the communications ECUs do not control safety features, they are often bridged to other ECUs, especially when the vehicle allows drivers to unlock doors or even start the vehicle from their phones. And all vehicles have a federally mandated OnBoard Diagnostics (OBD-II) port under the dashboard, allowing easy access to anyone seeking to access the vehicle’s internal networks.

Just like a home computer, this network of sophisticated software makes vehicles incredibly vulnerable to hackers, either through physically embedded malware or through wireless access. In 2010, researchers at the University of Washington and the University of California San Diego connected a laptop to two late-model passenger cars’ OBD-II ports to run a CarShark program that manipulated the vehicles’ CANs. They later ran the same program through a car’s Bluetooth system. The researchers were able to prevent the driver in a moving car from braking and lock up the brakes unevenly. The researchers also manipulated the speedometer, turned off all of the cars’ lights, blared the horn, killed the engine and locked the doors to prevent the driver from exiting. They discovered that the gateway between the low-speed networks, which control the less critical functions, and the safety-critical high-speed networks was weak, so compromising any ECU can allow a determined hacker to compromise safety-critical ECUs.

“In starting this project, we expected to spend significant effort reverse-engineering, with non-trivial effort to identify and exploit each subtle vulnerability,” the researchers said. “However, we found exiting automotive systems – at least those we tested – to be tremendously fragile.”

In 2013, two cybersecurity experts, Chris Valasek and Charlie Miller, demonstrated how easy it is to control the steering, braking, acceleration and display in a 2010 Ford Escape and a 2010 Toyota Prius by manipulating their internal wiring. Last year, they surveyed the schematics of 21 vehicles to determine their susceptibility to a remote attack, which unrolls in three stages: the hacker accesses an ECU that “listens” to outside messages; that ECU interacts with a safety-critical ECU; and the hacker makes the safety-critical ECU behave in a way that compromises vehicle safety. Without the actual vehicles to test, they couldn’t determine how easy it would be to remotely attack them through vulnerabilities in the schematics. But Valasek and Miller did find that many vehicles use common desktop technology already familiar to hackers and that 42 percent of the vehicles had no separation between an openly accessible ECU, like remote keyless entry, and a safety-critical ECU. The 2014 Jeep Cherokee, 2015 Cadillac Escalade and 2014 Infinity Q50 appeared to be the most hackable vehicles, while the 2014 Dodge Viper, 2014 Audi A8 and 2014 Honda Accord were the least hackable.

Ironically, Valasek and Miller said new technologies designed for safety might actually leave vehicles more susceptible to security breaches. Manipulating normal braking systems is difficult because the hacker has to find the vulnerabilities and convince the system to apply the brakes, but newer collision prevention systems are already programmed to stop when the CAN receives certain messages – all the hacker has to do is get a message in to the internal network.

At least one real-world hacking incident has been recorded: in 2010, a man fired from a Texas dealership hacked into the dealer’s remote vehicle immobilization system – which lets the dealer disable a vehicle when a payment is missed – and shut off about 100 cars or kept their horns blaring.

With the government’s plans to implement vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) technologies allowing vehicles to “talk” to each other and receive signals from road signs, the hacking threat will only become more imminent, and without proper functional safety designed in, errant signals from one vehicle can potentially affect others around it. 

Message Unreceived

Automakers have typically ignored these warnings. As the Markey report points out, Valasek and Miller approached Ford and Toyota before releasing their 2013 study to the public, giving them a chance to correct the vulnerabilities. But the manufacturers instead claimed it didn’t matter because Valasek and Miller accessed the vehicles through their computer systems and the real danger is remote hacking through a wireless device. The automakers ignored the earlier proof that a remote attack using a wireless Bluetooth stack is just as easy.

The Markey report, “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk,” based in part on responses to a detailed questionnaire by the Senator, found that “many manufacturers did not seem to understand the questions posed” and often gave incomplete or vague answers, or declined to answer altogether. (16 automakers responded to the questionnaire – Aston Martin, Lamborghini, and Tesla declined.) Among the findings:

  • Nearly 100 percent of vehicles have at least one wireless entry point (WEP) that makes it vulnerable to hacking.
  • When asked how they assess security against WEP infiltration and whether they use third-party vendors to test security, about half of the 13 manufacturers who responded to the questions discussed security measures that were related to ensuring the WEP worked as intended, not ensuring it was breach-proof, and even those measures were easily overcome by hackers. The other half mentioned procedures they use in the development process, including threat modeling, penetration testing, input validation and verification, virtual testing, component testing, and physical testing. Only seven automakers said they use outside vendors to verify their security measures.
  • Only 12 companies responded to a question about the number of safety recalls and service campaigns issued between 2009 and 2013 that involved software updates that could be used to introduce malware. Between 11 and 44 percent of the recalls or campaign events involved software updates, which were all delivered in person, not remotely like the BMW “digital recall.” Sen. Markey consulted security experts who said automakers are assuming hackers could not access or acquire the technologies mechanics use, when they should be requiring that the ECU cryptographically verify software updates before they can be uploaded.
  • Only two manufacturers are able to detect and respond to a hacking event in real time. The others said they have systems that record information on-board the vehicle, which “means that infiltrations would only come to the attention of the manufacturer if that data were manually downloaded by a dealer or service center at some subsequent date.”
  • When asked what they are doing to monitor the CAN “buses” that control communications among ECUs and the WEPs and how they would respond to an attack, five companies said the information was confidential, and three did not respond at all. Six companies said they monitor CAN buses and/or WEPs, and two said they are working on monitoring capabilities. They described various monitoring methods, including ECUs that can detect unusual signals, firewalls between ECUs, and seed-key security that allows communication with an ECU only if the message seeking access matches a random security variable. But Sen. Markey’s security experts noted that none of these features would prevent hacking. Only two manufacturers could take action against a hacking event: One has a “fail-safe” mode that limits operations if malfunctions that could cause damage occur, and the other has the option to slowdown and immobilize the vehicle.

Markey also asked about data collected on driver history – a median of 35 percent of vehicles have technologies that can gather enormous amounts of information, such as locations entered into navigation systems, current location, last location parked, steering angle and belt use, tire pressure, engine status and distances and times traveled. Some manufacturers keep the data stored in the vehicle, but others transfer it to a central location, and a large majority contract with outside companies to collect the data. Only one automaker specifically designs the data-storing systems with security protections.

Last year, the automakers tried to head off scrutiny of their lack of mechanisms to protect driver information by creating a set of consumer privacy principles, submitted to the Federal Trade Commission (FTC) by the Alliance of Automobile Manufacturers, Inc., and the Association of Global Automakers. The principles are categorized as: transparency, choice, respect for context, data minimalization, de-identification and retention, data security, integrity and access, and accountability. But Markey noted the vaguely worded principles leave a lot of wiggle room for manufacturer interpretation and discretion.

The report concluded: “The alarmingly inconsistent and incomplete state of industry security and privacy practices, along with the voluntary principles put forward by industry, raises a need for [NHTSA], in consultation with the [FTC] on privacy issues, to promulgate new standards that will protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles.” The standards should:

  • ensure that wireless access points and data-collecting features are protected from hacking
  • validate security systems using penetration testing
  • include measures to respond real-time to hacking events
  • require that drivers are made explicitly aware of data collection, transmission, and use
  • ensure that drivers may opt-out of data collection and transfer
  • require removal of personally identifiable information before transmission

The Safety Record has repeatedly pointed out the gaping holes that have allowed for vehicle electronics to proliferate without first advancing an effective functional safety standard for these systems (see “NHTSA Seeks Input on Electronics Rule”).  The lack of adequate security for these electronics increase the safety hazards associated with these systems.

Right now, the only functional safety standard is the voluntary International Organization for Standardization (ISO) standard ISO 26262, created in November 2011, which outlines rules for performing functional-safety assessments, identifies risks during the design phase, and includes guidelines throughout the lifecycle of the product from development to production to operation to reuse and decommission.

In December 2014, NHTSA finished collecting comments on its long-overdue electronics rule, seeking information to determine “whether there are emerging gaps in the functional safety assurance processes of motor vehicles.” But manufacturers are fighting it. The Association of Global Automakers said in its comments that, “there are already a number of process standards and best practices that have either been published or are in the process of being developed” and that “NHTSA’s participation can most effectively be pursued through collaborative efforts with industry and voluntary standards organizations.” On the issue of cybersecurity, the trade association said adopting standards would exacerbate the problem: “If all manufacturers were required to employ either identical or overly prescribed designs for their electronic systems and cyber-attack countermeasures, such attacks could be more likely, or more widespread, if vulnerabilities were to be identified in the agency’s required approach.”

 

UK Tire Age Bills Moves Forward

Posted on | by admin

While the National Highway Traffic Safety Administration has put aside tire age regulations, Great Britain is inching forward with a bill to ban tires older than 10 years on commercial buses and coaches.

The legislation is the result of a campaign by Frances Molloy, whose 18-year-old son Michael died on July 16, 2012 along with another 23-year-old passenger and the driver in a bus crash caused by the catastrophic failure of a 19-and-a-half-year-old tire. The tire, with legal tread-depth, had been purchased secondhand by Merseypride Travel, which owned the 52-seat coach. In December 2013, after a public inquiry by the North West Traffic Commissioner, Merseypride lost its license to operate public vehicles.

The bill, sponsored by Walton MP Steve Rotheram, requires that Public Service Vehicle operator’s license be granted on the condition that the tires on the vehicle be no more than ten years old. It is an amendment to an existing The House of Commons had ordered the Tyres (Buses and Coaches) Bill 2015 to be printed in July, after its first reading, and later this month, the bill is scheduled for a second reading in the House of Commons. (These are very preliminary stages in the British legislative process. The second reading allows members of Parliament to generally debate its merits. The bill gets closer scrutiny in the next, committee stage, in which experts and interest groups can testify. If the bill survives the committee stage, it returns to the chamber for a debate.)

Molloy has been lobbying for a tire age law since 2012, drumming up political and industry support. In 2012, Molloy and accident re-constructionist David Price met with Secretary of State Patrick McLoughlin, who reports directly to the Prime Minister, to solicit his support. While McLoughlin declined to support a tire age bill, in December 2013, the Department of Transport issued guidance for firms registered with the Vehicle and Operator Services Agency: “As a precaution, the Department for Transport strongly recommends that tyres over 10 years old should not be fitted to the front axles of buses and coaches.”

In October, Molloy, chief executive of Health@Work and chair of Liverpool Community Health NHS Trust, spoke at Brityrex International’s TyreTalk seminars. Molloy also won the backing of the Chief Fire Officers Association – fire departments respond to road crashes – and The National Tyre Distributors Association, which represents new tire retailers.

Molloy says that the NTDA acknowledged that tire age was a conversation that the organization’s members didn’t want to have, but had to have. She made her position clear:

She was willing to listen to the science of tire aging in order to develop the most appropriate policy: “But [the solution] cannot be anything but legislation,” she said. “It has to be something in law, that if you don’t follow it there will be consequences. I’m not negotiating on that.”

In advance of the second reading, Molloy will be featured in a BBC documentary called Inside the Commons. The February 17 episode will show Rotheram’s work with Molloy on tire aging, and she hopes it will win the proposal more advocates in that chamber.  But, if the timing of the documentary episode is good, the timing of the second reading is not. It will be the last of three bills to be heard on a Friday afternoon. Molloy and her bill have to keep at least 100 MPs around long enough to support it, before it can advance to the Committee stage. If it fails to garner enough support, any further legislative action will have to wait until after the general elections in May.

“The second reading is very important, there’s a lot of challenges,” Molloy says. “But I will not give up. I will keep going and I will wear them down before they wear me down.”

Unfortunate Chapter Continues: Toyota Bounced for $11 Million in UA Case

Posted on | by admin

Toyota’s runaway success in blaming drivers for its defective vehicles, hit an $11 million pothole yesterday, after a Minnesota federal jury found that the automaker was 60 percent responsible for an Unintended Acceleration (UA) crash that killed three and severely injured two.

Attorney Robert C. Hilliard, who represented plaintiffs Koua Fong Lee, the driver, and the family in the vehicle that was struck, says it’s the first jury verdict against Toyota in a UA case involving a mechanical defect. The automaker made no offer to settle the case prior to the January trial.

On June 10, 2006, Lee was exiting a Minnesota Highway 94 in a 1996 Camry when his accelerator became stuck in the wide open position. Lee was driving his pregnant wife and children home from services when, at 75 miles per hour, he plowed into the rear of an Oldsmobile Ciera that was stopped at an intersection. Fong alleged that he pushed on the brakes, but they failed to stop the Camry. Driver Javis Trice-Adams Sr., and his 9-year-old son were killed, his father, Quincy Adams and Trice-Adams’ daughter Jassmine Adams were injured. Trice-Adams’ niece Devyn Bolton, 6, was paralyzed and died in October 2007. 

Lee was convicted of vehicular manslaughter in 2008, and served two-and-a-half years of an eight-year sentence. Then, in 2009, the Toyota Unintended Acceleration crisis began to build doubts about the certainty of driver error in the crash. In August 2010, Ramsey County Judge Joanne Smith ordered a new trial. The prosecutor dropped the charges and declined to retry the case. Lee was released from prison.

Hilliard argued that Lee and the Adams family were victims of a design defect in which the plastic pulleys in the cruise control assembly overheat and bind the accelerator cable in the open position. Each time the accelerator was tapped, the throttle would open wider. Lee testified that he tried to bring the car to a stop, but the brakes could not overcome the open throttle. In previous testing the National Highway Traffic Safety Administration showed that vacuum brakes lose their effectiveness if pumped continually. Toyota argued that Lee mistakenly floored the accelerator for six seconds before the crash.

Hilliard attacked that notion in his closing arguments, with an exemplar pedal and a timer.

“Their theory was that Koua Fong Lee, without any panic situation, for some unexplained reason, after driving normally for 30 minutes, suddenly floored it for six full seconds as he is approaching a stop light with a bunch of cars in front of him,” Hilliard said. “I told the jury, for you to believe this, you have to believe that at the top of that hill — I floored it and pushed timer. Six seconds seems like an eternity.”

Toyota had attempted to counter Hilliard’s defect theory with the testimony of a Toyota engineer in Japan who claimed that the company’s “robust protocols” included days-long heat testing at 280 degrees. Then shortly before trial, Toyota filed a declaration from that engineer stating that the company actually did no such testing.

“It was the most amazing declaration I’ve ever seen,” Hilliard recalled, “where he was so proud of that test that it turns out they never did.”

Hilliard also bolstered his case with testimony from other who experienced a UA event, such as a doctor and a Black Hawk military helicopter pilot, who was flown in from Kuwait to testify.

The $10.94 million verdict was divided among the crash victims. Lee’s award was reduced by 40 percent for contributory negligence, but Hilliard says that he will file a post-verdict motion to challenge it — if Toyota’s defective design was the direct cause of the crash, then Lee should receive his full share. 

Meanwhile, Toyota has settled more than 250 injury and death claims under its Intensive Settlement Program in the multi-district litigation involving UA in Toyota vehicles equipped with electronic throttle controls, says West Virginia attorney Hike Heiskell, who represents several plaintiffs with UA claims. 

“They have settled a very high percentage of pending cases. One of the interesting things is how many new incidents are being reported after Toyota entered into the deferred prosecution agreement,” he says of Toyota’s March agreement to plead guilty to one charge of wire fraud and pay a $1.2 billion fine.  

While he sees no applicability of the Lee verdict to cases involving electronic throttles,“still — it’s a system that took control of throttle and produced tragic consequences,” Heiskell says. “It pierces the Toyota defense that this doesn’t happen in the real world. Bookout was a great breakthrough, and this case is a great breakthrough, in letting the public see that it does happen in the real world.”

Trinity ET-Plus Test Replicates Field Failures

Posted on | by admin

​Look at the pictures of this week’s s field test of the controversial ET-Plus energy absorbing end terminal below: Do you see what we see? The curled steel ribbon shows that guardrail began to extrude through the feeder end, as designed, but apparently got jammed up in the chute. The rail folded back into a spear and almost penetrated the Geo Metro’s door:

Courtesy of KSAT.

Trinity President Greg Mitchell saw it. According to the pool reporter who bore witness for her fourth-estate buds: 

“Something seemed very dramatic at impact- different than the same 'off-set small car' test at the 27 ¾ inch test in early January. The damage and impact was entire front end- even looking centered for worst damage. I cannot confirm that nothing penetrated the cab.  The Trinity president and PR rep immediately went to one another with no smiles and fast conversation.”

Indeed. This is more or less how some versions of the ET-Plus end terminal – now under fire after a federal jury concluded that Dallas, Texas-based Trinity Industries had defrauded the government by failing to disclose a significant design change that saved the company $50,000 – is alleged to have performed in the field, with catastrophic consequences to actual humans.

It was the eighth and final test at the Southwest Research Institute’s facility in San Antonio, Texas. The skies were blue and sunny, giving all the observers – including the FHWA, representatives of the American Association of State Highway and Transportation Officials (AASHTO) – and Trinity a clear view of the small-car test using a 31-inch guardrail, with an impact off-set to the passenger side.  

The pool reporter, from her position, about 200 yards from the impact, said:

“The black & white car Geo Metro traveled down the track at approximately 62 mph and hit the ET-Plus guardrail head on but off-set to passenger side of the car.  The car hit the head and crashed through approx. 4 posts while spinning half a turn and into traffic.  Substantial damage occurred to front of this car, with not a lot of 'extrusion/ribboning' of the guardrail.”  

According to the FHWA response to Trinity’s test plan, Trinity was concerned about who would be allowed to watch the tests: “The test plan only references FHWA observers. FHWA intends to bring independent experts, members of AASHTO, and State DOT representatives along with FHWA personnel. FHW A will provide Trinity, in advance, with a list of FHWA personnel and those we wish to invite to attend the crash tests. Trinity agrees, is primarily concerned with impartiality, and will inform FHWA if they have concerns with any of the individuals on FHWA's list.” (Trinity has no particular interest in the outcome, so it makes sense to give the company the final say.) 

Nonetheless, the eleven individuals present on Tuesday were not the only eyes on this testing. After Trinity lost the federal whistleblower lawsuit that competitor Joshua Harman brought on behalf of the government, the FHWA was forced to act. In 2012, the agency allowed Trinity to submit seven-year-old test results which purported to show that the ET-Plus energy-absorbing end terminals manufactured after 2005 performed adequately in crash tests. In the wake of the October finding of fraud and a trebled $175 million damages award, the FHWA ordered a fresh round of tests, but not the off-set tests that mirror how the guardrail was faring in the field. 

Documents obtained from the FHWA by Safety Research & Strategies via a FOIA lawsuit show that in the run-up to the tests, FHWA officials were crafting and re-drafting – with guidance from Chief Counsel Thomas Echikson and many hands within the Office of Safety Technologies – responses to pointed questions from the press and U.S. Senator Richard Blumenthal (D-Conn.). 

Although the 267 pages are full of R & R (repetition and redactions), amid the effort to churn out a FAQ, a press release related to the testing plan, and a letter accepting Trinity’s  testing plan, are internal communications regarding a meeting with Blumenthal’s staff. The senator has publicly expressed reservations about the test protocol, which experts say is out of date, and the lack of a crash test that mimics field performance.

According to documents released by the agency, ABC producer Cindy Galli also posed a series of questions to the FHWA – among them, about Trinity’s financial ties to the SWRI, and whether the results of these tests would conclude the matter for the federal government. The agency responded:

"We're reviewing data to determine whether the ET-Plus and other comparable end treatments have vulnerabilities under conditions not covered by NCH RP 350 testing and are considering whether additional analyses, including evaluations of the end treatments' performance on roads, are warranted.•

Surely, Trinity President Greg Mitchell would agree. In a November 6 letter, he presented his bonafides to the FHWA:

“The safety of the American driving public is very important to Trinity, and we take very seriously the safety of the products that we manufacture for installation on the nation's roadways. We believe that this process will confirm going forward that our products meet the NCHRP Report 350 standards.” 

As the Safety Record Blog knows from reading so many letters of this variety, everybody and their Grandmas takes safety seriously. How one’s somber mien translates into demonstrable action – ah, here is where there is much disagreement. Scientific studies show that a sizeable percentage of people who say that they take safety seriously believe that this utterance alone suffices. 

Now that there is videotaped evidence that the process did not provide Trinity or the FHWA with the unequivocal confirmation that the ET-Plus is a NCHRP standard-bearer, what are either going to do about it?

Behind the Honda $70 Million Fine

Posted on | by admin

Honda had its turn on the ducking stool yesterday. The Japanese automaker, which had previously disclosed that a data entry glitch led to a failure to report some 1,729 death and injury claims to the National Highway Traffic Safety Administration’s Early Warning Reporting system, got held underwater until it agreed to pay $70 million in fines.  

NHTSA’s press release blamed Honda “for failing to comply with laws that safeguard the public.” But it’s far more important to examine the longstanding systemic problems behind the headline. In an audit prepared by the defense litigation firm Bowman & Brooke, Honda explained it as an institutional failure to populate or correctly code certain fields on a form that ultimately went to the Product Regulatory Office, which was responsible for submitting EWR data.  Honda learned about the problem from NHTSA’s Office of Defects Investigation (ODI) in late 2011. Yet, the automaker did not correct this administrative error and the regulator did not impose a penalty until three years later — when both were in the teeth of a Category 5 sh-tstorm over exploding Takata-supplied airbags.

Indeed, the EWR system, a key component of the 2000 Transportation Recall Enhancement, Accountability, Enforcement and Documentation (TREAD) Act, was intended to sharpen the agency’s defect detection capabilities and “safeguard the public.” But it hasn’t always worked out that way. NHTSA and the industry regard EWR as little more than a bureaucratic pain-in-the-neck: The first thing the industry did during the EWR rulemaking process was fight to keep the data secret, and the agency’s first order of business was to pare down the amount of information coming to it.

Instead of giving investigators a heads-up on emerging defects, it has functioned as an identifier of failed recalls. Manufacturers report – or not. There’s no robust process for auditing participation. There are no benchmarks for sanctions. In addition to Honda, Congress caught Ferrari failing to report a single claim in a decade. In 2013, Safety Research & Strategies caught a tire maker and two child seat manufacturers that did not report injuries and death claims to EWR; The Safety Record reported that Mercedes is likely severely under-reporting physical damage claims. Honda and Ferrari were fined, because the Hill has taken an interest. But it’s clear that they aren’t the only offenders. 

In official publications, NHTSA touts EWR’s role in identifying defects or supporting defect investigations. But in more intimate settings, NHTSA has taken a less sanguine view. To the National Academies of Science committee on electronic throttle controls, representatives of the ODI said EWR was too vague to be really useful:

“In briefings to the committee, ODI analysts noted that the EWR data lack the detail needed to be the primary source for monitoring the fleet for safety defects and that the main use of these data (especially the field reports) has been to support defect monitoring and investigations by supplementing traditional ODI data,” according to the Safety Promise and Challenge of Automotive Electronics: Insights from Unintended Acceleration.

At a recent legal conference for the defense bar, NHTSA’s Chief Counsel O. Kevin Vincent conceded: “Frankly [EWR]’s not early and it’s sometimes really not a great warning, because you have to dig down into the data.”

What Honda’s Fine Tells Us about NHTSA: No Follow-Up

Once a defect reaches the public crisis stage, and everyone starts ripping at the veils of secrecy that have draped a particular problem heretofore from widespread notice, one key factor in the run-up pops up regularly: NHTSA knew pretty early on and did not respond appropriately. The last five years has seen three whoppers: Toyota Unintended Acceleration, loose GM ignition switches and Takata airbags. In each case, the release of documents from entities outside of the agency shows that NHTSA saw the iceberg coming but, for various reasons, did not adjust its course.

  • Toyota Unintended Acceleration – In December 2003, Steve Chan, a NHTSA ODI staffer, wrote an Issue Evaluation documenting the spike in acceleration complaints in Camrys equipped with a drive-by-wire throttle. The memo noted that Toyota had already issued two technical service bulletins that related to the problem. In doing his peer analysis, Chan showed that the total complaints for Camry and Lexus vehicles far exceeded those for Honda, Nissan and Dodge models, but that the Camry and Lexus complaint rate was comparable to that of the Nissan Maxima. Nonetheless, Chan found that “the complaints do not show a geographic or seasonal trend but do show a strong recent trend of UA incidents.” Chan’s risk assessment concluded: “Although most of the alleged UA incidents had occurred at very low speed (5 to 15 mph), the percentage of incidents that resulted in a crash is high (27/40 or about 68%). Estimation from some of the complainants on engine surging duration ranged from a low of 2 seconds to as high as 20 seconds. These incidents, thought generally at low speeds, are of high risk to pedestrians because they represent situations that could occur in parking lots, at intersections, and at school lots.” NHTSA declined to open an investigation.

 

  • GM Ignition Switches — In March 2007, a group of GM employees met with NHTSA representatives in Washington, D.C., to discuss occupant restraint systems. During this meeting, a NHTSA representative informed the GM employees of a fatal crash that occurred on July 29, 2005, in which a 2005 Cobalt was involved in a frontal collision, the airbags did not deploy, and data retrieved from the car’s sensing and diagnostic module (SDM) indicated that the car’s power mode status was “accessory.” In May 2007, NHTSA sent GM a Death Investigation information request regarding an October 2006 fatal Wisconsin crash. In September of that year, ODI’s Department of Defect Assessment advised opening a formal investigation into the problem. According to a memo written by DAD head Greg Magno, the pattern was noted in 2005 and was investigated by the Special Crash Investigation (SCI) team (which suggested the connection between the non-deployment and the loose ignition switch Technical Service Bulletin): “Notwithstanding GM’s indications that they see no specific problem pattern, DAD perceives a pattern of non-deployments in these vehicles that does not exist in their peers and that their circumstances are such that, in our engineering judgment, merited a deployment, and that such a deployment would have reduced injury levels or saved lives.” NHTSA declined to open an investigation.

 

  • Takata Airbags – According to a review of Honda’s EWR failures by Bowman & Brooke, in late 2011 or early 2012, two employees of NHTSA’s ODI informed Jay Joseph, of American Honda Manufacturing’s Product Regulatory Office, that airbag injury and  death claims were missing from the automaker’s EWR reports: “In looking over separate reports provided by Honda pertaining to the Takata airbag recall, they had noticed that there were half a dozen or so injury or death incidents listed on the detailed spreadsheet that was provided to NHTSA by Mr. Joseph in connection with NHTSA’s review of Takata airbag performance that they could not find having been previously reported as EWRs in the TREAD reporting system.” Joseph explained that two of the incidents were not reportable because the vehicles were more than a decade old, and he would get back them about the others. According to the audit, he did not, and NHTSA apparently did not ask again.

 

In the case of Toyota, NHTSA was hampered by its failure to keep up with the technological changes in automotive safety-critical systems. It didn’t know much about automotive electronics because it had never regulated them and had not laid an institutional foundation of knowledge. If you don’t know how something works, how can you investigate it? Instead, it cowered in its comfort-zone of mechanical defects and driver error, and every ounce of agency energy has been expended in preserving that view to this day.

In the other two defects, ignorance is a little harder to claim. In the case of GM, NHTSA defended its decision by saying that it didn’t understand that the airbags were turned off when the ignition was in the accessory position. But, the connection had already been made by a Wisconsin State Trooper who investigated the October 2006 crash involving a 2005 Cobalt, which  killed the 15-year-old driver, Megan Phillips, and passenger Amy Rademaker – and by NHTSA’s own SCI team, which also investigated that crash.

In the Takata airbag saga, we learn several things from that single sentence in Honda’s audit report. In 2011, NHTSA caught Honda under-reporting death and injury claims and took no action. NHTSA had a detailed spreadsheet of injuries and deaths caused by “unusual” and “energetic” airbag deployments. Yet, the Recall Management Division allowed Honda to make Part 573 Defect and Noncompliance reports without ever mentioning deaths or injuries from this defect – so the public was largely unaware. NHTSA, which had no formal open investigation into Honda’s rolling recalls since 2009, did not open a new formal investigation, despite this knowledge of injuries and deaths.

A Brief History of EWR

In 2000, Congress passed the TREAD Act in the wake of the Ford Explorer/Firestone tire fiasco. The EWR system required manufacturers to submit reams of death, injury, property damage, warranty claims and other information to the government on a quarterly basis. The information was supposed to help government investigators identify defect trends.

EWR data consists of aggregates of broad defect categories, such as “powertrain” and “airbags” but no sub-categories. So it is impossible to determine from EWR data even some of the common defect trends, such as non-deploying airbags, or inadvertently deploying airbags, or ignition switch failures. (If NHTSA investigators want information beyond the general categories code they request the underlying documents for review.)  Any incident involving a vehicle older than 10 years or a tire older than five years does not have to be reported. 

The TREAD Act presumed that most of the EWR data would be public, but after a court battle between the Rubber Manufacturers Association and Public Citizen over the accessibility of tire claims data, NHTSA responded by keeping warranty claims, consumer complaints to the manufacturer, field reports, common green tire information, production data for all except light vehicles, and the last six digits of the vehicle identification number in death and injury claims confidential. Only death, injury and property damage information was included in the public dataset.

In the 2007 Final Rule, NHTSA amended the definition of “fire” to more accurately capture fire related events, eliminated the requirement to produce hard copies of product evaluation reports, and required automakers to update missing vehicle identification number (VIN)/ tire identification number (TIN) or components on incidents of death or injury to a period of no more than one year after NHTSA received the initial report.

In August 2013, the agency added new reporting categories related to emerging technologies.  The Final Rule mandated that automakers specify the vehicle type and the fuel and/or propulsion system type in their quarterly EWR submissions, and added new component categories of electronic stability control, forward collision avoidance, lane departure prevention, backover prevention systems for light vehicles and stability control systems for buses, emergency vehicles, and medium-heavy vehicle  manufacturers.

 

How Significant are EWR Failures?

Early Warning Reports offer no laser-like precision, but they are not useless. In a 2012 Preliminary Regulatory Evaluation, NHTSA said: “Since 2004, EWR data have played a role in the opening of 150 Preliminary Evaluations (PEs). Among those 150 PEs, 31 PEs have been opened based on EWR data, with the remaining 119 PEs supported—but not initiated—by EWR data.”

In an undated document entitled Public Release of EWR Data, the agency said:

As of October 1, 2011, NHTSA has used the EWR data in 225 investigations; 68 were launched because of EWR data alone; 157 were prompted by other information but supported by the EWR data.

The Safety Institute, a non-profit organization founded by SRS president Sean Kane, has also demonstrated the use of EWR data through its Vehicle Safety Watch List.  “The watch list is the culmination of years of hearing that NHTSA simply didn’t have the data to spot problems sooner” said Kane.

And yet, NHTSA, proudly “data-driven,” remains unwilling to make its peace with this unwanted tool. If the agency caught Honda under-reporting EWR data in 2011, it’s fair to assume this wasn’t the first time it found missing claims from a manufacturer. Honda was in no hurry to fix it. There’s no question that it is Honda’s obligation to make these reports, and it deserves to be sanctioned for breaking the law. But, we submit that but for the agency’s laissez-faire attitude toward EWR, Honda might have corrected it much sooner.

NHTSA’s new administrator, Mark Rosekind, has correctly identified some of NHTSA’s most serious gaps – a need for a formal, structured approach to vehicle defect analysis and recalls. He has vowed to seek more resources and authority from Congress.

Where is EWR in this mix? In a recent Automotive News article, Rosekind recounted a conversation with “a senior employee from NHTSA’s Office of Defect Investigations who suggested using less data could be more effective in spotting defects, rather than more.” At best, it’s a curious stance for any investigator to take. But, when you consider the record, perhaps it’s not entirely crazy. Not knowing doesn’t seem to be NHTSA’s problem so much as not doing, caused by a long history and complex combination of a lack of resources, technical knowledge, process, procedures and priorities.

 

The Run Down on the NTSB Tire Symposium

Posted on | by admin

Last week, the National Transportation Safety Board (NTSB) brought together tire industry players, federal regulators, and consumer advocates for a tire safety symposium to evaluate the tire recall system, new technologies, tire age and service life, and consumer awareness in preparation for a tire safety report and recommendations scheduled for release next year.  The intervention by the NTSB, which provides formal safety recommendations independent from NHTSA, signifies an important step in pressing for industry and regulators to address these unresolved safety issues.

But turning around the leaky super-dreadnaught that is our tire recall system isn’t going to be easy. Forty years after the Tire Identification Number (TIN) system was created, techs and consumers are still forced to rely on pen and paper and a lot of searching to figure out whether a tire has been recalled.  While most vehicle and tire manufacturers have issued recommendations and warnings on tire age (i.e., maximum service life), these practices are still little known and rely on consumers and service providers to decode the date of manufacture hidden in the alphanumeric TIN. While most other industries have installed automated systems to individually track goods, but the tire industry has no such mechanism – despite its important role on a vehicle. And TIN numbers are not machine readable; thus, when they move through the distribution chain, retailers and servicers cannot easily determine the tires’ age and recall history in their inventory or for customers who rely on them. The result is that recalled and over-aged tires (that look like perfectly serviceable tires) slip through the cracks undetected. 

Symposium Highlights

By far, the best moment in the two-day confab was symposium chair Earl Weener’s rebuke of the Rubber Manufacturers Association’s assertion that it just can’t change anything about the way it does anything. For example, Tracey Norberg, the RMA’s Senior Vice President of Regulatory Affairs and General Counsel argued that it would be too difficult to radio-frequency identification (RFID) chips into tires. (RFID chips could store the tire’s age and recall information allowing dealers and service techs to scan the tires every time they inspect a vehicle.) Such technology would be challenging, she said, because it could change the structural integrity of the tire – not to mention all the complicated questions about what information to put on the chip, how it’s used, and who will read it and how.

Weener wasn’t buying it:

“That’s interesting because I think an awful lot of people in this audience have an iPhone. That iPhone can read QR codes, can read barcodes, can read UBS codes. But somehow that is too much technology for the tire manufacturers and for the tire distribution process. You know, you go to the airport and about every third person checks in with their iPhone, with a barcode on them,” he said. “So it seems to me that maybe some imagination is required.”

Imagination? Tire manufacturers have been developing RFID technology in tires since 1994. Michelin, Goodyear and others have been embedding RFID tags into commercial and racing tires for years.

Weener noted that despite the TREAD Act, in place for 14 years, NHTSA’s revisions to the tire endurance and resistance standards, and the tire pressure monitoring systems (TPMS) requirements, “…we are still seeing accidents—accidents these measures were intended to address. By holding this symposium, our goals are to explore the effectiveness of these various initiatives in improving highway safety, and identify what additional work needs to be done.”

Much of the symposium was littered with the same arguments we’ve come to expect: NHTSA and the manufacturers continued to point the finger at consumers—tire-related crashes would be minimal if only consumers would perform weekly tire inspections, constantly monitor air pressure and tread depth, have service stations regularly rotate and inspect their tires, do extensive research before purchasing a tire, know better than to buy a used tire, and promptly send in the registration card dealers always helpfully provide so that diligent manufacturers can inform them as soon as there is a recall. As the RMA’s Dan Zielinski said, “there certainly are a number of people talking about [the importance of tire maintenance] and in very a consistent way, and it’s easy for consumers to find, but we’re still facing a significant population that’s not always paying attention to it.”

Other noteworthy moments:

  • NHTSA cites faulty data. Randy Whitfield, of the data-analysis firm Quality Control Systems Corp., dropped a bomb during his presentation on tire safety data, showing that the data that NHTSA has relied on to show that tires are safer is not accurate. Whitfield performed a detailed analysis of the NHTSA’s Fatality Analysis Reporting System (FARS) database—which records all tire-related fatalities. Whitfield’s assessment, sponsored by non-profit The Safety Institute, indicates that the number of tire-related crashes and resulting deaths has remained relatively constant since 1995. Despite acknowledging that Whitfield is right about the FARS data, NHTSA pointed to a study showing that tire-related deaths and injuries have decreased by half since Federal Motor Vehicle Safety Standard 139 made tires more robust. But Whitfield told the NTSB “that’s just not true” because the agency is looking at a survey with a small sample size of crashes involving light passenger vehicles towed for tire-related damage, rather than evaluating all tire-related crashes. Whitfield’s science-based conclusions failed to stop the data-driven NHTSA from quoting the same incorrect figures later in the day. 

“It was stunning to me that a speaker following my talk and following even NHTSA’s statistician’s talk, which confirmed my numbers, was making statements that tire-related casualties have come down,” Whitfield said. “That means we live in a fact-free zone, and that’s dangerous.”

  • Infighting in the industry. There was also dissention in the industry ranks. The RMA, whose members include eight tire manufacturers, and the Tire Industry Association (TIA), made up predominantly of tire dealers, have always held fast to the voluntary system that requires retailers to hand consumers the manufacturers’ registration cards. But now the RMA wants to put the burden solely on the retailers. At the symposium, RMA’s Norberg announced that the group wants a mandatory registration system requiring retailers to electronically register the tire at the time of the sale.

That drew ire from the TIA’s Kevin Rohlwing, who said it’s already too big of a burden for retailers to have to stock registration cards from several manufacturers—instead, retailers should just have to give the customer the TIN and tell them what website they can use to register the vehicles. For too long, the industry has put the entire burden for the registry system on the dealers without providing them with the tools they need to easily do the job, and it looks like the dealers have had enough. (The same can be said about the tire age recommendations.)

  • Tire aging got some of the spotlight. The industry leaders stuck to the same old story that tire age isn’t nearly as important to preventing a crash as keeping the tires properly inflated, without explaining how air pressure is going to keep a 13-year-old spare tire from detreading on a hot highway when it’s put into service. The RMA also offered its age-old argument that there is no “one date” when a tire becomes too old, so a tire expiration date of six or 10 years would force consumers to spend money on a tire that could still be serviceable for several more years. (The RMA continues to ignore the 10 year recommendations of many of its members.)  Sean Kane of Safety Research & Strategies, who presented at the symposium, countered by comparing it to blood alcohol content, saying “we have recommendations for blood alcohol. The states have adopted a .08. And there’s a reason for that. Does that mean that everybody at .08 is going to crash their car on the way home? I don’t think so. I think we understand that there’s an increased risk at that point, and it’s a good point at which we want to cut that off and draw a line in the sand.”

Norberg also mentioned offhand that if tire makers were only interested in money, they would want a tire-aging standard because then they could sell more tires. What she and the manufacturers forgot to mention is that rubber manufacturers have an antiquated logistics and supply chain that doesn’t individually track tires.  The result is that, especially with the proliferation of sizes, tires in the retail stream can be in excess of a year old. When a customer knows that the product has an expiration he or she will likely insist on newer tires or a discount on the older ones. Someone has to pay for that. The only way to avoid those costs is to implement an individual tracking and automated system.

 

The NTSB’s Tire Safety Report

The NTSB’s 2015 report that will include detailed examinations of at least two fatal tire-related crashes that occurred in February 2014. On February 15, the left rear tire on a 2004 Kia Sorrento detreaded, causing the driver to lose control, spin out through an interstate median, and crash into a school bus carrying 34 members of a Louisiana high school baseball team in Centerville, La. Four of the Kia occupants died, and the fifth was severely injured. Thirty of the bus passengers suffered injuries. The Michelin Cross Terrain tire was 11 years old when it failed. 

A week later, on February 21, the left rear tire on a 2002 Ford 350 XLT 15-passenger van experienced a complete tread separation while driving on an interstate in Lake City, Fla. The driver lost control, and the van swerved onto an embankment and rolled over. Two adults died, and all of the other occupants, including several children, suffered injuries. The tire had been recalled shortly after Sam’s Club put it on the vehicle in 2012 because it had a potential for tread loss or rapid air loss from a tread-belt separation. Sam’s Club mechanics inspected the tire in November 2013 but failed to identify and remove the recalled tire.  Neither retailers nor the tire manufacturers have a recall system that allows consumers or service professionals to determine whether a specific tire is recalled. 

The two crashes highlight the dangers of the outdated tire identification and recall system.

Tire recall notification relies on retailers providing consumers with registration cards that need to be completed with the TIN and sent to the manufacturers.  In some cases tire dealers register tires at the point of sale – but that still requires a manual process of transcribing 11 alpha-numeric characters off each tire (accurately) into a system that is then transmitted to the manufacturers.  It’s a slow arduous process that is not conducive to high registration rates and remediation which is in part why tire recall return rates average less than 30 percent. 

Assuming consumers do learn of a recall, there is no database that allows them to search for recalls by TIN number.  (Date codes on tires are found in the last four digits and are coded by the week and year.  For example 4313 equates to the 43rd week of 2013. Tires prior to 2000 relied on three digits and confounding this system are the NHTSA requirements which mandate a complete TIN with the date code only on one side of the tire.  TINs also contain codes associated with the plant of manufacture, size and model and are not unique identifiers, thus thousands of tires can have the same TIN number. 

So to determine if the tire has been recalled, servicers and consumers must still find the full TIN—sometimes requiring that they lie down under the vehicle with a flashlight, if only the partial TIN is showing—then search through NHTSA’s database by make and size and pour over the lists to see if the TIN number is included. It’s a confusing and laborious process retailers and servicers do not have time to undertake and consumers often don’t understand.

On the tire age/service life front, most of the industry has acknowledged in the last decade that tires degrade over time regardless of use and should be removed after about six to 10 years.  Spare tires, tires on little used vehicles and used tires with adequate tread often exceed these recommendations and still appear serviceable (See “Aged” Tire Case Numbers Grow

NHTSA has been researching the issue of tire aging since 2003 and has confirmed that age plays a role in tire safety but has declined to do anything other than advise consumers to follow recommendations from automakers and tire manufacturers.  Nearly every automaker recommends removing tires after six years, and many tire manufacturers recommend removal at 10, but those recommendations are buried in owner’s manuals and technical bulletins, and—despite all the talk about increasing consumer awareness and education—the industry players have consistently failed to tell even their own dealers and servicers that aging is a safety concern. And if consumers were better informed about the dangers of tire aging, the only way to find out a tire’s age is to decipher the odd date code in the TIN.

These problems could be fixed by utilizing scanning technology that’s been available for years that can include RFID or QR codes for example (see Tire Recalls and Tire Safety: The RFID Solution) that could automate the information needed.  But efforts to seriously consider these changes have been repeatedly stymied by the tire manufacturers, led by the RMA, which is intent on passing the responsibility to everyone else – NHTSA, dealers, and consumers. 

The general take: the NTSB is really paying attention and may issue recommendations urging NHTSA and the industry to finally implement some common-sense tire safety regulations and practices. The NTSB is best known for its investigations of aircraft crashes, but the board has played an important role in advancing motor vehicle on issues ranging from the inclusion of rear-seat lap and shoulder belts in the 1980s to recent improvements in highway and rail grade crossings.  More than 80 percent of NTSB recommendations have been adopted.  Typically, NHTSA’s first reaction to the NTSB’s advice is to ignore it, but maybe for reasons we cannot fathom, this time will be different. The Safety Record can dream anyway.

A webcast of the symposium and the panelist presentations is available here.

Texas Attorney Asks NHTSA for Tire Investigation

Posted on | by admin

National Highway Traffic Safety Administration Chief Counsel O. Kevin Vincent’s message to the defense bar a few months ago at a legal conference was pretty clear – keep us in the loop, or risk the consequences. NHTSA’s message to the plaintiffs’ bar has been more like radio silence, so it will be interesting to see what the Recall Management Division does with a request to investigate the failure of a tire distributor to recall a defective Chinese tire already recalled by a different distributor, marketing the same tire under a different brand name. 

Michael Cowen, of the Cowen Law Group in Brownsville, Texas wrote to the agency today asking for an Equipment Query regarding Hercules A/T radial tires sold by the Hercules Rubber & Tire Company.

Cowen represents Krystal Cantu, 25, who lost half of her right arm in an August 2, 2013 crash caused by a catastrophic tread separation. Cantu was a front-seat, belted passenger in a 2004 Ford Explorer Sport Trac, when the left-rear tire – a Capitol Precision Trac II – failed as the vehicle traveled southbound on Interstate 37 in Atascosa County, Texas. The driver lost control when the vehicle skidded; Ms. Cantu’s right arm was crushed in the subsequent rollover.

ITG Voma cited this crash in its October Part 573 Notice of Defect and Noncompliance to recall 94,890 Capitol Precision Trac II tires manufactured between December 2008 and May 2010. The defective tires, actually manufactured by Shandong Yongsheng Rubber Co., Ltd., lacked a nylon cap ply, which made the tires less robust and prone to tread separations.

“Selling essentially the same tire and under a different brand that isn’t covered under the recall needs to be thoroughly investigated by NHTSA.  Our request and the information submitted to the agency should assist them in obtaining a complete accounting of all the tires that need to be taken off the roads” Cowen said in a press release. 

On April 2, 2014, Cantu filed a lawsuit against Voma and the Shandong Yongsheng Rubber Co., Ltd., among other defendants. During the discovery phase of the case, a manufacturer’s representative revealed that the Capitol Precision Trac II shared a common green tire designation with another tire branded as the Hercules Radial A/T in eight different sizes. NHTSA defines a common green tire as “tires that are produced to the same internal specifications but that have, or may have, different external characteristics and may be sold under different tire line names.”  This means that the Hercules A/T and Capitol tires are essentially the same.

Under federal recall regulations, the company that brands the tire is considered the manufacturer, and is responsible for reporting defects to NHTSA and launching a recall. In a December 17 letter, Cowen asked the agency to open a defect investigation called an Equipment Query to pursue the Hercules Rubber & Tire Company, a marketer of replacement tires, headquartered in Findlay, Ohio and a partner of the Cooper Rubber & Tire Company, to launch a recall.

In 2007, Foreign Tire Sales (FTS), a tire importer based Union, New Jersey launched a recall after discovering that tires manufactured by the Hangzhou Zhongce Rubber Co. Ltd for FTS had been built without or with inadequate .6mm c-shaped gum strips used to prevent the separation of belts. The recall followed a legal claim alleging that a catastrophic tread separation of a Telluride 245175R16 tire manufactured by Hangzhou and sold by FTS caused a fatal rollover crash. FTS had claimed to NHTSA that Hangzhou sold similar tires via other importers. The agency’s Recall Management Division responded by sending letters to 17 tire importers/distributors of Hangzhou tires.

The EQ was eventually closed with no further action – all 17 distributors claimed that they had none of the defective tires.

“This underscores the important role litigation plays in identifying safety defects” says SRS President Sean Kane. “It will be interesting to see how many of these defective tires actually come out of service in this campaign given the failed recall system.”

The weaknesses of the current tire recall system were among the topics discussed at length last week at a tire safety symposium hosted by the National Transportation Safety Board. The NTSB held the meeting in advance of a tire safety report and formal recommendations, expected to be issued next year.

Time to Close the Silver Book

Posted on | by admin

For a report that’s a quarter of a century-old, testing old technology and resting on questionable assumptions, An Examination of Sudden Acceleration (also known as the Silver Book) has exerted an out-sized influence over the search for root causes in unintended acceleration events. Manufacturers have loved the document, for its emphasis on driver error as the cause of any event that cannot be readily reproduced. In the absence of any expertise, the National Highway Traffic Safety Administration has used it as a crutch whilst hobbling around a UA defect investigation it cannot resolve.

Antony Anderson, the U.K.-based electronics engineering consultant, says it’s time to consign its conclusions to the dung heap of discredited scientific lore with the likes of alchemy and spontaneous generation. His newest technical paper Intermittent Electrical Contact Resistance as a Contributory Factor in the Loss of Automobile Speed Control Functional Integrity published online by the Institute of Electrical and Electronics Engineers (IEEE) debunks one of The Silver Book’s central tenets, documents the real gaps the automotive industry’s fail-safe systems and makes suggestions for a course correction going forward.

Anderson’s observations are particularly astute in light of a rulemaking on functional safety in automotive electronics. In October, the agency published a Federal Register Notice seeking comments on the possibility of writing regulations to ensure the safety of automotive electronics. The 10-page request for comments satisfies a directive from the federal legislation known as MAP–21 to “complete an examination of the need for safety standards with regard to electronic systems in passenger motor vehicles.” Comments are due on Monday.

Anderson devotes a couple of sections to taking apart An Examination of Sudden Acceleration and its flawed diagnostic approach:

A major obstacle to the discussion of electrical intermittency in relation to SA incidents is the claim, often repeated by the automobile industry and by NHTSA, that the 1989 NHTSA Sudden Acceleration Report proves beyond all doubt that SA incidents were most probably the result of driver error. This collective mind-set appears to brook no argument and tends to kill stone-dead all reasoned discussion on the subject of electrical intermittency.

It’s most important and destructive assumption, he argues, has no scientific foundation, although it “remains the basis of diagnostic testing for `intermittent electronic failures’ that might cause an SA to this day: ‘If the cause of an SAI is an intermittent electronic failure, physical evidence may be difficult to find, but the failure mode should be reproducible either through in-vehicle or laboratory bench tests.”

This assumption belies the findings of electronics experts who agree that intermittent faults are extremely difficult to find, and that their random, intermittent nature can escape the notice of a vehicle’s diagnostic system. No Fault Found in a field return is a field failure, and should be used in the quest to identify the cause. Further, “the arbitrary introduction of ‘reproducibility’ by NHTSA as the proof for intermittency defines most suspected electronic intermittencies out of existence,” Anderson says.

Any Sudden Acceleration Incident that cannot be replicated leads to the “inescapable” conclusion that the event was the result of driver error. In the driver-error scenario, the Silver Book posits that some vehicle malfunction causes the engine to surge, startling the driver and causing him to depress the accelerator on the mistaken belief that it is the brake. Here, Anderson observes that the root cause is actually the malfunction that caused the driver to startle in the first place and that two of the hypothetical culprits – an idle stabilizer malfunction or a cruise control malfunction – were intermittent electronic malfunctions. (In the case of Unintended Accelerations in Audi, which prompted the report in the first place: Between 1982 and 1987, Audi issued six recalls to address Sudden Unintended Acceleration in its vehicles. Three of them replaced worn idle stabilizer units.) 

Anderson then sets about challenging that premise by using a reed relay to simulate a mechanically-induced electrical intermittency either as an open circuit or a short circuit. His experiments show that intermittent speed sensor connections can generate false speed signals that overcome the vehicle’s low speed inhibit logic. For example, a single mechanically-induced intermittency in one of the speed sensor connections or on the microcontroller PCB, plus a signal to tell the cruise control to engage makes it possible for the system to take over speed control from the driver.

And, because vehicles with electronic throttle controls are not fitted with an independent failsafe system, the driver “becomes the fail-safe for any potential malfunction of the electronic throttle,” Anderson writes. “The automobile industry is unique in this respect – in any other industry loss of speed control would be protected against and, as a last resort, there would be an emergency stop button.”

He scoffs at electronic brake over-ride systems, software patches that run on the same hardware as the electronic throttle – they wouldn’t work in a software malfunction, and therefore are only a “partial fail safe against pressing the accelerator at the same time as the brake.”

Instead, Anderson makes several suggestions for dealing with unintended accelerations: restricting the fuel supply to the engine the moment that an un-commanded wide open throttle condition is detected; suppression of half or a lower fraction of the ignition pulses to reduce engine power; opening a bypass valve in the hydraulic torque converter to reduce the transmitted power.

Anderson’s false speed signal experiments joins other research studies that show how a vehicle can go to an uncommanded wide-open throttle, with no fault found. Southern Illinois University Automotive electronics Professor David Gilbert showed that a short in the accelerator pedal position sensor could cause a wide-open throttle. Scientists from NASA’s Engineering Safety Center demonstrated tin whiskers could cause a UA with no trouble code set and embedded systems expert Michael Barr found a mountain of software errors could lead to vehicle malfunctions, including a UA, unbeknownst to the diagnostic system.

We can only hope that eventually, these more empirically based efforts will overcome the Silver Book’s unfathomable momentum.