The National Highway Traffic Safety Administration has published a Federal Register Notice seeking comments on the possibility of writing regulations to ensure the safety of automotive electronics. The 10-page request for comments, satisfying a directive from the federal legislation known as MAP–21 to “complete an examination of the need for safety standards with regard to electronic systems in passenger motor vehicles,” would have been an excellent addition to Volume 54 of the Federal Register (published in 1989).
The notice, published in Volume 79, takes note of the sea-change in automotive systems over the last three and a half decades, enumerating the transformation with the kinds of statistics that emerged during the agency’s February 2010 assessment of Toyota Unintended Acceleration, but were ultimately deemed to have no connection to the defect:
“The first common use of automotive electronics dates back to 1970s and by 2009 a typical automobile featured over 100 microprocessors, 50 electronic control units, five miles of wiring and 100 million lines of code.”
The agency also takes note of the difficulties this presents:
“Over time, growth of electronics use has accelerated and this trend is expected to continue as the automotive industry develops and deploys even more advanced automated vehicle features. This trend results in increased complexities in the design, testing, and validation of automotive systems. Those complexities also raise general concerns in the areas of reliability, security, and safety.”
And:
“Growing system complexity and abundance of design variants even within one manufacturer over model years and across classes of vehicles pose general concerns over whether existing processes can ensure their functional safety. Further, anomalies associated with electronic systems—including those related to software programming, intermittent electronics hardware malfunctions, and effects of electromagnetic disturbances—may not leave physical evidence, and hence are difficult to investigate without a record of data from the electronic systems.”
NHTSA announced its intention of determining “whether there are emerging gaps in the functional safety assurance processes of motor vehicles.”
The Safety Record would argue that the concerns about and the gaps around the functional safety and reliability of today’s automotive electronics are present, specific and abundant. For example, NHTSA talks about the ways electronics make vehicles safer, and mentions electronic stability control. There’s no doubt that it can save a vehicle from a loss-of-control crash. In 2007, the agency published a Final Rule establishing Federal Motor Vehicle Safety Standard No. 126, requiring that passenger cars, multi-purpose passenger vehicles and trucks and buses with a Gross Vehicle Weight Rating of 10,000 pounds or less implement electronic stability control, with full fleet implementation by 2012. According to the agency’s last analysis, published in 2011, “ESC was associated with a 6-percent decrease in the likelihood that a vehicle would be involved in any police-reported crash and an 18-percent reduction in the probability that a vehicle would be involved in a fatal crash. The effects become more pronounced when you look at the effect on light trucks: 7 percent overall crash reduction; 20 percent reduction in fatal crashes. ESC reduced first-event rollover scenarios by 56 percent in passenger cars and by 74 percent in LTVs. Fatal impacts with fixed objects are reduced by 47 percent in passenger cars and 45 percent in LTVs.”
But there was nothing in that Final Rule ensuring that ESC systems failed safely. So in March 2013, Honda recalled 183,000 Honda Pilots for inadvertent braking caused by two separate malfunctions of its ESC system, called Vehicle Stability Assist. Honda blamed it on damaged capacitors on the electronic control unit (ECU) circuit board which “may be capable of applying a small amount of braking force for a fraction of a second, even if the brake pedal has not been applied by the driver.” Or, it could be caused by loose electrical ground connector fasteners, which could increase the electrical resistance in the system and send the wrong signal, leading to braking while the vehicle was underway.
Here’s how it played out in the field for Carrie Carvahlo, a Honda Pilot owner from Massachusetts. On October 10, 2010, Carvahlo was in the passenger seat of her 2005 Honda Pilot, with her friend at the wheel, when suddenly, “the car exhibited a very loud groan and the brakes engaged bringing the car to a dead stop in the middle of the road. The vehicles behind her Pilot had to swerve to avoid hitting the car. The driver had his foot on the accelerator the whole time but the brakes engaged on their own,” according to the complaint. A couple of minutes later, the Pilot’s brakes again engaged with no command from the driver. Carvahlo filed a Defect Petition, which eventually forced Honda to launch the recall.
NHTSA’s characterization of vague unease is belied by scores of recalls and investigations related to electronic defects. In 2011 The Safety Record examined 12 months of recalls to determine the prevalence of recalls related to electronic defects. After reviewing 722 recall campaigns, The Safety Record found that electronics recalls comprised more than a quarter; of those, 24 recall campaigns addressed software defects.
In October of that year, Nissan recalled 2004-2006 Armada, Titan, Infiniti QX56 and model year 2005-2006 Frontier, Pathfinder and Xterra vehicles, because of a compromised engine control module relay within the intelligent power distribution module. The automaker told NHTSA that a diode in the relay could allow silicon vapors to form, allowing silicon oxide to develop on the ECM relay contact, causing arcing. This, Nissan said, could lead to a sudden engine stall.
In November 2011, Volvo recalled more than 6,000 XC70, XC90, S80 and S60 vehicles within certain chassis ranges because the engine and transmission software calibration was so sensitive that the vehicle could suddenly stall after a stop and go into a reduced power mode. Volvo had to update the software.
In the last 30 days, NHTSA listed three investigations related to electronic defects – low-speed UA in Toyota Corollas, loss of Electric Assisted Power Steering in Ford Fusion, Mercury Milan and Lincoln MKZ vehicles, and failures of the Totally Integrated Power Module (TIPM) installed in Chrysler SUVs, trucks, and vans.
In the last 30 days, there were several electronic recalls, among them:
- General Motors recalled some 2013-2014 Cadillac XTS and MY 2013-2014 Chevrolet Impala vehicles which might have left the factory with the sensing and diagnostic module set to “manufacturing mode,” meaning that the vehicle's air bags would not deploy in the event of a crash.
- Ford recalled MY 2013-2014 Ford C-Max and Fusion, and Lincoln MKZ vehicles because the coating on portions of the Restraint Control Module could crack, and when exposed to humidity could cause the circuits on the printed circuit board to short. It also recalled MY 2011-2013 Focus ST because insufficient compression in the engine wiring harness splices to the Manifold Absolute Pressure sensor could send incorrect signals to the powertrain control module (PCM), resulting in an engine stall.
- Chrysler recalled some MY 2013-2014 SRT Viper vehicles because inaccurate seat position sensors could cause the frontal air bags to deploy with a lower velocity than designed for the actual seat position.
In response to the notice, Sean Kane, president of Safety Research & Strategies, said: “I would argue that NHTSA, instead of meeting the challenges posed by the difficulties in investigating intermittent electronic defects, has largely pretended that they don’t exist. In the Toyota Unintended Acceleration debacle, the agency cherry-picked data, twisted drivers’ testimony, dismissed physical evidence, and generally missed no opportunity to insist that UA was caused by mechanical interference or driver error.”
In 2007, ODI opened and quickly closed a Preliminary Evaluation into sudden unintended braking involving about 100,000 MY 2000-2001 Mercedes M-class vehicles, without taking any action. Mercedes dazzled ODI with a presentation in which the automaker simulated electrical faults in the yaw rate sensor and showed how “the ESP [Electronic Stability Program] system is programmed to diagnose electrical faults and that brake applications resulting from yaw rate sensor electrical faults are very short in duration (0.3 seconds or less) and don’t affect vehicle control or stability.” The Vehicle Research and Test Center was unable to duplicate the problem in a vehicle that had experienced multiple events, so the investigation was terminated.
Neither system had adequate fail-safes.
Two years ago, NHTSA attempted to upgrade the accelerator control standard by proposing that manufacturers be required to equip all vehicles with a brake override, which cuts throttle voltage in electronic throttle control (ETC) vehicles when the brakes and throttle are in conflict. The Notice of Proposed Rulemaking was in direct reaction to the Toyota UA crisis, but the proposal merely codified manufacturers’ current designs, and noted that it was meant to address unintended accelerations caused by mechanical failures: component disconnections and pedal misapplication. It noted “allegations” of UAs with electronic causes, but ignored manufacturers’ own recalls for electronically-based UAs.
The agency, in posing a series of questions to the public, made (with no small irony) this admission: “Functional safety assurance of modern automobiles requires a thorough understanding of electronic control systems’ design under a variety of scenarios.”
Among its inquiries:
- Should the agency pursue alternative approaches to categorize and prioritize potential electronic control system hazards and impacts to support new standards?
- What other automotive electronics should it consider in its research that could affect the electronics in the safety critical systems?
- What performance-based tests, methods, and processes are now available for safety assurance of throttle, braking, steering, and motive power management?
- What performance-based tests should the agency consider to ensure safe functionality of these types of automotive electronic control systems under all real-world conditions?
- What methods are effective in identifying potential anomalous behavior associated with electronic components, systems, and communications reliably and quickly?
- What strategies do current vehicles have for activating a “fail-safe” mode when critical problems are detected?
- What types of problems are classified as “critical” and how does the vehicle detect these problems?
- What state-of-the-art detection and fail-safe response methods should the agency be aware of and further assess?
Good questions, all. One hopes that the agency takes seriously the answers and suggestions from members of the public who are not also members of the Alliance of Automobile Manufacturers. The latter has shown no appetite for regulations. In 1995, for the first time since FMVSS 124 was first established in 1972, the agency proposed to gather information in advance of an upgrade, to explicitly state its applicability to new types of engines and throttle controls, and to add a new test procedure to address different types of powertrain technology. According to the 2002 NPRM, manufacturers were not interested in helping: “In general, the comments of vehicle and engine manufacturers did not address the specific questions in the notice. Instead, they voiced a preference for rescinding the standard altogether, suggesting that market forces and litigation pressure are sufficient to assure fail-safe performance without a Federal Motor Vehicle Safety Standard.”
Automakers have proven to be unreliable narrators of their own systems and ODI has proven to be all too credulous of their stories. Toyota, for example, claimed in multiple responses to UA investigations that its electronic throttle control system could not fail without the diagnostic sensing system taking note. That assertion had no basis in fact, as shown by Dr. David Gilbert of Southern Illinois University in his examinations for Safety Research & Strategies, and further detailed by software expert Michael Barr, who examined Toyota’s source code line by line for Bookout v. Toyota. The case involved a September 2007 crash that seriously injured the driver, Jean Bookout, and killed her passenger, Barbara Schwarz. Bookout was exiting Interstate Highway 69 in Oklahoma in a 2005 Camry when she realized that she could not stop her car. She pulled the parking brake, leaving a 100-foot skid mark from the right rear tire and a 50-foot skid mark from the left. She could not stop the Camry, which flew across the road at the ramp’s bottom, crashing into an embankment.
Barr concluded that Toyota’s software system was defective and dangerous, riddled with bugs and gaps in its failsafes that led to the root cause of the crash. Among the many deficiencies: possible bit flips, task deaths that would disable the failsafes, memory corruption, single-point failures, inadequate protection against stack overflow and buffer overflow, single-fault containment regions, and thousands of global variables. Barr called Toyota’s safety architecture “a house of cards.”
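As an added illustration (not code from the page, from NHTSA or from any automaker) of two points above, the brake-override logic described in the rulemaking discussion and the failsafe gaps Barr listed, here is a minimal throttle arbiter in C: the override rule idles the throttle when brake and accelerator conflict, a complement mirror catches a single bit flip in the pedal value, and a heartbeat check catches a dead monitor task instead of letting it silently disable the checks. All type names, field names and thresholds are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical control-unit state; field names are assumptions, not any real ECU's. */
typedef struct {
    uint16_t pedal_pct;      /* accelerator position, 0..100 */
    uint16_t pedal_pct_inv;  /* bitwise complement of pedal_pct, written together with it */
    bool     brake_on;       /* brake switch closed */
    uint32_t heartbeat;      /* counter the safety-monitor task bumps every cycle */
} ecu_state_t;

enum throttle_cmd { THROTTLE_NORMAL, THROTTLE_IDLE, THROTTLE_LIMP };

uint16_t g_last_pct;  /* throttle percent commanded in the most recent cycle */

/* One control cycle. prev_heartbeat is the monitor counter seen last cycle. */
enum throttle_cmd arbitrate(const ecu_state_t *s, uint32_t prev_heartbeat)
{
    g_last_pct = 0;
    /* Fail-safe 1: a monitor task that stopped counting is treated as dead,
       so a task death cannot silently disable the checks below. */
    if (s->heartbeat == prev_heartbeat)
        return THROTTLE_LIMP;
    /* Fail-safe 2: value and its complement must still XOR to all ones;
       a single flipped bit in either copy is caught here, as is an out-of-range value. */
    if ((uint16_t)(s->pedal_pct ^ s->pedal_pct_inv) != 0xFFFFu || s->pedal_pct > 100u)
        return THROTTLE_LIMP;
    /* Brake override: brake and accelerator in conflict -> throttle to idle. */
    if (s->brake_on && s->pedal_pct > 0u)
        return THROTTLE_IDLE;
    g_last_pct = s->pedal_pct;
    return THROTTLE_NORMAL;
}

/* Builds a constructed state and runs one cycle. corrupt=true flips one bit of
   the mirror to stand in for a RAM bit flip; monitor_alive=false freezes the
   heartbeat at the value the previous cycle already saw. */
enum throttle_cmd cycle(uint16_t pedal, bool brake, bool corrupt, bool monitor_alive)
{
    ecu_state_t s;
    s.pedal_pct = pedal;
    s.pedal_pct_inv = (uint16_t)~pedal;
    if (corrupt)
        s.pedal_pct_inv ^= 0x0008u;
    s.brake_on = brake;
    s.heartbeat = monitor_alive ? 6u : 5u;  /* previous cycle observed 5 */
    return arbitrate(&s, 5u);
}
```

Only the last two checks exist in this toy; a production arbiter would also require the mirrored pair to be written atomically and the monitor task to verify the arbiter in turn.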
More recently, we give you the case of Bristol, RI Corolla owner Robert Ruginis, whose wife experienced a low-speed UA while parking the vehicle that resulted in a minor crash. Ruginis, unlike hundreds of other Toyota owners who suffered crashes in similar circumstances, was lucky enough to obtain an Event Data Recorder readout which affirmed Kathy Ruginis’ account. In the five seconds before the airbag made the decision to fire, the data showed that there was no input from the accelerator, but braking, and a doubling of speed and engine RPM. Somehow, with nothing touching the accelerator, the Corolla experienced a surge, despite braking. The engine control module, like its manufacturer, was silent on this contradiction.
Comments are due to the NHTSA docket by December 8, 2014.