NTSB issues 9 safety recommendations after Tesla crash investigation; says no vehicle in US is self-driving
The National Transportation Safety Board held a public board meeting Tuesday during which it determined the probable cause for the fatal 23 March 2018, crash of a Tesla Model X in Mountain View, California.
Final rest locations of the Tesla, Audi and Mazda vehicles involved in the 23 March 2018, crash in Mountain View, California. Photo courtesy of S. Engleman.)
Based on the findings of its investigation, the NTSB issued a total of nine safety recommendations the recipients of which include the National Highway Traffic Safety Administration (NHTSA), the Occupational Safety and Health Administration (OSHA), SAE International, Apple Inc., and other manufacturers of portable electronic devices. The NTSB also reiterated seven previously issued safety recommendations.
The NTSB determined the Tesla “Autopilot” system’s limitations, the driver’s over-reliance on the “Autopilot” and the driver’s distraction—likely from a cell phone game application—caused the crash.
The Tesla vehicle’s ineffective monitoring of driver engagement was determined to have contributed to the crash.
Systemic problems with the California Department of Transportation’s repair of traffic safety hardware and the California Highway Patrol’s failure to report damage to a crash attenuator led to the Tesla striking a damaged and nonoperational crash attenuator, which the NTSB said contributed to the severity of the driver’s injuries.
This tragic crash clearly demonstrates the limitations of advanced driver assistance systems available to consumers today. There is not a vehicle currently available to US consumers that is self-driving. Period. Every vehicle sold to US consumers still requires the driver to be actively engaged in the driving task, even when advanced driver assistance systems are activated. If you are selling a car with an advanced driver assistance system, you’re not selling a self-driving car. If you are driving a car with an advanced driver assistance system, you don’t own a self-driving car.
In this crash we saw an over-reliance on technology, we saw distraction, we saw a lack of policy prohibiting cell phone use while driving, and we saw infrastructure failures that, when combined, led to this tragic loss. The lessons learned from this investigation are as much about people as they are about the limitations of emerging technologies. Crashes like this one, and thousands more that happen every year due to distraction, are why “Eliminate Distractions” remains on the NTSB’s Most Wanted List of Transportation Safety Improvements—NTSB Chairman Robert Sumwalt
The 38-year-old driver of the 2017 Tesla Model X P100D electric-powered sport utility vehicle died from multiple blunt-force injuries after his SUV entered the gore area of the US-101 and State Route 85 exit ramp and struck a damaged and nonoperational crash attenuator at a speed of 70.8 mph.
The Tesla was then struck by two other vehicles, resulting in the injury of one other person. The Tesla’s high-voltage battery was breached in the collision and a post-crash fire ensued. Witnesses removed the Tesla driver from the vehicle before it was engulfed in flames.
The NTSB learned from Tesla’s “Carlog” data (data stored on the non-volatile memory SD card in the media control unit) that during the last 10 seconds prior to impact the Tesla’s “Autopilot” system was activated with the traffic-aware cruise control set at 75 mph.
Between 6 and 10 seconds prior to impact, the SUV was traveling between 64 and 66 mph following another vehicle at a distance of about 83 feet. The Tesla’s lane-keeping assist system (“Autosteer”) initiated a left steering input toward the gore area while the SUV was about 5.9 seconds and about 560 feet from the crash attenuator.
No driver-applied steering wheel torque was detected by Autosteer at the time of the steering movement and this hands-off steering indication continued up to the point of impact. The Tesla’s cruise control no longer detected a lead vehicle ahead when the SUV was about 3.9 seconds and 375 feet from the attenuator, and the SUV began accelerating from 61.9 mph to the preset cruise speed of 75 mph.
The Tesla’s forward collision warning system did not provide an alert and automatic emergency braking did not activate. The SUV driver did not apply the brakes and did not initiate any steering movement to avoid the crash.
The driver was an avid gamer and game developer. A review of cell phone records and data retrieved from his Apple iPhone 8 Plus showed a game application was active and was the frontmost open application on his phone during his trip to work. The driver’s lack of evasive action combined with data indicating his hands were not detected on the steering wheel, is consistent with a person distracted by a portable electronic device.
NTSB identified seven safety issues during the crash investigation:
Driver Distraction. The Tesla driver was likely distracted by a gaming application on his cell phone before the crash, which prevented him from recognizing that Autopilot had steered the SUV into a gore area of the highway not intended for vehicle travel. The driver was using a company-supplied phone, but his employer, Apple Inc., did not have a policy preventing cell phone use while driving. Strong company policy, with strict consequences for using portable electronic devices while driving, is an effective strategy in helping to prevent the deadly consequences of distracted driving. Additionally, an engineering solution to the distracted driving problem is needed. Electronic device manufacturers have the capability to lock out highly distracting functions of portable electronic devices when being used by an operator while driving, and such a feature should be installed as a default setting on all devices.
Risk Mitigation Pertaining to Monitoring Driver Engagement. The Tesla Autopilot system did not provide an effective means of monitoring the driver’s level of engagement with the driving task, and the timing of alerts and warnings was insufficient to elicit the driver’s response to prevent the crash or mitigate its severity. Requirements are needed for driver monitoring systems for advanced driver assistance systems that provide partial driving automation (SAE Level 2 systems), and Tesla needs to develop applications that more effectively sense the driver’s level of engagement and that alert drivers who are not engaged.
Risk Assessment Pertaining to Operational Design Domain (the operating conditions under which a driving automation system is designed to function). Crashes investigated by the NTSB continue to show that the Tesla Autopilot system is being used by drivers outside the vehicle’s operational design domain (the conditions in which the system is intended to operate). Despite the system’s known limitations, Tesla does not restrict where Autopilot can be used. Tesla should incorporate system safeguards that limit the use of partial driving automation systems (Autopilot) to those conditions for which they were designed. Additionally, the National Highway Traffic Safety Administration has failed to develop a method for verifying that manufacturers of partial automation systems are incorporating system safeguards that are critical to ensuring the safety of the motoring public.
Limitations of Collision Avoidance Systems. The Tesla’s collision avoidance assist systems were not designed to, and did not, detect the crash attenuator. Because this object was not detected, (a) Autopilot accelerated the SUV to a higher speed, which the driver had previously set by using adaptive cruise control, (b) the forward collision warning did not provide an alert, and (c) the automatic emergency braking did not activate. For partial driving automation systems to be safely deployed in a high-speed operating environment, collision avoidance systems must be able to effectively detect potential hazards and warn of potential hazards to drivers.
Insufficient Federal Oversight of Partial Driving Automation Systems. The USDepartment of Transportation and the National Highway Traffic Safety Administration (NHTSA) have taken a non-regulatory approach to automated vehicle safety. NHTSA plans to address the safety of partial driving automation systems through enforcement and a surveillance program that identifies safety-related defect trends in design or performance. This strategy must address the risk of foreseeable misuse of automation and include a forward-looking risk analysis. Additionally, NHTSA should complete a further evaluation of the Tesla Autopilot system to ensure the deployed technology does not pose an unreasonable safety risk.
Need for Event Data Recording Requirements for Driving Automation Systems. Advanced driver assistance systems that provide partial automation collect significant safety relevant data that can be used for crash analysis and risk assessment. Currently, manufacturers provide limited access to this data and there is no standardization of retrievable data parameters. This report describes NTSB’s previous safety recommendations and the inaction of federal regulators to address this important issue area that is needed to foster system safety improvements.
Highway Infrastructure Issues. As part of this crash investigation, the NTSB issued a safety recommendation report addressing systemic problems related to the timely repair of traffic safety hardware in California. Investigators found that on the day of the collision, the crash attenuator at the US-101–SR-85 interchange was in a nonoperational damaged condition because of a previous crash, which had occurred 11 days earlier on March 12, 2018. The Mountain View report briefly summarizes the findings of the safety recommendation report and the actions taken by the state of California to address this safety issue.
To address these safety issues the NTSB made nine safety recommendations that seek:
Expansion of NHTSA’s New Car Assessment Program testing of forward collision avoidance system performance.
Evaluation of Tesla “Autopilot”-equipped vehicles to determine if the system’s operating limitations, foreseeability of misuse, and ability to operate vehicles outside the intended operational design domain pose an unreasonable risk to safety.
Collaborative development of standards for driver monitoring systems to minimize driver disengagement, prevent automation complacency and account for foreseeable misuse of the automation.
Review and revision of distracted driving initiatives to increase employers’ awareness of the need for strong cell phone policies prohibiting portable electronic device use while driving.
Modification of enforcement strategies for employers who fail to address the hazards of distracted driving.
Development of a distracted driving lock-out mechanism or application for portable electronic devices that will automatically disable any driver-distracting functions when a vehicle is in motion.
Development of policy that bans nonemergency use of portable electronic devices while driving by all employees and contractors driving company vehicles, operating company issued portable electronic devices or when using a portable electronic device to engage in work-related communications.
The NTSB also reiterated seven previously issued safety recommendations issued to: the National Highway Traffic Safety Administration (H-15-4, H-17-39 and H-17-38); the Department of Transportation (H-17-37); and Tesla (H-17-41 and H-17-42). The reiterated safety recommendations issued to Tesla (H-17-41 and H-17-42) were also reclassified from “Open―Await Response” to “Open―Unacceptable Response,” as were two reiterated safety recommendations issued to NHTSA (H-17-39 and H-17-40) and one (H-17-37) issued to DOT.
The full final report is expected to publish online in the next few weeks. Lessons learned from the emergency response to the post-crash fire will be incorporated into a separate NTSB report on electric vehicle battery fires. That report is expected to be released in the third quarter of calendar year 2020.