
Further support for model-based design in the development of safe vehicles comes from the forensic study of unintended acceleration (UA) that the US National Highway Traffic Safety Administration (NHTSA) initiated in 2010 and contracted to the National Aeronautics and Space Administration (NASA) Engineering and Safety Center (NESC). The NESC's final report is dated January 2011 and was released by NHTSA in February 2011.

The forensic investigation employed -

"a top-down systems engineering approach that explored the critical functions in the electronic throttle control of a particular vehicle model, how the system might defend against failures (fail-safe design features), and if the system has vulnerabilities.”

Modelling and simulation assisted in the investigation -

“… critical throttle control functions were modeled to look for potential algorithm or logic issues that could lead to unintended throttle opening. The models were validated on benchtop simulators consisting of a pedal, electronic control module (ECM), and throttle assembly configured for test functionality. Software and hardware test scenarios were based on both a top-down understanding of the system design and a bottoms-up (sic) testing of the electronic sensor inputs and postulated electronics failures that may affect the throttle position.” [UA Report, extracted from pp 14-16]

The same report states on p 150:

“Model-Based Design (MBD) is a mathematical and visual method of addressing problems associated with designing complex control systems. It is used in many motion-control systems, industrial equipment, aerospace, and automotive applications. MBD provides an efficient approach for establishing a common framework for communication throughout the design process while supporting the development cycle ("V" diagram). In MBD, development is manifested in the following steps: modeling a system, analyzing and synthesizing a controller for the system, simulating the system, and integrating all these phases by implementing the system.”
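The two passages above describe the method in the abstract: model the critical throttle control functions, look for logic issues that could open the throttle unintentionally, and exercise the model with postulated sensor and electronics failures. The following is an added, deliberately simplified illustration of that workflow; it is not code from the NESC report and does not represent the ECM logic of any vehicle. Everything about the controller is assumed for the example: two redundant pedal position sensors that should agree within a tolerance, a valid voltage band for each sensor, a first-order lag for the throttle plate, and a limp-home behaviour that closes the throttle when a fault is detected. The pedal profile and the injected faults are constructed test inputs.

```python
"""Simplified model-based check of an electronic throttle control (ETC) fail-safe.

Hypothetical model written for this page (not the NESC report's model, not any
vehicle's ECM). Assumed, not from the page: two redundant pedal sensors that must
agree within TOL, a valid sensor band [V_MIN, V_MAX], a first-order throttle
plate lag, and a limp-home that closes the throttle on any detected fault.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

V_MIN, V_MAX = 0.5, 4.5      # valid sensor voltage band (assumed); outside = wiring fault
TOL = 0.3                    # max allowed disagreement between the two sensors (assumed)
SETTLE_STEPS = 20            # steps the plate needs to close once commanded to 0
PLANT_GAIN = 0.25            # first-order lag of the throttle plate per step

Ecm = Callable[[float, float], Tuple[float, Optional[str]]]
Injector = Callable[[int, float, float], Tuple[float, float]]


def pedal_to_volts(demand: float) -> float:
    """Driver demand 0..1 -> sensor voltage across the valid band."""
    return V_MIN + demand * (V_MAX - V_MIN)


def volts_to_demand(v: float) -> float:
    return min(1.0, max(0.0, (v - V_MIN) / (V_MAX - V_MIN)))


def ecm_single_sensor(s1: float, s2: float) -> Tuple[float, Optional[str]]:
    """Controller variant with no cross-check: trusts sensor 1 alone (the logic issue)."""
    return volts_to_demand(s1), None


def ecm_with_plausibility(s1: float, s2: float) -> Tuple[float, Optional[str]]:
    """Fail-safe variant: range-check both sensors, then cross-check them."""
    for name, v in (("s1", s1), ("s2", s2)):
        if not (V_MIN <= v <= V_MAX):
            return 0.0, f"{name} out of range ({v:.2f} V)"     # limp-home: close throttle
    if abs(s1 - s2) > TOL:
        return 0.0, f"sensor mismatch ({abs(s1 - s2):.2f} V)"
    return volts_to_demand((s1 + s2) / 2), None


@dataclass
class StepLog:
    t: int
    true_demand: float
    throttle: float
    fault: Optional[str]


def simulate(ecm: Ecm, demand_profile: List[float], inject: Injector) -> List[StepLog]:
    """Closed loop: pedal -> sensors (with injected faults) -> ECM -> throttle plate."""
    throttle, log = 0.0, []
    for t, demand in enumerate(demand_profile):
        s1 = s2 = pedal_to_volts(demand)
        s1, s2 = inject(t, s1, s2)
        cmd, fault = ecm(s1, s2)
        throttle += PLANT_GAIN * (cmd - throttle)   # plate lags the command
        log.append(StepLog(t, demand, throttle, fault))
    return log


def unintended_opening(log: List[StepLog], settle: int = SETTLE_STEPS,
                       closed: float = 0.02) -> Optional[int]:
    """Safety property: once the pedal has been released for `settle` steps the
    throttle must be (nearly) closed. Returns the first violating step, or None."""
    released_for = 0
    for e in log:
        released_for = released_for + 1 if e.true_demand == 0.0 else 0
        if released_for >= settle and e.throttle > closed:
            return e.t
    return None


# Constructed scenario: pedal at 60% for 40 steps, then fully released for 60 steps.
PROFILE = [0.6] * 40 + [0.0] * 60


def no_fault(t: int, s1: float, s2: float) -> Tuple[float, float]:
    return s1, s2


def s1_stuck_after_release(t: int, s1: float, s2: float) -> Tuple[float, float]:
    """Postulated failure: sensor 1 freezes at its pressed value from step 40 on."""
    return (pedal_to_volts(0.6), s2) if t >= 40 else (s1, s2)


def s1_short_to_supply(t: int, s1: float, s2: float) -> Tuple[float, float]:
    """Postulated failure: sensor 1 line shorted to the 5 V supply from step 10 on."""
    return (5.0, s2) if t >= 10 else (s1, s2)


def run_all() -> Dict[Tuple[str, str], Optional[int]]:
    """Every controller variant against every postulated failure; None means the property held."""
    results = {}
    for ecm_name, ecm in (("single_sensor", ecm_single_sensor), ("plausibility", ecm_with_plausibility)):
        for fault_name, inj in (("nominal", no_fault), ("stuck", s1_stuck_after_release),
                                ("short", s1_short_to_supply)):
            results[(ecm_name, fault_name)] = unintended_opening(simulate(ecm, PROFILE, inj))
    return results


if __name__ == "__main__":
    for (ecm_name, fault_name), viol in run_all().items():
        status = "OK" if viol is None else f"unintended opening at step {viol}"
        print(f"{ecm_name:14s} {fault_name:8s} -> {status}")
```

Run as a script it prints one line per combination: the single-sensor variant passes the nominal run but keeps the throttle open after the pedal is released when sensor 1 sticks or shorts high, while the variant with range and plausibility checks detects both failures and closes the throttle. That is the shape of the top-down/bottom-up work the report describes: a safety property stated over the model, a controller whose logic is checked against it, and postulated electronics failures fed in at the sensor inputs. In a real programme the model would then be validated on a bench rig with the actual pedal, ECM and throttle body, as the quoted passage says.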

A final NESC Recommendation states, on p 174:

R-1. It is recommended that NHTSA consider whether additional study, government regulation, or policy is warranted based on the findings and observations within this report.
a. Controls for managing safety critical functions, as currently applied to the railroad, aerospace, military and medical sectors, warrant consideration [as part of automotive safety].

The US Transportation Research Board (TRB), a board of the US National Research Council (NRC), was asked by NHTSA, via the NRC, to review the UA investigations and to recommend ways to strengthen the agency's safety oversight of automotive electronics systems. TRB's Committee on Electronic Vehicle Controls and Unintended Acceleration released its report, Special Report 308, in January 2012 (onlinepubs.trb.org/onlinepubs/sr/sr308.pdf). Its second recommendation, on p 124:

“NHTSA convene a standing technical advisory panel comprising individuals with backgrounds in the disciplines central to the design, development, and safety assurance of automotive electronics systems, including software and systems engineering, human factors, and electronics hardware. The panel should be consulted on relevant technical matters that arise with respect to all of the agency's vehicle safety programs, including regulatory reviews, defect investigation processes, and research needs assessments.”

UA has been investigated in the US since 1973 (www.safetyresearch.net/2011/09/06), and it is not a single-OEM problem. It belongs to a general class of safety-critical engineering problems in which the risk of harm to people, property and the environment is very high once the interacting systems that are meant to prevent the hazard fail; the same holds for many other unsafe outcomes beyond UA.

Adequately addressing specification, architecture, optimization, design and verification in safety-critical engineering requires the pervasive deployment of model-based design: high-fidelity mathematical models in specification, and operational (executable) models in design, development, verification and validation.

Read the published report at: Transportation Research Board (onlinepubs.trb.org/onlinepubs/sr/sr308.pdf)