|
From:
|
NTSB
|
|
To:
|
Tesla Motors
|
|
Date:
|
10/25/2021
|
|
Response:
|
The National Transportation Safety Board (NTSB) appreciates the productive and professional cooperation extended by Tesla’s technical staff to our investigators over the course of our various crash and incident investigations, such as our recent work in Spring, Texas, and Coral Gables, Florida.
I am deeply concerned, however, that Tesla’s action—or rather, inaction—to implement critical NTSB safety recommendations has not demonstrated the same productivity or professionalism. Four years ago, on September 28, 2017, we issued Safety Recommendations H 17 41 and -42 to Tesla based on our investigation of the 2016 collision between a Tesla Model S operating with an engaged Level 2 automation system and a tractor semitrailer truck in Williston, Florida.
H-17-41
Incorporate system safeguards that limit the use of automated vehicle control systems to those conditions for which they were designed.
H-17-42
Develop applications to more effectively sense the driver’s level of engagement and alert the driver when engagement is lacking while automated vehicle control systems are in use.
Our investigation of the Williston crash found that the driver used the Autopilot system outside of its operational design domain (ODD)—on roadways for which it was neither designed nor safe—and went extended periods of time without hands-on driving. We also found other indications of the driver’s lack of engagement and awareness before the crash, and, accordingly,
determined that Tesla’s Autopilot system did not effectively monitor and respond to the driver’s interaction with the steering wheel to ensure driver engagement.
The NTSB issued Safety Recommendation H-17-42 to Tesla and five other manufacturers of vehicles equipped with SAE Level 2 driving automation systems. The other five manufacturers responded to us, describing the actions they planned to take, or were taking, to better monitor a driver’s level of engagement. Tesla is the only manufacturer that did not officially respond to us about the recommendation.
While we were awaiting a response from Tesla, in 2019, a crash nearly identical to that in Williston occurred in Delray Beach, Florida. The Delray Beach highway operating environment, like the cross-traffic conditions in Williston, was clearly outside the Autopilot system’s ODD. The highway did not have limited access and had 34 intersecting roadways and private driveways in the 5-mile region encompassing the crash location. As we concluded after the Williston crash, if automated control systems are not automatically restricted to operating in those conditions for which they were designed and are appropriate, the risk of driver misuse remains.
During our subsequent investigation of a fatal 2018 crash in Mountain View, California, Tesla stated the following:
Under the SAE J3016, operational design domain limits are not applicable for Level 2 driver assist systems, such as Autopilot, because the driver determines the acceptable operating environment. Autopilot can be safely used on divided and undivided roads as long as the driver remains attentive and ready to take control.
However, our crash investigations involving your company’s vehicles have clearly shown that the potential for misuse requires a system design change to ensure safety. In the Delray Beach crash, a contributing factor in the crash was the operational design of Tesla’s partial automation system, which permitted disengagement by the driver, and the company’s failure to limit the use of the system to the conditions for which it was designed. Our investigation of the Mountain View crash found tragically similar evidence of driver disengagement and ineffective driver monitoring, and our report stated the following:
Despite communicating . . . operating conditions and limitations to owners and drivers, Tesla Autopilot firmware does not restrict the system’s use based on functional road classification. The system can essentially be used on any roads where it can detect lane markings, which allows drivers to activate driving automation systems at locations and under circumstances for which their use is not appropriate or safe, such as on roadways with cross traffic or in areas that do not consistently meet the ODD, such as roadways with inconsistent lane markings.
Therefore, we reiterated Safety Recommendations H-17-41 and -42: that Tesla and other manufacturers of Level 2 automation incorporate system safeguards that limit use of automated vehicle control systems to those conditions for which they were designed. Tesla has still not officially responded to the NTSB regarding these safety recommendations.
You have stated that “safety is always the primary design requirement for a Tesla.” Now that statement is undercut by the announcement that Tesla drivers can request access to “Full Self Driving Beta technology,” operational on both highways and city streets, without first addressing the very design shortcomings that allowed the fatal Williston, Delray Beach, and Mountain View crashes to occur.
If you are serious about putting safety front and center in Tesla vehicle design, I invite you to complete action on the safety recommendations we issued to you four years ago.
The NTSB has long advocated for implementation of myriad technologies to prevent tragedies and injuries and save lives on our nation’s roads, but it’s crucial that such technology is implemented with the safety of all road users foremost in mind. I look forward to receiving an update on our safety recommendations.
|
|
