November 22, 2011
Reprinted from The Safety Record, Volume 8, Issue 3, November 2011
Last month, the National Highway Traffic Safety Administration (NHTSA) Office of Defects Investigation opened a Preliminary Investigation into BMW 7-Series vehicles that roll away because the electronic ignition fails to shift the vehicle into Park when the driver leaves with the key fob. The agency had fielded two consumer complaints, and an unspecified number of Early Warning Reports on rollaway incidents before shipping off a Manufacturer’s Request for Information to BMW on Sept. 29.
If the 7-Series isn’t locking into Park, as consumers have alleged it should, BMW ought to be investigated. But the luxury carmaker should also be commended for designing an electronic key system which complies with the intent and letter of Federal Motor Vehicle Safety Standard 114 because many electronic key systems out there do neither. Starting with a 2002 interpretation letter to an unknown automaker permitting the electronic code to serve as the key to the vehicle, to the enshrinement of that view in a new FMVSS 114 Final Rule in 2006, NHTSA has permitted the introduction of millions of electronic key systems which allow rollaways, vehicle theft – both of which are addressed in FMVSS 114 – and, a new, deadly wrinkle that was not imagined by the standard: carbon monoxide poisonings.
In January, the Society for Automotive Engineers released a recommended practice for keyless ignitions that mostly codifies what automakers have already been doing for the last 20 years, while doing little to alleviate the hazards introduced by poor designs. More recently, NHTSA has indicated that it will re-visit the standard sometime in the near future with amendments designed to tighten the current regulation or maybe introduce standardization into electronic ignition systems.
These corrections would not be necessary if NHTSA had not allowed automakers to separate the electronic key code from its housing – the key fob, creating the two-part key. Under the current schema, the fob starts the vehicle by delivering the electronic code, but plays no role in turning it off. To do that, typically, the driver has to turn off the ignition (usually with a push-button on the dash or console), place the transmission into Park, and exit the vehicle through the driver’s door. Until that sequence is completed, your invisible key (the electronic code) is still (metaphorically) dangling in the ignition. Unfortunately, most consumers don’t know that – because it defies the well-established relationship between the ignition and the key, and because many automakers call the fob the “key” in owner’s manuals and on dashboard messages to the driver.
The Key You Can’t See
Originally, the “key” in Federal Motor Vehicle Safety Standard 114 Theft Protection was defined solely according to its security function. But in 2005, when the agency proposed amended FMVSS 114 to reflect the new, electronic systems, it redefined the key in relation to a different function. The key was now “a physical device or an electronic code which, when inserted into the starting system (by physical or electronic means), enables the vehicle operator to activate the engine or motor.” In other words, the key is what starts the vehicle.
In plain English, the fob must be considered the key, because without it, the driver cannot start the vehicle. The electronic code is more akin to the digital realization of indents on a metal key. Just as a driver could not start a vehicle using a traditional ignition system with just the bottom half of the key, a driver cannot start an electronic system without the fob. Drivers need the entire object – the traditional key’s head or the electronic key’s fob –to start the vehicle. But, not according to NHTSA and the automakers.
NHTSA has declined to enforce the regulation, as defined. In many real world instances, vehicles with electronically based systems have, in essence, two keys. One is the physical fob, which delivers the electronic code to the vehicle. You must use this key to start the vehicle. Once the fob delivers the code to the vehicle, its role as the “key” ends. To “remove” the second “key” (the electronic code), you must put the vehicle in Park, turn off the engine and open the driver’s door, or a similar sequence involving killing the engine and putting the vehicle transmission into Park.
In 1992, General Motors sought the agency’s guidance in developing an electronic lock/ignition system. In its reply, NHTSA opened the door to the two-part key. It agreed that “an electronic code which is entered into a locking ignition system by the vehicle operator to permit operation of the system comes within this definition.” The agency also affirmed that GM could re-engineer the locking function of the system to accommodate this new system, as long as the vehicle transmission was in the Park position or automatically locked in Park when the “key” was removed.
In a 2002 interpretation letter to unnamed automakers, the agency took its basic interpretation another step. Chief Counsel Jacqueline Glassman affirmed that a similar system complied with FMVSS 114 – even though, “the removal of the ‘Smart Key’ from the running vehicle would have no effect on the vehicle’s operation until the engine is stopped.”
Even as Glassman stated that the system as described was compliant, she acknowledged the human factors problem:
“We observe that if the ‘Smart Key’ device remained in the car. e.g. in the pocket of a jacket laying on the seat, a person would need only turn the ignition switch knob to start the engine. It appears to us that, with systems of this kind, there would be, in the absence of some kind of a warning, a greater likelihood of drivers inadvertently leaving a ‘Smart Key’ device in the car than with a traditional key. This is because the driver must physically touch a traditional key, unlike the ‘Smart Key’ device, as part of turning off the engine. You and/or the vehicle manufacturer may wish to consider whether there are any practicable means of reducing the possibility of drivers inadvertently leaving their ‘Smart Key’ devices in the car.”
The Hazards of Today’s Electronic Key Systems
Glassman’s reasoning – that changing the traditional interface between the driver and the key would have negative consequences for drivers – was right. Her take on the consequences, however, was not – leaving the key fob in the vehicle was the least of it. Consider these incidents that are occurring in the real world because of a key you can’t see:
In 2010, Palm Beach police concluded that 29-year-old Chastity Glisson died of carbon monoxide poisoning after she inadvertently left her 2006 Lexus running in the garage attached to her Boca Raton town house. Her key fob was found in the house.
The Porsche Panamera’s keyless ignition system was blamed in a September heist from a dealership in Lawrence, New Jersey. Police speculated that the pair of thieves – two twenty-somethings who posed as potential buyers – made off with the $148,000 vehicle by switching key fobs, and coming back for the sports car after the dealership closed.
In February, a Mercedes owner complained to NHTSA:
“I purchased a brand new 2011 Mercedes Benz gl450 4matic last night. The car has a keyless go system. When I was pulling into my driveway with my kids in the car this afternoon I accidentally turned the car off without putting the car in park and began to exit the vehicle. I noticed the car started to roll back down my driveway. The car never went into park when I turned it off. Rather it went into neutral. I have never driven a car that didn’t go into a park mode when the engine was terminated. Thank goodness a child wasn’t playing in my driveway or my dog was there. A car of this sophistication, technology and price should have shifted into the park mode, not the neutral mode when the engine was turned off even if the car wasn’t put in park. Additionally, if that is how the car works, then I would think there would be a safety switch on the driver’s seat that would disengage the gear when I went to get out of the car. I am truly concerned for the safety of others as well as parked cars with what I believe to be a major design flaw.”
These incidents are not isolated. At least two other people have died in carbon monoxide poisoning incidents similar to Glisson’s; several others have been injured. Keyless ignition systems are presenting thieves new opportunities to nick high-end vehicles. Not only have academics demonstrated methodologies to start electronic key systems using cell phones, laptops and relay antennas, but real criminals have used them to steal David Beckham’s BMW X5 – twice. Rollaways, like the incident described by the Mercedes owner, are actually a new design feature of many electronic ignition systems.
SRS recently examined some 2012 models with smart keys, running 15 vehicles from major manufacturers through a series of scenarios designed to reveal their strategies for halting vehicle operations in the absence of a key fob and for alerting the driver that the vehicle was not in Park.
Most manufacturers do not have warnings when the key fob has left the vehicle and prevent restart when the key fob is removed and the driver exits through the driver’s door. Several vehicles included visual indicators that the “key” (meaning the fob) was no longer in the vehicle when it was driven and the key fob was not in the vehicle, or that the “remote starter” was not detected or some similar language that avoided calling the fob a “key.” If a manufacturer used an audible telltale, it typically was neither distinct as a warning, nor heard from outside the vehicle. Once the driver closes the door and exits, an interior audible telltale no longer functions as an alert to the driver, because the sound is contained within the vehicle. SRS found no evidence of any automatic engine shutoff mechanisms when key fobs are removed from vehicles and the engines are left running; however, they may be embedded in software that would activate after a length of time. For the most part, the trigger for electronic code removal – which according to NHTSA and the manufacturers is the real “key” – is the driver’s door.
SRS has also examined other model year vehicles like the 2008 Toyota Highlander Hybrid and 2010 Lexus RX350 to determine whether the vehicles could be driven when the key fob was not present, whether the vehicle could be remotely started with the key and driven without the key fob present, and whether the vehicle could be left in Neutral once the key fob was physically removed from the vehicle. Our examinations demonstrated that these vehicles, like most other Smart Key-equipped models, once started, can be driven without the key fob, which most owners believe is the “key.” If the driver exits the vehicle with the vehicle running and removes the fob from the interior, reenters the vehicle without the key fob, the vehicle can be driven normally, but the Lexus dash indicator notes that the “key” is out of range (i.e., the fob is not in the vehicle). There is no consequence to mobility. The message to the driver reinforces the notion the key fob is the key. Once the vehicle is shut down, it cannot be restarted without the fob present in the vehicle.
In another scenario, if the driver remains in the vehicle without opening the driver’s door and the key fob is removed (i.e., a passenger removes the key fob in a Bag or jacket or is removed through a window or passenger door), in many vehicles there is no indication to the driver that the key fob is no longer in the vehicle. The RX 350 will alert the driver with an audible tone that the vehicle has not been put into Park. But there is no warning that the vehicle is in Park, but still running, when the key fob alone or the key fob and the driver exits the vehicle.
In the past, the driver had three cues that that the key was still in the ignition and that the vehicle was running – the physical absence of the key in his possession, the sound of the engine, and the audible telltale. The latter is mandated by FMVSS 114 because, the agency has argued, drivers need a reminder that they have left the key in the vehicle. The electronic systems coupled with today’s quiet engines have removed two of these cues, and created a scenario that the originators of FMVSS 114 never anticipated. In addition, many lighting systems remain on for some period of time whether or not the vehicle is running or off, making it hard for drivers to discern what state the vehicle is in.
How Did We Get Here? A Brief History of FMVSS 114
In 1967, the Federal Highway Administration first proposed adding a theft protection standard – FMVSS 114 – out of concern that stolen vehicles constituted a major safety hazard because unauthorized drivers were more likely to initiate crashes.
The agency’s first proposal would have required cars to be equipped with devices to remind drivers to remove keys when leaving their vehicles and require manufactures to use a large number of locking system combinations to prevent use of master keys for theft. The rule was officially established on April 27, 1968, and became effective in January 1970. The rule remained substantially unchanged from the proposal and reiterated the safety concerns related to vehicle theft. By 1980, the anti-theft rule had been tweaked and expanded to include light trucks and multipurpose passenger vehicles (MPV’s) whose GVWR of 10,000 pounds or less.
Eight years later, the agency proposed amending the rule to encompass the problem of rollaway vehicles. In 1988, the agency’s Notice of Proposed Rulemaking noted that it received complaints of accidents and injuries associated with steering wheel lock-up when a key is inadvertently removed, and inadvertent actuation of the transmission gear shift lever in vehicles with automatic transmissions. The latter, the agency said, “often results from children inadvertently moving the gear shift level [sic] from ‘park’ to ‘neutral’ in a stationary vehicle with the ignition turned off. The vehicle then rolls away. Most inadvertent gear shift accidents involve property damage only. However, there have been several reports of recent cases resulting in serious or fatal injuries. In these cases, a child inside the vehicle inadvertently moved the gear shift level [sic], and the vehicle rolled out of control injuring or killing a child inside or outside the vehicle.”
The proposed amendment would have required gear shift lever locks on automatic transmissions in place of the then-current requirement, which allowed for a steering column or gear shift lever lock, or both. The proposed requirement would have prevented shifting the transmission after the key was removed and locking the gearshift or steering column while the vehicle is in motion.
Two years later, the agency issued a Final Rule. FMVSS 114 now required vehicles with automatic transmissions that have a Park position to have a key-locking system that prevented removal of the key unless the transmission was locked in Park or became locked in Park as the direct result of removing the key. This requirement became effective for vehicles manufactured after September 1, 1992. The proposal to prevent steering lock-up was not adopted in the final rule, but the agency noted that the amendment to prevent transmission lever shifting would also serve to prevent the removal of the key while the vehicle was in motion, because the amendment allowed key removal only when the transmission is in Park.
In the early 1990s, the agency began to field inquiries from manufacturers asking how FMVSS 114 would affect the development of keyless and electronic ignition systems.
In August 2005, NHTSA decided to address these new systems. It published a Notice of Proposed Rulemaking to amend the theft protection standard to reflect technological advances since the standard was last amended. After receiving several petitions from manufacturers requesting confirmation that their new systems were in compliance, NHTSA acknowledged that the regulatory language had become outdated and incompatible with key locking systems that employ electronic codes to lock and unlock the vehicle and to turn on the engine. The agency proposed to reorganize the regulation to separate the text related to theft protection from that intended to prevent unintended rollaway. It also wanted to simplify the language, redefine the word “key” to better reflect electronic codes and other locking devices and remove provisions that unnecessarily restrict design – such as the provision allowing only override systems that prevent steering before the key can be released or the transmission lever can be shifted.
On April 7, 2006, NHTSA issued a Final Rule to address comments and amend the theft protection standard as proposed in the August 2005 NPRM. NHTSA declined to drop the audible warning requirement, proposed by the Alliance of Automobile Manufacturers, because the current fleet uniformly already employed audible warnings and the agency said it was unaware of any vehicles in production using a non-audible notification method.
FMVSS 114: Not Just for Theft Protection
For two decades, FMVSS 114 has clearly served a two-fold purpose: prevent auto theft and vehicle rollaways caused by the inadvertent actuation of the shift lever. The anti-theft purpose has been a part of the rule since 1970, and rollaway prevention became a feature of a 1988 Final Rule. The crux of those protections has been preventing drivers from leaving keys in their vehicles or in a state that rendered vehicles vulnerable to unintentional movement.
Both intentions were firmly rooted in safety concerns. From the rule’s inception, the agency argued that this rule would reduce injuries and deaths caused by auto theft. In establishing the standard, the agency cited a Department of Justice study that 94,000 stolen cars were in crashes in 1966, and more than 18,000 of these incidents resulted in injury to one or more people. According to the report, the accident rate for stolen cars was some 200 times greater than the normal accident rate for non-stolen vehicles. This standard would clearly benefit safety, by reducing the number of stolen vehicles, the agency argued.
The agency has reliably affirmed the rule’s intent every time it amended it, right through to the last Final Rule in 2006: “Our safety standard on theft protection specifies vehicle performance requirements intended to reduce the incidence of crashes resulting from theft and accidental rollaway of motor vehicles.”
Regardless of how the vehicle key is constructed – metal or digital – the operator must physically place the transmission into Park to remove the key, or the transmission must automatically lock the vehicle in Park, if the transmission is in any other position when the vehicle is turned off. As the agency noted in the 2006 Final Rule: “Systems using an electronic code instead of conventional key would satisfy the rollaway prevention provi sions if the code remained in the vehicle until the transmission gear is locked in the ‘park’ position.”
In 2006, when the agency made the last round of amendments, it again rejected the Alliance of Automobile Manufacturers argument that an audible telltale was not necessary, based on human factors:
“A warning must be sufficient to catch a driver’s attention before he or she exits the vehicle without the keys. For example, a visual dashboard telltale might be insufficient to accomplish this goal. We believe that it is necessary to carefully examine the alternatives to audible warnings in order to make sure that they are effective in reducing likelihood of drivers leaving their keys in the vehicle.”
For these reasons, the rule makes two demands on key systems. One, the vehicle must be locked in park before the key is removed, or must automatically lock in place when the key is removed. Two, once the key is removed, normal activation of the vehicle’s engine or motor; and either steering or forward self-mobility of the vehicle, or both must be prevented.
SAE: Late to Party, Came Without a Gift
In January, SAE issued an exceedingly weak keyless ignition systems standard. Issued about 20 years after manufacturers began offering the first keyless ignition systems, SAE J2948 does little to alter the status quo. Most manufacturers’ systems already meet the very generic recommendations, and many manufacturers already have developed their preferred stop/start sequences.
SAE’s J2948 does address the problem of shutting down a keyless ignition system in an open throttle situation – a problem that emerged during the Toyota Sudden Unintended Acceleration crisis. Consumers who experienced a long duration acceleration event often reported that they hit the ignition button multiple times, in an attempt to bring the vehicle to a stop – to no avail. These drivers did not know the Toyota system required the driver to hold the ignition button in for a full three seconds before it would shut down an engine that was racing at full throttle while the vehicle was underway. This was the manufacturer’s solution to prevent inadvertent shutdowns if the switch was bumped. In an emergency situation, drivers with few options to control a vehicle that is not responding to their brake commands naturally reacted by hitting the ignition button multiple times. This standard takes pains to define short and long actuations and recommends that systems underway stop when the ignition button is actuated for a long period of time or is subject to a series of short actuations. BMW vehicles, for example, will shut down the engine after three short actuations.
However, SAE J2948 does nothing to ensure FMVSS 114’s rollaway and anti-theft protections – in fact, it’s weaker than the mandatory regulation. Today’s keyless entry systems – which already meet the provisions of J2948 – can be exited without the vehicle’s transmission being locked into Park, creating a rollaway hazard. They can also be driven away, under many conditions, when the fob is not present, rendering a vehicle susceptible to theft. Similarly, SAE J2948 does not address the problem of drivers leaving their vehicle engines on – sometimes until all the fuel is spent – with the key fob in their possession. This circumstance has already led to carbon monoxide poisoning deaths of at least three Toyota owners.
The SAE J standard does not define critical design concepts, such as “key” and “audible.” The audible telltale in many vehicles is often too soft, too similar to other auditory telltales, or confined to the interior of the vehicle, and thus completely inaudible to the driver, once he has exited and shut the door.
Finally, SAE J2948 does nothing to address the direct misinformation conveyed to the driver by the manufacturer calling the fob a “key” or using marketing monikers such as “Smart Key” or “Intelligent Key,” or by semantically associating the fob in any way with vehicle propulsion. The term “key” is used to refer to the fob in owner’s manuals and visual telltales, leading the consumer to believe that the fob is the key. For example, in some vehicles, you can remove the fob, with the vehicle running, and the dash will illuminate a message to the driver: “Key Not Detected.” Nowhere are consumers informed that the key is an invisible electronic code.
The standard would be much more effective, and, ultimately, compliant with FMVSS 114, if it established the fob as the key and encouraged manufacturers to install systems that stop engine propulsion and lock the vehicle in Park when the fob is removed from the envelope of the vehicle. Making the “key” an invisible code has created problems that are not hypothetical. They are occurring – with extreme and harmful consequences for users.
SAE’s recommended practice does nothing to address the current crop of problems. It’s unlikely that NHTSA will be able to write more words that will correct the error of the two-part key. Enforcement of the standard, as written, is another avenue of redress – equally improbable.
