July 29, 2022
Neil Black, Tom Mueller
On February 25, Ken Rothfield was backing down his driveway at about 7:30 a.m., and noticed that there was barely enough room to ease his vehicle between the brick wall jutting out to his left, and his wife’s Toyota on the right. He pulled a bit forward of the wall, with the intention of re-parking his wife’s car to create more space. He got out, and left the driver’s side door open – moving the Toyota would just take a few moments. And in just a few moments, Rothfield was pinned between his Chevy Volt and the brick wall, in excruciating pain and shock.
In an account of the rollaway incident, Rothfield wrote: “Things happened very quickly, and I recall only three vivid images: Looking into the driver’s compartment and realizing there was no way for me to get back inside and hit the brake; Looking forward as the open door struck me and drove me backwards between the car and the brick wall. I could feel my arm getting trapped between the wall and the car above the door, and thought I would be torn apart and crushed; A sudden stop – The door caught the wall. I was now in a seated position with my left arm trapped above the door, between the car and the wall. Both legs were trapped below the door between the car and the wall.”
With his focus on getting to work that morning, Dr. Kenneth Rothfield, Chief Medical Officer at Texas Health Resources Arlington Memorial Hospital thought he shifted his transmission into Park. And his 2017 hybrid electric Volt, which GM assured customers in a marketing brochure “We’ve got your back. And sides. And front,” didn’t do a thing about it. Tricked out with computers, radar, sensors, and cameras, fully connected to Siri, smart phones and Apple Car Play with built-in 4G LTE Wi-Fi®, and loaded with advanced features, such as automatic braking and steering to prevent collisions, adaptive cruise control, automatic parking and intelligent headlamps, the 2017 Volt didn’t even warn Rothfield that he was about to exit an unsecured vehicle.
His entreaties to Siri were ignored, he could only manage a few honks of the horn before his other hand gave out. In the end, Rothfield yelled for five minutes until a neighbor came to his aid. Dr. Rothfield sustained a number of injuries — three broken ribs on the right, complex lacerations to his left shin, complete dislocation of his left elbow, and a complex soft tissue lesion of his thigh that required two surgeries and many weeks recovery.
Much of Dr. Rothfield’s estimable career as a hospital physician executive has focused on patient safety, risk management, and public health. He was shocked to learn that the auto industry treated the rollaway problem so cavalierly – with a patchwork of half-measures, or no measures to mitigate a well-known safety hazard.
“As a safety/public health guy, you know there are no accidents!” he says.
Real-world rollaways are split-second catastrophes that happen under a wide variety of circumstances. The engine may be on or off, the transmission might be in Reverse, Neutral, or Drive. But absent a vehicle failure, rollaway incidents occur when the driver believes that the vehicle is secured, and absent instant and clear feedback to the contrary, steps out of the car. Just as Rothfield learned that February morning, that mistake can lead to life-changing or -ending consequences. Drivers underestimate how tricky it is to stop a moving vehicle once they’ve begun to exit, or are completely outside, how easily and quickly they can be knocked under the wheels, and how deadly even a slow moving two-plus ton rolling machine can be when those forces are exerted on the human body.
Following are some recent incidents that have come across The Safety Record’s desk. While the circumstances of each are slightly different, they share a common theme: the drivers thought they had secured their vehicles, because they were stationary. However, the vehicle itself is no longer a clear source of engine or transmission state. The old tells – such as the sound and vibration of the running engine – have largely been eliminated by design (more on that below). Automakers have replaced these traditional cues with audible alerts and visual messages. But in many cases, they are indistinguishable amongst the many non-descript alerts and fail to convey any urgency about the potential hazard, especially in the seconds it takes the driver to get out of a vehicle and their attention already turned to the next task.
Some of these vehicles offered limited rollaway protection, some had technology that could have prevented a rollaway, but wasn’t designed to do so, some allowed the driver to get out of a vehicle not in Park without so much as a warning. Those vehicles with “warnings” often provide little connection to the hazard, and there’s no time to consult the owner’s manual – which is often voluminous, confusing, with significant omissions and sometimes inaccurate information Automakers have the tools to fix it, but few do — it’s easier to blame users, and it’s worked for the industry.
The most recent death and injury numbers published by NHTSA’s National Center for Statistics and Analysis (NCSA) in April 2018, based on the agency’s Non-Traffic Surveillance (NTS) System, estimated 142 people were killed and 2,000 injured in 2015 due to rollaways involving an unattended vehicle with no driver in control.
Rollaways accounted for 17 percent of all non-traffic deaths and injuries. Like all of the non-traffic incident data, the number of rollaway deaths and injuries are based on estimates, and likely undercount the scope of the problem. Because the majority of rollaways don’t occur on public roadways, rather they are the province of private driveways and parking lots, they don’t garner the same reporting mechanisms as on-road vehicle incidents. It’s also why NHTSA had to be compelled to collect the data in the first place. From the agency’s inception, it defined its motor vehicle safety mission in the context of vehicle performance on public roadways, and the agency resisted calls to collect motor vehicle hazard data or regulate vehicle performance related to non-crash incidents, such as power window and trunk entrapments or backovers.
In 2005, Congress mandated that NHTSA begin collecting non-traffic death and injury incidents associated with backovers as part of the $244.1 billion transportation bill, the Safe, Accountable, Flexible, Efficient Transportation Equity Act: A Legacy for Users (SAFETEA-LU). Backover incidents, occurred frequently in residential driveways, often involved a child who entered the blind zone, an area behind the vehicle that isn’t visible to the driver due to vehicle design characteristics, as it was reversing. These deaths and injuries were not accounted for in traditional motor vehicle-related deaths and injuries data, which only included incidents occurring on public roadways. In 2007, the Cameron Gulbransen Kids Transportation Safety Act of 2007 (K.T. Safety Act) took things a step further, requiring NHTSA to create and establish a database of non-traffic death and injury (those that don’t occur on public roadways) incidents.
By law, the Non-Traffic Surveillance (NTS) database is required to be accessible to the public and is described by NHTSA as “a virtual data collection system designed to provide counts and details regarding fatalities and injuries that occur in non-traffic crashes and in non-crash incidents.” In its first report covering rollaway in 2014, researchers noted: “The statistics reported in this statistical summary are based on the NiTS data 2008–2011. Since a complete record of all nontraffic crash fatalities from States and police jurisdictions is not available, adjusted weights have been used to obtain national estimates.”
NTS relies on NHTSA’s National Automotive Sampling System, General Estimates System and the Fatality Analysis Reporting System for non-traffic crash data. The non-crash injury data is based on emergency department records “from a special study conducted by the Consumer Product Safety Commission’s National Electronic Injury Surveillance System (NEISS) All Injury Program” and the non-crash fatality data is derived from death certificate information from the Centers for Disease Control’s National Vital Statistics System.
Based on summaries of the data in three reports published by NHTSA’s NCSA covering non-traffic crashes, during 2008-2015 an estimated total of 787 deaths and 17,000 injuries occurred due to vehicle rollaways.
The Human Factor
In the past, rollaway was mostly a function of a component failure like misaligned linkages, or broken parking pawls, or a design defect that allowed a transmission to slip from Park into Reverse. But the advent of advanced automotive technology has made it increasingly likely that a rollaway occurs because the driver isn’t provided with adequate indicators about the state of the vehicle. And, despite the ever-increasing features designed to mitigate or prevent outcomes that can harm the vehicle, the driver, or those around a vehicle, many modern vehicles fail to provide any real warnings of eminent hazard and fail to use already existing sensors, hardware and electronic control modules to prevent rollaway.
The reasons for rollaway are many. For one, it’s gotten harder to understand exactly what power and engine state the vehicle is in, as vehicle designs have eliminated many of the visual and audible cues. The keyless ignition radically changed the way drivers interact with their vehicles. The metal car key on a ring with the house key and other essential keys that drivers needed to have after they parked and exited their vehicle is passing into history. With the metal car key in hand, the driver was assured of two things: the engine was off and the gear shift lever (on an automatic transmission) was locked in Park – otherwise the vehicle ignition key couldn’t be physically removed from the ignition cylinder.
With the aid of NHTSA, through its redefinition of what constitutes a “key,” automakers are able to provide a key fob that appears to act like a regular metal key and is often referred to as the “key” by car companies. In reality it’s a key carrying device. The actual key is an invisible code transmitted by the fob that enables the vehicle to start when the fob is brought into the occupant compartment. While the fob is a proximity device for starting the vehicle, unlike the metal key, removing the fob from the vehicle has no effect on the engine and transmission state. Drivers can exit with their fob thinking that the vehicle must be off and secured or they may turn off the engine without placing the gear selector in Park. In that circumstance, many models surreptitiously move the ignition state to Accessory mode, to keep the electronic key code in the ignition, and to meet the requirements of the federal safety standard that mandates: when the “key” is removed from the vehicle, the ignition must be off and the transmission locked in Park or become locked in Park automatically. Thus, after turning off the engine with the vehicle in gear, the driver is unlikely to know that the automaker just flipped the ignition to Accessory in order to technically comply with the standard, if they don’t have an automatic means to shift the vehicle into Park. The manufacturers willingness to use this loophole in the standard means the driver often has no clue about these states. What they do know is that they were able to shut off the engine and exit the vehicle with the key fob, which they believe is the key.
Modern passenger vehicle operations have fundamentally changed, and with it, the driver’s relationship to the vehicle controls. No longer assemblages of separate mechanical systems, today’s cars are complex, integrated networks of sensors and computers that communicate with each other. Rather than directly controlling the car, the driver is less of an operator and more like a supervisor who makes requests while hundreds of sensors report information about the environment, conditions, and driver actions to numerous interconnected electronic control units (ECUs). In turn, the ECUs make decisions based on these inputs under the software algorithms automakers have designed. In many instances, automakers use these systems to prevent a catastrophic or unwanted event from occurring, to compensate for inattention, and even override the driver’s input. For example, depressing the accelerator pedal to the floor while driving on a slippery road, don’t expect full throttle and spinning tires — your request will be overridden by the vehicle electronic controls to reduce the engine output and apply braking automatically until traction is regained. Similarly, most automatic transmissions prevent the driver from selecting the Park gear, intentionally or not, when the vehicle is moving above a pre-determined speed (usually 2 mph) – even in models with mechanical shift selectors – to prevent transmission damage and possible loss of control.
Many other systems commonly found in vehicles are specifically designed and marketed to protect drivers from inattentiveness or operating errors. Page through any marketing brochure or owner’s manual, and you’ll find dozens of examples of such features that protect the vehicle or the driver – headlights that automatically shut off after a set time, seat heaters that turn themselves down or off after reaching a certain time or temperature level, brakes that automatically apply if you get too close to the vehicle in front, or steer your vehicle back into the lane of travel if you drift over the line, cruise control systems that prevent you from getting too close to the lead car, automatic emergency braking systems, electronic stability control, and low oil engine shutdowns.
In some cases, the countermeasures are applied in ways that driver may not detect. For example, if the driver turns off the engine of an MY 2015 Ford Edge but leaves the ignition in Accessory, after 15 minutes, the battery saver feature will turn off the power state to prevent the battery from discharging.
A driver exiting their vehicle without securing it in place is simply another condition – but with a potential for death, injury, or property damage – that can and should be prevented when detected by vehicle systems already in use.
Decades of Options, Few Taken
For nearly two decades, automakers have preferred to use to primary ways to prevent rollaways: an electric parking brake (EPB) automatically applied any time the driver exits the vehicle, or in vehicles with electronic shifters, an automatic shift to Park anytime the driver fails to do so before exiting the vehicle. (We note that there are other ways automakers can prevent rollaways in vehicles with mechanical shifters and parking brakes through controlling torque to the wheels.) For example, FCA’s Safe Hold, introduced in 2014, and on Jeep, Chrysler, and Fiat models, automatically sets the parking brake anytime the driver attempts to exit an unsecured vehicle, regardless of engine state. Similarly, Ford’s Return to Park feature, first implemented in the 2017 Fusion rotary shift knob, automatically shifts the transmission into Park anytime the driver attempts to exit an unsecured vehicle. (For more about these technologies, read our 2018 story The Persistence of Rollaway)
These are the exceptions. A survey of anti-rollaway features among all automakers shows how slowly these technologies have spread through the US fleet, and how infrequently they were and are used as an effective rollaway countermeasure – if at all. Take EPBs – early adopters, such as Ford and Toyota began equipping their luxury lines with EPBs in calendar year 2002 (MY 2003 Lincoln LS and MY 2003 Jaguar Type S) and 2006 (MY 2007 Lexus 460LS). Yet, neither included EPBs widely among its other models. Ford Motor Company didn’t install an EPB on another U.S. Ford model until the 2013 Fusion. Toyota, which had been researching and patenting EPB technology since 1999, installed EPBs on some Lexus models, but not on any U.S. Toyota-brand model until the 2018 Camry Hybrid and the 2018 C-HR.
The vast majority of EPB systems only apply automatically once the transmission has been shifted into Park, periodically as a system-check, or in other narrowly defined circumstances. For example, Jaguar Land Rover’s Queue Assist – an adaptive cruise control feature that keeps a set distance between your car and the one in front of it — automatically applies the EPB if the vehicle has come to a stop while in Queue Assist mode, and the driver attempts to get out of the vehicle.
require the driver to activate this feature manually at every key cycle by depressing a button. Most manufacturers include a rollaway countermeasure in their fuel saving engine stop-start algorithms: if the driver brings the vehicle to a stop, and the engine automatically shuts down, and the driver unbuckles their seat-belt and opens the driver’s door, the EPB will automatically set. This same basic algorithm can be used to apply the EPB in situation in which the gear shifter is not in Park and the driver attempts to exit the vehicle.
Manufacturers are more likely to pair an automatic anti-rollaway feature with e-shifters – often because of the recognition that e-shifters, such as rotary dials or monostables, are less intuitive and fail to provide the driver with a level of tactile and visual feedback found on traditional mechanical shifters. Notably, many vehicle models with e-shifters and are programed to auto-shift to Park only when the driver turns the engine off.
There is another large group of vehicles in which the rollaway prevention algorithm is just shy of being complete, because the automatic shift-to-Park does not activate under all potential rollaway conditions when the vehicle is in Neutral. These include models manufactured by Mercedes, BMW, Hyundai/Kia, Volvo, Audi, Nissan/Infiniti, and Jaguar Land Rover. Many automakers appear to do this to allow a vehicle to roll in Neutral for towing or automated car wash purposes. However, most transmission shifters allow the driver to shift into Neutral without stepping on the brake – and in real-world scenarios, rollaways occur because the shifter can be inadvertently bumped into Neutral. Car wash modes are best accomplished through a stepped process that requires the driver to intentionally select non-standard procedures to prevent unintended Neutral rollaways.
You are the Countermeasure
Manufacturers don’t need out-of-date NTS data to be aware of this problem. In 2009, industry representatives, at NHTSA’s request, formed an SAE keyless ignition controls sub-committee to write a recommended practice addressing the carbon monoxide poisoning and rollaway hazards associated with keyless ignitions. In 2011, SAE published the result – a recommendation for warnings, so vague and apparently so dissatisfying that NHTSA moved to amend Federal Motor Vehicle Safety Standard 114 Theft Protection and Rollaway Prevention. In December 2011, the agency published its proposal for explicitly loud, hard-to-ignore warnings. (See Keyed up With Anticipation: Smart Key Hazards Still Unresolved )
The Notice of Proposed Rulemaking recognized, in unambiguous language, that the current keyless ignition systems had led to driver confusion, resulting in vehicles left running and/or out of the Park position, and the consequent rollaways and carbon monoxide (CO) poisonings. It also acknowledged that under the current designs, drivers can and do exit the vehicle without the transmission locked in Park, and sometimes without actually turning off the engine. The NPRM noted that the lack of standardization in combination with the lack of visual and tactile cues about the status of the vehicle engine has set the stage for the real-world incidents in which drivers, mistaking the fob for the key, inadvertently leave a vehicle running and/or exit the vehicle without putting the transmission into Park. NHTSA’s recommended countermeasures for the rollaway and CO threats were the use of audible alerts. The agency proposed two sets of warnings, internal and external, if the driver exits the vehicle with the transmission not in Park. The alerts would reach sound levels of at least 85 dBa between 500-3000 Hz, and the external alert would sound for a full minute. The agency borrowed this warning requirement from an existing Platform Lift Standard.
Manufacturers, in particular, hated NHTSA’s proposals for audible warnings, fearing them too loud and annoying. The Alliance of Automobile Manufacturers argued that the agency did not have enough hard data on which to base the proposed regulation. (Read the comments from the Alliance of Automobile Manufacturers)
Safety Research & Strategies and other advocates also criticized the proposal because the agency had failed to base its warning recommendations on research showing its efficacy, and because warnings, by themselves, were insufficient. (Read SRS’ comments )
This rulemaking remains “open,” but inactive.
In 2013, the agency launched an FMVSS 114 compliance investigation into the potential rollaway hazards in 34 different 2013 and 2014 keyless ignition models among eight different manufacturers. (Read NHTSA Opens Smart Key Compliance Probe / And Now, the Rest of the Story on Keyless Ignition)
Automakers’ own internal surveys and customer complaints clearly show the ease with which drivers lose awareness of the engine and transmission state. At least one manufacturer, Toyota, is collecting rollaway data outright through its vehicle diagnostic system.
Starting with the MY 2013 Rav4, Toyota has installed a “Vehicle Control History” function on its models to collect and store data on vehicle and driver actions. Like an Event Data Recorder (EDR), which records pre-crash information, the VCH records non-crash vehicle and driver actions. In a 2019 technical paper, Toyota engineers described how the VCH records driver inputs, such as hard acceleration and hard braking, or when the vehicle’s dynamic systems, such as ABS or the electronic stability control system are activated. The data is useful, they said, to understand and analyze real-world dynamic events. Notably, Toyota’s hybrid models contain additional VCH data starting in at least one of its 2016 models, that is not described in its 2019 technical paper, that includes this data point: “Driver Exited Vehicle When Shift Position Wasn’t P.”
And what has Toyota done with that data? Mostly, it just gathered it, and used the vehicle-generated information – transmission not in Park, vehicle stationary, driver’s seatbelt unbuckled, driver’s door opened – to record the event in the VCH and to trigger a “Shift to P Before Exiting Vehicle” text message in the instrument cluster, along with a non-descript, low-volume tone alert. It could have just as easily used those same data points to activate the EPB to ensure the safety of those in and around the vehicle – and still collect the data – knowing that it protected its customers from a rollaway hazard.
Also of note, in 2019, Toyota announced that it would begin to counter the rollaway hazard in 2020 Model Year vehicles with e-shifters and EPBs, by installing an Automatic Park feature “designed to reduce the risk of rollaway.” It wasn’t until the following model year that eight out of a total of 35 MY 2021 Toyota/Lexus models which were equipped with either an EPB or an e-shifter received the new “Automatic Park” feature.
Rather than employ strategies that actually prevent the vehicle from rolling away, many automakers still rely on various cues, which might or might not alert the driver to a potential hazard and result in a correction: icons or visual messages on the information display screen, such as “Shift to Park,” and audible warnings, such as internal intermittent or continuous internal beeps and buzzers, and external horn chirps. Automakers are mandated by FMVSS 114 to emit an audible warning if the driver exits a vehicle with the engine off, leaving the key behind. But it does not set out any specific requirements for its volume, duration, frequency, or tone. The design and efficacy is left to the manufacturers. In addition, modern cars are now a cacophony of beeps and dings for all kinds of conditions – many sound alike, or fail to convey the urgency of the condition, making it difficult for drivers to understand what the vehicle is trying to tell them. In rollaway scenarios, drivers only have a second to figure it out – manufacturers have had years.
Warnings are considered one of the least effective methods of protection against a safety hazard — yet this is the only rollaway prevention feature in most passenger cars.
Another failed strategy is the use of “creep force” or “creep torque,” a condition in which the vehicle in drive or reverse will move once the driver has released the brake pedal. In 2003, NHTSA proposed to amend FMVSS 102 (Transmission shift position sequence, starter interlock, and transmission braking effect) by requiring creep force in hybrid vehicles in either gear as “a cue that indicates to the driver that he or she is in the correct gear, as the driver is releasing the brake and has the best chance of stopping quickly in case of a gear selection error.” (NHTSA dropped the proposal from the 2005 Final Rule.) Vehicles with conventional combustion engines and automatic transmission use creep force in this way. The thought is – no one gets out of a moving vehicle. On a flat paved surface, vehicle movement is theoretically apparent. But in some vehicles, that “creep” cue may not be present, either delayed or mitigated all together for improved vehicle efficiency. Absent this clear cue that the vehicle is not secured in Park, a driver may exit, resulting in a rollaway. And, the vehicle movement created by creep torque can be eliminated when the vehicle is on a slope with the transmission in a drive gear. In some real-world rollaway incidents, creep force kept the vehicle stationary in a sloped driveway with the engine running and the transmission in a drive gear. Absent vehicle movement and lacking any meaningful and urgent alert about the unsafe state of the vehicle, drivers can and do exit vehicles without the transmission in Park.
What’s It Going to Take?
NHTSA’s proposal to address the rollaway and carbon monoxide dangers linked to keyless ignitions has languished for a decade.
Three years ago, U.S. Senator Richard Blumenthal (D-CT) introduced the Protecting Americans from the Risks of Keyless Ignition Technology (PARK IT) Act, which would require NHTSA to amend and finalize the 2011 proposed rulemaking a rule that vehicles automatically shut off if left unattended after a period of time to prevent carbon monoxide poisoning, and a rule that sets a performance standard to prevent rollaway. With the failure to secure Republican support for the rollaway provision, the bill was re-formulated and re-named the Stop CO Poisoning Exposures (SCOPE) Act. In November 2019, Blumenthal, along with Sens. Edward Markey (D-MA) and Deb Fischer (R-NE), introduced the SCOPE Act, which would force NHTSA, within two years of its enactment, to issue a final rule to require manufacturers to install technology in each motor vehicle equipped with a keyless ignition device and an internal combustion engine to automatically shut off the motor vehicle after the motor vehicle has idled for the period determined by the NHTSA Administrator. This version of the bill did not contain the rollaway countermeasure aspect of the PARK IT Act. However, the House version of the bill continues to include both provisions. Congress may include some portion of either legislation in the proposed infrastructure bill, but its future is uncertain.
After decades of blaming the drivers for their own design failures, the industry has been inculcating itself in a new hazard analysis technique called Systems Theoretic Process Analysis (STPA) based on the incident causality model Systems-Theoretic Accident Model and Process (STAMP). It marks an important departure from the traditional hazard analyses processes, such as the Failure Modes and Effects Analysis (FMEA), which has long formed the foundation of automotive engineering design. This new approach integrates causal factors associated with new technology and elevates the role of human factors and flips the script on user error. Under STPA/STAMP, operator error is a symptom of a design flaw – not a cause; blaming users for hazardous incidents, rather than the systems designers is not an acceptable practice. Several major manufacturers, including Ford, GM, Nissan, and Toyota have presented at the Massachusetts Institute of Technology (MIT) Partnership for Systems Approaches to Safety and Security annual conference to discuss how they are applying this hazard control method to current their current designs.
Also, the SAE has established the Recommended Practice Task Force on Committee J-3187 Applying System Theoretic Process Analysis (STPA) to Automotive Applications, to educate engineers in how “STPA may be applied within a safety assessment process focusing on automotive vehicle safety-critical content.”
In the meantime, rollaways continue to injure and kill. One way or another, it’s time to end the carve-out for rollaway.